Last week I had an occasion to test public key authentication from OpenVMS to Linux. With the dayjob we have an implementation where data will be sent in batch via sftp to a Linux box. To get a better idea of “the entire process” thought I should take my Debian box and test authenticating to it. Once I got through all the quirks it wasn’t that difficult.
The biggest challenge has been getting past access violations when executing ssh commands on some OpenVMS servers. What I found on HP’s ITRC forum referenced UIC in RIGHTSLIST needing to match what’s in SYSUAF, for a user executing SSH commands. Even though OpenVMS TCPIP version 5.6 ECO 1 release notes comment about this as being fixed we have experienced it with ECO 2. None the less updating the RIGHTSLIST resolves the problem.
As for set up it wasn’t to bad. Here’s the steps (summary) I used.
- Enable the SSH Client in TCPIP$CONFIG.
- Create a sub folder for the user of [.SSH2], making sure your logged in as the account in question.
- Set default to that directory and create a key using ssh_keygen. (In order to use ssh_keygen you must first execute sys$manager:tcpip$define_commands.com.)
- Create an IDENTIFICATION. file with a line of.
KeyID <private key name>
- Push the public key (.PUB) to the Linux box.
- Log in as the user you’ll be connecting with, create a .ssh subfolder if it does not already exist.
- Take the public key (.PUB) from the OpenVMS box and put it in the authorized_keys file.
$ ssh-keygen -i -f openvms.pub >> authorized_keys note: keep in mind where default is in relation to .ssh/authorized_keys the above would assume your in ~/.ssh when executing ssh-keygen.
This was with the default config for sshd on Debian GNU/Linux 5.0 (lenny). Something to also keep in mind is from a security perspective ensuring access to the key files is limited to the user would be a good practice on both systems.