System can log in multiple times, user cannot login at all

Post by tlovern » Wed Aug 09, 2023 4:32 pm

Here is the user's sysuaf (yes I gave it all privs - will cut back when working):

Username: 1LOVERN                          Owner:  
Account:                                   UIC:    [200,230] ([DEFAULT])
CLI:      DCL                              Tables: DCLTABLES
Default:  USER$DISK:[USERS.1LOVERN]
LGICMD:   
Flags: 
Primary days:   Mon Tue Wed Thu Fri        
Secondary days:                     Sat Sun
No access restrictions
Expiration:            (none)    Pwdminimum:  6   Login Fails:     0
Pwdlifetime:         60 00:00    Pwdchange:      (pre-expired) 
Last Login:            (none) (interactive),            (none) (non-interactive)
Maxjobs:         0  Fillm:       128  Bytlm:        128000
Maxacctjobs:     0  Shrfillm:      0  Pbytlm:            0
Maxdetach:       0  BIOlm:       150  JTquota:        4096
Prclm:           8  DIOlm:       150  WSdef:          4096
Prio:            4  ASTlm:       300  WSquo:          8192
Queprio:         4  TQElm:       100  WSextent:      16384
CPU:        (none)  Enqlm:      4000  Pgflquo:      256000
Authorized Privileges: 
  ACNT         ALLSPOOL     ALTPRI       AUDIT        BUGCHK       BYPASS
  CMEXEC       CMKRNL       DIAGNOSE     DOWNGRADE    EXQUOTA      GROUP
  GRPNAM       GRPPRV       IMPERSONATE  IMPORT       LOG_IO       MOUNT
  NETMBX       OPER         PFNMAP       PHY_IO       PRMCEB       PRMGBL
  PRMMBX       PSWAPM       READALL      SECURITY     SETPRV       SHARE
  SHMEM        SYSGBL       SYSLCK       SYSNAM       SYSPRV       TMPMBX
  UPGRADE      VOLPRO       WORLD
Default Privileges: 
  ACNT         ALLSPOOL     ALTPRI       AUDIT        BUGCHK       BYPASS
  CMEXEC       CMKRNL       DIAGNOSE     DOWNGRADE    EXQUOTA      GROUP
  GRPNAM       GRPPRV       IMPERSONATE  IMPORT       LOG_IO       MOUNT
  NETMBX       OPER         PFNMAP       PHY_IO       PRMCEB       PRMGBL
  PRMMBX       PSWAPM       READALL      SECURITY     SETPRV       SHARE
  SHMEM        SYSGBL       SYSLCK       SYSNAM       SYSPRV       TMPMBX
  UPGRADE      VOLPRO       WORLD
UAF>  Exit 
%UAF-I-NOMODS, no modifications made to system authorization file
%UAF-I-RDBNOMODS, no modifications made to rights database

Here is the login interactive setting:

$ set login/inter
%SET-I-INTSET, login interactive limit = 100, current interactive value = 2

Disk user is configured to use:

$ sho dev user$disk/full

    Disk NARNIA$DKA100:, device type ATA VMware Virtual S, is online, mounted, file-
    oriented device, shareable, available to cluster, error logging is enabled.

    Error count                    0    Operations completed              17305
    Owner process                 ""    Owner UIC                      [SYSTEM]
    Owner process ID        00000000    Dev Prot            S:RWPL,O:RWPL,G:R,W
    Reference count                1    Default buffer size                 512
    Total blocks           209715200    Sectors per track                     0
    Total cylinders                0    Tracks per cylinder                   0
    Logical Volume Size    209715200    Expansion Size Limit          209715200

    Volume label             "USERS"    Relative volume number                0
    Cluster size                   1    Transaction count                     1
    Free blocks            209659820    Maximum files allowed          16711679
    Extend quantity                5    Mount count                           1
    Mount status              System    Cache name      "_NARNIA$DKA0:XQPCACHE"
    Extent cache size             64    Max blocks in extent cache     20965982
    File ID cache size            64    Blocks in extent cache                0
    Quota cache size               0    Maximum buffers in FCP cache       4884
    Volume owner UIC        [SYSTEM]    Vol Prot    S:RWCD,O:RWCD,G:RWCD,W:RWCD

  Volume Status:  ODS-2, subject to mount verification, file high-water marking,
      write-through XFC caching enabled, write-back XQP caching enabled.

Here is what happens when using ssh:

$ ssh 1lovern@10.0.1.33

 Welcome to OpenVMS (TM) x86_64 Operating System, Version V9.2-1  
1lovern@10.0.1.33's password: 
Connection closed by 10.0.1.33 port 22

I don't see anything in authorize, nor in the number of interactive logins (shouldn't matter - account has oper)

I can fire up as many system account sessions as I want.

It is going to be something simple, but I'm not seeing it.

Added in 14 minutes 2 seconds:
Ok, I can log in as the user on the defined port using telnet. I cannot login using SSH.

I set /local/network/remote/dialup, etc in authorize. I must have missed one.

F$MODE() for both is interactive.

Device is _OPA0: for user login working, _FTA7: for system logged in via SSH.
It has to be something with SSH / device type.

Added in 9 minutes 54 seconds:
Looks like I need to configure that user for SSH access...this is all new to me.
Last edited by tlovern on Wed Aug 09, 2023 4:41 pm, edited 1 time in total.


Post by cct » Wed Aug 09, 2023 7:14 pm

Try connecting with ssh -v <user>@<host> to get some debug information. To get more use -vv or even -vvv

That might give a clue!

Although looking at your UAF record, the password seems pre-expired, so maybe your ssh client doesn't allow password change

Chris
Last edited by cct on Wed Aug 09, 2023 7:16 pm, edited 1 time in total.
--
Chris



Post by sms » Thu Aug 10, 2023 2:09 am

> Welcome to OpenVMS (TM) x86_64 Operating System, Version V9.2-1

   And the OpenSSH version is?

      prod show prod openssh

V8.9-1F seems to be recent.

> Looks like I need to configure that user for SSH access...this is all
> new to me.

   I'm unaware of anything special required in AUTHORIZE to allow an SSH
login.

> Connection closed by 10.0.1.33 port 22

   I got that on a half-configured system.  When I investigated, I found
problems in SYSUAF -- faulty identifier values and names, and defective
file/directory ownership/protections.  It's easy enough to omit
/BY_OWNER = ORIGINAL from a BACKUP command, for example.

   When I corrected those problems which I found, it worked properly,
and then I failed to find a simple way to recreate the problem, so I
don't know what caused it or fixed it.

   In general, I'd also look at ownership/protections on SYS$ANNOUNCE
and SYS$WELCOME, but you seem to have gotten to at least one of them.

> [...]  Pwdchange: (pre-expired)

   Under "Chapter 5. Authorize Utility" in the System Management
Utilities Reference Manual, Volume I: A-L (https://docs.vmssoftware.com/vsi-openvms-system-management-utilities-reference-manual-volume-i-a-l/#AUTHORIZE_PART) (which comes right _after_
"Volume II: M-Z" in the list at https://docs.vmssoftware.com/), I
failed to find a clear explanation of what that means or how to change
it, but I did have that initially, and now it's a recent date+time, so I
must have done something with the user's password (or lifetime, or
expiration, or something?).


> [...] or even -vvv

   Reasonable, but it didn't tell me much:

[...]
debug1: Trying private key: /Users/sms/.ssh/id_rsa
debug3: sign_and_send_pubkey: RSA SHA256:+0ORfmrvhQHbuGlLA/6FhHRS6+efdv6POWV91QRncbw
debug3: sign_and_send_pubkey: signing using rsa-sha2-512
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
Connection closed by 10.0.0.184 port 22

   Perhaps bad ownership/protections on the user's [.SSH]
directory/files?


Post by imiller » Thu Aug 10, 2023 3:56 am

What is the value of VmsAllowLoginWithExpiredPw in SSH$ROOT:[ETC]SSHD_CONFIG. ?

What are the results of

$ DIR/SEC USER$DISK:[USERS.1LOVERN]
$ DIR/SEC USER$DISK:[USERS]1LOVERN.DIR
$ DIR/SEC USER$DISK:[000000]USERS.DIR
Last edited by imiller on Thu Aug 10, 2023 3:59 am, edited 1 time in total.
Ian Miller
[ personal opinion only. usual disclaimers apply. Do not taunt happy fun ball ].


Post by tlovern » Thu Aug 10, 2023 11:10 am

If I login to the console as a user, it works. So it is definitely an SSH thing.

Here is the ssh -v output:

$ ssh -v 1lovern@10.0.1.33
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 10.0.1.33 [10.0.1.33] port 22.
debug1: Connection established.
debug1: identity file /Users/tlovern/.ssh/id_rsa type -1
debug1: identity file /Users/tlovern/.ssh/id_rsa-cert type -1
debug1: identity file /Users/tlovern/.ssh/id_ecdsa type -1
debug1: identity file /Users/tlovern/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/tlovern/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/tlovern/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/tlovern/.ssh/id_ed25519 type -1
debug1: identity file /Users/tlovern/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/tlovern/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/tlovern/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/tlovern/.ssh/id_xmss type -1
debug1: identity file /Users/tlovern/.ssh/id_xmss-cert type -1
debug1: identity file /Users/tlovern/.ssh/id_dsa type -1
debug1: identity file /Users/tlovern/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9 VSI
debug1: compat_banner: match: OpenSSH_8.9 VSI pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.0.1.33:22 as '1lovern'
debug1: load_hostkeys: fopen /Users/tlovern/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:s9P0rzx57Qfru/CiTsTdGPGFAy9D/UVJa2p4KJXamnE
debug1: load_hostkeys: fopen /Users/tlovern/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '10.0.1.33' is known and matches the ED25519 host key.
debug1: Found key in /Users/tlovern/.ssh/known_hosts:8
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /Users/tlovern/.ssh/id_rsa
debug1: Will attempt key: /Users/tlovern/.ssh/id_ecdsa
debug1: Will attempt key: /Users/tlovern/.ssh/id_ecdsa_sk
debug1: Will attempt key: /Users/tlovern/.ssh/id_ed25519
debug1: Will attempt key: /Users/tlovern/.ssh/id_ed25519_sk
debug1: Will attempt key: /Users/tlovern/.ssh/id_xmss
debug1: Will attempt key: /Users/tlovern/.ssh/id_dsa
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received

Welcome to OpenVMS (TM) x86_64 Operating System, Version V9.2-1
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/tlovern/.ssh/id_rsa
debug1: Trying private key: /Users/tlovern/.ssh/id_ecdsa
debug1: Trying private key: /Users/tlovern/.ssh/id_ecdsa_sk
debug1: Trying private key: /Users/tlovern/.ssh/id_ed25519
debug1: Trying private key: /Users/tlovern/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/tlovern/.ssh/id_xmss
debug1: Trying private key: /Users/tlovern/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
1lovern@10.0.1.33's password:
Connection closed by 10.0.1.33 port 22
$

Added in 2 minutes 39 seconds:
cct wrote:
Wed Aug 09, 2023 7:14 pm
> Try connecting with ssh -v <user>@<host> to get some debug information. To get more use -vv or even -vvv
>
> That might give a clue!
>
> Although looking at your UAF record, the password seems pre-expired, so maybe your ssh client doesn't allow password change
>
> Chris

I went in and unexpired the pwd, and that didn't make a difference.

It is strictly an SSH issue, using the console (telnet) works fine.

Part of the problem is that I don't know enough (anything) about SSH or how to troubleshoot it. Most of my OpenVMS life has been development with some system management, but not a lot of configuration or install experience.

Added in 7 minutes 46 seconds:
imiller wrote:
Thu Aug 10, 2023 3:56 am
> What is the value of VmsAllowLoginWithExpiredPw in SSH$ROOT:[ETC]SSHD_CONFIG. ?
>
> What are the results of
>
> $ DIR/SEC USER$DISK:[USERS.1LOVERN]
> $ DIR/SEC USER$DISK:[USERS]1LOVERN.DIR
> $ DIR/SEC USER$DISK:[000000]USERS.DIR

$ @doit
$ DIR/SEC USER$DISK:[USERS.1LOVERN]
USER$DISK:[USERS.1LOVERN]DOIT.COM;1 6 lines
Directory USER$DISK:[USERS.1LOVERN]

COM.DIR;1 [DEFAULT] (RWE,RWE,RWE,RE)
DBG.INI;1 [DEFAULT] (RWED,RWED,RE,)
DEB.INI;1 [DEFAULT] (RWED,RWED,RE,)
DOIT.COM;1 [DEFAULT] (RWED,RWED,RWED,RE)
GET_DEFAULTS.COM;1 [DEFAULT] (RWED,RWED,RWED,RE)
KEPT_EVE$ADVANCED.TPU;1
[DEFAULT] (RWED,RWED,RE,)
LOG.DIR;1 [DEFAULT] (RWE,RWE,RWE,RE)
LOGIN.COM;1 [DEFAULT] (RWED,RWED,RE,)
LOGOUT.COM;1 [DEFAULT] (RWED,RWED,RE,)
SES.DIR;1 [DEFAULT] (RWE,RWE,RWE,RE)
TCPIP$FTP_SERVER.LOG;2
[DEFAULT] (RWED,RWED,RE,)
TCPIP$FTP_SERVER.LOG;1
[DEFAULT] (RWED,RWED,RE,)
TPU.DIR;1 [DEFAULT] (RWE,RWE,RWE,RE)
UTL.DIR;1 [DEFAULT] (RWE,RWE,RWE,RE)
V5TPU.TPU;1 [DEFAULT] (RWED,RWED,RE,)

Total of 15 files.
$ DIR/SEC USER$DISK:[USERS]1LOVERN.DIR

Directory USER$DISK:[USERS]

1LOVERN.DIR;1 [DEFAULT] (RWED,RWED,RWE,RE)

Total of 1 file.
$ DIR/SEC USER$DISK:[000000]USERS.DIR

Directory USER$DISK:[000000]

USERS.DIR;1 [SYSTEM] (RWE,RWE,RE,E)

Total of 1 file.

Added in 10 minutes 54 seconds:
OK, went all the way to -vvv in the SSH login attempt; here's everything from the point VMS responds:

Welcome to OpenVMS (TM) x86_64 Operating System, Version V9.2-1
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/tlovern/.ssh/id_rsa
debug3: no such identity: /Users/tlovern/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /Users/tlovern/.ssh/id_ecdsa
debug3: no such identity: /Users/tlovern/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /Users/tlovern/.ssh/id_ecdsa_sk
debug3: no such identity: /Users/tlovern/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /Users/tlovern/.ssh/id_ed25519
debug3: no such identity: /Users/tlovern/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /Users/tlovern/.ssh/id_ed25519_sk
debug3: no such identity: /Users/tlovern/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /Users/tlovern/.ssh/id_xmss
debug3: no such identity: /Users/tlovern/.ssh/id_xmss: No such file or directory
debug1: Trying private key: /Users/tlovern/.ssh/id_dsa
debug3: no such identity: /Users/tlovern/.ssh/id_dsa: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
1lovern@10.0.1.33's password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
Connection closed by 10.0.1.33 port 22
Last edited by tlovern on Thu Aug 10, 2023 11:26 am, edited 3 times in total.


Post by imiller » Thu Aug 10, 2023 11:33 am

I note a lack of [.SSH2] directory and TCPIP$SSH_SFTP-SERVER2.LOG which is curious. The protection on the login directory looks ok.
Ian Miller
[ personal opinion only. usual disclaimers apply. Do not taunt happy fun ball ].


Post by tlovern » Thu Aug 10, 2023 11:38 am

I was using FileZilla (ftp tool) to get some files off my Mac into my account, hence the log.

The ssh2 directory, I think, is where the problem lies - how do I get one created and what should be in it?
Or do I create an empty one and it gets populated?


Post by cct » Thu Aug 10, 2023 11:44 am

It is no longer an SSH2.DIR, it is .ssh.DIR

Have you followed the steps in the OpenVMS V9.2-1 installation guide?

Also we currently see much around your password - try ssh -vv or even -vvv but that is very verbose!

Chris
--
Chris


Post by imiller » Thu Aug 10, 2023 11:45 am

[.SSH2] should get created but clearly is not and there would normally be a log file. Do you have auditing enabled for failed logins?
$ SHOW AUDIT
should show
Logfailure: batch,dialup,local,remote,network,subprocess,detached

If so you can look for audit log entries or audit alarms
Ian Miller
[ personal opinion only. usual disclaimers apply. Do not taunt happy fun ball ].


Post by tlovern » Thu Aug 10, 2023 11:50 am

imiller wrote:
Thu Aug 10, 2023 11:45 am
> [.SSH2] should get created but clearly is not and there would normally be a log file. Do you have auditing enabled for failed logins?
> $ SHOW AUDIT
> should show
> Logfailure: batch,dialup,local,remote,network,subprocess,detached
>
> If so you can look for audit log entries or audit alarms

$ SHO AUDIT
System security alarms currently enabled for:
ACL
Authorization
Audit: illformed
Breakin: dialup,local,remote,network,detached
Logfailure: batch,dialup,local,remote,network,subprocess,detached

System security audits currently enabled for:
ACL
Authorization
Audit: illformed
Breakin: dialup,local,remote,network,detached
Logfailure: batch,dialup,local,remote,network,subprocess,detached
$

Added in 1 minute 22 seconds:
cct wrote:
Thu Aug 10, 2023 11:44 am
> It is no longer an SSH2.DIR, it is .ssh.DIR
>
> Have you followed the steps in the OpenVMS V9.2-1 installation guide?
>
> Also we currently see much around your password - try ssh -vv or even -vvv but that is very verbose!
>
> Chris

I did the vvv option - it is in a posting above. SSH sends a pwd packet (50) and then VMS ends the connection.
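
Added example (not part of any post in this thread): the -vvv traces above can be read by SSH authentication message number from RFC 4252, where 50 is the client's request, 51 a failure reply, 52 success and 60 a method-specific prompt such as a password change request. The Python below classifies each attempted method by how it ended; the function names are hypothetical and the sample trace is constructed by abridging the lines quoted in the thread.

```python
import re

# SSH authentication message numbers (RFC 4252).
USERAUTH_REQUEST = 50          # client -> server: "try this method"
REPLIES = {
    51: "rejected",            # SSH_MSG_USERAUTH_FAILURE: server answered, next method may follow
    52: "accepted",            # SSH_MSG_USERAUTH_SUCCESS
    60: "server-prompt",       # method-specific, e.g. password change request
}

METHOD = re.compile(r"debug1: Next authentication method: (\S+)")
SENT = re.compile(r"debug3: send packet: type (\d+)")
RECV = re.compile(r"debug3: receive packet: type (\d+)")
CLOSED = re.compile(r"^Connection closed by \S+ port \d+")


def classify_auth(trace):
    """Return [(method, outcome)] for every method that actually sent a request."""
    results, method, pending = [], None, False
    for line in trace.splitlines():
        line = line.strip()
        if m := METHOD.search(line):
            method, pending = m.group(1), False
        elif (m := SENT.search(line)) and int(m.group(1)) == USERAUTH_REQUEST:
            pending = True                      # request sent, reply not yet seen
        elif (m := RECV.search(line)) and pending:
            code = int(m.group(1))
            results.append((method, REPLIES.get(code, f"type-{code}")))
            pending = code == 60                # after a prompt the exchange continues
        elif CLOSED.search(line) and pending:
            # Server closed the TCP connection instead of answering the request.
            results.append((method, "dropped-after-request"))
            pending = False
    return results


def needs_server_side_logs(results):
    """True when a request got no protocol-level answer at all."""
    return any(outcome == "dropped-after-request" for _, outcome in results)


# Constructed sample: abridged from the -vvv output posted in the thread.
SAMPLE_TRACE = """\
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/tlovern/.ssh/id_rsa
debug3: no such identity: /Users/tlovern/.ssh/id_rsa: No such file or directory
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 51
debug1: Next authentication method: password
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
Connection closed by 10.0.1.33 port 22
"""

if __name__ == "__main__":
    for method, outcome in classify_auth(SAMPLE_TRACE):
        print(f"{method:22s} {outcome}")
```

A `dropped-after-request` outcome means the client never received a 51, 52 or 60 for that request, so the client trace holds no reason for the failure and the server-side audit entries and sshd log are the next place to look.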
