topic Re: SSH customizing in Operating System - OpenVMS

SSH customizing

Wim Van den Wyngaert — Wed, 08 Mar 2006 10:43:34 GMT

Page 28 of http://h71000.www7.hp.com/openvms/products/ssh/ssh.pdf

During configuration, the SSHD2_CONFIG. file is copied to TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]. When the connection attempt is made from a remote client, the SSH server reads the file and creates the run-time version of the configuration parameters. If you want a different set of parameters, you must create your own version of the configuration file in your SSH subdirectory.

Is it true that the user can decide to have his own server config ? Also on Unix ?
Can't test it over here.

Wim

Re: SSH customizing

Ian Miller. — Wed, 08 Mar 2006 10:50:25 GMT

SSHD2_CONFIG is the server config file.
SSH2_CONFIG is the client config file.
Users can have their own client config file.

See
http://h71000.www7.hp.com/doc/732final/aa-rvbua-te/00/00/43-con.html

Re: SSH customizing

Wim Van den Wyngaert — Wed, 08 Mar 2006 10:57:46 GMT

IAn,

They are talking here about the SERVER customizing. I tested it on my unborn 7.3 version without success.

Wim

Re: SSH customizing

Steven Schweda — Wed, 08 Mar 2006 11:16:02 GMT

Does the user run the server? Does it make
sense to talk about a user customizing the
server?

I read the "you" and "your" in your quotation
as refering to the system manager, not to a
client/user.

But I'm always open to a good argument.

(Good writing is a rare thing. "You" is a
bit ambiguous here, I'd say.)

Re: SSH customizing

Wim Van den Wyngaert — Wed, 08 Mar 2006 11:23:09 GMT

Steven,

In my opinion, the config file can be modified. You can not "create" your own version.

The user file could however be read for creating the encryption process on behalf of the user.

Any case, I did a test with set watch file and found

1) it works without a config file (simply says failed to read but continues as if everything is allowed but without saying it)

2) it isn't trying to find the config file in the user directory

Of course with the pre version.

Wim

Re: SSH customizing

Steven Schweda — Wed, 08 Mar 2006 17:10:37 GMT

> In my opinion, the config file can be
> modified. You can not "create" your own
> version.

Hey. _I_ didn't write the thing. But
why can't I "create" my own config file? I
may choose to copy a lot of stuff into it
from the old one. And even if I simply edit
the old one, I'll create my own version of
it. ";2", is _my_ version. (Maybe on a
_UNIX_ system, I can't create my own version,
but this is VMS.)

> 2) it isn't trying to find the config file
> in the user directory

It isn't trying to find the _server_ config
file in the user's directory. This does not
amaze me.

Re: SSH customizing

Arch_Muthiah — Wed, 08 Mar 2006 18:58:38 GMT

Wim,

If the StrictHostKeyChecking variable is set to "yes" in the system-wide ssh2_config. file, then all users will be forced to use only this system-wide ssh2_config file only. In this case any user specific config file from [username.ssh2] directory won't be read.

I did not check this, but you can check by setting this StrictHostKeyChecking variable to 'no" to make sure the user created config file is read.

Archunan

Re: SSH customizing

Arch_Muthiah — Wed, 08 Mar 2006 19:08:26 GMT

Wim,

We can create our own config file from TCPIP$TEMPLATES.TLB library and can be modified as per our requirements. These are the commands...

$library/extract=ssh2_config sys$library:tcpip$templates.tlb/out=tcpip$ssh_device:[tcpip$ssh.ssh2]ssh2_config.

$library/extract=sshd2_config sys$library:tcpip$templates.tlb/out=tcpip$ssh_device:[tcpip$ssh.ssh2]sshd2_config.

Archunan

Re: SSH customizing

Wim Van den Wyngaert — Thu, 09 Mar 2006 02:01:11 GMT

Archunan,

Where did you find that info ?

Normally the parameter is used for copying keys yes/no.

Wim

Re: SSH customizing

Wim Van den Wyngaert — Thu, 09 Mar 2006 07:04:35 GMT

I checked a source on the internet. The SSH server opens the default server config file or one passed to it as a parameter on the command line.

This is only possible when modifying the startup script (of HP) or by defining a system logical tcpip$ssh_server_params.

