Modes
SFTP is based upon SSH so you had better get SSH (or SSH2) working properly before you attempt your first SFTP transfer.
If you have ever attempted to use SFTP to do an automated data transfer via a application program or shell script, then you already know that there is no way to provide a password. You might think this is a bug, but it is really a security feature. The creators of SFTP wanted to stop people from placing hard-coded passwords in scripts. So you must use a public-private key.
DCL Command | Notes |
---|---|
$sshkeygen /help | this does not work |
$sshkeygen /ssh1 /help | this does work |
$sshkeygen /ssh2 /help | this does work |
This is how everything will look when we are done +---------------------------------------------------+---------------------------------------------------+ | User: BOB | User: ALICE | | Node: KAWC09 | Node: KAWC15 | | OS : OpenVMS | OS : OpenVMS | | File: [.ssh2]BOB_ON_KAWC09 (private half) | File: | | [.ssh2]BOB_ON_KAWC09.pub (public half) | [.ssh2]BOB_ON_KAWC09.pub (public half) | | [.ssh2]identification. (src control file) | [.ssh2]authorization. (dst control file) |
| # title: identification. | # title: authorization. |
| # notes: file of private keys | # notes: file of public keys |
| idkey BOB_ON_KAWC09 | key BOB_ON_KAWC09.pub | | idkey private-key-file-2 | key public-key-file-2 | | idkey private-key-file-3 | key public-key-file-3 | | # idkey NEXT PRIVATE KEY GOES HERE | # key NEXT PUBLIC KEY GOES HERE | +---------------------------------------------------+---------------------------------------------------+ Notes: 1) Only one key-pair is required to encrypt the connection in both directions (assuming we are not referring to "digital signing" which involves two key-pairs) 2) When BOB connects to Alice, BOB only uses private keys and Alice only uses public keys 3) Therefore, the public key file on BOB's side is not used by BOB. But it needs to be copied to Alice. (do not delete it; you may need to resend it, or you may wish to reuse it elsewhere)
$SET PROC/CASE=SENS/PARSE=EXTENDED ! switch to dangerous mode ...do some case-sensitive work. Like: 1) generating lowercase keys... 2) renaming files from uppercase to lowercase
$SET PROC/CASE=BLIND/PARSE=TRADITION ! switch back to default OpenVMS mode
legend: <ur> = user response <sr> = system response ================================================================================ Step-01 Interactively log into the local system as BOB then create a new key-pair ================================================================================ <sr> -i-in script: CSMIS$USER3:[ADMCSM.BOB]LOGIN.COM;15 ! from login script -i-on node : KAWC09 ! from login script -i-exiting : login.com ! from login script KAWC09::BOB> ! user's DCL prompt <ur> sshkeygen /ssh2/keys=[.ssh2]BOB_ON_KAWC09/nopass/keytype=dsa ! type this command <sr> Generating 1024-bit dsa key pair 1 oOo.oOo.oOo Key generated. 1024-bit dsa, [email protected], Tue Aug 19 2008 10:37:30 Private key saved to [.SSH2]BOB_ON_KAWC09 ! private key stays here Public key saved to [.SSH2]BOB_ON_KAWC09.pub ! public key to distribute KAWC09::BOB> ! user's DCL prompt ------------------------------------------------------------------------ <ur> set file/prot=[S:rwd,O:rwd,G,W] [.SSH2]*.* ! restrict permissions <sr> KAWC09::BOB> ! DO THIS EVERY STEP <ur> set file/prot=[S:rwed,O:rwed,G,W] SSH2.dir ! <sr> KAWC09::BOB> ! ================================================================================ Step-02 Create file "[.ssh2]identification." (tells the client which keys are available) Notes: 1. only use $CREATE if the file doesn't yet exist (otherwise use $EDIT) 2. otherwise, add the line desired line to the existing file 3. only add entries for private keys located in this directory (some of these public keys may have been copied here from other systems) ================================================================================ <sr> KAWC09::BOB> <ur> cre [.ssh2]identification. ! notice "no file extension" idkey BOB_ON_KAWC09 ! entry for a private key file idkey second-entry-goes-here ! optional <ctrl-z> ! hit the ctrl-z key <sr> KAWC09::BOB> ! user's DCL prompt ================================================================================ Step-03 Copy desired public key(s) to the destination account on remote system Notes: 1. use $scp (secure copy) or $sftp (secure FTP) 2. you will need a password for the remote account 3. if you don't have access to it, then mail this key-file to someone at the remote system who can install it for you 4. if you've read any books on spying or cryptography, this is the step where the ambassador delivers the code keys in a diplomatic pouch. ================================================================================ <sr> KAWC09::BOB> <ur> scp [.ssh2]BOB_ON_KAWC09.pub -
"[email protected]::[.ssh2]BOB_ON_KAWC09.PUB" <sr> Host key not found from database. Key fingerprint: xuhec-habos-durif-tohev-fuzer-cyhip-kydiv-labih-ribyg-posuz-koxyx You can get a public key's fingerprint by running (OpenVMS) $ sshkeygen /ssh2/fingerprint=publickey.pub (UNIX) % ssh-keygen -F publickey.pub on the keyfile. Are you sure you want to continue connecting (yes/no)? <ur> yes <sr> Host key saved to CSMIS$USER3:[ADMCSM.BOB.SSH2.HOSTKEYS]key_22_kawc15_on_bell_ca.pub host key for kawc15.on.bell.ca, accepted by BOB Tue Aug 19 2008 10:58:27 *** WARNING *** THE PROGRAMS AND DATA STORED ON THIS SYSTEM ARE LICENSED TO OR ARE PRIVATE PROPERTY OF THIS COMPANY AND ARE LAWFULLY AVAILABLE ONLY TO AUTHORIZED USERS FOR APPROVED PURPOSES. UNAUTHORIZED ACCESS TO ANY PROGRAM OR DATA ON THIS SYSTEM IS NOT PERMITTED, AND ANY UNAUTHORIZED ACCESS BEYOND THIS POINT MAY LEAD TO PROSECUTION. THIS SYSTEM MAY BE MONITORED AT ANY TIME FOR OPERATIONAL REASONS, THEREFORE, IF YOU ARE NOT AN AUTHORIZED USER, DO NOT ATTEMPT TO LOGIN. [email protected]'s password: <ur> ######### ! enter Alice's password <sr> BOB_ON_KAWC09.pub | 751B | 751B/s | TOC: 00:00:01 | 100% ! <--- copy success KAWC09::BOB> ! user's DCL prompt ================================================================================ Step-04 set up file "[.ssh2]authorization." on the remote system note: 1) do this in the remote account you wish to use 2) don't use $CREATE if the file already exists (use $EDIT instead) ================================================================================ <sr> KAWC09::BOB> ! user's DCL prompt <ur> ssh [email protected] ! enter this command <sr> *** WARNING *** THE PROGRAMS AND DATA STORED ON THIS SYSTEM ARE LICENSED TO OR ARE PRIVATE PROPERTY OF THIS COMPANY AND ARE LAWFULLY AVAILABLE ONLY TO AUTHORIZED USERS FOR APPROVED PURPOSES. UNAUTHORIZED ACCESS TO ANY PROGRAM OR DATA ON THIS SYSTEM IS NOT PERMITTED, AND ANY UNAUTHORIZED ACCESS BEYOND THIS POINT MAY LEAD TO PROSECUTION. THIS SYSTEM MAY BE MONITORED AT ANY TIME FOR OPERATIONAL REASONS, THEREFORE, IF YOU ARE NOT AN AUTHORIZED USER, DO NOT ATTEMPT TO LOGIN. ALICE's password: <ur> ######### ! enter Alice's password <sr> Authentication successful. Last interactive login on Tuesday, 19-AUG-2008 11:30:44.51 Last non-interactive login on Tuesday, 19-AUG-2008 10:58:35.45 1 login failure since last successful login -i-in script: CSMIS$USER3:[ADMCSM.ALICE]LOGIN.COM;15 -i-on node : KAWC15 -i-exiting : login.com KAWC15::ALICE> ! remote user's DCL prompt <ur> cre [.ssh2]authorization. ! notice "no file extension" key BOB_ON_KAWC09.PUB ! entry for a public key file key second-entry-goes-here ! <ctrl-z> ! hit the ctrl-z key <sr> KAWC15::ALICE> ! <ur> log ! log out <sr> ALICE logged out at 19-AUG-2008 11:40:49.01 Connection to kawc15.on.bell.ca closed. KAWC09::BOB> ! local user's prompt
