Operating System - OpenVMS

Connecting an OpenVMS to a LINUX machine

SOLVED
almanzam
Occasional Advisor

Connecting an OpenVMS to a LINUX machine

Greetings.

I have been trying to connect unsuccessfully to a Linux machine from a Linux machine in order to drop files via secure FTP. The command "sftp -V" shows "Sftp2/SFTP2.C:3880: CRTL version (SYS$SHARE:DECC$SHARE ident) is: V7.3-2-02" on the VMS side. The SSH-KEYGEN program outputs the following version: "ssh-keygen -h
$1$dga1:[sys0.syscommon.][sysexe]tcpip$ssh_ssh2.exe: SSH Secure Shell OpenVMS (V5.5) 3.2.0 on AlphaServer ES45 Model 2B - VMS V7.3-2"

The purpose for this is to copy files from the OpenVMS to the Linux machine via a batch file without supplying a password, a process which already can happen with Linux-to-Linux.

I have done the following:
1. Created the client (VMS) key with no password, 1024-bit encryption, the command
"ssh_keygen -P -b 1024 key_for_remote_host"

The files the generator created (*.pub;1 and *.;1 files) contain both Subject and Comments as part of the public key, something which I am not familiar with. With Linux keys, there are no comments and/or subjects, just the encryption.

How do I add that key into the .ssh/authorized_keys file of the remote LINUX system?

I have read plenty of VMS to VMS instructions, and have done that successfully, but VMS to Linux is puzzling me. Please help.
15 REPLIES
Steven Schweda
Honored Contributor

Re: Connecting an OpenVMS to a LINUX machine

If Linux is like Solaris, you could copy the
key files to the Linux system, and use
"ssh-keygen -X" to convert them to the
OpenSSH format(s).

For a few more details, try searching this
forum for "ssh-keygen".

If you can figure out the format differences,
you can convert the files using a text
editor, but using the program is easier.
almanzam
Occasional Advisor

Re: Connecting an OpenVMS to a LINUX machine

Thanks Steven. I tried looking at my Linux machine's keygen program and it doesn't have the flag you suggested. The only flags for conversion are -e (Convert OpenSSH to IETF SECSH key file) and -i (Convert IETF SECSH to OpenSSH key file). Either way, when I run the flag -e, I output to a file which doesn't seem like the natural KEY files that I get from a Linux Key-Generator (there's no host at the end of the key, which does exist on DSA keys I create on Linux). I add this output file to the .ssh/authorized_keys file of the Linux machine, and still can't connect without supplying the password from the VMS machine using the following:

ssh -o IdentityFile=keyforremotehost.pub user@remotehost

Any other suggestions? The goal here, again, is to NOT have to enter a password on the local VMS machine and transfer files via SFTP.
Richard Whalen
Honored Contributor

Re: Connecting an OpenVMS to a LINUX machine

You probably want to do -i on the Linux system because VMS uses IETF SECSH format keys and I suspect that Linux uses OpenSSH format keys.
Steven Schweda
Honored Contributor

Re: Connecting an OpenVMS to a LINUX machine

As of SunOS 5.10:

sol> man ssh-keygen
[...]
-X Obsolete. Replaced by the -i option.
[...]
-i This option reads an unencrypted
private (or public) key file in
SSH2-compatible format and prints an
OpenSSH compatible private (or
public) key to stdout. ssh-keygen also
reads the "SECSH" Public Key File
Format. This option allows
importing keys from several other SSH
implementations.


I gather that "-i" is the thing to do
nowadays instead of "-X".
almanzam
Occasional Advisor

Re: Connecting an OpenVMS to a LINUX machine

I used the -i option and that didn't work.
almanzam
Occasional Advisor

Re: Connecting an OpenVMS to a LINUX machine

Here is the resulting .ssh/authorized_keys file:

ssh-dss AAAAB3NzaC1kc3MAAACBAL*** KEY CONTENTS HERE***hcjPYQK/T9E1ytg== user_example@client_machine
ssh-dss AAAAB3NzaC1kc3MAAACB*** KEY CONTENTS HERE***oSXDR/c=

Note that the first entry for "client_machine" contains the user_example and client_machine identification, while the second entry, which is from the VMS-generated key, does not contain the user and machine identification for authorization.

I must note that the remote host is a RedHat Enterprise Linux 4 machine.
Steven Schweda
Honored Contributor

Re: Connecting an OpenVMS to a LINUX machine

> I used the -i option and that didn't work.

As usual, it might help to see exactly what
you did, and what happened when you did it.
"Didn't work" is not very informative.

It (ssh-keygen -X/-i) seems to work properly
on Solaris. Have you tried using an editor
to add the missing item to the new line
("user_example@client_machine")?

As I said, using a text editor is one way to
do the conversion. On Solaris (and, I
assume, on Linux or any other OpenSSH
system), the ".ssh/authorized_keys" file
seems to contain one line per key, with the
key type, the key data, and the user id, as
you've shown, while the format used on VMS
has different fields and multiple, shorter
lines. With an example of each type to look
at, it's pretty easy to see how to convert
one to the other. (Well, _I_ could do it, so
I thought that it must be pretty easy.)
almanzam
Occasional Advisor

Re: Connecting an OpenVMS to a LINUX machine

>As usual, it might help to see exactly what
>you did, and what happened when you did it.
>"Didn't work" is not very informative.
Sorry. I meant "Same results." I realized what you said after I typed it and couldn't change it.

>It (ssh-keygen -X/-i) seems to work properly
>on Solaris. Have you tried using an editor
>to add the missing item to the new line
>("user_example@client_machine")?
Yes, I tried that. No avail. The results are the same. It keeps asking me for a password.

>With an example of each type to look
>at, it's pretty easy to see how to convert
>one to the other. (Well, _I_ could do it, so
>I thought that it must be pretty easy.)
Here's the VMS public key file keyfromclient.pub:
---- BEGIN SSH2 PUBLIC KEY ----
Subject: user
Comment: "1024-bit dsa, user@clientmachine.edu, Thu Jul 27 2006 1\
4:19:56"
AAAAB3NzaC1kc3MAAACBAOsVrMJAbjYavRf6wjLC89Q6jOmQ6SHYXjompqzxQe75BebSfj
*more lines like above and below here*
HQW92OSlW9yY4DBl0XUDQVUUjOnAOUgqETNkUFvAQ7B7uChJnnSrcMNFzZSFZqSIhNSpyP3n9FQL0t9NmZj+1QDQ==
---- END SSH2 PUBLIC KEY ----

Here is my command on the LINUX side to convert the file to append to the .ssh/authorized_keys file (asks for keyfromclient.pub and outputs to convertedkeyfromclientmachine.pub):
ssh-keygen -i > convertedkeyfromclientmachine.pub


Here is the authorized_keys file on LINUX again:

ssh-dss AAAAB3NzaC1kc3MAAACBALenI1l1TVZphhoM93CNOfBXd7A+9Hwe8YRSgNIig**CODEANDSTUFF*M9d4a8iEPFzH4fG/7bCjkIB5PJn3yhcjPYQK/T9E1ytg== user@a.linux.machine.that.works
ssh-dss AAAAB3NzaC1kc3MAAACBAJCYMlc8shQrwtKLr3CUhDtnZFemV8icf6Nh1ZG0MTUpjKmimkwe*****CODEANDSTUFFHERE******XDR/c7a4fbPNPPb/HQhBjzb0SrnG9lVM4FDAh30VWJEqP2wHcQumJKbS8Z5Mg== user@clientmachine.edu

I added the user@clientmachine.edu above manually even after the concatenation of the converted file didn't add it. Again, it is still asking for a password on the VMS side:

VMS_PROMPT> ssh -o IdentityFile=keyfromclient.;1 user@remotehost.edu
user's password: cursor movement capability, using vt100
Authentication successful.
Last login: Fri Jul 28 07:42:58 2006 from 1**.**.32.***

The "cursor movement capability" is left over STDOUT message from OPENVMS... it's not the password. I had to type in the password on the SSH command to get in.
Steven Schweda
Honored Contributor

Re: Connecting an OpenVMS to a LINUX machine

At this point, output from "ssh -v" may be
helpful. For some examples, you might look
at:

http://forums1.itrc.hp.com/service/forums/bizsupport/questionanswer.do?threadId=1012120

but that may be going in the other direction.
almanzam
Occasional Advisor

Re: Connecting an OpenVMS to a LINUX machine

VMS> ssh -v
debug: Ssh2/SSH2.C:1847: CRTL version (SYS$SHARE:DECC$SHR.EXE ident) is V7.3-2-02
debug: SshAppCommon/SSHAPPCOMMON.C:307: Allocating global SshRegex context.
debug: SshConfig/SSHCONFIG.C:3285: Metaconfig parsing stopped at line 3.
debug: SshConfig/SSHCONFIG.C:842: Setting variable 'VerboseMode' to 'FALSE'.
debug: SshConfig/SSHCONFIG.C:3193: Unable to open ssh2/ssh2_config
Type $1$dga1:[sys0.syscommon.][sysexe]tcpip$ssh_ssh2.exe -h for help.
Steven Schweda
Honored Contributor

Re: Connecting an OpenVMS to a LINUX machine

Sorry. I meant something like:

ssh -v linux_system
almanzam
Occasional Advisor

Re: Connecting an OpenVMS to a LINUX machine

Gotcha:

PPRD> ssh -v remotesystem_example.edu
debug: Ssh2/SSH2.C:1847: CRTL version (SYS$SHARE:DECC$SHR.EXE ident) is V7.3-2-02
debug: SshAppCommon/SSHAPPCOMMON.C:307: Allocating global SshRegex context.
debug: SshConfig/SSHCONFIG.C:3285: Metaconfig parsing stopped at line 3.
debug: SshConfig/SSHCONFIG.C:842: Setting variable 'VerboseMode' to 'FALSE'.
debug: SshConfig/SSHCONFIG.C:3193: Unable to open ssh2/ssh2_config
debug: Connecting to remotesystem_example.edu, port 22... (SOCKS not used)
debug: Ssh2/SSH2.C:2813: Entering event loop.
debug: Ssh2Client/SSHCLIENT.C:1607: Creating transport protocol.
debug: SshAuthMethodClient/SSHAUTHMETHODC.C:99: Added "hostbased" to usable methods.
debug: SshAuthMethodClient/SSHAUTHMETHODC.C:99: Added "publickey" to usable methods.
debug: SshAuthMethodClient/SSHAUTHMETHODC.C:99: Added "password" to usable methods.
debug: Ssh2Client/SSHCLIENT.C:1648: Creating userauth protocol.
debug: client supports 3 auth methods: 'hostbased,publickey,password'
debug: SshUnixTcp/SSHUNIXTCP.C:1356: using local hostname clientmachine.edu
debug: Ssh2Common/SSHCOMMON.C:545: local ip = xxx.xxx.xxx.75, local port = 52028
debug: Ssh2Common/SSHCOMMON.C:547: remote ip = xxx.xxx.xxx.15, remote port = 22
debug: SshConnection/SSHCONN.C:2277: Wrapping...
debug: SshReadLine/SSHREADLINE.C:3651: Initializing ReadLine...
warning: Need basic cursor movement capability, using vt100
debug: Remote version: SSH-2.0-OpenSSH_3.9p1
debug: OpenSSH: Major: 3 Minor: 9 Revision: 0
debug: Ssh2Transport/TRCOMMON.C:1717: All versions of OpenSSH handle kex guesses incorrectly.
debug: Ssh2Transport/TRCOMMON.C:2157: lang s to c: `', lang c to s: `'
debug: Ssh2Transport/TRCOMMON.C:2222: c_to_s: cipher aes128-cbc, mac hmac-sha1, compression none
debug: Ssh2Transport/TRCOMMON.C:2225: s_to_c: cipher aes128-cbc, mac hmac-sha1, compression none
debug: Remote host key found from database.
debug: Ssh2Common/SSHCOMMON.C:346: Received SSH_CROSS_STARTUP packet from connection protocol.
debug: Ssh2Common/SSHCOMMON.C:396: Received SSH_CROSS_ALGORITHMS packet from connection protocol.
debug: server offers auth methods 'publickey,gssapi-with-mic,password'.
debug: SshConfig/SSHCONFIG.C:3193: Unable to open ssh2/identification
debug: Ssh2AuthClient/SSHAUTHC.C:373: Method 'publickey' disabled.
debug: server offers auth methods 'publickey,gssapi-with-mic,password'.
csc_miguel's password: ient/AUTHC-PASSWD.C:249: Starting password query...
Richard Whalen
Honored Contributor
Solution

Re: Connecting an OpenVMS to a LINUX machine

Part of the problem is shown in the following two lines from the debug:
debug: SshConfig/SSHCONFIG.C:3193: Unable to open ssh2/identification
debug: Ssh2AuthClient/SSHAUTHC.C:373: Method 'publickey' disabled.

The SSH2 client tries to open SYS$LOGIN:[.SSH2]IDENTIFICATION. to read the list of private keys to work with when doing public key authentication. I would guess that the file is not present. Create this file with the following contents:
idkey public_key_file_name.

The public key files should also be in the SYS$LOGIN:[.SSH2] directory.
Jan van den Ende
Honored Contributor

Re: Connecting an OpenVMS to a LINUX machine

Almanzam.

-- I am just having some ugly memories and extrapolation from there.

I have no experience whatsoever with this implementation of SSH, but the answer by Richard did make some rambling.

Are you maybe trying this from the SYSTEM account? That would be an explanation:

The SYS$LOGIN for the SYSTEM account is SYS$MANAGER, which expands into a search list.
U*X systems, and a lot of software that has been ported too thoughtlessly from them, are totally unaware of the concept. Should they use the VMS parsing mechanism, that would be totally all right, but most of that s**t is too cocky to accept anything could be better than home-brew. Consequently, they belch.


So, _IF_ this failure is from the SYSTEM account, try any "normal" account.
Should this be from an account without the searchlist complication, then forget about my noise and get help from better-informed people.

Once again:
-- I am just having some ugly memories and only extrapolation from there!

hth

Proost.

Have one on me.

jpe

Don't rust yours pelled jacker to fine doll missed aches.
almanzam
Occasional Advisor

Re: Connecting an OpenVMS to a LINUX machine

ONE: I was missing my identification. file on VMS. (that was silly on my part. I admit that I thought I didn't need that with the -o option IdentityFile=filewithkey.; parameter)
TWO: Fixed the "identification." file permissions so that the local client could read - the client must be able to read it to SSH
THREE: Checked the system configuration for SSH - good

SUCCESS. I was able to run an SCP, an SSH, and an SFTP without a password. Are there any other security items I have to check before I continue doing the batch copy?

Thank you, everyone again, for your help.