HPE Community
Operating System - OpenVMS
1827894 Members
1673 Online
109969 Solutions
New Discussion

Re: SSH customizing

 
Wim Van den Wyngaert
Honored Contributor

‎03-08-2006 02:43 AM

‎03-08-2006 02:43 AM

SSH customizing

Page 28 of http://h71000.www7.hp.com/openvms/products/ssh/ssh.pdf

During configuration, the SSHD2_CONFIG. file is copied to TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]. When the connection attempt is made from a remote client, the SSH server reads the file and creates the run-time version of the configuration parameters. If you want a different set of parameters, you must create your own version of the configuration file in your SSH subdirectory.

Is it true that the user can decide to have his own server config ? Also on Unix ?
Can't test it over here.

Wim
Wim
0 Kudos
Reply
18 REPLIES 18
Ian Miller.
Honored Contributor

‎03-08-2006 02:50 AM

‎03-08-2006 02:50 AM

Re: SSH customizing

SSHD2_CONFIG is the server config file.
SSH2_CONFIG is the client config file.
Users can have their own client config file.

See
http://h71000.www7.hp.com/doc/732final/aa-rvbua-te/00/00/43-con.html
____________________
Purely Personal Opinion
0 Kudos
Reply
Wim Van den Wyngaert
Honored Contributor

‎03-08-2006 02:57 AM

‎03-08-2006 02:57 AM

Re: SSH customizing

IAn,

They are talking here about the SERVER customizing. I tested it on my unborn 7.3 version without success.

Wim
Wim
0 Kudos
Reply
Steven Schweda
Honored Contributor

‎03-08-2006 03:16 AM

‎03-08-2006 03:16 AM

Re: SSH customizing

Does the user run the server? Does it make
sense to talk about a user customizing the
server?

I read the "you" and "your" in your quotation
as refering to the system manager, not to a
client/user.

But I'm always open to a good argument.

(Good writing is a rare thing. "You" is a
bit ambiguous here, I'd say.)
0 Kudos
Reply
Wim Van den Wyngaert
Honored Contributor

‎03-08-2006 03:23 AM

‎03-08-2006 03:23 AM

Re: SSH customizing

Steven,

In my opinion, the config file can be modified. You can not "create" your own version.

The user file could however be read for creating the encryption process on behalf of the user.

Any case, I did a test with set watch file and found

1) it works without a config file (simply says failed to read but continues as if everything is allowed but without saying it)

2) it isn't trying to find the config file in the user directory

Of course with the pre version.

Wim
Wim
0 Kudos
Reply
Steven Schweda
Honored Contributor

‎03-08-2006 09:10 AM

‎03-08-2006 09:10 AM

Re: SSH customizing

> In my opinion, the config file can be
> modified. You can not "create" your own
> version.

Hey. _I_ didn't write the thing. But
why can't I "create" my own config file? I
may choose to copy a lot of stuff into it
from the old one. And even if I simply edit
the old one, I'll create my own version of
it. ";2", is _my_ version. (Maybe on a
_UNIX_ system, I can't create my own version,
but this is VMS.)

> 2) it isn't trying to find the config file
> in the user directory

It isn't trying to find the _server_ config
file in the user's directory. This does not
amaze me.
0 Kudos
Reply
Arch_Muthiah
Honored Contributor

‎03-08-2006 10:58 AM

‎03-08-2006 10:58 AM

Re: SSH customizing

Wim,

If the StrictHostKeyChecking variable is set to "yes" in the system-wide ssh2_config. file, then all users will be forced to use only this system-wide ssh2_config file only. In this case any user specific config file from [username.ssh2] directory won't be read.

I did not check this, but you can check by setting this StrictHostKeyChecking variable to 'no" to make sure the user created config file is read.


Archunan
Regards
Archie
0 Kudos
Reply
Arch_Muthiah
Honored Contributor

‎03-08-2006 11:08 AM

‎03-08-2006 11:08 AM

Re: SSH customizing

Wim,

We can create our own config file from TCPIP$TEMPLATES.TLB library and can be modified as per our requirements. These are the commands...

$library/extract=ssh2_config sys$library:tcpip$templates.tlb/out=tcpip$ssh_device:[tcpip$ssh.ssh2]ssh2_config.

$library/extract=sshd2_config sys$library:tcpip$templates.tlb/out=tcpip$ssh_device:[tcpip$ssh.ssh2]sshd2_config.


Archunan
Regards
Archie
0 Kudos
Reply
Wim Van den Wyngaert
Honored Contributor

‎03-08-2006 06:01 PM

‎03-08-2006 06:01 PM

Re: SSH customizing

Archunan,

Where did you find that info ?

Normally the parameter is used for copying keys yes/no.

Wim
Wim
0 Kudos
Reply
Wim Van den Wyngaert
Honored Contributor

‎03-08-2006 11:04 PM

‎03-08-2006 11:04 PM

Re: SSH customizing

I checked a source on the internet. The SSH server opens the default server config file or one passed to it as a parameter on the command line.

