IC87275: (SFTP) USERAUTH FAIL WHEN DUP KEYS WITH DIFFERENT NAMES IN AUTHORIZED USER KEYSTORE

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

APAR status

  • Closed as program error.

Error description

  • SFTP Public Key Auth fails when duplicate keys with different
    names in Authorized User keystore
    If the administrator adds a duplicate SSH public key with a new
    name to the Authorized User keystore, the error is not found
    until the user connects and attempts to validate using the key.
    Depending on the order of the keys in the keystore, the
    connection may fail with:
     SSE2621 user key list was not empty and key UserKey2 was not in
    user key list
     SSE2610  Sessionid xxx Userkey xxx Invalid Logon Attempt, Count
    1, locked: :false, ?
     SSE2624  Userid xxx from address xxx failed validation with key
    fingerprint xx:yy:zz
    

Local fix

  • STRRTC - 336514
    WA/RJ
    
    Circumvention: None
    

Problem summary

  • SFTP Public Key Auth fails when duplicate keys with different
    names in Authorized User keystore
    If the administrator adds a duplicate SSH public key with a new
    name to the Authorized User keystore, the error is not found
    until the user connects and attempts to validate using the key.
    Depending on the order of the keys in the keystore, the
    connection may fail with:
     SSE2621 user key list was not empty and key UserKey2 was not in
    user key list
     SSE2610  Sessionid xxx Userkey xxx Invalid Logon Attempt, Count
    1, locked: :false, ?
     SSE2624  Userid xxx from address xxx failed validation with key
    fingerprint xx:yy:zz
    

Problem conclusion

  • Added a search in the SSH Authorized User Keystore Configuration
    screen for a duplicate key fingerprint before saving a new key.
    If a duplicate key is found, a pop-up message is generated
    indicating which key it is a duplicate of so that the
    administrator can use that definition instead:
    Specified key finger print xx:yy:zz is already associated with
    authorized key UserKey2
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC87275

  • Reported component name

    STR SECURE PROX

  • Reported component ID

    5725D0300

  • Reported release

    341

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-10-16

  • Closed date

    2012-11-14

  • Last modified date

    2012-11-14

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    STR SECURE PROX

  • Fixed component ID

    5725D0300

Applicable component levels

  • R331 PSY

       UP

  • R340 PSY

       UP

  • R341 PSY

       UP



Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

Sterling Secure Proxy

Software version:

341

Reference #:

IC87275

Modified date:

2012-11-14

Translate my page

Machine Translation

Content navigation