HPE Community
Operating System - HP-UX
1820114 Members
3467 Online
109619 Solutions
New Discussion юеВ

SSH Only on a Trusted System...

 
SOLVED
Go to solution
Jeff Carlin
Frequent Advisor

тАО02-25-2003 01:51 PM

тАО02-25-2003 01:51 PM

SSH Only on a Trusted System...

I have a system running 11.11 sitting in our DMZ. In the process of hardening this system, I have removed telnet (port 23) and only SSH (slogin) is allowed to this system. All is working fine at this point. Then I did the tsconvert and all users were expired. How can the users signon now and get prompted for their password change when there is no telnet and slogin only states: Permission Denied? What am I missing here??? I can???t be the first person to create a Bastion host, trusted with only SSH access???or am I?

Jeff
Where wisdom is called for, force is of little use. --Of course, a hammer does wonders for relieving stress.
0 Kudos
Reply
8 REPLIES 8
Sridhar Bhaskarla
Honored Contributor

тАО02-25-2003 01:59 PM

тАО02-25-2003 01:59 PM

Re: SSH Only on a Trusted System...

Jeff,

Unfortunately SSH cannot handle expired passwords. There is a missing link between ssh and the PAM modules.

However HP's secure shell based on openssh code can handle expired passwords. Install it if you can afford

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

There may be a patch available for this problem on openssh.org site. But it means recompiling the executables.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Reply
Robert-Jan Goossens
Honored Contributor

тАО02-25-2003 02:00 PM

тАО02-25-2003 02:00 PM

Re: SSH Only on a Trusted System...

Jeff,

take a look at next link

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x47b87680e012d71190050090279cd0f9,00.html

Hope it helps,

Robert-Jan.
0 Kudos
Reply
Jeff Carlin
Frequent Advisor

тАО02-25-2003 02:37 PM

тАО02-25-2003 02:37 PM

Re: SSH Only on a Trusted System...

Sri, I have installed the HP version of SSH T1471AA. Is there something I need to do to enable the password change feature?
Where wisdom is called for, force is of little use. --Of course, a hammer does wonders for relieving stress.
0 Kudos
Reply
Sridhar Bhaskarla
Honored Contributor

тАО02-25-2003 03:01 PM

тАО02-25-2003 03:01 PM

Re: SSH Only on a Trusted System...

Hi (Again),

No you do not need to. You will probably have to install libpam patches. For 11i, it will be
PHCO_24839 or later.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Reply
Donny Jekels
Respected Contributor

тАО02-25-2003 06:29 PM

тАО02-25-2003 06:29 PM

Solution

Re: SSH Only on a Trusted System...

Jeff,

I found this document on GIAC (SANS) Unix system hardening.

This was an exam entry that was tested and excepted by SANS.

Hope it helps. Sorry about you not being able to get back in your system. I know the feeling. ;~(
Donny

"Vision, is the art of seeing the invisible"
Reply
Keith Buck
Respected Contributor

тАО02-26-2003 05:44 AM

тАО02-26-2003 05:44 AM

Re: SSH Only on a Trusted System...

Jeff,

After installing T1471AA, the old sshd may still be running. You will need to stop that sshd and start the new one. Usually with versions of secure shell, this can be done with

kill -HUP

on the sshd process. Since I don't know what version you had before...no guarantees that the new version will autostart.

The usual cause of the error you are seeing is that sshd wasn't compiled with the correct compile options (having to do with PAM). The version from HP was compiled correctly in this regard, and I have seen it correctly prompt for passwords.

Also, if you're interested, you should check out HP-UX Bastille. It will walk you through the steps of creating a Bastion host, (possibly including steps you missed) and when it converts to trusted mode, it won't immediately expire all your passwords :)

Hope that helps.

-Keith
0 Kudos
Reply
Jeff Carlin
Frequent Advisor

тАО02-26-2003 06:51 AM

тАО02-26-2003 06:51 AM

Re: SSH Only on a Trusted System...

Sri, I will be trying the patch. It looks like it addresses some PAM issues.

BTW - this server has been rebooted several times after the tsconvert. I doubt that the old SSH is running anymore =)
Where wisdom is called for, force is of little use. --Of course, a hammer does wonders for relieving stress.
0 Kudos
Reply
Sridhar Bhaskarla
Honored Contributor

тАО02-26-2003 08:29 AM

тАО02-26-2003 08:29 AM

Re: SSH Only on a Trusted System...

Hi Jeff,

If possible, can you run sshd in debug mode and try connecting to it with an expired user and post the output?. (Run it with sshd -d flag on the server). During the debug mode, users will not be able to connect to the server while the existing connections will keep working.

Also you should be seeing some PAM errors in the syslog.log.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.