HP Open Source Security for OpenVMS Volume 3: Kerberos > Chapter 2 Installation and Configuration

Configuring HP TCP/IP Services for OpenVMS SSH with Kerberos

  Table of Contents

  Glossary

  Index

Using Kerberos with TCP/IP SSH for OpenVMS, you can authenticate your SSH connections between OpenVMS systems.

The minimum version of TCP/IP Services for OpenVMS necessary for Kerberized SSH is Version 5.6.

To "Kerberize" your SSH connections, perform the following steps.

  1. Install and configure TCP/IP for OpenVMS Services Version 5.6 or higher.

  2. Install and configure Kerberos for OpenVMS.

    If you have already installed OpenVMS Version 7.3-2 or higher, Kerberos is part of the OpenVMS installation procedure. If you have an earlier version of OpenVMS installed, you can download the Kerberos for OpenVMS PCSI kit from the Kerberos web site at http://h71000.www7.hp.com/openvms/products/kerberos/

  3. Shut down Kerberos, if it is running, by entering the following command:

    $ @SYS$STARTUP:KRB$SHUTDOWN

  4. Configure TCP/IP Services for OpenVMS by entering the following command:

    $ @SYS$STARTUP:TCPIP$CONFIG

  5. Select #2, Client components, from the TCP/IP Configuration Menu:

    HP TCP/IP Services for OpenVMS Configuration Menu

    Configuration options:

    1 - Core environment
    2 - Client components
    3 - Server components
    4 - Optional components

    5 - Shutdown HP TCP/IP Services for OpenVMS
    6 - Startup HP TCP/IP Services for OpenVMS
    7 - Run tests

    A - Configure options 1 - 4
    [E] - Exit configuration procedure

    Enter configuration option: 2
  6. Ensure that the SSH Client and Server services are enabled. Select #7, SSH Client, from the TCP/IP Configuration Menu:

    HP TCP/IP Services for OpenVMS Client Components Configuration Menu

    Configuration options:

    1 - DHCP Client Disabled Stopped
    2 - FTP Client Enabled Started
    3 - NFS Client Disabled Stopped
    4 - REXEC and RSH Enabled Started
    5 - RLOGIN Enabled Started
    6 - SMTP Disabled Stopped
    7 - SSH Client Disabled Stopped
    8 - TELNET Enabled Started
    9 - TELNETSYM Disabled Stopped

    A - Configure options 1 - 9
    [E] - Exit menu

    Enter configuration option: 7
  7. Select #2, Enable service on this node, from the TCP/IP Configuration Menu. Type YES when it asks if you want to configure the SSH SERVER. If SSH is already enabled, skip to step 9.

    SSH CLIENT configuration options:

    1 - Enable service on all nodes
    2 - Enable service on this node

    3 - Stop service on this node

    [E] - Exit SSH_CLIENT configuration

    Enter configuration option: 2

    The SSH SERVER is enabled.

    * Do you want to configure SSH SERVER [NO]: YES
  8. Select #2, Enable Service on this node, from the TCP/IP Configuration Menu. Press return to select the default or type YES to create a new default server host key.

    SSH configuration options:

    1 - Enable service on all nodes
    2 - Enable service on this node

    3 - Stop service on this node

    [E] - Exit SSH configuration

    Enter configuration option: 2
    * Create a new default server host key? [YES]: YES
    Creating private key file: TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEY
    Creating public key file: TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEY.PUB
  9. Select Exit twice to exit from each submenu of the TCP/IP Configuration Menu.

  10. If the system asks if you want to start SSH now, answer NO.

    The following services are enabled but not started:

    SSH, SSH_CLIENT

    * Start these services now? [N] NO

    You may start services individually with:

    @SYS$STARTUP:TCPIP$<service>_STARTUP.COM
  11. If SSH is not already running, manually start the SSH client and server by entering the following commands:

    $ @SYS$STARTUP:TCPIP$SSH_STARTUP.COM
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSHD2.EXE installed
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SFTP-SERVER2.EXE installed
    %TCPIP-I-INFO, logical names created
    %TCPIP-I-INFO, service enabled
    %TCPIP-S-STARTDONE, TCPIP$SSH startup completed

