Re: SSH_KEYGEN2 usage and -X option
10-15-2008 05:51 AM
I was researching the issue of using an X509 certificate's embedded RSA-1024 key to establish an SSH session. OK, lots of folks on this forum have told me it can't be done without buying another network package. But sometimes if you want to get something done you have to display a little tenacity. (Others can probably call it hard-headedness or obstinacy. I can live with that.)
After working with Attachmate on using Reflections 14 to establish the PKI SSH2 connection to an OpenVMS box, the crux of the matter is that we need to be able to extract the public RSA key out of the public certificate in a way that doesn't violate the rules on key usage.
That is not as stringent as it might first sound, because to use a non-web connection, the full certificate is not an issue. The RSA portion of the key is used to open the SSH tunnel. After that, if you do something ELSE that requires DoD signatures, the other parts of the certificate become an issue. (I had to check that fact with my site security guys before proceeding down this path at all.) Those of you who understand Dept. of Defense should already be aware that it is legal to do that kind of extraction because it is the PUBLIC cert/key that I am analyzing. Obviously, using the private key would be another matter.
Well, here is where we ran into a roadblock.
Reflections has a way to extract and upload that public key to UNIX or Windows boxes but the Upload option doesn't work correctly on OpenVMS. Don't know why at this time.
The X509 utility that comes with OpenSSL allows me to extract and display the public key that is in my X509v3 certificate. I do not see any errors in attempting to translate the exported public certificate using the X509 utility's -text option for the details of the certificate or the -pubkey option to extract the public RSA key.
The RSA key is supposed to be just a funky text file, but I can't extract that out via any means (so far) and translate it to another, more usable format. Even though it looks superficially like the RSA key I get if I generate one manually. Even though it shows me a header that delineates the beginning and end of the key. Even though I convert that file to STREAM_LF before working with it. That means I am blocked by the SSL utilities unless someone knows a torturous path from the X509 -pubkey option to something else I can use for RSA analysis.
The port of ssh_keygen2 seems to lack some commands, or perhaps they are undocumented, that would be productive here. Specifically, a UNIX server or Windows Server version of SSH_KEYGEN2 has a -X command that is not listed in the OpenVMS version. Yet that compile date is recent enough that the feature ought to be present in whatever source was used for the port.
So my question is, does SSH_KEYGEN2 version as noted above have some things in it that weren't documented in the .PDF that was associated with the ECO 7 update of TCPIP?
Or is there a path through the SSL utility minefield that will make that key usable?
10-15-2008 10:51 AM
Solution
of this if I could see some of the files,
even with mangled contents (so long as the
form is preserved). I may or may not
actually know anything useful, but I have a
dim recollection of manually translating
some key files before I discovered
"ssh-keygen -X" (or, as it's often known now,
"-i").
10-15-2008 11:09 AM
Re: SSH_KEYGEN2 usage and -X option
$ ssh-keygen -e -f uploaded.key.file > converted.key.file
Then move the converted key file to your VMS machine.
Ken
10-16-2008 04:31 AM
Re: SSH_KEYGEN2 usage and -X option
I can confirm the SECSH format. If you use the Reflections "Upload" button in the UserKeys tab of the Security setup for an SSH session, it attempts to extract the key in SECSH format. (It says so in the log file!)
Knowing that -i has replaced -X helps, too. I am going to work based on those two bits of information.
Are there other names for those formats besides "OpenSSL" and "SECSH" - and is there a way to interconvert these using one of the pkcs sub-functions of OpenSSL?
Is there an on-line place that would give a decent overview of the two? I'll search, of course, but if anyone has a favorite, I'd appreciate knowing.
Before I actually post a key, I want to play with this problem some more using what I just learned from you.
Between this forum and the Attachmate help desk I might yet find a way around this problem that won't violate too many rules.
10-16-2008 07:14 AM
Re: SSH_KEYGEN2 usage and -X option
That probably depends on where you are.
"man ssh-keygen" should tell you what's true
in your environment. On my Solaris 10
system, it says:
[...]
-X Obsolete. Replaced by the -i option.
[...]
(I certainly wouldn't trust me.)
Are there other names [...]
I've seen "SSH2-compatible", which, I assume,
is the same as "SECSH" (but no bets).
10-16-2008 07:44 AM