IBM Support

IC87275: (SFTP) USERAUTH FAIL WHEN DUP KEYS WITH DIFFERENT NAMES IN AUTHORIZED USER KEYSTORE

Direct links to fixes

3.4.1.8-SterlingSecureProxy-Windows-if0009
3.4.1.8-SterlingSecureProxy-SolarisSPARC-if0009
3.4.1.8-SterlingSecureProxy-Linux-if0009
3.4.1.8-SterlingSecureProxy-Linux_S390-if0009
3.4.1.8-SterlingSecureProxy-HP-if0009
3.4.1.8-SterlingSecureProxy-HP-IA-if0009
3.4.1.8-SterlingSecureProxy-AIX-if0009

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • SFTP Public Key Auth fails when duplicate keys with different
names in Authorized User keystore
If the administrator adds a duplicate SSH public key with a new
name to the Authorized User keystore, the error is not found
until the user connects and attempts to validate using the key.
Depending on the order of the keys in the keystore, the
connection may fail with:
 SSE2621 user key list was not empty and key UserKey2 was not in
user key list
 SSE2610  Sessionid xxx Userkey xxx Invalid Logon Attempt, Count
1, locked: :false, ?
 SSE2624  Userid xxx from address xxx failed validation with key
fingerprint xx:yy:zz

Local fix

  • STRRTC - 336514
WA/RJ

Circumvention: None

Problem summary

  • SFTP Public Key Auth fails when duplicate keys with different
names in Authorized User keystore
If the administrator adds a duplicate SSH public key with a new
name to the Authorized User keystore, the error is not found
until the user connects and attempts to validate using the key.
Depending on the order of the keys in the keystore, the
connection may fail with:
 SSE2621 user key list was not empty and key UserKey2 was not in
user key list
 SSE2610  Sessionid xxx Userkey xxx Invalid Logon Attempt, Count
1, locked: :false, ?
 SSE2624  Userid xxx from address xxx failed validation with key
fingerprint xx:yy:zz

Problem conclusion

  • Added a search in the SSH Authorized User Keystore Configuration
screen for a duplicate key fingerprint before saving a new key.
If a duplicate key is found, a pop-up message is generated
indicating which key it is a duplicate of so that the
administrator can use that definition instead:
Specified key finger print xx:yy:zz is already associated with
authorized key UserKey2

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IC87275
    • 

  • Reported component name
    STR SECURE PROX
    • 

  • Reported component ID
    5725D0300
    • 

  • Reported release
    341
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2012-10-16
    • 

  • Closed date
    2012-11-14
    • 

  • Last modified date
    2012-11-14
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    STR SECURE PROX
    • 

  • Fixed component ID
    5725D0300
    • 



Applicable component levels


    

  • R331  PSY
       UP
    • 

  • R340  PSY
       UP
    • 

  • R341  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS6PNW","label":"IBM Sterling Secure Proxy"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"341","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            14 November 2012
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback