topic Re: On OpenVMS 8.4, does SSH use LDAP or SYSUAF.DAT for authentication? in Operating System - OpenVMS

On OpenVMS 8.4, does SSH use LDAP or SYSUAF.DAT for authentication?

Clark Powell — Fri, 14 Oct 2011 21:02:07 GMT

Perhaps somebody can help me verify if in OpenVMS 8.4 that SSH is being authenticated by LDAP and not by SYSUAF.DAT.

I know that it is true that under OpenVMS 8.3 (tcpip V5.6 - ECO 5) that SSH is using SYSUAF.DAT for authentication and not LDAP. Many including myself have been fooled because the HP implementation of LDAP will update the SYSUAF password when it changes. One must scroll back and look at the login to know if LDAP is being used. You will see,

**** Logon authenticated by LDAP ****
OpenVMS password has been synchronized with external password

The second line occurs when there is a successful LDAP login and the password in SYSUAF.DAT is not the same as the LDAP password. It means what is says.

Using SSH under OpenVMS 8.3 you won't see either of those lines because SSH is going directly to the SYSUAF.DAT for authentication.

Try this test. First log into your LDAP and SSH system using an account with EXTAUTH flag. Do this to verify that your SSH is working. Then use AUTHORIZE change the password, log out, and SSH back in. You will not be able to use the old SSH password but you will be able to use the new one that you set with authorize. Log using telnet or decent or anything that uses LOGINOUT.EXE and use the LDAP password. You will see the above lines because using LOGINOUT.EXE does sync SYSUAF.DAT with LDAP and then you will be able to log in using SSH and the ldap password.

I 've done this on OpenVMS 8.3 and I know that SSH doesn't authenticate with LDAP but I have been told that this problem was fixed in OpenVMS 8.4. I don't have an 8.4 system so I was wondering if anyone with an 8.4 system could check this for me?

Re: On OpenVMS 8.4, does SSH use LDAP or SYSUAF.DAT for authentication?

Clark Powell — Thu, 03 Nov 2011 16:42:38 GMT

This is the first time I've not gotten an answer on a question but I had some free time so I went ahead and answered it myself.

I have investigated the compatibility of SSH and LDAP under OpenVMS 8.4 and found that it still sufferers from the same problem. SSH is being authenticated without the use of LOGINOUT.EXE so it is authenticating the entered password against SYSUAF.DAT and not active directory, (AD.) Reproducing this is confusing as the HP LDAP implementation will, if compatible applications like SET HOST or TELNET are used, update the SYSUAF.DAT database, (see 1 below,) thereby giving the impression that SSH is going to AD while it is really going to SYSUAF.DAT for authentication. (see 2 below for clues) Below are the versions I'm using.

HP TCP/IP Services for OpenVMS Alpha Version V5.7 - ECO 2

on an AlphaServer DS10L 466 MHz running OpenVMS V8.4 update 500

I don't know how SSH is designed. It may be impossible to get SSH to authenticate directly with AD using LDAP. Updating SYSUAF.DAT may be the best work around that is possible. But, it's important to know how it works going in otherwise one might be baffled by the results.

(1) When using apps like telnet or set host you will see at login:

**** Logon authenticated by LDAP ****

OpenVMS password has been synchronized with external password

Indicates that LDAP has change the SYSUAF.DAT password DB to the AD password

(2) Some ways to identify a non-LDAP log on. 1.) you will not see "**** Logon authenticated by LDAP ****" 2.) Even though you might be using the same AD password, it will not be case sensitive; it is when LDAP is being used.

thanks,

W. Clark Powell

system programmer

Virginia Mason Medical Center

Seattle, WA

Re: On OpenVMS 8.4, does SSH use LDAP or SYSUAF.DAT for authentication?

Hoff — Thu, 03 Nov 2011 17:50:26 GMT

Interesting.

What OpenVMS provides is single-signon external authentication. (The implementation is strictly passwords, and only a microscopic fraction of what a full-on LDAP login system can provide. In a full implementation, user information including location and email addresses and mail server, and maybe details such as the notebook Notes conference settings and the Notes seen map and a host of other user-level details would be stored in LDAP and loaded as needed, and not maintained (only) locally.)

telnet and SET HOST invoke LOGINOUT. LOGINOUT (with the ACME LOGINOUT Image loaded) verifies the password against the designated LDAP server; Open Directory or Active Directory or another provider.

These mechanisms work by setting up a terminal device and triggering unsolicited input, which Job Control sees as a login request and launches LOGINOUT. (This particular sequence is obviously not feasible with ssh, as the LOGINOUT user and password prompting isn't compatible with how ssh is supposed to work. LOGINOUT would need modifications to implement certificate-based access.)

To add external authentication into the OpenVMS ssh server, ssh would need to be recoded to use calls into ACME; calls to either $acm or $acmw. The existing authentication within the environment (probably $getuai-based) would probably be ripped out, and replaced with the $acm[w] system service calls. (Here is an example of using $acmw.)

I'd expect the existing processing within ssh is older than $acm[w], and has not been updated to use ACME.

The other option (for you) is to set up a certificate-based login, and skip the password processing entirely. (There's a PDF available via that page that walks through setting up certificate logins from Mac OS X Terminal.app and from Windows using PuTTY, too.)

MultiNet appears to have another available option here, with its authentication server. I don't know off-hand if the Process ssh tools (which were available as a separate product) support ACME-based logins, but it's worth a look.