Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-0346: HP-UX - Login/SSH fails/closes connection with user names longer than 8 characters

Authentication Service ,  

12 April,16 at 11:02 AM

Problem:

Logging in using SSH (stock or Centrify OpenSSH) from a HP-UX machine with a username more than 8 characters fails. SSH closes connection. su works fine. If the username is 8 characters or less,  SSH works fine.

Cause:

HP-UX has imposed username restriction of maximum 8 characters running in either Trusted or non-Trusted mode.

Workaround:

In the case of non-Trusted Mode, it is possible to work around this feature by adding a file to the /etc/default directory, as described in the HP KB PCHO-23218, i.e.

/etc/default/I_ACCEPT_RESPONSIBILITY_FOR_BYPASSING_SECURITY_CHECKS

Additional notes (from HP forum sites): There is an eight character limit on user logins on HP-UX 11.0, however there is a patch from HP that you can install on your system to  address this issue. This is patch PHCO_21833.  Centrify will not provide or take any responsibility if this patch causes other issues. The PAM libraries intentionally reject login names which are longer than 8 characters. This behavior is changed from 10.20. Some customers may want a way to bypass this restriction. Below is the resolution.

Resolution:

libpam_unix.1 now checks for the existence of a file in the "/etc/default" directory called:

"I_ACCEPT_RESPONSIBILITY_FOR_BYPASSING_SECURITY_CHECKS".

If this file exists, then login names longer than 8 characters can be added to the zone, and then those users can login. Note the following restrictions:

1) HP has never claimed that HP-UX supports user names longer than 8 characters, and does not recommend that customers bypass the existing length checks. Doing  so may cause functional and/or security problems.

2) This patch does not remove the existing user name length checks from other commands - e.g. pwck(1m), sam(1m), useradd(1m).

3) Do not enable long usernames on trusted system configurations.

4) Check if long user and group name feature enabled or not (please refer to KB-2047: HP-UX - Login/SSH fails with user names longer than 8 characters for details)

The below link explains the limitation as well.
http://h10025.www1.hp.com/ewfrf/wc/document?docname=c01096261&cc=us&dlc=en&lc=en&jumpid=reg_R1002_USEN

Centrify Corporation does not take any responsibility for the content or availability of this link and it was provided as a courtesy.  Customers should contact the vendor if there are any further questions

Related Articles

 articleKB-2047: HP-UX - Login/SSH fails with user names longer than 8 characters articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part III articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin?