topic Re: Reconfigure SSH client to be SSH-2.0 in Operating System - OpenVMS

Reconfigure SSH client to be SSH-2.0

Incompat — Tue, 29 Jun 2010 00:34:59 GMT

By default, the SSH client in OpenVMS states that it wants to use SSH 1.99 by sending the following PVE identifier:
SSH-1.99-3.2.0 SSH OpenVMS V5.5 VMS_sftp_version 3
How do I change this to be SSH2-only? It should read:
SSH-2.0-3.2.0 SSH OpenVMS V5.5 VMS_sftp_version 3

I read the SSH documentation at:
http://www.openvms.compaq.com/doc/tcpip57.html
I suspect this can be controlled in the file device:[user.SSH2]SSH2_CONFIG. I set "Ssh1AgentCompatibility ssh2" but it did not affect the PVE string.

Where and how is this controlled?

Thanks!

Re: Reconfigure SSH client to be SSH-2.0

Steven Schweda — Tue, 29 Jun 2010 01:23:34 GMT

> [...] the SSH client in OpenVMS [...]

Which "the SSH client in OpenVMS" (in which
"OpenVMS") are we discussing?

tcpip show version
ssh "-V"

> [...] states that [...]

And you observed this how, exactly?

I know nothing, but around here, I don't see
much evidence that the client is stating much
of anything. I do see a message suggesting
something about the server:

alp $ ssh -vvv alp-l
[...]debug(28-JUN-2010 21:08:07.89): Remote version: SSH-2.0-3.2.0 SSH OpenVMS V5.5 VMS_sftp_version 3
[...]

There does seem to be a protocol-version
override directive of some kind in the server
configuration file ("ProtocolVersionString",
in (the comments in)
TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSHD2_CONFIG.).

Re: Reconfigure SSH client to be SSH-2.0

Hoff — Tue, 29 Jun 2010 01:57:10 GMT

Guessing rather much here around the goals and the configuration, and I'll presume that you know that per RFC 4253, the version identifier string SSH-1.99 specifically indicates the server has ssh2 capabilities and that it is (also) offering ssh1 client compatibility, and I'll further assume that the goal here is to enforce ssh2 use on one or both ends.

If you're after the server as it might appear, then you'll want the daemon configuration file and not the client file.

Confirm that you've correctly upgraded your sshd files on the server; there are manual steps required including loading and potentially editing a new configuration file over the top.

Check the TCP/IP Services release notes for details.

In the sshd2_config file, look for Ssh1Compatibility; that's the knob you likely want. The client configuration file has an analogous Ssh1Compatibility switch.

With fully-configured and updated TCP/IP Services on V8.3 (checked V5.6-9ECO4), you'll get the following ssh server response to a telnet connection into port 22:

SSH-2.0-3.2.0 SSH OpenVMS V5.5 VMS_sftp_version 3

Which is what you want. This with Ssh1Compatibility set to no. (Note that I have V5.6 installed, but the embedded version string here shows as V5.5. Go figure.)

And if you're not on this TCP/IP and VMS version (or later), well, upgrade, or apply the patches, or both.

I don't know that HP particularly documents the details of the ssh implementation; it can seem a snipe hunt at times.

Re: Reconfigure SSH client to be SSH-2.0

Incompat — Tue, 29 Jun 2010 02:58:39 GMT

$ tcpip show version

HP TCP/IP Services for OpenVMS Industry Standard 64 Version V5.6 - ECO 5
on an HP rx2620 (1.60GHz/3.0MB) running OpenVMS V8.3

The problem I have having is not with sshd, but with the ssh client sending version 1.99.

I talked with HP Support and they may have found the answer. Tomorrow, I will try solution 4.21.47 in this document:
http://h71000.www7.hp.com/doc/84final/tcprn/tcp_rnpro_008.html

Which is basically to set:
define/system/exec TCPIP$SSH_AIX_PATCH 1

Re: Reconfigure SSH client to be SSH-2.0

Incompat — Tue, 29 Jun 2010 17:31:23 GMT

Setting this logical solved the problem. Now my network capture shows SSH-2.0:

0000 00 0c 29 45 6b f7 00 0d 28 bf 84 ff 08 00 45 00 ..)Ek... (.....E.
0010 00 5b 44 e9 40 00 7c 06 f3 0c ac 11 03 02 0a fe .[D.@.|. ........
0020 0c 96 c0 21 2e fb 7a 98 dd 22 f0 17 d1 ff 50 18 ...!..z. ."....P.
0030 f5 3c 37 dc 00 00 53 53 48 2d 32 2e 30 2d 33 2e .<7...SS H-2.0-3.
0040 32 2e 30 20 53 53 48 20 4f 70 65 6e 56 4d 53 20 2.0 SSH OpenVMS
0050 56 35 2e 35 20 56 4d 53 5f 73 66 74 70 5f 76 65 V5.5 VMS _sftp_ve
0060 72 73 69 6f 6e 20 33 0d 0a rsion 3. .

Re: Reconfigure SSH client to be SSH-2.0

Incompat — Tue, 29 Jun 2010 17:35:01 GMT

Setting:
define/system/exec TCPIP$SSH_AIX_PATCH 1
changed the client protocol PVE version string to:
SSH-2.0-3.2.0 SSH OpenVMS V5.5 VMS_sftp_version 3\r