Operating System - OpenVMS

SSH in a captive account?

 
Thomas A. Williams
Regular Advisor

I just tried to run an ssh and scp command from a captive account, and I got this error:

System error message: 'captive account - spawn command not allowed'

Is there any workaround to this? Or are SSH commands not going to work from a captive account?
Thomas A. Williams
Regular Advisor

Re: SSH in a captive account?

Correction - the SSH command actually works from a captive account. It's just the SCP command that doesn't.
Steven Schweda
Honored Contributor

Re: SSH in a captive account?

I don't know anything, but SHOW PROCESS /SUBPROCESSES (/IDENTIFICATION = xxxxxxxx) does show a subprocess when SCP is run, and a quick dump of the executable (SYS$SYSTEM:TCPIP$SSH_SCP2.EXE) does show what looks like message text mentioning "sys$creprc()", so I'd guess that you're doomed.

A quick Google search for:
scp subprocess
turns up a few places which say things like:

Recall that the command:

$ scp ... S:file ...

actually runs ssh in a subprocess to connect to S and invoke a remote scp server. [...]

(http://www.unix.org.ua/orelly/networking_2ndEd/ssh/ch11_05.htm)

All of which seems to reinforce the initial impression of doom.
John Gillings
Honored Contributor

Re: SSH in a captive account?

Thomas,

The big hammer fix would be to set bit 6 in the SYSGEN parameter SECURITY_POLICY - this allows SPAWN from CAPTIVE accounts. Depending on your environment, it might not be appropriate to open this hole.

Note SECURITY_POLICY is NOT dynamic so it's a reboot to set or clear it.

If the SPAWN command is in DCL, you could add /TRUSTED, or if you can get at the source code, add the flag CLI$M_TRUSTED to the LIB$SPAWN FLAGS parameter.

I checked the SCP command for a "TRUSTED" flag, nothing obvious.
A crucible of informative mistakes
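The checks John describes, as an added DCL example that is not from the thread or from HP: it reads SECURITY_POLICY with F$GETSYI, tests the SPAWN-from-CAPTIVE bit, and falls back to SPAWN/TRUSTED for the procedure's own subprocess. It assumes "bit 6" counts from bit 0 (mask %X40 = 64); confirm the mask against SYSGEN HELP PARAMETERS SECURITY_POLICY on your system.

```dcl
$! Added example (not from the thread): decide at run time whether SCP
$! can work from this CAPTIVE account, without touching SYSGEN.
$ SET NOON
$!
$! SECURITY_POLICY is a static SYSGEN parameter; F$GETSYI returns the
$! value in effect since the last boot.
$ policy = F$GETSYI("SECURITY_POLICY")
$!
$! Assumption: "bit 6" is zero-based, i.e. mask %X40 (decimal 64).
$ captive_spawn_ok = (policy .AND. %X40) .NE. 0
$!
$ WRITE SYS$OUTPUT "SECURITY_POLICY = ''policy'"
$ IF captive_spawn_ok
$ THEN
$!   SCP creates its own subprocess via sys$creprc, so it only has a
$!   chance when the system-wide policy permits SPAWN from CAPTIVE.
$    WRITE SYS$OUTPUT "SPAWN from CAPTIVE accounts is enabled; trying SCP"
$    SCP 'P1' 'P2'
$ ELSE
$    WRITE SYS$OUTPUT "SPAWN from CAPTIVE accounts is disabled; SCP will fail"
$!   For subprocesses this procedure starts itself, /TRUSTED is the
$!   narrower fix: it applies to this one SPAWN, not to every CAPTIVE
$!   account on the node, and needs no reboot.
$    SPAWN/TRUSTED/NOLOGICAL/NOSYMBOL SSH 'P1' "echo subprocess test"
$ ENDIF
$ EXIT
```

Run as a captive account's login procedure step, e.g. @CHECK_SCP source-file host:dest; the ELSE branch shows that SPAWN/TRUSTED works while the SCP-internal subprocess still does not.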
Thomas A. Williams
Regular Advisor

Re: SSH in a captive account?

Thanks for the replies. I also opened a call with HP support and this was their reply:

"I've confirmed the behavior, and have contacted TCPIP engineering about it, and waiting for a response."