+---------------------------------------------------+---------------------------------------------------+ | User: BOB | User: ALICE | | Node: KAWC09 | Node: KAWC15 | | OS : OpenVMS | OS : OpenVMS | | File: [.ssh2]BOB_ON_KAWC09 (private half) | File: | | [.ssh2]BOB_ON_KAWC09.pub (public half) | [.ssh2]BOB_ON_KAWC09.pub (public half) | | [.ssh2]identification. (src control file) | [.ssh2]authorization. (dst control file) |
| # title: identification. | # title: authorization. |
| # notes: file of private keys | # notes: file of public keys |
| idkey BOB_ON_KAWC09 | key BOB_ON_KAWC09.pub | | idkey private-key-file-2 | key public-key-file-2 | | idkey private-key-file-3 | key public-key-file-3 | | # idkey NEXT PRIVATE KEY GOES HERE | # key NEXT PUBLIC KEY GOES HERE | +---------------------------------------------------+---------------------------------------------------+
================================================================================ Step-05 test the ssh2 connection (should no longer require a password) ================================================================================ <sr> KAWC09::BOB> ! user's prompt <ur> ssh [email protected] ! connect to ALICE <sr> *** WARNING *** THE PROGRAMS AND DATA STORED ON THIS SYSTEM ARE LICENSED TO OR ARE PRIVATE PROPERTY OF THIS COMPANY AND ARE LAWFULLY AVAILABLE ONLY TO AUTHORIZED USERS FOR APPROVED PURPOSES. UNAUTHORIZED ACCESS TO ANY PROGRAM OR DATA ON THIS SYSTEM IS NOT PERMITTED, AND ANY UNAUTHORIZED ACCESS BEYOND THIS POINT MAY LEAD TO PROSECUTION. THIS SYSTEM MAY BE MONITORED AT ANY TIME FOR OPERATIONAL REASONS, THEREFORE, IF YOU ARE NOT AN AUTHORIZED USER, DO NOT ATTEMPT TO LOGIN. Authentication successful. ! <--- success message Last interactive login on Tuesday, 19-AUG-2008 11:40:17.32 Last non-interactive login on Tuesday, 19-AUG-2008 10:58:35.45 -i-in script: CSMIS$USER3:[ADMCSM.ALICE]LOGIN.COM;15 ! <--- from script -i-on node : KAWC15 ! <--- from script -i-exiting : login.com ! <--- from script KAWC15::ALICE> ! <--- yippee
================================================================================ Optional Step-06 Only necessary if you wish to allow connections in the reverse direction ================================================================================ repeat steps-01 through 04 above but in the reverse direction (alice to bob) ================================================================================ step-06a - create a pair of keys for ALICE on KAWC15 step-06b - create/update file "[.ssh2]identification." for ALICE on KAWC15 step-06c - copy ALICE's public key to BOB on KAWC09 step-06d - create/update file "[.ssh2]authorization." for BOB on KAWC09
================================================================================ Optional Step-07 (for BOB on KAWC09) create/update file: "[.ssh2]SSH2_CONFIG." note: 1) unless specified from the command-line, these parameters will be used 2) the second stanza is only necessary if someone tries to connect to kawc15 without using the full DNS name. ================================================================================ kawc15.on.bell.ca: batchmode Y user ALICE allowedAuthentications publickey kawc15: batchmode Y allowedAuthentications publickey user ALICE host kawc15.on.bell.ca ================================================================================ Optional Step-08 (for ALICE on KAWC15) create/update file: "[.ssh2]SSH2_CONFIG." note: 1) unless specified from the command-line, these parameters will be used 2) the second stanza is only necessary if someone tries to connect to kawc09 without using the full DNS name. ================================================================================ kawc09.on.bell.ca: batchmode Y user BOB allowedAuthentications publickey kawc09: batchmode Y allowedAuthentications publickey user BOB host kawc09.on.bell.ca
$ dir/prot/width=file=35 Directory CSMIS$ROOT3:[USR.ADMCSM.BOB.SSH2] authorization.;2 (RWD,RWD,,) HOSTKEYS.DIR;1 (RWD,RWD,,) identification.;4 (RWD,RWD,,) RANDOM_SEED.;1 (RWD,RWD,,) SSH2_CONFIG.TEMPLATE;1 (RWD,RWD,,) ALICE_ON_KAWC15.pub;1 (RWD,RWD,,) BOB_ON_KAWC09.;1 (RWD,RWD,,) BOB_ON_KAWC09.pub;1 (RWD,RWD,,)While the broken account looked like this:
