
Re: trusted system

 
piyut_2
Frequent Advisor

trusted system

dear all,

I just changed to trusted system. When I tried to ssh, I only can with user root. The common user can't remote with ssh. What's wrong??

many thanks,

piyut
Gordon  Morrison
Trusted Contributor

Re: trusted system

Hi Piyut,
Do you mean you can't log in via ssh (as another user) without a password, or not at all? Does it say something like "can't verify remote host... are you sure you want to connect?" If so, answer "yes".
Is this a new ssh installation, or was ssh working on this host before?
Does telnet still work?
Are you sure that this user account is not locked/disabled? To re-enable it:
/usr/lbin/modprpw -k username

Also check the value of IgnoreUserKnownHosts in /opt/ssh/etc/sshd_config - If it's 'yes' that could be your problem
What does this button do?
piyut_2
Frequent Advisor

Re: trusted system

Yes, I can't log in via ssh as another user; only user root can log in via ssh. Before I changed to trusted system, another user could log in via ssh. This user is not locked.
piyut_2
Frequent Advisor

Re: trusted system

When I try to ssh to localhost:

# ssh prasz@localhost
prasz@localhost's password:
Connection to localhost closed by remote host.
Connection to localhost closed.
# ssh root@localhost
root@localhost's password:
Last successful login for root: Tue Mar 8 18:39:25 wib-7 2005 on pts/0
Last unsuccessful login for root: Tue Mar 8 17:40:05 wib-7 2005 on pts/ta
Last login: Tue Mar 8 18:39:25 2005 from 10.2.133.62
(c)Copyright 1983-2000 Hewlett-Packard Co., All Rights Reserved.
(c)Copyright 1979, 1980, 1983, 1985-1993 The Regents of the Univ. of California
(c)Copyright 1980, 1984, 1986 Novell, Inc.
(c)Copyright 1986-1992 Sun Microsystems, Inc.
(c)Copyright 1985, 1986, 1988 Massachusetts Institute of Technology
(c)Copyright 1989-1993 The Open Software Foundation, Inc.
(c)Copyright 1986 Digital Equipment Corp.
(c)Copyright 1990 Motorola, Inc.
(c)Copyright 1990, 1991, 1992 Cornell University
(c)Copyright 1989-1991 The University of Maryland
(c)Copyright 1988 Carnegie Mellon University
(c)Copyright 1991-2000 Mentat Inc.
(c)Copyright 1996 Morning Star Technologies, Inc.
(c)Copyright 1996 Progressive Systems, Inc.
(c)Copyright 1991-2000 Isogon Corporation, All Rights Reserved.


RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the U.S. Government is subject to
restrictions as set forth in sub-paragraph (c)(1)(ii) of the Rights in
Technical Data and Computer Software clause in DFARS 252.227-7013.

Hewlett-Packard Company
3000 Hanover Street
Palo Alto, CA 94304 U.S.A.

Rights for non-DOD U.S. Government Departments and Agencies are as set
forth in FAR 52.227-19(c)(1,2).
#


Gordon  Morrison
Trusted Contributor

Re: trusted system

Try ssh -v hostname
That should give you more output, and hopefully show why it's failing
You can also do ssh -vv or even ssh -vvv to get even more output.
What does this button do?
RAC_1
Honored Contributor

Re: trusted system

When you convert to trusted mode, all accounts will expire. Just do /usr/lbin/modprpw -V and you should be fine.
If not, then post ssh -vvv and sshd -ddd (from server side)

Anil
There is no substitute to HARDWORK
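
Added example, not part of any reply in this thread: when a trusted-system account is refused, the protected password database records the reason, and `/usr/lbin/getprpw -m lockout username` reports it as seven 0/1 flags. This sketch decodes that value; the function name `decode_lockout` and the sample values are constructed for illustration, not captured from the poster's host.

```shell
#!/bin/sh
# Decode the "lockout" field reported by HP-UX getprpw for a trusted-system
# account. Each position, left to right, is a flag: 1 = condition present.
# On the HP-UX host itself: /usr/lbin/getprpw -m lockout <username>

decode_lockout() {
    # $1 is a line such as "lockout=0001000"
    bits=${1#lockout=}
    case $bits in
        [01][01][01][01][01][01][01]) ;;
        *) echo "unrecognised lockout value: $1" >&2; return 2 ;;
    esac
    if [ "$bits" = "0000000" ]; then
        echo "not locked"
        return 0
    fi
    pos=1
    while [ "$pos" -le 7 ]; do
        flag=$(printf '%s' "$bits" | cut -c "$pos")
        if [ "$flag" = "1" ]; then
            case $pos in
                1) echo "past password lifetime" ;;
                2) echo "past last login time (inactive account)" ;;
                3) echo "past absolute account lifetime" ;;
                4) echo "exceeded unsuccessful login attempts" ;;
                5) echo "password required and a null password" ;;
                6) echo "admin lock" ;;
                7) echo "password is a *" ;;
            esac
        fi
        pos=$((pos + 1))
    done
    return 1   # non-zero: at least one lock condition is set
}

# Constructed sample values, not output from a real host.
for sample in "lockout=0000000" "lockout=1000000" "lockout=0001010"; do
    echo "$sample:"
    decode_lockout "$sample" | sed 's/^/  /'
done
```

The function returns 0 for an unlocked account, 1 when any flag is set and 2 for input it cannot parse, so it can gate a follow-up step in a script.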
Gordon  Morrison
Trusted Contributor

Re: trusted system

> When you convert to trusted mode, all accounts will expire.

Woah!!! Talk about reading the small print!
Who wrote tsconvert? A lawyer?;o)
What does this button do?
piyut_2
Frequent Advisor

Re: trusted system

Guys,

we must install:
1. OpenSSL_A.00.09.07-d.006_HP-UX_B.11.11_32+64.depot
2. T1471AA_A.03.71.000_HP-UX_B.11.11_32+64.depot

and all users can log in via ssh.


thanks for all,

piyut
piyut_2
Frequent Advisor

Re: trusted system

Oh god!!!

Mount point / is at 98% after trusted system was installed. This mount point always grows. How come???
Gordon  Morrison
Trusted Contributor

Re: trusted system

/tcb is where the trusted system files are installed, and that is by default on the root filesystem ( / )

Are /opt /var /tmp and /usr separate filesystems? They should be.
What does this button do?
piyut_2
Frequent Advisor

Re: trusted system

Because / reached 100% when audit log was on, last night I turned audit off. This morning, my system is back to an untrusted system; no one changed it, and all users including root are deactivated. I must reactivate users and the system asks me to provide a new password. How come??
Gordon  Morrison
Trusted Contributor

Re: trusted system

How did you turn auditing off?

(P.S. Don't forget to assign points for answers that helped you. If you go to your profile page, you can see all the questions you have posted. As long as you haven't closed a thread, you can still assign points for answers to that question:o)
What does this button do?
Bill Hassell
Honored Contributor

Re: trusted system

A couple of things:

tsconvert has no man page because it was not designed to be used separately from SAM. It is located in the /usr/lbin directory which is called a "backend command" directory. That means that the contents are undocumented, designed for use by a parent command (like SAM) and subject to change without notice. tsconvert has been 'stable' since the days of 10.xx but that's why its use requires extra research. When SAM converts to Trusted, it runs tsconvert and modprpw -V.

When you convert to Trusted, the login command now looks at every character in the password. In a standard system, login looks at just the first 8 and silently ignores the rest. In a Trusted system, any extra characters beyond 8 are part of the security check and it will fail when users type more than 8 chars for their old password. Now users can always login with the 8 char limit and change their password to a longer one if desired.


Bill Hassell, sysadmin