MultiNet FAQ: SSH
I need to set up an SFTP2 transfer to work from a batch job. I'm not seeing an equivalent to the /PASSWORD qualifier that we were using with normal FTP - is there a recommended methodology for supplying the password in batch mode?
Password authentication cannot be used by SSH, SFTP, or SCP when in batch mode. You will have to use a non-interactive authentication method, most likely public key authentication. To set up public key authentication you will need to create a key pair:
$ multinet sshkeygen/ssh2/keys=[.ssh2]alice/nopass Generating 1024-bit dsa key pair 8 .oOo.oOo.ooO Key generated. 1024-bit dsa, alice@darth.example.com, Tue Apr 18 2016 12:48:50 Private key saved to [.SSH2]ALICE Public key saved to [.SSH2]ALICE.pub
You can create an identification. file in the [.ssh2] directory, or edit the existing one and add an idkey line to it. This instructs the client to use the key specified during authentication:
$ create [.ssh2]identification. idkey alice Ctrl+Z
Copy the public key to the server. SCP is used in the example below:
$ scp [.ssh2]alice.pub "alice@gondor.example.com::alice.pub" Keyboard-interactive: Password: alice.pub | 747B | 0.7 kB/s | TOC: 00:00:01 | 100%
You then have to configure the server to use the public key for authentication. If you are using our server you would put the .pub file in the user's [.ssh2] subdirectory and then add a key line to the [.ssh2]authorization. file like the following:
key alice.pub
If it is a Unix server and is running an OpenSSH server then the key will have to be converted. Here is an example using SSH to convert the key that was just sent over and append it to the user's authorized_keys file:
$ ssh "alice@gondor.example.com" ssh-keygen -i -f alice.pub >> .ssh/authorized_keys Keyboard-interactive: Password: Authentication successful.
The ssh-keygen command might be different depending on the version of the OpenSSH software. Check the man pages for the specific option to convert the key to the OpenSSH format. In the example above it is the -i option.
Now you can use SSH, SFTP, or SCP commands without using a password:
$ ssh "alice@gondor.example.com" date Authentication successful. Tue Apr 18 14:47:40 EDT 2006
To use SFTP in a command procedure you will probably want to use the /batchfile= qualifier and put the SFTP commands in there. For example:
$ create sftp.take get file.log rm file.log Ctrl+Z
$ sftp/batch_file=sftp.take "alice@gondor.example.com" sftp> get file.log file.log | 25B | 0.0 kB/s | TOC: 00:00:01 | 100% sftp> rm file.log sftp> exit
I have enabled SSH in my MultiNet configuration. When trying to create the host master key via the MULTINET SSH KEYGEN command, why do I receive the GETHOSTNAME: FUNCTION NOT IMPLEMENTED error message?
You must have the UCXQIO drivers loaded. To check this:
$ MU CONF NET-CONFIG>SHOW
If the drivers are loaded, you will see this line:
Load UCX $QIO driver: TRUE
If you do not see this line, then you need to load the drivers:
$ MU CONF NET-CONFIG>SET LOAD-UCX-DRIVER TRUE
Then reboot the system to make the drivers available.
What is the difference between SSH v2 and SSH v1 protocol?
SSH1 and SSH2 are different, and incompatible, protocols. While SSH v2 is generally regarded to be more secure than SSH v1, both protocols are offered by the MultiNet SSH server, and although they are incompatible, they may exist simultaneously on an SSH for OpenVMS system. The server front-end identifies what protocol a client desires to use, and will create an appropriate server for that client.
Which applications can I secure besides Telnet and the R services?
Port forwarding allows forwarding of TCP/IP connections to a remote machine over an encrypted channel. A local proxy server is created for a remote TCP/IP service. The service can be one of the Internet protocols: POP, SMTP (used by e-mail software), HTTP (used by Web browsers), TCP/IP connection to an RDBMS server, or almost any other TCP/IP based service provided the port is known via a static assignment. The local proxy server listens for a socket on the desired port, forwards the request and data over the secure channel, and instructs the SSH server to make the connection to the specified service on the remote machine. The only noticeable change is that the client software is configured to connect to the local proxy server rather that the remote server.
