HPE Community
Operating System - OpenVMS
1753511 Members
4844 Online
108795 Solutions
New Discussion юеВ

Re: SSH windows client to VMS

 
Gary Smallridge
Occasional Advisor

тАО03-30-2011 05:45 AM

тАО03-30-2011 05:45 AM

SSH windows client to VMS

Hi,

I'm trying to setup password-less SSH connection between a windows client (CopSSH) and VMS (V7.3-2 TCPIP V5.4 Eco 7).

I've generated the pair of key files (id_rsa and id_rsa.pub) on the client.

I'm not sure where to create them on the VMS system.

Looking back at past posts, it seems that I need to create the .ssh directory ([.ssh] ?) and the 'authorized_key.' file.

I've appended the 'id_rsa.pub' file to the 'authorized_key.' file.

The first time I connected, I entered the password and it added an entry to the known hosts file, etc.

When I connect subsequently, I still get prompted for the password.

The attached shows the output from 'ssh -v'.

Anyone know where I'm going wrong?
0 Kudos
Reply
7 REPLIES 7
Steven Schweda
Honored Contributor

тАО03-30-2011 06:31 AM - last edited on тАО08-04-2011 09:53 AM by

тАО03-30-2011 06:31 AM - last edited on тАО08-04-2011 09:53 AM by

Re: SSH windows client to VMS

> [...] I need to create the .ssh directory
> ([.ssh] ?)

[.SSH2] ?

> and the 'authorized_key.' file.

[.SSH2]AUTHORIZATION. ?

(Case probably doesn't matter, and I may
have done this stuff back in my ODS2 days.)

> I've appended the 'id_rsa.pub' file to the
> 'authorized_key.' file.

If you're looking at "past posts" involving
other operating systems, using OpenSSH (or
its friends), which is how it sounds, then
you should get hold of the actual VMS docs,
because many things are different here. For
example, [.SSH2]AUTHORIZATION holds file
names of key files, not the actual key data
as "authorized_keys" (with an "s") does.

> [...] a windows client (CopSSH) [...]

I know nothing about it, but if it's based on
OpenSSH, then you may also have key file
format problems, requiring some key file
format conversion (which probably would need
to be done on the other system, because the
VMS key generation program may be too lame to
do it). There should be plenty of those
"past posts" which cover the whole key format
mess. One recent example:

(thread deleted)


The latest manual should be:

http://h71000.www7.hp.com/doc/83final/ba548_90007/index.html

That's probably a newer version, but it or
the comparable older manual should help some.
(The SSH docs are under TCPIP.)

> [...] 'ssh -v'.

Also, when the server's unhappy, it seldom
tells the client all it knows, so you may
need to find the server's log file to get all
the useful info after something fails.

Reply
Duncan Morris
Honored Contributor

тАО03-30-2011 07:15 AM

тАО03-30-2011 07:15 AM

Re: SSH windows client to VMS

Hi Gary,

create [.ssh2]authorization. with
an entry

Key id_rsa.pub

Here are my own samples for allowing passwordless login within a node

ty [.ssh2]authorization.
Key id_duncanm_ev6.pub

ty [.ssh2]identification.
IdKey id_duncanm_ev6

The relevant key files should be present in the [.ssh2] directory. The authorization entries are the permitted inbound identities, and the identification file holds one or more identities which you would use outbound. If you only want inbound connections, then you only need the authorization file and public keys.

Regards,

Duncan
0 Kudos
Reply
Gary Smallridge
Occasional Advisor

тАО03-30-2011 08:16 AM

тАО03-30-2011 08:16 AM

Re: SSH windows client to VMS

Hi Duncan,

Yup it's easy setting it up for localhost connection.

I followed the same method for the windows system with and without converting the 'ida_rsa.pub' file to IETF format ('-e' switch to ssh-keygen), but it still prompts for the passphrase to the 'id_rsa' file.
0 Kudos
Reply
Duncan Morris
Honored Contributor

тАО03-30-2011 08:33 AM

тАО03-30-2011 08:33 AM

Re: SSH windows client to VMS

Gary,

is it prompting for a passphrase, or the VMS account password?

If it is the passphrase, then you probably want to regenerate the key pair specifying "no passphrase", which would be the "-P" option with the VMS ssh_keygen.

If it is prompting for the VMS account password, then you probably need to enable debugging during the connection to have a look at the connection dialogue.

Make sure that the public key at the VMS end has STMLF format, and I presume that you have checked that your SSHD2_CONFIG. has publickey listed for AllowedAuthentications.
0 Kudos
Reply
Edwin Gersbach_2
Valued Contributor

тАО04-04-2011 04:11 AM

тАО04-04-2011 04:11 AM

Re: SSH windows client to VMS

Gary

Also, if it is querying the passphrase you may want to check your SSH implementation on the windows system for the specification of the passphrase cache timeout value.

I'm using Exceed where this value is specified in the 'Connectivity Secure Shell Management Console' in the 'Settings' tab.

I've set a value of 600 so the phrase is kept for a whole working day (10 hours).

Edwin
0 Kudos
Reply
Hoff
Honored Contributor

тАО04-04-2011 04:43 AM

тАО04-04-2011 04:43 AM

Re: SSH windows client to VMS

I would suggest calling HP support here, as that's the new model for operating with OpenVMS, and given that HP has provided documentation insufficient or confusing for your particular needs. (And yes, the ssh manual is fairly dense; it seems written for folks that already understand what's going on, and lacking in recipes.)


From the log...

...
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /cygdrive/h/.ssh/identity
debug1: Offering public key: /cygdrive/h/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /cygdrive/h/.ssh/id_dsa
debug1: Next authentication method: password
@asp03's password:
...

The public key path failed, and it's prompting you for your VMS password, in other words. Not for the key passphrase.

The keys either weren't the right private-public pair, or the key file format wasn't appreciated (stream LF), or the key format (DSA, RSA) wasn't right, or they were misplaced within the VMS ssh-related directory structures, or...

This phrasing:

> I've appended the 'id_rsa.pub' file to the 'authorized_key.' file.

Makes me wonder if you appended the key file contents onto the specified file, or if you appended the name of the key file onto the specified file. The former would not work.

Here's the basic sequence for a command-line generation from the perspective of a Unix box connecting to an OpenVMS box:

http://labs.hoffmanlabs.com/node/1118

It shows what format key is used, and where to transfer the public key within VMS, and how to configure the key as an authorized key.

A while back, I also used a Windows box to create a series of images and documentation for a PuTTY key setup and key exchange for a customer, though I haven't posted that one.

--

Reposting this as ITRC is again demonstrating its continued desire to be replaced by an actual and functional forums system.
Reply
Gary Smallridge
Occasional Advisor

тАО04-04-2011 05:36 AM

тАО04-04-2011 05:36 AM

Re: SSH windows client to VMS

Hi,

With the help you all have given, I have managed to get it working from a user's PuTty session.

1. The key is generated with Puttygen.
2. The public key is append to the end of the 'authorized_key' file.
3. An entry is added to the 'authorization.' file, e.g.:
Key id_rsa.pub

I think that there maybe old information around that refers to SSH v1 regarding the converting to 'ssh.com' format.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.