Previous Page TOC Index Next Page



Chapter 4

Configuring the Secure Shell (SSH) V1 Server

This chapter describes how to configure and maintain the SSH for OpenVMS SSH1 server.

This is the server side of the software that allows secure interactive connections from other computers in the manner of rlogin/rshell/telnet. The SSH server has been developed to discriminate between SSH v1 and SSH v2 protocols, so the two protocols can coexist simultaneously on the same system.

SSH1 and SSH2 Differences

SSH1 and SSH2 are different, and incompatible, protocols. The SSH1 implementation is based on the V1.5 protocol and 1.3.7 F-Secure code base, and the SSH2 implementation is based on the V2 protocol and the F-Secure 3.1.0 code base. While SSH2 is generally regarded to be more secure than SSH1, both protocols are offered by SSH for OpenVMS, and although they are incompatible, they may exist simultaneously on a system. The server front-end identifies what protocol a client desires to use, and will create an appropriate server for that client.

Restrictions:

When using SSH to connect to a VMS server, if the VMS account is set up with a secondary password, SSH does not prompt the user for the secondary password. If the VMS primary password entered is valid, the user is logged in, bypassing the secondary password.

When using SSH to execute single commands (in the same manner as RSHELL), some keystrokes like CTRL/Y are ignored. In addition, some interactive programs such as HELP may not function as expected. This is a restriction of SSH. If this behavior poses a problem, log into the remote system using SSH in interactive mode to execute the program.

Understanding the Secure Shell Server

The Secure Shell daemon (SSHD) is the daemon program for SSH that listens for connections from clients. The server program replaces rshell and telnet programs. The server/client programs provide secure encrypted communications between two untrusted hosts over an insecure network. A new daemon is created for each incoming connection. These daemons handle key exchange, encryption, authentication, command execution, and data exchange.

Servers and Clients

An SSH server is an OpenVMS system that acts as a host for executing interactive commands or for conducting an interactive session. The server software consists of two pieces of software (for future reference, "SSHD" will refer to both SSHD_MASTER and SSHD, unless otherwise specified):

SSHD_MASTER, recognizes the differences between SSH v1 and SSH v2 and starts the appropriate server. If the request is for SSH v1, then the SSH v1 server is run; if the request is for SSH v2, then the SSH v2 server is run.

SSHD, a copy of which is spawned for each connection instance. SSHD handles all the interaction with the SSH client.

A client is any system that accesses the server. A client program (SSH) is provided with SSH for OpenVMS, but any SSH client that uses SSH version 1 protocol may be used to access the server. Examples of such programs are SSH for OpenVMS, MultiNet SSH, TCPware SSH, and FISSH on OpenVMS; SecureCRT and TTSSH on Windows®-based systems; and other SSH programs on UNIX-based systems.

Security

Each host has a host-specific RSA key (normally 1024 bits) that identifies the host. Additionally, when the SSHD daemon starts, it generates a server RSA key (normally 768 bits). This key is regenerated every hour (the time may be changed in the configuration file) if it has been used, and is never stored on disk. Whenever a client connects to the SSHD daemon,

SSHD sends its host and server public keys to the client.

The client compares the host key against its own database to verify that it has not changed.

The client generates a 256 bit random number. It encrypts this random number using both the host key and the server key, and sends the encrypted number to the server.

The client and the server start to use this random number as a session key which is used to encrypt all further communications in the session.

The rest of the session is encrypted using a conventional cipher. Currently, IDEA (the default), DES, 3DES, BLOWFISH, and ARCFOUR are supported.

The client selects the encryption algorithm to use from those offered by the server.

The server and the client enter an authentication dialog.

The client tries to authenticate itself using:

– .rhosts authentication

– .rhosts authentication combined with RSA host authentication

RSA challenge-response authentication

password-based authentication

Note! Rhosts authentication is normally disabled because it is fundamentally insecure, but can be enabled in the server configuration file, if desired.

System security is not improved unless the RLOGIN and RSHELL services are disabled.

