Operating System - OpenVMS
SFTP: How do I pick they key to use?

 
SOLVED

Hi,
I'm new to using SFTP and am having trouble getting the host/server computer to recognize my connection. The host that I'm trying to SFTP to already has my public key so I believe the problem is that I'm not including it as part of my connection string so that it can authenticate me first with the key, and then with my account password. Unfortunately the only way I've found to connect is using the "OPEN userid@hostinfo.com" string and don't know how to include a reference to the key in my connection string.

Any ideas?

Thanks for your help!
Erik
14 REPLIES
Volker Halle
Honored Contributor

Re: SFTP: How do I pick they key to use?

Erik,

welcome to the OpenVMS ITRC forum.

Here is a pointer to a similar topic from back in 2005, I hope it will answer your question:

http://forums12.itrc.hp.com/service/forums/questionanswer.do?threadId=985928

Volker.
Richard W Hunt
Valued Contributor

Re: SFTP: How do I pick they key to use?

Having just gone through part of this myself, here is what I got to work.

First you need the user's private key on the SSH/SFTP client side.

The client needs some sort of CONFIG file, see the product documentation for how it is named. Everybody has a different convention on this but it is usually CONFIG_something or something_CONFIG. Its location is some .SSH or .SSH2 folder in the path of your SSH/SFTP utility.

Inside that CONFIG file, you identify the location of the key file via the "IdentifyFile" clause - if the SFTP client supports that clause. The client CONFIG file can get very ugly if you have more than one user who logs in through that same client unless they have individual profiles à la Windows user profiles and the client is installed per-user.

Probably you'll need the host's public key also noted somewhere in that file if you already know it. Otherwise the first time you connect, you will need to manually interact so that you can accept the host's public key. After that, you can more easily automate the process since many clients allow you to point to a script once you have the completed connection.

Of course, your HOST also has a CONFIG file where similar rules apply. Except that for the OpenVMS host, each user has a private .SSH2 folder with the pointers you need in the individual SSHD2_CONFIG files.

Note that if you go to ECO 7 of TCPIP services, you need to download the updated SSH manual, which you can find online by searching the HP site. (Sorry, don't have the link at hand, I've set it aside somewhere and now can't find it at the moment.)
Sr. Systems Janitor

Re: SFTP: How do I pick they key to use?

Hi,
Thank you for your help. I'm confused as to what the "IdentifyFile" file should be set at. Currently it simply says "identification"

thanks,
Erik
Steven Schweda
Honored Contributor

Re: SFTP: How do I pick they key to use?

Believe it or not, it might help to know
which sort of computers, running which sort
of software, you're using as the client and
server. If either of them is running VMS,
then you may be asking your question in the
right place.

One place to start might be:

sftp "-V"

Re: SFTP: How do I pick they key to use?

We, the client, are using an OpenVMS system to run SFTP.

The results of sftp -V show the following, but I don't know what I'm supposed to be getting from this.

Sftp2/SFTP2.C:4642: CRTL version (SYS$SHARE:DECC$SHARE ident) is: V7.3-2-03

SshFileCopy/SSHFILECOPY.C:1080: Making local connection.
Ssh2SftpServer/SSHFILEXFERS.C:1758: Received SSH_FXP_INIT
Ssh2SftpServer/SSHFILEXFERS.C:1803: version is 3
SshFileCopy/SSHFILECOPY.C:1019: Connection to local, ready to serve requests.
Sftp2/SFTP2.C:798: Connection ready.
SshReadLine/SSHREADLINE.C:3670: Initializing ReadLine...
Steven Schweda
Honored Contributor

Re: SFTP: How do I pick they key to use?

> The results of sftp -V [...]

Sadly, on VMS there's a difference between
what you did:
sftp -V
and what I suggested:
sftp "-V"
.

Around here:

alp $ sftp "-V"
alp$dka0:[sys0.syscommon.][sysexe]tcpip$ssh_sftp2.exe: SSH Secure Shell OpenVMS
(V5.5) 3.2.0 on COMPAQ Professional Workstation - VMS V7.3-2

And, according to "sftp -h", you can use:
[-o option_to_ssh2]
and, according to "ssh -h", you can specify:
-i file Identity file for public key authentication

So, I'd guess that something like this might
work:

sftp -o "-i other_id_file" [...]

where other_id_file contains text like:
IdKey actual_key_file_name
the way [.ssh2]identification should be doing
now.

Also, when playing with authentication
options and problems, it's often easier to
puzzle things out using SSH (with "-v"?) than
it is using the more complex SFTP.

Re: SFTP: How do I pick they key to use?

I'm still a bit unsure as to what I'm to do with the "-V", but here is the output:

$ sftp "-V"
dsa1:[sys0.syscommon.][sysexe]tcpip$ssh_sftp2.exe: SSH Secure Shell OpenVMS (V5.
5) 3.2.0 on hp AlphaServer GS1280 7/1300 - VMS V7.3-2
Steven Schweda
Honored Contributor

Re: SFTP: How do I pick they key to use?

> I'm still a bit unsure as to what I'm to do
> with the "-V", but here is the output:

That was it. So now we all know with what
we're dealing, at least on the client side.

> I'm confused as to what the "IdentifyFile"
> file should be set at. Currently it simply
> says "identification"

That's fine. It means that SSH and its
friends will look at "[.ssh2]identification"
to get the name of the key files to use.

For example, on my system, I have two sets of
key files in [.ssh2] -- one with a passphrase
(SMS_ID_DSA_1024_A.*) and one without
(SMS_NPP_ID_DSA_1024_A.*). By default, SSH
gets the identity from
[.ssh2]identification., which on my system
says "IdKey SMS_NPP_ID_DSA_1024_A", so it
normally uses the no-passphrase keys.

alp $ ssh alp
Authentication successful.
[...]

If I want to use the with-passphrase keys, I
can specify an alternate identity file, say,
[.ssh2]identification._pp, which says "IdKey
SMS_ID_DSA_1024_A".

alp $ ssh -i identification._pp alp
Passphrase for key "/ALP$DKA0/sms/ssh2/SMS_ID_DSA_1024_A" with comment "1024-bit
dsa, sms@alp.antinode.org, Fri Jun 27 2003 03:57:52":

Authentication successful.
[...]

Similarly, for SFTP:

alp $ sftp alp
sftp> cd zx2000
ALP$DKA0:[SMS.ZX2000]
sftp> ls v*
VMS_INSTALL.TXT;3
VMS_INSTALL.TXT;2
VMS_INSTALL.TXT;1
sftp> quit

Or, using the with-passphrase keys (and the
correct SFTP syntax to specify the alternate
identity, unlike my earlier
suggestion/guess):

alp $ sftp -o "IdentityFile identification._pp" alp
Passphrase for key "/ALP$DKA0/sms/ssh2/SMS_ID_DSA_1024_A" with comment "1024-bit
dsa, sms@alp.antinode.org, Fri Jun 27 2003 03:57:52":
sftp> cd zx2000
ALP$DKA0:[SMS.ZX2000]
sftp> ls v*
VMS_INSTALL.TXT;3
VMS_INSTALL.TXT;2
VMS_INSTALL.TXT;1
sftp> quit


Now, back to the original problem.

> [...] am having trouble getting the
> host/server computer to recognize my
> connection.

What, exactly, does that mean? What command
did you use, and what, exactly, happened when
you tried it?

Do you have proper key files in your [.ssh2]
directory? Did you make them using
SSH_KEYGEN on the VMS system, or did you copy
them from some UNIX-like system somewhere
(where the key file formats are probably
different)?

Does "ssh other_host" work? If not, what is
the output you get from "ssh -v other_host"?
(Step one is to get a simple SSH command to
work.)

Re: SFTP: How do I pick they key to use?

Hi Steven, I really appreciate your continued support with this. Here are some answers/clarifications to questions you had.

First, problem #1 could've been the fact that the "identification." file did not exist on our system, so I created one that contained the "IdKey ID_DSA_2048_A" string. Actually, I created an identification._pp file just to mimic what you were showing me in your post.

Next, I tried multiple times to connect to the host system using the following commands and had no luck. I've included the error message that it is giving me.

$ SFTP -o "IdentityFile identification._pp" xyz@www.somesite.org
This is a private system.
Unauthorized access is prohibited and will
xyz@www.somesite.org's password:

warning: Authentication failed.
Disconnected; no more authentication methods available (No further authenticatio
n methods available.).
FATAL: ssh2 client failed to authenticate. (or you have too old ssh2 installed,
check with ssh2 "-V")

%TCPIP-F-SSH_FATAL, non-specific fatal error condition

~~~~~~~~~~~~~~~

$ ssh -i identification._pp xyz@www.somesite.org
This is a private system.
Unauthorized access is prohibited and will
xyz's password:

warning: Authentication failed.
Disconnected; no more authentication methods available (No further authenticatio
n methods available.).
~~~~~~~~~~~~~~~~
The key was originally created using the SSH_KEYGEN on the VMS system.

The results of "ssh other_host" are:
debug: Ssh2/SSH2.C:1906: CRTL version (SYS$SHARE:DECC$SHR.EXE ident) is V7.3-2-0
3
debug: SshAppCommon/SSHAPPCOMMON.C:322: Allocating global SshRegex context.
debug: SshConfig/SSHCONFIG.C:3332: Metaconfig parsing stopped at line 4.
debug: SshConfig/SSHCONFIG.C:861: Setting variable 'VerboseMode' to 'FALSE'.
debug: SshConfig/SSHCONFIG.C:3240: Unable to open ssh2/ssh2_config
debug: Connecting to other_host, port 22... (SOCKS not used)
debug: Ssh2/SSH2.C:2872: Entering event loop.
warning: Connecting to other_host failed: No address associated to the name
%TCPIP-E-SSH_ERROR, non-specific error condition

Re: SFTP: How do I pick they key to use?

I was playing with some "-D" 3 debugging and came up with this
debug: server offers auth methods 'publickey,password'.
debug: SshConfig/SSHCONFIG.C:3240: Unable to open ssh2/identification._pp
debug: Ssh2AuthClient/SSHAUTHC.C:377: Method 'publickey' disabled.

It seems like it is unable to use my identification file which could very likely be the problem
Steven Schweda
Honored Contributor
Solution

Re: SFTP: How do I pick they key to use?

> debug: SshConfig/SSHCONFIG.C:3240: Unable
> to open ssh2/identification._pp
> debug: Ssh2AuthClient/SSHAUTHC.C:377:
> Method 'publickey' disabled.

That looks like a clue. Where's your
"identification._pp" file? (An actual
DIRECTORY listing would be most convincing.)

Around here (where SYS$LOGIN is
"ALP$DKA0:[SMS]"):

alp $ dire /date /prot /size [.ssh2]id*

Directory ALP$DKA0:[SMS.SSH2]

IDENTIFICATION.;3 1 23-JUL-2003 22:46:43.97 (RWED,RWED,,)
IDENTIFICATION._NPP;1
1 23-JUL-2003 22:46:43.97 (RWED,RWED,,)
IDENTIFICATION._PP;3
1 26-JUN-2003 23:43:35.79 (RWED,RWED,,)

Total of 3 files, 3 blocks.

You might throw in /OWNER, too, just in case.


> [...] identification._pp file just to mimic
> [...]

Wouldn't be my choice (for a NO-passphrase
key set), but it shouldn't matter.

Re: SFTP: How do I pick they key to use?

Hi Steve,
Great news! I was able to get it working thanks to your advice. After poking around for a while I found that for whatever reason SSH/SFTP was looking for the identification file and the secret and public keys in my personal VMS directory, so once I moved those files into that directory everything started to work as expected.

Thanks for all of your help with this.

Erik
Steven Schweda
Honored Contributor

Re: SFTP: How do I pick they key to use?

> [...] I was able to get it working [...]

What could go wrong?

> [...] I found that for whatever reason [...]

The SSH _client_ must use user-specific data,
so it looks for them under SYS$LOGIN. The
documentation on this is somewhere between
confused and hopeless, I'll admit.

For example:
http://h71000.www7.hp.com/doc/83final/BA548_90007/ch03s02.html

[...] If you want to specify user-specific
parameters, you can create a client
configuration file in the [username.SSH2]
directory. [...]

Well, maybe, and maybe not.

Not having a good way to say something like
"SYS$LOGIN:[.SSH2]" makes it hard for UNIX
people who expect to be able to say things
like "$HOME/ssh2" or "~/ssh2".
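As an added illustration (not code from this thread, and not part of HP's SSH product), the checker below resolves an identification file the way Steven's two explanations describe: each "IdKey name" line names a private key file that the client expects to find next to the identification file, in the user's [.SSH2] directory under SYS$LOGIN (or ~/.ssh2 on UNIX-like systems). It reproduces the failure Erik hit, where the identification file lives somewhere else and the client reports "Unable to open" and disables publickey, so only password authentication remains. The directory layout, file names and placeholder key contents are constructed in a temporary directory for the demo; the "IdKey ID_DSA_2048_A" line mirrors the one Erik mentioned.

```python
"""Resolve an SSH2-style 'identification' file and report what the client
would actually find. Added example; the layout in demo() is constructed."""
import os
import stat
import tempfile
from pathlib import Path


def parse_identification(text):
    """Return the key names from 'IdKey <name>' lines, skipping blank and
    '#' comment lines and any clause that is not IdKey."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "idkey":
            keys.append(parts[1].strip())
    return keys


def resolve_identity(ssh2_dir, ident_name="identification"):
    """Mimic the client's lookup: the identification file must be inside
    ssh2_dir, and every IdKey names a private key (plus a .pub file) that
    also lives in ssh2_dir. Returns a report dict; publickey_enabled is
    False when nothing usable is found, which is the 'Method publickey
    disabled' situation from the thread."""
    ssh2_dir = Path(ssh2_dir)
    ident = ssh2_dir / ident_name
    report = {"identification": str(ident), "found": ident.is_file(), "keys": []}
    if not report["found"]:
        report["publickey_enabled"] = False
        return report
    for name in parse_identification(ident.read_text()):
        priv = ssh2_dir / name
        pub = ssh2_dir / (name + ".pub")
        entry = {"name": name, "private": priv.is_file(), "public": pub.is_file()}
        if priv.is_file():
            # A private key readable by group/world is a finding in itself.
            mode = stat.S_IMODE(priv.stat().st_mode)
            entry["private_world_readable"] = bool(mode & 0o044)
        report["keys"].append(entry)
    report["publickey_enabled"] = any(k["private"] for k in report["keys"])
    return report


def demo():
    """Constructed layout: one identification file in the right place and
    one misplaced in the home directory, as in Erik's first attempt."""
    with tempfile.TemporaryDirectory() as home:
        ssh2 = Path(home) / "ssh2"
        ssh2.mkdir()
        (ssh2 / "identification").write_text("# default identity\nIdKey ID_DSA_2048_A\n")
        (ssh2 / "ID_DSA_2048_A").write_text("<constructed private key placeholder>\n")
        (ssh2 / "ID_DSA_2048_A.pub").write_text("<constructed public key placeholder>\n")
        os.chmod(ssh2 / "ID_DSA_2048_A", 0o600)
        # Written in the home directory instead of the ssh2 directory:
        # the client will not find it there.
        (Path(home) / "identification._pp").write_text("IdKey ID_DSA_2048_A\n")
        good = resolve_identity(ssh2)
        bad = resolve_identity(ssh2, "identification._pp")
        return good, bad


if __name__ == "__main__":
    for label, rep in zip(("correct layout", "misplaced file"), demo()):
        print(label, "->", "publickey enabled" if rep["publickey_enabled"]
              else "publickey disabled (identification file not found)")
        for k in rep["keys"]:
            print("   ", k)
```

Run it with no arguments to see the two outcomes side by side; to check a real account, call resolve_identity() on the actual [.SSH2] (or ~/.ssh2) directory and treat a False publickey_enabled, a missing .pub file or a world-readable private key as the thing to fix before touching the connection options.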

Re: SFTP: How do I pick they key to use?

Solution found. Please see thread.