Wim

Re: SSH customizing

Arch_Muthiah — Thu, 09 Mar 2006 12:07:33 GMT

Wim,

Have you had a time to test by setting stricthostkeychecking to "yes" in your server ssh2_config. file.

Sysadmin can use this variable stricthostkeychecking to restrict any user from having their own ssh2_cinfig file.

This variable will be having "no" by default in HP's TCPIP, but Multinet and other's TCPIP product will have stricthostkeychecking variable set to "yes" by default.

So I would suggest you to try changing this variable to "yes", then have your own ssh2_config file in your login dir. Now definetly your own ssh2_config file will be used.

You can copy ssh2_config or you can extract it from sys$library:tcpip$templates.tlb lib.

I tested the extracted ssh2_config file and the system wide TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]ssh2_config. file contents will be exactly same.

You can try this if you have tcpip V5.4.

Archunan

Re: SSH customizing

Arch_Muthiah — Thu, 09 Mar 2006 12:24:57 GMT

Wim,

On my trial configuring SSH, I just tried changing this variable StrictHostKeyChecking on my own as I saw difft value set for this variable in MULTINET version of ssh2_config file.

Just you can try this.

Archunan

Re: SSH customizing

Arch_Muthiah — Thu, 09 Mar 2006 12:32:45 GMT

Wim,
I found this for you....
http://mvb.saic.com/disk$axpdocmar05/network/tcpip55/RELNOTES/tcp_rnpro_003.html

under "3.11.6 SSH Keys" section, it says.... "A system manager can tighten security by setting the StrictHostKeyChecking variable to "yes" in the systemwide SSH2_CONFIG. file, and forcing users to use only the systemwide version of the file"

Archunan

Re: SSH customizing

Wim Van den Wyngaert — Thu, 09 Mar 2006 13:15:26 GMT

A.,

A D is missing in the config file name. They are talking about the client config, not the server.

Wim

Re: SSH customizing

Arch_Muthiah — Thu, 09 Mar 2006 13:55:46 GMT

Wim,

I guess the doc talks about both client and sever config file....
"A system manager can tighten security by setting the StrictHostKeyChecking variable to "yes" in the systemwide SSH2_CONFIG. file, and forcing users to use only the systemwide version of the file" --- here ssh2_config file name is sever config file. Isn't it?.

Please have a trial, it should work.

Archunan

Re: SSH customizing

Ian Miller. — Thu, 09 Mar 2006 17:14:44 GMT

Archunan RE "StrictHostKeyChecking Yes" - disallows users from changing the configuration of the ssh client not server.

Re: SSH customizing

Wim Van den Wyngaert — Thu, 16 Mar 2006 02:10:12 GMT

Archunan,

1) The user config file isn't read. Putting the value of strict... to yes will tighten it but it isn't read so tightening is not possible.
2) The strict... is a client parameter, not a server.
3) The source are not containing any code for it

Wim

Re: SSH customizing

Wim Van den Wyngaert — Thu, 16 Mar 2006 02:18:55 GMT

Ian,

The stricthostkeychecking only indicates how public keys should be copied. It seems that 5.5 has special coding to use the system wide value of the parameter (not my baby on 5.3).

I think the only safe solution is to give the user his own copy of the config file and to disable modifications of it via protections. This way he can not change the values himself.

Wim

Re: SSH customizing

Arch_Muthiah — Thu, 16 Mar 2006 16:54:14 GMT

Wim/Ian,

Yes I agree, SSH2 and StrictH... is a client side. I wrongly typed SSH2 is severside config file, even after Ian infomed that SSh2 is client and SSHD2 is server.

But by setting Strict...to â yesâ in ssh2_config and force the users to use only this file, the private key file: HOSTKEY
and HOSTKEY.PUB can be created.

if the SSH client and server detect systemwide configuration files from an older version of SSH, the client and server will fail to start.

Also if the SSH client detects a user-creaed config file from an older version of SSH, the client will display the warning and will allow the user to proceed.

Incase if we want to preserve SSH2 or SSHD config files changes.....

we can create our own SSH2 and SSHD config file using the template provided by the new SSH from SYS$LIBRARY:TCPIP$TEMPLATES.TLB in TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2] dire.

Archunan