If the client authenticates itself successfully, a dialog is entered for preparing the session. At this time the client may request things like:

forwarding X11 connections

forwarding TCP/IP connections

forwarding the authentication agent connection over the secure channel

Finally, the client either requests an interactive session or execution of a command. The client and the server enter session mode. In this mode, either the client or the server may send data at any time, and such data is forwarded to/from the virtual terminal or command on the server side, and the user terminal in the client side. When the user program terminates and all forwarded X11 and other connections have been closed, the server sends command exit status to the client, and both sides exit.

Options

The SSHD Master process is configured via the CNFSSH command procedure. This procedure creates the SSH_DIR:SSH_CONFIGURE.COM file, and this is used when starting up the SSHD Master process. Once CNFSSH is used to modify the SSHD Master options, SSH should be restarted using @SYS$STARTUP:PSCSSH$STARTUP.COM.

Note! The recommended method to start the SSHD Master process is to use the @SYS$STARTUP:PSCSSH$STARTUP command. All of these options are set using @MULTINET:CNFSSH CONFIGURE

Configuration File

The individual SSHD server processes read configuration data from SSH_DIR:SSHD_CONFIG (or the file specified via the CNFSSH procedure). The file contains keyword value pairs, one per line. Lines starting with ‘#’ and empty lines are interpreted as comments. The following keywords are possible. Keywords are case insensitive.

Note! HP’s TCP/IP services do not use the traditional UNIX rhosts and hosts.equiv files; it uses a proprietary format. Therefore, any information added to HP’s files via the "ADD PROXY" command must also be manually added to the SSH_DIR:RHOSTS and SSH_DIR:HOSTS.EQUIV files in order for it to be used by SSH for OpenVMS.

Table 4-1 Configuration File Keywords [SSHD_CONFIG]

Keyword

Value

Default

Description

AllowForwardingPort

Port List


Can be followed by any number of port numbers, separated by spaces. Remote forwarding is allowed for those ports whose number matches one of the patterns.

You can use ‘*’ as a wildcard entry for all ports.

You can use these formats ‘>x’, ‘<x’, and ‘x_x’ to specify greater than, less than, or inclusive port range. By default, all port forwardings are allowed.

AllowForwardingTo

Host/port list


Can be followed by any number of hostname and port number patterns, separated by spaces. A port number pattern is separated from a hostname pattern by a colon. Forwardings from the client are allowed to those hosts and port pairs whose name and port number match one of the patterns.

You can use ‘*’ and ‘?’ as wildcards in the patterns for host names. Normal name servers are used to map the client’s host into a fully-qualified host name. If the name cannot be mapped, its IP address is used as the hostname.

You can use ‘*’ as a wildcard entry for all ports.

You can use these formats ‘>x’, ‘<x’, and ‘x_x’ to specify greater than, less than, or inclusive port range. By default, all port forwardings are allowed.

AllowGroups

List


Can be followed by any number of OpenVMS rights identifier patterns, separated by spaces. Login is allowed only if the user’s list of rights identifiers contains an identifier that matches one of the patterns.

You can use ‘*’ and ‘?’ as wildcards in the patterns. By default, logins as all users are allowed.

Note! All other login authentication steps must be completed successfully.

DenyGroups is an additional restriction.

AllowHosts

Host list


Can be followed by any number of host name patterns, separated by spaces. Login is allowed only from hosts whose name matches one of the patterns.

You can use ‘*’ and ‘?’ as wildcards in the patterns. Normal name servers are used to map the client’s host into a fully-qualified host name. If the name cannot be mapped, its IP address is used as the hostname. By default, all hosts are allowed to connect.

AllowSHosts

Host list


Can be followed by any number of host name patterns, separated by spaces. .SHOSTS (and .RHOSTS and SSH_DIR:HOSTS.EQUIV) entries are honored for hosts whose name matches one of the patterns. Servers are used to map the client’s host into a fully-qualified host name. If the name cannot be mapped, its IP address is used as the host name. By default, all hosts are allowed to connect.

AllowTcpForwarding

Y/N

Y

Specifies whether TCP forwarding is permitted.

Note! Disabling TCP forwarding does not improve security in any way, as users can always install their own forwarders.

