8-AUG-1998

This directory contains the sources for a crude SSH server for VMS. Some local customization may be needed to build and install this program.

Requirements:

- OpenVMS 6.2 or higher.
- DEC C compiler, 5.4 or higher.
- DEC TCP/IP Services for OpenVMS (UCX) or Multinet with UCX emulation.
- SSLeay 0.8.1, with the patch to support the RSA_NO_PADDING encryption option.
  (Do not use the RSAREF option when building SSLeay; it DOES NOT WORK.)
  (SSLeay is available from http://www.free.lp.se/ssleay/.)
- (optional) DECnet, for SSH 'command' mode when not using the initiator program.

Building:

First edit ssl_location.mms and change the lines that begin "!ssllib =" and "!sslinc =", removing the "!" and making the values reflect the correct directories for your SSLeay installation.

Use one of the following commands to build the executables:

    alpha:  $ MMS all
            $ @build_ssh_server.com

    vax:    $ MMS/macro=vax_build=1 all
            $ @build_ssh_server-vax.com

There are 6 executables and 1 shareable image produced by the build:

    SSH_SERVER.EXE     Main server, runs in a detached process and accepts
                       multiple incoming SSH connections via DECthreads
                       multi-threading.

    RSA_ENGINE.EXE     Runs in a sub-process created by SSH_SERVER and handles
                       the computationally intensive RSA decryption used to
                       exchange the session key.

    KEY_GENERATOR.EXE  Runs in a sub-process created by SSH_SERVER and handles
                       periodic generation of a new RSA server key (skey.pem).

    INITIATOR.EXE      Runs in a sub-process created by SSH_SERVER and handles
                       creating the login processes (under the client's
                       username) for client connections.

    SETHOST_SSH.EXE    Primitive client program for exercising the SSH server
                       when other clients aren't available.

    SSH_LOGINOUT.EXE   Program run by user processes to mimic normal loginout
                       reporting (last login, new mail, etc). To work properly,
                       this program must be installed with sysprv.

    SSHCRYPTOSHR.EXE   (alpha only) Shareable image that provides the common
                       cryptographic routines (SSLeay) used by the 4 executable
                       images.
Installation:

First, you must generate 2 RSA private keys, each in a separate key file: skey.pem and hkey.pem. Invoking the ssh_server_startup.com procedure with a P1 value of "INITIAL_KEY" will generate these key files. You can alternatively generate the files using the genrsa application provided with SSLeay, with the following restrictions:

- The key lengths must differ by 256 or more bits (e.g. 768, 1024).
- The files must be in PEM format and must NOT be password protected.

Protect the key files against access from non-privileged users.

Copy the SSHEXEC.COM command procedure to the same directory as the login file pointed to by the sys$sylogin logical and make it world readable.

Edit ssh_parameters.dat so the parameter file lines host_key and server_key point to the pem files created in the previous step.

Test the server by invoking ssh_server_startup.com with a P1 value of "TEST" (i.e. "$ @ssh_server_startup test"). In test mode, the server is run interactively rather than creating a detached process to run the server.

Modify your system startup procedures to invoke ssh_server_startup during boot and install ssh_loginout.exe with sysprv.

Edit your system's sys$sylogin procedure to include ssh_login.com so that logins via SSH mimic the informational displays of a conventional login. This step is mandatory for X11 support to function properly.

Notes and caveats:

If you are running UCX 4.1, be sure you are at least at ECO 7; there are bugs in earlier versions that cause corrupted packets.

The sethost_ssh program is provided to aid in server testing only.

The only cipher types supported are none, idea, des, 3des, RC4, and blowfish. By default all ciphers except 'none' are enabled; you can edit the parameters file to change the list of allowed ciphers.

The only authentication types supported are password and RSA. The user password must match the SYSUAF entry.

X-11 tunneling is supported but has serious security considerations.
Any logged in VMS user may connect to the X11 server being proxied through the SSH connection.

There are three methods by which the SSH server creates user processes in response to a new request; which one is used depends upon the parameter file options chosen:

1. Via the initiator helper program, run as a sub-process of the server process. This method will be used if the parameter file contains a definition for the initiator parameter.

2. Via DECnet task (SSHEXEC), used for 'command' (non-PTY) mode. This method uses the username and password in the DECnet access control string to run the task as the target user and can therefore only be used with password authentication (no RSA).

3. Via latent login to a pseudo-terminal (PDT), capturing the "Username: " and "Password: " prompts and responding appropriately. This method too is limited to password authentication only. Note that if your system does not use these prompts, you will have to edit cport_pty.c to look for the right strings.

The PTYs for 'shell' mode are created with default terminal characteristics set by the SYSGEN parameters TTY_DEFCHAR and TTY_DEFCHAR2 plus any changes specified in the parameters file. The screen size (rows, columns) and echo state specified in the ssh PTY request are the only client-specified parameters observed. Window_size requests sent during the interactive phase are ignored.

Do not set the PTY /nohostsync. The PTY control routines disable input when the typeahead buffer is full, and if /nohostsync is set the terminal will never get a signal to resume input. If the typeahead buffer on the PTY fills, control-Ys sent by the client will sit in the TCP stream until all pending input is read.

The sethost_ssh program sets the local terminal /pasthru/noecho. If the program crashes without executing the exit handler, the terminal may be left in this state. Since /pasthru inhibits control-Y from interrupting the program, it uses control-\ as an escape character, forcing immediate exit of the program.
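As an added example (not part of this distribution), a Python check of the key-file restrictions listed under Installation: both hkey.pem and skey.pem must be unencrypted PEM files, and their RSA moduli must differ by 256 or more bits. The PEM builder only constructs placeholder PKCS#1 files of a given modulus size so the check has something to run on; it does not produce usable RSA keys.

```python
import base64
import re

def der_len(n):  # DER length field, short or long form
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_int(v):  # DER INTEGER, padded with 0x00 when the top bit is set
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + der_len(len(b)) + b

def make_pkcs1_pem(modulus_bits):
    # Constructed PKCS#1 'RSA PRIVATE KEY' PEM with a modulus of the given size.
    # The integers are placeholders, NOT real RSA parameters.
    n = (1 << (modulus_bits - 1)) | 1
    body = der_int(0) + der_int(n) + b"".join(der_int(1) for _ in range(7))
    b64 = base64.b64encode(b"\x30" + der_len(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % lines

def read_tlv(buf, pos):  # parse one DER tag/length/value; return (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln

def is_password_protected(pem):  # traditional PEM encryption header
    return "Proc-Type: 4,ENCRYPTED" in pem

def modulus_bits(pem):  # modulus size of an unencrypted PKCS#1 PEM RSA key
    if is_password_protected(pem):
        raise ValueError("key file is password protected; the server cannot read it")
    m = re.search(r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM-format RSA PRIVATE KEY")
    der = base64.b64decode("".join(m.group(1).split()))
    _, seq, _ = read_tlv(der, 0)          # outer RSAPrivateKey SEQUENCE
    _, _version, pos = read_tlv(seq, 0)   # version INTEGER, skipped
    _, n, _ = read_tlv(seq, pos)          # modulus n is the second INTEGER
    return int.from_bytes(n, "big").bit_length()

def check_key_pair(hkey_pem, skey_pem, min_diff=256):
    # True when both keys parse, are unencrypted and differ by >= min_diff bits.
    return abs(modulus_bits(hkey_pem) - modulus_bits(skey_pem)) >= min_diff
```

To check a real installation, read hkey.pem and skey.pem from disk and pass their contents to check_key_pair; a ValueError names the restriction that was violated.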
-------------------------------------------------------------------------------
David L. Jones               | Phone: (614) 292-6929
Ohio State University        | Internet:
140 W. 19th St. Rm. 231a     |   jonesd@kcgl1.eng.ohio-state.edu
Columbus, OH 43210           |   vman+@osu.edu