HP Open Source Security for OpenVMS Volume 3: Kerberos > Chapter 2 Installation and Configuration

Configuring HP TCP/IP Services for OpenVMS SSH with Kerberos

Using Kerberos with TCP/IP Services for OpenVMS SSH, you can authenticate
your SSH connections between OpenVMS systems. The minimum version of
TCP/IP Services for OpenVMS necessary for Kerberized SSH is Version 5.6.
To "Kerberize" your SSH connections, perform the following steps.

1. Install and configure TCP/IP Services for OpenVMS Version 5.6 or higher.

2. Install and configure Kerberos for OpenVMS. If you have already installed
   OpenVMS Version 7.3-2 or higher, Kerberos is part of the OpenVMS
   installation procedure. If you have an earlier version of OpenVMS
   installed, you can download the Kerberos for OpenVMS PCSI kit from the
   Kerberos web site at

       http://h71000.www7.hp.com/openvms/products/kerberos/

3. Shut down Kerberos, if it is running, by entering the following command:

       $ @SYS$STARTUP:KRB$SHUTDOWN

4. Configure TCP/IP Services for OpenVMS by entering the following command:

       $ @SYS$STARTUP:TCPIP$CONFIG

5. Select #2, Client components, from the TCP/IP Configuration Menu:

       HP TCP/IP Services for OpenVMS Configuration Menu

       Configuration options:

            1  -  Core environment
            2  -  Client components
            3  -  Server components
            4  -  Optional components

            5  -  Shutdown HP TCP/IP Services for OpenVMS
            6  -  Startup HP TCP/IP Services for OpenVMS
            7  -  Run tests

            A  -  Configure options 1 - 4
           [E] -  Exit configuration procedure

       Enter configuration option: 2
6. Ensure that the SSH Client and Server services are enabled. Select #7,
   SSH Client, from the TCP/IP Configuration Menu:

       HP TCP/IP Services for OpenVMS Client Components Configuration Menu

       Configuration options:

            1  -  DHCP Client      Disabled Stopped
            2  -  FTP Client       Enabled  Started
            3  -  NFS Client       Disabled Stopped
            4  -  REXEC and RSH    Enabled  Started
            5  -  RLOGIN           Enabled  Started
            6  -  SMTP             Disabled Stopped
            7  -  SSH Client       Disabled Stopped
            8  -  TELNET           Enabled  Started
            9  -  TELNETSYM        Disabled Stopped

            A  -  Configure options 1 - 9
           [E] -  Exit menu

       Enter configuration option: 7

7. Select #2, Enable service on this node, from the TCP/IP Configuration
   Menu. Type YES when it asks if you want to configure the SSH SERVER.
   If SSH is already enabled, skip to step 9.

       SSH CLIENT configuration options:

            1 - Enable service on all nodes
            2 - Enable service on this node
            3 - Stop service on this node

           [E] - Exit SSH_CLIENT configuration

       Enter configuration option: 2

       The SSH SERVER is enabled.

       * Do you want to configure SSH SERVER [NO]: YES

8. Select #2, Enable Service on this node, from the TCP/IP Configuration
   Menu. Press return to select the default or type YES to create a new
   default server host key.

       SSH configuration options:

            1 - Enable service on all nodes
            2 - Enable service on this node
            3 - Stop service on this node

           [E] - Exit SSH configuration

       Enter configuration option: 2

       * Create a new default server host key? [YES]: YES
       Creating private key file: TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEY
       Creating public key file: TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEY.PUB

9. Select Exit twice to exit from each submenu of the TCP/IP Configuration
   Menu. If the system asks if you want to start SSH now, answer NO.

       The following services are enabled but not started:

         SSH, SSH_CLIENT

       * Start these services now? [N] NO

       You may start services individually with:

         @SYS$STARTUP:TCPIP$<service>_STARTUP.COM
10. If SSH is not already running, manually start the SSH client and server
    by entering the following commands:

       $ @SYS$STARTUP:TCPIP$SSH_STARTUP.COM
       %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSHD2.EXE installed
       %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SFTP-SERVER2.EXE installed
       %TCPIP-I-INFO, logical names created
       %TCPIP-I-INFO, service enabled
       %TCPIP-S-STARTDONE, TCPIP$SSH startup completed

       $ @SYS$STARTUP:TCPIP$ssh_client_STARTUP.COM
       %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SCP2.EXE installed
       %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SFTP2.EXE installed
       %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH-ADD2.EXE installed
       %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH-AGENT2.EXE installed
       %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH-KEYGEN2.EXE installed
       %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH-SIGNER2.EXE installed
       %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH2.EXE installed
       %TCPIP-I-INFO, logical names created
       %TCPIP-S-STARTDONE, TCPIP$SSH_CLIENT startup completed

11. Start Kerberos by entering the following command:

       $ @SYS$STARTUP:KRB$STARTUP

12. Verify that the SSH service is enabled by entering the following command:

       $ TCPIP SHOW SERV

       Service         Port  Proto    Process          Address        State
       FTP               21  TCP      TCPIP$FTP        0.0.0.0        Enabled
       REXEC            512  TCP      TCPIP$REXEC      0.0.0.0        Enabled
       RLOGIN           513  TCP      not defined      0.0.0.0        Enabled
       RSH              514  TCP      TCPIP$RSH        0.0.0.0        Enabled
       SSH               22  TCP      TCPIP$SSH        0.0.0.0        Enabled
       TELNET            23  TCP      not defined      0.0.0.0        Enabled
13. Modify the following SSH configuration files to enable the Kerberos
    authentication methods:

       SYS$SYSDEVICE:[000000.TCPIP$SSH.SSH2]
           SSH2_CONFIG.     (SSH client)
           SSHD2_CONFIG.    (SSH server)

14. In each file, under the 'Authentication' section, you must add the
    Kerberos authentication methods you would like to use. Following is an
    example that uses all three methods, plus the regular methods. Make sure
    you indent and space as the example in the file shows:

       AllowedAuthentications      gssapi-with-mic, kerberos-2@ssh.com,
                                   kerberos-tgt-2@ssh.com, publickey,
                                   password, hostbased

15. You should only have one AllowedAuthentications line uncommented. If
    there are others that are uncommented, comment them out with a # sign
    as shown below:

       #   AllowedAuthentications       publickey, keyboard-interactive, password
16. Add the following lines to SYS$MANAGER:SYSTARTUP_VMS.COM to install the
    32-bit Kerberos images at boot time. They are needed for the
    Kerberos-based functionality with SSH:

       $ INSTALL CREATE SYS$SHARE:KRB$RTL32.EXE/OPEN/HEADER_RESIDENT/SHARED
       $ INSTALL CREATE SYS$SHARE:GSS$RTL32.EXE/OPEN/HEADER_RESIDENT/SHARED

17. If you are using TCP/IP Version 5.6 and Kerberos Version 2.1 and want
    to use the gssapi-with-mic authentication method with SSH, you must
    define the following system logical:

       $ DEFINE/SYSTEM TCPIP$SSH_KRBRTL_HACK 1

18. Set up the Kerberos symbols, if you have not already done so. Add the
    following command to the SYS$MANAGER:SYLOGIN.COM file:

       $ @SYS$MANAGER:KRB$SYMBOLS
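Before restarting SSH after steps 14 and 15, it is worth confirming that the edited SSH2_CONFIG and SSHD2_CONFIG actually carry exactly one uncommented AllowedAuthentications line and that a Kerberos method is on it. The following check is an added example and is not part of this manual or of TCP/IP Services; it assumes the SSH2-style layout shown above, where an indented line continues the preceding keyword's value, and the sample configurations are constructed.

```python
# Added check (not from the manual or TCP/IP Services): lint the
# AllowedAuthentications setting in an SSH2_CONFIG or SSHD2_CONFIG.
# Assumption: an indented line continues the preceding keyword's value.

KERBEROS_METHODS = {"gssapi-with-mic", "kerberos-2@ssh.com",
                    "kerberos-tgt-2@ssh.com"}


def parse_ssh2_config(text):
    """Return (keyword, value) pairs for every uncommented setting."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank or commented-out line
        if raw[0].isspace() and entries:
            kw, val = entries[-1]         # continuation of previous keyword
            entries[-1] = (kw, val + " " + raw.strip())
            continue
        parts = raw.strip().split(None, 1)
        entries.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return entries


def check_allowed_authentications(text):
    """Return (ok, problems, methods) for the AllowedAuthentications rule."""
    values = [v for k, v in parse_ssh2_config(text)
              if k.lower() == "allowedauthentications"]
    problems = []
    if len(values) != 1:
        problems.append("expected exactly one uncommented "
                        f"AllowedAuthentications line, found {len(values)}")
    methods = [m.strip() for v in values for m in v.split(",") if m.strip()]
    if not KERBEROS_METHODS & set(methods):
        problems.append("no Kerberos authentication method is listed")
    return (not problems, problems, methods)


# Constructed sample: the manual's layout with the old line commented out.
SAMPLE_GOOD = """\
## Authentication
AllowedAuthentications      gssapi-with-mic, kerberos-2@ssh.com,
                            kerberos-tgt-2@ssh.com, publickey,
                            password, hostbased
#   AllowedAuthentications       publickey, keyboard-interactive, password
"""

# Constructed sample: the old line left uncommented (step 15 violated).
SAMPLE_BAD = SAMPLE_GOOD.replace("#   AllowedAuthentications", "AllowedAuthentications")
```

Run check_allowed_authentications over the text of each file; a result of False with "found 2" means a second AllowedAuthentications line is still active and the SSH2 server would not be using the intended list.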
 
The following steps should be performed by each user who will use
Kerberized SSH.

1. Log into the OpenVMS system.

       Welcome to OpenVMS (TM) Alpha Operating System, Version 8.3

       Username: user1
       Password:

2. Perform a kinit with the principal name that matches the OpenVMS
   username. To do so, enter one of the following commands at the DCL
   prompt each time you start a Kerberized application, such as TCP/IP
   Services for OpenVMS SSH. You are then prompted for the password
   associated with the principal. (The -f is required for the
   kerberos-tgt-2 authentication method.)

       $ kinit -f "USER1"
       password for user1@NODE1.HP.COM

       $ kinit "USER1"
       password for user1@NODE1.HP.COM

3. Enter the SSH command specifying the Kerberos authentication method to
   use and the hostname as follows:

       $ ssh -o"AllowedAuthentications gssapi-with-mic" node1
       Authentication successful.

       Welcome to OpenVMS (TM) Operating System, Version 8.3

       $ ssh -o"AllowedAuthentications kerberos-2@ssh.com" node1
       Authentication successful.

       Welcome to OpenVMS (TM) Operating System, Version 8.3

       $ ssh -o"AllowedAuthentications kerberos-tgt-2@ssh.com" node1
       Authentication successful.

       Welcome to OpenVMS (TM) Operating System, Version 8.3

       $
See the HP TCP/IP Services for OpenVMS Guide to SSH for more information
about configuring SSH and troubleshooting.