This is only possible when modifying the startup script (of HP) or by defining a system logical tcpip$ssh_server_params.

Wim
Wim
0 Kudos
Reply
Arch_Muthiah
Honored Contributor

‎03-09-2006 04:07 AM

‎03-09-2006 04:07 AM

Re: SSH customizing

Wim,

Have you had a time to test by setting stricthostkeychecking to "yes" in your server ssh2_config. file.

Sysadmin can use this variable stricthostkeychecking to restrict any user from having their own ssh2_cinfig file.

This variable will be having "no" by default in HP's TCPIP, but Multinet and other's TCPIP product will have stricthostkeychecking variable set to "yes" by default.

So I would suggest you to try changing this variable to "yes", then have your own ssh2_config file in your login dir. Now definetly your own ssh2_config file will be used.

You can copy ssh2_config or you can extract it from sys$library:tcpip$templates.tlb lib.

I tested the extracted ssh2_config file and the system wide TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]ssh2_config. file contents will be exactly same.

You can try this if you have tcpip V5.4.

Archunan
Regards
Archie
0 Kudos
Reply
Arch_Muthiah
Honored Contributor

‎03-09-2006 04:24 AM

‎03-09-2006 04:24 AM

Re: SSH customizing

Wim,

On my trial configuring SSH, I just tried changing this variable StrictHostKeyChecking on my own as I saw difft value set for this variable in MULTINET version of ssh2_config file.

Just you can try this.

Archunan
Regards
Archie
0 Kudos
Reply
Arch_Muthiah
Honored Contributor

‎03-09-2006 04:32 AM

‎03-09-2006 04:32 AM

Re: SSH customizing

Wim,
I found this for you....
http://mvb.saic.com/disk$axpdocmar05/network/tcpip55/RELNOTES/tcp_rnpro_003.html

under "3.11.6 SSH Keys" section, it says.... "A system manager can tighten security by setting the StrictHostKeyChecking variable to "yes" in the systemwide SSH2_CONFIG. file, and forcing users to use only the systemwide version of the file"

Archunan
Regards
Archie
0 Kudos
Reply
Wim Van den Wyngaert
Honored Contributor

‎03-09-2006 05:15 AM

‎03-09-2006 05:15 AM

Re: SSH customizing

A.,

A D is missing in the config file name. They are talking about the client config, not the server.

Wim
Wim
0 Kudos
Reply
Arch_Muthiah
Honored Contributor

‎03-09-2006 05:55 AM

‎03-09-2006 05:55 AM

Re: SSH customizing

Wim,

I guess the doc talks about both client and sever config file....
"A system manager can tighten security by setting the StrictHostKeyChecking variable to "yes" in the systemwide SSH2_CONFIG. file, and forcing users to use only the systemwide version of the file" --- here ssh2_config file name is sever config file. Isn't it?.

Please have a trial, it should work.

Archunan
Regards
Archie
0 Kudos
Reply
Ian Miller.
Honored Contributor

‎03-09-2006 09:14 AM

‎03-09-2006 09:14 AM

Re: SSH customizing

Archunan RE "StrictHostKeyChecking Yes" - disallows users from changing the configuration of the ssh client not server.
____________________
Purely Personal Opinion
0 Kudos
Reply
Wim Van den Wyngaert
Honored Contributor

‎03-15-2006 06:10 PM

‎03-15-2006 06:10 PM

Re: SSH customizing

Archunan,

1) The user config file isn't read. Putting the value of strict... to yes will tighten it but it isn't read so tightening is not possible.
2) The strict... is a client parameter, not a server.
3) The source are not containing any code for it

Wim
Wim
0 Kudos
Reply
Wim Van den Wyngaert
Honored Contributor

‎03-15-2006 06:18 PM

‎03-15-2006 06:18 PM

Re: SSH customizing

Ian,

The stricthostkeychecking only indicates how public keys should be copied. It seems that 5.5 has special coding to use the system wide value of the parameter (not my baby on 5.3).

I think the only safe solution is to give the user his own copy of the config file and to disable modifications of it via protections. This way he can not change the values himself.

Wim
Wim
0 Kudos
Reply
Arch_Muthiah
Honored Contributor

‎03-16-2006 08:54 AM

‎03-16-2006 08:54 AM

Re: SSH customizing

Wim/Ian,

Yes I agree, SSH2 and StrictH... is a client side. I wrongly typed SSH2 is severside config file, even after Ian infomed that SSh2 is client and SSHD2 is server.

But by setting Strict...to â yesâ in ssh2_config and force the users to use only this file, the private key file: HOSTKEY
and HOSTKEY.PUB can be created.

if the SSH client and server detect systemwide configuration files from an older version of SSH, the client and server will fail to start.

Also if the SSH client detects a user-creaed config file from an older version of SSH, the client will display the warning and will allow the user to proceed.

Incase if we want to preserve SSH2 or SSHD config files changes.....

we can create our own SSH2 and SSHD config file using the template provided by the new SSH from SYS$LIBRARY:TCPIP$TEMPLATES.TLB in TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2] dire.


Archunan
Regards
Archie
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.