OpenSSH Beta
-
Topic author - Contributor
- Posts: 22
- Joined: Tue Feb 15, 2022 3:47 pm
- Reputation: 0
- Status: Offline
OpenSSH Beta
I installed the OpenSSH beta on a V8.4 IA64 system, but when I try to ssh to it, it immediately closes the link. It doesn't even start the ssh daemon, and no log is created. What am I doing wrong?
Last edited by csewell on Tue Feb 15, 2022 3:55 pm, edited 2 times in total.
-
- VSI Expert
- Contributor
- Posts: 13
- Joined: Tue Aug 27, 2019 11:46 am
- Reputation: 0
- Status: Offline
Re: OpenSSH Beta
Hi,
If you mean HPE OpenVMS v8.4, the new OpenSSH for OpenVMS requires VSI OpenVMS I64 v8.4-2L1 or newer (or x86-64 v9.1-A).
-
Topic author - Contributor
- Posts: 22
- Joined: Tue Feb 15, 2022 3:47 pm
- Reputation: 0
- Status: Offline
Re: OpenSSH Beta
No, I mean VSI OpenVMS 8.4-2L1 on IA64, the latest, barring V9.
Last edited by csewell on Wed Feb 16, 2022 8:28 am, edited 1 time in total.
-
Topic author - Contributor
- Posts: 22
- Joined: Tue Feb 15, 2022 3:47 pm
- Reputation: 0
- Status: Offline
Re: OpenSSH Beta
I can't figure out what the problem is. If I set OpenSSH as the service for port 22, any incoming connections to port 22 get dropped immediately without even starting the service command file. Outgoing connections from the ssh clients work fine, it's just the ssh server that is the problem; TCPIP$INETACP drops the connection without starting the service. Since that wasn't changed when the beta was installed there must be something wrong with the service definition.
-
- VSI Expert
- Contributor
- Posts: 13
- Joined: Tue Aug 27, 2019 11:46 am
- Reputation: 0
- Status: Offline
Re: OpenSSH Beta
Hi,
So no new SSH$ROOT:[VAR]SSH$SSHD_STARTUP.LOG when you try to connect?
You may need to enable debug mode on the ssh client to get more info.
The service definition is typical:
$ ucx sh serv/full sshd22
Service: SSHD22
State: Enabled
Port: 22 Protocol: TCP Address: 0.0.0.0
Inactivity: 5 User_name: SSH$SSH Process: SSHD22
Limit: 10000 Active: 0 Peak: 1
File: SSH$ROOT:[BIN]SSH$SSHD_STARTUP.COM
Flags: Listen
Socket Opts: Rcheck Scheck
Receive: 0 Send: 0
Log Opts: None
File: SSH$ROOT:[VAR]SSH$SSHD_STARTUP.LOG
Security
Reject msg: not defined
Accept host: 0.0.0.0
Accept netw: 0.0.0.0
On the OpenSSH VMS host, can you TELNET to port 22:
$ telnet vmshost 22
%TELNET-I-TRYING, Trying ... 10.10.10.10
%TELNET-I-SESSION, Session 01, host vmshost, port 22
SSH-2.0-OpenSSH_8.8 VSIe character is ^]
Press Ctrl\] to get the TELNET prompt; then enter QUIT.
-
- Master
- Posts: 142
- Joined: Fri Jun 28, 2019 8:45 am
- Reputation: 0
- Location: South Tyneside, UK
- Status: Offline
- Contact:
Re: OpenSSH Beta
By default the new SSH server requires modern cryptography.
I found this by doing ssh -v which told me the client system I was using [HPE OpenVMS V8.4] did not have the algorithms that the OpenSSH server was accepting.
I will have to alter the SSHD_CONFIG to allow for the dim and distant past supported by VMS V8.4.
Ian Miller
[ personal opinion only. usual disclaimers apply. Do not taunt happy fun ball ].
-
Topic author - Contributor
- Posts: 22
- Joined: Tue Feb 15, 2022 3:47 pm
- Reputation: 0
- Status: Offline
Re: OpenSSH Beta
The service isn't getting far enough to grab the contents of SSHD_CONFIG. However the display of the service settings did the trick. For some reason when the service was migrated the /LIMIT was changed to 0 which explains why the listener immediately closed the connection. It had reached the limit of 0 service copies running! Changing the limit to 10000 and a quick ENABLE/DISABLE and it's now starting the service command file.
Now for the next problem. The client connects, is authenticated, and then the daemon closes the connection:
$ SET PROC/DUMP
$ sshd -i
[Wed Feb 16 08:56:28 2022] [auth] [info] (00002D6A) ssh$sshd.exe.1:Accepted publickey for <username> from nnn.nnn.nnn.nnn port 51199 ssh2: RSA SHA256:<hex>
rg
[Wed Feb 16 08:56:28 2022] [auth] [err] (00002D6A) ssh$sshd.exe.1:error: no more sessions
SSH$SSH job terminated at 16-FEB-2022 08:56:29.00
So I took a look at SSHD_CONFIG and it had set MaxSessions 0 during the migration for some reason. I commented that out to let it use the default value (10 I think), and it's now working. Connections work through both the original tcpip clients and the new openssh clients.
Last edited by csewell on Wed Feb 16, 2022 11:16 am, edited 2 times in total.
-
- VSI Expert
- Contributor
- Posts: 13
- Joined: Tue Aug 27, 2019 11:46 am
- Reputation: 0
- Status: Offline
Re: OpenSSH Beta
Is there any mention of Maxsessions in the migration log - ssh$root:[var]ssh$migration_<date>_<time>.log?
Or in the old SSHD2_CONFIG. file, is Maxconnections specified:
$ sea sys$sysdevice:[tcpip$ssh.ssh2]sshd2_config. maxcon
-
Topic author - Contributor
- Posts: 22
- Joined: Tue Feb 15, 2022 3:47 pm
- Reputation: 0
- Status: Offline
Re: OpenSSH Beta
You're right, the original SSHD2_CONFIG file also has MaxConnections 0 uncommented in it. It's different than the config files across our other identical OpenVMS servers. I don't recall changing it and it doesn't seem to be obeyed under tcpip.
Update: Now I remember I copied that config file from another server that had been set up by someone else. Maybe they thought MaxConnections 0 meant unlimited. In any case, the original tcpip ssh daemon doesn't obey that setting, or we would have heard about it.
Last edited by csewell on Wed Feb 16, 2022 5:11 pm, edited 1 time in total.
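An added example, not part of any post in this thread: a Python check for the MaxSessions 0 setting behind the "no more sessions" error above. It assumes upstream OpenSSH sshd_config parsing rules (case-insensitive keywords, first value wins, Match blocks override the global section); the sample configuration and the function names are constructed for illustration.

```python
import re

# Keywords where 0 means "none allowed", not "unlimited".
# MaxSessions is the case from the thread; upstream OpenSSH defaults to 10.
ZERO_MEANS_NONE = {
    "maxsessions": "no shell, login or subsystem sessions are allowed",
}

# Constructed sample, shaped like a config a migration might leave behind.
SAMPLE = """\
# constructed sshd_config for illustration
Port 22
PubkeyAuthentication yes
MaxSessions 0
maxsessions = 10
Match User batch
    MaxSessions=0
"""

def effective_values(config_text, keyword):
    """Return {scope: (value, line_no)} using the first occurrence per scope."""
    keyword = keyword.lower()
    scope = "global"
    found = {}
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        name = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if name == "match":
            scope = "Match " + arg  # following keywords apply to this block
            continue
        if name == keyword and scope not in found:
            found[scope] = (arg, line_no)  # later duplicates are ignored
    return found

def zero_limit_findings(config_text):
    """List (line_no, scope, keyword, effect) for limits that resolve to 0."""
    findings = []
    for keyword, effect in ZERO_MEANS_NONE.items():
        for scope, (value, line_no) in effective_values(config_text, keyword).items():
            if value == "0":
                findings.append((line_no, scope, keyword, effect))
    return sorted(findings)
```

On the sample, line 5 (`maxsessions = 10`) does not rescue the global section, because the earlier `MaxSessions 0` on line 4 is the value that takes effect.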
Re: OpenSSH Beta
> I installed the OpenSSH beta on an V8.4 IA64 system, [...]
I'll bite. Is this kit available (to a peon) someplace? Or is there
some good reason I don't see it?