HP-UX Secure Shell A.05.30.008 and A.05.30.009 Release Notes

RSA and DSA keys results in a bad login attempt for each key type. In such a scenario, the
audit log has the following entries:
SELF-AUDITING TEXT: User= root uid=0 ssh authentication method PUBKEY - failed
SELF-AUDITING TEXT: User= root uid=0 ssh authentication success - user logged in
SELF-AUDITING TEXT: User= root uid=0 ssh session open
For more information on HP-UX SMSE, see http://www.docs.hp.com/en/internet.html#Security%20Containment
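
The audit entries above, handled as an added example (not part of the release notes or of HP's tooling): this Python code separates PUBKEY failures that are directly followed by a successful login for the same user from failures that are not. The line layout is taken from the three entries shown; `classify`, `max_fallback` and the `guest` sample line are assumptions, and correlation is by user name and line order only, because the entries shown carry no session identifier.

```python
import re
from collections import defaultdict

# Constructed sample: the first three lines copy the entries in the note,
# the last line is an invented failure for a hypothetical user "guest".
SAMPLE = """\
SELF-AUDITING TEXT: User= root uid=0 ssh authentication method PUBKEY - failed
SELF-AUDITING TEXT: User= root uid=0 ssh authentication success - user logged in
SELF-AUDITING TEXT: User= root uid=0 ssh session open
SELF-AUDITING TEXT: User= guest uid=105 ssh authentication method PUBKEY - failed
"""

LINE = re.compile(r"SELF-AUDITING TEXT: User=\s*(\S+)\s+uid=(\d+)\s+ssh (.+)$")
FAILED = re.compile(r"authentication method (\S+) - failed")


def classify(text, max_fallback=2):
    """Count, per user, failures absorbed by a following success vs. the rest.

    max_fallback is an assumption: one failure per key type (RSA, DSA)
    named in the note. Failures beyond that stay counted as unresolved.
    Returns {user: {"fallback": n, "unresolved": n, "logins": n}}.
    """
    pending = defaultdict(list)  # failed methods not yet followed by a success
    out = defaultdict(lambda: {"fallback": 0, "unresolved": 0, "logins": 0})
    for raw in text.splitlines():
        m = LINE.search(raw.strip())
        if not m:
            continue  # not a self-auditing ssh entry
        user, _uid, event = m.groups()
        failed = FAILED.search(event)
        if failed:
            pending[user].append(failed.group(1))
        elif event.startswith("authentication success"):
            fails = pending.pop(user, [])
            n = 0
            # Only the PUBKEY failures closest to the success qualify.
            for method in reversed(fails):
                if method != "PUBKEY" or n == max_fallback:
                    break
                n += 1
            out[user]["fallback"] += n
            out[user]["unresolved"] += len(fails) - n
            out[user]["logins"] += 1
    for user, fails in pending.items():  # failures never followed by a login
        out[user]["unresolved"] += len(fails)
    return {user: dict(counts) for user, counts in out.items()}
```

Entries counted as `unresolved` are the ones to keep in failed-login reporting; `fallback` entries match the pattern the note describes.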
HP-UX Secure Shell user authentication using public-key fails in a server environment if
UsePAM is set to YES and pam.conf is set to PAM_LDAP.
Workaround: HP recommends the PAM_AUTHZ mechanism for HP-UX Secure Shell
environments that use public-key authentication with PAM_LDAP-based account
management.

On some systems, the following messages appear in the syslog.log file when a user
logs out of a Secure Shell session:
pam_setcred: error Authentication failed
pam_setcred: error Permission denied
These messages appear only when the daemon is running in debug mode. They
are not relevant to (and do not affect) HP-UX Secure Shell operations. The PAM function
pam_setcred generates these messages. They appear in the scenarios
listed in Table 1-3.

Table 1-3 Scenarios where pam_setcred Generates Error Messages

Error Messages          KeyServ Running   UsePriv   User
Permission denied       no                yes       root
Authentication failed   no                yes       non-root
Permission denied       no                no        root
Permission denied       no                no        non-root
Permission denied       yes               yes       root
No message              yes               yes       non-root
Permission denied       yes               no        root
Permission denied       yes               no        non-root

A Kerberos ticket on a Secure Shell server system gets inadvertently deleted in the following
scenario:
1. User U1 creates a Kerberos ticket file on a Secure Shell server system, S1.
2. The SSH server on S1 is set up for PAM_KERBEROS authentication.
3. User U1 now remotely connects to the SSH instance on S1 using public-key
authentication.
4. User U1 exits.
The kinit-generated ticket file created in Step 1 gets deleted when the user exits the Secure
Shell session.
Workaround: Create the Kerberos ticket file (Step 1) in a non-default location and selectively
communicate this file name to Secure Shell processes using the KRB5CCNAME environment
variable.

The chroot functionality does not work if the UseLogin configuration directive in
sshd_config is set to YES.

In a chroot-ed environment, users do not see a subset of syslog messages. HP-UX Secure
Shell writes syslog messages at the time of authentication and when the session is terminated.