[Info-vax] Process SSH for OpenVMS
Peter Weaver
weaverconsultingservices at gmail.com
Wed Jun 1 16:37:41 EDT 2022
On Tuesday, May 31, 2022 at 11:54:49 AM UTC-4, VAXman- wrote:
> Is anybody here using Process SSH for OpenVMS?
>
> Trying to replace TCPIP Services ssh with Process Software's ssh so that
> a customer can have some *modern* key exchange algorithms. Process's ssh
> works *almost* but two issues (I'm working with Process support but maybe
> somebody here has come across these issues) remain.
>
> 1. Public keys won't/don't work and
> 2. sftp sessions timeout in about a minute of inactivity.
>
> --
> VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG
>
> I speak to machines with the voice of humanity.
I used to have 6 Alphas running TCPWare that used ssh inbound and outbound a lot. I'm not sure if there are any differences between Multinet's ssh and TCPWare's, but this is what I used to do on TCPWare to enable ssh from a unix box:
$ SET DEFAULT user's_home_dir
$ CREATE/DIR [.SSH2]
$ SET FILE SSH2.DIR/PROTECTION=(S:RWE,O:RWE,G:RE,W:E)
$ SET DEFAULT [.SSH2]
$ CONVERT SYS$INPUT mypublickey.PUB /FDL=FIX_SSH2_KEYS.FDL
$DECK
---- BEGIN SSH2 PUBLIC KEY ----
....
---- END SSH2 PUBLIC KEY ----
$EOD
The script would then use EDT to insert the line
KEY mypublickey.PUB
into AUTHORIZATION.
The AUTHORIZATION. file had a protection of (RWED,RWED,RWED,), IIRC if World has any access then the login would fail.
The mypublickey.PUB had a protection of (RWD,RWD,,), but that wasn't critical, you can also get away with (RWED,RWED,RWED,). Since you mentioned that the SET WATCH only reports that the SSH2.DIR is being touched and nothing else then my guess is that the protection on SSH2.DIR is too open or the directory is not owned by the owner of the parent.
The file FIX_SSH2_KEYS.FDL looked like this; the critical part was the stream_LF:

TITLE "File for fixing SSH2 public keys"
IDENT "OpenVMS FDL Editor"

SYSTEM
        SOURCE "OpenVMS"

FILE
        ALLOCATION 64
        BEST_TRY_CONTIGUOUS yes
        EXTENSION 6
        ORGANIZATION sequential

RECORD
        BLOCK_SPAN yes
        CARRIAGE_CONTROL none
        FORMAT stream_LF
        SIZE 0
For the sftp timeout, make sure you are on the latest version of the software. We were running an old version TCPWare and I could not get sftp to work correctly until we updated one of the machines. I forget what version we had and what we went to.
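As an added illustration of the protection rules in the post above (not code from the post, TCPWare or Process Software), the following Python parses DCL protection masks in both the named form "(S:RWE,O:RWE,G:RE,W:E)" and the positional form "(RWED,RWED,RWED,)" and flags the two conditions the post describes: World access on AUTHORIZATION., and an SSH2.DIR mask more open than the one the post sets. The function names and the "no more open than the post's mask" rule for the directory are my own assumptions.

```python
CATEGORIES = ("S", "O", "G", "W")       # System, Owner, Group, World
ACCESS_BITS = frozenset("RWED")         # Read, Write, Execute, Delete

# Reference mask copied from the post's SET FILE ... /PROTECTION for SSH2.DIR.
SSH2_DIR_REFERENCE = "(S:RWE,O:RWE,G:RE,W:E)"

def parse_protection(mask: str) -> dict:
    """Parse a DCL protection mask into {category: set of access letters}.
    Accepts the named form "(S:RWE,O:RWE,G:RE,W:E)" and the positional
    form "(RWED,RWED,RWED,)" (fields in S,O,G,W order, empty = no access)."""
    body = mask.strip().upper()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    fields = [f.strip() for f in body.split(",")]
    if len(fields) > 4:
        raise ValueError(f"too many fields in {mask!r}")
    result = {c: set() for c in CATEGORIES}
    for idx, field in enumerate(fields):
        if ":" in field:                     # named: SYSTEM:RWE or S:RWE
            name, _, bits = field.partition(":")
            cat = name.strip()[:1]
        else:                                # positional: S,O,G,W by index
            cat, bits = CATEGORIES[idx], field
        if cat not in CATEGORIES or not set(bits) <= ACCESS_BITS:
            raise ValueError(f"bad field {field!r} in {mask!r}")
        result[cat] = set(bits)
    return result

def no_more_open_than(mask: str, reference: str) -> bool:
    """True if every category in mask grants a subset of the reference's bits."""
    got, ref = parse_protection(mask), parse_protection(reference)
    return all(got[c] <= ref[c] for c in CATEGORIES)

def check_ssh2_setup(dir_mask: str, auth_mask: str) -> list:
    """Return findings for the two masks the post says matter (assumed rules)."""
    findings = []
    if parse_protection(auth_mask)["W"]:
        findings.append("AUTHORIZATION. grants World access; the post says "
                        "public-key login then fails")
    if not no_more_open_than(dir_mask, SSH2_DIR_REFERENCE):
        findings.append(f"SSH2.DIR is more open than {SSH2_DIR_REFERENCE}")
    return findings

if __name__ == "__main__":
    # Constructed sample: a good directory mask and a too-open AUTHORIZATION.
    for f in check_ssh2_setup("(S:RWE,O:RWE,G:RE,W:E)", "(RWED,RWED,RWED,RE)"):
        print("FINDING:", f)
```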