
Trusted Systems and SSH

 
SOLVED
corkbuster
Occasional Contributor

Trusted Systems and SSH

Am deploying WRQ's Reflection Suite for X Version 10 so users can connect via X11 to HP-UX 11.00 system with HP Secure Shell 3.50.

Connections are fine. Problem arises when login messages are sent. Users are not seeing messages that "their password will expire in 10 days" or "You are required to change your password". This only happens when X11 connections are made.

Before disabling telnet and ftp, this has to be resolved. Has anyone seen a similar problem?
Bill Hassell
Honored Contributor
Solution

Re: Trusted Systems and SSH

SSH is not telnet so some of the 'normal' login messages may not be seen. You can use /usr/lbin/getprpw daily to create a file with usernames and expiration days. Then /etc/profile can be modified to search through this file for the current user and produce the expiration message.


Bill Hassell, sysadmin
Steven E. Protter
Exalted Contributor

Re: Trusted Systems and SSH

I would implement Bill's suggestion as follows:

/usr/lbin/getprpw > /tmp/expirelist.dat

in .profile

EXPIRE=$(cat /tmp/expirelist.dat | grep -i "$LOGNAME" | wc -l)

if [ "$EXPIRE" -ge 1 ]
then

#
# Read the /tmp/expirelist.dat file in detail and echo days to expiration

echo "Your password expires in X days do you want to change it(y/n)?"

read a

if [ "$a" = "y" ]
then
passwd
fi

fi

Bill's idea creates good material to work with. I was stumped before he posted.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
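
An added example, not part of any post in this thread: the /etc/profile lookup described in the two replies above, written to compare the username as a whole field and to read the list from a root-owned path rather than /tmp, where any local user could plant or replace the file. The record format (username:days_left), the path /etc/pwexpire.list and the function names are assumptions; how the daily job derives days_left from getprpw is not shown.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed list format, one record per
# line: username:days_left. Path and format are hypothetical.

# Print days_left for exactly USER ($1) from FILE ($2); print nothing if absent.
days_until_expiry() {
    [ -r "$2" ] || return 0
    # Whole-field comparison: "bob" must not match "bobby" (grep -i would).
    awk -F: -v u="$1" '$1 == u && $2 ~ /^-?[0-9]+$/ { print $2; exit }' "$2"
}

# Print the login message for USER ($1) from FILE ($2) with warning window $3.
expiry_message() {
    days=$(days_until_expiry "$1" "$2")
    [ -n "$days" ] || return 0      # unknown user or malformed record: silent
    if [ "$days" -le 0 ]; then
        echo "You are required to change your password."
    elif [ "$days" -le "$3" ]; then
        echo "Your password will expire in $days days."
    fi
}

# Constructed sample records for a stand-alone run.
sample_list() {
    printf '%s\n' 'bob:45' 'bobby:7' 'carol:0' 'dave:soon'
}

# Stand-alone demonstration on the constructed sample (in /etc/profile the
# call would be: expiry_message "$LOGNAME" /etc/pwexpire.list 10).
demo_file=$(mktemp) || exit 1
sample_list > "$demo_file"
for u in bob bobby carol dave; do
    printf '%s: %s\n' "$u" "$(expiry_message "$u" "$demo_file" 10)"
done
rm -f "$demo_file"
```
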
corkbuster
Occasional Contributor

Re: Trusted Systems and SSH

Thank you, we were barking up the same tree, just needed a little syntax nudge.

The limitations of ssh connections are becoming clearer.
1. login messages as described above are not seen when using X11 connections via SSH, but are seen when using SSH alone.

2. If an account requires a password change before continuing, or the account is locked, the SSH connection terminates without any reason shown to the user.

Thanks for all your help
Bill Hassell
Honored Contributor

Re: Trusted Systems and SSH

Just a note about X11. It is VERY common for Xwindow configurations to bypass 'normal' logins. This is especially true for the 3 terminal emulators: dtterm, xterm and dtterm. This is easily fixed by placing a file called .Xdefaults in the HOME directory of the 11.0 server. Put the following string into it:

echo '*loginShell: true' > $HOME/.Xdefaults

This will set the default behavior for the terminal emulators to actually login and run /etc/profile, etc. You can add other Xresources to this file (see the man page for each client like dtterm).


Bill Hassell, sysadmin
John de Villiers
Frequent Advisor

Re: Trusted Systems and SSH

We had the same problem with account expiries. We handled it the following way.

Disable expiry on all accounts. Load pam_ntlm and let the users authenticate with the very same passwords they use on the NT domain. The NT domain can handle the expiry and everything.

John