topic Re: SSH_KEYGEN in Operating System - OpenVMS

SSH_KEYGEN

Heinz W Genhart — Fri, 16 Mar 2007 05:29:09 GMT

Hi Community

we are using public key authentication on OpenVMS.
Now we have a request from one of our users who wants to change the passphrase of his key.

I did the following:

I enter the command ssh_kegen -e private_key

ssh_keygen asks for the passphrase but after this I get the error message
"You have no controlling tty. Cannot read confirmation. Key unedited and unsaved."

Does somebody know what is the problem with ssh_kegen -e

Regards

Heinz

Re: SSH_KEYGEN

Steven Schweda — Fri, 16 Mar 2007 09:02:52 GMT

I can't find a document, but wasn't this a
known restriction (that is, "problem") at one
time?

Note that on my system, "ssh_keygen -h" does
not list "-e".

alp $ ssh_keygen -"V"
alp$dka0:[sys0.syscommon.][sysexe]tcpip$ssh_ssh-keygen2.exe version 3.2.0, compiled Jul 27 2006.

alp $ tcpip show vers

HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2

Knowing nothing (except where this stuff was
developed first), I'd assume that it's trying
to talk directly to "/dev/tty" or something
like that, and the C RTL can't so the right
thing. Note that
search sys$system:tcpip$ssh_ssh-keygen2.exe "/dev/tty"
_does_ find something, which is not a good
sign.

Re: SSH_KEYGEN

Heinz W Genhart — Fri, 16 Mar 2007 09:15:25 GMT

Hi Steven

not list "-e">

Try ssh_keygen -? instead of ssh_keygen -h

Regards

Heinz

Re: SSH_KEYGEN

Steven Schweda — Fri, 16 Mar 2007 09:17:52 GMT

SYS$COMMON:[SYSHLP]TCPIP54ECO06.RELEASE_NOTES:

[...]
o Do not use the SSH_KEYGEN -e option (used to edit the
comment or passphrase of the key). This option does not
work.
[...]

I assume that you're supposed to do it on a
Tru64 system, instead. (Perhaps using SSH?)

Re: SSH_KEYGEN

Steven Schweda — Fri, 16 Mar 2007 09:20:42 GMT

alp $ ssh_keygen -? !! As if it would matter.
Usage: ssh_keygen [options] [key1 key2 ...]

Where `options' are:
-b nnn Specify key strength in bits (e.g. 1024)
-t dsa | rsa Choose the key type.
-c comment Provide the comment.
-p passphrase Provide passphrase.
-P Assume empty passphrase.
-?
-h Print this help text.
-q Suppress the progress indicator.
-i file Load and display information on `file'.
-B number The number base for displaying key information (default 10).
-V Print version number of tcpip$ssh_ssh-keygen2.exe image.
-r file Stir data from file to random pool.
-F file Dump fingerprint of file.

And which version are _you_ using?

Re: SSH_KEYGEN

EdgarZamora — Fri, 16 Mar 2007 09:26:22 GMT

They must've removed the -e from the documentation of later versions.

CLCC> ssh_keygen -h
Usage: ssh_keygen [options] [key1 key2 ...]

Where `options' are:
-b nnn Specify key strength in bits (e.g. 1024)
-t dsa | rsa Choose the key type.
-c comment Provide the comment.
-e file Edit the comment/passphrase of the key.
-p passphrase Provide passphrase.
-P Assume empty passphrase.
-?
-h Print this help text.
-q Suppress the progress indicator.
-1 Convert a SSH 1.x key.
-i file Load and display information on `file'.
-D file Derive the private key given in 'file' to public key.
-B number The number base for displaying key information (default 10).
-V Print version number of tcpip$ssh_ssh-keygen2.exe image.
-r file Stir data from file to random pool.
-F file Dump fingerprint of file.

CLCC> ssh "-V"
$1$dga100:[sys0.syscommon.][sysexe]tcpip$ssh_ssh2.exe: SSH Secure Shell OpenVMS
(V1.0) 2.4.1 on AlphaServer DS25 - VMS V7.3-2

CLCC> tcpip sho ver

HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 4
on a AlphaServer DS25 running OpenVMS V7.3-2

CLCC>

Re: SSH_KEYGEN

Steven Schweda — Fri, 16 Mar 2007 09:26:51 GMT

It fails faster on an IA64 system:

td183 $ ssh_keygen -b 1024 -t dsa -p fred fred
Generating 1024-bit dsa key pair
5 oOo.oOo.oOoo
Key generated.
1024-bit dsa, antinode@td183.testdrive.hp.com, Fri Mar 16 2007 14:24:10
Private key saved to fred
Public key saved to fred.pub

td183 $ ssh_keygen -e fred
Do you want to edit key "1024-bit dsa, antinode@td183.testdrive.hp.com, Fri Mar
16 2007 14:24:10" You have no controlling tty. Cannot read confirmation.
Key unedited and unsaved.

td183 $ ssh_keygen "-V"
$8$dka100:[sys0.syscommon.][sysexe]tcpip$ssh_ssh-keygen2.exe version 3.2.0, comp
iled Jun 22 2006.

td183 $ tcpip show vers

HP TCP/IP Services for OpenVMS Industry Standard 64 Version V5.6
on an HP rx2600 (1.40GHz/1.5MB) running OpenVMS V8.3

Re: SSH_KEYGEN

Steven Schweda — Fri, 16 Mar 2007 09:33:35 GMT

> They must've removed the -e from the
> documentation of later versions.

