Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

SSH_KEYGEN2 usage and -X option

 
SOLVED
Go to solution
Richard W Hunt
Valued Contributor

SSH_KEYGEN2 usage and -X option

Running Alpha/OpenVMS 7.3-2, secure shell version is v 5.4 ECO 7, specific version for SSH_KEYGEN2 is 3.2.0, compiled oct 2 2007. Hardware is ES40, up-to-date with regard to any hardware ECOs and any firmware updates that I know about.

I was researching the issue of using an X509 certificate's embedded RSA-1024 key to establish an SSH session. OK, lots of folks on this forum have told me it can't be done without buying another network package. But sometimes if you want to get something done you have to display a little tenacity. (Others can probably call it hard-headedness or obstinacy. I can live with that.)

After working with Attachmate on using Reflections 14 to establish the PKI SSH2 connection to an OpenVMS box, the crux of the matter is that we need to be able to extract the public RSA key out of the public certificate in a way that doesn't violate the rules on key usage.

That is not as stringent as it might first sound, because to use a non-web connection, the full certificate is not an issue. The RSA portion of the key is used to open the SSH tunnel. After that, if you do something ELSE that requires DoD signatures, the other parts of the certificate becomes an issue. (I had to check that fact with my site security guys before proceeding down this path at all.) Those of you who understand Dept. of Defense should already be aware that it is legal to do that kind of extraction because it is the PUBLIC cert/key that I am analyzing. Obviously, using the private key would be another matter.

Well, here is where we ran into a roadblock.

Reflections has a way to extract and upload that public key to UNIX or Windows boxes but the Upload option doesn't work correctly on OpenVMS. Don't know why at this time.

The X509 utility that comes with OpenSSL allows me to extract and display the public key that is in my X509v3 certificate. I do not see any errors in attempting to translate the exported public certificate using the X509 utility's -text option for the details of the certificate or the -pubkey option to extract the public RSA key.

The RSA key is supposed to be just a funky text file, but I can't extract that out via any means (so far) and translate it to another, more usable format. Even though it looks superficially like the RSA key I get if I generate one manually. Even though it shows me a header that delineates the beginning and end of the key. Even though I convert that file to STREAM_LF before working with it. That means I am blocked by the SSL utilities unless someone knows a torturous path from the X509 -pubkey option to something else I can use for RSA analysis.

The port of ssh_keygen2 seems to lack some commands, or perhaps they are undocumented, that would be productive here. Specifically, a UNIX server or Windows Server version of SSH_KEYGEN2 has a -X command that is not listed in the OpenVMS version. Yet that compile date is recent enough that the feature ought to be present in whatever source was used for the port.

So my question is, does SSH_KEYGEN2 version as noted above have some things in it that weren't documented in the .PDF that was associated with the ECO 7 update of TCPIP?

Or is there a path through the SSL utility minefield that will make that key usable?
Sr. Systems Janitor
5 REPLIES 5
Steven Schweda
Honored Contributor
Solution

Re: SSH_KEYGEN2 usage and -X option

It might be easier for me to make sense out
of this if I could see some of the files,
even with mangled contents (so long as the
form is preserved). I may or may not
actually know anything useful, but I have a
dim recollection of manually translating
some key files before I discovered
"ssh-keygen -X" (or, as it's often known now,
"-i").
Ken Robinson
Valued Contributor

Re: SSH_KEYGEN2 usage and -X option

The problem here is, most likely, that the key format on VMS is different than the key format on Linux/Unix & Windows. Most Linux/Unix systems I've dealt with use the OpenSSH format, while VMS uses the IETF SECSH format. The ssh-keygen command on Linux/Unix has options that can be used to convert one format to another, but the ssh_keygen on VMS does not have those options. If you have a Linux/Unix system available, upload the key to that machine and do

$ ssh-keygen -e -f uploaded.key.file > converted.key.file

The move the converted key file to your VMS machine.

Ken
Richard W Hunt
Valued Contributor

Re: SSH_KEYGEN2 usage and -X option

Thanks for the leads, guys.

I can confirm the SECSH format. If you use the Reflections "Upload" button in the UserKeys tab of the Security setup for an SSH session, it attempts to extract the key in SECSH format. (It says so in the log file!)

Knowing that -i has replaced -X helps, too. I am going to work based on those two bits of information.

Are there other names for those formats besides "OpenSSL" and "SECSH" - and is there a way to interconvert these using one of the pkcs sub-functions of OpenSSL?

Is there an on-line place that would give a decent overview of the two? I'll search, of course, but if anyone has a favorite, I'd appreciate knowing.

Before I actually post a key, I want to play with this problem some more using what I just learned from you.

Between this forum and the Attachmate help desk I might yet find a way around this problem that won't violate too many rules.
Sr. Systems Janitor
Steven Schweda
Honored Contributor

Re: SSH_KEYGEN2 usage and -X option

> Knowing that -i has replaced -X helps, too.

That probably depends on where you are.
"man ssh-keygen" should tell you what's true
in your environment. On my Solaris 10
system, it says:

[...]
-X Obsolete. Replaced by the -i option.
[...]


(I certainly wouldn't trust me.)

Are there other names [...]

I've seen "SSH2-compatible", which, I assume,
is the same as "SECSH" (but no bets).
Richard W Hunt
Valued Contributor

Re: SSH_KEYGEN2 usage and -X option

I don't have access to a UNIX server. Our site has me rather isolated at the moment. I'll get with one of the other admins to see what their ssh_keygen2 says for the MAN command.
Sr. Systems Janitor