Operating System - OpenVMS
1745913 Members
4399 Online
108723 Solutions
New Discussion юеВ

TCPware v5.8-2 SSH v2 Protocol DSA Keys with Mac OS X Client

 
Theodore Jay Allen
Occasional Advisor

TCPware v5.8-2 SSH v2 Protocol DSA Keys with Mac OS X Client

I am running TCPware V5.8-2 on OpenVMS I64 V8.3-1H1. I have no issues utilizing DSA keys to authenticate between the OpenVMS servers. I can also copy my private and public keys to a Win XP client and utilize PuTTY to connect to the OpenVMS hosts.

However, if I try to copy the keys to my Mac OS X 10.5.6 laptop, the "sshkeygen -y -f id_dsa" command cannot read/load the copied private key to output the public key to stdout.

Has anyone else experienced issues in the compatibility of the format of SSH v2 DSA keys generated by TCPware and Mac OS X Leopard?

Best Regards,

Ted
5 REPLIES 5
Steven Schweda
Honored Contributor

Re: TCPware v5.8-2 SSH v2 Protocol DSA Keys with Mac OS X Client

My Mac is off at the moment, and I don't know
which key format TCPware uses, but with
TCPIP, I'd expect you to need to use
"ssh-keygen -i":

http://developer.apple.com/documentation/Darwin/Reference/ManPages/man1/ssh-keygen.1.html

[...]
-i This option will read an unencrypted private (or public) key file in SSH2-compatible format and
print an OpenSSH compatible private (or public) key to stdout. ssh-keygen also reads the
`SECSH Public Key File Format'. This option allows importing keys from several commercial SSH
implementations.
[...]


I suspect that I did something like that.
Theodore Jay Allen
Occasional Advisor

Re: TCPware v5.8-2 SSH v2 Protocol DSA Keys with Mac OS X Client

I failed to mention that the key files were transferred in a zip file from OpenVMS to the Mac OS X client via FTP binary mode.

Also, when Mac OS X is requested to add a comment to an SSH v2 DSA key via the "-C" option, the comment only appears at the end of the public key file. There is no mention of it in the private key file. The TCPware SSH v2 DSA private and public keys both begin with:

Comment: "1024-bit dsa, user@host..."

The TCPware generated public key also contains a "Subject: user" line and the following begin/end tags:

---- BEGIN SSH2 PUBLIC KEY ----
---- END SSH2 PUBLIC KEY ----

The TCPware generated private key contains a "Subject: user" line, "Comment: ..." line, and begin/end tags as follows:

---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
---- END SSH2 ENCRYPTED PRIVATE KEY ----

The Mac OS X generated public key contains no "Subject:" entry and contains no begin/end tags, however, the first line of the public key does start with the string "ssh-dss ". As previously stated, it ends with the comment string (if any) supplied when it was generated.

The Mac generated private key does contain begin/end tags as follows:

-----BEGIN DSA PRIVATE KEY-----
-----END DSA PRIVATE KEY-----

Best Regards,

Ted Allen
Steven Schweda
Honored Contributor

Re: TCPware v5.8-2 SSH v2 Protocol DSA Keys with Mac OS X Client

> [...] via FTP binary mode.

Wouldn't be my first choice for text files,
but if they're Stream_LF, it shouldn't
matter.

> ---- BEGIN SSH2 PUBLIC KEY ----

That's how my TCPIP-generated key files look.

> -----BEGIN DSA PRIVATE KEY-----

That's how my converted key files look. I
actually converted my TCPIP-generated SSH2
key files to OpenSSH format on/for Solaris,
back when "-i" was spelled "-X", but the
results should all resemble each other.

On the Mac, as on any normal OpenSSH system,
things are in "~/.ssh", and they're organized
differently. For example, instead of having
key file names in "[.ssh2]authorization", you
have the actual key data in
"~/.ssh/authorized_keys"; instead of having a
key file name in "[.ssh2]identification", you
have the data in "~/.ssh/identity"; and so
on. (On my Mac, "~/.ssh/identity" is
actually a symlink to the key file.)

If you get your SSH2 key files converted, and
all the stuff installed in the right places,
then things should work.

alp $ tcpip show version

HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 7
on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2

alp $ ssh "-V"
alp$dka0:[sys0.syscommon.][sysexe]tcpip$ssh_ssh2.exe: SSH Secure Shell OpenVMS (
V5.5) 3.2.0 on COMPAQ Professional Workstation - VMS V7.3-2

alp $ ssh smacg4x "uname -a"
Authentication successful.
Darwin smacg4x.antinode.info 9.6.0 Darwin Kernel Version 9.6.0: Mon Nov 24 17:39
:01 PST 2008; root:xnu-1228.9.59~1/RELEASE_PPC Power Macintosh
Theodore Jay Allen
Occasional Advisor

Re: TCPware v5.8-2 SSH v2 Protocol DSA Keys with Mac OS X Client

Hi Steven,

Thanks for the responses. The "-i" option did the trick. I had used FTP to copy the public and private keys from my OpenVMS environment to my Mac (individually in ASCII mode and then as a zip file in Binary mode) and then just renamed them to what the Mac expected (id_dsa and ids_dsa.pub) which did not work.

With the "-i" option I simply redirected the output to the desired files and that resolved the issue:

# ssh-keygen -i -f ID_DSA_VMS >> id_dsa
# ssh-keygen -i -f ID_DSA_VMS.PUB >> id_dsa.pub

Now back to working on X11 keymapping and trying to figure out why I can launch the OpenVMS dtsession (CDE) session manager from the Mac while logged onto our corporate network directly but not when logged onto it via VPN.

Thanks again for the prompt and very helpful response.

Best Regards,

Ted Allen
Steven Schweda
Honored Contributor

Re: TCPware v5.8-2 SSH v2 Protocol DSA Keys with Mac OS X Client

> [...] X11 keymapping [...]

I don't use it enough (and I'm too lazy) to
have solved all the DEL v. BS problems (et
c.) I have mapped PF1-PF4 onto F1-F4 to
avoid worries about Num-Lock, but I did that
on a system about 450 miles away (which I use
when I'm visiting there), so I don't have the
details handy.

> [...] but not when logged onto it via VPN.

X stuff is normally on (or near) port 6000,
so, once you do the right SET DISPLAY things,
you may need to worry about what gets blocked
by the fancy network software. It's bound to
be educational, though.