Operating System - HP-UX

OpenSSH (T1471AA) problems when authenticating via MIT Kerberos realm

 
R Cardwell
Advisor

Hi,

Hopefully someone can point me in the right direction so I can get a fix for a problem we are seeing. We are using the HP-shipped version of Secure Shell (T1471AA) to replace telnet, rlogin, etc. with user authentication via an MIT Kerberos realm. We were previously using version A.03.61.000 and everything worked as expected out of the box (which was nice); however, since upgrading to A.03.71.000 the installation has broken, and when logged into the KRB5 realm server, I cannot see any attempted authentication via sshd on the target host. Has anyone got the latest HP-released version of OpenSSH working with Kerberos, or does anyone know who I can direct application queries to?

Misc information: Application T1471AA (versions A.03.61.000 & A.03.71.000) installed on a Series 800 machine running HP-UX 11.11 (including Dec DART bundles + recommended libc and PAM patches), and I have changed the symbolic link /usr/lib/libgssapi_krb5.sl -> gss/libgssapi_krb5.sl to /usr/lib/libgssapi_krb5.sl -> /opt/kerberos/lib/libgssapi_krb5.sl

#chatr sshd (A.03.61.000)
sshd:
shared executable
shared library dynamic path search:
SHLIB_PATH disabled second
embedded path disabled first Not Defined
shared library list:
dynamic /usr/lib/libnsl.1
dynamic /usr/lib/libxnet.2
dynamic /usr/lib/libsec.2
dynamic /opt/openssl/lib/libcrypto.sl.0.9.6
dynamic /opt/kerberos/lib/libgssapi_krb5.2
dynamic /opt/kerberos/lib/libkrb5.3
dynamic /opt/kerberos/lib/libk5crypto.3
dynamic /opt/kerberos/lib/libcom_err.3
dynamic /opt/socks/lib/libsocks.sl.1
dynamic /usr/lib/libc.2
shared library binding:
deferred
global hash table disabled
plabel caching disabled
global hash array size:1103
global hash array nbuckets:3
shared vtable support disabled
static branch prediction disabled
executable from stack: D (default)
kernel assisted branch prediction enabled
lazy swap allocation disabled
text segment locking disabled
data segment locking disabled
third quadrant private data space disabled
fourth quadrant private data space disabled
third quadrant global data space disabled
data page size: D (default)
instruction page size: D (default)
nulptr references disabled
shared library private mapping disabled
shared library text merging disabled

#chatr sshd (A.03.71.00)
chatr /opt/ssh/sbin/sshd
chatr(warning): dl_header_ext.size != sizeof(dl_header_ext). Please update your
version of the linker.
/opt/ssh/sbin/sshd:
shared executable
shared library dynamic path search:
SHLIB_PATH disabled second
embedded path disabled first Not Defined
shared library list:
dynamic /usr/lib/libpam.1
dynamic /usr/lib/libnsl.1
dynamic /usr/lib/libxnet.2
dynamic /usr/lib/libsec.2
dynamic /usr/lib/libgssapi_krb5.sl
dynamic /usr/lib/libc.2
shared library binding:
deferred
global hash table disabled
plabel caching disabled
global hash array size:1103
global hash array nbuckets:3
shared vtable support disabled
static branch prediction disabled
executable from stack: D (default)
kernel assisted branch prediction enabled
lazy swap allocation disabled
text segment locking disabled
data segment locking disabled
third quadrant private data space disabled
fourth quadrant private data space disabled
third quadrant global data space disabled
data page size: D (default)
instruction page size: D (default)
nulptr references disabled
shared library private mapping disabled
shared library text merging disabled
Steven E. Protter
Exalted Contributor

Re: OpenSSH (T1471AA) problems when authenticating via MIT Kerberos realm

The first thing I'd recommend is standardization. There are known issues with Secure Shell 3.6, and since you don't have to boot to install it, get 3.7 deployed on all boxes. Eliminate it as a factor in this issue and re-run the tests with verbose output.

Don't forget to stop and start the sshd daemon after installation.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
R Cardwell
Advisor

Re: OpenSSH (T1471AA) problems when authenticating via MIT Kerberos realm

Fixed it: the newer versions of SSH won't allow a user to log in if the local account is disabled, even if they authenticate via a Kerberos realm.

I switched the '*' to 'DISABLED' in the password field and everything works as expected.

That's PAM for you, I suppose.

Rich Cardwell
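
A way to check which accounts are affected by the behaviour reported in the reply above, as an added example that is not part of the original thread. It assumes the password field is stored in a passwd-format file (not a trusted-mode database); the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which local accounts carry the "*" password field
# that, per the reply above, made the newer sshd refuse Kerberos logins.

# kerberos_login_status PASSWD_FILE USER...   (hypothetical helper name)
# Prints one "user status" line per user:
#   locked  - password field is exactly "*" (the value the post replaced)
#   ok      - any other value (a hash, or "DISABLED" as used in the post)
#   missing - no entry for the user in PASSWD_FILE
kerberos_login_status() {
    passwd_file=$1
    shift
    for user in "$@"; do
        awk -F: -v u="$user" '
            /^#/ || NF < 7 { next }      # skip comments and malformed lines
            $1 == u {
                print u, ($2 == "*" ? "locked" : "ok")
                found = 1
                exit
            }
            END { if (!found) print u, "missing" }
        ' "$passwd_file"
    done
}

# Constructed sample entries (not taken from the original post).
sample_passwd() {
    cat <<'EOF'
# user:password:uid:gid:gecos:home:shell
alice:*:2001:20:Alice:/home/alice:/usr/bin/sh
bob:DISABLED:2002:20:Bob:/home/bob:/usr/bin/sh
carol:abCdEfGhIjKlM:2003:20:Carol:/home/carol:/usr/bin/sh
EOF
}

# Demo run against the sample; on a real host pass /etc/passwd instead.
demo_file=${TMPDIR:-/tmp}/passwd.sample.$$
sample_passwd > "$demo_file"
kerberos_login_status "$demo_file" alice bob carol dave
rm -f "$demo_file"
```

Accounts reported as `locked` are the ones to review before rolling out the newer sshd to users who authenticate only through the Kerberos realm.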