$ dir/prot/width=file=35
Directory CSMIS$ROOT4:[CSMIS_ICT_FTP.DATA.SSH2]
AAA_HELP.TXT;1 (RWED,RWED,RWED,RWE) <<<--- much too liberal
authorization.;5 (RWED,RWED,RWED,RWE)
BL1CS9.pub;1 (RWED,RWED,RWED,RWE)
D6BCMS.pub;2 (RWED,RWED,RWED,RWE)
D7PCRW.pub;1 (RWED,RWED,RWED,RWE)
DEMC5S.pub;1 (RWED,RWED,RWED,RWE)
HOSTKEYS.DIR;1 (RWED,RWED,RWED,RWE)
ict_ftp_ON_KAWC09.;1 (RWED,RWED,RWED,RWE)
ict_ftp_ON_KAWC09.pub;1 (RWED,RWED,RWED,RWE)
identification.;4 (RWED,RWED,RWED,RWE)
neil_ON_KAWC15.pub;1 (RWED,RWED,RWED,RWE)
RANDOM_SEED.;1 (RWED,RWED,RWED,RWE)
The Repairs
$set file *.*/protect=(s:rwd,o:rwd,g,w)/log
$ dir/prot [-]ssh2.dir Directory CSMIS$ROOT3:[USR.ADMCSM.BOB] SSH2.DIR;1 (RWD,RWD,,) Total of 1 file.
One alternative is to modify this file: SYS$SYSROOT:[TCPWARE.SSH2]SSHD2_CONFIG. changing line this line: StrictModes yes to this: StrictModes no but this would reduce security for all ssh2 connections on this platform.
It makes more sense to set the file protections to less liberal.
On the flip side, you could create a special config file in you transfer account: $edit [.ssh2]ssh2_conf. adding line: StrictModes no
legend: <ur> = user response <sr> = system response =================================================================================================== Step-00 (only necessary on a new account) Use SSH to interactively connect to another account (which will create necessary folders and files) =================================================================================================== ----------------------------------------------------------------------------------- connect to ALICE to create the necessary files and folders in Bob's account ----------------------------------------------------------------------------------- <sr> KAWC09::BOB> ! Bob's DCL prompt <ur> $ ssh [email protected]
<sr> bla...bla...bla... (connection verbage)
alice's password: <ur> ######## ! enter Alice's password <sr> bla...bla...bla... (login verbage) KAWC98::ALICE> ! Alice's DCL prompt ---------------------------------------------------------------------------------- connect back to BOB to create the necessary folders in Alice's account ---------------------------------------------------------------------------------- <ur> $ ssh [email protected] <sr> <sr> bla...bla...bla... (connection verbage)
bob's password: <ur> ######## ! enter Bob's password <sr> bla...bla...bla... (login verbage) KAWC98::BOB> ! Alice's DCL prompt --------------------------------------------------------- <sr> KAWC09::BOB> ! Bob's DCL prompt <ur> log ! logout <sr> KAWC98::ALICE> ! Alice's DCL prompt <ur> log ! logout <sr> KAWC09::BOB> ! back where we started
legend: <ur> = user response <sr> = system response ================================================================================ Step-01 Interactively log into the local system as BOB then create a new key-pair (surprisingly, you may only enter UNIX-style cli switches with this stack) ================================================================================ <sr> -i-in script: CSMIS$USER3:[ADMCSM.BOB]LOGIN.COM;15 ! from login script -i-on node : KAWC09 ! from login script -i-exiting : login.com ! from login script KAWC09::BOB> ! user's DCL prompt <ur> ssh_keygen "-P" -t dsa ssh2/BOB_ON_KAWC09 ! type this command <sr> Generating 2048-bit dsa key pair 2 oOo.oOo.oOo Key generated. 