smsc_1
Regular Advisor

RSH between OpenVMS machines without password

Hello people, first of all, I'm not an OpenVMS expert. What I'm trying to do is quite simple on Linux, but I'm stuck on OpenVMS.

 

I want to use RSH between two OpenVMS machines (one V7.2 and the other V8.3-1H1) WITHOUT USING A PASSWORD. This is because I need to execute a remote script, but I don't want to "share" the password in the main script.

 

RSH works fine on the source machine but, of course, it asks me for a password.

The simple question is, is there a way to avoid password request?

 

Thanks

./ Lucas
Hoff
Honored Contributor

Re: RSH between OpenVMS machines without password

Use ssh (details here), not rsh.   ssh can do remote logins and can also execute single commands, and certificate-based no-password or passphrase-based logins.  And FWIW, rsh, telnet, ftp and related are old, and lack any form of security; these tools expose your credentials.  (If the security of your authentication credentials is a concern, then these older protocols are Bad News.)

 

If security isn't a particular concern and you have a DECnet connection (whether DDCMP or DECnet-Plus / DECnet Phase V over IP) between these systems, then you can use DECnet and DCL and proxies.  No need for ssh nor rsh or related.  Somewhat simpler (but also somewhat less capable) is the SUBMIT /REMOTE command.

 

More advanced are distributed task management tools; task and batch and process schedulers.  VMS lacks basic scheduling tools, but there are add-on tools that can potentially allow you to reach your general goals here.  And an intermediate step up from the SUBMIT /REMOTE command is the HP DQS package; the distributed queue services package.

 

edit: The link color scheme here really obscures the embedded links, too.

Steven Schweda
Honored Contributor

Re: RSH between OpenVMS machines without password

 
smsc_1
Regular Advisor

Re: RSH between OpenVMS machines without password

 

Thanks for the reply. SSH could be the solution; however, security is not important in my case, since both machines are in the same LAN behind multiple firewalls!

 

The problem is that in the source machine there's no SSH client/server installation:

ABCD31:SYSTEM> ssh
%DCL-W-IVVERB, unrecognized command verb - check validity and spelling
 \SSH\

 

 
  Compaq TCP/IP Services for OpenVMS Server Components Configuration Menu
   Configuration options:
    1 - BIND         Disabled Stopped      12 - NTP          Enabled  Started
    2 - BOOTP        Disabled Stopped      13 - PC-NFS       Disabled Stopped
    3 - DHCP         Disabled Stopped      14 - POP          Disabled Stopped
    4 - FINGER       Disabled Stopped      15 - PORTMAPPER   Disabled Stopped
    5 - FTP          Enabled  Started      16 - RLOGIN       Enabled  Started
    6 - IMAP         Disabled Stopped      17 - RMT          Disabled Stopped
    7 - LBROKER      Disabled Stopped      18 - SNMP         Enabled  Started
    8 - LPR/LPD      Disabled Stopped      19 - TELNET       Enabled  Started
    9 - METRIC       Disabled Stopped      20 - TFTP         Disabled Stopped
   10 - NFS          Disabled Stopped      21 - XDM          Disabled Stopped
   11 - LOCKD/STATD  Disabled Stopped

    A  -  Configure options 1 - 21
   [E] -  Exit menu

 

tcpip show version:
  Compaq TCP/IP Services for OpenVMS Alpha Version V5.3 - ECO 2
  on a AlphaServer ES40 running OpenVMS V7.3-1 

 

Well, as I already said, I'm not an OpenVMS expert, so is there any "EASY" way to install the SSH client/server?

 

Also, DECnet is present between the machines; I already use it to copy files:

ABCD31:SYSTEM>COPY LOG.TXT BCDE41::$1$DKA101:[000000]LOG.TXT

 

Could you please advise on how to execute a remote script using DECnet?

 

./ Lucas
Mike Kier
Valued Contributor

Re: RSH between OpenVMS machines without password

Since you have DECnet available you might want to look at the help for SUBMIT /REMOTE and also read up on DECnet proxies.

Practice Random Acts of VMS Marketing
Andy_Bustamant2
Advisor

Re: RSH between OpenVMS machines without password

Another option for remote management is using SYSMAN.

 

$ MCR SYSMAN

> HELP SET ENVIRONMENT

> HELP DO

 

Sometimes mistaken for a cluster management option, SYSMAN allows remote management of multiple standalone nodes as well.

 

 

Hoff
Honored Contributor

Re: RSH between OpenVMS machines without password

I linked to an example of the DCL you are requesting.  

 

(And yes, the default link color scheme used in postings around here isn't as visible as it probably should be.)

 

Your TCP/IP Services version is too old to have ssh.  There was an experimental version back then, but that'd be very stale now, and vulnerable.

 

(Consider upgrading TCP/IP Services and/or VMS, too; a whole lot of the versions are undergoing support status transitions circa 1-Jan-2013, and V7.3-1 went off of support in 2005 or so.)

 

Firewalls aren't a panacea; it's fairly common for folks to use attack techniques that bypass or that drill through those these days. (And FWIW, the DEFCON SMG privilege bugs are likely present in that VMS version, too.)

smsc_1
Regular Advisor

Re: RSH between OpenVMS machines without password

Well, unfortunately I cannot upgrade the TCP stack since the machine is in production and cannot be stopped! :(

 

However, I tried the SUBMIT /REMOTE command and it works. The bad news is that I need to run a remote script that calls another script. With RSH this works, but with SUBMIT this doesn't work.

 

I'll try SYSMAN environment to test if it works!

       

      

./ Lucas
Volker Halle
Honored Contributor

Re: RSH between OpenVMS machines without password

smsc_1,

 

with SUBMIT/REMOTE you submit a DCL procedure, which exists on the remote node, to the default SYS$BATCH queue on the remote node with an implicit SUBMIT/NOKEEP. The batch job executes under the user which is used for DECnet access, which could be the default DECnet account, the default FAL$USER account or the DECnet proxy account, if one exists matching the user and nodename from which the SUBMIT/REMOTE command has been executed.

 

You can certainly invoke sub-procedures from this procedure. You need to become aware of the account, under which the remote procedure executes and the login-directory for that account. If you add the following command into the DCL procedure, the .LOG file will not be printed and deleted:  $ DEFINE SYS$PRINT NLA0:

 

Volker.

smsc_1
Regular Advisor

Re: RSH between OpenVMS machines without password

 

Thanks for your feedback Volker,

this is what I tried:

 

mainscript.com (on remote machine)

copy dka100:[log]test.log dka101:[000000]

 Then execute it on local machine with:

SUBMIT /REMOTE ABCD::DKA101:[SCRIPTS]mainscript.com

 This works fine, but if I add the following line on mainscript.com:

 

copy dka100:[log]test.log dka101:[000000]
@DKA101:[SCRIPTS]test.com

Well, again, the copy command works, but the test.com script was not executed.

 

 

 

./ Lucas
Volker Halle
Honored Contributor

Re: RSH between OpenVMS machines without password

smsc_1,

 

What is the error message? Please add a $ DEF SYS$PRINT NLA0: into the script, run it again and then check the MAINSCRIPT.LOG file in the login directory of the user on the remote node under which this script runs.

 

Volker.

EdgarZamora_1
Respected Contributor

Re: RSH between OpenVMS machines without password

You asked a simple question "How do you do rsh without using passwords?" and the simple answer is use tcpip communications proxies (as Steven S. already told you in an earlier response but you may have not noticed because he had it in an attachment).   TCPIP HELP ADD PROXY

 

 

RBrown_1
Trusted Contributor

Re: RSH between OpenVMS machines without password


@smsc_1 wrote:

 

mainscript.com (on remote machine)

copy dka100:[log]test.log dka101:[000000]

 Then execute it on local machine with:

SUBMIT /REMOTE ABCD::DKA101:[SCRIPTS]mainscript.com

 This works fine, but if I add the following line on mainscript.com:

 

copy dka100:[log]test.log dka101:[000000]
@DKA101:[SCRIPTS]test.com

 

 

Where are the dollar signs? Each command line in a DCL command file must start with a dollar sign ($). If you leave them out, the first line might be executed, but the rest are not.

 

As mentioned by another, you should tell us the error message.

 

 

John Gillings
Honored Contributor
Solution

Re: RSH between OpenVMS machines without password

As others have suggested, use a TCPIP proxy; that's what they're for! Perhaps a full example will help?

 

Two nodes, NODEA and NODEB; one user, MYSELF, has an account on each machine. You want MYSELF to be able to execute RSH commands from each node to the other without a password.

 

NODEA> TCPIP ADD PROXY MYSELF /HOST=NODEB/REMOTE_USER=MYSELF
NODEA> TCPIP SHOW PROXY

VMS User_name     Type      User_ID    Group_ID   Host_name

MYSELF            CD     MYSELF                   NODEB


NODEB> TCPIP ADD PROXY MYSELF /HOST=NODEA/REMOTE_USER=MYSELF
NODEB> TCPIP SHOW PROXY

VMS User_name     Type      User_ID    Group_ID   Host_name

MYSELF            CD     MYSELF                   NODEA


NODEA> RSH NODEB SHOW SYSTEM/NOPROCESS
OpenVMS V8.4  on node NODEB   24-AUG-2011 07:20:19.15   Uptime  150 21:12:53


NODEA> RSH NODEB RSH NODEA SHOW SYSTEM/NOPROCESS
OpenVMS V8.4  on node NODEA   24-AUG-2011 07:21:03.45   Uptime  164 14:19:24

 

 


One trick, sometimes the proxy doesn't appear as "CD" immediately, especially in a cluster with a shared proxy data base. In those cases, you need the magic, undocumented incantation executed on all cluster nodes:

 

$ TCPIP SET TCP/SIGNAL

 

(I've never fully understood what it actually means, or why it's necessary, but the upshot is it refreshes the proxy data base).

A crucible of informative mistakes
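
Added example (not part of the post above, and not code from TCP/IP Services): each proxy row is a standing grant to run commands without a password, so it is worth reviewing captured TCPIP SHOW PROXY output from every node. The sketch below parses the column layout shown in the post and lists the trust edges plus rows that deserve a second look. The SYSTEM/OPER row, the PRIVILEGED set and the wildcard check are assumptions constructed for illustration.

```python
# Constructed sample: TCPIP SHOW PROXY output captured on each node,
# in the column layout shown in the post above.
CAPTURES = {
    "NODEA": """
VMS User_name     Type      User_ID    Group_ID   Host_name

MYSELF            CD     MYSELF                   NODEB
SYSTEM            C      OPER                     *
""",
    "NODEB": """
VMS User_name     Type      User_ID    Group_ID   Host_name

MYSELF            CD     MYSELF                   NODEA
""",
}
PRIVILEGED = {"SYSTEM"}  # assumption: accounts this site treats as privileged


def parse_proxies(text):
    """Yield (local_user, type, remote_user, remote_host) per proxy row."""
    for line in text.splitlines():
        cols = line.split()
        # Rows like those in the thread have 4 fields (Group_ID is empty);
        # the 6-word header, blank lines and other layouts are skipped.
        if len(cols) == 4:
            yield tuple(cols)


def audit(captures):
    """Return (edges, findings) for password-less rsh trust between nodes."""
    edges, findings = [], []
    for node, text in captures.items():
        for local_user, ptype, remote_user, remote_host in parse_proxies(text):
            edge = (remote_host, remote_user, node, local_user)
            edges.append(edge)
            if ptype != "CD":  # the thread reports proxies working once shown as CD
                findings.append((edge, "type is not CD, may not be loaded"))
            if "*" in remote_host + remote_user:  # assumption: wildcard entries exist
                findings.append((edge, "wildcard peer"))
            if local_user in PRIVILEGED:
                findings.append((edge, "maps to a privileged local account"))
            if remote_user != local_user:
                findings.append((edge, "remote and local user names differ"))
    return edges, findings


if __name__ == "__main__":
    for edge, reason in audit(CAPTURES)[1]:
        print("%s/%s -> %s/%s: %s" % (edge + (reason,)))
```

Each edge reads as (remote host, remote user, local node, local user); the two MYSELF rows from the post produce edges and no findings.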
John Gillings
Honored Contributor

Re: RSH between OpenVMS machines without password

Steven,

   I'm sure you already know this... Since going to the new system, your responses appear only as text attachments. The interface is bad enough without having to jump out of the thread to open an attachment to read a few lines of text. Can't you find a way to post responses so they appear in line?

A crucible of informative mistakes
Steven Schweda
Honored Contributor

Re: RSH between OpenVMS machines without password

 
smsc_1
Regular Advisor

Re: RSH between OpenVMS machines without password

      

People, I would like to thank you all for helping me, especially John Gillings, who showed me the proxy example.

 

Just one more question. It's not important, because I need to execute the command from NODEB, but just to know in case I need it in the future.

 

I set up both proxies, but I can execute the command only from "NODEB" to "NODEA".

If I start the command from NODEA I receive the following:

 

NODEA:USER> RSH NODEB SHOW SYSTEM/NOPROCESS
%RSH-E-FAILED, TCPIP$RSH - Permission denied - host IP addr
 (from remote)

 

This is the proxy configuration from NODEA

NODEA:USER> TCPIP SHOW PROXY
 VMS User_name     Type      User_ID    Group_ID   Host_name
USER              CD     USER                     NODEB

 

 This is the proxy configuration from NODEB

NODEB:USER> tcpip show proxy
 VMS User_name     Type      User_ID    Group_ID   Host_name
USER              CD     USER                     NODEA

 

 

As advised by John, I used the following command without success :(

 

NODEA:USER> TCPIP SET TCP/SIGNAL
%TCPIP-I-LOADSERV, loading TCPIP server proxy information
%TCPIP-I-SERVLOADED, auxiliary server loaded with 1 proxy records
-TCPIP-I-SERVSKIP, skipped 0 communication proxy records
-TCPIP-I-SERVTOTAL, total of 1 proxy records read

 

Users are the same on both machines.

 

 

./ Lucas
Hoff
Honored Contributor

Re: RSH between OpenVMS machines without password

Ensure that the rsh server is configured and enabled on the target VMS server.  Via TCPIP$CONFIG or related.

 

And FWIW, I would discourage use of rsh for application-level operations.  It's intended for interactive use.  Given VMS's lack of an "expect" command or related, processing errors or untoward results from the target rsh-triggered script/procedure is comparatively hairy.  

 

While DECnet DCL is (also) a hack, that provides a bi-directional communications path you can use to detect and report remote activity and particularly remote failures.  (While IP task-to-task communications would be a useful enhancement to DCL, I don't see that happening.)