topic Re: SSH and ACME in Operating System - OpenVMS

SSH and ACME

Edwin Gersbach_2 — Thu, 20 Mar 2008 10:23:34 GMT

I've got the task to analyze the efford required and the impact of a change from UAF authentication to ACME authentication against our AD domain. With about 100 UAF's on clusters and single systems this seems to make sense.

However, I found a Document somewhere in HP saying:
>> SSH 5.5 ECO1 and prior versions do not
>> support external password authentication.

(http://www11.itrc.hp.com/service/cki/docDisplay.do?docLocale=en&docId=emr_na-c00639632-2)

Now, I cannot find any hint that this has changed for the current versions (VMS V8.3, TCP/IP V5.6-9ECO2). I even think to remember having seen a more recent mentioning of this problem in this forum, but I'm not able to locate it.

Does anyone have some more information about this?

Edwin

Re: SSH and ACME

Volker Halle — Thu, 20 Mar 2008 11:23:27 GMT

Edwin,

see this entry from about 2 months ago:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1197550

Converting various TCP/IP Services components (IMAP, POP, PCNFS, XDM, and yes, SSH) to use the $ACM system service for password authentication is on the worklist for a future release

Volker.

Re: SSH and ACME

Art Wiens — Thu, 20 Mar 2008 11:36:52 GMT

Have a look at Process's product:

VMS Authentication Module

http://www.process.com/VMSauth/index.html

From the SPD:

VAM supports the following operating
system versions:
* OpenVMS VAX V7.3
* OpenVMS Alpha V6.2 and higher
* OpenVMS I64 V8.2 and higher

VAM supports the following TCP/IP
stacks and versions:
* MultiNet V4.4 and later
* TCPware V5.6-2 and later
* TCP/IP Services v4.0 (plus ECO v5)
or later

Cheers,
Art

Re: SSH and ACME

Edwin Gersbach_2 — Thu, 20 Mar 2008 12:04:09 GMT

Volker,
Many thanks. That's exactly the entry I was after. Somehow I missed it with whatever keywords I was trying.

Art,
I don't see how this can help me if SSH does not use the right hooks.

Edwin

Re: SSH and ACME

Richard Whalen — Thu, 20 Mar 2008 12:22:56 GMT

The combination of Process Software's SSH for VMS and VMS Authentication Module can be used to do external authentication for SSH.

Re: SSH and ACME

James T Horn — Fri, 21 Mar 2008 11:09:21 GMT

So without a third-party solution, you cannot use AD Authentication?

Re: SSH and ACME

Paul Nunez — Fri, 21 Mar 2008 12:34:25 GMT

Regarding James' question:

So without a third-party solution, you cannot use AD Authentication?

HP offers several solutions:

1. Use Advanced Server for OpenVMS to provide NTLM authentication for ExtAuth users. Using Advanced Server for ExtAuth involves no cost - it's absolutely free. But Advanced Server doesn't run on Itanium systems.

However, if an Itanium system is in a cluster with an Alpha running Advanced Server, the Itanium system can send the ExtAuth requests to the Alpha for processing (the necessary IA64 ACME modules are in sys$library: on the Alpha and the command procedure to load the acme modules on the itanium is in sys$startup: on the Alpha; these need to be copied to the Itanium and then the logical name PWRK$ACME_SERVER needs to be defined on the Itanium to the SCSNODE name of the Alpha(s)). See the release notes for Advanced Server v7.3B for more information.

2. Use LDAP. OpenVMS 8.3 (Alpha and Itanium) and later provide the ability (with the right kits installed ;o), to use LDAP for ExtAuth. Authentication can be directed to an Active Directory server or an HP Enterprise Directory server (and possible any of the Linux LDAP adaptations, though I'm not sure that's officially supported yet). See:

http://h71000.www7.hp.com/openvms/security.html#ldap

3. Use Kerberos. See:
http://h71000.www7.hp.com/doc/83final/BA554_90008/ch02s09.html?jumpid=reg_R1002_USEN

Re: SSH and ACME

Edwin Gersbach_2 — Tue, 25 Mar 2008 05:59:21 GMT

Paul,

As mentioned by Volker, your second 'solution' does not really work - at least not with the heavily used SSH.

Would be intresting to figure out wether SSH would work with the Advanced Server, but I doubt because it is said not to use the right entry points.

Anyway, I will close this thread. For us there is not enough benefit to go for a costly third party solution.

Edwin

Re: SSH and ACME

Edwin Gersbach_2 — Tue, 25 Mar 2008 06:00:43 GMT

As explained above.