[Info-vax] ssh problem with Multinet 5,3/Itanium

danoreilly dano at process.com
Mon Jan 11 10:10:41 EST 2010


I'm the engineer at Process who created & supported our SSH product.
I have some responses to your original message mixed in below.

On Jan 8, 8:40 pm, Malcolm Dunnett <noth... at spammers.are.scum> wrote:
> I don't know if this is a 5.3 issue or an Itanium specific issue. I'm
> sure it's very specific to my environment though.
>
> In order to be able to use LDAP/ACME verification with Multinet I have
> written a routine that implements the keyboard-interactive protocol and
> authenticates the supplied username/password using ACME and LDAP
> (against Active Directory). To make this work with Multinet SSH I
> replace the LDAP-PLUGIN program supplied with vanilla Multinet (which is
> a placeholder routine that does nothing) with my program and modify the
> SSHD2_CONFIG. file to enable keyboard-interactive authentication.

LDAP-PLUGIN is far from a "placeholder".  When used with our VMS
Authentication Module (VAM), it enables full LDAP authentication with
any LDAP V3 server, which includes Active Directory.  It's a more
complete and flexible implementation of LDAP authentication than is
ACME LDAP, save for the ability to change passwords, which is planned
for a future version.

VAM also, by the way, provides not only LDAP authentication but also
authentication via RSA SecurID and RADIUS, and it provides it not only
for SSH but also other MultiNet components.  I'm currently working on
an ACME interface.

> This works great on Alpha with Multinet 5.2 but today I tried to
> configure it with Multinet 5.3 on an IA64 box. The authentication still
> works ok (I get an "Authentication successful." message returned from
> the IA64 box). However right after the authentication successful message
> the session disconnects. The [.SSH]SSHD.log file on the IA64 contains:
>
> SSHD 0001[3CC0043E]: FATAL:
> DISK$MULTINET_V53_A:[MULTINET_V53A.MULTINET.SSH6.LIB.SSHUTIL.SSHADT]SSHADT.C;1:672
> SshADT (function name
>   unavailable) Precondition failed: container != ((void *) 0)
>    dunnett      job terminated at  8-JAN-2010 19:22:57.74
>
> and the SSHD_MASTER.LOG file on the IA64 contains:
>
> log: (08-Jan-2010 19:22:53)  Connection accepted from 142.25.103.71 port
> 3472
> log: (08-Jan-2010 19:22:53)  Executing ssh2 daemon
> log: (08-Jan-2010 19:22:53)  Child process started, pid = 3cc0043e
> (total active = 1)
> log: (08-Jan-2010 19:22:57)  Child process: 3CC0043E terminated (0 remain)
> log: (08-Jan-2010 19:22:57)    exit status: %SYSTEM-?-ILLPAGCNT, illegal
> page count parameter

This is something I'm aware of and am looking for a solution.  It's a
very rare occurrence (only a very few customers have ever seen this).
If you can make it happen at will, it would be of great help in
researching this problem.

> I realize I'm way out on a limb with unsupported code here but I'm still
> hoping there's a simple solution. The lack of ACME support in Multinet
> SSH is a real problem because it means that every time a password is
> changed the user needs to connect via some other method (eg telnet) in
> order to synch the password before ssh can be used with the new
> password. Of course what I'd really like is for Multinet SSH to support
> ACME/LDAP - but barring that supporting the keyboard-interactive method
> would be great.

KEYBOARD-INTERACTIVE has been supported by MultiNet SSH for several
years now.

> Barring a Multinet solution, is there an implementation of SSH out there
> (open source) that works on VMS and supports keyboard-interactive?
>
> Does anyone know if the next version of TCP/IP services (in VMS 8.4)
> will support ACME/LDAP for SSH? (in which case dropping Multinet in
> favour of TCP/IP services might offer a solution)

It doesn't appear so.
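
Added example, not part of the original thread and not Process Software's code: a small parser for the SSHD_MASTER.LOG excerpt quoted above that ties each terminated child process back to its peer address and flags any exit status whose VMS severity letter is not S or I. It assumes the log always uses the line shapes seen in that excerpt; the function names are hypothetical.

```python
import re

# Excerpt quoted in the message above ('>' prefixes removed, e-mail wrapping kept).
SAMPLE_LOG = """\
log: (08-Jan-2010 19:22:53)  Connection accepted from 142.25.103.71 port
3472
log: (08-Jan-2010 19:22:53)  Executing ssh2 daemon
log: (08-Jan-2010 19:22:53)  Child process started, pid = 3cc0043e
(total active = 1)
log: (08-Jan-2010 19:22:57)  Child process: 3CC0043E terminated (0 remain)
log: (08-Jan-2010 19:22:57)    exit status: %SYSTEM-?-ILLPAGCNT, illegal
page count parameter
"""

ENTRY = re.compile(r"^log: \((?P<ts>[^)]+)\)\s+(?P<msg>.*)$")
ACCEPT = re.compile(r"Connection accepted from (?P<ip>\S+) port (?P<port>\d+)")
START = re.compile(r"Child process started, pid = (?P<pid>[0-9a-fA-F]+)")
END = re.compile(r"Child process: (?P<pid>[0-9a-fA-F]+) terminated")
STATUS = re.compile(r"exit status: (?P<status>%\S+?),\s*(?P<text>.*)")

def unwrap(text):
    """Join wrapped continuation lines (not starting with 'log:') onto their entry."""
    entries = []
    for line in text.splitlines():
        if line.startswith("log:") or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def abnormal_exits(text):
    """Return one record per child whose exit status severity is not S or I."""
    peer, sessions, last_pid, findings = None, {}, None, []
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        if a := ACCEPT.search(msg):
            peer = (a["ip"], int(a["port"]))  # peer of the next child started
        elif s := START.search(msg):
            sessions[s["pid"].upper()] = {"peer": peer, "started": ts}
        elif e := END.search(msg):
            last_pid = e["pid"].upper()  # the log prints pids in both cases
        elif (x := STATUS.search(msg)) and last_pid:
            # %FACILITY-L-IDENT: the letter L is the severity (S, I, W, E, F or ?)
            if x["status"].split("-")[1] not in ("S", "I"):
                findings.append({"pid": last_pid, "ended": ts, "status": x["status"],
                                 "text": x["text"], **sessions.get(last_pid, {})})
    return findings
```

Run over the excerpt, `abnormal_exits(SAMPLE_LOG)` yields a single record for pid 3CC0043E carrying the peer address and the ILLPAGCNT status, which is the correlation needed to spot a daemon child that dies right after authentication.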