Which encryption ciphers are supported?
| SSH Cipers | SSHv1 | SSHv2 |
|---|---|---|
| 3DES (112 bit) | ||
| Archfour (128 bit) | ||
| BlowFish (128 bit) | ||
| DES (56 bit) | ||
| IDEA (128 bit) | ||
| TwoFish (256 bit) | ||
| AES (128, 192, 256 bit) | ||
| Cast-128 (128 bit) |
MultiNet SSH Port Forwarding
In order to use SSH so that remote VMS DECterms will display on a local VMS workstation using a MacOS X machine as the gateway between the two systems, follow these steps:
1. When configuring MultiNet on the VMS systems, apply all SSH patches and configure the SSH client and server, making sure the SSH server starts up when the system is booted. Note that SSH is not required on your local VMS workstation.
2. Start X11 on the Mac (Titan). It will bring up an xterm window on the Mac screen.
3. Before dialing up the PPP connection, establish an X11 xterm window or two on the VMS workstation display, as shown in the following example:
[Titan:~] user1% setenv DISPLAY 200.168.33.49:0.0 [Titan:~] user1% xterm & [Titan:~] user1% xterm &
The setenv DISPLAY command must specify the IP address on the LAN of the local VMS workstation ("FLASH"), because once PPP is active the Mac won't be able to do DNS lookups for local LAN addresses.
4. Establish the PPP connection.
5. In one of the xterm windows on FLASH, establish an SSH connection to the customer's VMS system:
[Titan:~] user1% ssh -X -C remote-vms-ip
where remote-vms-ip is the IP address of the machine you want to log into using the new PPP link established in Step 3.
5. Once logged into the remote machine, create a DECterm window that will display on the local VMS workstation by virtue of SSH's X11 forwarding:
CUSVMS:: show display Device: WSA4: [super] Node: hostname Transport: TCPIP Server: 10 Screen: 0 CUSVMS:: create/term/detach
7. After a few minutes (depending on line speed, etc.), you should get a DECterm window appearing on your local VMS workstation, logged into the customer's VMS system.
Note: Keystroke performance is highly dependent on the speed of the dialup connection and the customer's internal network load. Make sure you set the DECterm cursor to "non-blinking" for better performance. The one operation that does take a long time is an X11 "copy to clipboard" function (the Edit->Copy menu in a DECterm window).
You can also configure a print queue on the customer's VMS system that sends jobs to a Laserjet printer in your local office by following Steps 8-10:
8. On the customer's VMS system, configure a queue in DCPS or MultiNet which is tied to port (say) 9101 on "localhost". Anything sent to that queue on the customer's VMS system will be directed to port 9101 on that system.
9. Modify the SSH command used to connect to the customer's machine to forward the remote port to your local printer, for example:
[Titan:~] user1% ssh -X -C -R9101:200.168.33.49:9100 remote-vms-ip
(200.168.13.25 is the IP address of the local Laserjet 5M printer used in this example).
10. When logged into the customer's site, define SYS$PRINT to be the printer you set up in Step 8.
Note: If you have a remote customer that lets you come in via the Internet (e.g., SSH to their site), you can skip Steps 2 and 3 (creating an xterm windows and dialing up to establish a PPP connection), as shown in the following example:
YourVMS:: ssh/remote=(9101:200.168.13.25:9100) remote-vms-IP
When I do an ls command to some SFTP servers (on UNIX systems), the list of files is not alphabetized, but on others it is. Why?
The SFTP client lists the files in the order that it receives them from the SFTP server, and the SFTP server delivers names in the order that they are received from the operating system. If the operating system keeps the names sorted (VMS does), then the list of file names will be in alphabetical order.
Why do I have problems with version numbers (or wildcards for version numbers) when in VMS mode?
Displaying multiple versions of files is controlled by the logical MULTINET_SFTP_VMS_ALL_VERSIONS. If this logical is defined to TRUE, then all versions of files are displayed in directory commands. The default value is FALSE. Version numbers are not included with the filename if only the most recent version is being displayed.
I connected to a system running an earlier version of Process Software's SFTP server and VMS transfer mode was not automatically negotiated.
Older versions of the SFTP server do not provide the information that the SFTP2 client needs to see that VMS mode is available unless they have been set to translate by default (DEFINE MULTINET_SFTP_TRANSLATE_VMS_FILE_TYPES 7).
