Operating System - OpenVMS
Showing results for 
Search instead for 
Did you mean: 

Format of SSHD2_CONFIG

Go to solution
Richard W Hunt
Valued Contributor

Format of SSHD2_CONFIG

A while back I posted on wanting to set up SSH (v2) between OpenVMS and a non-VMS SSH client. Well, that is working now. Took a little bit. But I'm using RSA-1024 certificates to establish the connection and it seems to be OK.

If I can just get the SSH client to point to the right certificates (the "IdentifyFile" parameter or equivalent), we can use DoD certificates. I'm told there is a solution to that problem so that isn't my question. Though if anyone has any thoughts on the matter, I'd listen attentively.

Here's the real question. We have a cluster with a multi-channel network card riding multiple sub-nets and I have a syntax question, of sorts, for how to allow multiple SSH connections.

You have to tell SSHD where your host certificates are stored. OK, for testing, we did that on a single node and a single subnet on that node. No big deal. But when we go to full production status, we have a potential for adding enough key pointers that it will be an insanely long line. The KEY_22_node_subdomain_...._domain_masterdomain format for key file names on a military network often (as in our case) leads to some whompin' huge file names. And because the TCPIP$SSH directory is not rooted in SYS$SPECIFIC, it has to identify every hostkey file in the same SSHD2_CONFIG file.

For the parameters involving host key (public OR private) specification on the SSHD2 side, is there such a thing as a line continuation marker? Or do you repeat the key parameter & file name line once per key for as many keys as you have/need? Or do we have to switch to {gulp} TECO to make a long-enough line and delimit file names with commas? Or can I actually violate the key rule and just point to a single file for all connections? Does anyone know how to solve this problem?

I've looked in the manuals already so RTFM as an answer is too late.
Sr. Systems Janitor
Honored Contributor

Re: Format of SSHD2_CONFIG

I don't immediately have an OpenVMS box handy where I can experiment with the sshd2_config file.

Wander over to a Unix box and invoke the following incantations:

man ssh_config
man sshd_config
man sshd2_config

and see what you turn up. Various web sites also serve up the Unix docs, if you don't have a Unix box handy. (And there's the http://www.openssh.com/ web site, which has some materials.)

None of which explicitly references a line continuation.

I'd probably see if adding additional keyword=data pairs works, or (if not) if a trailing backslash (the standard C escape character) works as a line continuation. (If honored and if the backslash is found, the next character is ignored, and that character would be an LF in a Stream_LF file.)

The inevitable "fun" with these ports is in the determination of what is specific to the port, and what is generic to the package.

And once you sort this out, lob a report back at OpenVMS and at openssh (or whomever). Or post up a response here.
Steven Schweda
Honored Contributor

Re: Format of SSHD2_CONFIG

I know nothing, but it's not clear to me what
you're trying to do where which requires a
long line of something or other.

> Here's the real question. [...]

I don't see it.
Richard W Hunt
Valued Contributor

Re: Format of SSHD2_CONFIG

Steven, thanks for your interest. I'll be more specific.

In file SSHD2_CONFIG., which resides in cluster-wide folder SYS$SYSDEVICE:[TCPIP$SSH.SSH2], there is a parameter called HostKeyFile, which you use to point to the SSH Private Key file to use for SSH connections to your host. Another parameter is the PublicHostKeyFile, pointing to the public key file.

My cluster sits on multiple internal and external networks, each with its own DNS, and each node therefore has multiple fully qualified domain names (FQDN) with different subdomain strings.

For testing, this was one file each, thus only "opening up" one very specific pathway. My job is to open up every pathway to SSH connection methods.

According to the SSH documentation for the TCPIP Services for OpenVMS v 5.4 ECO 7 (what I'm running, under OpenVMS 7.3-2), the name that I present for each key file has a format derived from the FQDN for that connection pathway. You would use a different key name for each different connection to a different node on a different network channel. So I'm looking at several names, none of which are short.

Option 1: Can I override the name to use for host key files so that ALL nodes regardless of their FQDN point to the same file? According to the manuals, no.

Option 2: Use some bizarred editor to specify each of the key files on the same line, comma-separated, and just have that be one whompin' huge line.

Option 3: Identify a continuation character that might allow me to just put the next long key name on the next line and so on until all keys have been entered.

Option 4: Some of the parameters appear to allow you to repeat them and the value used the second time is just tacked on to the value you supplied the first time. Some of the parameters don't do this. If all I have to do is enter several lines of HostKeyFile and PublicHostKeyFile, that won't be bad at all.

So Steven, my question is, which of the above options apply to OpenVMS 7.3-2 and TCPIP Services version 5.4 ECO 7? How do I specify the huge string that I will need to identify all cluster members on all applicable subnets? Having read the newest manuals I could find, I still don't have the answer.
Sr. Systems Janitor
Respected Contributor

Re: Format of SSHD2_CONFIG

I'm considering doing the same thing as you - adding a long line in the sshd2 config file for DenyHosts. I didn't find anything in the documentation either and in speaking to my unix brethren he thinks it's gonna have to be just one looooooong line.

Very interested in the outcome of this...