AllowUsers

User list


Can be followed by any number of user name patterns or user@host patterns, separated by spaces. Host name may be either the DNS name or the IP address. Login is allowed only for users whose name matches one of the patterns.

You can use ‘*’ and ‘?’ as wildcards in the patterns. By default, logins as all users are allowed.

Note! All other login authentication steps must be completed successfully.

DenyUsers is an additional restriction.

DenyForwardingPort

Port list


Can be followed by any number of port numbers, separated by spaces. Remote forwardings are disallowed for those ports whose number matches one of the patterns.

You can use ‘*’ as a wildcard entry for all ports.

You can use these formats ‘>x’, ‘<x’, and ‘x_x’ to specify greater than, less than, or inclusive port range.

DenyForwardingTo

Host/port list


Can be followed by any number of hostname and port number patterns, separated by spaces. A port number pattern is separated from a hostname by a colon. Forwardings from the client are disallowed to those hosts and port pairs whose name and port number match one of the patterns.

You can use ‘*’ and ‘?’ as wildcards in the patterns for host names. Normal name servers are used to map the client’s host into a fully-qualified host name. If the name cannot be mapped, its IP address is used as a host name.

You can use ‘*’ as a wildcard entry for all ports.

You can use these formats ‘>x’, ‘<x’, and ‘x_x’ to specify greater than, less than, or inclusive port range.

DenyGroups

Rights list


Can be followed by any number of OpenVMS rights identifier patterns, separated by spaces. Login is disallowed only if the user’s list of rights identifiers contains an identifier that matches one of the patterns.

DenyHosts

Host list


Can be followed by any number of host name patterns, separated by spaces. Login is disallowed from the host whose name matches any of the patterns.

DenySHosts

Host list


Can be followed by any number of host name patterns, separated by spaces. .SHOSTS (and .RHOSTS and SSH_DIR:HOSTS.EQUIV) entries whose name matches any of the patterns are ignored.

DenyUsers

User list


Can be followed by any number of user name patterns or user@host patterns, separated by spaces. A host name may be either the DNS name or the IP address. Login is disallowed for a user whose name matches any of the patterns.

HostKey

Filename

SSH_HOST_KEY

Specifies the file containing the private key.

IdleTimeout

Time

0

Sets the idle timeout limit in:

seconds (s or nothing after the number)

minutes (m)

hours (h)

days (d)

weeks (w)

If the connection has been idle (all channels) for the time specified, the process is terminated and the connection is closed.

An idle process is one that has done no I/O to stdin or stdout in the timeout value.

The default value of 0 (zero) for IdleTimeout means no timeout.

IgnoreRhosts

Y/N

N

Specifies that the SYS$LOGIN:RHOSTS file will not be used in authentication. SSH_DIR:HOSTS.EQUIV is still used.

KeepAlive

Y/N

Y

Specifies whether the system should send keepalive messages to the other side. If sent, termination of the connection or crash of one of the machines will be noticed. This means that connections will terminate if the route is down temporarily.

If keepalives are not ended, sessions may hang indefinitely on the server, leaving "ghost" users and consuming server resources.

To disable keepalives, set the value to no in both the server and the client configuration files.

KeyRegenerationInterval

Time

3600

Specifies how long to wait before the server key is regenerated automatically. Regeneration prevents decrypting captured sessions by later breaking into the machine and stealing the keys. The key is never stored on disk. If the value is 0, the key is never regenerated.

ListenAddressee



Specifies the IP address of the interface where the SSHD server socket is BIND.

LoginGraceTime

Time

600

Specifies the time the server should disconnect if the user has not logged in successfully. If the value is 0, there is no time limit. The default is 600 seconds.

PasswordAuthentication

Y/N

Y

Specifies whether password authentication is allowed. The default is yes.

PermitEmptyPasswords

Y/N

N

Specifies whether the server allows login to accounts with empty password strings when password authentication is allowed. The default is no.

Note! Use of this keyword may contribute to your system becoming insecure. Process Software encourages you to NOT enable the use of empty passwords.

