OpenSSH on AIX 5.3 Only allows root login

I recently installed OpenSSH on a clean AIX 5.3 box.  SSH is working but it will only allow root to log in.  I know I have to modify the sshd_conf file but I do not know 1) what has to be changed and 2) where to find it.  Presently the system does not recognize the locate command, and I am not really familiar with the find command.
gordonmannAsked:

omarfaridCommented:
By default all users are allowed. Please see the AllowUsers in sshd_config file.

The link below explains more:

http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config
0
gordonmannAuthor Commented:
I have that document and the file does not contain any AllowUsers statement, but still only root is allowed to log in via ssh. I can telnet but not ssh.
0
omarfaridCommented:
Can you post your sshd_config contents?
0
gheistCommented:
Is clean install an option? By default it installs locate and updatedb and allows ssh logins for anyone with password.
0
gordonmannAuthor Commented:
Here the contents are.  Also, sftp does not seem to work as well.
#      $OpenBSD: sshd_config,v 1.70 2004/12/23 23:11:00 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh_host_rsa_key
#HostKey /usr/local/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile      .ssh/authorized_keys

# For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem      sftp      /usr/local/libexec/sftp-server
0
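A way to see which directives are actually in effect in a file like the one posted above, where nearly every line is commented out. This is an added example, not part of the thread; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the sample
# config are constructed for illustration.

# Print "Keyword value" for every line that is in effect, i.e. neither
# blank nor commented out. Reads the file(s) given, or stdin if none.
# The Keyword=value spelling tried in the thread is normalised too.
active_directives() {
    awk '/^[ \t]*(#|$)/ { next }
         { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
           sub(/[ \t]*=[ \t]*|[ \t]+/, " "); print }' "$@"
}

# Print only the active directives that decide which accounts may log in.
# sshd_config keywords are case-insensitive, so compare in lower case.
login_restrictions() {
    active_directives "$@" | awk '
        { k = tolower($1) }
        k ~ /^(allowusers|denyusers|allowgroups|denygroups|permitrootlogin)$/ { print }'
}

# Constructed sample: stock file plus two hand edits.
sample_config() {
    cat <<'EOF'
# override default of no subsystems
#PermitRootLogin yes
#UsePAM no
  AllowUsers root
UsePrivilegeSeparation=no
Subsystem      sftp      /usr/local/libexec/sftp-server
EOF
}

# With a path argument, inspect that file; otherwise show the sample.
if [ "$#" -gt 0 ]; then
    login_restrictions "$1"
else
    sample_config | login_restrictions
fi
```

An empty result on the real file means none of these directives is set there, so a root-only restriction is coming from somewhere other than sshd_config.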
gheistCommented:
Play around with UsePrivilegeSeparation and Compression.
All the authentication uses suid root programs, so maybe some suid bit was lost to recent security audit.
0
gordonmannAuthor Commented:
I have never installed or configured ssh before so what do you mean by "play around"
0
gheistCommented:
Default is commented out. Change it other way.
Please post output of
$ file `which sshd`

Thanks
0
gordonmannAuthor Commented:
is that a command I need to run?
0
gordonmannAuthor Commented:
gheist, what do you mean by "$ file `which sshd`"?
0
gheistCommented:
Take fluorescent marker and write it on left side of your server.
I need to know if sshd is SUID root executable.
0
gordonmannAuthor Commented:
I am still totally confused as to what you are asking.
0
gheistCommented:
I ask you to execute command specified.
0
gordonmannAuthor Commented:
Sorry I have been upside down lately. Here is the output
/usr/sbin/sshd
0
gordonmannAuthor Commented:
I just noticed that these errors appear with each login:
/etc/profile[73]: /usr/local/bin/byram_login.sh:  not found.
/etc/profile[74]: test: 0403-004 Specify a parameter with this command.
/etc/profile[89]: /usr/local/bin/ivr_flg.sh:  not found.
mkdir: cannot access directory /var/byrams/output/tmp.
/var/byrams/output/tmp: No such file or directory


I am wondering if the manner in which the users on this box were "created" is the problem.  An IBM Engineer copied the password files from a previous box.
0
gordonmannAuthor Commented:
Could the problem of not being able to SSH stem from a failed call to getuserattr?  How would this be corrected?
0
gheistCommented:
Does this output pop up when logging in via telnet or locally?
Does su work on your system?

Since you have incomplete "magic" file do this:
ls -l `which sshd`
and post output.

Please provide more system information:
oslevel -r
ssh -V
0
gordonmannAuthor Commented:
On telnet for any user and ssh for root only (root is the only user able to ssh).  The local login is GUI and when you open a terminal the error does not appear.  su works fine but sudo and locate are not installed (another problem that needs to be resolved).

ls -l which sshd
which not found
sshd not found

oslevel -r
5300-04


ssh -V
OpenSSH_4.5p1, OpenSSL 0.9.8d 28 Sep 2006
0
gheistCommented:
sudo is not part of AIX - get it from bullfreeware.

locate sshd executable and post its attributes.
0
gordonmannAuthor Commented:

drwxr-xr-x   3 root     system          256 Jan 29 15:52 rc.d
drwxr-xr-x   2 root     system          256 Dec 17 12:38 ssh
0
gheistCommented:
sshd not ssh

find / -type f -name sshd | xargs file
0
gordonmannAuthor Commented:
[root@stage01:/] find / -type f -name sshd | xargs file
/usr/sbin/sshd: executable (RISC System/6000) or object module not stripped
0
gheistCommented:
chmod u+s /usr/sbin/sshd

You have filesystem damage, sir. Answer out of scope of this question. I'd reinstall for better life.
0
gordonmannAuthor Commented:
The OS?
0
gordonmannAuthor Commented:
I tried the command and it did not correct ssh issue.
0
gheistCommented:
Have you restarted ssh subsystem 'refresh -s sshd' after change?
0
gordonmannAuthor Commented:
Tried and received this error: 0513-005 The Subsystem, sshd, only supports signal communication.
0
gheistCommented:
kill -HUP `cat /var/run/sshd.pid`

Will restart sshd.
Another suspect is UsePrivilegeSeparation
Enter
UsePrivilegeSeparation no
and restart sshd again.

If still nothing works you will need to deinstall and reinstall ssh server.
0
gordonmannAuthor Commented:

UsePrivilegeSeparation no was incorrect; used UsePrivilegeSeparation=no

Tried with and without single quotes.

[root@stage01:/] kill -HUP cat /var/run/sshd.pid
ksh: cat: Arguments must be %job or process ids
0
gheistCommented:
Reread my post and use Copy/Paste functionality of your computer.
0
gordonmannAuthor Commented:
I did --- but to show you what happened I just retried and here are the results:
[root@stage01:/] kill -HUP `cat /var/run/sshd.pid`
cat: cannot open /var/run/sshd.pid
ksh: kill: bad argument count
[root@stage01:/]
[root@stage01:/]
[root@stage01:/] UsePrivilegeSeparation
ksh: UsePrivilegeSeparation:  not found
[root@stage01:/] UsePrivilegeSeparation no
ksh: UsePrivilegeSeparation:  not found
[root@stage01:/]
0
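The session above shows `kill -HUP` being handed an empty argument because /var/run/sshd.pid does not exist. The following added example (not part of the thread; function names are hypothetical) validates the pid file before anything is signalled as root.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the PID stored in pid file $1. Fails with a distinct status when
# the file is missing (1), does not hold a number (2), or names a
# process that no longer exists (3).
pid_from_file() {
    [ -r "$1" ] || { echo "no pid file: $1" >&2; return 1; }
    pid=$(head -n 1 "$1" | tr -d ' \t\r')
    case $pid in
        ''|*[!0-9]*) echo "$1 does not hold a PID" >&2; return 2 ;;
    esac
    kill -0 "$pid" 2>/dev/null || { echo "stale PID $pid in $1" >&2; return 3; }
    echo "$pid"
}

# Send SIGHUP only if the pid file resolves to a live process whose
# command name is sshd. The default path is the one used in the thread.
reload_sshd() {
    target=$(pid_from_file "${1:-/var/run/sshd.pid}") || return 1
    name=$(ps -p "$target" -o comm= | tr -d ' ')
    case $name in
        sshd|*/sshd) kill -HUP "$target" ;;
        *) echo "PID $target is '$name', not sshd; nothing signalled" >&2
           return 1 ;;
    esac
}

# Runs only when asked to, so sourcing the file never signals anything.
if [ "${1:-}" = "reload" ]; then
    reload_sshd "${2:-/var/run/sshd.pid}"
fi
```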
gordonmannAuthor Commented:
I just discovered that because of how the users on this system were added (copying the password files from another machine) none of the users, with the exception of root, have a home directory or a ".profile".

Could this be part of the problem?  If it is how would I correct this without jeopardizing any of the other configuration settings or permissions?
0
gheistCommented:
What are permissions of newly created directory?
0
gordonmannAuthor Commented:
I have resolved everything except the ssh issue.  I removed and re-added all the users using smitty
0
gheistCommented:
Have you reinstalled ssh? Is it RPM or BFF,IBM or BULL??
0
gordonmannAuthor Commented:
I have tried but smitty tells me "already installed". How can I remove it in order to reinstall?
0
gheistCommented:
What exactly have you tried?


If this is IBM - uninstall and reinstall using local console. Then launch it using smittys network services.
0

gordonmannAuthor Commented:
It is AIX 5.3 and I have never uninstalled a program on AIX and do not know the procedure.  How do I accomplish this?
0
gordonmannAuthor Commented:
Actual resolution was "install patch from IBM"
0
gheistCommented:
Patch installation replaced damaged sshd with usable one with suid bit in place.
0