HPE Community
Operating System - HP-UX
1820478 Members
2918 Online
109624 Solutions
New Discussion юеВ

UsePrivilegeSeparation Problem with openssh-3.7.1p2

 
Jairo Campana
Trusted Contributor

тАО05-06-2004 04:25 AM

тАО05-06-2004 04:25 AM

UsePrivilegeSeparation Problem with openssh-3.7.1p2

*Hello , I installed openssh-3.7.1p2 in my Server hpux11.0 , when execute , my server running in mode trusted
------------------------------------------
# /usr/local/sbin/sshd
Privilege separation user sshd does not exist
---------------------------------------------
* this solution with the following patch PHNE_28312
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=319787
-------------------------------------
/usr/local/sbin/sshd
try login
login : test
acces denied
-----------------------------------------
*I modified in sshd_config
UsePrivilegeSeparation no
execute:
---------------------------------------------
# /usr/local/sbin/sshd
-------------------------------------------
try login
login:test
acces denied

tail -f /var/adm/syslog/syslog.log
May 6 13:20:09 whdux1 sshd[6650]: User test not allowed because account is locked
May 6 13:20:14 whdux1 sshd[6650]: Failed password for illegal user test from 172.31.195.241 port 4504

The password is correct and the users no this locked.

where this the problem

legionx
0 Kudos
Reply
3 REPLIES 3
Mel Burslan
Honored Contributor

тАО05-06-2004 04:36 AM

тАО05-06-2004 04:36 AM

Re: UsePrivilegeSeparation Problem with openssh-3.7.1p2

I am not sure if you already checked this out but :

ID=test
STATUS=$(/usr/lbin/getprpw -l -r -m lockout $ID)

case "$STATUS" in
"0000001" ) echo "New User Account: never been logged in yet."
;;
"0000010" ) echo "User Account DISABLED: LOCKED OUT by admin."
;;
"0000011" ) echo "New User Account: never logged in, DISABLED by admin."
;;
"0001000" ) echo "User Account DISABLED: too many password retries."
;;
"0001001" ) echo "New User Account: never logged in, too many pw retries."
;;
"0000000" ) echo "User Account is active."

* ) echo "Unknown status, $STATUS. Please check."

esac



if the userid is locked then these commands should bring it back alive:

#unlock user
/usr/lbin/modprpw -l -m alock=NO $ID
# Resets incorrect login count
/usr/lbin/modprpw -k $ID

hope it helps
________________________________
UNIX because I majored in cryptology...
0 Kudos
Reply
Jairo Campana
Trusted Contributor

тАО05-06-2004 05:35 AM

тАО05-06-2004 05:35 AM

Re: UsePrivilegeSeparation Problem with openssh-3.7.1p2

correct: add ;;
;;
* ) echo "Unknown status, $STATUS. Please check."
esac

Result:
#./test
User Account is active.
#

the count this active.
try login: acces denied
the problem this with UsePrivilegeSeparation optinon of openssh-3.7.1p2
but I cannot solve this



legionx
0 Kudos
Reply
Jairo Campana
Trusted Contributor

тАО05-07-2004 12:29 AM

тАО05-07-2004 12:29 AM

Re: UsePrivilegeSeparation Problem with openssh-3.7.1p2

solved my problem , installe ssh secure HPUX

Privilege separation, or privsep, is method in OpenSSH by which
operations that require root privilege are performed by a separate
privileged monitor process. Its purpose is to prevent privilege
escalation by containing corruption to an unprivileged process.
More information is available at:
6: http://www.citi.umich.edu/u/provos/ssh/privsep.html

the problem is with Privilege separation of openssh :
http://www.chiark.greenend.org.uk/ucgi/~cjwatson/cvsweb/openssh/README.privsep?annotate=1.1.1.4

Privsep requires operating system support for file descriptor passing.
Compression will be disabled on systems without a working mmap MAP_ANON.PAMM-enabled OpenSSH is known to function with privsep on Linux.
It does not function on HP-UX with a trusted system
legionx
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.