PermitRootLogin

Y/N

N

Specifies whether the user can log in as SYSTEM using SSH. This keyword may be set to:

yes allows SYSTEM logins through any of the authentication types allowed for other users.

no (default) disables SYSTEM logins through any of the authentication methods (nopwd and no are equivalent), unless you have a rhosts or SYS$DISK:[<login_dir>.SSH]AUTHORIZED_KEYS file in the SYS$MANAGER directory.

nopwd disables password-authenticated SYSTEM logins.

System login with RSA authentication when the "command" option has been specified is allowed regardless of the value of this keyword (which may be useful for taking remote backups even if SYSTEM login is not allowed).

QuietMode

Y/N

N

Specifies whether the system runs in quiet mode. In quiet mode, nothing is logged in the system log, except fatal errors.

RandomSeed

Filename

Random_seed

Specifies the SSH:DIR file containing the random seed for the server. This file is created automatically and updated regularly.

RhostsAuthentication

Y/N

N

Specifies whether authentication using SYS$LOGIN:RHOSTS or SSH_DIR:HOSTS.EQUIV files is sufficient. Normally, this method should not be permitted because it is insecure. Use RhostsRSAAuthentication because it performs RSA-based host authentication in addition to normal rhosts or SSH_DIR:HOSTS.EQUIV authentication. The default is no.

RhostsRSAAuthentication

Y/N

Y

Specifies whether SYS$LOGIN:RHOSTS or SSH_DIR:HOSTS.EQUIV authentication together with successful RSA host authentication is allowed.

RSAAuthentication

Y/N

Y

Specifies whether pure RSA authentication is allowed.

SilentDeny

Y/N

Y

Specifies whether denied (or not allowed) connections are denied silently (just close the connection, no logging, etc.) or if they are closed cleanly (send an error message and log the connection attempt). Defaults to silent mode, yes.

StrictIntrusionLogging

Y/N

Y

Log intrusion attempts for all failed authentication methods.

StrictModes

Y/N

Y

Specifies whether SSH should check file protection and ownership of the user’s home directory and rhosts files before accepting login.

SyslogFacility

Syslog level

"AUTH"

Gives the facility code that is used when logging messages from SSHD. Any valid syslog facility code may be used.

X11DisplayOffset

#offset

10

Specifies the first display number available for SSHD’s X11 forwarding. This prevents SSHD from interfering with real X11 servers.

Starting the SSH Server for the First Time

Follow these instructions to configure the SSH server. If SSH isn’t currently running, you must define the MULTINET logicals by using:

$ @SYS$STARTUP:PSCSSH$STARTUP LOGICALS

1 Use the CNFSSH utility to configure the SSH server.

Note! SSH for OpenVMS must be running before issuing the SSHKEYGEN command.

2 Use SSHKEYGEN to create the file SSH_HOST_KEY in the SSH_DIR: directory if it has not been created as a result of executing @MULTINET:CNFSSH CONFIGURE.

$ MULTINET SSHKEYGEN/SSH1/HOST
Initializing random number generator...
Generating p: ...++ (distance 64)
Generating q: .......................................++ (distance 516)
Computing the keys...
Testing the keys...
Key generation complete.
Key file will be MULTINET_ROOT:[MULTINET.PSCSSH.SSH]SSH_HOST_KEY
Your identification has been saved in MULTINET_ROOT:[MULTINET.PSCSSH.SSH]SSH_HOST_KEY
Your public key is:
1024 37
1210318365576698697865367869291969476388228444969905611864276308
9072776904462744415966821020109463617644202397294642277946718549
4404442577594868297087171013359743853182442579923801302020844011
5343754909847513973160249324735913146330232410424936751015953611
18716872491123857940537322891584850459319961275605927
SYSTEM@gg1.prr.com
Your public key has been saved in MULTINET_ROOT:[MULTINET.PSCSSH.SSH]SSH_HOST_KEY.PUB

3 Edit the default configuration file at SSH_DIR:SSHD_CONFIG (if you wish to change the default settings). This default configuration is the same as contained in the file MULTINET:SSHD_CONFIG.TEMPLATE

Note! As delivered, the template file provides a reasonably secure SSH environment. However, Process Software recommends this file be examined and modified appropriately to reflect the security requirements of your organization.

