HPE Community
Operating System - OpenVMS
1752546 Members
4914 Online
108788 Solutions
New Discussion юеВ

Format of SSHD2_CONFIG

 
SOLVED
Go to solution
Richard W Hunt
Valued Contributor

тАО01-17-2008 05:35 AM

тАО01-17-2008 05:35 AM

Format of SSHD2_CONFIG

A while back I posted on wanting to set up SSH (v2) between OpenVMS and a non-VMS SSH client. Well, that is working now. Took a little bit. But I'm using RSA-1024 certificates to establish the connection and it seems to be OK.

If I can just get the SSH client to point to the right certificates (the "IdentifyFile" parameter or equivalent), we can use DoD certificates. I'm told there is a solution to that problem so that isn't my question. Though if anyone has any thoughts on the matter, I'd listen attentively.

Here's the real question. We have a cluster with a multi-channel network card riding multiple sub-nets and I have a syntax question, of sorts, for how to allow multiple SSH connections.

You have to tell SSHD where your host certificates are stored. OK, for testing, we did that on a single node and a single subnet on that node. No big deal. But when we go to full production status, we have a potential for adding enough key pointers that it will be an insanely long line. The KEY_22_node_subdomain_...._domain_masterdomain format for key file names on a military network often (as in our case) leads to some whompin' huge file names. And because the TCPIP$SSH directory is not rooted in SYS$SPECIFIC, it has to identify every hostkey file in the same SSHD2_CONFIG file.

For the parameters involving host key (public OR private) specification on the SSHD2 side, is there such a thing as a line continuation marker? Or do you repeat the key parameter & file name line once per key for as many keys as you have/need? Or do we have to switch to {gulp} TECO to make a long-enough line and delimit file names with commas? Or can I actually violate the key rule and just point to a single file for all connections? Does anyone know how to solve this problem?

I've looked in the manuals already so RTFM as an answer is too late.
Sr. Systems Janitor
0 Kudos
Reply
4 REPLIES 4
Hoff
Honored Contributor

тАО01-17-2008 07:52 AM

тАО01-17-2008 07:52 AM

Solution

Re: Format of SSHD2_CONFIG

I don't immediately have an OpenVMS box handy where I can experiment with the sshd2_config file.

Wander over to a Unix box and invoke the following incantations:

man ssh_config
man sshd_config
man sshd2_config

and see what you turn up. Various web sites also serve up the Unix docs, if you don't have a Unix box handy. (And there's the http://www.openssh.com/ web site, which has some materials.)

None of which explicitly references a line continuation.

I'd probably see if adding additional keyword=data pairs works, or (if not) if a trailing backslash (the standard C escape character) works as a line continuation. (If honored and if the backslash is found, the next character is ignored, and that character would be an LF in a Stream_LF file.)

The inevitable "fun" with these ports is in the determination of what is specific to the port, and what is generic to the package.

And once you sort this out, lob a report back at OpenVMS and at openssh (or whomever). Or post up a response here.
Reply
Steven Schweda
Honored Contributor

тАО01-17-2008 08:20 AM

тАО01-17-2008 08:20 AM

Re: Format of SSHD2_CONFIG

I know nothing, but it's not clear to me what
you're trying to do where which requires a
long line of something or other.

> Here's the real question. [...]

I don't see it.
0 Kudos
Reply
Richard W Hunt
Valued Contributor

тАО01-17-2008 09:27 AM

тАО01-17-2008 09:27 AM

Re: Format of SSHD2_CONFIG

Steven, thanks for your interest. I'll be more specific.

In file SSHD2_CONFIG., which resides in cluster-wide folder SYS$SYSDEVICE:[TCPIP$SSH.SSH2], there is a parameter called HostKeyFile, which you use to point to the SSH Private Key file to use for SSH connections to your host. Another parameter is the PublicHostKeyFile, pointing to the public key file.

My cluster sits on multiple internal and external networks, each with its own DNS, and each node therefore has multiple fully qualified domain names (FQDN) with different subdomain strings.

For testing, this was one file each, thus only "opening up" one very specific pathway. My job is to open up every pathway to SSH connection methods.

According to the SSH documentation for the TCPIP Services for OpenVMS v 5.4 ECO 7 (what I'm running, under OpenVMS 7.3-2), the name that I present for each key file has a format derived from the FQDN for that connection pathway. You would use a different key name for each different connection to a different node on a different network channel. So I'm looking at several names, none of which are short.

Option 1: Can I override the name to use for host key files so that ALL nodes regardless of their FQDN point to the same file? According to the manuals, no.

Option 2: Use some bizarred editor to specify each of the key files on the same line, comma-separated, and just have that be one whompin' huge line.

Option 3: Identify a continuation character that might allow me to just put the next long key name on the next line and so on until all keys have been entered.

Option 4: Some of the parameters appear to allow you to repeat them and the value used the second time is just tacked on to the value you supplied the first time. Some of the parameters don't do this. If all I have to do is enter several lines of HostKeyFile and PublicHostKeyFile, that won't be bad at all.

So Steven, my question is, which of the above options apply to OpenVMS 7.3-2 and TCPIP Services version 5.4 ECO 7? How do I specify the huge string that I will need to identify all cluster members on all applicable subnets? Having read the newest manuals I could find, I still don't have the answer.
Sr. Systems Janitor
0 Kudos
Reply
EdgarZamora_1
Respected Contributor

тАО01-17-2008 11:48 AM

тАО01-17-2008 11:48 AM

Re: Format of SSHD2_CONFIG


I'm considering doing the same thing as you - adding a long line in the sshd2 config file for DenyHosts. I didn't find anything in the documentation either and in speaking to my unix brethren he thinks it's gonna have to be just one looooooong line.

Very interested in the outcome of this...
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.