Why is the directory from a VMS system presented in UNIX format when VMS transfer mode is not in use?
In order to present filenames in a consistent format, they are only displayed as VMS filenames when VMS transfers are in use. When binary or ASCII transfers are in use, filenames are presented in UNIX format.
Why do the filenames on my VMS system have $ characters in them?
On ODS-2 disks the filenames are SRI encoded to preserve case and other special characters. For ODS-5, the logical MULTINET_SFTP_USE_SRI_ENCODING_ON_ODS5 controls will cause SRI encoding to be used if it is defined to be TRUE (the default value is FALSE).
Why doesn't SFTP2 have a TRANSLATE mode like SCP2 does?
The TRANSLATE_VMS qualifier was a method of providing ASCII (text) transfers when they were not available. It was felt that it was not necessary since SFTP2 has ASCII (text) transfers.
I am using WinSCP on my PC and it won't work with the VMS system. Why?
In order for WinSCP to work with the VMS system, the following UNIX commands must be placed in the path: alias, cd, chgrp, chmod, chown, echo, groups, ls, mkdir, mv, pwd, scp, rm, unalias, and unset. The user must have sufficient permissions to execute these UNIX commands. Because VMS doesn't have these commands, WinSCP will not work with the VMS SFTP server.
I've enabled the SSH server to do SSH1 but not SSH2 and my attempts to use SFTP fail. Why?
SSH2 must be enabled to use SFTP.
How do I setup host based authentication so that any user can SSH without using a password? This is system based authentication rather than user based.
You should already have host keys on your system if SSH has been started and working.
1. On the client system you should have:
"MULTINET_SSH2_HOSTKEY_DIR" = "MULTINET_SPECIFIC_ROOT:[MULTINET.SSH2.HOSTKEYS]" $ DIR MULTINET_SSH2_HOSTKEY_DIR Directory MULTINET_SPECIFIC_ROOT:[MULTINET.SSH2.HOSTKEYS] HOSTKEY.;1 HOSTKEY.PUB;1
These are your host keys.
2. Copy the public key (HOSTKEY.PUB) to the server and place it where the logical below points:
"MULTINET_SSH2_KNOWNHOSTS_DIR" = "MULTINET_SPECIFIC_ROOT:[MULTINET.SSH2.KNOWNHOSTS]" $ DIR MULTINET_SSH2_KNOWNHOSTS_DIR Directory MULTINET_SPECIFIC_ROOT:[MULTINET.SSH2.KNOWNHOSTS] HOSTKEY.PUB;1
3. Make a copy of the public key (HOSTKEY.PUB) into the format of clienthostname_domain_ssh-dss.pub. So in the case where the system name is nodename.example.com you see the result below:
$ DIR MULTINET_SSH2_KNOWNHOSTS_DIR Directory MULTINET_SPECIFIC_ROOT:[MULTINET.SSH2.KNOWNHOSTS] NODENAME_EXAMPLE_COM_SSH-DSS.PUB;1 HOSTKEY.PUB;1
4. On the server add hostbased to your authentication methods in SSH2_DIR:SSHD2_CONFIG.:
AllowedAuthentications hostbased, publickey, password
5. On the server add the DNS name of the client to MULTINET:HOSTS.EQUIV:
$ TYPE HOSTS.EQUIV client.example.com
How can I configure MultiNet's SSH server to ignore client connection requests from addresses which are not in some sort of "approved" list?
You can use packet filtering to block those. The following set of rules would only allow connections from the 10.42.95.0/24 subnet and the host 10.115.48.1:
permit tcp 10.42.95.0 255.255.255.0 0 0 eq 22 permit tcp 10.115.48.1 255.255.255.255 eq 22 drop tcp 0 0 0 0 eq 22
Is there a way to identify whether a user's current interactive session is connected via SSH1 rather than SSH2 so that a message can be displayed?
The existence of the MULTINET_SSH_PID_DEVICE logical (where PID is the PID of the process) in the LNM$SSH_LOGICALS table indicates the connection is via SSH1 rather than SSH2.
Can you change the port the SSH server listens on?