4 Restart SSH. This creates the SSH server process and defines the SSH logical names.

$ SSHCTRL RESTART
$ SHOW PROCESS "SSHD Master"

7-JUN-2002 09:03:06.42 User: SYSTEM Process ID: 00000057
Node: PANTHR Process name: "SSHD Master"

Terminal:
User Identifier: [SYSTEM]
Base priority: 4
Default file spec: Not available
Number of Kthreads: 1

Devices allocated: BG1:
BG2:

$ SHOW LOGICAL/SYSTEM SSH*

(LNM$SYSTEM_TABLE)

"SSH_DIR" = "MULTINET_SPECIFIC_ROOT:[MULTINET.PSCSSH.SSH]"
"SSH_EXE" = "MULTINET_COMMON_ROOT:[MULTINET.PSCSSH.SSH]"
"SSH_LOG" = "MULTINET_SPECIFIC_ROOT:[MULTINET.PSCSSH.LOG]"
"SSH_MAX_SESSIONS" = "100"
"SSH_TERM_MBX" = "MBA36:"

Changing SSH Configuration File After Enabling SSH

If you make a change to the SSH configuration file after you have enabled SSH, you have to restart SSH. To have the changes take effect, use the command:

$ SSHCTRL RESTART

Connection and Login Process

To create a session, SSHD does the following:

1 SSHD_MASTER sees the connection attempt. It creates an SSHD process, passing the necessary information to it, such as the server key and operating parameters.

2 SSHD performs validation for the user.

3 Assuming the login is successful, SSHD creates a pseudo terminal for the user (an _FTAnn: device). This device is owned by the user attempting to log in.

4 SSHD creates an interactive process on the pseudo terminal, using the username, priority, and privileges of the user who is attempting to log in. If a command was specified, it is executed and the session is terminated.

5 SSH generates the file SSH_LOG: SSHD.LOG for each connection to the SSH server. Many connections result in many log files. Instead of purging the files on a regular basis, use the following DCL command to limit the number of versions:

$ SET FILE /VERSION_LIMIT=x SSH_LOG:SSHD.LOG

Note! The value for /VERSION_LIMIT must not be smaller than the maximum number of simultaneous SSH sessions anticipated. If the value is smaller, SSH users may be prevented from establishing sessions with the server.

AUTHORIZED_KEYS File Format

The SYS$DISK:[<login_dir>.SSH]AUTHORIZED_KEYS file lists the RSA keys that are permitted for RSA authentication. Each line of the file contains one key (empty lines and lines starting with a ‘#’ are comments and ignored). Each line consists of the following fields, separated by spaces:

Table 4-2 RSA Keys

Key

Description

bits

Is the length of the key in bits.

comment

Not used for anything (but may be convenient for the user to identify the key).

exponent

Is a component used to identify and make up the key.

modulus

Is a component used to identify and make up the key.

options

Optional; its presence is determined by whether the line starts with a number or not (the option field never starts with a number.)

Note! Lines in this file are usually several hundred characters long (because of the size of the RSA key modulus). You do not want to type them in; instead, copy the IDENTITY.PUB file and edit it. The options (if present) consists of comma-separated option specifications. No spaces are permitted, except within double quotes. Option names are case insensitive.

The following option specifications are supported:

Table 4-3 RSA Key File [AUTHORIZED_KEYS]

Option Specification

Description

Allowforwardingport="<port list>"

Can be followed by any number of port numbers, separated by spaces. Remote forwarding is allowed for those ports whose number matches one of the patterns.

You can use ‘*’ as a wildcard entry for all ports.

You can use these formats ‘>x’, ‘<x’, and ‘x_x’ to specify greater than, less than, or inclusive port range. By default, all port forwardings are allowed.

The quotes (" ") are required. The <> show a list. Do not use the < > in the specification. For example:

allowforwardingport "2,52,2043"

Allowforwardingto="<hostname and port list>"

Can be followed by any number of hostname and port number patterns, separated by spaces. A port number pattern is separated from a hostname pattern by a colon. For example: hostname:port

Forwardings from the client are allowed to those hosts and port pairs whose name and port number match one of the patterns.

