Re: ssh from unix to vms without passwords (722 Views)
Occasional Contributor
Nancy J. Wick
Posts: 6
Registered: ‎04-20-2005
Message 1 of 10 (722 Views)

ssh from unix to vms without passwords

Trying to figure out how to correctly configure the ssh keys to allow ssh from a unix system (specifically Solaris 10) to VMS. We've figured out and have working correctly ssh, sftp, scp from the VMS system to the Solaris box. Can't seem to get all of the nuances to allow the ssh, sftp, scp from the Solaris box to the VMS box. We're running TCP/IP Services 5.4 ECO 5 on the OpenVMS system. I've set up the AUTHORIZATION file and the IDENTIFICATION file and copied the public key from the Solaris system to the VMS system (per the TCP/IP Services guide for OpenVMS). I set the protection and file attribute per the documentation. The public key is set up in the authorization file and the private key on the VMS is in the identification file. I know I'm missing something but we haven't been able to determine what's not correct.
Respected Contributor
Thomas Ritter
Posts: 414
Registered: ‎03-30-2005
Message 2 of 10 (722 Views)

Re: ssh from unix to vms without passwords

Nancy, VMS uses IETF SECSH (Tectia) format keys and the others use OpenSSH format. On Solaris they can be converted using ssh-keygen.

Convert the keys on Solaris. Using your private key, convert to a new public key. Something like

$ ssh-keygen -e -f private_key_file > vms_public_key_file

where

-e Extract/convert from OpenSSH private key file to SECSH public key format

On the VMS side load into the correct directory and test.

Honored Contributor
Steven Schweda
Posts: 9,096
Registered: ‎02-23-2005
Message 3 of 10 (722 Views)

Re: ssh from unix to vms without passwords

"ssh -v [...]" will often provide some hints
as to what's wrong.

> [...] copied the public key from the
> Solaris system to the VMS system [...]

With the correct format, or the format which
Solaris SSH software likes? They differ.

I made my keys on VMS (SSH2 format), and used
"ssh-keygen -X" ("-i" on newer versions) to
convert them to the OpenSSH format favored by
the Solaris software. I'm not sure if it's
as easy to go the other way using the Solaris
ssh-keygen program. Alternatively, make some
keys on the VMS system, study the format, and
convert the Solaris-friendly keys manually.

Being able to see "ssh -v [...]" output
and/or key file data (even mutilated) might
be helpful. A Forum search might also find
several past similar discussions.
Honored Contributor
Steven Schweda
Posts: 9,096
Registered: ‎02-23-2005
Message 4 of 10 (722 Views)

Re: ssh from unix to vms without passwords

> The public key is set up in the authorization
> file and the private key on the VMS is in
> the identification file.

Too vague. On Solaris, ~/.ssh/identity (or
id_dsa, ...) and ~/.ssh/authorized_keys
contain actual key data. On VMS,
[.SSH2]IDENTIFICATION. and
[.SSH2]AUTHORIZATION. contain keywords and
file names, and those _files_ contain the key
data. For example:

alp $ type [.SSH2]AUTHORIZATION.
KEY SMS_ID_DSA_1024_A.PUB
KEY SMS_NPP_ID_DSA_1024_A.PUB

alp $ type [.SSH2]IDENTIFICATION.
IdKey SMS_NPP_ID_DSA_1024_A


alp $ type [.SSH2]SMS_NPP_ID_DSA_1024_A.PUB
---- BEGIN SSH2 PUBLIC KEY ----
Subject: sms
Comment: "1024-bit dsa, sms@alp.antinode.org, Fri Jun 27 2003 03:57:52"
AAA[...]
[...]
[...]8WQ=
---- END SSH2 PUBLIC KEY ----


alp $ type [.SSH2]SMS_NPP_ID_DSA_1024_A.
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Subject: sms
Comment: "1024-bit dsa, sms@alp.antinode.org, Thu Jul 24 2003 03:43:07"
P2/[...]
[...]
[...]dOw==
---- END SSH2 ENCRYPTED PRIVATE KEY ----
Respected Contributor
Thomas Ritter
Posts: 414
Registered: ‎03-30-2005
Message 5 of 10 (722 Views)

Re: ssh from unix to vms without passwords

On our systems running Multinet's SSH, the authorize account needs to have the "/remote" and "/network" attributes enabled to function correctly. Finding this out the hard way can take some time.

Frequent Advisor
Kevin Carter_3
Posts: 55
Registered: ‎05-20-2004
Message 6 of 10 (722 Views)

Re: ssh from unix to vms without passwords

Nancy,

I found editing the ssh server config file on VMS (SSHD2_CONFIG.;) and setting "VerboseMode yes" helpful in determining where the connection from UNIX is failing.

KC
Occasional Visitor
Terje Bjerkseth
Posts: 2
Registered: ‎10-29-2008
Message 7 of 10 (722 Views)

Re: ssh from unix to vms without passwords

I've just setup publickey access from Mac OS X 10.5.5 to OpenVMS I64 8.3-1H1. Note that I had both publickey and password authentication enabled on VMS, so that I could transfer the keys using SSH and password auth.

On Mac:
cd
ssh-keygen
cd .ssh
ssh-keygen -e -f id_rsa > EXAMPLE.PUB
cat > AUTHORIZATION << EOF
KEY EXAMPLE.PUB
EOF
sftp user@vms
mkdir SSH2
cd SSH2
put AUTHORIZATION
put EXAMPLE.PUB

After this ssh/sftp immediately worked using publickey (was prompted for passphrase, not password).

Then I also did the following:
ssh user@vms
(passphrase, no password :)
set default [.SSH2]
set security/prot=(g,w) AUTHORIZATION.
set security/prot=(g:re,w:r) EXAMPLE.PUB
and logged out and back in.

So for Unix to VMS, the naming of the key file doesn't seem to be important - and we should use default RSA, not DSA here.
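
The key-format conversion that the posts above lean on (`ssh-keygen -e` producing a SECSH/RFC 4716 block for the VMS `[.SSH2]` directory, with `AUTHORIZATION.` naming the `.PUB` file rather than holding key data, as in message 4) can be reproduced and checked in a few lines of Python. This is an added example, not code from the thread or from HP TCP/IP Services; the RSA exponent/modulus used for the sample key are constructed values, not a real key, and the helper names are my own.

```python
import base64
import struct

def _string(b: bytes) -> bytes:          # SSH wire 'string': 4-byte big-endian length + data
    return struct.pack(">I", len(b)) + b
def _mpint(n: int) -> bytes:             # SSH 'mpint': leading 0x00 byte if the top bit is set
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))
def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n
def openssh_rsa_line(e: int, n: int, comment: str) -> str:
    # Builds an 'ssh-rsa AAAA... comment' line; used here only to construct sample input
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"
def rsa_modulus_bits(blob: bytes) -> int:
    # Walks the wire-format blob (type, e, n) and returns the modulus size in bits
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError(f"not an RSA key: {ktype!r}")
    _, off = _read_string(blob, off)     # public exponent e
    n, _ = _read_string(blob, off)       # modulus n
    return int.from_bytes(n, "big").bit_length()
def openssh_to_ssh2(line: str) -> str:
    # Rewrites one OpenSSH public key line as an RFC 4716 (SECSH) block, like `ssh-keygen -e`
    parts = line.split(None, 2)
    ktype, blob = parts[0], base64.b64decode(parts[1])
    if _read_string(blob, 0)[0].decode() != ktype:
        raise ValueError("key type on the line disagrees with the blob")
    comment = parts[2].strip() if len(parts) > 2 else "converted from OpenSSH"
    comment = f"{rsa_modulus_bits(blob)}-bit rsa, {comment}" if ktype == "ssh-rsa" else comment
    body = base64.b64encode(blob).decode()
    out = ["---- BEGIN SSH2 PUBLIC KEY ----", f'Comment: "{comment}"']
    out += [body[i:i + 70] for i in range(0, len(body), 70)]   # RFC 4716: lines <= 72 chars
    out.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(out) + "\n"
def parse_ssh2_public(text: str) -> dict:
    # Parses an RFC 4716 block back into headers, base64 blob and (for RSA) the key size;
    # header continuation lines (backslash) are not handled, which ssh-keygen output never needs
    lines = text.strip().splitlines()
    if lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----" or lines[-1] != "---- END SSH2 PUBLIC KEY ----":
        raise ValueError("missing SSH2 PUBLIC KEY markers")
    inner = lines[1:-1]                  # base64 never contains ':', so ': ' marks a header
    headers = {k: v.strip('"') for k, v in (ln.split(": ", 1) for ln in inner if ": " in ln)}
    blob_b64 = "".join(ln.strip() for ln in inner if ": " not in ln)
    blob = base64.b64decode(blob_b64)
    ktype, _ = _read_string(blob, 0)
    bits = rsa_modulus_bits(blob) if ktype == b"ssh-rsa" else None
    return {"headers": headers, "blob_b64": blob_b64, "bits": bits}
def authorization_file(*pub_names: str) -> str:
    # Content of [.SSH2]AUTHORIZATION.: one 'KEY <file>.PUB' line per accepted public key file
    return "".join(f"KEY {name}\n" for name in pub_names)
```

Running `parse_ssh2_public` over a `.PUB` file you copied to VMS is a quick way to confirm the markers survived the transfer and that the key length matches what you generated, before chasing protection or config problems.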

Honored Contributor
Steven Schweda
Posts: 9,096
Registered: ‎02-23-2005
Message 8 of 10 (722 Views)

Re: ssh from unix to vms without passwords

> and we should use default RSA, not DSA here.

Why?
Occasional Visitor
Terje Bjerkseth
Posts: 2
Registered: ‎10-29-2008
Message 9 of 10 (722 Views)

Re: ssh from unix to vms without passwords

>> and we should use default RSA, not DSA here.
> Why?

What I meant was just "this example uses RSA, not DSA".

I don't know the practical difference between them. Noticed that ssh_keygen on VMS uses DSA by default, while OpenSSH uses RSA by default. And I used OpenSSH. If you have any specific recommendations either way, please share.
Honored Contributor
Hoff
Posts: 4,962
Registered: ‎01-29-2006
Message 10 of 10 (722 Views)

Re: ssh from unix to vms without passwords

AFAIK, there are no specific reasons to choose either RSA or DSA, outside of cases where a particular implementation requires one or the other.

There are the usual arguments around speed and security and which one is preferred by the government and such, but the distinctions (still) tend to be negligible in the current reality.

Like the recent reports of GPU-accelerated WPA PSK WiFi attacks, pick a good pass phrase and a reasonably long bit length and you should be good to go.

But best to watch for attacks, both against your servers and generic attacks against the underlying algorithms.