Operating System - HP-UX

Re: ssh pam and tcp_wrappers

 
Aaron Sheard
Frequent Advisor

ssh pam and tcp_wrappers

I have successfully upgraded to ssh3.4, and have changed the startup to use inetd.conf with tcp_wrappers.

My problem now is, I can ssh to the host with the root account, but any other user accounts fail, and the message in syslog is:

fatal: PAM session setup failed[33]: General Commercial Security error

What I can't understand is that it works for root but no one else. Has anyone had this problem? I am running 11i "trusted system"
"uh, hey... did we get a good backup last night?"
Thomas D. Harrison
Frequent Advisor

Re: ssh pam and tcp_wrappers

This isn't the exact answer but it might help. It regards a similar problem with ftp.

http://support1.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000034057880
Imbibo ergo sum.
Thomas D. Harrison
Frequent Advisor

Re: ssh pam and tcp_wrappers

I believe this has something to do with the /etc/rc.config.d/comsec configuration file.
( it starts the ttsyncd daemon ). I know it's not much of a solution but it might give you some key words to search on.

Good Luck!

Thom :^)
Imbibo ergo sum.
Aaron Sheard
Frequent Advisor

Re: ssh pam and tcp_wrappers

Thanks. I'll check it out. It's odd that root works fine though, just not regular users.
"uh, hey... did we get a good backup last night?"
Aaron Sheard
Frequent Advisor

Re: ssh pam and tcp_wrappers

Ok, re: the first link: the line referenced in the file inside /tcb has the right entry.

The other one, comsec, is for NIS+ servers. I don't use NIS at all, so that one is not applicable.

It seems to have something to do with PAM, but I am confused because root login works, not others. But I don't see how it could be a permissions problem.
"uh, hey... did we get a good backup last night?"
doug hosking
Esteemed Contributor

Re: ssh pam and tcp_wrappers


The error code isn't very helpful in this case. :-(
How long ago did you convert to a trusted system?
One of the side effects of doing that is that
passwords are immediately expired. There was a bug
in PAM where the wrong error code was being passed
back in the case of expired passwords. I'm not sure
how that would show up in the case of ssh.
If you haven't yet reset the password for the non-root user in
question, you might be tripping over that PAM bug.

I would suggest you try:
1) explicitly resetting the password of the user (with passwd)
and see if that changes the behavior
2) installing patch PHCO_24839 (11.11 PAM patch)

You are already looking at /var/adm/syslog/syslog.log, which
often has more helpful hints about what's going wrong in such
cases.

Aaron Sheard
Frequent Advisor

Re: ssh pam and tcp_wrappers

I ended up installing the pre-compiled version made available by HP - it isn't the latest, but it works..
"uh, hey... did we get a good backup last night?"
Richard Ross
Regular Advisor

Re: ssh pam and tcp_wrappers

Aaron,

What piece did you reinstall? I'm having the same problem. Can ssh into root, but receive the 'PAM session setup failed' on any other user.

I just upgraded to:
openssh to 3.4p1
tcpwrappers 7.5
zlib 1.1.4

This is on an hpux 11.0 Trusted system.
Aaron Sheard
Frequent Advisor

Re: ssh pam and tcp_wrappers

I never did get it to compile. I ended up installing this one.

https://payment.ecommerce.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=T1471AA&date=
"uh, hey... did we get a good backup last night?"
Richard Ross
Regular Advisor

Re: ssh pam and tcp_wrappers

Aaron,

Found the problem.

openssh 3.4p1 defaults to turning sshd privsep ON. This is not supported on an HP Trusted system. You will need to vi sshd_config and turn off UsePrivilegeSeparation.

Recycle sshd and all works fine.

Unfortunately, this is only documented if you download the openssh source.
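
The check described in the last reply, as an added example that is not part of the thread or of OpenSSH: a shell function that reports the effective UsePrivilegeSeparation value of an sshd_config. It assumes that keywords are case-insensitive, that the first occurrence of a keyword wins, and that a missing keyword means the 3.4p1 default of "yes" stated above; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the effective UsePrivilegeSeparation setting.
# Assumptions: first occurrence of a keyword wins, keywords are
# case-insensitive, and an absent keyword means "yes" (3.4p1 default per the thread).

privsep_setting() {
    # $1 = path to an sshd_config file; prints the effective value
    awk '
        /^[ \t]*#/ { next }                  # commented-out lines do not count
        /^[ \t]*$/ { next }                  # skip blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)        # keyword ends at whitespace or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n)
            gsub(/^[ \t=]+|[ \t]+$/, "", val)
            if (key == "useprivilegeseparation") { print val; found = 1; exit }
        }
        END { if (!found) print "yes" }      # nothing set: default applies
    ' "$1"
}

check_privsep() {
    # Returns 0 when privilege separation is explicitly off, 1 otherwise.
    setting=$(privsep_setting "$1")
    if [ "$setting" = "no" ]; then
        echo "$1: UsePrivilegeSeparation is off"
        return 0
    fi
    echo "$1: UsePrivilegeSeparation is effectively '$setting';" \
         "on a Trusted system expect 'PAM session setup failed' for non-root users"
    return 1
}

if [ $# -gt 0 ]; then
    check_privsep "$1"
else
    # Constructed sample: the setting is only present as a comment, so the default applies.
    sample=${TMPDIR:-/tmp}/sshd_config.sample.$$
    printf 'Port 22\nProtocol 2\n#UsePrivilegeSeparation no\n' > "$sample"
    check_privsep "$sample" || true
    rm -f "$sample"
fi
```

Run it with the path to the sshd_config in use as its only argument; after changing the file, sshd still has to be restarted as described above.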