Yes, use the following sequence of commands
$ MULT CONFIG/SERVER SERVER-CONFIG> SELECT SSH SERVER-CONFIG> SET PARAM
It will now ask about deleting each parameter, just hit Enter as long as the parameter doesn't mention port. When it asks for new parameters type:
port new_port_number
then a blank line to terminate the dialog. Exit and save the configuration and then restart SSH with:
$ MU NETCONTROL SSH RESTART
If you are using SSH for OpenVMS, you can change it by executing SSH_CONFIGURE.COM again and entering the new port number when prompted.
How can I avoid the SSHD.LOG file version number reaching 32768?
When an SSH connection is formed, the SSHD Master server process creates an
SSH server process and hands off the connection. The SSH server process
creates a pseudo terminal and runs LOGINOUT.EXE on it to create a session process for carrying out the requested command or handling the interactive session. These activities are logged in an SSHD.LOG file by default,
but over time, this can create problems, as the version number eventually
increments to the maximum value of 32768.
Purging the SSHD.LOG files can be problematic, as those with active
connections will be locked and can't be deleted without closing the related
sessions. In some cases connections can stay active for days or weeks.
There is support available for changing the name of the SSHD log file by
defining a logical name to have a value that specifies the form that the log
file names should take. In MultiNet this logical is
MULTINET_SSH_LOG_FILE.
The logical is defined /SYSTEM and /EXECUTIVE. In the logical's equivalence
value, the following tokens can be used, and will be substituted with the
associated meaning at the time a log file is being created:
%D- date in yyyymmdd format%N- system SCS node name%C- an incrementing sequence number
For example:
$ DEFINE/SYSTEM/EXECUTIVE MULTINET_SSH_LOG_FILE "SSH_LOG:SSHD_%N_%D-%C.LOG"
This will result in SSHD log files with names such as SSHD_SYSA_20210901-1.LOG
You are not required to use any of the tokens in this renaming mechanism. If you do use them, you can use just those that you require.
Setting up an alternate naming pattern for the log files should remove the version number limit problem if you incorporate at least the date token. The disadvantage of naming the log files this way is that you have to manage (i.e. delete) old files so that they don't fill up the directory/disk over time. A periodic batch job that deletes logs older than some delta time in the past is one solution.
I can't use public key authorization when SYS$LOGIN: involves a search list
This issue only affects users with SYS$LOGIN: having a search list, and where one or more of the search paths is missing an SSH configuration directory.
When using public key authorization to log in with SSH, SFTP, or SCP, the server needs access to the user's SSH configuration directory (SYS$LOGIN:[.SSH] for SSH1 or SYS$LOGIN:[.SSH2] for SSH2 connections) to read the AUTHORIZATION. file and access the user's key files.
In cases where the user's SYS$LOGIN: involves a search list, such as when connecting as SYSTEM, where SYS$LOGIN translates to SYS$SYSROOT:[SYSMGR] and SYS$SYSROOT can translate into SYS$SYSROOT and SYS$COMMON, there can be problems if each of the paths does not contain an SSH configuration directory. SSH can get a "file not found" error, even though there is an SSH configuration directory in at least one of the paths. This stems from how VMS XQP works and is not directly due to SSH requirements.
Why does the SFTP client hang after issuing a DIR command to certain sites, notably VSI's vmssoftware.com?
There can be an issue with some sites that results in the SFTP client hanging when certain commands are entered, such as DIR or LS. This appears to be caused by problems parsing the Unix path specifications returned by the server. Conversion between VMS and Unix path syntax can be problematic in some cases. VSI's site is one that we've had reports of problems with, but there's a simple way to get around the issue, which is to CD to the current directory first, i.e. CD .. For example:
$ SFTP "user@vsiftp.vmssoftware.com" This is VMS Software, Inc. OpenVMS (TM) IA64 Operating System, V8.4-2L1 user@vsiftp.vmssoftware.com's password: ******** sftp> CD . /$1$dga300/000000/user sftp> DIR dr-xr-x--- 1 3136 2212 512 Oct 9 2022 ORC.DIR/ drwxr-x--- 1 541 2212 512 Oct 12 2022 I64.DIR/ -rwxr-x--- 1 DOCS 2212 76 Jan 4 2:41 SFTP-SERVER.LOG* sftp>