topic ssh from unix to vms without passwords in Operating System - OpenVMS

ssh from unix to vms without passwords

Nancy J. Wick — Thu, 23 Oct 2008 22:07:59 GMT

Trying to figure out how to correctly configure the ssh keys to allow ssh from a unix system (specifically Solaris 10) to VMS. We've figured out and have working correctly ssh,sftp,scp from the VMS system to the Solaris box. Can't seem to get all of the nuances to allow the ssh,sftp,scp from the solaris box to the vms box. We're running TCP/IP services 5.4 ECO 5 on the OpenVMS system. I've setup the AUTHORIZATION file and the IDENTIFICATION file and copied the public key from the Solaris system to the VMS system (per the tcpip services gude for openVMS). I set the protection and file attribute per the documentation. The puble key is setup in the authorization file and the private key on the VMS is in the identificaiton file. Know I'm missing something but we haven't been able to determine what's not correct.

Re: ssh from unix to vms without passwords

Thomas Ritter — Thu, 23 Oct 2008 22:38:20 GMT

Nancy, VMS uses IEFT SECSH (Tectia) format keys and the others use OpenSSH format. On Solaris they can be converted using ssh-keygen.

Convert the keys on Solaris. Using your private key convert to a new public key. Something like

$ ssh-keygen -e -f private key .file > vms publick .key.file

where

-e Extract/convert from OpenSSH private key file to SECSH publick key format

On the VMS side load into the correct directory and test.

Re: ssh from unix to vms without passwords

Steven Schweda — Thu, 23 Oct 2008 22:44:47 GMT

"ssh -v [...]" will often provide some hinta
as to what's wrong.

> [...] copied the public key from the
> Solaris system to the VMS system [...]

With the correct format, or the format which
Solaris SSH software likes? They differ.

I made my keys on VMS (SSH2 format), and used
"ssh-keygen -X" ("-i" on newer versions) to
convert them to the OpenSSH format favored by
the Solaris software. I'm not sure if its
as easy to go the other way using the Solaris
ssh-keygen program. Alternatively, make some
keys on the VMS system, study the format, and
convert the Solaris-friendly keys manually.

Being able to see "ssh -v [...]" output
and/or key file data (even mutilated) might
be helpful. A Forum search might also find
several past similar discussions.

Re: ssh from unix to vms without passwords

Steven Schweda — Thu, 23 Oct 2008 23:26:28 GMT

> The puble key is setup in the authorization
> file and the private key on the VMS is in
> the identificaiton file.

Too vague. On Solaris, ~/.ssh/identity (or
id_dsa, ...) and ~/.ssh/authorized_keys
contain actual key data. On VMS,
[.SSH2]IDENTIFICATION. and
[.SSH2]AUTHORIZATION. contain keywords and
file names, and those _files_ contain the key
data. For example:

alp $ type [.SSH2]AUTHORIZATION.
KEY SMS_ID_DSA_1024_A.PUB
KEY SMS_NPP_ID_DSA_1024_A.PUB

alp $ type [.SSH2]IDENTIFICATION.
IdKey SMS_NPP_ID_DSA_1024_A

alp $ type [.SSH2]SMS_NPP_ID_DSA_1024_A.PUB
---- BEGIN SSH2 PUBLIC KEY ----
Subject: sms
Comment: "1024-bit dsa, sms@alp.antinode.org, Fri Jun 27 2003 03:57:52"
AAA[...]
[...]
[...]8WQ=
---- END SSH2 PUBLIC KEY ----

alp $ type [.SSH2]SMS_NPP_ID_DSA_1024_A.
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Subject: sms
Comment: "1024-bit dsa, sms@alp.antinode.org, Thu Jul 24 2003 03:43:07"
P2/[...]
[...]
[...]dOw==
---- END SSH2 ENCRYPTED PRIVATE KEY ----

Re: ssh from unix to vms without passwords

Thomas Ritter — Thu, 23 Oct 2008 23:31:29 GMT

On our systems running Multinet's SSH, the authorize account needs to have the "/remote" and "/network" attributes enabled to function correctly. Finding this out the hard way can take some time.

Re: ssh from unix to vms without passwords

Kevin Carter_3 — Mon, 27 Oct 2008 15:24:16 GMT

Nancy,

I found editing the ssh server config file on VMS (SSHD2_CONFIG.;) and setting "VerboseMode yes" helpful in determining where the connection from UNIX is failing.

KC

Re: ssh from unix to vms without passwords

Terje Bjerkseth — Wed, 29 Oct 2008 13:38:32 GMT

I've just setup publickey access from Mac OS X 10.5.5 to OpenVMS I64 8.3-1H1. Note that I had both publickey and password authentication enabled on VMS, so that I could transfer the keys using SSH and password auth.

On Mac:
cd
ssh-keygen
cd .ssh
ssh-keygen -e -f id_rsa > EXAMPLE.PUB
cat > AUTHORIZATION << EOF
KEY EXAMPLE.PUB
EOF
sftp user@vms
mkdir SSH2
cd SSH2
put AUTHORIZATION
put EXAMPLE.PUB

After this ssh/sftp immediately worked using publickey (was prompted for passphrase, not password).

Then I also did the following:
ssh user@vms
(passphrase, no password :)
set default [.SSH2]
set security/prot=(g,w) AUTHORIZATION.
set security/prot=(g:re,w:r) EXAMPLE.PUB
and logged out and back in.

So for Unix to VMS, the naming of the key file doesn't seem to be important - and we should use default RSA, not DSA here.

Re: ssh from unix to vms without passwords

Steven Schweda — Wed, 29 Oct 2008 14:24:12 GMT

> and we should use default RSA, not DSA here.

Why?

Re: ssh from unix to vms without passwords

Terje Bjerkseth — Wed, 29 Oct 2008 16:56:13 GMT

>> and we should use default RSA, not DSA here.
> Why?

What I meant was just "this example uses RSA, not DSA".

I don't know the practical difference between them. Noticed that ssh_keygen on VMS uses DSA by default, while OpenSSH uses RSA by default. And I used OpenSSH. If you have any specific recommendations either way, please share.

Re: ssh from unix to vms without passwords

Hoff — Wed, 29 Oct 2008 17:14:52 GMT

AFAIK, there are no specific reasons to choose either RSA or DSA, outside of cases where a particular implementation requires one or the other.

There are the usual arguments around speed and security and which one is preferred by the government and such, but the distinctions (still) tend to be negligible in the current reality.

Like the recent reports of GPU-accellerated WPA PSK WiFi attacks, pick a good pass phrase and a reasonably long bit length and you should be good to go.

But best to watch for attacks, both against your servers and generic attacks against the underlying algorithms.