02-25-2013 02:30 AM
We are trying to centralize the OS authentication with LDAP using OID (Oracle Internet Directory).
It works fine with our Linux servers on different flavours, but on HP-UX it's failing.
Below is the snippet from the ssh debug session:
$ ssh -vvv srinivas.kalyan@jnmddb01
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req: num_prompts 1
debug3: packet_send2: adding 32 (len 26 padlen 6 extra_pad 64)
debug2: input_userauth_info_req: num_prompts 0
debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64)
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t3 r-1 i0/0 o0/0 fd 4/5 cfd -1)
debug3: channel 0: close_fds r 4 w 5 e 6 c -1
Connection to jnmddb01 closed by remote host.
Connection to jnmddb01 closed.
debug1: Transferred: stdin 0, stdout 0, stderr 79 bytes in 0.4 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 193.3
debug1: Exit status -1
The user ID is recognised by the LDAP integration commands like beq and pwget:
$ /opt/ldapux/contrib/bin/beq -k n -s pwd -l /usr/lib/hpux32/libnss_ldap.so.1 srinivas.kalyan -H 5
nss_status .............. NSS_SUCCESS
jnmddb01::root>nsquery passwd srinivas.kalyan
Using "files ldap" for the passwd policy.
Searching /etc/passwd for srinivas.kalyan
srinivas.kalyan was NOTFOUND
Switch configuration: Allows fallback
Searching ldap for srinivas.kalyan
User name: srinivas.kalyan
User Id: 506
Group Id: 501
Home Directory: /home/srinivas.kalyan
Switch configuration: Terminates Search
$ pwget -n srinivas.kalyan
Is there any other configuration required from the PAM?
Any pointers to solve this will be highly appreciated!
02-25-2013 03:04 AM - edited 02-25-2013 03:12 AM
The SSH client debug output includes:
> debug1: Authentication succeeded (keyboard-interactive).
> debug1: Entering interactive session.
These would suggest that the authentication phase has been successfully completed and a login session is starting, but then something causes the session to immediately end. So the problem might not be authentication, but perhaps something else, like not being able to start the configured shell.
First, check the basics:
- is the home directory /home/srinivas.kalyan accessible?
- the shell is listed as /bin/bash in LDAP. Does /bin/bash exist in this system?
- is /bin/bash working normally? (I think some old versions of bash had a bug that caused sessions to die like this on some versions of HP-UX. Maybe on 11.23 and PA-RISC?)
- does /etc/shells exist, and is /bin/bash listed in it?
(If /etc/shells does not exist, the system uses a hard-coded list of standard shells. See "man getusershell". If you create /etc/shells, you should add the standard shells to it too.)
- do you have a custom shell startup script (~/.profile, ~/.bash_profile or ~/.bashrc) which might end the session automatically if some conditions are true? Does /etc/profile have any customizations?
You should also look at /var/adm/syslog/syslog.log on the server: when login fails, sshd usually logs a sensible error message. For security reasons, this error message is not sent to the client. (No reason to tell a possible intruder exactly why his/her intrusion attempt failed. A legitimate user can contact the server administrator and get the information that way.)
02-27-2013 01:39 AM
Thanks MK for your response.
The issue seems to be due to the inability of HP-UX to create users with more than 8 characters, as we are trying to map the AD user ID to the UNIX user.
Maybe I should try enabling the long username option of 11.31?!
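The checks MK listed (home directory, login shell, /etc/shells) plus the 8-character user-name limit the poster identified can be run as one script against the values nsquery returned. This is an added example written for this thread, not code from the original posts or from HP; it assumes the account name, home directory and shell are passed as arguments, and the sample values in the comments are constructed. The hard-coded default shell list that applies when /etc/shells is absent is not reproduced here (it is HP-UX specific, see getusershell(3)), so that case is reported as a warning rather than a pass or fail.

```sh
#!/bin/sh
# diagnose_login: pre-flight checks for an LDAP account whose ssh session
# ends right after "Authentication succeeded" on HP-UX.
# Usage: diagnose_login NAME HOME SHELL [SHELLS_FILE]   (SHELLS_FILE defaults to /etc/shells)

# 0 if the name fits the classic 8-character HP-UX user-name limit.
check_name_length() {
    n=$1
    [ "${#n}" -le 8 ]
}

# 0 if the home directory exists and is searchable by the caller.
check_home() {
    [ -d "$1" ] && [ -x "$1" ]
}

# 0 if the login shell exists and is executable.
check_shell_exists() {
    [ -x "$1" ]
}

# 0 if SHELL is listed in SHELLS_FILE, 1 if the file exists but does not
# list it, 2 if the file is absent (then the system default list applies).
check_shell_listed() {
    s=$1
    sf=${2:-/etc/shells}
    [ -f "$sf" ] || return 2
    grep -qx "$s" "$sf"
}

# Runs every check, prints one line per finding and returns the number of
# hard failures (warnings are not counted).
diagnose_login() {
    name=$1 home=$2 shell=$3 shells_file=${4:-/etc/shells}
    problems=0

    if check_name_length "$name"; then
        printf 'ok   user name %s fits the 8-character limit\n' "$name"
    else
        printf 'FAIL user name %s is longer than 8 characters (enable long user names or map to a shorter UNIX name)\n' "$name"
        problems=$((problems + 1))
    fi

    if check_home "$home"; then
        printf 'ok   home directory %s is accessible\n' "$home"
    else
        printf 'FAIL home directory %s is missing or not searchable\n' "$home"
        problems=$((problems + 1))
    fi

    if check_shell_exists "$shell"; then
        printf 'ok   shell %s exists and is executable\n' "$shell"
    else
        printf 'FAIL shell %s is missing or not executable\n' "$shell"
        problems=$((problems + 1))
    fi

    rc=0
    check_shell_listed "$shell" "$shells_file" || rc=$?
    case $rc in
        0) printf 'ok   shell %s is listed in %s\n' "$shell" "$shells_file" ;;
        2) printf 'WARN %s does not exist; the built-in default list applies (see getusershell(3))\n' "$shells_file" ;;
        *) printf 'FAIL shell %s is not listed in %s\n' "$shell" "$shells_file"
           problems=$((problems + 1)) ;;
    esac

    return "$problems"
}

# Stand-alone use, e.g. (constructed values from the thread):
#   sh diagnose_login.sh srinivas.kalyan /home/srinivas.kalyan /bin/bash
if [ $# -ge 3 ]; then
    diagnose_login "$@"
    exit $?
fi
```

Any line marked FAIL is a candidate for the "session closes immediately" symptom; the syslog entry from sshd on the server will usually name which one it was.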