HPE Community
Operating System - HP-UX
1834148 Members
1959 Online
110064 Solutions
New Discussion

SSH (Secure Shell) A.05.10.006 and LDAP fails on trusted system (HP-UX 11iv1)

 
Han Barnat
Occasional Advisor

‎02-11-2009 04:40 AM

‎02-11-2009 04:40 AM

SSH (Secure Shell) A.05.10.006 and LDAP fails on trusted system (HP-UX 11iv1)

We have recently upgraded Secure Shell from A.05.00.024 to A.05.10.006.
The system we are using is a HP-UX 11iv1, a trusted system. We are also using LDAP as the resource for password authentication for a group of users.
This always worked fine, except after the last upgrade of Secure Shell.
The behaviour has been changed, only the local password is accepted, the LDAP password is no longer accepted. There have been no changes in the configuration files like /etc/pam.conf (which is in fact a copy of pam.ldap.trusted.)

There are no usefull error messages in the log file, using ssh with verbose messages (ssh -v) does not shown any problems.

It is also observed that after succesfully logging in using the local password, a sudo to root (sudo su -) is accepted when the LDAP password has been typed in. So the system does accept the LDAP password, but only when the first login has been passed using the local password. I can't explain why the sudo password check acts differently than the normal login.

Reverting back to the previous Secure Shell is possible (swinstall + option downgrade allowed), everything is running fine again and the LDAP password is accepted as usual.

The patch level of the 11iv1 is december 2008, using an older patch level does not change the above behaviour.

The LDAP server is running Red Hat Directory Server v7. (B.07.10.30), this server seems to be running fine. There are no issues with HP-UX clients running older releases of Secure Shell.

I have copied the pam.ldap to pam.conf for test purposes. This means a pam.conf configuration for a NON-trusted system running on a trusted system. This worked, however the first attempt to login failed. A second password entry with (again) the LDAP password is accepted however. So the sequence is slighty changed.
The original trusted pam.conf gives the option to enter the password again after a first failed attempt but then the LDAP password is not accepted at all. Only the local password is accepted.

Any ideas?
0 Kudos
3 REPLIES 3
Steven E. Protter
Exalted Contributor

‎02-11-2009 04:58 AM

‎02-11-2009 04:58 AM

Re: SSH (Secure Shell) A.05.10.006 and LDAP fails on trusted system (HP-UX 11iv1)

Shalom,

Seems like you have hit a bug. I recommend reporting it and reverting to the previous version of Secure Shell.

If you have a support contract HP may make the version available to you if you don't happen to have it laying around.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Han Barnat
Occasional Advisor

‎02-26-2009 07:02 AM

‎02-26-2009 07:02 AM

Re: SSH (Secure Shell) A.05.10.006 and LDAP fails on trusted system (HP-UX 11iv1)

The problem has been resolved by placing a software support call at HP.

The fix is new release of Secure Shell A.5.10 which has not been released yet on the software.hp.com website.
The release info is:
A.05.10.033 for HP-UX 11i version 1

There will probably be newer release later which incorporate the fix.

So be sure to grab the latest A.5.10.xxx release to avoid any problems.

0 Kudos
Han Barnat
Occasional Advisor

‎02-26-2009 07:03 AM

‎02-26-2009 07:03 AM

Re: SSH (Secure Shell) A.05.10.006 and LDAP fails on trusted system (HP-UX 11iv1)

See above comments.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.