Operating System - OpenVMS
1745817 Members
4236 Online
108722 Solutions
New Discussion юеВ

OpenVMS SSH client and UNIX SSH server with public key auth and passphrase

 
SOLVED
Go to solution
Ana M. Garc├нa Olivencia
Regular Advisor

OpenVMS SSH client and UNIX SSH server with public key auth and passphrase

Hi all.

One month ago, I posted a note

http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1272093

where I asked about how to enable public key authorization when we have an UNIX SSH client and OpenVMS SSH server. I followed the suggestions you gave me and I thought that just in the opposite sense I wouldn't have any problem. But it was not so.

My pair of public-private keys are generated with passphrase at the Unix side. I have converted the private key to SSH2 format recognized by OpenVMS with 'ssh-keygen' command and '-e' option and it's ok.

I have followed the steps to enable OpenVMS ssh client and when I connect to an Unix ssh server (with only publick key authentication enabled), all the process seems ok (I use the '-vvv' option with the 'ssh' command) but when it asks for the passphrase, I enter it correctly, press return and it asks for it again, until three times, when it disconnects the conection.

Do you know if there is a problem using passphrases generated in Unix environment at OpenVMS client side?.

Have I missed something in the configuration process?

Thanks in advance.

Ana
11 REPLIES 11
Richard Whalen
Honored Contributor

Re: OpenVMS SSH client and UNIX SSH server with public key auth and passphrase

What TCP/IP stack are you using on VMS?
Are you getting the case correctly for the pass phrase?
Ana M. Garc├нa Olivencia
Regular Advisor

Re: OpenVMS SSH client and UNIX SSH server with public key auth and passphrase

Richard.

The version is:

HP TCP/IP Services for OpenVMS Alpha Version V5.6 - ECO 2
on a COMPAQ AlphaServer DS20E 666 MHz running OpenVMS V8.3

And I am sure I am entering the right passphrase.

Thanks.

Ana
Ana M. Garc├нa Olivencia
Regular Advisor

Re: OpenVMS SSH client and UNIX SSH server with public key auth and passphrase

I have done more tests with a pair of private/public keys with NO passphrase, convert them to SSH2 format, and it also asks for a passphrase (???). Therefore, it seems either a problem at OpenVMS side or in the key conversion.

I thought doing the conversion with the 'ssh-keygen' from OpenVMS but according to the last TCP/IP release notes, the option '-e' doesn't work.

In order to discard an error in the keystrokes on my behalf, another mate has tested with his own keys (with passphrase and with no passphrase) and the results are exactly the same.

Has anybody had this behavour?

Thanks.

Ana
Richard Whalen
Honored Contributor

Re: OpenVMS SSH client and UNIX SSH server with public key auth and passphrase

Since the SSH client is asking for the passphrase we can infer that public key authentication is enabled on both sides and that the private key file is being properly identified on the Unix side. On the VMS side the user's [.SSH2] directory should have an AUTHORIZATION. file; this file contains lines that look like:
key filename.extension
These files containing the public keys should also be in the user's [.SSH2] directory.
Ana M. Garc├нa Olivencia
Regular Advisor

Re: OpenVMS SSH client and UNIX SSH server with public key auth and passphrase

Richard.

I have both files, identification. and authorization. in the SSH2 directory (I have followed the steps from the SSH manual). In fact, with the same keys, the ssh works in the opposite direction (OpenVMS SSH server and Linux SSH client).

Ana
Richard Whalen
Honored Contributor

Re: OpenVMS SSH client and UNIX SSH server with public key auth and passphrase

The identification. file is only used by the SSH2 client.

Maybe the problem is with the SSH2 client on the Unix side. Can you do a test between two Unix systems where a key format conversion is not needed?
Steven Schweda
Honored Contributor
Solution

Re: OpenVMS SSH client and UNIX SSH server with public key auth and passphrase

> [...] UNIX [...]

Not a well-defined quantity.

> I have converted the private key to SSH2
> format recognized by OpenVMS with
> 'ssh-keygen' command and '-e' option and
> it's ok.

Define "ok". What's in the files? On my
HP-UX system, "ssh-keygen -e" seems always
to produce an "SSH2 PUBLIC KEY", not an
"SSH2 ENCRYPTED PRIVATE KEY".

