
SSH public key authentication on OpenVMS

Published: 05-04-2018 | Author: Remy van Elst | Text only version of this article



My OpenVMS adventure continues. After my rabbit hole of folder removal, this time I actually get public key authentication working with OpenSSH so that I don't have to type my password to log in.

There is a bit of documentation from HP to set up SSH key authentication, but it misses one important little thing. That thing took me a few days to figure out.


Client public key authentication

On the HPE website there is extensive documentation on both the SSH server setup and the client setup on OpenVMS. On the DECUServe system I'm not an administrative user, so this article only covers the client part. It assumes a set-up and working SSH server.

SSH public key authentication lets you log in to an SSH server without sending a password. It is more secure: a password can be guessed, phished or brute forced, while the private half of a 2048-bit RSA key never leaves your machine and cannot realistically be guessed. The private key can also be kept on a hardware token or HSM so that it is never exposed at all. SSH agent forwarding lets you use the key on your laptop to log in to a server and from there log on further to machines behind it, without ever copying the private key to the intermediate machine. The caveat is that anyone with root on that intermediate machine can use your forwarded agent for as long as you are connected; ProxyJump (ssh -J) or a separate key per hop avoids that.

Overall, SSH keys are considered best practice instead of passwords.

Since I access the DECUServe system via SSH with a password, I was wondering if OpenVMS would support key authentication, and according to the documentation it should be simple: place the public key and configure it to allow login.

But sadly that was not all.

Creating the files and folders.

First create an [SSH2] folder in your homedir:

 $ CREATE /DIRECTORY [.SSH2]
 $ DIR [.SSH2]
 %DIRECT-W-NOFILES, no files found

Create the configuration file in which we explicitly allow public key authentication next to password login:

 $ EVE [.SSH2]SSH2_CONFIG 

Place the following line in there:

AllowedAuthentications publickey, password

Directly underneath that the EVE editor will show this:

 [End of file]
 Buffer: SSH2_CONFIG.                                        | Write | Insert | Forward
 1 line read from file EISNER$DRA3:[DECUSERVE_USER.EXAMPLE.SSH2]SSH2_CONFIG.;2

Save the file with CTRL+Z. As you can see from the ;2 file version number, I was messing around. Did I mention how awesome it is that OpenVMS has file versioning built into the filesystem?

On Linux and other systems that use OpenSSH, you would create ~/.ssh/authorized_keys and place your key(s) in there like so:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCq1vxYvJNBZMtrufZD0ivHXrt0A+WhslMcWeQTU2du2jznw64ScrxN+EYXVGg3JKu8N/QK/0VrtsxITFthHJQP0FkC0J8GnWeT3x2y0N38P+H3B/h1rh9DBY/GTUlXY9Q0MKAOEdTjSecK11Nd5183Xcygnv5xAxLqzqmnllumAE1Wd/B0NoKrcSy51hERn0kKTR9hIw8FTOUNPAwTgsMJ+A10aJtqjlk4OrOd1KOHi1jWNTc5wcW6xgWzMksdw++fBBPcJN9Bgihxz9kSwdpkcIYlBkIZZEwZtTvNy7K2nKw94omWmdr0ZlqsNwfOihyQpo4wtusjakTmM4GA+bH3 remy@gateway

On OpenVMS you create a file named AUTHORIZATION. and in it you list the filenames of your public key files, one per line, like KEY EXAMPLE-HOSTNAME.PUB. The documentation names these files $USER-$HOST.PUB, but that is only a convention: the server opens whatever filename follows KEY.

Use EVE to create this AUTHORIZATION. file and add the filename of your public key file:

 $ EVE [.SSH2]AUTHORIZATION

My key example:

KEY REMY-GATEWAY.PUB

Note: do not paste the key itself in here like you might be used to on Linux; just make up a filename and put it on a line starting with KEY. Next, create the actual key file:

 $ EVE [.SSH2]REMY-GATEWAY.PUB

Paste your public key and save with CTRL+Z.

The documentation states that the public key file requires a specific protection. On Linux I'm used to setting permissions on the authorized_keys file and the private key material, but this will be comparable I guess. A public key is not secret, so read access for Group and World does no harm; what matters is that nobody but the owner (and SYSTEM) can write the file, otherwise another user could add a key of their own and log in as you:

SET FILE /PROTECTION=(S:WRED,O:WRED,G:RE,W:R) [.SSH2]REMY-GATEWAY.PUB

You can check the current permissions with the SHOW SECURITY command:

 $ SHOW SECURITY [.SSH2]REMY-GATEWAY.PUB
 EISNER$DRA3:[DECUSERVE_USER.EXAMPLE.SSH2]REMY-GATEWAY.PUB;2 object of class FILE
      Owner: [EXAMPLE]
      Protection: (System: RWED, Owner: RWED, Group: RE, World: R)
      Access Control List: <empty>

By default, or at least on DECUServe, my files get the following protection (Group and World listed without access letters means no access at all for them):

     Protection: (System: RWED, Owner: RWED, Group, World)

Now you should be all set. Log in using your key, explicitly disabling password authentication so that a failure shows up as an error instead of a password prompt. The HostKeyAlgorithms option is needed because this server only offers a DSA host key, which OpenSSH has refused by default since 7.0 (newer OpenSSH releases have dropped DSA support altogether, so a client built without it cannot connect to such a server at all):

$ ssh -oHostKeyAlgorithms=+ssh-dss -o "PasswordAuthentication no"  EXAMPLE@eisner.decus.org

Output:

The authenticity of host 'eisner.decus.org (104.207.199.162)' can't be established.
DSA key fingerprint is SHA256:S0vOOBec5QvjeC1aLvnSccBewSgOvsF2s97KGaY1pnE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'eisner.decus.org,104.207.199.162' (DSA) to the list of known hosts.

                                N O T I C E

This is Encompasserve.  Access is for subscribed individuals only.

 o  By logging into the system you agree to abide by the Encompasserve
    Canons of Conduct.

 o  Source code or any other information posted on this system is not
    warranted in any way.  YOU USE IT AT YOUR OWN RISK.

 o  If you submit source code to or post information on this system, you
    must allow its unrestricted use.  You must have the right to grant
    such permission.

 o  Refer to the Encompasserve Canons of Conduct, posted in the
    DECUServe_Information conference topic 4.3, for further guidance.

 o  Report problems in DECUServe_Forum.

For information about Encompasserve please login under -> Username INFORMATION
To subscribe to Encompasserve       please login under -> Username REGISTRATION
To report any form of a problem     please login under -> Username PROBLEMS
To renew an Expired account         please login under -> Username REGISTRATION

Permission denied (publickey,password).

Err, what? We followed the documentation to the letter?

Why does it not work?

This problem took me a few days to resolve. As I have no access to logging on the OpenVMS system and no knowledge of how to view said logging, I was left to trial and error.

To save you time and trouble: the key file was not in the correct format for OpenVMS. We pasted the OpenSSH key format into the key file, but there is another format. I found this on a USENET newsgroup; you know you're far in the exotic corners of the internet when you're searching comp.os.vms. But hey, it helped me solve this issue.

OpenVMS uses the IETF SECSH public key file format (RFC 4716, the format also used by SSH Communications' Tectia). The RFC describes the file format itself, and the related SSH public key subsystem document (RFC 4819) covers uploading keys to a server, if you want to know more.

The DECUServe system does not have the SSH-KEYGEN OpenVMS program installed, or at least I got an error when trying to execute it. Otherwise I would have tried to create a key there and compare the files and permissions with my own file.

OpenSSH uses, surprisingly, OpenSSH format public keys: the ones you know and probably 99% of the regular internet uses. But as always there are special snowflakes, and it seems this is one of them. Googling around also gave lots of hits for IBM and z/OS.

Using ssh-keygen (on Linux) we can convert a key to this format with the -e option. It reads either the private key or the matching .pub file, so pointing it at ~/.ssh/id_rsa.pub works just as well and never touches the private key. From the man page:

 -e    Extract/convert from OpenSSH private key file to SECSH public key format

In my case:

$ ssh-keygen -e -f ~/.ssh/id_rsa

Output:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by remy@gateway from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQCq1vxYvJNBZMtrufZD0ivHXrt0A+WhslMcWeQTU2
du2jznw64ScrxN+EYXVGg3JKu8N/QK/0VrtsxITFthHJQP0FkC0J8GnWeT3x2y0N38P+H3
B/h1rh9DBY/GTUlXY9Q0MKAOEdTjSecK11Nd5183Xcygnv5xAxLqzqmnllumAE1Wd/B0No
KrcSy51hERn0kKTR9hIw8FTOUNPAwTgsMJ+A10aJtqjlk4OrOd1KOHi1jWNTc5wcW6xgWz
Mksdw++fBBPcJN9Bgihxz9kSwdpkcIYlBkIZZEwZtTvNy7K2nKw94omWmdr0ZlqsNwfOih
yQpo4wtusjakTmM4GA+bH3
---- END SSH2 PUBLIC KEY ----
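To make the two formats concrete, here is the conversion in code. This is an added example written for this article, not code from OpenSSH, OpenVMS or the original post; it uses only the Python standard library and the function names are my own. It turns an OpenSSH public key line into an RFC 4716 file the way ssh-keygen -e does, parses such a file back (headers, backslash continuation, wrapped body, the 72-byte line limit), and tells the two formats apart, which is the check that would have caught the pasted-in-the-wrong-format key immediately. The sample input is the author's public key as printed above.

```python
"""OpenSSH public key line <-> RFC 4716 ("SSH2"/SECSH) public key file, the
format OpenVMS expects in the [.SSH2]<NAME>.PUB file listed in AUTHORIZATION.
Added example for this article (not from OpenSSH, OpenVMS or the original post).
SAMPLE_B64 is the author's key as printed in the article: 372 base64 chars."""
import base64
import struct
from typing import List, Optional, Tuple

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"
WRAP = 70      # ssh-keygen -e wraps the base64 body at 70 columns
MAX_LINE = 72  # RFC 4716 section 3.1: no line may exceed 72 bytes

SAMPLE_B64 = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQCq1vxYvJNBZMtrufZD0ivHXrt0A+WhslMcWeQTU2"
    "du2jznw64ScrxN+EYXVGg3JKu8N/QK/0VrtsxITFthHJQP0FkC0J8GnWeT3x2y0N38P+H3"
    "B/h1rh9DBY/GTUlXY9Q0MKAOEdTjSecK11Nd5183Xcygnv5xAxLqzqmnllumAE1Wd/B0No"
    "KrcSy51hERn0kKTR9hIw8FTOUNPAwTgsMJ+A10aJtqjlk4OrOd1KOHi1jWNTc5wcW6xgWz"
    "Mksdw++fBBPcJN9Bgihxz9kSwdpkcIYlBkIZZEwZtTvNy7K2nKw94omWmdr0ZlqsNwfOih"
    "yQpo4wtusjakTmM4GA+bH3"
)
SAMPLE_OPENSSH = f"ssh-rsa {SAMPLE_B64} remy@gateway"


def parse_blob(blob: bytes) -> Tuple[str, List[bytes]]:
    """Split an SSH wire-format key blob (RFC 4253 length-prefixed strings)
    into (key type, remaining fields). The blob must be consumed exactly."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[off:off + n])
        off += n
    if not fields:
        raise ValueError("empty key blob")
    return fields[0].decode("ascii"), fields[1:]


def key_info(line: str) -> Tuple[str, int]:
    """(key type, modulus bits) of an OpenSSH line; bits are 0 for non-RSA."""
    keytype, fields = parse_blob(base64.b64decode(line.split()[1], validate=True))
    # ssh-rsa fields are the mpints e and n; n carries a leading 0x00 when positive
    return keytype, int.from_bytes(fields[1], "big").bit_length() if keytype == "ssh-rsa" else 0


def detect_format(text: str) -> str:
    """Tell an OpenSSH one-liner from an RFC 4716 file. Pasting the former into
    the .PUB file is the silent 'Permission denied' described in the article."""
    s = text.strip()
    if s.startswith(BEGIN):
        return "rfc4716"
    first = s.split(None, 1)[0] if s else ""
    return "openssh" if first.startswith(("ssh-", "ecdsa-sha2-", "sk-")) else "unknown"


def openssh_to_rfc4716(line: str, comment: Optional[str] = None) -> str:
    """What `ssh-keygen -e` does for one authorized_keys-style line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)
    keytype, _ = parse_blob(blob)
    if keytype != parts[0]:
        raise ValueError(f"type {parts[0]!r} does not match blob {keytype!r}")
    if comment is None:
        comment = " ".join(parts[2:])  # trailing words of the line are the comment
    body = base64.b64encode(blob).decode("ascii")
    out = [BEGIN] + ([f'Comment: "{comment}"'] if comment else [])
    out += [body[i:i + WRAP] for i in range(0, len(body), WRAP)]
    return "\n".join(out + [END]) + "\n"


def rfc4716_to_openssh(text: str) -> str:
    """Parse an RFC 4716 file (headers with backslash continuation, wrapped
    body) back into one OpenSSH line, checking markers and line lengths."""
    lines = text.strip().splitlines()
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing BEGIN/END markers")
    headers, body, i = {}, [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if len(line.encode()) > MAX_LINE:
            raise ValueError(f"line {i + 1} exceeds {MAX_LINE} bytes")
        if not body and ":" in line:  # header line; base64 never contains ':'
            tag, _, value = line.partition(":")
            while value.endswith("\\") and i + 2 < len(lines):  # continuation
                i += 1
                value = value[:-1] + lines[i]
            headers[tag.strip().lower()] = value.strip()
        else:
            body.append(line.strip())
        i += 1
    blob = base64.b64decode("".join(body), validate=True)
    keytype, _ = parse_blob(blob)
    comment = headers.get("comment", "").strip('"')
    line = f"{keytype} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line


if __name__ == "__main__":
    converted = openssh_to_rfc4716(SAMPLE_OPENSSH)
    print(detect_format(SAMPLE_OPENSSH), "->", detect_format(converted))
    print(converted, end="")
    print("round trip ok:", rfc4716_to_openssh(converted) == SAMPLE_OPENSSH)
```

Run it as a script to see the RFC 4716 output; the body lines are the same 372 base64 characters as the OpenSSH one-liner, only wrapped and framed, which is why the two files carry identical key material yet only one of them is accepted by the OpenVMS server.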

Use the editor to replace the contents of your key file on OpenVMS with this output, in my case [.SSH2]REMY-GATEWAY.PUB. Save with CTRL+Z and retry:

$ ssh -oHostKeyAlgorithms=+ssh-dss -o "PasswordAuthentication no" -i .ssh/id_rsa EXAMPLE@eisner.decus.org

Output:

                                N O T I C E

This is Encompasserve.  Access is for subscribed individuals only.

 o  By logging into the system you agree to abide by the Encompasserve
    Canons of Conduct.

 o  Source code or any other information posted on this system is not
    warranted in any way.  YOU USE IT AT YOUR OWN RISK.

 o  If you submit source code to or post information on this system, you
    must allow its unrestricted use.  You must have the right to grant
    such permission.

 o  Refer to the Encompasserve Canons of Conduct, posted in the
    DECUServe_Information conference topic 4.3, for further guidance.

 o  Report problems in DECUServe_Forum.

For information about Encompasserve please login under -> Username INFORMATION
To subscribe to Encompasserve       please login under -> Username REGISTRATION
To report any form of a problem     please login under -> Username PROBLEMS
To renew an Expired account         please login under -> Username REGISTRATION

    Last interactive login on Thursday,  5-APR-2018 14:10:22.71
%DCL-S-SPAWNED, process EXAMPLE_62002 spawned
  User [EXAMPLE] has 132 blocks used, 9868 available,
  of 10000 authorized and permitted overdraft of 0 blocks on DISK_USER
$
Subprocess EXAMPLE_62002 has completed
$

Yay!

Conclusion

I learned a lot, again. I notice that filesystem actions like editing and permissions are a bit easier for me since I'm beginning to grasp the concepts and commands. To summarize:

- Create a [.SSH2] directory in your home directory.
- Put AllowedAuthentications publickey, password in [.SSH2]SSH2_CONFIG.
- List each public key file in [.SSH2]AUTHORIZATION. as KEY <filename>.PUB; the filename is up to you.
- Store the public key in that file in RFC 4716 (SECSH) format, as produced by ssh-keygen -e, not as an OpenSSH one-liner.
- Set the protection shown above on the key file so that only the owner (and SYSTEM) can write it.

One more thing, LOGOUT of OpenVMS

In an earlier article I wrote that I was unable to log out of OpenVMS since exit and CTRL+D did not end the SSH session. I stopped my sessions using either ~. or by closing the window.

In the same comp.os.vms newsgroup I found the LOG command. The help says:

 $ HELP LOG
 [...]
 LOGOUT

      Terminates an interactive terminal session.

      Format

        LOGOUT

So, now I can type LOG at the prompt and exit OpenVMS.

Tags: alpha, blog, dec, decus, itanium, openvms, pdp, simh, vax, vms