HPE Community
Operating System - HP-UX
1752580 Members
3528 Online
108788 Solutions
New Discussion юеВ

SSH Account lock-out

 
Jeff Greenhill
New Member

тАО03-03-2011 09:05 AM

тАО03-03-2011 09:05 AM

SSH Account lock-out

I have several accounts that are locked out if users try to connect to my HP-UX 11.23 servers, but they can log in with telnet.
I even had one user log in with telnet, then issue
$ ssh localhost
and try to log in with their ID, but login failed:
$ ssh srivass@localhost
Password:
Connection to localhost closed by remote host.
Connection to localhost closed.

$ telnet localhost
Trying...
Connected to localhost.
Escape character is '^]'.
Local flow control on
Telnet TERMINAL-SPEED option ON

HP-UX mupr14 B.11.23 U ia64 (tb)

login: srivass
Password:
Last successful login for srivass: Thu Mar 3 12:02:22 EST5EDT 2011 on pts/td
L

Why is the account NOT locked (SAM says it is not locked), the user can log in with telnet, but not ssh?
0 Kudos
Reply
4 REPLIES 4
James R. Ferguson
Acclaimed Contributor

тАО03-03-2011 09:22 AM

тАО03-03-2011 09:22 AM

Re: SSH Account lock-out

Hi Jeff:

You need to examine your SSH configuration --- '/etc/ssh/ssh_config' and '/etc/ssh/sshd_config'.

I suspect from you description, that there is a line for 'AllowUsers' which has a space-separated list of allowed users, all others being denied.

Regards!

...JRF...
0 Kudos
Reply
mvpel
Trusted Contributor

тАО03-03-2011 10:33 AM

тАО03-03-2011 10:33 AM

Re: SSH Account lock-out

I find it helpful to run both the SSH client and server in debug mode:

ssh -vvv srivass@localhost

This shows the details of what the client is sending to and getting back from the sshd server.

You can start up a debug-mode sshd on a different port: sshd -ddd -p 2222

... and then ssh to that port from a different terminal. I think the logging goes into syslog, so make sure you have a syslog.conf destination for auth.debug.

There might, for example, be an issue with the permissions on the user's home directory or .ssh directory or other relevant files - a user with a 777 homedir will not be permitted to log in with public keys, for example.
0 Kudos
Reply
Jeff Greenhill
New Member

тАО03-28-2011 04:58 AM

тАО03-28-2011 04:58 AM

Re: SSH Account lock-out

I have tried suggestions. There is NO Allowusers keyword in my /opt/ssh/etc/sshd_config file.
Using a different problematic userid, snurdmp an ID I made up for just this purpose). I created the ID, changed (successfully) the initial password, then locked the ID by repeatedly typing in the wrong password. The, I un-locked the ID with modprpw -k snurdmp, then I did the following:

{mudv14:root}/home/greehilj->ssh -vvv snurdmp@localhost
OpenSSH_4.5p1+sftpfilecontrol-v1.1-hpn12v14, OpenSSL 0.9.7l 28 Sep 2006
HP-UX Secure Shell-A.04.50.004, HP-UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug3: RNG is ready, skipping seeding
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/3
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.9
debug1: match: OpenSSH_3.9 pat OpenSSH_3.*
debug1: Remote is NON-HPN aware
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.5p1+sftpfilecontrol-v1.1-hpn12v14
debug2: fd 4 setting O_NONBLOCK
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 121/256
debug2: bits set: 538/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /.ssh/known_hosts
debug3: check_host_in_hostfile: filename /opt/ssh/etc/ssh_known_hosts
debug3: check_host_in_hostfile: filename /.ssh/known_hosts
debug3: check_host_in_hostfile: filename /opt/ssh/etc/ssh_known_hosts
debug2: no key of type 0 for host localhost
debug3: check_host_in_hostfile: filename /.ssh/known_hosts2
debug3: check_host_in_hostfile: filename /opt/ssh/etc/ssh_known_hosts2
debug3: check_host_in_hostfile: filename /.ssh/known_hosts
debug3: check_host_in_hostfile: filename /opt/ssh/etc/ssh_known_hosts
debug2: no key of type 2 for host localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 17:b8:1d:dc:2d:ac:83:5b:fe:bd:17:96:8b:08:10:d4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
debug2: bits set: 522/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /.ssh/id_rsa (0)
debug2: key: /.ssh/id_dsa (0)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/id_rsa
debug3: no such identity: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug3: no such identity: /.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 22 padlen 10 extra_pad 64)
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 0
debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64)
debug1: Authentication succeeded (keyboard-interactive).
debug1: Final hpn_buffer_size = 131072
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t3 r-1 i0/0 o0/0 fd 5/6 cfd -1)

debug3: channel 0: close_fds r 5 w 6 e 7 c -1
Connection to localhost closed by remote host.
Connection to localhost closed.
debug1: Transferred: stdin 0, stdout 0, stderr 81 bytes in 0.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 2000.2
debug1: Exit status -1
{mudv14:root}/home/greehilj->


Looks like it did not get a successful key (which was expected), so it accepted the password, then, terminated the connection without explanation and exited with -1.

Here is the only pertinent line from /var/adm/syslog/syslog.log (where we are logging SSH stuff):

Mar 28 08:50:56 mudv14 sshd[12336]: Accepted keyboard-interactive/pam for snurdm
p from 127.0.0.1 port 64110 ssh2


I AM STUMPED! Any ideas, anyone?
0 Kudos
Reply
Jeff Greenhill
New Member

тАО03-28-2011 05:05 AM

тАО03-28-2011 05:05 AM

Re: SSH Account lock-out

Sorry, I re-ran with ssh -vvvv snurdmp@localhost. Here is debug3: output (which I find equally un-revealing as debug1: and debug2:):
debug3: RNG is ready, skipping seeding
debug3: RNG is ready, skipping seeding
debug3: check_host_in_hostfile: filename /.ssh/known_hosts
debug3: check_host_in_hostfile: match line 28
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug3: no such identity: /.ssh/id_rsa
debug3: no such identity: /.ssh/id_dsa
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug3: packet_send2: adding 32 (len 22 padlen 10 extra_pad 64)
debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64)
debug3: ssh_session2_open: channel_new: 0
debug3: channel 0: status: The following connections are open:
debug3: channel 0: close_fds r 5 w 6 e 7 c -1
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.