You can use ‘*’ and ‘?’ as wildcards in the patterns for host names. Normal name servers are used to map the client’s host into a fully-qualified host name. If the name cannot be mapped, its IP address is used as the hostname.

You can use ‘*’ as a wildcard entry for all ports.

You can use these formats ‘>x’, ‘<x’, and ‘x_x’ to specify greater than, less than, or inclusive port range. By default, all port forwardings are allowed.

command="command"

Specifies the command to be executed whenever this key is used for authentication. The user-supplied command (if any) is ignored. You may include a quote in the command by surrounding it with a backslash (\). Use this option to restrict certain RSA keys to perform just a specific operation. An example might be a key that permits remote backups but nothing else. Notice that the client may specify TCP/IP and/or X11 forwardings unless they are prohibited explicitly.

Denyforwardingport="<port list>"

Can be followed by any number of port numbers, separated by spaces. Remote forwardings are disallowed for those ports whose number matches one of the patterns.

You can use ‘*’ as a wildcard entry for all ports.

You can use these formats ‘>x’, ‘<x’, and ‘x_x’ to specify greater than, less than, or inclusive port range.

Denyforwardingto="<hostname port list>"

Can be followed by any number of hostname and port number patterns, separated by spaces. A port number pattern is separated from a hostname by a colon. For example: hostname:port number pattern

Forwardings from the client are disallowed to those hosts and port pairs whose name and port number match one of the patterns.

You can use ‘*’ and ‘?’ as wildcards in the patterns for host names. Normal name servers are used to map the client’s host into a fully-qualified host name. If the name cannot be mapped, its IP address is used as a host name.

You can use ‘*’ as a wildcard entry for all ports.

You can use these formats ‘>x’, ‘<x’, and ‘x_x’ to specify greater than, less than, or inclusive port range.

from="pattern-list"

In addition to RSA authentication, specifies that the fully-qualified name of the remote host must be present in the comma-separated list of patterns. You can use ‘*’ and ‘?’ as wildcards.

The list may contain patterns negated by prefixing them with ‘!’; if the fully-qualified host name matches a negated pattern, the key is not accepted.

This option increases security. RSA authentication by itself does not trust the network or name servers (but the key). However, if somebody steals the key, the key permits login from anywhere in the world. This option makes using a stolen key more difficult because the name servers and/or routers would have to be comprised in addition to just the key.

idle-timeout=time

Sets the idle timeout limit to a time in seconds (s or nothing after the number), in minutes (m), in hours (h), in days (d), or in weeks (w). If the connection has been idle (all channels) for that time, the process is terminated and the connection is closed.

no-agent-forwarding

Forbids authentication agent forwarding when used for authentication.

no-port-forwarding

Forbids TCP/IP forwarding when used for authentication. Any port forward requests by the client will return an error. For example, this might be used in connection with the command option.

no-X11-forwarding

Forbids X11 forwarding when used for authentication. Any X11 forward requests by the client will return an error.

RSA Key File Examples

1024 33 12121...312314325 ylo@foo.bar
from="*.emptybits.com,!rose.flowers.com"

1024 35 23...2334 ylo@niksula
command="dir *.txt",no-port-forwarding

1024 33 23...2323 xxxxx.tazm.com
allowforwardingport="localhost:80"

1024 35 23...2334 www@localhost

SSH_KNOWN_HOSTS File Format

The SSH_DIR:SSH_KNOWN_HOSTS and SYS$DISK:[<login_dir>.SSH]KNOWN_HOSTS files contain host public keys for all known hosts. The global file should be prepared by the administrator (optional), and the per-user file is maintained automatically; whenever the user connects to an unknown host its key is added to the per-user file. Each line in these files contains the following fields: hostnames, bits, exponent, modulus, comment. The fields are separated by spaces.

Hostnames is a comma-separated list of patterns ('*' and '?' act as wildcards). Each pattern is matched against the fully-qualified host names (when authenticating a client) or against the user-supplied name (when authenticating a server). A pattern may be preceded by '!' to indicate negation; if the hostname matches a negated pattern, it is not accepted (by that line) even if it matched another pattern on the line.

Bits, exponent, and modulus are taken directly from the host key. They can be obtained from SSH_DIR:SSH_HOST_KEY.PUB. The optional comment field continues to the end of the line, and is not used. Lines starting with '#' and empty lines are ignored as comments. When performing host authentication, authentication is accepted if any matching line has the proper key.

It is permissible (but not recommended) to have several lines or different host keys for the same names. This happens when short forms of host names from different domains are put in the file. It is possible that the files contain conflicting information. Authentication is accepted if valid information can be found from either file.

Note! The lines in these files are hundreds of characters long. Instead of typing in the host keys, generate them by a script or by copying SSH_DIR:SSH_HOST_KEY.PUB and adding the host names at the front.

Example

closenet,closenet.hut.fi,...,130.233.208.41
1024 37 159...93 closenet.hut.fi

Note! HP’s TCP/IP services do not use the traditional UNIX rhosts and hosts.equiv files; it uses a proprietary format. Therefore, any information added to HP’s files via the "ADD PROXY" command must also be manually added to the SSH_DIR:RHOSTS and SSH_DIR:HOSTS.EQUIV files in order for it to be used by SSH for OpenVMS.

FILES

Table 4-4 SSH Files

File Name

Description

SSH_DIR:HOSTS.EQUIV

Contains host names, one per line. This file is used during .rhosts authentication. Users on those hosts are permitted to log in without a password, provided they have the same username on both machines. The hostname may also be followed by a username. Such users are permitted to log in as any user on the remote machine (except SYSTEM). Additionally, the syntax +@group can be used to specify netgroups. Negated entries start with '-'. If the client host/user is matched in this file, login is permitted provided the client and server usernames are the same. Successful RSA host authentication is required. This file should be world-readable but writable only by SYSTEM.

It is never a good idea to use usernames in hosts.equiv. It means the named user(s) can log in as anybody, which includes accounts that own critical programs and directories. Using a username grants the user SYSTEM access. The only valid use for usernames is in negative entries.

Note! This warning also applies to rshell/rlogin.

SSH_DIR:SHOSTS.EQUIV

Processed as SSH_DIR:HOSTS.EQUIV. May be useful in environments that want to run both rshell/rlogin and ssh.

SSH_DIR:SSH_HOST_KEY

Contains the private part of the host key. This file does not exist when SSH for OpenVMS is installed. The SSH server starts only with this file. This file must be created manually using the command: $ MULTINET SSHKEYGEN/SSH1/HOST. This file should be owned by SYSTEM, readable only by SYSTEM, and not accessible to others.

To create a host key with a name that is different than what SSHKEYGEN creates, do one of the following:

Generate with MULTINET SSHKEYGEN/SSH1/HOST and simply rename the file(s).

Generate without the /HOST switch and then name the file(s) whatever you want.

By default, the logical name SSH_DIR points to the directory where common SSH files are kept, such as the SSH executables.

SSH_DIR:SSH_HOST_KEY.PUB

Contains the public part of the host key. This file should be world-readable but writable only by SYSTEM. Its contents should match the private part. This file is not used for anything; it is only provided for the convenience of the user so its contents can be copied to known hosts files.

SSH_DIR:SSH_KNOWN_HOSTSSYS$DISK:[<login_dir>.SSH]KNOWN_HOSTS

Checks the public key of the host. These files are consulted when using rhosts with RSA host authentication. The key must be listed in one of these files to be accepted. (The client uses the same files to verify that the remote host is the one you intended to connect.) These files should be writable only by SYSTEM (the owner). SSH_DIR:SSH_KNOWN_HOSTS should be world-readable, and [.SSH]KNOWN_HOSTS can, but need not be, world-readable.

SSH_DIR:SSH_RANDOM_SEED

Contains a seed for the random number generator. This file should only be accessible by system. The file SSH_RANDOM_SEED. has the potential for increasing its number of versions. SSH_RANDOM_SEED. is created in the SSH_DIR: directory as well as in individual user accounts in the SYS$LOGIN:[.SSH] directory.

