SSHD gives an error when you change the password on AIX.

Asked by sminfo
Medium Priority | 1,509 Views | Last Modified: 2013-11-17
Hi,

I've seen that whenever you log in on any AIX in our company, if the password has expired and it asks you to change the old password, when you have finished I get this error:
 /dev/pts/0: 3004-021 TSM lacks a required privilege.
and it closes the session. Once you try again to log in, it's successful.
Any idea about this error?
It happens with any ssh client.

NOTE: All AIX are running ssh version 5.4
s03i@b: /usr/local/bin # ssh -V
OpenSSH_5.4p1, OpenSSL 0.9.8m 25 Feb 2010

Thanks.


CERTIFIED EXPERT
Most Valuable Expert 2013
Top Expert 2013

Commented:
Hi again,

how old are your AIXes??

I didn't see a 3004 message for decades!

The only cases I can remember are these crude things:

1) Your users don't have a HOME directory on the server in question, you set "mkhomeatlogin" to "true" in "/etc/security/login.cfg", and /home is on an NFS share without root access.

2) Someone removed the SUID bit from /usr/sbin/tsm

Nice issue anyway!

wmp

Author

Commented:
Hi wmp,

All AIX are 6.1 TL1 SP1.
All users have their own home directory.
But the odd thing is it asks you to change the password, and when finished it aborts with this error. BUT THE CHANGE WAS SUCCESSFUL.
Also, it happens with ALL users.
I've googled but I couldn't find this error...:-(
CERTIFIED EXPERT
Most Valuable Expert 2013
Top Expert 2013

Commented:
/usr/sbin/tsm ??

Author

Commented:
Ah.. sorry

s03i0@bs21: /admin_tools # ls -l /usr/sbin/tsm
-r-sr-xr-x    3 root     security      83760 Jul 21 2010  /usr/sbin/tsm

something wrong?

Author

Commented:
wmp,

the audit does not give any error when the issue occurs:

ISSUE:
s030's New password:
Enter the new password again:
/dev/pts/4: 3004-021 TSM lacks a required privilege.

AUDIT:
event           login    real     time                     status      command                         role                            wpar name
--------------- -------- -------- ------------------------ ----------- ------------------------------- ------------------------------- -------------------------
PASSWORD_Change s030     s030     Tue Apr 26 18:26:22 2011 OK          passwd                          No associated roles             Global
        s030
event           login    real     time                     status      command                         role                            wpar name
--------------- -------- -------- ------------------------ ----------- ------------------------------- ------------------------------- -------------------------
FILE_Owner      root     root     Tue Apr 26 18:26:22 2011 OK          sshd                            No associated roles             Global
        owner: 0 group: 0 filename /dev/pts/4
event           login    real     time                     status      command                         role                            wpar name
--------------- -------- -------- ------------------------ ----------- ------------------------------- ------------------------------- -------------------------
SSH_connabndn   root     root     Tue Apr 26 18:26:22 2011 OK          sshd                            No associated roles             Global
        audit event euid 0 user s030 event 12 (SSH_connabndn)

:-(
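The audit dump above is the only hard evidence in this thread: a successful PASSWORD_Change followed, in the same second, by sshd recording SSH_connabndn for the same user. As an added example (not code from the thread or from AIX), the script below scans audit output in the layout pasted above and reports users for whom that sequence occurs, so the pattern can be found across many logins instead of by eye. The sample records are constructed from the ones in the post (plus an invented user "alice" whose password change is not followed by a dropped connection); the event names and the field layout are taken from the post.

```shell
#!/bin/sh
# Added example, not from the thread: find users whose successful
# PASSWORD_Change audit record is followed, at the same timestamp, by an
# SSH_connabndn record for that user. Records have the layout pasted in the
# thread: one line per event, continuation lines indented.
# SAMPLE_AUDIT is constructed from the records in the post; "alice" is an
# invented control user whose change was NOT followed by a dropped connection.

SAMPLE_AUDIT='event           login    real     time                     status      command  role                 wpar name
--------------- -------- -------- ------------------------ ----------- -------- -------------------- ---------
PASSWORD_Change s030     s030     Tue Apr 26 18:26:22 2011 OK          passwd   No associated roles  Global
        s030
FILE_Owner      root     root     Tue Apr 26 18:26:22 2011 OK          sshd     No associated roles  Global
        owner: 0 group: 0 filename /dev/pts/4
SSH_connabndn   root     root     Tue Apr 26 18:26:22 2011 OK          sshd     No associated roles  Global
        audit event euid 0 user s030 event 12 (SSH_connabndn)
PASSWORD_Change alice    alice    Tue Apr 26 18:30:05 2011 OK          passwd   No associated roles  Global
        alice'

# Print "USER TIMESTAMP" for every successful password change that was
# followed, at the same timestamp, by an abandoned SSH connection for that
# user. Reads the files given as arguments, or stdin when none are given.
find_dropped_after_pwchange() {
    awk '
    # fields 4..8 of an event line are the timestamp ("Tue Apr 26 18:26:22 2011")
    function stamp() { return $4 " " $5 " " $6 " " $7 " " $8 }

    # remember when each user last changed their password successfully
    $1 == "PASSWORD_Change" && $9 == "OK" { changed[$2] = stamp(); next }

    # the user of an SSH_connabndn record is only on its continuation line
    $1 == "SSH_connabndn" { pending = stamp(); next }

    # continuation line: "audit event euid 0 user s030 event 12 (SSH_connabndn)"
    pending != "" && $1 == "audit" && $2 == "event" {
        for (i = 1; i < NF; i++) if ($i == "user") u = $(i + 1)
        if (u in changed && changed[u] == pending) print u, pending
        pending = ""
    }' "$@"
}

# Stand-alone demonstration against the constructed sample; on a real host
# feed it the output of auditpr instead.
demo() {
    printf '%s\n' "$SAMPLE_AUDIT" | find_dropped_after_pwchange
}
demo
```

On the sample this prints only `s030 Tue Apr 26 18:26:22 2011`; alice's change is not reported because no SSH_connabndn follows it. Matching on an identical timestamp is deliberately strict: it isolates the "changed, then immediately dropped" case from ordinary client disconnects minutes later.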
CERTIFIED EXPERT
Most Valuable Expert 2013
Top Expert 2013

Commented:
/usr/sbin/tsm looks good.

I assume /dev/pts/ has permissions 755, all below has permissions 666, and everything there is owned by root/system?

Does the issue only happen with ssh, or does it happen with e.g. telnet as well?

Did you set "UseLogin" to "yes" in /etc/ssh/sshd_config?

What is the tpath attribute setting of the users in question? Something other than the default "nosak"?

I admit that the above are wild guesses ...

wmp
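The checklist wmp gives (setuid bit on /usr/sbin/tsm, /dev/pts ownership and mode, UseLogin in sshd_config, the users' tpath attribute) is easy to run by hand once, but it is also worth keeping as a script so the same facts can be gathered from every host showing the error. The following is an added example, not code from the thread: each check takes captured command output as input so it can be tested without an AIX box, and the `live_report` wrapper (hypothetical name) ties the checks to the real `ls`, `lsuser` and sshd_config on a host. The expected values are the ones wmp states; the output layouts are those shown later in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: offline-testable versions of the
# checks wmp asks about. Each check takes captured command output as its
# argument or on stdin; live_report runs them against the real commands.

# The first field of an `ls -l` line shows the setuid bit as "s" (or "S"),
# e.g. "-r-sr-xr-x" for a healthy /usr/sbin/tsm.
has_suid() {
    set -- $1                          # split the ls line into fields
    case "$1" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# `ls -ld /dev/pts` should show a root-owned directory with mode 755.
pts_dir_ok() {
    set -- $1
    [ "$1" = "drwxr-xr-x" ] && [ "$3" = "root" ]
}

# `ls -l /dev/pts/N` for a pty entry should show mode 666 owned by root.
pts_entry_ok() {
    set -- $1
    [ "$1" = "crw-rw-rw-" ] && [ "$3" = "root" ]
}

# sshd_config (path argument, or stdin) contains an active "UseLogin yes".
# sshd keywords are case-insensitive; a commented-out line starts with "#",
# so its first field never equals "uselogin".
uselogin_enabled() {
    awk 'tolower($1) == "uselogin" && tolower($2) == "yes" { found = 1 }
         END { exit found ? 0 : 1 }' "$@"
}

# `lsuser -a tpath USER` prints "USER tpath=VALUE"; nosak is the default.
tpath_is_default() {
    case "$1" in
        *" tpath=nosak") return 0 ;;
        *)               return 1 ;;
    esac
}

# Run every check on a live AIX host for one user (hypothetical wrapper; the
# command names are real AIX/OpenSSH commands).
live_report() {
    user=$1
    if has_suid "$(ls -l /usr/sbin/tsm)"; then echo "tsm: setuid present"
    else echo "tsm: setuid MISSING"; fi
    if pts_dir_ok "$(ls -ld /dev/pts)"; then echo "/dev/pts: owner/mode ok"
    else echo "/dev/pts: unexpected owner or mode"; fi
    if uselogin_enabled /etc/ssh/sshd_config; then echo "sshd: UseLogin yes"
    else echo "sshd: UseLogin not active"; fi
    if tpath_is_default "$(lsuser -a tpath "$user")"; then echo "$user: tpath=nosak"
    else echo "$user: non-default tpath"; fi
}
```

Usage on a host is `live_report s030`; every check returns a shell status, so the same functions can be dropped into a larger inventory script and the failing hosts listed rather than eyeballed.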
CERTIFIED EXPERT
Most Valuable Expert 2013
Top Expert 2013

Commented:
I searched a bit and read about problems with Trusted AIX (MLS) and things like usermod/login/getty in version 6.1.

Most of these issues are fixed in TL 4.

Do you run Trusted AIX, and if so, could an upgrade to that TL be on option for you?

wmp

Author

Commented:
OK, here I go:

# ls -ld /dev/pts/
drwxr-xr-x    2 root     system        16384 Jul 07 2010  /dev/pts/

No, it's only with SSH, telnet works fine.

Yep, I have UseLogin = yes in sshd_config

tpath=nosak is set on all users.

Please, take a look at a comment I wrote on the other question.. Thanks!

Author

Commented:
And NO, I do not have Trusted AIX. All AIX 6.1 are TL6.

Author

Commented:
I think I set UseLogin to YES because of AUDIT or syslog. I think without this option SSHD didn't send logs... Don't really remember now why :-)

OK..
CERTIFIED EXPERT
Most Valuable Expert 2013
Top Expert 2013

Commented:

After an unsuccessful login (password expired) "tsm" puts the user in the "trusted" state, and several things are not allowed anymore.

But at the moment I just can't imagine why this leads to an error only with login under ssh and not under e.g. telnet or the like.

Thx for the points!

wmp