2048-bit dsa, [email protected], Mon Oct 27 2014 12:53:01 Private key saved to ssh2/bob_on_kawc09 ! private key stays here Public key saved to ssh2/bob_on_kawc09.pub ! public key to distribute KAWC09::BOB> ! user's DCL prompt ================================================================================ Step-02 Create file "[.ssh2]identification." (tells the client which keys are available) Notes: 1. only use $CREATE if the file doesn't yet exist (otherwise use $EDIT) 2. otherwise, add the line desired line to the existing file 3. only add entries for private keys located in this directory (some of these public keys may have been copied here from other systems) ================================================================================ <sr> KAWC09::BOB> <ur> cre [.ssh2]identification. ! notice "no file extension" idkey BOB_ON_KAWC09 ! entry for a private key file <ctrl-z> ! hit the ctrl-z key <sr> KAWC09::BOB> ! user's DCL prompt ================================================================================ Step-03 Copy desired public key(s) to the destination account on remote system Notes: 1. use $scp (secure copy) or $sftp (secure FTP) 2. you will need a password for the remote account 3. if you don't have access to it, then mail this key-file to someone at the remote system who can install it for you 4. if you've read any books on spying or cryptography, this is the step where the ambassador delivers the code keys in a diplomatic pouch. ================================================================================ <sr> KAWC09::BOB> <ur> scp ssh2/BOB_ON_KAWC09.pub -
[email protected]:ssh2/BOB_ON_KAWC09.PUB ! only one colon <sr> @SYS$MANAGER:SECURITY_WARNING.TXT [email protected]'s password: <ur> ######### ! enter Alice's password <sr> bob_on_kawc09.pub | 1.2kB | 1.2 kB/s | TOC: 00:00:01 | 100% ! <--- copy success KAWC09::BOB> ! user's DCL prompt ================================================================================ Step-04 set up file "[.ssh2]authorization." on the remote system note: 1) do this in the remote account you wish to use 2) don't use $CREATE if the file already exists (use $EDIT instead) ================================================================================ <sr> KAWC09::BOB> ! user's DCL prompt <ur> ssh [email protected] ! enter this command <sr> @SYS$MANAGER:SECURITY_WARNING.TXT alice's password: ! <ur> ######## ! enter Alice's password Authentication successful. Last interactive login on Monday, 27-OCT-2014 08:55:16.75 Last non-interactive login on Monday, 27-OCT-2014 08:59:23.88 -i-in script: CSMIS$USER3:[ADMCSM.ALICE]LOGIN.COM;98 -i-on node : KAWC98 -i-exiting : login.com KAWC98::ALICE> ! remote user's DCL prompt <ur> cre [.ssh2]authorization. ! notice "no file extension" key BOB_ON_KAWC09.PUB ! entry for a public key file <ctrl-z> ! hist the ctrl-z key <sr> KAWC98::ALICE> ! <ur> log 2 ! log out <sr> ALICE logged out at 27-OCT-2014 09:15:31.60 Connection to kawc0f.on.bell.ca closed. KAWC09::BOB> ! local user's prompt
================================================================================ Step-05 test the ssh2 connection (should no longer require a password) ================================================================================ <sr> KAWC09::BOB> ! user's prompt <ur> ssh [email protected] ! connect to ALICE <sr> *** WARNING *** THE PROGRAMS AND DATA STORED ON THIS SYSTEM ARE LICENSED TO OR ARE PRIVATE PROPERTY OF THIS COMPANY AND ARE LAWFULLY AVAILABLE ONLY TO AUTHORIZED USERS FOR APPROVED PURPOSES. UNAUTHORIZED ACCESS TO ANY PROGRAM OR DATA ON THIS SYSTEM IS NOT PERMITTED, AND ANY UNAUTHORIZED ACCESS BEYOND THIS POINT MAY LEAD TO PROSECUTION. THIS SYSTEM MAY BE MONITORED AT ANY TIME FOR OPERATIONAL REASONS, THEREFORE, IF YOU ARE NOT AN AUTHORIZED USER, DO NOT ATTEMPT TO LOGIN. Authentication successful. ! <--- success message Last interactive login on Monday, 27-OCT-2014 09:17:03.16 Last non-interactive login on Monday, 27-OCT-2014 08:59:23.88 -i-in script: CSMIS$USER3:[ADMCSM.ALICE]LOGIN.COM;15 ! <--- from script -i-on node : KAWC98 ! <--- from script -i-exiting : login.com ! <--- from script KAWC98::ALICE> ! <--- yippee
================================================================================
Step-06
change file protections (many times required dependent upon other settings)
================================================================================
$set file [.ssh2]*.*/protect=(s:rwd,o:rwd,g,w)/log !
