OpenVMS SSH password expiry woes continue

Jason McCormick jason.mccormick at lexi.com
Wed Jun 30 06:00:02 EST 2004


  I'm not a great expert in the draft specs for SSH, however this is the 
behavior I see from my server except for one thing.  I'm running 
F-SECURE 3.2.0 and whenever my password expires, I'm prompted to change 
it.  However I'm curious as to why you're getting insufficient 
privilege for SYS$INPUT.  Your banner (I assume you're talking about 
the SYS$WELCOME logical) would display after this point.  You may want 
to look through your login.com or the system defaults for a login that 
may be calling something required for an interactive session when 
changing the password isn't technically an interactive session yet.  

  From my experience you should login, get prompted to change the 
password by the VMS authentication subsystem and then get disconnected 
and then have to login again.  My theory is that VMS lacks the proper 
hooks to fully support the SSH spec for dealing with 
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ so they're trying to make it behave 
more like telnet.  If no one else on this list knows a better answer, 
you might want to try the Process' Listservs.  Hunter Goatley is an 
old VMS hand who was very helpful at answering some NFS questions 
about a year ago for me. 

-- Jason

On Tuesday 29 June 2004 14:58, Scott Rankin wrote:
> I sent in a patch a week or so ago for a problem a customer of mine
> was seeing when trying to connect to their OpenVMS system with a
> 3.8.1p2 OpenSSH client (running on a linux box or in cygwin) and
> trying to login to an account that had an expired password.
>
> The problem continues although now it has nothing to do with what my
> patch handled as they have since upgraded their SSH software on the
> VMS host to one suggested by someone on this list [1] and by Process
> software. Their new server version string is,
> 3.2.0 F-SECURE SSH - Process Software SSH for OpenVMS
>
>
> It looks to me like password user authentication succeeds and then in
> the terminal window we see the message,
>
> Your password has expired; you must set a new password to log in
>
>
> Error opening primary input file SYS$INPUT
> Insufficient privilege or file protection violation
>
> and the connection is terminated.
>
> I have attached a sanitized debug3 log below. I also put several
> breakpoints in the code and don't seem to receive the
> SSH_MSG_USERAUTH_PASSWD_CHANGEREQ message at all. I wonder if it is
> related to the combination of having a banner and trying to do the
> password change?
>
> Anyway, I have very little skills related to VMS and would appreciate
> any suggestions. I naively imagine that they just need to redirect
> the equivalent of stdin but like I said I have no idea what I am
> doing on VMS.
>
> I searched this mailing list archive, another at Process [2] and one
> at HP [3] and found little related to this new error. On a whim I
> also tried the -t switch with ssh but that didn't help.
>
>
> Any suggestions greatly appreciated! Thanks in advance.
>
> Cheers,
> scott rankin
>
> Here is the sanitized debug3 log from an OpenSSH client running in
> cygwin: OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
> debug1: Connection established.
> debug1: identity file /home/scottra/.ssh/identity type -1
> debug1: identity file /home/scottra/.ssh/id_rsa type 1
> debug3: Not a RSA1 key file /home/scottra/.ssh/id_dsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug3: key_read: missing keytype
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug2: key_type_from_name: unknown key type '-----END'
> debug3: key_read: missing keytype
> debug1: identity file /home/scottra/.ssh/id_dsa type 2
> debug1: Remote protocol version 1.99, remote software version 3.2.0 F-SECURE SSH - Process Software SSH for OpenVMS
> debug1: no match: 3.2.0 F-SECURE SSH - Process Software SSH for OpenVMS
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,twofish128-cbc,cast128-cbc,twofish-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,twofish192-cbc,twofish256-cbc,arcfour
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,twofish128-cbc,cast128-cbc,twofish-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,twofish192-cbc,twofish256-cbc,arcfour
> debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug2: dh_gen_key: priv key bits set: 140/256
> debug2: bits set: 537/1024
> debug1: sending SSH2_MSG_KEXDH_INIT
> debug1: expecting SSH2_MSG_KEXDH_REPLY
> debug3: check_host_in_hostfile: filename /home/scottra/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 15
> debug1: Host 'xxx.xxx.xxx.xxx' is known and matches the DSA host key.
> debug1: Found key in /home/scottra/.ssh/known_hosts:15
> debug2: bits set: 516/1024
> debug1: ssh_dss_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/scottra/.ssh/identity (0x0)
> debug2: key: /home/scottra/.ssh/id_rsa (0x100e8d20)
> debug2: key: /home/scottra/.ssh/id_dsa (0x100e8d38)
> debug3: input_userauth_banner
>
>
>                        Unauthorized Access is Prohibited
>
>     Use of University of Bozo computing and network facilities
> requires prior authorization.  Unauthorized access is prohibited. 
> Usage is subject to security testing and monitoring.  Abuse is
> subject to criminal prosecution.
>     A complete manual of security policies and procedures is
> available at http://www.bozo.edu in the Administration directory.
>
>
> debug1: Authentications that can continue: publickey,password
> debug3: start over, passed a different list publickey,password
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/scottra/.ssh/identity
> debug3: no such identity: /home/scottra/.ssh/identity
> debug1: Offering public key: /home/scottra/.ssh/id_rsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue: publickey,password
> debug1: Offering public key: /home/scottra/.ssh/id_dsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue: publickey,password
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> debug3: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)
> debug2: we sent a password packet, wait for reply
> debug1: Authentication succeeded (password).
> debug2: fd 5 setting O_NONBLOCK
> debug2: fd 6 setting O_NONBLOCK
> debug1: channel 0: new [client-session]
> debug3: ssh_session2_open: channel_new: 0
> debug2: channel 0: send open
> debug1: Entering interactive session.
> debug2: callback start
> debug2: ssh_session2_setup: id 0
> debug2: channel 0: request pty-req
> debug3: tty_make_modes: ospeed 38400
> debug3: tty_make_modes: ispeed 38400
> debug3: tty_make_modes: 1 3
> debug3: tty_make_modes: 2 28
> debug3: tty_make_modes: 3 8
> debug3: tty_make_modes: 4 21
> debug3: tty_make_modes: 5 4
> debug3: tty_make_modes: 6 0
> debug3: tty_make_modes: 7 0
> debug3: tty_make_modes: 8 17
> debug3: tty_make_modes: 9 19
> debug3: tty_make_modes: 10 26
> debug3: tty_make_modes: 12 18
> debug3: tty_make_modes: 13 23
> debug3: tty_make_modes: 14 22
> debug3: tty_make_modes: 18 15
> debug3: tty_make_modes: 30 0
> debug3: tty_make_modes: 31 0
> debug3: tty_make_modes: 32 0
> debug3: tty_make_modes: 33 0
> debug3: tty_make_modes: 34 0
> debug3: tty_make_modes: 35 0
> debug3: tty_make_modes: 36 1
> debug3: tty_make_modes: 37 0
> debug3: tty_make_modes: 38 1
> debug3: tty_make_modes: 39 0
> debug3: tty_make_modes: 40 0
> debug3: tty_make_modes: 41 0
> debug3: tty_make_modes: 50 1
> debug3: tty_make_modes: 51 1
> debug3: tty_make_modes: 53 1
> debug3: tty_make_modes: 54 0
> debug3: tty_make_modes: 55 0
> debug3: tty_make_modes: 56 0
> debug3: tty_make_modes: 57 0
> debug3: tty_make_modes: 58 0
> debug3: tty_make_modes: 59 1
> debug3: tty_make_modes: 60 0
> debug3: tty_make_modes: 61 0
> debug3: tty_make_modes: 70 1
> debug3: tty_make_modes: 71 0
> debug3: tty_make_modes: 72 1
> debug3: tty_make_modes: 73 0
> debug3: tty_make_modes: 74 0
> debug3: tty_make_modes: 75 0
> debug3: tty_make_modes: 90 1
> debug3: tty_make_modes: 91 1
> debug3: tty_make_modes: 92 0
> debug3: tty_make_modes: 93 0
> debug2: channel 0: request shell
> debug2: fd 3 setting TCP_NODELAY
> debug2: callback done
> debug2: channel 0: open confirm rwindow 100000 rmax 16384
>
>
> Your password has expired; you must set a new password to log in
>
>
> Error opening primary input file SYS$INPUT
> Insufficient privilege or file protection violation
> debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
> debug2: channel 0: rcvd close
> debug2: channel 0: output open -> drain
> debug2: channel 0: close_read
> debug2: channel 0: input open -> closed
> debug3: channel 0: will not send data after close
> debug2: channel 0: obuf empty
> debug2: channel 0: close_write
> debug2: channel 0: output drain -> closed
> debug2: channel 0: almost dead
> debug2: channel 0: gc: notify user
> debug2: channel 0: gc: user detached
> debug2: channel 0: send close
> debug2: channel 0: is dead
> debug2: channel 0: garbage collecting
> debug1: channel 0: free: client-session, nchannels 1
> debug3: channel 0: status: The following connections are open:
>   #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1)
>
> debug3: channel 0: close_fds r -1 w -1 e 6
> debug2: fd 1 is not O_NONBLOCK
> debug2: fd 2 is not O_NONBLOCK
> Connection to xxx.xxx.xxx.xxx closed.
> debug1: Transferred: stdin 0, stdout 0, stderr 36 bytes in 0.5 seconds
> debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 77.6
> debug1: Exit status 1
>
>
> [1] http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=108752819415570&w=2
> [2] http://www.multinet.process.com/scripts/mxarchive/as_init.com?Info-ssh
> [3] http://search.hp.com/gwuseng/index.html?qp=site%3Ah71000.www7.hp.com&hpr=http%3A//h71000.www7.hp.com/&hpa=http%3A//h71000.www7.hp.com/cgi-bin/feedback.exe&hpn=Return+to+OpenVMS+systems+site&hps=OpenVMS+systems+sites&h_audience=&h_audiencerestrict=&hpl=1&hph=&lk=1&rf=2&la=en&uf=0&hpo=hphqglobal,hphqwwesg,hphqbcs,hphqopenvms&es=0&ep=0
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
Jason McCormick
Network & Systems Administrator - Lexi-Comp, Inc.
jason.mccormick at lexi.com - 330.656.0239
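The password-change exchange Jason refers to (SSH_MSG_USERAUTH_PASSWD_CHANGEREQ, RFC 4252 section 8), as an added example that is not part of this thread and not code from OpenSSH or the Process Software server: the server's request and the client's reply are built and decoded as bare packet payloads with no transport layer, and the user name and passwords are constructed values.

```python
# Added illustration of the RFC 4252 password-change exchange; not from
# this thread, from OpenSSH or from the Process Software server.
import struct

SSH_MSG_USERAUTH_REQUEST = 50           # RFC 4252 section 5
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 60  # RFC 4252 section 8

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at off; returns (value, next_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_changereq(prompt: str, lang: str = "") -> bytes:
    """Server -> client: password expired, a new one must be supplied."""
    return (bytes([SSH_MSG_USERAUTH_PASSWD_CHANGEREQ])
            + ssh_string(prompt.encode("utf-8")) + ssh_string(lang.encode()))

def client_reply(packet: bytes, user: str, old_pw: str, new_pw: str):
    """Client side: answer a CHANGEREQ with a 'password' USERAUTH_REQUEST
    whose change flag is TRUE; None for any other message (keep waiting)."""
    if not packet or packet[0] != SSH_MSG_USERAUTH_PASSWD_CHANGEREQ:
        return None
    _prompt, off = read_string(packet, 1)  # a real client shows this prompt
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user.encode())
            + ssh_string(b"ssh-connection") + ssh_string(b"password")
            + b"\x01"                      # boolean TRUE: new password follows
            + ssh_string(old_pw.encode()) + ssh_string(new_pw.encode()))

def parse_userauth_password(packet: bytes) -> dict:
    """Server side: decode a 'password' USERAUTH_REQUEST with or without
    the change flag, so both packet shapes can be checked."""
    user, off = read_string(packet, 1)
    service, off = read_string(packet, off)
    method, off = read_string(packet, off)
    if packet[0] != SSH_MSG_USERAUTH_REQUEST or method != b"password":
        raise ValueError("not a password USERAUTH_REQUEST")
    change, off = packet[off] == 1, off + 1
    password, off = read_string(packet, off)
    out = {"user": user.decode(), "service": service.decode(),
           "change": change, "password": password.decode()}
    if change:
        new_pw, off = read_string(packet, off)
        out["new_password"] = new_pw.decode()
    return out
```

A client that follows this exchange never reaches the shell with an expired password; the log above instead shows authentication succeeding and the shell exiting, which is the telnet-style behaviour Jason describes.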