Making progress, but OpenSSH still won't work.

Jason Balinski · ‎10-29-2004

After heavily searching these forums I've gotten most of Insight Manager configured. I'm still having trouble with the initial psp deployment due to the Open SSH software.

I've done the 2003 workaround and I'm finally able to do an "mxagentconfig", but it only works if I use either "localhost" or 127.0.0.1 as the Hostname. If I use the external address, the hostname or the DNS name of the server it fails every time with "Failed to establish connection to [hostname]". I'm running this from the CMS.

From SIM, I no longer get the authentication errors, I now get:
EXCEPTION CLASS: com.hp.mx.dtf.sshClient.MxSshFailedConnectionException
EXCEPTION: Unable to contact the SSH server on node "host.domain.com".

Can someone please point me in the right direction? I'm growing extermely tired of this process - at this point there's no way I could duplicate the install on another box if I had to. (sorry for the venting...)

Maybe there's a security policy that's causing these problems for me? I'd greatly appreciate any help.

Aravindh Rajaram · ‎10-29-2004

see attachment

Scott_278 · ‎11-01-2004

AMicSys is right - install OpenSSH on the target machine. If you're using the local Administrator account and have renamed it, there are additional steps that need to be taken.

Jason Balinski · ‎11-01-2004

I'm using an administrative account, but not the real administrative account as it's been renamed. I believe I have done the extra steps required to get the alternate admin account to work, using:

mkpasswd -l -u *admin* > c:\progra~1\openssh\etc\passwd

For now I'm trying to use the CMS as the target just to get SOMETHING working. From the console on the CMS when I use mxagentconfig, I can connect as long as I use 127.0.0.1 or localhost. When I use the CMS's external IP address or hostname, still from the CMS console, mxagentconfig fails.

I don't believe this is an ID/password issue, it's more like a security setting that's too tight not allowing me to go to the network redirector and back.

Thanks for the help so far and any more you can provide is greatly appreciated.

Scott_278 · ‎11-01-2004

So your the account you used to install OpenSSH is *admin* ? If so, what's the path of the user's profile? Is it C:\Documents and Settings\Administrator? If so, edit the C:\Program Files\OpenSSH\etc\passwd file with Notepad. At the end of the line, you will see an etry like /home/admin. If the user's profile is C:\Documents and Settings\Administrator, edit the password entry to be /home/Administrator. Restart the OpenSSH service, and try mxagentconfig again.

Jason Balinski · ‎11-01-2004

The *admin* login is not the default administrator account, it's a new account that I created and added to the administrator's group. I also added that account to the local security policies where the OpenSSH readme file says to for the 2003 workaround.

Let me just restate that I am able to successfully use mxagentconfig to login when i use the loopback address, but the real IP of the CMS does not work.

Scott_278 · ‎11-01-2004

Let me get this straight...you're running mxagentconfig from the CMS, trying to connect to a target machine? Or is this all about using mxagentconfig to connect to the CMS using something other than the loopback?

If this is the case, are you giving MXAGENTCONFIG the *administrator* or *admin* credentials? And what are the contents of the C:\program files\openssh\etc\passwd file?

Scott_278 · ‎11-01-2004

I meant if mxagentconfig is failing on a machine other than the CMS, then:

If this is the case, are you giving MXAGENTCONFIG the *administrator* or *admin* credentials? And what are the contents of the C:\program files\openssh\etc\passwd file?

Jason Balinski · ‎11-01-2004

Let me get this straight...you're running mxagentconfig from the CMS, trying to connect to a target machine? Or is this all about using mxagentconfig to connect to the CMS using something other than the loopback?

If this is the case, are you giving MXAGENTCONFIG the *administrator* or *admin* credentials? And what are the contents of the C:\program files\openssh\etc\passwd file?

I am running mxagentconfig from the CMS trying to connect to the CMS. It works if I use the loopback, but not if I use the CMS IP address - both should point to the same place. Very wierd problem, like I said I think it might point to more of a security policy issue, but I don't even know where to start in that area.

I've added three id's to the passwd file using the command:

mkpasswd -l -u [id] > c:\progra~1\openssh\etc\passwd

I can login using all of them as long as I use that loopback address.

Scott_278 · ‎11-01-2004

If it were me, I'd be inclined not to worry about it. Once you've made the connection, then you've got the certificates in place.

I've never bothered to look at which addresses I could connect to on the CMS, so I won't be of much help. If you have trouble connecting to other boxes, then I may be of assistance.

Jason Balinski · ‎11-01-2004

Scott, Thanks for your help so far! Anyhow, the reason I'm worried about it is that I cannot run any tools from the web interface because the CMS cannot use OpenSSH to "shell out" to run the commands. I.E. I can't do an initial push of a support paq, nor can I even run a simple NetStat command.

The reason for all of this is that the CMS uses the DNS name which resolves to the external IP when it tries to connect to OpenSSH. If I could somehow make it use the 127.0.0.1 address then it would be a non-issue, although I doubt that would work anyway.

