Operating System - HP-UX

UsePrivilegeSeparation Problem with openssh-3.7.1p2

 
Jairo Campana
Trusted Contributor


* Hello, I installed openssh-3.7.1p2 on my hpux11.0 server, which is running in trusted mode. When I execute:
------------------------------------------
# /usr/local/sbin/sshd
Privilege separation user sshd does not exist
---------------------------------------------
* This was solved with the following patch: PHNE_28312
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=319787
-------------------------------------
/usr/local/sbin/sshd
try login
login : test
acces denied
-----------------------------------------
* I modified sshd_config:
UsePrivilegeSeparation no
execute:
---------------------------------------------
# /usr/local/sbin/sshd
-------------------------------------------
try login
login:test
acces denied

tail -f /var/adm/syslog/syslog.log
May 6 13:20:09 whdux1 sshd[6650]: User test not allowed because account is locked
May 6 13:20:14 whdux1 sshd[6650]: Failed password for illegal user test from 172.31.195.241 port 4504

The password is correct and the user is not locked.

Where is the problem?

legionx
3 REPLIES
Mel Burslan
Honored Contributor

Re: UsePrivilegeSeparation Problem with openssh-3.7.1p2

I am not sure if you already checked this out, but:

ID=test
STATUS=$(/usr/lbin/getprpw -l -r -m lockout $ID)

case "$STATUS" in
"0000001" ) echo "New User Account: never been logged in yet."
;;
"0000010" ) echo "User Account DISABLED: LOCKED OUT by admin."
;;
"0000011" ) echo "New User Account: never logged in, DISABLED by admin."
;;
"0001000" ) echo "User Account DISABLED: too many password retries."
;;
"0001001" ) echo "New User Account: never logged in, too many pw retries."
;;
"0000000" ) echo "User Account is active."

* ) echo "Unknown status, $STATUS. Please check."

esac



if the userid is locked then these commands should bring it back alive:

#unlock user
/usr/lbin/modprpw -l -m alock=NO $ID
# Resets incorrect login count
/usr/lbin/modprpw -k $ID

hope it helps
________________________________
UNIX because I majored in cryptology...
Jairo Campana
Trusted Contributor

Re: UsePrivilegeSeparation Problem with openssh-3.7.1p2

correct: add ;;
;;
* ) echo "Unknown status, $STATUS. Please check."
esac

Result:
#./test
User Account is active.
#

The account is active.
Try login: access denied.
The problem is with the UsePrivilegeSeparation option of openssh-3.7.1p2,
but I cannot solve this.



legionx
Jairo Campana
Trusted Contributor

Re: UsePrivilegeSeparation Problem with openssh-3.7.1p2

Solved my problem: I installed ssh secure HPUX.

Privilege separation, or privsep, is a method in OpenSSH by which
operations that require root privilege are performed by a separate
privileged monitor process. Its purpose is to prevent privilege
escalation by containing corruption to an unprivileged process.
More information is available at:
http://www.citi.umich.edu/u/provos/ssh/privsep.html

The problem is with privilege separation in OpenSSH:
http://www.chiark.greenend.org.uk/ucgi/~cjwatson/cvsweb/openssh/README.privsep?annotate=1.1.1.4

Privsep requires operating system support for file descriptor passing.
Compression will be disabled on systems without a working mmap MAP_ANON.
PAM-enabled OpenSSH is known to function with privsep on Linux.
It does not function on HP-UX with a trusted system
legionx
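
Added example, not part of the thread: the two syslog lines in the opening post show sshd rejecting the account on policy ("not allowed because account is locked") and then logging "Failed password for illegal user" from the same PID, so the password itself was never the cause. The sketch below separates such policy rejections from ordinary wrong-password failures; the function name and the third log line are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the first two lines are the syslog lines quoted in the
# opening post; the third is a constructed ordinary wrong-password failure.
SAMPLE_LOG='May 6 13:20:09 whdux1 sshd[6650]: User test not allowed because account is locked
May 6 13:20:14 whdux1 sshd[6650]: Failed password for illegal user test from 172.31.195.241 port 4504
May 6 13:21:40 whdux1 sshd[6702]: Failed password for alice from 192.0.2.10 port 4511'

# classify_failures (hypothetical helper): reads syslog text on stdin and
# prints one line per "Failed password" event as "<pid> <user> <verdict>".
classify_failures() {
    awk '
    # Reduce the "sshd[NNNN]:" tag to the numeric PID.
    function pid_of(tag,   p) { p = tag; gsub(/[^0-9]/, "", p); return p }

    $5 ~ /^sshd\[[0-9]+\]:$/ {
        pid = pid_of($5)

        # Policy rejection: sshd refused the account before the password
        # was evaluated. Remember it per (pid, user).
        if ($6 == "User" && $8 == "not" && $9 == "allowed") {
            denied[pid, $7] = 1
            next
        }

        if ($6 == "Failed" && $7 == "password") {
            # Message is either "for illegal user NAME" or "for NAME".
            user = ($9 == "illegal" && $10 == "user") ? $11 : $9
            # Same session already rejected by policy: the password is not
            # the cause, so look at account state instead.
            verdict = ((pid, user) in denied) ? "account-policy" : "bad-password"
            print pid, user, verdict
        }
    }'
}

# Run against the embedded sample; on a live system, feed it
# /var/adm/syslog/syslog.log instead.
printf '%s\n' "$SAMPLE_LOG" | classify_failures
```

An "account-policy" verdict points at the account state sshd sees (here, the trusted-system lock check) rather than at the credentials.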