Chapter 8 Solving SSH Problems

This chapter describes how to analyze and solve problems that prevent you from logging in using SSH.

NOTE: In this discussion, the user is the client user who executes the SSH command, or is the user who is specified with the -l option to the SSH command.

Login is not permitted under the following conditions. In these cases, no auditing occurs.

  • The user account does not exist.

  • The user account has expired.

  • The user account has access restrictions for the current day and time.

  • The pwd_expired flag is set in the user's SYSUAF record.

  • The keyword UserLoginLimit has a value of zero in the SSH server configuration file. (This applies to all users.)

If any of the following conditions are true for the user on the SSH server, login is not permitted and auditing occurs:

  • The user failed the authentication (for example, invalid or missing keys for the host-based or public-key method, invalid password for the password method, expired password and configured not to allow client in with expired password).

  • The user name is in the DenyUsers list, or is not in the AllowUsers list (if it exists) in the server configuration file (SSHD2_CONFIG.).

  • The user is in a group that is in the DenyGroups list, or is not in the AllowGroups list (if it exists) in the server configuration file (SSHD2_CONFIG.). The groups in the DenyGroups and AllowGroups lists are specified by the decimal representation that is the group portion of the UIC. That is, if a user's UIC is [777,42], the following syntax denies the user and all other users with UIC [777,*]:

    DenyGroups 511

  • The disuser or autologin flag is set in the user's SYSUAF record.

  • The user does not have OPER privilege and one of the following is true:

    • The number of interactive logins has exceeded the SYSGEN parameter IJOBLIM.

    • The UserLoginLimit parameter in the server configuration file is greater than zero and there are already that number of logins for any individual user name.

    • The client has been identified as an intruder.
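
The user and group checks above are easy to get wrong because AllowGroups and DenyGroups take the UIC group in decimal while OpenVMS writes UICs in octal. The following Python script is an added example (not part of this chapter and not code shipped with TCP/IP Services): it converts a numeric UIC to the decimal group value, parses a constructed SSHD2_CONFIG fragment, and applies the DenyUsers/AllowUsers/DenyGroups/AllowGroups rules, reporting whether the refusal would be audited. The sample user names, the order in which the checks are evaluated, and the case-insensitive user-name comparison are assumptions of the example.

```python
import re

# Constructed SSHD2_CONFIG fragment for this example (not from a real system).
SAMPLE_CONFIG = """\
# Access-control section of a server configuration file
AllowUsers     alice bob carol
DenyUsers      mallory
AllowGroups    511 200
DenyGroups     300
UserLoginLimit 10
"""

LIST_KEYWORDS = ("AllowUsers", "DenyUsers", "AllowGroups", "DenyGroups")


def uic_group_decimal(uic):
    """Return the group part of a numeric OpenVMS UIC such as '[777,42]'
    as the decimal number that AllowGroups/DenyGroups expect.
    UIC members are written in octal, so [777,42] has group 511."""
    m = re.fullmatch(r"\[\s*([0-7]+)\s*,\s*([0-7]+)\s*\]", uic.strip())
    if not m:
        raise ValueError(f"not a numeric UIC: {uic!r}")
    return int(m.group(1), 8)


def parse_sshd2_config(text):
    """Minimal parser: one 'Keyword value...' per line, '#' starts a comment.
    Keywords are matched case-insensitively; list keywords gather every token."""
    cfg = {k: [] for k in LIST_KEYWORDS}
    canonical = {k.lower(): k for k in LIST_KEYWORDS}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key = canonical.get(parts[0].lower(), parts[0])
        if key in LIST_KEYWORDS:
            cfg[key].extend(parts[1:])
        else:
            cfg[key] = parts[1] if len(parts) > 1 else ""
    return cfg


def login_permitted(cfg, username, uic):
    """Apply the user/group checks from the chapter.
    Returns (permitted, audited, reason). The evaluation order and the
    case-insensitive user-name comparison are assumptions of this example."""
    # UserLoginLimit 0 blocks every user and no audit record is written.
    if cfg.get("UserLoginLimit", "").strip() == "0":
        return (False, False, "UserLoginLimit is 0: no logins permitted")
    name = username.lower()
    allow_users = [u.lower() for u in cfg["AllowUsers"]]
    deny_users = [u.lower() for u in cfg["DenyUsers"]]
    if name in deny_users:
        return (False, True, "user is in DenyUsers")
    if allow_users and name not in allow_users:
        return (False, True, "user is not in AllowUsers")
    # Group lists hold decimal values; convert the octal UIC group first.
    group = str(uic_group_decimal(uic))
    if group in cfg["DenyGroups"]:
        return (False, True, f"UIC group {group} is in DenyGroups")
    if cfg["AllowGroups"] and group not in cfg["AllowGroups"]:
        return (False, True, f"UIC group {group} is not in AllowGroups")
    return (True, False, "user and group checks passed")


if __name__ == "__main__":
    cfg = parse_sshd2_config(SAMPLE_CONFIG)
    # Constructed users and UICs; [454,1] octal is group 300 decimal.
    for user, uic in (("alice", "[777,42]"), ("bob", "[454,1]"),
                      ("mallory", "[777,1]"), ("dave", "[777,7]")):
        print(user, uic, login_permitted(cfg, user, uic))
```

Running the script shows alice ([777,42], group 511) accepted, bob refused because octal group 454 is decimal 300 and sits in DenyGroups, and mallory and dave refused by the user lists; only the UserLoginLimit 0 case reports that no auditing would occur.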

If the user's password has expired and the connection is from an OpenVMS system to another OpenVMS system, and the disforce_pwd_expired flag is not set in the user's SYSUAF, then the user must change the password. The password dictionary, password history, and generated password lists are not used. The number of failed attempts to verify the new password is specified using the NumberOfPasswordVerificationPrompts parameter in the client configuration file.

The client user is not forced to change the password before logging in when:

  • The connection is from OpenVMS to OpenVMS and the disforce_pwd_change flag is set in the user's SYSUAF record.

  • The connection is from a different SSH implementation to an OpenVMS system and the AllowNonvmsLoginWithExpiredPw parameter is set to yes in the client configuration file. In these cases, the pwd_expired flag is set in the user's SYSUAF record, so that any future attempts to log in will fail if the password is not changed during the current session.

The client user login is rejected if:

  • The connection is from a different SSH implementation to an OpenVMS system and the AllowVmsLoginWithExpiredPw parameter is set to no in the server configuration file.

  • The connection is from an OpenVMS system to a different SSH implementation, and the AllowNonVmsLoginWithExpiredPw parameter is set to no in the server configuration file.

Examples

  • If login is allowed but the password has expired, and the user is forced to change the password, the following message is displayed before the first DCL prompt:

    WARNING - Your password has expired; update immediately with SET PASSWORD!
  • If the NumberOfPasswordVerificationPrompts parameter is set to 2, the following message is displayed:

    Your password has expired; you must set a new password to log in
    New password:Verification:
    New password verification error; please try again
    Verification:

    If verification fails a second time, the login attempt fails.

To get detailed tracing information, on the OpenVMS SSH server, enter the following command:

$ ASSIGN/SYS "-i -d 6" TCPIP$SSH_SERVER_PARAM

Trace information is written to the TCPIP$SSH_HOME:TCPIP$SSH_RUN.LOG file.