Operating System - OpenVMS

ssh_add cannot connect to ssh_agent

 
Terrence Branscombe
New Member

ssh_add cannot connect to ssh_agent

According to what I can find in the SSH docs, the SSH_ADD program should connect with the SSH_AGENT program and add any keys specified in your [.SSH2]IDENTIFICATION. file. That isn't happening for me. I can start the agent, see the subprocess is created, but SSH_ADD hangs until I CTRL-Y. This then kills the subprocess and SSH_AGENT. Did I miss something in the docs? Thanks.

I have a hobbyist system (VMS Alpha 7.3-2) running TCPIP for OpenVMS 5.4 ECO 5.

$ show user/full tbransco
OpenVMS User Processes at 7-MAR-2007 19:13:32.26
Total number of users = 1, number of processes = 1

Username Process Name PID Terminal
TBRANSCO TBRANSCO 00000228 TNA4: (Host: GONDOR Port: 1707)
$ dir/owner/prot [.ssh2]identification.

Directory DISK$USR:[TBRANSCO.SSH2]

IDENTIFICATION.;3 [TBRANSCO] (RWD,RWD,R,R)

Total of 1 file.

$ tcpip show service ssh

Service Port Proto Process Address State

SSH 22 TCP TCPIP$SSH 0.0.0.0 Enabled

$ ssh_agent
%DCL-S-SPAWNED, process TBRANSCO_36807 spawned

$ show user/full tbransco
OpenVMS User Processes at 7-MAR-2007 19:15:31.43
Total number of users = 1, number of processes = 2

Username Process Name PID Terminal
TBRANSCO TBRANSCO 00000228 TNA4: (Host: GONDOR Port: 1707)
TBRANSCO TBRANSCO_36807 00000239 (subprocess of 00000228)

$ show symbol/global ssh_add
SSH_ADD*2 == "$SYS$SYSTEM:TCPIP$SSH_SSH-ADD2.EXE"

$ ssh_add
Steven Schweda
Honored Contributor

Re: ssh_add cannot connect to ssh_agent

I know nothing, but around here:

alp $ tcpip show vers

HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2

alp $ show symb ssh*
SSH*2 == "$SYS$SYSTEM:TCPIP$SSH_SSH2.EXE"
SSH_ADD*2 == "$SYS$SYSTEM:TCPIP$SSH_SSH-ADD2.EXE"
SSH_AGENT*2 == "SPAWN /NOWAIT RUN SYS$SYSTEM:TCPIP$SSH_SSH-AGENT2.EXE"
SSH_KEYGEN*2 == "$SYS$SYSTEM:TCPIP$SSH_SSH-KEYGEN2.EXE"

alp $ SSH_AGENT
%DCL-S-SPAWNED, process SMS_57148 spawned

alp $ ssh_add
Adding identity: /alp$dka0/sms/ssh2/SMS_NPP_ID_DSA_1024_A.pub

alp $ SSH_ADD -l
Listing identities.
The authorization agent has one key:
SMS_NPP_ID_DSA_1024_A: 1024-bit dsa, sms@alp.antinode.org, Thu Jul 24 2003 03:43:07

What's in your [.SSH2]IDENTIFICATION file?

alp $ type [.SSH2]IDENTIFICATION.
IdKey SMS_NPP_ID_DSA_1024_A

And:

alp $ dire /date /prot /size [.SSH2]SMS_NPP_ID_DSA_1024_A

Directory ALP$DKA0:[SMS.SSH2]

SMS_NPP_ID_DSA_1024_A.;1
2 23-JUL-2003 22:43:30.09 (RWD,RWD,,)
SMS_NPP_ID_DSA_1024_A.PUB;1
2 23-JUL-2003 22:43:30.25 (RWD,RWD,R,R)
Terrence Branscombe
New Member

Re: ssh_add cannot connect to ssh_agent

Steve,

Thanks for the suggestions.

The content of my IDENTIFICATION file is correct, and the file protections on my private and public key are identical to yours.

$ type [.ssh2]identification.
IdKey RSA_2048_HPSSH_KEY

$ dir/prot [.ssh2]rsa*;*

Directory DISK$USR:[TBRANSCO.SSH2]

RSA_2048_HPSSH_KEY.;1
(RWD,RWD,,)
RSA_2048_HPSSH_KEY.PUB;1
(RWED,RWED,R,R)

There is also nothing in the output of ANALYZE/AUDIT indicating an access failure, nor anything suspect in OPERATOR.LOG.
Terrence Branscombe
New Member

Re: ssh_add cannot connect to ssh_agent

SOLVED, but it's a bit embarrassing.

In an effort to discourage a recent surge in SSH and FTP login bots trying to break into my system, I had locked down access to the network by specifying some specific hosts and my subnet here at home. I had neglected to add LOCALHOST to my list, hence SSH_ADD could not access SSH_AGENT. Joy.

$ TCPIP SHOW CONFIGURATION COMMUNICATION/SECURITY

Communication Security Configuration

Allow Log: None
Force Log: None

Security device: Not defined

Access lists
Accept host: LOCALHOST, xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy
Accept netw: 192.168.0.0:255.255.255.0
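
Added example (not part of the original post, and not HP's code): a small Python check that parses "Accept host" / "Accept netw" lines in the format shown above and reports whether a loopback peer would be admitted, which is the condition that broke SSH_ADD here. The sample lists, the 198.51.100.7 stand-in for the masked hosts, the `HOSTS` name table, the use of 127.0.0.1 as the loopback peer, and the matching rule (a peer is allowed if it equals a listed host or falls inside a listed network) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample modelled on the "Access lists" lines in the post;
# 198.51.100.7 is a documentation address standing in for the masked hosts.
LOCKED_DOWN = """\
Access lists
  Accept host: 198.51.100.7
  Accept netw: 192.168.0.0:255.255.255.0
"""
FIXED = LOCKED_DOWN.replace("Accept host: ", "Accept host: LOCALHOST, ")

# Assumption: names in the list resolve through a local table like this one.
HOSTS = {"localhost": "127.0.0.1"}


def parse_access_lists(text):
    """Return (hosts, networks) from 'Accept host' / 'Accept netw' lines."""
    hosts, nets = set(), []
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        items = [v.strip() for v in value.split(",") if v.strip()]
        if key.lower() == "accept host":
            for item in items:
                try:
                    hosts.add(ipaddress.ip_address(HOSTS.get(item.lower(), item)))
                except ValueError:
                    pass  # unresolvable name: it cannot match any peer
        elif key.lower() == "accept netw":
            for item in items:
                base, sep, mask = item.partition(":")
                if sep:  # only the address:mask form shown on the page
                    nets.append(ipaddress.ip_network(f"{base}/{mask}", strict=False))
    return hosts, nets


def peer_allowed(text, peer="127.0.0.1"):
    """True if peer equals an accepted host or lies in an accepted network."""
    hosts, nets = parse_access_lists(text)
    ip = ipaddress.ip_address(peer)
    return ip in hosts or any(ip in net for net in nets)


if __name__ == "__main__":
    for label, cfg in (("locked down", LOCKED_DOWN), ("with LOCALHOST", FIXED)):
        print(f"{label}: loopback allowed = {peer_allowed(cfg)}, "
              f"LAN client allowed = {peer_allowed(cfg, '192.168.0.20')}")
```
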
Steven Schweda
Honored Contributor

Re: ssh_add cannot connect to ssh_agent

I still don't know anything likely to be
useful, but I see that my SSH_AGENT
subprocess has a couple of BG devices:

alp $ SSH_AGENT
%DCL-S-SPAWNED, process SMS_40842 spawned

alp $ show proc /all SMS_40842
[...]
Devices allocated: BG2319:
BG2320:
[...]

and "show devi /full" on these things shows
"Operations completed" counts which increase
when I say "ssh_add".

Perhaps you could learn something if you run
the agent manually with a "-d "
option:

alp $ show symb SSH_AGENT
SSH_AGENT*2 == "SPAWN /NOWAIT RUN SYS$SYSTEM:TCPIP$SSH_SSH-AGENT2.EXE"

alp $ mcr SYS$SYSTEM:TCPIP$SSH_SSH-AGENT2.EXE -xxx
illegal option -- x
alp$dka0:[sys0.syscommon.][sysexe]tcpip$ssh_ssh-agent2.exe: unknown option 'x'.
Usage: ssh_agent [-d ]


What the "" should be is a
mystery to me, but there should be a
document somewhere which offers some
guidance (hints?).

More rambling guesswork follows.

"tcpip show devi /full BG2320:" suggests that
mine's listening on 127.0.0.1:60593. (Might
be an IP socket on VMS but a UNIX socket on
UNIX?) Anyway, it might be doing a name
look-up on "localhost" or something to get
the "127.0.0.1" address, so if your DNS or
local HOSTS data base lacks that standard
item, that might bewilder someone.
Steven Schweda
Honored Contributor

Re: ssh_add cannot connect to ssh_agent

Well, I was getting close. If this
#(&$^#&(*$ forum were working properly, I
might have gotten my guess in before it was
completely too late. Grrr.
Terrence Branscombe
New Member

Re: ssh_add cannot connect to ssh_agent

Steve,

That was a damn fine guess you made at the end of your post. It would have led to the solution if I hadn't remembered my monkeying around with TCPIP COMM settings.

Much appreciated,

Terry