Solved

SSHD gives an error when you change the password on AIX.

Posted on 2011-04-26
Last Modified: 2013-11-17
Hi,

I've seen that whenever you log in on any AIX in our company, if the password has expired and it asks you to change the old password, when you finish I get this error:
 /dev/pts/0: 3004-021 TSM lacks a required privilege.
and it closes the session. Once you try to log in again, it's successful.
Any idea about this error?
It happens with any ssh client.

NOTE: All AIX are running ssh version 5.4
s03i@b: /usr/local/bin # ssh -V
OpenSSH_5.4p1, OpenSSL 0.9.8m 25 Feb 2010

Thanks.

Question by:sminfo
 

Expert Comment

by:woolmilkporc
ID: 35468161
Hi again,

how old are your AIXes??

I haven't seen a 3004 message for decades!

The only cases I can remember are these crude things:

1) Your users don't have a HOME directory on the server in question, you set "mkhomeatlogin" to "true" in "/etc/security/login.cfg", and /home is on an NFS share without root access.

2) Someone removed the SUID bit from /usr/sbin/tsm

Nice issue anyway!

wmp

 

Author Comment

by:sminfo
ID: 35468281
Hi wmp,

All AIX are 6.1 TL1 SP1.
All users have their own home directory.
But the odd thing is it asks you to change the password, and when finished it aborts with this error. BUT THE CHANGE WAS SUCCESSFUL.
Also, it happens with ALL users.
I've googled but I couldn't find this error...:-(
 

Expert Comment

by:woolmilkporc
ID: 35468309
/usr/sbin/tsm ??
 

Author Comment

by:sminfo
ID: 35468350
Ah.. sorry

s03i0@bs21: /admin_tools # ls -l /usr/sbin/tsm
-r-sr-xr-x    3 root     security      83760 Jul 21 2010  /usr/sbin/tsm

something wrong?

 

Author Comment

by:sminfo
ID: 35468574
wmp,

the audit does not give any error when the issue occurs:

ISSUE:
s030's New password:
Enter the new password again:
/dev/pts/4: 3004-021 TSM lacks a required privilege.

AUDIT:
event           login    real     time                     status      command                         role                            wpar name
--------------- -------- -------- ------------------------ ----------- ------------------------------- ------------------------------- -------------------------
PASSWORD_Change s030     s030     Tue Apr 26 18:26:22 2011 OK          passwd                          No associated roles             Global
        s030
event           login    real     time                     status      command                         role                            wpar name
--------------- -------- -------- ------------------------ ----------- ------------------------------- ------------------------------- -------------------------
FILE_Owner      root     root     Tue Apr 26 18:26:22 2011 OK          sshd                            No associated roles             Global
        owner: 0 group: 0 filename /dev/pts/4
event           login    real     time                     status      command                         role                            wpar name
--------------- -------- -------- ------------------------ ----------- ------------------------------- ------------------------------- -------------------------
SSH_connabndn   root     root     Tue Apr 26 18:26:22 2011 OK          sshd                            No associated roles             Global
        audit event euid 0 user s030 event 12 (SSH_connabndn)

:-(
 

Expert Comment

by:woolmilkporc
ID: 35469489
/usr/sbin/tsm looks good.

I assume /dev/pts/ has permissions 755, all below has permissions 666, and everything there is owned by root/system?

Does the issue only happen with ssh, or does it happen with e.g. telnet as well?

Did you set "UseLogin" to "yes" in /etc/ssh/sshd_config?

What is the tpath attribute setting of the users in question? Something other than the default "nosak"?

I admit that the above are wild guesses ...

wmp
 

Expert Comment

by:woolmilkporc
ID: 35471458
I searched a bit and read about problems with Trusted AIX (MLS) and things like usermod/login/getty in version 6.1.

Most of these issues are fixed in TL 4.

Do you run Trusted AIX, and if so, could an upgrade to that TL be an option for you?

wmp
 

Author Comment

by:sminfo
ID: 35474308
OK, here I go:

# ls -ld /dev/pts/
drwxr-xr-x    2 root     system        16384 Jul 07 2010  /dev/pts/

No, it's only with SSH, telnet works fine.

Yep, I have UseLogin = yes in sshd_config.

tpath=nosak are set on all users.

Please, take a look at a comment I wrote on the other question.. Thanks!

 

Author Comment

by:sminfo
ID: 35474311
And NO, I don't have Trusted AIX. All AIX 6.1 are TL6.
 

Accepted Solution

by:woolmilkporc (earned 2000 total points)
ID: 35475333
OK, it's due to "UseLogin Yes" in sshd_config! ("login" is just a link to /usr/sbin/tsm)

tsm (or "login" in this case) tries an action after the successful password change that it's not allowed to do.
Maybe one day I'll find out which action this might be.

Why do you need "login" with ssh? To get entries in wtmp?

wmp


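An added example for this thread, not code from the poster, from AIX or from OpenSSH: a POSIX shell script that turns the checks wmp walked through in his comment (setuid bit on /usr/sbin/tsm, mode of /dev/pts, UseLogin in sshd_config) and the accepted diagnosis ("login" is a link to tsm, and UseLogin hands the session to it) into functions you can run on a box. The sshd_config it writes is constructed for the demonstration and shows why a "UseLogin yes" near the top of the file wins over a "UseLogin no" added later: sshd uses the first value it finds for a keyword, keyword names are case-insensitive, and "Key = value" is accepted as a separator. The paths in report_host are the standard AIX/OpenSSH locations and are assumed.

```shell
#!/bin/sh
# Added example for this thread, not code from the poster or from AIX/OpenSSH.
# Turns the checks discussed above into functions: effective UseLogin value,
# setuid bit on tsm, mode of /dev/pts, and login being a hard link to tsm.

# sshd_effective_opt CONFIG KEYWORD
# Print the value sshd will actually use. sshd takes the FIRST non-comment
# occurrence of a keyword, keywords are case-insensitive, and "Key = value"
# is accepted. Options after the first "Match" line are conditional, so the
# global scan stops there. Prints nothing if absent (the compiled-in default
# applies; for UseLogin that is "no").
sshd_effective_opt() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blanks
        tolower($1) == "match"               { exit }   # conditional section
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            sub(/[[:space:]]*=[[:space:]]*/, " ", line) # "Key = value" -> "Key value"
            split(line, f, /[[:space:]]+/)
            if (tolower(f[1]) == want) { print tolower(f[2]); exit }
        }' "$1"
}

# uselogin_enabled CONFIG: succeeds if sshd will exec login(1) after
# authentication; on AIX that is tsm, which is what produced 3004-021 here.
uselogin_enabled() {
    v=$(sshd_effective_opt "$1" UseLogin)
    [ "${v:-no}" = "yes" ]
}

# perm_string PATH -> mode string such as "-r-sr-xr-x" (first 10 columns of
# ls -ld; trailing ACL/SELinux markers are dropped).
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# has_setuid PATH: succeeds if the setuid bit is set ('s' or 'S' in the
# owner-execute column, as in the poster's /usr/sbin/tsm listing).
has_setuid() {
    case "$(perm_string "$1")" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# same_file A B: succeeds if both names have the same inode, i.e. are hard
# links to one file (login -> tsm on AIX). Assumes the same filesystem.
same_file() {
    ia=$(ls -Ldi "$1" 2>/dev/null | awk '{print $1}')
    ib=$(ls -Ldi "$2" 2>/dev/null | awk '{print $1}')
    [ -n "$ia" ] && [ "$ia" = "$ib" ]
}

# write_sample_conf: constructed sshd_config (not the poster's); prints its path.
# The first "useLogin yes" wins; the later "UseLogin = no" is dead config.
write_sample_conf() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
# constructed sshd_config for demonstration
Port 22
useLogin yes
PermitRootLogin no
# UseLogin no        <- commented out, ignored by sshd
UseLogin = no
Match User backup
    X11Forwarding no
EOF
    printf '%s\n' "$f"
}

# report_host [CONFIG]: run the real checks on an AIX box (standard paths assumed).
report_host() {
    conf=${1:-/etc/ssh/sshd_config}
    if uselogin_enabled "$conf"; then
        echo "UseLogin is effectively yes in $conf: sshd hands the session to login (tsm)"
    else
        echo "UseLogin is effectively no in $conf"
    fi
    same_file /usr/sbin/login /usr/sbin/tsm &&
        echo "/usr/sbin/login and /usr/sbin/tsm are the same file"
    has_setuid /usr/sbin/tsm || echo "WARNING: setuid bit missing on /usr/sbin/tsm"
    echo "/dev/pts mode: $(perm_string /dev/pts) (expected drwxr-xr-x)"
}
```

Source the file and call `report_host` (or `report_host /path/to/sshd_config`) on the affected host; `sshd -T` gives the same effective values on OpenSSH builds that support it, but this parser also explains which line of the file is responsible. UseLogin was removed from OpenSSH in 7.4, so on current builds the directive is simply rejected and the question no longer arises.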
 

Author Closing Comment

by:sminfo
ID: 35475410
I think I set UseLogin to YES because of AUDIT or syslog. I think without this option SSHD didn't send logs... Don't really remember now why :-)

OK..
 

Expert Comment

by:woolmilkporc
ID: 35475452

After an unsuccessful login (password expired) "tsm" puts the user in the "trusted" state, and several things are not allowed anymore.

But at the moment I just can't imagine why this leads to an error only with login under ssh and not under e.g. telnet or the like.

Thx for the points!

wmp

