On any HPE Integrity server running HP-UX SecureShell A.09.30.003, sshd fails with non-default ChallRespAuthAllowUsers or ChallRespAuthDenyUsers directives.

When this occurs, either of the following may be observed:

When ChallRespAuthAllowUsers or ChallRespAuthDenyUsers is specified in /opt/ssh/etc/sshd_config with a non-default setting, the startup script "/sbin/init.d/secsh start" fails with the following error:

    /opt/ssh/etc/sshd_config line xxx: Incorrect challenge-response device name. EXIT CODE: 255

When directly running sshd with option ChallRespAuthAllowUsers or ChallRespAuthDenyUsers, the command returns errors, as shown in the following example:

    # /usr/sbin/sshd -o ChallRespAuthAllowUsers='[pam] testuser'
    command-line line 0: keyword ChallRespAuthAllowUsers extra arguments at end of line

The options ChallRespAuthAllowUsers and ChallRespAuthDenyUsers were introduced in the HP-UX SecureShell A.04.20.004 release in 2005. The descriptions of these options, quoted from the "HP-UX Secure Shell Getting Started Guide", are listed below.

ChallRespAuthAllowUsers

This configuration directive has been introduced by the 3rd party “Auth Selection” patch. Use this configuration directive to specify which users can be authenticated using Challenge Response authentication. The default setting is to allow all users.

For example:

    ChallRespAuthAllowUsers Allow All

ChallRespAuthDenyUsers

This configuration directive has been introduced by the 3rd party “Auth Selection” patch. Use this configuration directive to specify which users must be denied authentication using Challenge Response authentication. The default setting is to deny no users.

For example:

    ChallRespAuthDenyUsers Deny none

The subsequent introduction of the AuthenticationMethods option in HP-UX SecureShell A.06.20.xx permits finer user authentication control.

For example, to achieve the equivalent effect of the option “ChallRespAuthAllowUsers [pam] testuser” shown in the above example, specific AuthenticationMethods options can be configured for certain users using "Match User" in sshd_config, as shown below:

    # set default Authentication methods as publickey or password, and do not set keyboard-interactive/ChallengeResponse
    AuthenticationMethods publickey password
    # for testuser, force keyboard-interactive/ChallengeResponse with or without publickey authentication
    Match User testuser
    AuthenticationMethods publickey,keyboard-interactive:pam keyboard-interactive:pam
Any HPE Integrity server running HP-UX SecureShell A.09.30.003.
With HP-UX SecureShell A.09.30.007, using ChallRespAuthAllowUsers or ChallRespAuthDenyUsers with a non-default setting will not cause sshd to fail.

However, the options no longer serve their original purpose of specifying which users are allowed or disallowed to use Challenge Response authentication. Following the above example, having "ChallRespAuthAllowUsers Allow testuser" in /opt/ssh/etc/sshd_config means that all users, instead of just testuser, will be proposed keyboard-interactive/ChallengeResponse authentication.

To specify a non-default authentication method for specific users, configure AuthenticationMethods and "Match User" instead.

Operating Systems Affected: Not Applicable
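To find configurations affected by this change, the sketch below (an added example, not HPE code) scans an sshd_config for ChallRespAuth* directives that differ from the defaults quoted above and lists every AuthenticationMethods line with its Match scope. The function names, the sample file and the case-insensitive comparison of the default values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not HPE code. Defaults are the ones quoted from the guide:
# "ChallRespAuthAllowUsers Allow All" and "ChallRespAuthDenyUsers Deny none".

# audit_challresp FILE
# Prints "NONDEFAULT <line> <directive> <args>" for each non-default
# ChallRespAuth* directive and "METHODS <scope>: <list>" for every
# AuthenticationMethods line. Returns 1 if any NONDEFAULT line was printed.
audit_challresp() {
    awk '
    BEGIN { scope = "global"; bad = 0 }
    /^[ \t]*#/ { next }                  # comment line
    NF == 0    { next }                  # blank line
    {
        kw = tolower($1)                 # sshd keywords are case-insensitive
        args = ""
        for (i = 2; i <= NF; i++) args = args (i > 2 ? " " : "") $i
    }
    kw == "match" { scope = "Match " args; next }
    # Value comparison ignores case (assumption made for this example).
    kw == "challrespauthallowusers" && tolower(args) != "allow all" ||
    kw == "challrespauthdenyusers"  && tolower(args) != "deny none" {
        printf "NONDEFAULT %d %s %s\n", NR, $1, args; bad = 1; next
    }
    kw == "authenticationmethods" { printf "METHODS %s: %s\n", scope, args }
    END { exit bad }
    ' "$1"
}

# write_sample FILE: constructed sample built from the directives on this page.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server configuration
ChallRespAuthAllowUsers [pam] testuser
ChallRespAuthDenyUsers Deny none
AuthenticationMethods publickey password
Match User testuser
AuthenticationMethods publickey,keyboard-interactive:pam keyboard-interactive:pam
EOF
}

cfg=${TMPDIR:-/tmp}/sshd_config.sample.$$
write_sample "$cfg"
if audit_challresp "$cfg"; then
    echo "no non-default ChallRespAuth* directives found"
else
    echo "A.09.30.003: sshd fails to start; A.09.30.007: directive no longer restricts users"
fi
rm -f "$cfg"
```

For a NONDEFAULT finding, check that the intended restriction is expressed by a METHODS line under the matching "Match User" scope before removing the old directive.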