OpenVMS SSH password expiry woes continue

Scott Rankin scottra at wrq.com
Wed Jun 30 04:58:30 EST 2004


I sent in a patch a week or so ago for a problem a customer of mine was
seeing when trying to connect to their OpenVMS system with a 3.8.1p2
OpenSSH client (running on a Linux box or in cygwin) and trying to log in to
an account that had an expired password.

The problem continues although now it has nothing to do with what my patch
handled as they have since upgraded their SSH software on the VMS host to
one suggested by someone on this list [1] and by Process Software. Their new
server version string is,
3.2.0 F-SECURE SSH - Process Software SSH for OpenVMS


It looks to me like password user authentication succeeds and then in the
terminal window we see the message,

Your password has expired; you must set a new password to log in


Error opening primary input file SYS$INPUT
Insufficient privilege or file protection violation

and the connection is terminated. 

I have attached a sanitized debug3 log below. I also put several breakpoints
in the code and don't seem to receive the SSH_MSG_USERAUTH_PASSWD_CHANGEREQ
message at all. I wonder if it is related to the combination of having a
banner and trying to do the password change?

Anyway, I have very few skills related to VMS and would appreciate any
suggestions. I naively imagine that they just need to redirect the
equivalent of stdin but like I said I have no idea what I am doing on VMS.

I searched this mailing list archive, another at Process [2] and one at HP
[3] and found little related to this new error. On a whim I also tried the
-t switch with ssh but that didn't help.


Any suggestions greatly appreciated! Thanks in advance.

Cheers,
scott rankin

Here is the sanitized debug3 log from an OpenSSH client running in cygwin: 
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug2: ssh_connect: needpriv 0
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file /home/scottra/.ssh/identity type -1
debug1: identity file /home/scottra/.ssh/id_rsa type 1
debug3: Not a RSA1 key file /home/scottra/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/scottra/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version 3.2.0 F-SECURE SSH - Process Software SSH for OpenVMS
debug1: no match: 3.2.0 F-SECURE SSH - Process Software SSH for OpenVMS
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,twofish128-cbc,cast128-cbc,twofish-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,twofish192-cbc,twofish256-cbc,arcfour
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,twofish128-cbc,cast128-cbc,twofish-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,twofish192-cbc,twofish256-cbc,arcfour
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: dh_gen_key: priv key bits set: 140/256
debug2: bits set: 537/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: check_host_in_hostfile: filename /home/scottra/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 15
debug1: Host 'xxx.xxx.xxx.xxx' is known and matches the DSA host key.
debug1: Found key in /home/scottra/.ssh/known_hosts:15
debug2: bits set: 516/1024
debug1: ssh_dss_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/scottra/.ssh/identity (0x0)
debug2: key: /home/scottra/.ssh/id_rsa (0x100e8d20)
debug2: key: /home/scottra/.ssh/id_dsa (0x100e8d38)
debug3: input_userauth_banner


                       Unauthorized Access is Prohibited

    Use of University of Bozo computing and network facilities requires
    prior authorization.  Unauthorized access is prohibited.  Usage is 
    subject to security testing and monitoring.  Abuse is subject to
    criminal prosecution.  
    A complete manual of security policies and procedures is available at 
    http://www.bozo.edu in the Administration directory.
                                                                    

debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/scottra/.ssh/identity
debug3: no such identity: /home/scottra/.ssh/identity
debug1: Offering public key: /home/scottra/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/scottra/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
debug3: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug2: fd 5 setting O_NONBLOCK
debug2: fd 6 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: ssh_session2_setup: id 0
debug2: channel 0: request pty-req
debug3: tty_make_modes: ospeed 38400
debug3: tty_make_modes: ispeed 38400
debug3: tty_make_modes: 1 3
debug3: tty_make_modes: 2 28
debug3: tty_make_modes: 3 8
debug3: tty_make_modes: 4 21
debug3: tty_make_modes: 5 4
debug3: tty_make_modes: 6 0
debug3: tty_make_modes: 7 0
debug3: tty_make_modes: 8 17
debug3: tty_make_modes: 9 19
debug3: tty_make_modes: 10 26
debug3: tty_make_modes: 12 18
debug3: tty_make_modes: 13 23
debug3: tty_make_modes: 14 22
debug3: tty_make_modes: 18 15
debug3: tty_make_modes: 30 0
debug3: tty_make_modes: 31 0
debug3: tty_make_modes: 32 0
debug3: tty_make_modes: 33 0
debug3: tty_make_modes: 34 0
debug3: tty_make_modes: 35 0
debug3: tty_make_modes: 36 1
debug3: tty_make_modes: 37 0
debug3: tty_make_modes: 38 1
debug3: tty_make_modes: 39 0
debug3: tty_make_modes: 40 0
debug3: tty_make_modes: 41 0
debug3: tty_make_modes: 50 1
debug3: tty_make_modes: 51 1
debug3: tty_make_modes: 53 1
debug3: tty_make_modes: 54 0
debug3: tty_make_modes: 55 0
debug3: tty_make_modes: 56 0
debug3: tty_make_modes: 57 0
debug3: tty_make_modes: 58 0
debug3: tty_make_modes: 59 1
debug3: tty_make_modes: 60 0
debug3: tty_make_modes: 61 0
debug3: tty_make_modes: 70 1
debug3: tty_make_modes: 71 0
debug3: tty_make_modes: 72 1
debug3: tty_make_modes: 73 0
debug3: tty_make_modes: 74 0
debug3: tty_make_modes: 75 0
debug3: tty_make_modes: 90 1
debug3: tty_make_modes: 91 1
debug3: tty_make_modes: 92 0
debug3: tty_make_modes: 93 0
debug2: channel 0: request shell
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 100000 rmax 16384


Your password has expired; you must set a new password to log in


Error opening primary input file SYS$INPUT
Insufficient privilege or file protection violation
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug2: channel 0: rcvd close
debug2: channel 0: output open -> drain
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug3: channel 0: will not send data after close
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1)

debug3: channel 0: close_fds r -1 w -1 e 6
debug2: fd 1 is not O_NONBLOCK
debug2: fd 2 is not O_NONBLOCK
Connection to xxx.xxx.xxx.xxx closed.
debug1: Transferred: stdin 0, stdout 0, stderr 36 bytes in 0.5 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 77.6
debug1: Exit status 1


[1] http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=108752819415570&w=2
[2] http://www.multinet.process.com/scripts/mxarchive/as_init.com?Info-ssh
[3] http://search.hp.com/gwuseng/index.html?qp=site%3Ah71000.www7.hp.com&hpr=http%3A//h71000.www7.hp.com/&hpa=http%3A//h71000.www7.hp.com/cgi-bin/feedback.exe&hpn=Return+to+OpenVMS+systems+site&hps=OpenVMS+systems+sites&h_audience=&h_audiencerestrict=&hpl=1&hph=&lk=1&rf=2&la=en&uf=0&hpo=hphqglobal,hphqwwesg,hphqbcs,hphqopenvms&es=0&ep=0
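
For reference, the in-band password-change exchange that the post expected to see, SSH_MSG_USERAUTH_PASSWD_CHANGEREQ followed by a password request with the change flag set, laid out as in RFC 4252 section 8. This is an added example, not code from the post or from OpenSSH; the function names are hypothetical and the values passed to them are constructed.

```python
import struct

# Message numbers from the SSH authentication protocol (RFC 4252).
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 60  # only meaningful during password auth


def put_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the raw bytes."""
    return struct.pack(">I", len(data)) + data


def get_string(buf: bytes, off: int):
    """Read one SSH string at off; reject lengths that overrun the buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("string length exceeds packet")
    return buf[off + 4:end], end


def build_changereq(prompt: str, lang: str = "") -> bytes:
    """Server side: payload asking the client to choose a new password."""
    return (bytes([SSH_MSG_USERAUTH_PASSWD_CHANGEREQ])
            + put_string(prompt.encode("utf-8")) + put_string(lang.encode("ascii")))


def parse_changereq(payload: bytes):
    """Client side: return (prompt, language tag) from a message-60 payload."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_PASSWD_CHANGEREQ:
        raise ValueError("not SSH_MSG_USERAUTH_PASSWD_CHANGEREQ")
    prompt, off = get_string(payload, 1)
    lang, off = get_string(payload, off)
    if off != len(payload):
        raise ValueError("trailing bytes after language tag")
    return prompt.decode("utf-8"), lang.decode("ascii")


def build_change_reply(user: str, old_pw: str, new_pw: str) -> bytes:
    """Client side: password request with the boolean set to TRUE (change)."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + put_string(user.encode("utf-8")) + put_string(b"ssh-connection")
            + put_string(b"password") + b"\x01"
            + put_string(old_pw.encode("utf-8")) + put_string(new_pw.encode("utf-8")))
```

In the log above the server never sends message 60: it answers the password request with success and reports the expiry only after the session channel is open.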