This DCL command limits the number of versions of this file in the SSH_DIR directory:

$SET FILE VERSION_LIMIT=x SSH_DIR:SSH_RANDOM_SEED.

This DCL command limits the number of versions of this file in the user's SYS$LOGIN:[.SSH]directory.

$SET FILE /VERSION_LIMIT=x - SYS$LOGIN:[.SSH]SSH_RANDOM_SEED.

or

$CREATE /DIRECTORY /VERSION_LIMIT=x - SYS$LOGIN:[.SSH]SSH_RANDOM_SEED.

SSH_DIR:SSHD_CONFIG

Contains configuration data for SSHD. This file should be writable by system only, but it is recommended (though not necessary) that it be world-readable.

SYS$DISK:[<login_dir>.SSH]AUTHORIZED_KEYS

Lists the RSA keys that can be used to log into the user's account. This file must be readable by system (which may on some machines imply it being world-readable). It is recommended that it not be accessible by others. The format of this file is described above.

SYS$DISK:[<login_dir>.SSH]SHOSTS

Permits access using SSH only. For SSH, this file is the same as for .rhosts. However, this file is not used by rlogin and rshell daemon.

SYS$LOGIN:RHOSTS

This file contains host-username pairs, separated by a space, one per line. The given user on the corresponding host is permitted to log in without a password. The same file is used by rlogin and rshell. SSH differs from rlogin and rshell in that it requires RSA host authentication in addition to validating the hostname retrieved from domain name servers. The file must be writable only by the user. It is recommended that it not be accessible by others. It is possible to use netgroups in the file. Either host or username may be of the form +@groupname to specify all hosts or all users in the group.

SSH Logicals

These logicals are used with the SSH server in the system logical name table.

Table 4-5 SSH Logicals

Logical

Description

SSH_DIR

Points to the directory where system-specific configuration information is kept, including the host key files and the system-specific server configuration file.

SSH_EXE

Points to the directory where common SSH files are kept, such as the SSH executables.

SSH_LOG

Points to the directory where the log files are kept. Normally, this is MULTINET_SPECIFIC_ROOT:[MULTINET.PSCSSH.LOG]

SSH_MAX_SESSIONS

Set this to the maximum number of concurrent SSH sessions you want to allow on the server system. If SSH_MAX_SESSIONS is not defined, the default is 9999. Setting SSH_MAX_SESSIONS to zero (0) will cause an error. The value must be between 1 and 9999. It is defined through the configuration procedure.

SSH_TERM_MBX

Mailbox used by SSHD_MASTER to receive termination messages from SSHD daemon processes. Do not change this logical name. This is created by the SSHD_MASTER process.

MULTINET_SSH_ALLOW_EXPIRED_PW

Allows logging in to an account when the account's password has expired due to pwdlifetime elapsing. This applies to all users and circumvents normal VMS expired-password checking, and therefore should be used with caution. An entry is made into the SSH_LOG:SSHD.LOG file when access is allowed using this logical name.

MULTINET_SSH_ALLOW_PREEXPIRED_PW

Allows logging in to an account when the password has been pre-expired. This applies to all users and circumvents normal VMS expired-password checking, and therefore should be used with caution. An entry is made into the SSH_LOG:SSHD.LOG file when access is allowed using this logical name.

MULTINET_SSH_KEYGEN_MIN_PW_LEN

Defines the minimum passphrase length when one is to be set in SSHKEYGEN. If not defined, defaults to zero.

MULTINET_SSH_PARAMETERS_n

These parameters are used to start SSHD_MASTER. They are parameters set by @MULTINET:CNFSSH CONFIGURE.

MULTINET_SSH_USE_SYSGEN_LGI

If defined, causes SSHD to use the VMS SYSGEN value of LGI_PWD_TMO to set the login grace time, overriding anything specified in the command line or the configuration file.

SSH daemon Files

These files are used by or created by SSH when you log into a daemon. These files are not to be altered in any way.

Table 4-6 SSH daemon Files

File Name

Description

SSHD_MASTER.LOG

This log file is created by SSHD_MASTER.

SSHD.LOG

This log file is created by each SSHD daemon.

Previous Page TOC Index Next Page