topic Re: ssh_add cannot connect to ssh_agent in Operating System - OpenVMS

ssh_add cannot connect to ssh_agent

Terrence Branscombe — Wed, 07 Mar 2007 22:24:00 GMT

According to what I can find in the SSH docs, the SSH_ADD program should connect with the SSH_AGENT program and add any keys specified in your [.SSH2]IDENTIFICATION. file. That isn't happening for me. I can start the agent, see the subprocess is created, but SSH_ADD hangs until I CTRL-Y. This then kills the subprocess and SSH_AGENT. Did I miss something in the docs? Thanks.

I have a hobbyist system (VMS Alpha 7.3-2) running TCPIP for OpenVMS 5.4 ECO 5.

$ show user/full tbransco
OpenVMS User Processes at 7-MAR-2007 19:13:32.26
Total number of users = 1, number of processes = 1

Username Process Name PID Terminal
TBRANSCO TBRANSCO 00000228 TNA4: (Host: GONDOR Port: 1707)
$ dir/owner/prot [.ssh2]identification.

Directory DISK$USR:[TBRANSCO.SSH2]

IDENTIFICATION.;3 [TBRANSCO] (RWD,RWD,R,R)

Total of 1 file.

$ tcpip show service ssh

Service Port Proto Process Address State

SSH 22 TCP TCPIP$SSH 0.0.0.0 Enabled

$ ssh_agent
%DCL-S-SPAWNED, process TBRANSCO_36807 spawned

$ show user/full tbransco
OpenVMS User Processes at 7-MAR-2007 19:15:31.43
Total number of users = 1, number of processes = 2

Username Process Name PID Terminal
TBRANSCO TBRANSCO 00000228 TNA4: (Host: GONDOR Port: 1707)
TBRANSCO TBRANSCO_36807 00000239 (subprocess of 00000228)

$ show symbol/global ssh_add
SSH_ADD*2 == "$SYS$SYSTEM:TCPIP$SSH_SSH-ADD2.EXE"

$ ssh_add

Re: ssh_add cannot connect to ssh_agent

Steven Schweda — Wed, 07 Mar 2007 23:02:13 GMT

I know nothing, but around here:

alp $ tcpip show vers

HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2

alp $ show symb ssh*
SSH*2 == "$SYS$SYSTEM:TCPIP$SSH_SSH2.EXE"
SSH_ADD*2 == "$SYS$SYSTEM:TCPIP$SSH_SSH-ADD2.EXE"
SSH_AGENT*2 == "SPAWN /NOWAIT RUN SYS$SYSTEM:TCPIP$SSH_SSH-AGENT2.EXE"
SSH_KEYGEN*2 == "$SYS$SYSTEM:TCPIP$SSH_SSH-KEYGEN2.EXE"

alp $ SSH_AGENT
%DCL-S-SPAWNED, process SMS_57148 spawned

alp $ ssh_add
Adding identity: /alp$dka0/sms/ssh2/SMS_NPP_ID_DSA_1024_A.pub

alp $ SSH_ADD -l
Listing identities.
The authorization agent has one key:
SMS_NPP_ID_DSA_1024_A: 1024-bit dsa, sms@alp.antinode.org, Thu Jul 24 2003 03:43
:07

What's in your [.SSH2]IDENTIFICATION file?

alp $ type [.SSH2]IDENTIFICATION.
IdKey SMS_NPP_ID_DSA_1024_A

And:

alp $ dire /date /prot /size [.SSH2]SMS_NPP_ID_DSA_1024_A

Directory ALP$DKA0:[SMS.SSH2]

SMS_NPP_ID_DSA_1024_A.;1
2 23-JUL-2003 22:43:30.09 (RWD,RWD,,)
SMS_NPP_ID_DSA_1024_A.PUB;1
2 23-JUL-2003 22:43:30.25 (RWD,RWD,R,R)

Re: ssh_add cannot connect to ssh_agent

Terrence Branscombe — Fri, 09 Mar 2007 00:52:30 GMT

Steve,

Thanks for the suggestions.

The content of my IDENTIFICATION file is correct, and the file protections on my private and public key are identical to yours.

$ type [.ssh2]identification.
IdKey RSA_2048_HPSSH_KEY

$ dir/prot [.ssh2]rsa*;*

Directory DISK$USR:[TBRANSCO.SSH2]

RSA_2048_HPSSH_KEY.;1
(RWD,RWD,,)
RSA_2048_HPSSH_KEY.PUB;1
(RWED,RWED,R,R)

There is also nothing in the output of ANALYZE/AUDIT indicating an access failure, nor anything suspect in OPERATOR.LOG.

Re: ssh_add cannot connect to ssh_agent

Terrence Branscombe — Fri, 09 Mar 2007 01:27:53 GMT

SOLVED, but it's a bit embarrassing.

In an effort to discourage a recent surge in SSH and FTP login bots trying to break into my system I had locked down access to the network by specifying some specific hosts and my subnet here at home. I had neglected to add LOCALHOST to my list, hence SSH_ADD could not access SSH_AGENT. Joy.

$ TCPIP SHOW CONFIGURATION COMMUNICATION/SECURITY

Communication Security Configuration

Allow Log: None
Force Log: None

Security device: Not defined

Access lists
Accept host: LOCALHOST, xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy
Accept netw: 192.168.0.0:255.255.255.0

Re: ssh_add cannot connect to ssh_agent

Steven Schweda — Fri, 09 Mar 2007 01:34:38 GMT

I still don't know anything likely to be
useful, but I see that my SSH_AGENT
subprocess has a couple of BG devices:

alp $ SSH_AGENT
%DCL-S-SPAWNED, process SMS_40842 spawned

alp $ show proc /all SMS_40842
[...]
Devices allocated: BG2319:
BG2320:
[...]

and "show devi /full" on these things shows
"Operations completed" counts which increase
when I say "ssh_add".

Perhaps you could learn something if you run
the agent manually with a "-d "
option:

alp $ show symb SSH_AGENT
SSH_AGENT*2 == "SPAWN /NOWAIT RUN SYS$SYSTEM:TCPIP$SSH_SSH-AGENT2.EXE"

alp $ mcr SYS$SYSTEM:TCPIP$SSH_SSH-AGENT2.EXE -xxx
illegal option -- x
alp$dka0:[sys0.syscommon.][sysexe]tcpip$ssh_ssh-agent2.exe: unknown option 'x'.
Usage: ssh_agent [-d ]

What the "" should be is a
mystery to me, but there should be a
document somewhere which offers some
guidance (hints?).

More rambling guesswork follows.

"tcpip show devi /full BG2320:" suggests that
mine's listening on 127.0.0.1:60593. (Might
be an IP socket on VMS but a UNIX socket on
UNIX?) Anyway, it might be doing a name
look-up on "localhost" or something to get
the "127.0.0.1" address, so if your DNS or
local HOSTS data base lacks that standard
item, that might bewilder someone.

Re: ssh_add cannot connect to ssh_agent

Steven Schweda — Fri, 09 Mar 2007 01:37:02 GMT

Well, I was getting close. If this
#(&$^#&(*$ forum were working properly, I
might have gotten my guess in before it was
complately too late. Grrr.

Re: ssh_add cannot connect to ssh_agent

Terrence Branscombe — Fri, 09 Mar 2007 20:05:08 GMT

Steve,

That was a damn fine guess you made at the end of your post. It would have led to the solution if I hadn't remembered my monkeying around with TCPIP COMM settings.

Much appreciated,

Terry