HPE Community
Operating System - OpenVMS
1753546 Members
5908 Online
108795 Solutions
New Discussion юеВ

Implications of replacing Telnet with SSH: SFTP, SCP

 
SOLVED
Go to solution
Thomas Ritter
Respected Contributor

тАО07-09-2007 12:16 PM

тАО07-09-2007 12:16 PM

Implications of replacing Telnet with SSH: SFTP, SCP

SSH is to be enabled on our secured firewalled production cluster. The firewalls do not allow FTP or port 21,20 access. If we enable SSH which uses port 20, then users have the ability to use SFTP, SCP or SSH. Can SSH be implemented and deny SFTP or SCP ? It seems that by solving the problem of having plain text transmitted over networks we creating another problem by broading the means with which data can leak from the systems. ? But SSH is new to me. Maybe I am missing something ?
What are your thoughts
0 Kudos
Reply
8 REPLIES 8
Richard Whalen
Honored Contributor

тАО07-09-2007 01:32 PM

тАО07-09-2007 01:32 PM

Solution

Re: Implications of replacing Telnet with SSH: SFTP, SCP

SSH typically runs on port 22.

SFTP works by starting an SSH session, then requesting SSH to start the SFTP subsystem. The image that is run for the subsystem is defined in the configuration file SSHD2_CONFIG.
Comment out the subsystem definitions from the configuration file and the subsystems will not be available.

On VMS SCP is just a different way of doing a single SFTP copy line. On Unix systems that run OpenSSH (the most popular), SCP is a separate program that basically works like RCP.
Reply
Thomas Ritter
Respected Contributor

тАО07-09-2007 01:45 PM

тАО07-09-2007 01:45 PM

Re: Implications of replacing Telnet with SSH: SFTP, SCP

Richard, I did mean port 22. Just removed SFTP , tested and SFTP has failed. Not gracefully though.

isconnected; connection lost (Connection closed.).

Warning: child process (/sys$system/tcpip$ssh_ssh2) exited with code 27.


%TCPIP-E-SSH_FC_ERROR, undetermined error within sshfilecopy

This is a good start.


0 Kudos
Reply
Wim Van den Wyngaert
Honored Contributor

тАО07-10-2007 02:33 AM

тАО07-10-2007 02:33 AM

Re: Implications of replacing Telnet with SSH: SFTP, SCP

Thomas,

I don't have the data anymore but copying big files with scp instead of ftp consumes a lot of CPU and could delay the transfer when done on a high speed interface (or delay applications running on the node).
On our Suns theys need to copy db dumps with scp ...

Wim
Wim
0 Kudos
Reply
Wim Van den Wyngaert
Honored Contributor

тАО07-10-2007 02:41 AM

тАО07-10-2007 02:41 AM

Re: Implications of replacing Telnet with SSH: SFTP, SCP

Oh yes,

Executing "rsh show time" needs 0.2 seconds while ssh needs 0.7 second (on old GS160).

Wim
Wim
0 Kudos
Reply
Hoff
Honored Contributor

тАО07-10-2007 04:43 AM

тАО07-10-2007 04:43 AM

Re: Implications of replacing Telnet with SSH: SFTP, SCP

sftp and scp configuration (disable, deny) details:

http://64.223.189.234/node/347

sftp and scp do run just fine, albeit rather more processor resources are involved.
Reply
Ian Miller.
Honored Contributor

тАО07-10-2007 06:05 AM

тАО07-10-2007 06:05 AM

Re: Implications of replacing Telnet with SSH: SFTP, SCP

which tcpip product are you using.

There may be restrictions on the files that can be copied with ssh
____________________
Purely Personal Opinion
0 Kudos
Reply
Thomas Ritter
Respected Contributor

тАО07-10-2007 12:12 PM

тАО07-10-2007 12:12 PM

Re: Implications of replacing Telnet with SSH: SFTP, SCP

Thanks for the replies.
We are running VMS 7.3-2 and UCX 5.4 ECO 5.
0 Kudos
Reply
Wim Van den Wyngaert
Honored Contributor

тАО07-10-2007 06:49 PM

тАО07-10-2007 06:49 PM

Re: Implications of replacing Telnet with SSH: SFTP, SCP

I have scp2 5.0.1 of multinet on 7.3.

I scp2 sysdump of 728.000 blocks.
Source node and destination node (both GS160) had 45% of cpu used for SSH processes.
Speed was 2.5 MB per sec. It took 2min30.

Same operation with copy used only 20% cpu and took 1m06.

Only did the test once on a machine in use.

Wim
Wim
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.