As you might expect, SSH setup on MultiNet is almost identical to TCPware so I won't add anything else to this section unless I stumble on something noteworthy
Disconnected; protocol error (Protocol error: packet too long:
legend: <ur> user response <sr> system response ---------------------------------------------------------------------------------- This Alpha is running TCPIP Services ==================================== (just making a client connection) --- <sr> KAWC09::Neil> <ur> sftp2 kawc0u.on.bell.ca <sr> Welcome to HP OpenVMS Industry Standard 64 Operating System, Version V8.4 [email protected]'s password: <ur> BlaBlaBla <sr> Disconnected; protocol error (Protocol error: packet too long: 314820071.). Warning: child process (/sys$system/tcpip$ssh_ssh2) exited with code 131. %TCPIP-E-SSH_FC_ERROR, error in ssh file transfer operation KAWC09::Neil> ---------------------------------------------------------------------------------- Jump over to the Itanium which is running MultiNet 5.4 ====================================================== Here I will only copy/rename two template files (on OpenVMS you must copy with a semicolon to prevent the OS from defaulting the extension) --- <sr> KAWC09::Neil> <ur> set def MULTINET_ROOT:[MULTINET] <sr> KAWC09::Neil> <ur> dir [...]*.template <sr> KAWC09::Neil> <ur> copy SSHD_CONFIG.TEMPLATE MULTINET_SPECIFIC_ROOT:[MULTINET.SSH2]SSHD_CONFIG.; <sr> KAWC09::Neil> <ur> copy SSHD2_CONFIG.TEMPLATE MULTINET_SPECIFIC_ROOT:[MULTINET.SSH2]SSHD2_CONFIG.; <sr> KAWC09::Neil> ---------------------------------------------------------------------------------- Jump back to the Alpha ====================== (repeating the previously broken connect command) --- <sr> KAWC09::Neil> <ur> sftp2 kawc0u.on.bell.ca <sr> Welcome to HP OpenVMS Industry Standard 64 Operating System, Version V8.4 [email protected]'s password: <ur> BlaBlaBla <sr> sftp> ---------------------------------------------------------------------------------- Additional Notes: examining MULTINET_ROOT:[MULTINET.SSH]SSHD.LOG shows the proof debug[000000E0]: (16:06:52)Ssh2Common/SSHCOMMON.C;1:730: num_channels now 1debug[000000E0]: (16:06:52)Ssh2ChannelSession/SSHCHSERVER.C;2:1292: Allocating pty. debug[000000E0]: (16:06:52)Pty-VMS/PTY-VMS.C;2:286: VMS device _FTA19: created and allocated to user neil SSHD 0019[000000E0]: WARNING: SSHD2: Subsystem sftp not defined %SYSTEM-?-ILLPAGCNT, illegal page count parameter NEIL job terminated at 20-AUG-2015 16:06:52.52 Accounting information: Buffered I/O count: 193 Peak working set size: 14208 Direct I/O count: 219 Peak virtual size: 194704 Page faults: 915 Mounted volumes: 0 Charged CPU time: 0 00:00:00.10 Elapsed time: 0 00:00:08.55
Many Windows users download GUI-based applications capable of doing SFTP. Then they run into problems and are forced to give up. If you want to go further you'll need to install and play with OpenSSH. The easiest free way to do this is to install Cygwin then run OpenSSH from that environment. If you can't get SSH working over port 22 (perhaps because a firewall or proxy server is blocking port 22) then SFTP will never work.