Obviously easier than fixing the problem.

My detailed guess: The program needs to
switch off "echo" while the user types his
new passphrase, and while this has been done
in any number of other VMS programs, the
effort of doing it in this one was deemed to
be too great.

One might be tempted to complain about
someone being too lazy even to steal existing
code from somewhere, but it may have been a
management decision, so I'll refrain.

Re: SSH_KEYGEN

Jon Pinkley — Fri, 16 Mar 2007 12:27:01 GMT

Steven,

Will the thought police approve of your last comment? :-)

(zero points for this)

Re: SSH_KEYGEN

Uwe Zessin — Fri, 16 Mar 2007 12:32:46 GMT

He He...
Maybe the "UCX attitude" is back:

You want BIND? Run a Unix system!

Re: SSH_KEYGEN

Jan van den Ende — Fri, 16 Mar 2007 13:36:07 GMT

Geni,

re Jon Pinkley
>>>
(zero points for this)
>>>
I object! This remark is worth at least 5 points! (and certainly at friday night with a good Triple in front of me!)

Proost.

Have one on me.

jpe

Re: SSH_KEYGEN

Steven Schweda — Fri, 16 Mar 2007 15:36:46 GMT

At the risk of posting a personal rant, I'll
admit that it crossed my mind that I may have
crossed one or more of these lines:

1. You had requested the removal of your message.
2. The message was a duplicate posting.
3. The message contained advertising of goods or services.
4. The question was off-topic and did not align with the charter of the HP Support Forums.
5. Language, personal rants, or material deemed abusive, defamatory or obscene.
6. The posting contained private information on other users and/or HP employees.
7. Other reasons deemed necessary by the HP Support Forums staff.

(Read this quickly, before it goes into the
memory hole.)

Re: SSH_KEYGEN

Andreas Vollmer — Sat, 17 Mar 2007 06:47:21 GMT

Hi Geni,

Hello everybody ;-)

You all have good point of view!
This forums reflect partly the requirements of us customers and it helps both, the customer and the supplier (HP) about our problems, our needs and even our ideas.

I have no objections to the remarks from Steven. There are management decisions that are quite often hard to understand and to support. We are all human beings, at least I thing we are ;))
Only critics, but constructive one, brings us all, HP and us customer & the management forward to success!
I am a proud user of OpenVMS and have the privilege to be in contact with you as colleagues and community users and know a couple of OpenVMS engineers.
We all are working for the success for our companies as well for the surviving of OpenVMS.
OpenVMS engineering's needs critics and input in order to know the needs of the business.
Often, unfortunately, there is a huge gap between the requirements of the business and us as OpenVMS System Manager or IT Manager.

So, use Geni's input and consider it as an important implementation input.
Many IT 'shops' using nowadays OpenSSL instead of OpenVMS -unfortunately- old fashion SSH implementation. Yes, this is historically, the OpenSSL was at the time of decision not fully accepted...
But maybe, within the next releases of TCP/IP Services giving the customer the choice during installation to switch over to OpenSSL or stay the older standard of SSL.
All these small, but important differences, makes it difficult to integrate OpenVMS in the heterogeneous IT environment with LINUX, MS, HP-UX, AIX etc.
Security concerns are important. Using a centralised security key authority such as PKI would easy to implement with OpenSSL.

Yes, I probably mixed up several things, and it is not really a solution for Geni but I hope my input will be positively registered at HP's engineering.
Because with OpenSSL we might not use to develop special procedures how to distribute keys between UNIX and VMS etc. because we can use well established standards of LINUX / UNIX
THIS is what we and the management would like to have. This is very often the reason the of the management when they go for LINUX because OpenVMS is proprietary. The customer should have the choice - to stay with the existing and use Open... on OpenVMS - ;-))
Please treat this a constructive input, wish, for the HP engineering and even management. -- Thanks!

I wish you all a wonderful weekend.
Andreas

Thanks Geni for your patience!

Re: SSH_KEYGEN

Heinz W Genhart — Mon, 19 Mar 2007 08:47:08 GMT

O.k.

SSH_KEYGEN -e does not work on OpenVMS.

With SSH_KEYGEN -h (or -?) the -e option is displayed on OpenVMS 7.3-2 and 8.2 but is removed in OpenVMS 8.3!

So, the solution for my problem is to find another solution than to change a passphrase within a key.

I think the SSH implementation on OpenVMS does not make us happy. Most other operating systems are using OpenSSH. That time when HP started developping SSH for OpenVMS, the code base was licensed from SSH Communications, the premier developer and standards advocate for SSH during its first few years.
I think that this was not a very happy decision. In a multi plattform environment as we are using here (OpenVMS, Sun Solaris, Red hat Linux, Suse Linux, Tru64, MS (sorry for the swear-word) we run very often into problems, not at least because we have to convert Keys. OpenSSH and SSH2 Keys are not compatible an needs to be converted.
Even our Tru64 guys replaced the SSH2 implementation with a OpenSSH implementation. I think, that would be the right way, also for OpenVMS.

Regards

Geni