This chapter describes how to analyze and solve problems that
prevent you from logging in using SSH.
In this discussion, the user is either the client user who executes the SSH
command or the user specified with the -l option to the SSH command.
Login is not permitted under the following conditions. In these cases, no auditing occurs.
- The user account does not exist.
- The user account has expired.
- The user account has access restrictions for the current day and time.
- The pwd_expired flag is set in the user's SYSUAF record.
- The keyword userloginlimit has a value of zero in the SSH server configuration file. (This applies to all users.)
If any of the following conditions are true for the user on the SSH server, login is not permitted and auditing does occur:
- The user failed authentication (for example, invalid or missing keys for the host-based or public-key method, an invalid password for the password method, or an expired password when the server is configured not to admit clients with an expired password).
- The disuser or autologin flag is set in the user's SYSUAF record.
- The user does not have OPER privilege and one of the following is true:
  - The number of interactive logins has exceeded the SYSGEN parameter IJOBLIM.
  - The UserLoginLimit configuration parameter in the server configuration file is greater than zero and there are already that number of logins for any individual user name.
- The client has been identified as an intruder.
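The two lists above can be turned into a triage helper that tells you whether to expect an audit record for a failed login. This is an added example, not part of the original documentation; the Login fields are hypothetical names to be filled in by hand from the SYSUAF record and the server configuration file. It assumes that a no-audit condition masks the audited ones and that the intruder check does not depend on OPER.

```python
from dataclasses import dataclass

@dataclass
class Login:
    """Constructed snapshot of one failed attempt; field names are hypothetical."""
    account_exists: bool = True
    account_expired: bool = False
    outside_allowed_hours: bool = False
    uaf_flags: frozenset = frozenset()   # lowercase SYSUAF flag names
    has_oper: bool = False
    auth_ok: bool = True
    intruder: bool = False
    user_login_limit: int = 5            # UserLoginLimit in the server config
    logins_for_user: int = 0             # current logins under this user name
    interactive_logins: int = 0          # current interactive logins, system-wide
    ijoblim: int = 64                    # SYSGEN parameter IJOBLIM

def denial_causes(a: Login):
    """Return (expect_audit_record, causes); causes is empty if nothing matches."""
    silent = [
        (not a.account_exists, "account does not exist"),
        (a.account_expired, "account has expired"),
        (a.outside_allowed_hours, "day/time access restriction"),
        ("pwd_expired" in a.uaf_flags, "pwd_expired flag set in SYSUAF"),
        (a.user_login_limit == 0, "UserLoginLimit is zero (all users)"),
    ]
    # OPER exempts the user from both login-count limits.
    over_limit = not a.has_oper and (
        a.interactive_logins > a.ijoblim
        or 0 < a.user_login_limit <= a.logins_for_user)
    audited = [
        (not a.auth_ok, "authentication failed"),
        (bool({"disuser", "autologin"} & a.uaf_flags), "disuser or autologin flag set"),
        (over_limit, "login limit reached and user lacks OPER"),
        (a.intruder, "client identified as an intruder"),
    ]
    # Assumption: a no-audit condition masks the audited ones, because the page
    # says no auditing occurs in those cases.
    hits = [why for cond, why in silent if cond]
    if hits:
        return False, hits
    hits = [why for cond, why in audited if cond]
    return bool(hits), hits
```

A result of (False, [...]) means the failure leaves no audit record, so the cause has to be found in the account record or the server configuration rather than in the audit log.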
If the user's password has expired and the connection is from an OpenVMS system
to another OpenVMS system, and the disforce_pwd_change flag is not set in the
user's SYSUAF record, then the user must change the password. The password
dictionary, password history, and generated password lists are not used. The
number of failed attempts to verify the new password is specified using the
NumberOfPasswordVerificationPrompts keyword in the client configuration file.
The client user is not forced to change the password when:
- The connection is from OpenVMS to OpenVMS and the disforce_pwd_change flag is set in the user's SYSUAF record.
- The connection is from a non-OpenVMS system to an OpenVMS system and the AllowNonvmsLoginWithExpiredPw value is set to YES in the client configuration file.
In these cases, the pwd_expired flag is set in the user's SYSUAF record, so that
any future attempts to log in will fail if the password is not changed
during the current session.
The client user login is rejected if:
- The connection is from a non-OpenVMS system to an OpenVMS system and AllowNonvmsLoginWithExpiredPw is set to NO in the server configuration file.
- The connection is from an OpenVMS system to a non-OpenVMS system, and AllowNonVmsLoginWithExpiredPw is set to NO in the server configuration file.
If login is allowed but the password has expired, and the user is forced to
change his password, the following message is displayed before the first DCL prompt:
    WARNING - Your password has expired; update immediately with SET PASSWORD!
If the NumberOfPasswordVerificationPrompts option is set to 2, the following message is displayed:
    Your password has expired; you must set a new password to log in
    New password:
    Verification:
    New password verification error; please try again
    Verification:
If verification fails a second time, the login attempt fails.