Okay so setting up the TCPware flavor of SSH on an OpenVMS platform is pretty straight forward. SSH1 stuff goes into folder [.ssh] whilst SSH2 stuff goes into folder [.ssh2] and most stuff is set up with a text editor.
I recently (2012-04-xx) ran into some problems setting up SSH2 on an older Solaris 9 box (I don't think this thing had been patched ever since it was installed in 2002). I guess our problems started by making the mistake of trying to translate TCPware concepts over to the Sun box (creating a folder named .ssh2 then populating it with files like authorization etc.). After a couple of wasted hours I decided to peak at file /etc/ssh/ssh_config then read the online help via the manual pages: man ssh , man ssh_config and man ssh-keygen
Caveat what follows may not be present on your Solaris-9 box so be careful
copy neil_ON_KAWC15_rsa_1024.pub from OpenVMS to UNIX # copy the public half of rsa cat authorized_keys # see what is in this file cp authorized_keys authorized_keys_backup # make a backup (once per session?) ssh-keygen -X -f neil_ON_KAWC15_rsa_1024.pub # convert format from SSH2 to OpenSSH (stdout) ssh-keygen -X -f neil_ON_KAWC15_rsa_1024.pub >> authorized_keys # convert format from SSH2 to OpenSSH (append)
#
# extracted from "man ssh_config"
#
# The values can be changed in per-user configuration files $HOME/.ssh/config
# or on the command line of ssh(1).
#
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file /etc/ssh/ssh_config
#
# Any configuration value is only changed the first time it is set.
# host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
#
DSAAuthentication yes
RSAAuthentication yes
#LogLevel VERBOSE # only do this to debug problems
#StrictModes no # not valid on this OS
#
# Example (matches compiled in defaults):
#
# Host *
# ForwardAgent no
# ForwardX11 no
# PubkeyAuthentication yes
# PasswordAuthentication yes
# FallBackToRsh no
# UseRsh no
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking ask
# EscapeChar ~
On this Solaris box, the man pages provide much more information than is found in the various apps
Help | App |
---|---|
man ssh | ssh -? |
man ssh-keygen | ssh-keygen -? |
man scp | scp -? |
man sftp | sftp -? |
ssh-keygen -t rsa -b 512 -f vitria77_on_dm4c6h # generate a new key pair
cat vitria77_on_dm4c6h.pub # see OpenSSH formatted file ssh-keygen -e -f vitria77_on_dm4c6h.pub # convert pub key to IETF format (stdout) ssh-keygen -e -f vitria77_on_dm4c6h.pub > vitria77_on_dm4c6h.ietf # convert pub key to IETF format (file) ssh-keygen -x -f vitria77_on_dm4c6h.pub # just hacking here ssh-keygen -x -f vitria77_on_dm4c6h.pub > vitria77_on_dm4c6h.ssh2 # convert pub key to SSH2 format (file) cmp vitria77_on_dm4c6h.ietf vitria77_on_dm4c6h.ssh2 # these files are identical
scp vitria77_on_dm4c6h.ietf [email protected]:vitria77_on_dm4c6h.ietf
# Host * #Host vms-host.bell.ca # StrictHostKeyChecking no PubkeyAuthentication yes PasswordAuthentication yes # # this next line does not appear to work (so is disabled) # # IdentityFile2 $HOME/.ssh/vitria77_on_dm4c6h IdentityFile2 vitria77_on_dm4c6h LogLevel DEBUG #
Solaris-9 to VMS-5.5 (TCPware) Transfer Tests ============================================= scp junk.txt [email protected]:junk.txt - works: (but VMS-5.x will upcase the filename) Here, we want to drop a file into VMS subdirectory sys$login:[.ssh2] ==================================================================== scp junk.txt [email protected]:./ssh2/junk.txt - works: (but VMS-5.x will upcase the filename) scp junk.txt [email protected]:/[.ssh2]/ - fails: destination file will be no-name format like this ".;1" scp junk.txt [email protected]:/[.ssh2]/junk.txt - fails: destination file will be no-name format like this ".;1" scp junk.txt [email protected]:/[.ssh2]junk.txt - works: (but VMS-5.x will upcase the filename) scp junk.txt [email protected]:/[.ssh2]Junk.txt - works: (but VMS-5.x will upcase the filename) scp junk.txt [email protected]:/[.ssh2]*.