10-23-2008 03:07 PM
10-23-2008 03:38 PM
Convert the keys on Solaris. Using your private key convert to a new public key. Something like
$ ssh-keygen -e -f private_key.file > vms_public.key.file
-e Extract/convert from OpenSSH private key file to SECSH public key format
On the VMS side load into the correct directory and test.
10-23-2008 03:44 PM
as to what's wrong.
> [...] copied the public key from the
> Solaris system to the VMS system [...]
With the correct format, or the format which
Solaris SSH software likes? They differ.
I made my keys on VMS (SSH2 format), and used
"ssh-keygen -X" ("-i" on newer versions) to
convert them to the OpenSSH format favored by
the Solaris software. I'm not sure if it's
as easy to go the other way using the Solaris
ssh-keygen program. Alternatively, make some
keys on the VMS system, study the format, and
convert the Solaris-friendly keys manually.
Being able to see "ssh -v [...]" output
and/or key file data (even mutilated) might
be helpful. A Forum search might also find
several past similar discussions.
10-23-2008 04:26 PM
> file and the private key on the VMS is in
> the identification file.
Too vague. On Solaris, ~/.ssh/identity (or
id_dsa, ...) and ~/.ssh/authorized_keys
contain actual key data. On VMS,
[.SSH2]AUTHORIZATION. contain keywords and
file names, and those _files_ contain the key
data. For example:
alp $ type [.SSH2]AUTHORIZATION.
alp $ type [.SSH2]IDENTIFICATION.
alp $ type [.SSH2]SMS_NPP_ID_DSA_1024_A.PUB
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "1024-bit dsa, firstname.lastname@example.org, Fri Jun 27 2003 03:57:52"
---- END SSH2 PUBLIC KEY ----
alp $ type [.SSH2]SMS_NPP_ID_DSA_1024_A.
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Comment: "1024-bit dsa, email@example.com, Thu Jul 24 2003 03:43:07"
---- END SSH2 ENCRYPTED PRIVATE KEY ----
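Added example, not part of the thread: the manual conversion mentioned above, written in Python, between the one-line OpenSSH public key format used on Solaris and the SSH2 (SECSH, RFC 4716) block format shown in the VMS listing. The function names are this example's own, and the sample key is constructed filler, not a usable key.

```python
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string, the building block of the binary key blob."""
    return struct.pack(">I", len(data)) + data

def blob_key_type(blob: bytes) -> str:
    """Algorithm name stored as the first string inside the blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def wrap_header(h: str) -> list:
    """RFC 4716 caps lines at 72 bytes; a trailing backslash continues a header."""
    parts = [h[i:i + 71] for i in range(0, len(h), 71)]
    return [p + "\\" for p in parts[:-1]] + parts[-1:]

def openssh_to_secsh(line: str) -> str:
    key_type, b64, *rest = line.split(None, 2)
    # Refuse a line whose label disagrees with the algorithm inside the blob.
    if blob_key_type(base64.b64decode(b64, validate=True)) != key_type:
        raise ValueError("key type label does not match the key blob")
    comment = wrap_header('Comment: "%s"' % rest[0].strip()) if rest else []
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([BEGIN, *comment, *body, END]) + "\n"

def secsh_to_openssh(text: str) -> str:
    lines = text.strip().splitlines()
    if len(lines) < 2 or lines[0].strip() != BEGIN or lines[-1].strip() != END:
        raise ValueError("not an SSH2 public key file")
    comment, body, it = "", [], iter(lines[1:-1])
    for l in it:
        while l.endswith("\\"):  # rejoin a continued header line
            l = l[:-1] + next(it, "")
        tag, sep, value = l.partition(":")
        if not sep:  # base64 never contains ':', so this is key data
            body.append(l.strip())
        elif tag.strip().lower() == "comment":
            comment = value.strip().strip('"')
    b64 = "".join(body)
    key_type = blob_key_type(base64.b64decode(b64, validate=True))
    return " ".join(filter(None, [key_type, b64, comment]))

# Constructed sample (not a usable key): "ssh-rsa", e = 65537, 1024-bit filler modulus.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
               + ssh_string(b"\x00" + bytes(range(128, 256))))
SAMPLE_LINE = "ssh-rsa %s user@solaris.example" % base64.b64encode(SAMPLE_BLOB).decode()
```

Only the public key is converted and copied to the server side; the private key stays on the client.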
10-23-2008 04:31 PM
10-27-2008 08:24 AM
I found editing the ssh server config file on VMS (SSHD2_CONFIG.;) and setting "VerboseMode yes" helpful in determining where the connection from UNIX is failing.
10-29-2008 06:38 AM
ssh-keygen -e -f id_rsa > EXAMPLE.PUB
cat > AUTHORIZATION << EOF
After this ssh/sftp immediately worked using publickey (was prompted for passphrase, not password).
Then I also did the following:
(passphrase, no password :)
set default [.SSH2]
set security/prot=(g,w) AUTHORIZATION.
set security/prot=(g:re,w:r) EXAMPLE.PUB
and logged out and back in.
So for Unix to VMS, the naming of the key file doesn't seem to be important - and we should use default RSA, not DSA here.
10-29-2008 09:56 AM
What I meant was just "this example uses RSA, not DSA".
I don't know the practical difference between them. Noticed that ssh_keygen on VMS uses DSA by default, while OpenSSH uses RSA by default. And I used OpenSSH. If you have any specific recommendations either way, please share.
10-29-2008 10:14 AM
There are the usual arguments around speed and security and which one is preferred by the government and such, but the distinctions (still) tend to be negligible in the current reality.
Like the recent reports of GPU-accelerated WPA PSK WiFi attacks, pick a good pass phrase and a reasonably long bit length and you should be good to go.
But best to watch for attacks, both against your servers and generic attacks against the underlying algorithms.