SSH + ActiveDirectory / LDAP + HP-UX 11.11
10-12-2009 10:27 PM
I've discovered that Secure_Shell 5.10 on HP-UX 11.11 has some problems. I don't know if they're pre-existing, but they don't seem to be present on HP-UX 11.23.
Firstly, if you enable "UseLogin yes" then X11 forwarding doesn't happen.
If you set "UseLogin no" then you can log in but you don't get LDAP-defined auxiliary groups. Any groups of which you are a member in /etc/group -- they work fine. Any groups which are defined in ActiveDirectory (LDAP) don't appear.
Regardless of how you set UseLogin, if you run "ssh the-server some command" that command will run without any LDAP-defined auxiliary groups. (Because "login" doesn't get invoked at all in this situation regardless of UseLogin).
Also, regardless of UseLogin or protocol version, if you get your password wrong, you will be prompted again for a password, but there's no point in typing anything because even if you get it right, you will be rejected. And the fun part is that you will get asked three times, which is just enough to have your login disabled in ActiveDirectory if you're running with a default group policy. ;-(
Finally, for protocol version 2 (not protocol version 1), almost no pam.conf configuration works for password logins. The best I've been able to do is the following, in which you will get prompted for a password, then again prompted for "LDAP password". As long as you type your password
sshd auth sufficient libpam_unix.1
sshd auth sufficient libpam_ldap.1 try_first_pass
Replacing "try_first_pass" with "use_first_pass" (which you would think would make sure there is only one password prompt) just makes it impossible to log in.
Bizarrely, the "try_first_pass" configuration is fine for ssh version 1 and you only get asked once.
This is all quite consistent across half a dozen HP-UX 11.11 boxes. And the 11.23 boxes chuff along merrily with none of these problems.
----
Anyone else seen this same behaviour, or am I going crazy?
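The option semantics the post relies on, modelled as an added example (not code from the post, from HP or from any PAM module): it parses the two quoted pam.conf lines and counts the password prompts the generally documented meanings of "sufficient", "try_first_pass" and "use_first_pass" would produce. The account name, password and helper names are constructed for illustration.

```python
# Added example: documented PAM auth-stack semantics, not HP-UX module code.
# Constructed input: the two pam.conf lines quoted in the post.
PAM_CONF = """\
sshd auth sufficient libpam_unix.1
sshd auth sufficient libpam_ldap.1 try_first_pass
"""

def parse_stack(text, service, mod_type="auth"):
    """Return [(control, module, options)] for one service, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[:2] == [service, mod_type]:
            stack.append((fields[2], fields[3], fields[4:]))
    return stack

def simulate(stack, accepts, typed):
    """Walk the stack; return (login_ok, prompts_shown).

    accepts: module -> password it would accept (missing = user unknown to it)
    typed:   what the user types at each successive prompt
    """
    typed = iter(typed)
    state = {"cached": None, "prompts": 0}

    def ask():
        state["prompts"] += 1
        state["cached"] = next(typed, "")
        return state["cached"]

    passed = failed = False
    for control, module, opts in stack:
        good = accepts.get(module)
        if "use_first_pass" in opts:      # reuse earlier password, never prompt
            ok = state["cached"] is not None and state["cached"] == good
        elif "try_first_pass" in opts and state["cached"] is not None:
            ok = state["cached"] == good or ask() == good   # prompt on mismatch
        else:
            ok = ask() == good
        if control == "sufficient" and ok and not failed:
            return True, state["prompts"]
        if control == "requisite" and not ok:
            return False, state["prompts"]
        if control in ("required", "requisite"):
            passed, failed = passed or ok, failed or not ok
    return passed and not failed, state["prompts"]

if __name__ == "__main__":
    ad_only = {"libpam_ldap.1": "s3cret"}   # hypothetical AD-only account
    print(simulate(parse_stack(PAM_CONF, "sshd"), ad_only, ["s3cret"]))
```

Under these semantics an AD-only account gets a single prompt with either option, so the double prompt and the failed "use_first_pass" login reported above are deviations from the documented behaviour rather than a consequence of the stack order.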
10-13-2009 11:20 PM
Solution
No real advice by me. But did you notice that version 5.20 is available https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA ? You should give it a try... maybe it works.
My 2 cents,
Armin
And now for something completely different...