System can log in multiple times, user cannot login at all

Topic author
tlovern
Active Contributor
Posts: 40
Joined: Tue Jul 21, 2020 10:44 am
Reputation: 0
Status: Offline

System can log in multiple times, user cannot login at all

Post by tlovern » Wed Aug 09, 2023 4:32 pm

Here is the user's sysuaf (yes I gave it all privs - will cut back when working):

Username: 1LOVERN                          Owner:  
Account:                                   UIC:    [200,230] ([DEFAULT])
CLI:      DCL                              Tables: DCLTABLES
Default:  USER$DISK:[USERS.1LOVERN]
LGICMD:   
Flags: 
Primary days:   Mon Tue Wed Thu Fri        
Secondary days:                     Sat Sun
No access restrictions
Expiration:            (none)    Pwdminimum:  6   Login Fails:     0
Pwdlifetime:         60 00:00    Pwdchange:      (pre-expired) 
Last Login:            (none) (interactive),            (none) (non-interactive)
Maxjobs:         0  Fillm:       128  Bytlm:        128000
Maxacctjobs:     0  Shrfillm:      0  Pbytlm:            0
Maxdetach:       0  BIOlm:       150  JTquota:        4096
Prclm:           8  DIOlm:       150  WSdef:          4096
Prio:            4  ASTlm:       300  WSquo:          8192
Queprio:         4  TQElm:       100  WSextent:      16384
CPU:        (none)  Enqlm:      4000  Pgflquo:      256000
Authorized Privileges: 
  ACNT         ALLSPOOL     ALTPRI       AUDIT        BUGCHK       BYPASS
  CMEXEC       CMKRNL       DIAGNOSE     DOWNGRADE    EXQUOTA      GROUP
  GRPNAM       GRPPRV       IMPERSONATE  IMPORT       LOG_IO       MOUNT
  NETMBX       OPER         PFNMAP       PHY_IO       PRMCEB       PRMGBL
  PRMMBX       PSWAPM       READALL      SECURITY     SETPRV       SHARE
  SHMEM        SYSGBL       SYSLCK       SYSNAM       SYSPRV       TMPMBX
  UPGRADE      VOLPRO       WORLD
Default Privileges: 
  ACNT         ALLSPOOL     ALTPRI       AUDIT        BUGCHK       BYPASS
  CMEXEC       CMKRNL       DIAGNOSE     DOWNGRADE    EXQUOTA      GROUP
  GRPNAM       GRPPRV       IMPERSONATE  IMPORT       LOG_IO       MOUNT
  NETMBX       OPER         PFNMAP       PHY_IO       PRMCEB       PRMGBL
  PRMMBX       PSWAPM       READALL      SECURITY     SETPRV       SHARE
  SHMEM        SYSGBL       SYSLCK       SYSNAM       SYSPRV       TMPMBX
  UPGRADE      VOLPRO       WORLD
UAF>  Exit 
%UAF-I-NOMODS, no modifications made to system authorization file
%UAF-I-RDBNOMODS, no modifications made to rights database

Here is the login interactive setting:

$ set login/inter
%SET-I-INTSET, login interactive limit = 100, current interactive value = 2

Disk user is configured to use:

$ sho dev user$disk/full

    Disk NARNIA$DKA100:, device type ATA VMware Virtual S, is online, mounted, file-
    oriented device, shareable, available to cluster, error logging is enabled.

    Error count                    0    Operations completed              17305
    Owner process                 ""    Owner UIC                      [SYSTEM]
    Owner process ID        00000000    Dev Prot            S:RWPL,O:RWPL,G:R,W
    Reference count                1    Default buffer size                 512
    Total blocks           209715200    Sectors per track                     0
    Total cylinders                0    Tracks per cylinder                   0
    Logical Volume Size    209715200    Expansion Size Limit          209715200

    Volume label             "USERS"    Relative volume number                0
    Cluster size                   1    Transaction count                     1
    Free blocks            209659820    Maximum files allowed          16711679
    Extend quantity                5    Mount count                           1
    Mount status              System    Cache name      "_NARNIA$DKA0:XQPCACHE"
    Extent cache size             64    Max blocks in extent cache     20965982
    File ID cache size            64    Blocks in extent cache                0
    Quota cache size               0    Maximum buffers in FCP cache       4884
    Volume owner UIC        [SYSTEM]    Vol Prot    S:RWCD,O:RWCD,G:RWCD,W:RWCD

  Volume Status:  ODS-2, subject to mount verification, file high-water marking,
      write-through XFC caching enabled, write-back XQP caching enabled.

Here is what happens when using ssh:

$ ssh 1lovern@10.0.1.33

 Welcome to OpenVMS (TM) x86_64 Operating System, Version V9.2-1  
1lovern@10.0.1.33's password: 
Connection closed by 10.0.1.33 port 22

I don't see anything in authorize, nor in the number of interactive logins (shouldn't matter - account has oper)

I can fire up as many system account sessions as I want.

It is going to be something simple, but I'm not seeing it.

Added in 14 minutes 2 seconds:
Ok, I can log in as the user on the defined port using telnet. I cannot login using SSH.

I set /local/network/remote/dialup, etc in authorize. I must have missed one.

F$MODE() for both is interactive.

device is _OPA0: for user login working, _FTA7: for system logged in via SSH
it has to be something with SSH / device type.

Added in 9 minutes 54 seconds:
Looks like I need to configure that user for SSH access...this is all new to me.

imiller
Master
Posts: 147
Joined: Fri Jun 28, 2019 8:45 am
Reputation: 0
Location: South Tyneside, UK
Status: Offline
Contact:

Re: System can log in multiple times, user cannot login at all

Post by imiller » Thu Aug 10, 2023 11:52 am

OK. So when logged in using telnet
$ REPLY/ENABLE
$ ssh localhost
may show something
Ian Miller
[ personal opinion only. usual disclaimers apply. Do not taunt happy fun ball ].

cct
Master
Posts: 127
Joined: Sat Aug 15, 2020 9:00 am
Reputation: 0
Location: Cambridge, UK
Status: Offline

Re: System can log in multiple times, user cannot login at all

Post by cct » Thu Aug 10, 2023 11:57 am

Another way to create the ssh dir is to ssh outwards from VMS to another machine that has ssh configured

Sorry - I missed that the output was -vvv

If you have suitable keys, put a public key into [.ssh] but check the protections

Chris
--
Chris

Re: System can log in multiple times, user cannot login at all

Post by tlovern » Thu Aug 10, 2023 1:25 pm

Ok, here is where I'm at:

I went ahead and turned on telnet client - that gives me what I need for now, but I dislike that it is somewhat insecure.
Since I'm behind a firewall, I'm ok for now. Still want to figure this out.

I generated a key / fingerprint, etc in the user account, in the [.ssh] directory, but I cannot get the ssh client on the Mac to accept the fingerprint - I'm probably doing it wrong, LOL.

so, for now, I'll press on using telnet - until it becomes an issue security wise.

Thanks for the help!

Re: System can log in multiple times, user cannot login at all

Post by cct » Thu Aug 10, 2023 1:51 pm

You might be better off copying your Mac public key onto VMS and adding into the AUTHORIZED_KEYS. file. Might have to convert it - not sure what form of key the Mac uses

Chris
--
Chris


sms
Master
Posts: 349
Joined: Fri Aug 21, 2020 5:18 pm
Reputation: 0
Status: Offline

Re: System can log in multiple times, user cannot login at all

Post by sms » Thu Aug 10, 2023 2:18 pm

   Assuming that you're still stuck, let's look at one of the bits I
missed on first reading (as I was falling asleep).

> Username: 1LOVERN                          Owner:  
> Account:                                   UIC:    [200,230] ([DEFAULT])

   What's wrong with this picture?


   That's pretty much the kind of mess I created when I tried to add a
user to my system.  (Forgot to specify /UIC at the time?)  More normal
would be:

Username: DEFAULT                          Owner:  
Account:                                   UIC:    [200,200] ([DEFAULT])
                                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

   So, I straightened out the DEFAULT identifier:

UAF> modify /ident DEFAULT /value = uic:[200,200]

   Then:

UAF> show /ident 1LOVERN

   The corresponding command in my case got:

%UAF-E-SHOWERR, unable to complete SHOW command
-SYSTEM-F-NOSUCHID, unknown rights identifier

   So, I added the correct identifier for the new user:

UAF> add /ident SMS /VALUE=UIC:[50,1]
%UAF-I-RDBADDMSGU, identifier SMS value [000050,000001] added to rights database

   In your case, I'd guess:

UAF> add /ident 1LOVERN /VALUE=UIC:[200,230]

   Then, after the SYSUAF contents started making sense, I looked at the
files which should have been owned by user SMS, and found that they
were owned by DEFAULT.  Like, for example:

> LOGIN.COM;1 [DEFAULT] (RWED,RWED,RE,)

   In your case, I'd (re-)check the ownership of
USER$DISK:[USERS]1LOVERN.DIR and USER$DISK:[USERS.1LOVERN...]*.*;*, with
the expectation of having to do some SET FILE /OWNER = 1LOVERN commands
to those things.

   With all the secrets hidden in the [.SSH] directory, software like
OpenSSH tends to be quite fussy about ownership and protections there,
so that those secrets remain secret.  On VMS, a confused/scrambled
SYSUAF can cause more problems with SSH than with less fussy schemes.
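
Added example (not part of the thread, and not a VSI or OpenSSH tool): a small Python check that reads the header lines of an AUTHORIZE SHOW listing and flags records whose UIC translates to an identifier other than the account's own username, which is the "([DEFAULT])" detail discussed above. The sample listing is constructed from the records quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: header lines of AUTHORIZE "SHOW" records, modelled on
# the records quoted in the thread (not captured from a real system).
SAMPLE = """\
Username: 1LOVERN                          Owner:
Account:                                   UIC:    [200,230] ([DEFAULT])
CLI:      DCL                              Tables: DCLTABLES
Username: DEFAULT                          Owner:
Account:                                   UIC:    [200,200] ([DEFAULT])
Username: SMS                              Owner:
Account:                                   UIC:    [50,1] ([SMS])
"""

USER_RE = re.compile(r"Username:\s+(\S+)")
UIC_RE = re.compile(r"UIC:\s+\[([0-7]+),([0-7]+)\]\s+\(\[([^\]]*)\]\)")

def parse_records(listing):
    """Return (username, numeric_uic, translated_member) for each record."""
    records, username = [], None
    for line in listing.splitlines():
        m = USER_RE.match(line)
        if m:
            username = m.group(1).upper()
            continue
        m = UIC_RE.search(line)
        if m and username:
            group, member, ident = m.groups()
            # Translation is "[MEMBER]" or "[GROUP,MEMBER]": keep the last part.
            owner = ident.split(",")[-1].strip().upper()
            records.append((username, f"[{group},{member}]", owner))
            username = None
    return records

def mismatched(listing):
    """Records whose UIC translates to an identifier other than the username."""
    # Heuristic (assumption): accounts that deliberately share a UIC will
    # also be reported and need a manual look.
    return [r for r in parse_records(listing) if r[2] != r[0]]

if __name__ == "__main__":
    for user, uic, owner in mismatched(SAMPLE):
        print(f"{user}: UIC {uic} translates to [{owner}], check the rights database")
```

Any account it reports is a candidate for the SHOW /IDENT check and the file-ownership review described in the post above.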


Re: System can log in multiple times, user cannot login at all

Post by tlovern » Thu Aug 10, 2023 6:28 pm

Duh, this is what happens when you do stuff late at night....

I deleted 1lovern and re-added the account - then did a set file/own on the directory tree.

Lo and behold....SSH now works.

I should have caught the [default] thing too. Forest, trees, myopia, and most of all lack of humility...


thanks!

now just need to solve my key mapping problems and all will be right in the world. (well my corner, at least)


Re: System can log in multiple times, user cannot login at all

Post by sms » Thu Aug 10, 2023 9:23 pm

> Lo and behold....SSH now works.

   What could go wrong?

> [...] Forest, trees, [...]

   A "UAF> SHOW" report contains enough material to hide many things.  I
skipped right past the "([DEFAULT])" thing more than once.

> thanks!

   Glad to hear that you got it working.


> [...] my key mapping problems [...]

   Specifics?


> [...] not sure what form of key the Mac uses

   OpenSSH, I believe (like almost everyone these days?).  It's been a
long time since I looked/cared, but I thought that ssh-keygen could do
conversions between the SSH2 format used by old VMS SSH and the OpenSSH
format.

   The "OpenSSH for VSI OpenVMS Alpha, I64, and x86-64" document has a
section on "Migration" which mentions "a migration script
(ssh$root:[bin]ssh$migration.com) that can be used to convert
configuration files and user public/private keys from the format used 
by VSI TCP/IP Services to the format expected by OpenSSH."

   https://vmssoftware.com/products/openssh/ doesn't mention x86_64
release notes, but the IA64 one is all-purpose:

      https://vmssoftware.com/openkits/i64opensource/I64VMS-OPENSSH-V0809-1F-1-RNOTES.PDF


   Also:

>   Volume Status:  ODS-2, [...]

   Looks to me like a step backward.

Re: System can log in multiple times, user cannot login at all

Post by cct » Fri Aug 11, 2023 8:53 am

@sms I think he means his emulator key mapping - keys on his keyboard

Chris
--
Chris

Re: System can log in multiple times, user cannot login at all

Post by tlovern » Sat Aug 12, 2023 6:36 pm

exactly - keyboard map by application. Got it mostly sorted out on one terminal emulator, but not another one.

Using iTerm2 on OS X, got my keys mostly mapped. Though it does get confused once in a while when editing in TPU and gets in a weird mode where the cursor and screen are not in synch. (but that's not an OpenVMS issue)


Trying to do too many things at once.. configure the system, build code, configure the environment (emulators, printers, etc.) it's a good thing I love OpenVMS :lol:


Re: System can log in multiple times, user cannot login at all

Post by sms » Sun Aug 13, 2023 2:39 am

> Using iTerm2 on OS X, [...]

   I use XQuartz/xterm and have no serious problems.  My TPU work
normally involves "set keypad edt", and I don't constitute a thorough
test, but a little xmodmap action does what I need.
