SSHD give an error when you ch8ange the password on AIX.

Hi,

I've seen that whenever you login on any AIX in our company, if the password has expired and it asks you for change the old password whenever you finished I get this error:
 /dev/pts/0: 3004-021 TSM lacks a required privilege.
and close the session. Once you try again to login it's successful.
Any idea about this error?
It happens with any ssh client.

NOTE: All AIX are running ssh version 5.4
s03i@b: /usr/local/bin # ssh -V
OpenSSH_5.4p1, OpenSSL 0.9.8m 25 Feb 2010

Thanks.

sminfoAsked:
Who is Participating?
 
woolmilkporcConnect With a Mentor Commented:
OK, it's due to "UseLogin Yes" in sshd_config! ("login" is just a link to /usr/sbin/tsm)

tsm (or "login" in this case) tries an action after successful password change which it's not allowed to do.
Maybe one day I'll find out which action this might be.

Why do you need "login" with ssh? To get entries in wtmp?

wmp


0
 
woolmilkporcCommented:
Hi again,

how old are your AIXes??

I didn't see a 3004 message for decades!

The only cases I can remember are these crude things:

1) Your users don't have a HOME directory on the server in question, and you set "mkhomeatlogin" to "true" in "/etc/security/login.cfg" and /home is on a NFS share without root access.

2) Someone removed the SUID bit from /usr/sbin/tsm

Nice issue anyway!

wmp

0
 
sminfoAuthor Commented:
Hi wmp,

All AIX are 6.1 TL1 SP1.
All users have their own home directory.
But the odd thing is it asks you to change the password, and when finished it aborts with this error. BUT THE CHANGE WAS SUCCESSFUL.
Also, it happens with ALL users.
I've googled but I couldn't find this error...:-(
0
Cloud Class® Course: Microsoft Exchange Server

The MCTS: Microsoft Exchange Server 2010 certification validates your skills in supporting the maintenance and administration of the Exchange servers in an enterprise environment. Learn everything you need to know with this course.

 
woolmilkporcCommented:
/usr/sbin/tsm ??
0
 
sminfoAuthor Commented:
Ah.. sorry

s03i0@bs21: /admin_tools # ls -l /usr/sbin/tsm
-r-sr-xr-x    3 root     security      83760 Jul 21 2010  /usr/sbin/tsm

something wrong?

0
 
sminfoAuthor Commented:
wmp,

the audit does not give any error when the issue ocurs:

ISSUE:
s030's New password:
Enter the new password again:
/dev/pts/4: 3004-021 TSM lacks a required privilege.

AUDIT:
--------------- -------- -------- ------------------------ ----------- ------------------------------- ------------------------------- -------------------------
PASSWORD_Change s030 s030 Tue Apr 26 18:26:22 2011 OK          passwd                          No associated roles             Global
        s030
event           login    real     time                     status      command                         role                            wpar name
--------------- -------- -------- ------------------------ ----------- ------------------------------- ------------------------------- -------------------------
FILE_Owner      root     root     Tue Apr 26 18:26:22 2011 OK          sshd                            No associated roles             Global
        owner: 0 group: 0 filename /dev/pts/4
event           login    real     time                     status      command                         role                            wpar name
--------------- -------- -------- ------------------------ ----------- ------------------------------- ------------------------------- -------------------------
SSH_connabndn   root     root     Tue Apr 26 18:26:22 2011 OK          sshd                            No associated roles             Global
        audit event euid 0 user s030 event 12 (SSH_connabndn)

:-(
0
 
woolmilkporcCommented:
/usr/sbin/tsm looks good.

I assume /dev/pts/ has permissions 755, all below has permissions 666, and everything there is owned by root/system?

Does the issue only happen with ssh, or does it happen with e.g. telnet as well?

Did you set "UseLogin" to "yes" in /etc/ssh/sshd_config?

What is the tpath attribute setting of the users in question? Something other than the default "nosak"?

I admit that the above are wild guesses ...

wmp
0
 
woolmilkporcCommented:
I searched a bit and read about problems with Trusted AIX (MLS) and things like usermod/login/getty in version 6.1.

Most of these issues are fixed in TL 4.

Do you run Trusted AIX, and if so, could an upgrade to that TL be on option for you?

wmp
0
 
sminfoAuthor Commented:
OK, here I go:

# ls -ld /dev/pts/
drwxr-xr-x    2 root     system        16384 Jul 07 2010  /dev/pts/

No, it's only with SSH, telnet works fine.

Yeap, I hace Use Login = yes on sshd_config

tpath=nosak are set on all users.

Please, take a look at a comment I wrote on the other question.. Thanks!

0
 
sminfoAuthor Commented:
And NO, I have not Trusted AIX. All AIX 6.1 are TL6.
0
 
sminfoAuthor Commented:
I think, I set UseLogin to YES because of AUDIT or syslog. I think without this option SSHD didn't sent logs... . Don't really remember now why :-)

OK..
0
 
woolmilkporcCommented:

After an unsuccessful login (password expired) "tsm" puts the user in the "trusted" state, and several things are not allowed anymore.

But at the moment I just can't imagine why this leads to an error only with login under ssh and not under e.g. telnet or the like.

Thx for the points!

wmp

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.