* - fails: no transfer (lost connection) scp junk.txt [email protected]:/[.ssh2] - fails: destination file will be no-name format like this ".;1" scp junk.txt [email protected]:[.ssh2]*.* - fails: no transfer (lost connection) scp junk.txt [email protected]:[.ssh2] - fails: destination file is $8B.SSH2$8D;1 (not in folder) scp junk.txt [email protected]:[.ssh2]junk.txt - fails: destination file is $8B.SSH2$8DJUNK$5NTXT;1 (not in folder) Here, we want to drop a file into VMS location disk$spc:[spc] ============================================================= scp junk.txt [email protected]:/disk$spc/spc/junk.txt - fails: does not work (but creates sub folder [.disk] which is empty) note: the shell noticed "$" and attempted symbol substitution scp junk.txt [email protected]:/disk\$spc/spc/junk.txt - works: (but VMS-5.x will upcase the filename) note: "\" is used to escape "$" scp junk.txt [email protected]:/spclib/junk.txt - works: (but VMS-5.x will upcase the filename) note: "spclib" is declared as a system-level logical like so: $ def/sys SPCLIB $1$DIA5:[SPC] scp junk.txt [email protected]:/spc\$lib/junk.txt - works: (but VMS-5.x will upcase the filename) note: "spc$lib" is declared as a system-level logical like so: $ def/sys SPC$LIB $1$DIA5:[SPC]Apparent Rules:
Personal Comment: I think SFTP is preferable to SCP. That said, this old version of Solaris seems to have no way to force ASC-TEXT transfers from the command line so the conversion may need to be forced by setting a logical at the receiving end.
Caveat: why is this here? I have run into instances where I need to connect an SFTP-client on OpenVMS to SFTP-server on CentOS
Time does not stand still for mankind or machine so it should be no surprise that many of the filenames described above have been changed. Your best path forward is to read the man pages (eg. man ssh) of the target system as well as the connecting system. For example:
---- BEGIN SSH2 PUBLIC KEY ---- Subject: custodian Comment: "1024-bit rsa, [email protected], Mon Apr 27 2020 1\ 5:04:52" AAAAB3NzaC1yc2EAAAADAQABAAAAgQCCzJ164AeNAjTafmfVeaqAzrP8sbqYnXKSWew/WG wam+0sLBdWByrCDpZkb4NKOSCI3njJZzsQ7bkAVdaRpRl2CdZ/nuU6VeJ0f9KHAgzDKDDn TRo1p4o2LdIBnNeNVtCXlDH4EwRB89ZQj9kjLSlCrAmtxoOlSb6jIKq2n7XpPQ== ---- END SSH2 PUBLIC KEY ----Why? File "~/.ssh/authorized_keys" on Linux currently requires that the public key sit on a single line with no superfluous information or control characters like this:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCC..........PQ== optional-comment
#!/bin/bash # title : gen-test-keys.sh # author : Neil Rieck # edit : 2020-04-30 # platform: CentOS-7.7 # ========================== # rm neil_test_key* # # create rsa key pair # private key defaults to PEM # public key defaults to one-liner ssh-keygen -f neil_test_key1 -t rsa -b 1024 -N "" # # create rsa key pair # private key is forced to new format with "-o" (valid with OpenSSH 6.5) # public key defaults to one-liner ssh-keygen -f neil_test_key9 -o -b 1024 -N "" # # convert public key for export to another system ssh-keygen -e -f neil_test_key1.pub > neil_test_key_export.pub # # convert public key imported from another system ssh-keygen -i -f neil_test_key_export.pub > neil_test_key_import.pub # # compare imported result to original (only comments are different) diff -s neil_test_key1.pub neil_test_key_import.pub # # let's see the mess ls -la neil_test_key*
Click here to learn more: Linux Notes: SSH2