[Info-vax] Process SSH for OpenVMS

VAXman- at SendSpamHere.ORG VAXman- at SendSpamHere.ORG
Wed Jun 1 18:16:25 EDT 2022


In article <ac8da4cc-4ba8-4ff0-b6c4-681dbc5003e8n at googlegroups.com>, Peter Weaver <weaverconsultingservices at gmail.com> writes:
>On Tuesday, May 31, 2022 at 11:54:49 AM UTC-4, VAXman- wrote:
>> Is anybody here using Process SSH for OpenVMS?
>>
>> Trying to replace TCPIP Services ssh with Process Software's ssh so that
>> a customer can have some *modern* key exchange algorithms. Process's ssh
>> works *almost* but two issues (I'm working with Process support but maybe
>> somebody here has come across these issues) remain.
>>
>> 1. Public keys won't/don't work and
>> 2. sftp sessions timeout in about a minute of inactivity.
>>
>> --
>> VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG
>>
>> I speak to machines with the voice of humanity.
>
>I used to have 6 Alphas running TCPWare that used ssh inbound and outbound
>a lot. I'm not sure if there are any differences between Multinet's ssh and
>TCPWare, but this is what I used to do on TCPWare to enable ssh from a unix
>box;
>
>$ SET DEFAULT user's_home_dir
>$ CREATE/DIR [.SSH2]
>$ SET FILE SSH2.DIR/PROTECTION=(S:RWE,O:RWE,G:RE,W:E)
>$ SET DEFAULT [.SSH2]
>$ CONVERT SYS$INPUT mypublickey.PUB /FDL=FIX_SSH2_KEYS.FDL
>$DECK
>---- BEGIN SSH2 PUBLIC KEY ----
>.....
>---- END SSH2 PUBLIC KEY ----
>$EOD
>
>The script would then use EDT to insert the line
>KEY mypublickey.PUB
>into AUTHORIZATION.
>
>The AUTHORIZATION. file had a protection of (RWED,RWED,RWED,), IIRC if
>World has any access then the login would fail.
>The mypublickey.PUB had a protection of (RWD,RWD,,), but that wasn't
>critical, you can also get away with (RWED,RWED,RWED,). Since you mentioned
>that the SET WATCH only reports that the SSH2.DIR is being touched and
>nothing else then my guess is that the protection on SSH2.DIR is too open or
>the directory is not owned by the owner of the parent.
>
>The file FIX_SSH2_KEYS.FDL looked like this, the critical part was the
>stream_lf;
>TITLE "File for fixing SSH2 public keys"
>IDENT "OpenVMS FDL Editor"
>SYSTEM
>SOURCE "OpenVMS"
>FILE
>ALLOCATION 64
>BEST_TRY_CONTIGUOUS yes
>EXTENSION 6
>ORGANIZATION sequential
>RECORD
>BLOCK_SPAN yes
>CARRIAGE_CONTROL none
>FORMAT stream_LF
>SIZE 0
>
>For the sftp timeout, make sure you are on the latest version of the
>software. We were running an old version of TCPWare and I could not get sftp
>to work correctly until we updated one of the machines. I forget what
>version we had and what we went to.

That was not the problem.  The directory's access was fine.  The directory's
content files were fine.  All of its protections and ownership were fine too.
Here's a hint as to what I did to get it working after Process Support noted
one %XQP, ... Status: 00000910 in the vast log file I sent them.

$ SET FILE/ENTER=SYS$COMMON:[SYSMGR]SSH2.DIR SYS$SPECIFIC:[SYSMGR]SSH2.DIR

35+ years later and people still can't code to rooted logicals and clusters.

-- 
VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)ORG

I speak to machines with the voice of humanity.
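
The checks discussed in this thread, collected into one DCL procedure. This is an added example, not code from either poster or from Process Software. It assumes it is run by the account being checked, that SYS$LOGIN has the form DEV:[DIR], and that key files are named *.PUB; the procedure name is hypothetical, and the "no World access" rule is the one the quoted post recalls.

```dcl
$! CHECK_SSH2.COM (hypothetical name) -- added example, read-only checks.
$! Run as the account whose public-key login is failing.
$ home = F$TRNLNM("SYS$LOGIN")          ! e.g. DISK$USERS:[SMITH]
$ sub  = home - "]" + ".SSH2]"          ! e.g. DISK$USERS:[SMITH.SSH2]
$ dirf = home + "SSH2.DIR"
$ IF F$SEARCH(dirf) .EQS. "" THEN GOTO no_dir
$ WRITE SYS$OUTPUT "SSH2.DIR protection: ", F$FILE_ATTRIBUTES(dirf,"PRO")
$ WRITE SYS$OUTPUT "SSH2.DIR owner:      ", F$FILE_ATTRIBUTES(dirf,"UIC")
$ WRITE SYS$OUTPUT "Process UIC:         ", F$USER()
$!
$! AUTHORIZATION. should grant nothing to World (per the quoted post).
$ auth = sub + "AUTHORIZATION."
$ IF F$SEARCH(auth) .EQS. "" THEN GOTO no_auth
$ pro   = F$EDIT(F$FILE_ATTRIBUTES(auth,"PRO"),"COLLAPSE,UPCASE")
$ world = F$ELEMENT(3,",",pro)          ! SYSTEM,OWNER,GROUP,WORLD
$ IF world .NES. "WORLD=" THEN WRITE SYS$OUTPUT "WARN: ", auth, " grants ", world
$ GOTO keys
$no_auth:
$ WRITE SYS$OUTPUT "WARN: no AUTHORIZATION. file in ", sub
$!
$! Each key file should have the stream_LF record format from the FDL.
$keys:
$ key = F$SEARCH(sub + "*.PUB", 1)
$ IF key .EQS. "" THEN GOTO roots
$ rfm = F$FILE_ATTRIBUTES(key,"RFM")
$ IF rfm .NES. "STMLF" THEN WRITE SYS$OUTPUT "WARN: ", key, " is ", rfm, ", expected STMLF"
$ GOTO keys
$no_dir:
$ WRITE SYS$OUTPUT "WARN: ", dirf, " not found"
$!
$! The case from the reply: an account in [SYSMGR], where SYS$SYSROOT is a
$! search list and SSH2.DIR may be visible under only one of the two roots.
$roots:
$ spec = F$SEARCH("SYS$SPECIFIC:[SYSMGR]SSH2.DIR")
$ comm = F$SEARCH("SYS$COMMON:[SYSMGR]SSH2.DIR")
$ IF spec .EQS. "" .AND. comm .NES. "" THEN -
    WRITE SYS$OUTPUT "NOTE: SSH2.DIR exists only under SYS$COMMON:[SYSMGR]"
$ IF spec .NES. "" .AND. comm .EQS. "" THEN -
    WRITE SYS$OUTPUT "NOTE: SSH2.DIR exists only under SYS$SPECIFIC:[SYSMGR]"
$ EXIT
```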