Scott_278 · ‎11-01-2004

Someone else should confirm, but I don't think SIM allows you do update or run any of these tools against the CMS anyhow.

Jason Balinski · ‎11-01-2004

I can't run the tools against any box though, because SIM can't talk to the OpenSSH service. I get this error:

EXCEPTION CLASS: com.hp.mx.dtf.sshClient.MxSshFailedConnectionException
EXCEPTION: Unable to contact the SSH server on node "host.domain.com".

Thanks...

Scott_278 · ‎11-01-2004

So we're back to where we started. OK, forget about the CMS not connecting to the IP of the CMS. Let's focus on the target machine.

This is the deal...the C:\program files\openssh\etc\passwd file has an entry that points to the "home" directory of the user who installed OpenSSH. Let's assume that account was the local "administrator". The passwd file would have /home/administrator in it. The "/home" part equates to the base folder of that user's profile - in this case, C:\documents and Settings\Administrator.

So...what account did you install openssh with, what is the profile path for that user (type SET and look at the USERPROFILE variable), what are the contents of the passwd file?

Jason Balinski · ‎11-01-2004

Here are the contents of that file:

boxster:unused_by_nt/2000/xp:1003:513:boxster,U-EITINFRA02\boxster,S-1-5-21-3935383152-2057740328-1672152018-1003:/home/boxster:/bin/switch
lightning:unused_by_nt/2000/xp:1008:513:lightning,U-EITINFRA02\lightning,S-1-5-21-3935383152-2057740328-1672152018-1008:/home/lightning:/bin/switch
corvette:unused_by_nt/2000/xp:1007:513:Service Account,U-EITINFRA02\corvette,S-1-5-21-3935383152-2057740328-1672152018-1007:/home/corvette:/bin/switch

I used a completely different account to install the software. However, I believe as part of the 2003 workaround I deleted the file that was originally placed here and recreated it with the mkpasswd command.

Scott_278 · ‎11-01-2004

I should have stated this - is this the passwd file on the target server or the CMS? And what is the account you used to install SSH on the target server?

Jason Balinski · ‎11-01-2004

The ID I logged in with to install this software was a domain ID, it shows up nowhere in the passwd file.

I haven't even gotten to any target servers yet. My problem is that I cannot connect to that service on the CMS. Because I can't connect to it on the CMS, I cannot do an initial push of a support pack to any other boxes.

Scott_278 · ‎11-01-2004

I'm sorry, but you keep losing me. Hopefully someone else can help you.

Scott_278 · ‎11-11-2004

Jason - are you will watching this thread?

Jason Balinski · ‎11-11-2004

Yes, but I've moved the CMS to another machine. After the new install, I'm running more smoothly. I'm not having the network name vs. IP issue anymore. I am still having issues, but I can make an SSH connection to the server now. MXagentconfig also works fine. I've checked the passwd file and the correct path is there, and I have the .ssh folder under the user it's running as. My only remaining issue is that SIM itself still won't run anything from the command line.

Scott_278 · ‎11-11-2004

Good. I was going to tell you that I had to open a case with HP regarding SSH - it's been escalated up the chain now, and I'm fairly certain its a bug. If you attempt to run MXAGENTCONFIG against a target *before* you edit the passwd file, you can never make a successful connection, even after you edit the file/reinstall/etc... I'll post a message in this thread when it comes to a conclusion.

Regarding your remaining problem...do you mean you can't run a command line like NETSTAT from Tools - Command-Line Tools?

Jason Balinski · ‎11-11-2004

Well I finally got it working, although I'm very unhappy with the way I had to do it. It's extremely common practice to rename the "Administrator" account to minimize hacking attempts etc.

To get things working, I ended up creating a new account called "Administrator". I logged in with that account to establish a profile folder and then ran "mkpasswd -l -u administrator >>C:\program Files\openssh\etc\passwd. After that I did an MXAgentConfig and everything works.

Does anyone know of a workaround so that you can use an alternate account? It is unacceptable to have to use such an easy targeted account for this.

Also Scott thank you very much for your help again. I appreciate it.

Scott_278 · ‎11-11-2004

Yes. To use a renamed administrator account, you have to edit the passwd file. Let's say you installed SSH as "newadmin", though that account's profile is C:\Documents and Settings\Administrator - common for a renamed administrator account.

The passwd file would have to be edited from /home/newadmin to /home/Administrator.

The reason I opened a call with HP is because if you attempt to run MXAGENTCONFIG *before* editing the passwd file, it never seems to successfully connect no matter what I do. Yet, I can successfully ssh from a command-line both ways.

Jason Balinski · ‎11-11-2004

OK here's one better. We also change the admin password on a regular basis. Is there a way to use a completely new admin account that's not called administrator?

Thanks!

Ray Gayoso · ‎11-11-2004

I'm having the same issue... Have you made any progress?

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Making progress, but OpenSSH still won't work.

Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.

Re: Making progress, but OpenSSH still won't work.