Operating System - OpenVMS
Showing results for 
Search instead for 
Did you mean: 

Re: SSH Server goes South

Frequent Advisor

SSH Server goes South

HP TCP/IP Services for OpenVMS Alpha Version V5.6 - ECO 5 on an AlphaServer ES40 running OpenVMS V8.3

One day, out of the blue, the SSH server on one of the nodes quits working. Logins rejected immediately. The run log only has this message:

%DCL-E-NOCMDPROC, error opening captive command procedure - access denied

Protections on those files that get run, TCPIP$SSH_DEVICE:LOGIN.COM & TCPIP$SYSTEM:TCPIP$SSH_RUN.COM, are

If we remove the restricted from the account that runs SSH, we can log in and the log indicates that LOGIN.COM does get run first and then TCPIP$SYSTEM:TCPIP$SSH_RUN.COM. Both files are executed without error so they are readable by the SSH account but there is something that makes OpenVMS reject the LOGIN.COM when the account is restricted.

I almost forgot to mention, the other node in the cluster has no problem with SSH. Both nodes use the same SSH account but have separate system disks with separate SSH files. We can find no differences in the files especially in protection.

any ideas?

Clark Powell
Trusted Contributor

Re: SSH Server goes South


The similar topic was discussed in the below thread.


Also refer the online help for the error message DCL-E-NOCMDPROC.

NOCMDPROC, error opening captive command procedure - access denied

Facility: CLI, Command Language Interpreter (DCL)

Explanation: When you attempted to log in, you failed because you have a
captive account and DCL received an error during the login.
For example, DCL could not find your LOGIN.COM file. You
may also have incorrect protection on the system's SYLOGIN
system's SYLOGIN file must be protected with at least WORLD:E
access to the file and the directory that contains it.

User Action: See your system manager.


Frequent Advisor

Re: SSH Server goes South

One might overlook the SYLOGIN.COM file if there are no other indications of a protection error and there wasn't but, in this case, it seems that the SYLOGIN.COM with no world access was the problem.

Clark Powell