HPE Community
Operating System - HP-UX
1825706 Members
3317 Online
109686 Solutions
New Discussion

Re: Trusted system breaks login!

 
SOLVED
Go to solution
Mark Ferraretto
Advisor

‎02-09-2001 01:34 AM

‎02-09-2001 01:34 AM

Trusted system breaks login!

Hello all,

I'm running HP-UX 11.00.01 on a L2000. I've got the December 2000 patch bundle installed and a few extra patches that have been issued since then as well.

My problem is that when I convert to a trusted system I can't log in any more! Not even as root from the console. Every login comes back saying 'Login incorrect'. I checked the syslog and there's nothing logged there. lastb shows the logins as bad logins. I used SAM to check the accounts and they were all active and had valid passwords. I checked /.secure and /tcb and the structures and permissions look OK there too. Once I unconverted all the logins worked OK. It's like the login executable can't find the passwords when it's a trusted system. Same goes for ftp and OpenSSH (which I built myself).

If I do a tsconvert I don't get any error messages - it all seems to appear to work OK and a tsconvert -r switches it right back no probs.

It's like everything is working just fine except no-one can log in. I've heard of a secure system but this is ridiculous!

I've done stacks of these conversions before without a problem. There was one thing I did differently this time. Usually I install and patch the system myself. But this system was pre-installed and had the September 2000 patches installed. I copied the December XSWGR1100 and XSWHWCR1100 patches plus my extras, perl, zlib, egd.pl openssl and openssh into one big software depot and installed everything all at once. Normally I've done the recommended patches first off the cd, then the extras off the cd, then the extra software. Anyway, it's the only thing I've changed!

Thanks


Mark
0 Kudos
Reply
4 REPLIES 4
Mark Ferraretto
Advisor

‎02-09-2001 02:07 AM

‎02-09-2001 02:07 AM

Re: Trusted system breaks login!

Some more info.

Here is a syslog message when root attempts to login (remote root logins are allowed):

Feb 9 05:06:05 zuxdev2 : unix pam_sm_authenticate(login root), flags = 0
Feb 9 05:06:07 zuxdev2 : pam_authenticate: error No account present for user
Feb 9 05:06:07 zuxdev2 : LOGIN: pam_authenticate error

A couple of things to note. First of all, why is there not account present?
Second, the log timestamp is 05:06 but the actual time (as per the system's clock) was 18:06. All other syslog messages are being recorded with the correct time except for the PAM ones. They're 13 hours slow. We're in Hong Kong and yes, the timezone is set correctly.
0 Kudos
Reply
Dan Hetzel
Honored Contributor

‎02-09-2001 02:16 AM

‎02-09-2001 02:16 AM

Re: Trusted system breaks login!

Hi Mark,

I've done the same as you, i.e. copying the December General Release Bundle Patch in a software depot on one of my servers and installed all patches from there. No problem at all after converting to trusted mode.

Did you select the 'match_target' option when installing?

Best regards,

Dan

PS: You have a really secure system now ;-)
Everybody knows at least one thing worth sharing -- mailto:dan.hetzel@wildcroft.com
0 Kudos
Reply
Alex Glennie
Honored Contributor

‎02-09-2001 02:30 AM

‎02-09-2001 02:30 AM

Solution

Re: Trusted system breaks login!

Could this be worth checking as it was a pre-installed system ?

After checking for all the obvious trusted system problems, (NIS, -t lock files under /tcb, running pwck and authck -pv),

a getprpw failed with the following error.
# /usr/lbin/getprpw mikesaa

user password file not found: mikesaa

After checking file /etc/nsswitch.conf it was determined
that the file that was copied into place was nsswitch.hp_defaults.

According to the comments in nsswitch.hp_defaults, it is used for NIS (YP) in conjunction with files. But since the "passwd:" entry in this file only specifies "compat", it was not checking the /tcb files for authentication.


Copying /etc/nsswitch.files to /etc/nsswitch.conf resolved the getprpw and the login problems.

See the nsswitch.conf(4) man page for more information on the contents of the /etc/nsswitch.conf file.
Reply
Mark Ferraretto
Advisor

‎02-09-2001 06:35 PM

‎02-09-2001 06:35 PM

Re: Trusted system breaks login!

Thanks. I set the password line to files in /etc/nsswitch.conf and all is well.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.