Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-0346: HP-UX - Login/SSH fails/closes connection with user names longer than 8 characters

Centrify DirectControl ,  

12 April,16 at 11:02 AM

Applies to: All versions of DirectControl on HPUX platforms.

Problem:
Logging in using SSH (stock or Centrify OpenSSH) from a HP-UX machine with a username more than 8 characters fails. SSH closes connection. su works fine. If the username is 8 characters or less,  SSH works fine.

Cause:
HP-UX has imposed username restriction of maximum 8 characters running in either Trusted or non-Trusted mode.

Workaround:
In the case of non-Trusted Mode, it is possible to work around this feature by adding a file to the /etc/default directory, as described in the HP KB PCHO-23218, i.e.


/etc/default/I_ACCEPT_RESPONSIBILITY_FOR_BYPASSING_SECURITY_CHECKS

Additional notes (from HP forum sites): There is an eight character limit on user logins on HP-UX 11.0, however there is a patch from HP that you can install on your system to  address this issue. This is patch PHCO_21833.  Centrify will not provide or take any responsibility if this patch causes other issues. The PAM libraries intentionally reject login names which are longer than 8 characters. This behavior is changed from 10.20. Some customers may want a way to bypass this restriction. Below is the resolution.

Resolution:
libpam_unix.1 now checks for the existence of a file in the "/etc/default" directory called:

"I_ACCEPT_RESPONSIBILITY_FOR_BYPASSING_SECURITY_CHECKS".

If this file exists, then login names longer than 8 characters can be added to the zone, and then those users can login. Note the following restrictions:

1) HP has never claimed that HP-UX supports user names longer than 8 characters, and does not recommend that customers bypass the existing length checks. Doing  so may cause functional and/or security problems.

2) This patch does not remove the existing user name length checks from other commands - e.g. pwck(1m), sam(1m), useradd(1m).

3) Do not enable long usernames on trusted system configurations.

4) Check if long user and group name feature enabled or not (please refer to KB-2047 for details)

The below link explains the limitation as well.
http://h10025.www1.hp.com/ewfrf/wc/document?docname=c01096261&cc=us&dlc=en&lc=en&jumpid=reg_R1002_USEN

Centrify Corporation does not take any responsibility for the content or availability of this link and it was provided as a courtesy.  Customers should contact the vendor if there are any further questions

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.