Re: SSH passwordless login to HP-UX

Constantin Stefanov
New Member

SSH passwordless login to HP-UX

I've got a system with:
======================================================
-bash-3.00$ uname -mrsv
HP-UX B.11.11 U 9000/800
-bash-3.00$ ssh -V
OpenSSH_3.9, OpenSSL 0.9.7d 17 Mar 2004
HP-UX Secure Shell-A.03.91.002, HP-UX Secure Shell version
======================================================
I made a public/private key pair and tried to log in using it. Everything worked. But then I changed the password hash field in /etc/passwd for that user to '*' (to prevent password login for it - it will never be needed). And then ssh refused to log in with that user and asked for a password.
I added 'debug' as an option to every line in pam.conf and got the following:
======================================================

Apr 5 11:55:17 server2 syslog: pam_sm_acct_mgmt: 17 0 backup
Apr 5 11:55:17 server2 syslog: pam_sm_acct_mgmt: error 17
Apr 5 11:55:17 server2 syslog: pam_sm_acct_mgmt: exiting, error 17
Apr 5 11:55:17 server2 syslog: pam_acct_mgmt: error User account has expired
Apr 5 11:55:18 server2 syslog: unix pam_sm_authenticate(sshd backup), flags = 2
Apr 5 11:55:19 server2 syslog: pam_authenticate: error Authentication failed
Apr 5 11:55:19 server2 sshd[11897]: error: PAM: Authentication failed for backup from host.my.tld
Apr 5 11:55:20 server2 sshd[11897]: unix pam_sm_authenticate(sshd backup), flags = 2
Apr 5 11:55:20 server2 sshd[11897]: pam_authenticate: error Authentication failed
Apr 5 11:55:20 server2 sshd[11897]: Failed password for backup from xx.xx.xx.xx port 1430 ssh2
Apr 5 12:03:49 server2 sshd[24089]: pam_setcred: error Authentication failed

======================================================
'backup' is the user name I try to log on to.
I do not want to disable PAM for ssh, but I do want to disable logon to user backup in any way other than via public/private key (including local login).
How do I achieve this?
Steven E. Protter
Exalted Contributor

Re: SSH passwordless login to HP-UX

Follow the attached Word doc. X is not needed, cat will work fine. Pay attention to permissions.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Constantin Stefanov
New Member

Re: SSH passwordless login to HP-UX

I managed to log in without a password. It worked. But after I changed the second field in /etc/passwd for that user to * (that field contains the password hash), public key login ceased to work.
And I want to have a special user which can log in only with public key auth, and cannot log in with a password even locally. If I set any password for that user, everything works fine with the same commands. But I want to have no valid password which can be used for login (the usual way for that is an asterisk in the password hash field). But with that '*' ssh does not let me log in via public key auth.
Gary L. Paveza, Jr.
Trusted Contributor

Re: SSH passwordless login to HP-UX

I don't think you can disable the password like this. If I'm not mistaken a * in the password field tells the system that the account is locked - and therefore ssh should rightfully deny access as this user.
Steven E. Protter
Exalted Contributor

Re: SSH passwordless login to HP-UX

You never should have touched /etc/passwd.

You do not want to deactivate passwords.

The procedure I gave you allows for a public key exchange, which enables the users only via ssh, sftp and scp to have password-free connectivity.

Your additional step is a security issue and should be reversed.

Change the user password with the passwd command. This should not affect password-free ssh connectivity.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
RAC_1
Honored Contributor

Re: SSH passwordless login to HP-UX

Putting 8 in the password field will lock the user. HP-UX comes with built-in tcp wrappers. Prepare /etc/hosts.deny and add the user to it.

Something like:

telnetd : user_name

Anil
There is no substitute to HARDWORK
Ermin Borovac
Honored Contributor
Solution

Re: SSH passwordless login to HP-UX

How about placing a single character (e.g. x) in the encrypted password field? ssh should still work via public-key authentication. No password string will ever encrypt to a single character, so login via password entry would be impossible.
Constantin Stefanov
New Member

Re: SSH passwordless login to HP-UX

Well, I made something like this (I put a random sequence of characters in the password hash field with a * inside, so I think it will not map to any password). But on other OSes (like FreeBSD and some Linuxes) a * in the password field worked.
Concerning adding that user to hosts.deny - well, I am not quite sure that every service will look there (for example, su). And I want to disable login to that account completely, with any password. When using ssh, I use the "command" option in authorized_keys to enforce execution of only one command.
The idea to put 'x' instead of '*' is the best solution, I think. Thanks.
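Added example, not from the thread: a small POSIX sh audit that classifies the second field of passwd-style entries the way this thread does (leading '*' locks the account so even public-key ssh is refused, a single character such as 'x' leaves the account usable but with no password that can ever match, an empty field means no password at all). The passwd lines and hash values below are constructed samples.

```sh
#!/bin/sh
# Added example (not from the thread): classify the password field of passwd-style
# entries as discussed above. All sample data below is constructed.

# classify_pwfield FIELD -> prints one of: empty, locked, nopassword, hashed
classify_pwfield() {
    case "$1" in
        '')   echo empty ;;       # no password at all: password login needs no secret
        \**)  echo locked ;;      # leading '*': HP-UX PAM reports the account as expired
                                  # (error 17 in the pam_acct_mgmt log above), so even
                                  # public-key ssh is refused
        ?)    echo nopassword ;;  # single character such as 'x': no password string hashes
                                  # to it, yet the account is not locked, so key auth works
        *)    echo hashed ;;      # anything longer is assumed to be a real password hash
    esac
}

# audit_passwd FILE -> one line per user: "user<TAB>classification"
audit_passwd() {
    while IFS=: read -r user pw rest; do
        [ -n "$user" ] || continue
        printf '%s\t%s\n' "$user" "$(classify_pwfield "$pw")"
    done < "$1"
}

# Constructed sample in /etc/passwd format (the root hash is a fake placeholder).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:abcdefghijklm:0:3::/:/sbin/sh
backup:*:105:20:key-only account, locked:/home/backup:/usr/bin/sh
report:x:106:20:key-only account, not locked:/home/report:/usr/bin/sh
guest::107:20:no password at all:/home/guest:/usr/bin/sh
EOF

audit_passwd "$SAMPLE"
rm -f "$SAMPLE"
```

Run it against a copy of a real /etc/passwd to spot service accounts that are locked outright (and will fail PAM account management) versus ones that merely have no usable password.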
Constantin Stefanov
New Member

Re: SSH passwordless login to HP-UX

And why do I not want to deactivate passwords? What are the security issues with that? On other OSes it is quite a usual way to make some service accounts with no ability to log in. How do I make such an account with the passwd command? I need an account which is accessible _only_ via ssh with a command tied to a specific key and inaccessible via any other method.
David de Beer
Valued Contributor

Re: SSH passwordless login to HP-UX

Depends on which version of ssh you are using; the new versions have PAM disabled by default and you have to specifically change some settings in another file to make PAM work.

ssh doesn't have anything to do with /etc/passwd, other than seeing if the user exists.

You need to generate your keys without passwords as well.

As root:

/usr/local/bin/ssh-keygen -t dsa -N ''

That will generate a NULL password.

You will also need to take these keys and add them to the /.ssh/authorized_keys file. Take the id_dsa.pub and place it on the other machine you want to ssh to without using a password. You probably know all this already, but I thought I'd just explain it again.

Works fine on our machines, can ssh without passwords - no problem.

We use the following config for /etc/local/etc/openssh/sshd_config:

UsePAM yes

That's it.

David de Beer.
Constantin Stefanov
New Member

Re: SSH passwordless login to HP-UX

My ssh version is in my original post. As far as I understand, it is PAM that denies access (moreover, I am almost sure that it is pam_unix's account module - look at the log in the post).
Now I have UsePAM set to 'yes' in sshd_config. I do not want to disable it completely, but if there is a possibility to disable it for that particular user, it would be very nice.