How, exactly, did you convert what into what?
Actual commands with (at least some of the)
actual output may be more helpful than vague
descriptions.

> [...] (I use the '-vvv' option with the
> 'ssh' command) [...]

That's nice, but I can't see the results.

Using a key file which I generated on the VMS
side (and converted to OpenSSH on the UNIX
side), it works for me:

alp $ ssh "-V"
alp$dka0:[sys0.syscommon.][sysexe]tcpip$ssh_ssh2.exe: SSH Secure Shell OpenVMS (
V5.5) 3.2.0 on COMPAQ Professional Workstation - VMS V7.3-2

alp $ type [.ssh2]identification._pp
IdKey SMS_ID_DSA_1024_A

alp $ type [.ssh2]SMS_ID_DSA_1024_A.
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Subject: sms
Comment: "1024-bit dsa, sms@alp.antinode.org, Fri Jun 27 2003 03:57:52"
P2/[...]
[...]
[...]Oym
---- END SSH2 ENCRYPTED PRIVATE KEY ----

alp $ ssh -i identification._pp dyi
Passphrase for key "/ALP$DKA0/sms/ssh2/SMS_ID_DSA_1024_A" with comment "1024-bit
dsa, sms@alp.antinode.org, Fri Jun 27 2003 03:57:52":

Authentication successful.
Last successful login: Thu Oct 30 05:50:55 CDT 2008 alp-l.antinode.info
Last login: Thu Oct 30 05:50:55 2008 from alp-l.antinode.

Value of TERM has been set to "vt100".

dyi $ uname -a
HP-UX dyi B.11.31 U ia64 4235313755 unlimited-user license


My psychic powers are too weak to let me see
your key files or your "ssh -v [...]" output,
so it's hard for me to guess what might be
wrong in your environment.
Steven Schweda
Honored Contributor

Re: OpenVMS SSH client and UNIX SSH server with public key auth and passphrase

> I thought doing the conversion with the
> 'ssh-keygen' from OpenVMS but according to
> the last TCP/IP release notes, the option
> '-e' doesn't work.

What about "-i" on the UNIX side?
"man ssh-keygen".
Ana M. Garc├нa Olivencia
Regular Advisor

Re: OpenVMS SSH client and UNIX SSH server with public key auth and passphrase

Hi all.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Maybe the problem is with the SSH2 client on the Unix side. Can you do a test between two Unix systems where a key format conversion is not needed?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

The same Linux system that is behaving as a SSH server in the problematic environment is behaving correctly as a SSH client with other Linux servers.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> [...] UNIX [...]

Not a well-defined quantity.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Different Linux systems.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Define "ok". What's in the files? On my
HP-UX system, "ssh-keygen -e" seems always
to produce an "SSH2 PUBLIC KEY", not an
"SSH2 ENCRYPTED PRIVATE KEY".
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Oupps!. It seems silly but I didn't realize that the contents of the converted private key file has, as Steven said it happens with HP-UX, the PUBLIC key format not the PRIVATE one (I focused my attention at the comment string and didn't see the format key). With 'ok' I only mean that there wasn't an error message in the conversion.

Anyway, looking again the meaning of the 'ssh-keygen' man page:

....

-e This option will read a private or public OpenSSH key file and print the key in RFC 4716 SSH Public Key File Format to stdout. This option allows exporting keys for use by several commercial SSH implementations.
....

It seems that the output of this option is alway PUBLIC key format.

Another mate has converted his private key with 'puttygen' command and it works ok with OpenVMS ssh client and UNIX systems. In fact, I have found at other forums that the only way is to use this command.

Therefore, my conclusions are:

* The '-e' option of 'ssh-keygen' command doesn't do what I wanted: to convert a private key file with OpenSSH format to SSH2 compatible format.

* There is no other option for this command to do that (the '-i' option suggested by Steven just does the opposite operation).

* You have to intall 'putty' to have the 'puttygen' command.

* If somebody knows another tool, please let us know.

>>My psychic powers are too weak to let me >>seeyour key files or your "ssh -v [...]" >>output, so it's hard for me to guess what >>might be wrong in your environment.

You are right but, before attaching a lot of information, I wanted to ask anybody if there was a reported problem or a known issue. I think that now we know that I was using the incorrect option, it is useless to attach the output.

Thank you very much for all your help.

Regards.

Ana