AIX

  • 1.  ssh problem: successful login counted as unsuccessful

    Posted Wed August 27, 2014 10:22 AM

    Originally posted by: JoachimB


    I have had a strange problem with ssh for a few days, and it may be related to the openssh update to level 6.0.0.6108 we did recently.

    The srm data collection server (srmbld06.boulder.ibm.com is 9.17.204.159) is logging in to the userid perfmgr on our AIX 6.1 TL9 SP3 servers via sftp.

    Although the login is successful, the failed_login_count is always increased by 1 and after 5 days, the userid perfmgr is locked.

    Here is an extract from the syslog of the connected server:

    Aug  5 09:53:10 xemppprs01 sshd[3014782]: debug1: fd 5 clearing O_NONBLOCK
    Aug  5 09:53:10 xemppprs01 sshd[3014782]: debug1: Forked child 14221316.
    Aug  5 09:53:10 xemppprs01 sshd[14221316]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
    Aug  5 09:53:10 xemppprs01 sshd[14221316]: debug1: inetd sockets after dupping: 5, 5
    Aug  5 09:53:10 xemppprs01 sshd[14221316]: debug1: audit connection from 9.17.204.159 port 55705 euid 0
    Aug  5 09:53:10 xemppprs01 sshd[14221316]: Connection from 9.17.204.159 port 55705
    Aug  5 09:53:11 xemppprs01 sshd[14221316]: debug1: Client protocol version 2.0; client software version http://J2SSH_Maverick_1.4.31__IBM
    Aug  5 09:53:11 xemppprs01 sshd[14221316]: debug1: no match: http://J2SSH_Maverick_1.4.31__IBM
    Aug  5 09:53:11 xemppprs01 sshd[14221316]: debug1: Enabling compatibility mode for protocol 2.0
    Aug  5 09:53:11 xemppprs01 sshd[14221316]: debug1: Local version string SSH-2.0-OpenSSH_6.0
    Aug  5 09:53:11 xemppprs01 sshd[14221316]: debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): \t0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).\n\t0509-026 System error: A file or directory in the path name does not exist.\n
    Aug  5 09:53:11 xemppprs01 sshd[14221316]: debug1: Error loading Kerberos, disabling the Kerberos auth
    Aug  5 09:53:11 xemppprs01 sshd[14221316]: debug1: permanently_set_uid: 202/201 [preauth]
    Aug  5 09:53:11 xemppprs01 sshd[14221316]: debug1: list_hostkey_types: ssh-rsa,ssh-dss [preauth]
    Aug  5 09:53:11 xemppprs01 sshd[14221316]: debug1: SSH2_MSG_KEXINIT sent [preauth]
    Aug  5 09:53:11 xemppprs01 sshd[14221316]: debug1: SSH2_MSG_KEXINIT received [preauth]
    Aug  5 09:53:11 xemppprs01 sshd[14221316]: debug1: kex: client->server aes128-cbc hmac-sha1 none [preauth]
    Aug  5 09:53:11 xemppprs01 sshd[14221316]: debug1: kex: server->client aes128-cbc hmac-sha1 none [preauth]
    Aug  5 09:53:11 xemppprs01 sshd[14221316]: debug1: expecting SSH2_MSG_KEXDH_INIT [preauth]
    Aug  5 09:53:11 xemppprs01 sshd[14221316]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
    Aug  5 09:53:11 xemppprs01 sshd[14221316]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
    Aug  5 09:53:11 xemppprs01 sshd[14221316]: debug1: SSH2_MSG_NEWKEYS received [preauth]
    Aug  5 09:53:11 xemppprs01 sshd[14221316]: debug1: KEX done [preauth]
    Aug  5 09:53:11 xemppprs01 sshd[14221316]: debug1: userauth-request for user perfmgr service ssh-connection method none [preauth]
    Aug  5 09:53:11 xemppprs01 sshd[14221316]: debug1: attempt 0 failures 0 [preauth]
    Aug  5 09:53:12 xemppprs01 sshd[14221316]: debug1: Eff_sl:::Eff_tl: [preauth]
    Aug  5 09:53:12 xemppprs01 sshd[14221316]: debug1: userauth-request for user perfmgr service ssh-connection method publickey [preauth]
    Aug  5 09:53:12 xemppprs01 sshd[14221316]: debug1: attempt 1 failures 0 [preauth]
    Aug  5 09:53:12 xemppprs01 sshd[14221316]: debug1: temporarily_use_uid: 299/0 (e=0/0)
    Aug  5 09:53:12 xemppprs01 sshd[14221316]: debug1: trying public key file /home/perfmgr/.ssh/authorized_keys
    Aug  5 09:53:12 xemppprs01 sshd[14221316]: debug1: Could not open authorized keys '/home/perfmgr/.ssh/authorized_keys': A file or directory in the path name does not exist.
    Aug  5 09:53:12 xemppprs01 sshd[14221316]: debug1: restore_uid: 0/0
    Aug  5 09:53:12 xemppprs01 sshd[14221316]: debug1: temporarily_use_uid: 299/0 (e=0/0)
    Aug  5 09:53:12 xemppprs01 sshd[14221316]: debug1: trying public key file /home/perfmgr/.ssh/authorized_keys2
    Aug  5 09:53:12 xemppprs01 sshd[14221316]: debug1: fd 4 clearing O_NONBLOCK
    Aug  5 09:53:12 xemppprs01 sshd[14221316]: debug1: matching key found: file /home/perfmgr/.ssh/authorized_keys2, line 3
    Aug  5 09:53:12 xemppprs01 sshd[14221316]: Found matching DSA key: 0c:cb.........................
    Aug  5 09:53:12 xemppprs01 sshd[14221316]: debug1: restore_uid: 0/0
    Aug  5 09:53:12 xemppprs01 sshd[14221316]: debug1: Failed to collect Cookie from Keystore\n
    Aug  5 09:53:12 xemppprs01 sshd[14221316]: debug1: Keystore Opening wil be failed after login\n
    Aug  5 09:53:12 xemppprs01 sshd[14221316]: debug1: Cookie received :\\n [preauth]
    Aug  5 09:53:12 xemppprs01 sshd[14221316]: debug1: ssh_dss_verify: signature correct
    Aug  5 09:53:12 xemppprs01 sshd[14221316]: Accepted publickey for perfmgr from 9.17.204.159 port 55705 ssh2
    Aug  5 09:53:17 xemppprs01 syslog: ssh: failed login attempt for perfmgr from srmbld06.boulder.ibm.com
    Aug  5 09:53:17 xemppprs01 sshd[14221316]: debug1: Entering sshefs_option_check [preauth]
    Aug  5 09:53:17 xemppprs01 sshd[14221316]: debug1: AllowPkcs12KeystoreAutoOpen option not set [preauth]
    Aug  5 09:53:17 xemppprs01 sshd[14221316]: debug1: monitor_read_log: child log fd closed
    Aug  5 09:53:17 xemppprs01 sshd[14221316]: debug1: monitor_child_preauth: perfmgr has been authenticated by privileged process
    Aug  5 09:53:17 xemppprs01 sshd[14221316]: debug1: audit event euid 0 user perfmgr event 2 (SSH_authsuccess)
    Aug  5 09:53:17 xemppprs01 sshd[14221316]: debug1: Return Val-1 for auditproc:0
    Aug  5 09:53:17 xemppprs01 sshd[14221316]: User child is on pid 13172910
    Aug  5 09:53:17 xemppprs01 sshd[13172910]: debug1: ACCESS KEy before calling efslogin:\n
    Aug  5 09:53:17 xemppprs01 sshd[13172910]: debug1: permanently_set_uid: 299/0
    Aug  5 09:53:17 xemppprs01 sshd[13172910]: debug1: Entering interactive session for SSH2.
     

    What might be going wrong here?
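
The contradiction in the extract above ("Accepted publickey" followed five seconds later by "failed login attempt" for the same user) can be searched for across saved syslog files. This is an added example, not part of the original post; the function names, the 10-second default window and every sample line other than the two perfmgr lines at 09:53 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: flag "failed login attempt" syslog
# lines that follow an sshd "Accepted ..." line for the same user.

# Constructed sample input. The two perfmgr lines at 09:53 are copied from
# the syslog extract in the post; every other line is made up for the demo.
sample_log() {
cat <<'EOF'
Aug  5 09:40:02 xemppprs01 syslog: ssh: failed login attempt for alice from host-a.example
Aug  5 09:53:12 xemppprs01 sshd[14221316]: Accepted publickey for perfmgr from 9.17.204.159 port 55705 ssh2
Aug  5 09:53:17 xemppprs01 syslog: ssh: failed login attempt for perfmgr from srmbld06.boulder.ibm.com
Aug  5 10:15:30 xemppprs01 sshd[999]: Accepted publickey for bob from 192.0.2.7 port 40000 ssh2
Aug  5 11:00:00 xemppprs01 syslog: ssh: failed login attempt for perfmgr from host-b.example
EOF
}

# Usage: find_false_failures [window_seconds] < syslog
# Prints "user month day time +Ns" for each failure logged at most
# window_seconds (default 10) after an accepted login for that user
# on the same calendar day.
find_false_failures() {
    awk -v window="${1:-10}" '
    function secs(t,   p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }

    # sshd success line: remember day and time of day per user
    $5 ~ /^sshd\[/ && $6 == "Accepted" && $8 == "for" {
        day[$9] = $1 " " $2
        at[$9]  = secs($3)
        next
    }
    # failure line as written in the extract: "ssh: failed login attempt for USER"
    $6 == "ssh:" && $7 == "failed" && $8 == "login" && $9 == "attempt" {
        user = $11
        if ((user in at) && day[user] == ($1 " " $2)) {
            delta = secs($3) - at[user]
            if (delta >= 0 && delta <= window)
                print user, $1, $2, $3, ("+" delta "s")
        }
    }'
}

sample_log | find_false_failures
```

A failure with no preceding accepted login (alice in the sample) or one far outside the window (perfmgr at 11:00) is not reported, so genuine failed attempts stay out of the result.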



  • 2.  Re: ssh problem: successful login counted as unsuccessful

    Posted Thu August 28, 2014 04:35 AM

    Originally posted by: L.Sarrazin


    Hi,

    Did you try to test consistency (-n option for testing only, then -y option to correct errors)?

    # pwdck -n ALL

    # usrck -n ALL

    And to force login_count to zero:

    # /usr/bin/chsec -f /etc/security/lastlog -a unsuccessful_login_count=0 -s your_user

    Then try again to log in and see if unsuccessful_login_count increases by 1.

    # /usr/bin/lssec -f /etc/security/lastlog -a unsuccessful_login_count -s your_user

    Best regards.

    L. Sarrazin



  • 3.  Re: ssh problem: successful login counted as unsuccessful

    Posted Thu August 28, 2014 03:48 PM

    Originally posted by: JoachimB


    Thanks, and hmm, do usrck and pwdck help when login occurs via ssh and not by password?

    Yes, I can reset the login_count to zero but during the next ssh login it is again increased by one.

     



  • 4.  Re: ssh problem: successful login counted as unsuccessful

    Posted Fri August 29, 2014 11:35 AM

    Originally posted by: JoachimB


    I scanned through my old, saved syslog files and can prove that the problem started exactly the day when we installed OpenSSH v6.0.0.6108 from the AIX Web Download Pack Programs site.
     



  • 5.  Re: ssh problem: successful login counted as unsuccessful

    Posted Mon September 01, 2014 06:15 AM

    Originally posted by: JoachimB


    It turned out to be a bug in OpenSSH v6.0.0.6108.

    The bug will be fixed in OpenSSH v6.0.0.6109, expected to be available on AIX Web Download Pack Programs on Sept. 10th.