HP-UX Secure Shell A.05.20.013, A.05.20.014, and A.05.20.015 Release Notes
Table 1-3 Scenarios where pam_setcred Generates Error Messages (continued)
Error Messages      KeyServ Running   UsePriv   User
Permission denied   yes               no        root
Permission denied   yes               no        non-root
• A Kerberos ticket on a Secure Shell server system gets inadvertently deleted in the following
scenario:
1. User U1 creates a Kerberos ticket file on a Secure Shell server system, S1.
2. The SSH server on S1 is set up for PAM_KERBEROS authentication.
3. User U1 now remotely connects to the SSH instance on S1 using public-key
authentication.
4. User U1 exits.
The kinit-generated ticket file created in Step 1 gets deleted when the user exits the Secure
Shell session.
Workaround: Create the Kerberos ticket file (Step 1) in a non-default location and selectively
communicate this file name to Secure Shell processes using the KRB5CCNAME environment
variable.
• The chroot functionality does not work if the UseLogin configuration directive in
sshd_config is set to YES.
• In a chroot-ed environment, users do not see a subset of syslog messages. HP-UX Secure
Shell writes syslog messages at the time of authentication and when the session is terminated.
The syslogd daemon reads the syslog messages written by all subsystems and reports them
to the /dev/log file. In a chroot-ed environment, the sshd daemon writes its syslog
messages to <newroot>/dev/log. It is not possible to link the <newroot>/dev/log file
to the /dev/log file, resulting in users not being able to view the subset of syslog messages.
Workaround: There is no workaround for this problem. Users of chroot-ed HP-UX Secure
Shell environments must be aware that a subset of messages written by the sshd daemon
will not show up in syslog.
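One way to apply the KRB5CCNAME workaround from the Kerberos ticket item above, as an added example that is not part of the release notes or of HP-UX Secure Shell. The directory $HOME/.krb5cc, the CCACHE_DIR variable and the function names are hypothetical, and the Kerberos tools are assumed to accept a FILE:<path> cache name.

```shell
#!/bin/sh
# Added example, not HP code. Assumptions: the cache lives in $HOME/.krb5cc
# (hypothetical path) and the Kerberos tools accept a FILE:<path> cache name.

# True only for a real directory (not a symlink) that the caller owns and
# that has mode 0700, so no other user can read or replace the ticket file.
ccache_dir_is_private() {
    [ -d "$1" ] && [ ! -h "$1" ] && [ -O "$1" ] || return 1
    case $(ls -ld "$1") in
        drwx------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the KRB5CCNAME value for a ticket file in a non-default location,
# creating the directory with mode 0700 on first use.
private_ccache_name() {
    dir=${1:-$HOME/.krb5cc}
    if [ ! -e "$dir" ] && [ ! -h "$dir" ]; then
        mkdir -m 700 "$dir" || return 1
    fi
    if ! ccache_dir_is_private "$dir"; then
        echo "refusing $dir: not a private directory" >&2
        return 1
    fi
    printf 'FILE:%s/ticket\n' "$dir"
}

# Run one command with KRB5CCNAME set for that command only; the variable is
# not exported into the rest of the login environment.
with_private_ccache() {
    [ "$#" -gt 0 ] || return 2
    name=$(private_ccache_name "${CCACHE_DIR:-}") || return 1
    KRB5CCNAME=$name "$@"
}

# Usage (Step 1 of the scenario, then later use of the same ticket):
#   with_private_ccache kinit
#   with_private_ccache klist
```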
HP-UX Secure Shell and the Strong Random Number Generator
HP-UX Secure Shell requires that a random number generator be located on the system. It searches
for /dev/urandom and /dev/random (in that sequence) on the system and uses the first device
it finds. If it fails to locate these two devices, HP-UX Secure Shell uses its own internal random
number generator program. The /dev/urandom and /dev/random devices are available by
default on HP-UX 11i v2 and HP-UX 11i v3 systems. These devices can also be obtained for
HP-UX 11i v1 by downloading and installing the HP-UX Strong Random Number Generator
from http://software.hp.com. If you are using HP-UX Secure Shell on HP-UX 11i v1, HP
recommends that you install the Strong Random Number Generator product as it significantly
speeds up program initialization and execution time for some commands.
HP-UX Secure Shell Resources
For more information about Secure Shell, read the following:
• HTML and PDF versions at http://docs.hp.com (Internet and Security Solutions)
• A README text version in the software at: /opt/ssh/README.hp
• The HP Instant Information CD
• OpenSSH at http://www.openssh.com
— FAQs, Mail List Archives, Security pages, manpages
• IETF at http://www.ietf.org/ (go to Working Groups > Security)