SSH key generation problem.

 
SOLVED
mikew_3
Advisor

I am trying to get SSH setup done on a VMS machine. I noticed that keys were not generated as part of the setup. When I try to execute ssh_keygen I get the following message:

IBAV02_MIKEW> ssh_keygen
$1$dka0:[sys0.syscommon.][sysexe]tcpip$ssh_ssh-keygen2.exe: FATAL: ssh_userfile_
open: using non-current uid but not initialized (uid=65540, path=/sys$sysdevice/
cgi/mikew/ssh2/random_seed.)
IBAV02_MIKEW>

Can someone tell me what I need to do to fix this?

Here is my version of TCPIP:

IBAV02_MIKEW> tcpip sho version

HP TCP/IP Services for OpenVMS Industry Standard 64 Version V5.5
on an HP rx2620 (1.60GHz/3.0MB) running OpenVMS V8.2-1

IBAV02_MIKEW>

Any help would be appreciated.

Thanks,
Michael White


17 REPLIES
Wim Van den Wyngaert
Honored Contributor

Re: SSH key generation problem.

Don't have that product, but could you try it after removing the ssh2 dir and creating a new one with the correct owner?

Wim
mikew_3
Advisor

Re: SSH key generation problem.

Thanks for the reply. I'm not sure what you mean by correct owner. I renamed the SSH2 directory and created a new SSH2 directory and got the same result. Owner shows up as the same. Protection on the directories is a little different. old_ssh2.dir is the old one that I renamed.

IBAV02_MIKEW> dir/fu old_ssh2.dir

Directory SYS$SYSDEVICE:[CGI.MIKEW]

OLD_SSH2.DIR;1 File ID: (25470,2,0)
Size: 1/16 Owner: [1,4]
Created: 21-AUG-2008 13:58:54.48
Revised: 9-SEP-2008 10:29:20.65 (2)
Expires:
Backup:
Effective:
Recording:
Accessed:
Attributes:
Modified:
Linkcount: 1
File organization: Sequential
Shelved state: Online
Caching attribute: Writethrough
File attributes: Allocation: 16, Extend: 0, Global buffer count: 0
Default version limit: 4, Contiguous, MoveFile disabled
Directory file
Record format: Variable length, maximum 512 bytes, longest 512 bytes
Record attributes: No carriage control, Non-spanned
RMS attributes: None
Journaling enabled: None
File protection: System:RWED, Owner:RWED, Group:, World:
Access Cntrl List: None
Client attributes: None

Total of 1 file, 1/16 blocks.
IBAV02_MIKEW>


IBAV02_MIKEW> dir/fu ssh2.dir

Directory SYS$SYSDEVICE:[CGI.MIKEW]

SSH2.DIR;1 File ID: (25493,238,0)
Size: 1/16 Owner: [1,4]
Created: 9-SEP-2008 10:29:28.28
Revised: 9-SEP-2008 10:29:28.28 (0)
Expires:
Backup:
Effective:
Recording:
Accessed:
Attributes:
Modified:
Linkcount: 1
File organization: Sequential
Shelved state: Online
Caching attribute: Writethrough
File attributes: Allocation: 16, Extend: 0, Global buffer count: 0
Default version limit: 4, Contiguous, MoveFile disabled
Directory file
Record format: Variable length, maximum 512 bytes, longest 512 bytes
Record attributes: No carriage control, Non-spanned
RMS attributes: None
Journaling enabled: None
File protection: System:RWE, Owner:RWE, Group:RE, World:E
Access Cntrl List: None
Client attributes: None

Total of 1 file, 1/16 blocks.
IBAV02_MIKEW>



Thanks in advance for any help.

mikew_3
Advisor

Re: SSH key generation problem.

Something else that I noticed. The ssh_keygen process creates the random_seed file if it doesn't exist. See below:


IBAV02_MIKEW> sd
SYS$SYSDEVICE:[CGI.MIKEW.SSH2]
IBAV02_MIKEW>
IBAV02_MIKEW> dir
%DIRECT-W-NOFILES, no files found
IBAV02_MIKEW>
IBAV02_MIKEW> sho time
9-SEP-2008 10:38:42
IBAV02_MIKEW> ssh_keygen
$1$dka0:[sys0.syscommon.][sysexe]tcpip$ssh_ssh-keygen2.exe: FATAL: ssh_userfile_
open: using non-current uid but not initialized (uid=65540, path=/sys$sysdevice/
cgi/mikew/ssh2/random_seed.)
IBAV02_MIKEW>
IBAV02_MIKEW> dir/d/siz=all

Directory SYS$SYSDEVICE:[CGI.MIKEW.SSH2]

RANDOM_SEED.;1 0/0 9-SEP-2008 10:38:53.01

Total of 1 file, 0/0 blocks.
IBAV02_MIKEW>
IBAV02_MIKEW> sho time
9-SEP-2008 10:39:01
IBAV02_MIKEW>


Steven Schweda
Honored Contributor

Re: SSH key generation problem.

I haven't seen that one.

SYS$SYSDEVICE:[cgi.mikew] is your SYS$LOGIN
(home) directory? And you have write
permission there (and in/for [.ssh2])?

Normally, a (small, non-text) random_seed
file gets created there. Who owns yours (if
you have one)?

alp $ dire /owne /secu [.ssh2]ran*

Directory ALP$DKA0:[SMS.SSH2]

RANDOM_SEED.;1 [SMS] (RWD,RWD,,)

Total of 1 file.
Steven Schweda
Honored Contributor

Re: SSH key generation problem.

> RANDOM_SEED.;1 0/0 9-SEP-2008 10:38:53.01

Small, but not _that_ small:

alp $ dire /owne /secu /size [.ssh2]ran*

Directory ALP$DKA0:[SMS.SSH2]

RANDOM_SEED.;1 1 [SMS] (RWD,RWD,,)

Total of 1 file, 1 block.
mikew_3
Advisor

Re: SSH key generation problem.

Yes, that is my login directory:

IBAV02_MIKEW> sho log sys$login
"SYS$LOGIN" = "SYS$SYSDEVICE:[CGI.MIKEW]" (LNM$JOB_87702000)
IBAV02_MIKEW>

Here is the dir listing of the random_seed file:

IBAV02_MIKEW> dir/fu RANDOM_SEED.;1

Directory SYS$SYSDEVICE:[CGI.MIKEW.SSH2]

RANDOM_SEED.;1 File ID: (25500,174,0)
Size: 0/0 Owner: [1,4]
Created: 9-SEP-2008 10:38:53.01
Revised: 9-SEP-2008 10:38:53.04 (1)
Expires:
Backup:
Effective:
Recording:
Accessed:
Attributes:
Modified:
Linkcount: 1
File organization: Sequential
Shelved state: Online
Caching attribute: Writethrough
File attributes: Allocation: 0, Extend: 0, Global buffer count: 0
Version limit: 4
Record format: Stream_LF, maximum 0 bytes, longest 32767 bytes
Record attributes: Carriage return carriage control
RMS attributes: None
Journaling enabled: None
File protection: System:RWD, Owner:RWD, Group:, World:
Access Cntrl List: None
Client attributes: None

Total of 1 file, 0/0 blocks.
IBAV02_MIKEW>

Steven Schweda
Honored Contributor

Re: SSH key generation problem.

> Size: 0/0 Owner: [1,4]

[1,4]? I own my own, as you can see.

Also:

> open: using non-current uid but not initialized (uid=65540,

Note that 65540 = 65536*1 + 4, that is,
[1,4] in UNIX-compatible C RTL crypto-speak.

I don't know how you're getting ssh2.dir
owned by SYSTEM instead of yourself. Make
one yourself, perhaps?
Steven Schweda
Honored Contributor

Re: SSH key generation problem.

> > [1,4]? I own my own, as you can see.

Well, you could see that I owned my own
random_seed, but it's true for ssh2.dir, too:

alp $ dire /owne /secu ssh2

Directory ALP$DKA0:[SMS]

SSH2.DIR;1 [SMS] (RWED,RWED,RE,E)

Total of 1 file.
mikew_3
Advisor

Re: SSH key generation problem.

I created the SSH2 dir manually and set owner as [1,4].

I looked at my user account in Authorize and this is how my UIC is listed:

UAF> sho mikew

Username: MIKEW Owner: SYSTEM MANAGER
Account: SYSTEM UIC: [3,2] ([SYSTEM])
CLI: DCL Tables: DCLTABLES
Default: SYS$SYSDEVICE:[CGI.MIKEW]
LGICMD:


If I then look at the SYSTEM account it is listed as [1,4].

Do you think the UIC on my account is the problem?

I manually did this command on the SSH2 directory.

set file/owner=[3,2] ssh2.dir

Now the directory lists the owner as system:

IBAV02_MIKEW> dir/d/siz=all/owner ssh2.dir

Directory SYS$SYSDEVICE:[CGI.MIKEW]

SSH2.DIR;1 1/16 9-SEP-2008 10:29:28.28 [SYSTEM]


Total of 1 file, 1/16 blocks.
IBAV02_MIKEW>

Do you think this is the problem? How can I correct this?

Thanks again for everyone's help.




mikew_3
Advisor

Re: SSH key generation problem.

Small correction in my previous post. When I created the SSH2.dir file manually the owner was set to [1,4] by default. I didn't specify the owner in the dir/create command.

Thanks,

Mike
Jan van den Ende
Honored Contributor

Re: SSH key generation problem.

Michael,

since you have SYSPRV (implicit, group # 2 is lower than the (default) SYSGEN param MAXSYSGROUP).
In that case, if you create a file (a directory is only a special file), then that file gets the ownership of the parent DIR, unless specified otherwise. So, I assume that the directory where your SSH2.DIR gets created is also owned by [1,4]
(-- as an aside, it is in violation of all security to have a USER ACCOUNT having SYSPRV by default...)

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
mikew_3
Advisor

Re: SSH key generation problem.

Correct, I do have SYSPRV. My account is fully privileged.

You are correct, my home directory [CGI.MIKEW] has a UIC of [1,4].

Any thoughts on what I need to do to get this working?
Steven Schweda
Honored Contributor

Re: SSH key generation problem.

> Any thoughts on what I need to do to get
> this working?

Straighten out everything?

Around here (which is more normal):

UAF> show system

Username: SYSTEM Owner: SYSTEM MANAGER
Account: SYSTEM UIC: [1,4] ([SYSTEM])


> You are correct my home directory
> [CGI.MIKEW] has a UIC of [1,4]

I'd fix that so that _you_ own your own home
directory. That alone may solve the SSH
problem.

Or cut back your privileges to see what
(else, all) you can't do in your own home
directory.
mikew_3
Advisor

Re: SSH key generation problem.

I created a temp account to test with. I gave the new account a UIC of [10,10]. I created its home directory and made it the owner. I then ran ssh_keygen under this account and it worked.

$ ssh_keygen
Generating 2048-bit dsa key pair
8 .oOo.oOo.oOO
Key generated.
2048-bit dsa, miketest@ibav02, Tue Sep 09 2008 18:40:39
Passphrase :
Again :

Key is stored with NULL passphrase.
(You can ignore the following warning if you are generating hostkeys.)
This is not recommended.
Don't do this unless you know what you're doing.
If file system protections fail (someone can access the keyfile),
or if the super-user is malicious, your key can be used without
the deciphering effort.
Private key saved to ssh2/id_dsa_2048_a
Public key saved to ssh2/id_dsa_2048_a.pub
$


I'm glad to know that this CAN work. I just need to figure out what I need to change to make it work for other accounts.

Forgive my lack of understanding on this. We have always run our user accounts as group 3. Is that part of the problem? Because I am group 3, which is less than MAXSYSGROUP in SYSGEN?

Thanks again for all of your help.


EdgarZamora_1
Respected Contributor
Solution

Re: SSH key generation problem.

> UAF> sho mikew
>
> Username: MIKEW Owner: SYSTEM MANAGER
> Account: SYSTEM UIC: [3,2] ([SYSTEM])
> CLI: DCL Tables: DCLTABLES
> Default: SYS$SYSDEVICE:[CGI.MIKEW]
> LGICMD:

You really should fix the SYSTEM identifier to be for UIC [1,4] and not for your account MIKEW. The following sequence should fix it:

UAF> remove/id system
UAF> add/id system/value=uic:[1,4]
UAF> add/id mikew/value=uic:[3,2]

Wim Van den Wyngaert
Honored Contributor

Re: SSH key generation problem.

My advice: every SSH user must have its own home directory and he must be the owner (of the root .dir file).
Then, whatever the privs, the SSH2 dir will be created correctly.

Also check the doc of what the protections must be because some SSH products require that a certain value is applied and it will NOT tell you that it needs a certain setting. It will simply give an error message that you don't understand (as the one you got).

Without Google we would be totally lost in this open software stuff.

fwiw

Wim
mikew_3
Advisor

Re: SSH key generation problem.

I fixed the identifiers for system and mikew and ssh_keygen works now.

Thanks everyone.
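
The uid arithmetic from Steven Schweda's reply (65540 = 65536*1 + 4) and the owner mismatch the thread converged on, as an added example that is not code from any poster or from TCP/IP Services: it decodes the uid in the ssh_keygen error into a UIC and compares it with the account's UIC from AUTHORIZE. The function names are hypothetical, and the `max_sys_group=8` default is an assumption to be checked against the MAXSYSGROUP value in SYSGEN on the system in question.

```python
import re

# Error text as posted in the thread; the terminal wrapped it at 80 columns.
SAMPLE = """\
$1$dka0:[sys0.syscommon.][sysexe]tcpip$ssh_ssh-keygen2.exe: FATAL: ssh_userfile_
open: using non-current uid but not initialized (uid=65540, path=/sys$sysdevice/
cgi/mikew/ssh2/random_seed.)
"""

def uid_to_uic(uid):
    """Split a C RTL uid into (group, member): uid = 65536*group + member."""
    return uid >> 16, uid & 0xFFFF

def fmt_uic(group, member):
    """Render a UIC the way DIRECTORY and AUTHORIZE show it (octal numbers)."""
    return "[%o,%o]" % (group, member)

def parse_uic(text):
    """Parse a numeric UIC such as "[3,2]" (octal) into (group, member)."""
    m = re.fullmatch(r"\[([0-7]+),([0-7]+)\]", text.strip())
    if not m:
        raise ValueError("expected a numeric UIC like [3,2]: %r" % text)
    return int(m.group(1), 8), int(m.group(2), 8)

def diagnose(error_text, account_uic, max_sys_group=8):
    """Compare the owner uid in the FATAL message with the account's UIC.

    max_sys_group is an assumed MAXSYSGROUP value; a group at or below it
    is a system group, which carries implicit SYSPRV.
    """
    joined = "".join(error_text.splitlines())  # undo the 80-column wrap
    m = re.search(r"uid=(\d+), path=([^)]+)\)", joined)
    if not m:
        raise ValueError("no uid=/path= pair found in the message")
    owner = uid_to_uic(int(m.group(1)))
    account = parse_uic(account_uic)
    return {
        "path": m.group(2),
        "file_owner": fmt_uic(*owner),
        "account": fmt_uic(*account),
        # The file belongs to someone other than the user running ssh_keygen.
        "owner_mismatch": owner != account,
        # With implicit SYSPRV, new files inherit the parent directory's owner.
        "system_group": 1 <= account[0] <= max_sys_group,
    }

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE, "[3,2]").items():
        print("%-15s %s" % (key, value))
```

With the thread's values (account UIC [3,2], files owned by [1,4]) both flags come back true, which matches the two fixes suggested above: give the user ownership of the home directory and keep ordinary accounts out of the system groups.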