8. Using VAM with SSH

Introduction

VAM may be used with the SSH server offerings from Process Software, found in MultiNet, TCPware and SSH for OpenVMS.  The VAM security modules are implemented in the SSH2 server as plug-ins that use keyboard-interactive authentication, and they require a valid VAM license.  The SSH client must support keyboard-interactive authentication.

Note: This chapter assumes the user is familiar with configuring the SSH offerings from Process Software.

Configuring VAM in SSH

The following sections describe the post-installation setup required to enable the various forms of authentication.

Configuring VAM

In general, VAM is configured for SSH support through the VAM_CONFIG.DAT file.  However, due to restrictions of the SSH environment, not all VAM configuration keywords are honored by SSH.  The keywords that SSH does not honor are:

· LDAP_NO_PASSWORD_SYNC
· LGI_AUTH_METHODS
· ALLOW_DECNET_LOGIN
· ALLOW_DECTERM_LOGIN
· LDAP_COMMON_USERNAME
· SECURID_COMMON_USERNAME
· PROMPT_FOR_FT_PWD
· FALLTHROUGH_TO_VMS

Configuring SSH

The SSH2_DIR:SSHD2_CONFIG file must be modified to enable keyboard-interactive authentication and the appropriate plug-in.

The following example illustrates enabling LDAP support:

AllowedAuthentications          keyboard-interactive

AuthKbdInt.Required             plugin

AuthKbdInt.Plugin               ldapplugin
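
A configuration check for the two files described above, as an added example that is not part of the original manual or of Process Software's code. It assumes SSHD2_CONFIG holds whitespace-separated "keyword value" lines with "#" comments and comma-separated method lists, and that VAM_CONFIG.DAT lines begin with the keyword; the function names and sample inputs are constructed for illustration.

```python
import re

# Keywords the chapter lists as not honored by SSH.
IGNORED_BY_SSH = {
    "LDAP_NO_PASSWORD_SYNC", "LGI_AUTH_METHODS", "ALLOW_DECNET_LOGIN",
    "ALLOW_DECTERM_LOGIN", "LDAP_COMMON_USERNAME", "SECURID_COMMON_USERNAME",
    "PROMPT_FOR_FT_PWD", "FALLTHROUGH_TO_VMS",
}
# Constructed sample inputs; the line formats are assumptions (see lead-in).
SAMPLE_SSHD2 = "AllowedAuthentications  keyboard-interactive,password\nAuthKbdInt.Required  plugin\n"
SAMPLE_VAM = "FALLTHROUGH_TO_VMS\nPROMPT_FOR_FT_PWD\n"

def parse_sshd2_config(text):
    """Return {lowercased keyword: value} from 'keyword value' lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and padding
        if line:
            parts = line.split(None, 1)
            settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def audit_sshd2_config(text):
    """List deviations from the chapter's keyboard-interactive plug-in setup."""
    cfg = parse_sshd2_config(text)
    split = lambda key: [v.strip().lower() for v in cfg.get(key, "").split(",") if v.strip()]
    findings = []
    methods = split("allowedauthentications")
    if "keyboard-interactive" not in methods:
        findings.append("AllowedAuthentications does not include keyboard-interactive")
    extra = [m for m in methods if m != "keyboard-interactive"]
    if extra:  # the chapter's example allows keyboard-interactive only
        findings.append("AllowedAuthentications also permits: " + ", ".join(extra))
    if "plugin" not in split("authkbdint.required"):
        findings.append("AuthKbdInt.Required does not include plugin")
    if not cfg.get("authkbdint.plugin"):
        findings.append("AuthKbdInt.Plugin is not set")
    return findings

def ignored_vam_keywords(text):
    """Return, sorted, the VAM_CONFIG.DAT keywords present that SSH ignores."""
    found = set()
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_]+)", line)
        if m and m.group(1).upper() in IGNORED_BY_SSH:
            found.add(m.group(1).upper())
    return sorted(found)

if __name__ == "__main__":
    print(audit_sshd2_config(SAMPLE_SSHD2))
    print(ignored_vam_keywords(SAMPLE_VAM))
```

A keyword reported by ignored_vam_keywords has no effect on SSH logins, so any policy that depends on it needs to be enforced another way for SSH sessions.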