- Re: SSH passwordless login to HP-UX
04-06-2005 03:37 AM
======================================================
-bash-3.00$ uname -mrsv
HP-UX B.11.11 U 9000/800
-bash-3.00$ ssh -V
OpenSSH_3.9, OpenSSL 0.9.7d 17 Mar 2004
HP-UX Secure Shell-A.03.91.002, HP-UX Secure Shell version
======================================================
I made a public/private key pair and tried to log in using it. Everything worked. But then I changed the password hash field in /etc/passwd for that user to '*' (to prevent it from password login - it will never be needed). And then ssh refused to log in with that user and asked for a password.
I added 'debug' as option to every line in pam.conf and got the following:
======================================================
Apr 5 11:55:17 server2 syslog: pam_sm_acct_mgmt: 17 0 backup
Apr 5 11:55:17 server2 syslog: pam_sm_acct_mgmt: error 17
Apr 5 11:55:17 server2 syslog: pam_sm_acct_mgmt: exiting, error 17
Apr 5 11:55:17 server2 syslog: pam_acct_mgmt: error User account has expired
Apr 5 11:55:18 server2 syslog: unix pam_sm_authenticate(sshd backup), flags = 2
Apr 5 11:55:19 server2 syslog: pam_authenticate: error Authentication failed
Apr 5 11:55:19 server2 sshd[11897]: error: PAM: Authentication failed for backup from host.my.tld
Apr 5 11:55:20 server2 sshd[11897]: unix pam_sm_authenticate(sshd backup), flags = 2
Apr 5 11:55:20 server2 sshd[11897]: pam_authenticate: error Authentication failed
Apr 5 11:55:20 server2 sshd[11897]: Failed password for backup from xx.xx.xx.xx port 1430 ssh2
Apr 5 12:03:49 server2 sshd[24089]: pam_setcred: error Authentication failed
======================================================
'backup' is the user name I try to log on to.
I do not want to disable PAM for ssh, but I do want to disable logon to user backup in any way other than via public/private key (including local login).
How do I achieve this?
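Added example (not part of the original post): a shell function that separates sshd failures caused by the PAM account check from plain credential failures, run over log lines quoted above plus one constructed line. Attributing an account-check error to the next sshd PID seen in the log is a heuristic assumed for this sketch.

```shell
# Sample input: lines from the post above, plus one constructed line (alice).
sample_log() {
    cat <<'EOF'
Apr 5 11:55:17 server2 syslog: pam_sm_acct_mgmt: exiting, error 17
Apr 5 11:55:17 server2 syslog: pam_acct_mgmt: error User account has expired
Apr 5 11:55:19 server2 syslog: pam_authenticate: error Authentication failed
Apr 5 11:55:19 server2 sshd[11897]: error: PAM: Authentication failed for backup from host.my.tld
Apr 5 11:55:20 server2 sshd[11897]: Failed password for backup from xx.xx.xx.xx port 1430 ssh2
Apr 5 12:10:01 server2 sshd[30001]: Failed password for alice from 192.0.2.7 port 2200 ssh2
EOF
}

# Reads syslog text on stdin; prints "<user> <cause>" once per distinct pair.
classify_pam_failures() {
    awk '
        /pam_acct_mgmt: error/ {
            # Remember the reason text, e.g. "User account has expired".
            reason = $0
            sub(/.*pam_acct_mgmt: error /, "", reason)
            pending = 1
            next
        }
        match($0, /sshd\[[0-9]+\]/) {
            pid = substr($0, RSTART, RLENGTH)
            # Assumption: the first sshd PID after the error owns it.
            if (pending) { blamed[pid] = reason; pending = 0 }
            if ($0 !~ /(PAM: Authentication failed|Failed password) for /) next
            user = $0
            sub(/.* for /, "", user)
            sub(/ from .*/, "", user)
            cause = (pid in blamed) ? ("account-check: " blamed[pid]) : "credentials"
            key = user " " cause
            if (!(key in seen)) { seen[key] = 1; print user, cause }
        }
    '
}

sample_log | classify_pam_failures
```

A failure reported as `account-check` means the key or password was never the deciding factor; the account itself was rejected.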
04-06-2005 03:54 AM
Re: SSH passwordless login to HP-UX
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
04-06-2005 04:09 AM
Re: SSH passwordless login to HP-UX
And I want to have a special user which can log in only with public key auth, and cannot log in with a password even locally. If I set any password for that user, everything works fine with the same commands. But I want to have no valid password which can be used for login (the usual way for that is an asterisk in the password hash field). But with that '*' ssh does not let me log in via public key auth.
04-06-2005 05:41 AM
Re: SSH passwordless login to HP-UX
04-06-2005 06:46 AM
Re: SSH passwordless login to HP-UX
You do not want to deactivate passwords.
The procedure I gave you allows for a public key exchange, which enables the users only via ssh, sftp and scp to have password free connectivity.
Your additional step is a security issue and should be reversed.
Change the user password with the passwd command. This should not affect password free ssh connectivity.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
04-06-2005 07:30 AM
Re: SSH passwordless login to HP-UX
something like
telned : user_name
Anil
04-06-2005 05:16 PM
Solution
04-06-2005 06:58 PM
Re: SSH passwordless login to HP-UX
Concerning adding that user to hosts.deny - well, I am not quite sure that every service will look there (for example, su). And I want to disable login to that account completely, with any password. When using ssh, I use the "command" option in authorized_keys to enforce execution of only one command.
An idea to put 'x' instead of '*' is the best solution, I think. Thanks.
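Added example (not part of the original post): a shell function that audits an authorized_keys file and reports which keys carry a forced `command="..."` option and which are unrestricted. The sample keys, the command path and the assumption that key types begin with `ssh-`, `ecdsa-` or `sk-` are constructed for this sketch.

```shell
# Constructed sample authorized_keys content (key data is placeholder text).
sample_authorized_keys() {
    cat <<'EOF'
command="/usr/local/bin/run-backup",no-pty,no-port-forwarding ssh-dss AAAA-constructed backup@host
ssh-dss AAAA-constructed admin@host
# a comment line
from="10.0.0.1",no-pty ssh-rsa AAAA-constructed ops@host
environment="X=command=\"ls\"",no-pty ssh-rsa AAAA-constructed trick@host
EOF
}

# Reads authorized_keys text on stdin; prints "<line-no> forced|unrestricted".
audit_forced_commands() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            status = "unrestricted"
            if (line !~ /^(ssh-|ecdsa-|sk-)/) {      # an options field leads
                inq = 0; opt = ""; n = length(line)
                for (i = 1; i <= n; i++) {
                    c = substr(line, i, 1)
                    # Keep an escaped quote inside a quoted value.
                    if (c == "\\" && inq && substr(line, i + 1, 1) == "\"") {
                        opt = opt c "\""; i++; continue
                    }
                    if (c == "\"") inq = !inq
                    # An unquoted comma or blank ends the current option.
                    if (!inq && (c == "," || c == " " || c == "\t")) {
                        if (tolower(opt) ~ /^command="/) status = "forced"
                        opt = ""
                        if (c != ",") break          # options field is over
                        continue
                    }
                    opt = opt c
                }
            }
            print NR, status
        }
    '
}

sample_authorized_keys | audit_forced_commands
```

The last sample line shows why the options are parsed rather than grepped: `command=` appears only inside a quoted `environment` value, so that key is still unrestricted.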
04-06-2005 07:08 PM
Re: SSH passwordless login to HP-UX
04-06-2005 08:19 PM
Re: SSH passwordless login to HP-UX
Depends on which version of ssh you are using, the new versions have PAM disabled by default and you have to specifically change some settings in another file to make PAM work.
ssh doesn't have anything to do with /etc/passwd, other than seeing if the user exists.
You need to generate your keys, without passwords as well.
As root:
/usr/local/bin/ssh-keygen -t dsa -N ''
That will generate a NULL password.
You will also need to take these keys and add them to the /.ssh/authorized_keys file. Take the id_dsa.pub and place it on the other machine you want to ssh to without using a password. You probably know all this already, but - thought I'd just explain it again.
Works fine on our machines, can ssh without passwords - no problem.
We use the following config for /etc/local/etc/openssh/sshd_config:
UsePAM yes
That's it.
David de Beer.
04-07-2005 02:25 AM
Re: SSH passwordless login to HP-UX
Now I have UsePAM set to 'yes' in sshd_config. I do not want to disable it completely, but if there is a possibility to disable it for that particular user, it would be very nice.