Operating System - OpenVMS
1827853 Members
1631 Online
109969 Solutions
New Discussion

%TCPIP-F-SSH_FATAL error from TCPIP$CONFIG.COM

 
SOLVED
Go to solution
Galen Tackett
Valued Contributor

%TCPIP-F-SSH_FATAL error from TCPIP$CONFIG.COM

Yesterday I downloaded the SSH EAK to install on a VMS V7.3-1 system with TCP/IP Services V5.3 ECO 3. (We can't readily upgrade to newer versions or ECOs due to configuration management issues.)

I was able to get SSH working on two of three similarly configured systems without much trouble. On the third, however, I get an error when I try to enable and start the SSH server using TCPIP$CONFIG.COM. When the script attempts to generate new keys by invoking SSH_KEYGEN2, it gives this error message:

%TCPIP-F-SSH_FATAL, non-specific fatal error condition

How helpful that is! There's no other text to indicate what might be going on.

Using Google I've found other references to TCPIP-F-SSH_FATAL but none that offered any insight into this problem.

Any help will be greatly appreciated.

(I already took care of the issue with /FLAG=TCPIP needing to be removed from the SET SERVICE SSH command in TCPIP$CONFIG.COM)
4 REPLIES 4
John Gillings
Honored Contributor
Solution

Re: %TCPIP-F-SSH_FATAL error from TCPIP$CONFIG.COM

Galen,

Please check that there is a valid UIC identifier that matches your username. Simplest check is SHOW PROCESS. Your "User Identifier" should look like:

User Identifier: [your-username]

or

User Identifier: [group-ident,your-username]

If the identifier shows up as a numeric UIC value, then create the correct identifier with:

$ MCR AUTHORIZE ADD/IDENT/USER=your-username

If it shows up as some other username, then you need to resolve the conflict (or just login as a privileged user with matching identifier to do your SSH install).

In general, the default expectation is username and matching UIC identifier name are the same string. However, for most purposes you do not need an identifier matching your username(*), BUT security related products tend to be picky. They also have a tendancy to obscure real error messages so as to not give away too many clues to people trying to break them.

(*)in some cases it may not be possible to have username=identifier. For example, a username can be all numeric, but an identifier name must start with an alphabetic character.
A crucible of informative mistakes
Galen Tackett
Valued Contributor

Re: %TCPIP-F-SSH_FATAL error from TCPIP$CONFIG.COM

Thanks for the tip, John. I'll e-mail the site to have someone look at the UIC identifier as you suggest.
Galen Tackett
Valued Contributor

Re: %TCPIP-F-SSH_FATAL error from TCPIP$CONFIG.COM

John,

Your tip was exactly the right thing to check. There was no UIC identifier for the account that was running TCPIP$CONFIG. Adding one fixed the problem.

Thanks,

Galen
Galen Tackett
Valued Contributor

Re: %TCPIP-F-SSH_FATAL error from TCPIP$CONFIG.COM

John Gilling provided the tip that led to this fix. The account that was running TCPIP$CONFIG did not have a UIC identifier at all. To run the SSH configuration successfully it needed to have a UIC identifier that matched the username.