Operating System - HP-UX

SSH account expired, telnet works

 
Scott Tinsley
Advisor

SSH account expired, telnet works

debug1: sshd version OpenSSH_3.8 [ HP-UX_Secure_Shell-A.03.81.002 ]

Using TCB on HPUX 11.11. User cannot log in using ssh. Sshd syslog messages indicated that account has expired. getprpw shows no problems with account. Have run "modprpw -k account" and "modprpw -v account". No luck. Temporarily activated telnet and the user can get in. Has anybody run into this problem?
RAC_1
Honored Contributor

Re: SSH account expired, telnet works

What is the exact message??
Run ssh -vvv (on client)
sshd -ddd and post the error message.

Anil
There is no substitute to HARDWORK
Scott Tinsley
Advisor

Re: SSH account expired, telnet works

SSHD debug
HP-UX Secure Shell stopped
mtdb01 338 : $ /opt/ssh/sbin/sshd -ddd
debug3: RNG is ready, skipping seeding
debug2: read_server_config: filename /opt/ssh/etc/sshd_config
debug1: sshd version OpenSSH_3.8 [ HP-UX_Secure_Shell-A.03.81.002 ]
debug3: Not a RSA1 key file /opt/ssh/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /opt/ssh/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 172.16.208.14 port 51009
debug1: Client protocol version 2.0; client software version OpenSSH_3.8
debug1: match: OpenSSH_3.8 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8
debug1: Pid 26643
debug2: Network child is on pid 26699
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 103:102
debug1: permanently_set_uid: 103/102
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 1024 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: dh_gen_key: priv key bits set: 129/256
debug2: bits set: 527/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 534/1024
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: monitor_read: checking request 4
debug3: mm_request_receive_expect entering: type 5
debug3: mm_answer_sign
debug3: mm_request_receive entering
debug3: mm_answer_sign: signature 40022d28(143)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user campnd service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: monitor_read: checking request 6
debug3: mm_request_receive_expect entering: type 7
debug3: mm_answer_pwnamallow
debug3: mm_request_receive entering
debug3: auth_shadow_acctexpired: today 12657 sp_expire 0 days left -12657
Account campnd has expired
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 0
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
input_userauth_request: illegal user campnd
debug3: mm_request_receive entering
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug3: monitor_read: checking request 3
debug3: mm_auth2_read_banner entering
debug3: mm_answer_authserv: service=ssh-connection, style=
debug3: mm_request_send entering: type 8
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive_expect entering: type 9
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: monitor_read: checking request 8
debug3: mm_request_send entering: type 9
debug2: monitor_read: 8 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth_banner: sent
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: monitor_read: checking request 10
debug3: mm_request_receive_expect entering: type 11
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: user not authenticated
Failed none for illegal user campnd from 172.16.208.14 port 51009 ssh2
debug3: mm_request_receive entering
Failed none for illegal user campnd from 172.16.208.14 port 51009 ssh2
debug1: userauth-request for user campnd service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=campnd devs=
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: mm_sshpam_init_ctx
debug3: mm_request_send entering: type 48
debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX
debug3: monitor_read: checking request 48
debug3: mm_request_receive_expect entering: type 49
debug3: mm_answer_pam_init_ctx
debug3: mm_request_receive entering
debug3: PAM: sshpam_init_ctx entering
debug3: mm_request_send entering: type 49
debug3: mm_request_receive entering
debug3: mm_sshpam_init_ctx: pam_init_ctx failed
debug3: Trying to reverse map address 172.16.208.14.
Failed keyboard-interactive for illegal user campnd from 172.16.208.14 port 51009 ssh2
debug1: userauth-request for user campnd service ssh-connection method password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
Could not get shadow information for NOUSER
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: user not authenticated
Failed password for illegal user campnd from 172.16.208.14 port 51009 ssh2
debug3: Trying to reverse map address 172.16.208.14.
Failed password for illegal user campnd from 172.16.208.14 port 51009 ssh2
debug3: mm_request_receive entering
debug1: userauth-request for user campnd service ssh-connection method password
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: user not authenticated
Failed password for illegal user campnd from 172.16.208.14 port 51009 ssh2
Failed password for illegal user campnd from 172.16.208.14 port 51009 ssh2
debug3: mm_request_receive entering
debug1: userauth-request for user campnd service ssh-connection method password
debug1: attempt 4 failures 4
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: user not authenticated
Failed password for illegal user campnd from 172.16.208.14 port 51009 ssh2
Failed password for illegal user campnd from 172.16.208.14 port 51009 ssh2
debug3: mm_request_receive entering
Connection closed by 172.16.208.14
debug1: do_cleanup
debug1: do_cleanup



SSH -vvv on client


debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/campnd/.ssh/id_rsa
debug3: no such identity: /home/campnd/.ssh/id_rsa
debug1: Trying private key: /home/campnd/.ssh/id_dsa
debug3: no such identity: /home/campnd/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
campnd@mtdb01's password:
debug3: packet_send2: adding 64 (len 59 padlen 5 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
campnd@mtdb01's password:
debug3: packet_send2: adding 64 (len 59 padlen 5 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
campnd@mtdb01's password:
debug3: packet_send2: adding 64 (len 59 padlen 5 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).
RAC_1
Honored Contributor

Re: SSH account expired, telnet works

Post /usr/lbin/getprpw "user_name" (on the system where you are connecting to)

In order to isolate this, would it be possible for you to set ssh for public key exchange method? Generate the keys and put the public key in the authorized_keys file in the $HOME/.ssh dir on the server.

Anil
There is no substitute to HARDWORK
Steven E. Protter
Exalted Contributor

Re: SSH account expired, telnet works

Sounds like between the two machines the uid number and/or group id number is not consistent.

ssh is authenticating against a different user than telnet.

Though strings work, the OS uses numbers.

Run the id command on both machines for the user and compare the numeric output.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Scott Tinsley
Advisor

Re: SSH account expired, telnet works

Steven,

Not sure I follow you. You can use an ssh client from a Windows box to a Unix server. There is never a correspondence on UID required. If so, a Windows client would not work.

RAC,

getprpw output

mtdb01 348 : $ /usr/lbin/getprpw campnd
uid=303, bootpw=NO, audid=14, audflg=1, mintm=0, maxpwln=-1, exptm=90, lftm=120, spwchg=Fri Aug 27 09:17:38 2004, upwchg=Fri Aug 27 09:05:48 2004, acctexp=0, llog=-1, expwarn=10, usrpick=YES, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1, slogint=Fri Aug 27 10:05:05 2004, ulogint=Fri Aug 27 08:46:45 2004, sloginy=console, culogin=-1, uloginy=pts/ta, umaxlntr=-1, alock=NO, lockout=0000000


We are trying the key exchange for authentication. Will update you when we get the test completed.
Scott Tinsley
Advisor

Re: SSH account expired, telnet works

sshd debug output, which includes key authentication and also fails.

mtdb01 351 : $ /usr/sbin/sshd -d -d -d
debug3: RNG is ready, skipping seeding
debug2: read_server_config: filename /opt/ssh/etc/sshd_config
debug1: sshd version OpenSSH_3.8 [ HP-UX_Secure_Shell-A.03.81.002 ]
debug3: Not a RSA1 key file /opt/ssh/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /opt/ssh/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 172.16.208.14 port 53220
debug1: Client protocol version 2.0; client software version OpenSSH_3.8
debug1: match: OpenSSH_3.8 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8
debug1: Pid 9746
debug2: Network child is on pid 9747
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 103:102
debug1: permanently_set_uid: 103/102
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: monitor_read: checking request 0
debug3: mm_request_receive entering
debug3: mm_answer_moduli: got parameters: 1024 1024 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: dh_gen_key: priv key bits set: 125/256
debug2: bits set: 516/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 480/1024
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: monitor_read: checking request 4
debug3: mm_request_receive_expect entering: type 5
debug3: mm_answer_sign
debug3: mm_request_receive entering
debug3: mm_answer_sign: signature 40022d58(143)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user campnd service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: monitor_read: checking request 6
debug3: mm_request_receive_expect entering: type 7
debug3: mm_answer_pwnamallow
debug3: mm_request_receive entering
debug3: auth_shadow_acctexpired: today 12657 sp_expire 0 days left -12657
Account campnd has expired
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 0
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
input_userauth_request: illegal user campnd
debug3: mm_request_receive entering
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug3: monitor_read: checking request 3
debug3: mm_auth2_read_banner entering
debug3: mm_answer_authserv: service=ssh-connection, style=
debug3: mm_request_send entering: type 8
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive_expect entering: type 9
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: monitor_read: checking request 8
debug3: mm_request_send entering: type 9
debug2: monitor_read: 8 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth_banner: sent
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: monitor_read: checking request 10
debug3: mm_request_receive_expect entering: type 11
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: user not authenticated
Failed none for illegal user campnd from 172.16.208.14 port 53220 ssh2
debug3: mm_request_receive entering
Failed none for illegal user campnd from 172.16.208.14 port 53220 ssh2
debug1: userauth-request for user campnd service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug2: userauth_pubkey: disabled because of invalid user
Failed publickey for illegal user campnd from 172.16.208.14 port 53220 ssh2
debug1: userauth-request for user campnd service ssh-connection method publickey
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method publickey
debug2: userauth_pubkey: disabled because of invalid user
Failed publickey for illegal user campnd from 172.16.208.14 port 53220 ssh2
debug1: userauth-request for user campnd service ssh-connection method keyboard-interactive
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=campnd devs=
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: mm_sshpam_init_ctx
debug3: mm_request_send entering: type 48
debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX
debug3: monitor_read: checking request 48
debug3: mm_request_receive_expect entering: type 49
debug3: mm_answer_pam_init_ctx
debug3: mm_request_receive entering
debug3: PAM: sshpam_init_ctx entering
debug3: mm_request_send entering: type 49
debug3: mm_request_receive entering
debug3: mm_sshpam_init_ctx: pam_init_ctx failed
debug3: Trying to reverse map address 172.16.208.14.
Failed keyboard-interactive for illegal user campnd from 172.16.208.14 port 53220 ssh2
debug1: userauth-request for user campnd service ssh-connection method password
debug1: attempt 4 failures 4
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
Could not get shadow information for NOUSER
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: user not authenticated
Failed password for illegal user campnd from 172.16.208.14 port 53220 ssh2
debug3: Trying to reverse map address 172.16.208.14.
Failed password for illegal user campnd from 172.16.208.14 port 53220 ssh2
debug3: mm_request_receive entering
Connection closed by 172.16.208.14
debug1: do_cleanup
debug1: do_cleanup
Massimo Bianchi
Honored Contributor

Re: SSH account expired, telnet works

Hi,
from google:

> It seems as though the account is thought of as expired:
>
> debug3: mm_answer_pwnamallow
> debug3: auth_shadow_acctexpired: today 12604 sp_expire 0 days left -12604

That check only happens if PAM is disabled (just checked the 3.8.1p1
code, it's auth.c line 91 or so). Do you have "UsePAM yes" in your
sshd_config?

HTH,
Massimo
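
The log line quoted in the reply above can be checked mechanically. The following is an added example (not part of the original thread and not OpenSSH code): a Python triage script that reads sshd debug output, converts the day counts in the auth_shadow_acctexpired line to calendar dates, and flags the case seen here, where sp_expire is 0 and the "expiry date" is therefore 1970-01-01. The function names, verdict labels and the sshd_config fragment are assumptions made for this example; the log lines are copied from the thread.

```python
import re
from datetime import date, timedelta

EXPIRY_RE = re.compile(
    r"auth_shadow_acctexpired: today (-?\d+) sp_expire (-?\d+) days left (-?\d+)")
EXPIRED_RE = re.compile(r"^Account (\S+) has expired")
ILLEGAL_RE = re.compile(r"^Failed (\S+) for illegal user (\S+) from ")
EPOCH = date(1970, 1, 1)

# Lines copied from the sshd -ddd output posted in this thread.
SAMPLE_LOG = """\
debug3: mm_answer_pwnamallow
debug3: auth_shadow_acctexpired: today 12657 sp_expire 0 days left -12657
Account campnd has expired
input_userauth_request: illegal user campnd
Failed none for illegal user campnd from 172.16.208.14 port 51009 ssh2
Failed keyboard-interactive for illegal user campnd from 172.16.208.14 port 51009 ssh2
Failed password for illegal user campnd from 172.16.208.14 port 51009 ssh2
Failed password for illegal user campnd from 172.16.208.14 port 51009 ssh2
"""

# Constructed sshd_config fragment (not taken from the poster's system).
SAMPLE_CONFIG = """\
# constructed example
Protocol 2
UsePAM no
"""

def classify(today, sp_expire, days_left):
    """Label one expiry check. Shadow expiry fields count days since 1970-01-01."""
    if days_left != sp_expire - today:
        return "inconsistent"      # numbers do not match the logged arithmetic
    if sp_expire == -1:
        return "no-expiry"         # shadow convention: -1 means no expiry set
    if sp_expire == 0:
        return "epoch-zero"        # expiry read as day 0, i.e. 1970-01-01
    return "expired" if days_left < 0 else "valid"

def triage(log_text):
    """Return one finding per 'Account X has expired' event in sshd output."""
    findings, by_user, pending = [], {}, None
    for line in log_text.splitlines():
        line = line.strip()
        m = EXPIRY_RE.search(line)
        if m:
            pending = tuple(int(g) for g in m.groups())
            continue
        m = EXPIRED_RE.match(line)
        if m and pending:
            today, sp_expire, days_left = pending
            finding = {
                "user": m.group(1),
                "log_date": (EPOCH + timedelta(days=today)).isoformat(),
                "expiry_date": None if sp_expire == -1
                else (EPOCH + timedelta(days=sp_expire)).isoformat(),
                "verdict": classify(today, sp_expire, days_left),
                "rejected_methods": [],
            }
            findings.append(finding)
            by_user[finding["user"]] = finding
            pending = None
            continue
        m = ILLEGAL_RE.match(line)
        if m and m.group(2) in by_user:
            # An existing account reported as "illegal user" after the expiry check.
            methods = by_user[m.group(2)]["rejected_methods"]
            if m.group(1) not in methods:
                methods.append(m.group(1))
    return findings

def use_pam_setting(config_text):
    """Return the first UsePAM value in sshd_config text, or None if absent."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "usepam" and len(parts) == 2:
            return parts[1].strip().strip('"').lower()
    return None

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
    print("UsePAM:", use_pam_setting(SAMPLE_CONFIG))
```

An "epoch-zero" verdict together with a UsePAM value of "no" is the combination described in this thread; compare the result against the getprpw output for the account before changing anything.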
RAC_1
Honored Contributor

Re: SSH account expired, telnet works

Did some Google searching. It talks about setting use PAM to yes. Have you set use PAM to yes in the sshd_config file?

Anil
There is no substitute to HARDWORK
Scott Tinsley
Advisor

Re: SSH account expired, telnet works

Setting UsePAM to yes solved the problem.

We had done some poking around on Google but had not come across this information. Thanks for the help. Faster than the case we logged with

Still curious why this just became a problem. Pre PAM use, what did sshd use for authentication and why did it work until recently? Pre TCB use, we had a vanilla HPUX password file, no shadow file even around. So sshd could not have been using an old shadow file with erroneous expiration data. What would it have been using as its source of information if not the TCB?
Michael Selvesteen_2
Trusted Contributor

Re: SSH account expired, telnet works


HP Secure Shell uses "/etc/passwd" or "/etc/shadow" file for user authentication if it runs with "UsePAM no" option.

I think when PAM is enabled, the PAM module takes care of all the authentication types. So it should have correctly mapped TCB files and authentication should have succeeded.

Note: when the server runs in "UsePAM no" mode, the passwd expiry is checked only for password authentication, but when PAM is enabled every authentication method is subject to the check for password expiry.
Massimo Bianchi
Honored Contributor

Re: SSH account expired, telnet works

Hi,
in the README.text from the Secure Shell package there were some notes about the usage of usePAM on HP-UX systems, and there was the suggestion to use the default (yes).


HTH,
Massimo
Scott Tinsley
Advisor

Re: SSH account expired, telnet works

Thanks for everyone's help. I assigned points to both posts with the answer we received that helped us get out of the jam.