
Trust System + ssh

 
yaron daniel
Frequent Advisor

Trust System + ssh

Hi all

I moved my system to Trust-System mode, and now I cannot log in to the system with ssh:
I get the password prompt and after writing the password I get connection closed.
It worked before the move to Trust-System, it looks like a configuration problem (maybe at pam) ??? I do not have much data in the syslog.log file. Any tips ...
the truth is out there
Simon Hargrave
Honored Contributor

Re: Trust System + ssh

Perhaps you could post: -

- any errors in syslog
- any errors you see on screen
- your /etc/sshd/sshd_config file
Michael Selvesteen_2
Trusted Contributor

Re: Trust System + ssh

Please tell us the version of SSH server and client. The debug output from server and client will also be helpful.

Some things to try

1. Normally, when the system is converted to Trusted mode all the users' passwords are expired. - Check whether your password has expired.

2. Do you use NIS or NIS+?

Mauro Gatti
Valued Contributor

Re: Trust System + ssh

Are you able to login via console?
Ubi maior, minor cessat!
Mauro Gatti
Valued Contributor

Re: Trust System + ssh

If you are not able to log in in any way (console included), have a look at your /etc/nsswitch.conf file.
I had your same problem converting my server after a new installation.
Some configurations of nsswitch.file are not supported by trusted systems.
I corrected my nsswitch file using only files and dns (not "compact" entries) and it has come back to work fine.


Ubi maior, minor cessat!
Muthukumar_5
Honored Contributor

Re: Trust System + ssh

Is it working for other login services?
Try to enable verbose with ssh -vvv and post output.

hth.
Easy to suggest when don't know about the problem!
yaron daniel
Frequent Advisor

Re: Trust System + ssh

Hello All

I installed this version: T1471AA A.04.00.000 HP-UX Secure Shell.
I do not use NIS or NIS+. Here is the output file with all the answers:
the truth is out there
Michael Selvesteen_2
Trusted Contributor

Re: Trust System + ssh

Hmm...From your logs everything seems to be normal. To broaden the analysis, please post your server debug messages.

Use /opt/ssh/sbin/sshd -ddde for debug output
generic_1
Respected Contributor

Re: Trust System + ssh

Hello.
When you convert your system to trusted, accounts tend to get locked for a variety of reasons.

Run /usr/lbin/getprpw accountname

Look and make sure the lockout= is all 0s and alock= is no or false.

You can correct a locked account with
/usr/lbin/modprpw -k username
or -v to reset expire time.

Also, as far as ssh, you will be prompted for your password unless you have valid keys on both sides set up correctly and you have a null passphrase. Double check your permissions/ownerships too on the key files and directories. That can cause you grief too :) and security problems too.
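Added example (not part of the post above, and not HP code): a small POSIX shell check for the two fields that post says to inspect, lockout= and alock=. It assumes getprpw prints comma-separated key=value pairs; the two sample strings are constructed and abridged, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed, abridged samples of `getprpw` output (assumed "key=value, key=value" layout).
SAMPLE_OK='uid=104, bootpw=NO, audid=12, audflg=1, mintm=-1, exptm=-1, alock=NO, lockout=0000000'
SAMPLE_LOCKED='uid=105, bootpw=NO, audid=13, audflg=1, mintm=-1, exptm=-1, alock=YES, lockout=0001001'

# prpw_field FIELD TEXT
# Print the value of FIELD from the key=value text, or nothing if it is absent.
prpw_field() {
    printf '%s\n' "$2" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        awk -F= -v k="$1" '$1 == k { print $2; exit }'
}

# prpw_status TEXT
# Print "ok" when lockout is all zeros and alock is no/false,
# otherwise print the field(s) that need attention.
prpw_status() {
    lockout=$(prpw_field lockout "$1")
    alock=$(prpw_field alock "$1")
    reasons=""
    case "$lockout" in
        "")     reasons="lockout=missing" ;;     # field not present at all
        *[!0]*) reasons="lockout=$lockout" ;;    # at least one lock bit is set
    esac
    case "$alock" in
        [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]) ;;        # administrator lock not set
        *) reasons="${reasons:+$reasons }alock=${alock:-missing}" ;;
    esac
    printf '%s\n' "${reasons:-ok}"
}

# Demo on the constructed samples.
# On a trusted system: prpw_status "$(/usr/lbin/getprpw username)"
prpw_status "$SAMPLE_OK"
prpw_status "$SAMPLE_LOCKED"
```

Any result other than "ok" names the field to look at before unlocking the account as described in the post.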
yaron daniel
Frequent Advisor

Re: Trust System + ssh

Hi
Here is the output of the sshd with debug.
the truth is out there
Mauro Gatti
Valued Contributor

Re: Trust System + ssh

Try to check the home directory and $HOME/.ssh directory permissions of the user who is making the connection.
Home has to be at least 755 (drwxr-xr-x) and .ssh has to be 700 (drwx------)

RGDS

Mauro
Ubi maior, minor cessat!
Michael Selvesteen_2
Trusted Contributor

Re: Trust System + ssh

Hello Daniel,

I guess you have missed attaching the debug file. Please attach it.

Also, once the system is converted to trusted, the ssh login process will be as shown below

# ssh -l localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 6a:e4:7d:67:93:78:39:29:4e:ab:6b:af:98:00:37:8f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
Password:
Last successful login for : Mon Aug 1 17:04:51 IST-5:30 2005
Last unsuccessful login for : NEVER
Your password has expired.
Changing password for
Old password:

These messages are not present in your logs. If possible try to convert back to normal system and use /etc/tsconvert to convert again to trusted.

yaron daniel
Frequent Advisor

Re: Trust System + ssh

Hi

Sorry, here is the file:

I also converted the system back and ssh works great; converted to trust-system again, ssh does not work.

the truth is out there
Ermin Borovac
Honored Contributor

Re: Trust System + ssh

Just a guess but does it work with privilege separation turned off?

In /opt/ssh/etc/sshd_config set

UsePrivilegeSeparation no

and restart sshd.

BTW as other folks have requested you should really provide most detailed debug trace (e.g. with -ddd). It looks like you ran sshd with only one -d.
Denver Osborn
Honored Contributor
Solution

Re: Trust System + ssh

also try password auth with your ssh client connection. From your last sshd debug output, it didn't try passwd auth but instead keybd interactive... that's where it failed. See if you get better results w/ password auth and if it's good we'll troubleshoot from there.


ssh -vvv -o PreferredAuthentications=password username@hostname


hope this helps,
-denver
generic_1
Respected Contributor

Re: Trust System + ssh

Check the accounts you are using with /usr/lbin/getprpw username
Make sure they didn't get locked or expired after converting.

I posted how to fix those above.

Also glance at /etc/securetty and make sure it's ok. Have you tried an account besides root?
yaron daniel
Frequent Advisor

Re: Trust System + ssh

Hi All

I tried:
ssh -vvv -o PreferredAuthentications=password username@hostname, and it works !!!
But I did not find this option in the ssh_config or sshd_config files.
How can I make it permanent ?

10x
the truth is out there
Denver Osborn
Honored Contributor

Re: Trust System + ssh

Good deal. Looks like something w/ pam and going to trusted. I don't have any time to look at it, but might later. Try a search in the forums for "sshd pam trusted" to see what's out there.

-denver
Todd Whitcher
Esteemed Contributor

Re: Trust System + ssh

In the ./ssh/ssh_config configure


PreferredAuthentications password