    $ @SYS$STARTUP:TCPIP$ssh_client_STARTUP.COM
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SCP2.EXE installed
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SFTP2.EXE installed
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH-ADD2.EXE installed
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH-AGENT2.EXE installed
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH-KEYGEN2.EXE installed
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH-SIGNER2.EXE installed
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH2.EXE installed
    %TCPIP-I-INFO, logical names created
    %TCPIP-S-STARTDONE, TCPIP$SSH_CLIENT startup completed
  12. Start Kerberos by entering the following command:

    $ @SYS$STARTUP:KRB$STARTUP
  13. Verify that the SSH service is enabled by entering the following command:

    $ TPCIP SHOW SERV

    Service Port Proto Process Address State

    FTP 21 TCP TCPIP$FTP 0.0.0.0 Enabled
    REXEC 512 TCP TCPIP$REXEC 0.0.0.0 Enabled
    RLOGIN 513 TCP not defined 0.0.0.0 Enabled
    RSH 514 TCP TCPIP$RSH 0.0.0.0 Enabled
    SSH 22 TCP TCPIP$SSH 0.0.0.0 Enabled
    TELNET 23 TCP not defined 0.0.0.0 Enabled
  14. Modify the following SSH configuration files to enable the Kerberos authentication methods:

    SYS$SYSDEVICE:[000000.TCPIP$SSH.SSH2]
    SSH2_CONFIG. (SSH client)
    SSHD2_CONFIG. (SSH server)

    In each file, under the 'Authentication' section, you must add the Kerberos authentication methods you would like to use. Following is an example that uses all three methods, plus the regular methods. Make sure you indent and space as the example in the file shows:

    AllowedAuthentications      gssapi-with-mic, kerberos-2@ssh.com,
    kerberos-tgt-2@ssh.com, publickey,
    password, hostbased

    You should only have one AllowedAuthentications line uncommented. If there are others that are uncommented, comment them out with a # sign as shown below:

    #   AllowedAuthentications       publickey, keyboard-interactive, password
  15. Add the following lines to SYS$MANAGER:SYSTARTUP_VMS.COM to install the 32-bit Kerberos images at boot time. They are needed for the Kerberos-based functionality with SSH:

    $ INSTALL CREATE SYS$SHARE:KRB$RTL32.EXE/OPEN/HEADER_RESIDENT/SHARED
    $ INSTALL CREATE SYS$SHARE:GSS$RTL32.EXE/OPEN/HEADER_RESIDENT/SHARE
  16. If you are using TCP/IP Version 5.6 and Kerberos Version 2.1 and want to use the gssapi-with-mic authentication method with SSH, you must define the following system logical:

    $ DEFINE/SYSTEM TCPIP$SSH_KRBRTL_HACK 1
  17. Set up the Kerberos symbols, if you have not already done so. Add the following command to the SYS$MANAGER:SYLOGIN.COM file.

    $ @SYS$MANAGER:KRB$SYMBOLS

The following steps should be performed by each user who will use Kerberized SSH.

  1. Log into the OpenVMS system.

    Welcome to OpenVMS (TM) Alpha Operating System, Version 8.3

    Username: user1
    Password:
  2. Perform a kinit with the principal name that matches the OpenVMS username. To do so, enter one of the following commands at the DCL prompt each time you start a Kerberized application, such as TCP/IP Services for OpenVMS SSH. You are then prompted for the password associated with the principal. (The -f is required for the kerberos-tgt-2 authentication method.)

    $ kinit -f “USER1”
    password for user1@NODE1.HP.COM

    $ kinit “USER1”
    password for user1@NODE1.HP.COM
  3. Enter the SSH command specifying the Kerberos authentication method to use and the hostname as follows:

    $ ssh -o”AllowedAuthentications gssapi-with-mic” node1
    Authentication successful.

    Welcome to OpenVMS (TM) Operating System, Version 8.3

    $ ssh -o”AllowedAuthentications kerberos-2@ssh.com” node1
    Authentication successful.

    Welcome to OpenVMS (TM) Operating System, Version 8.3

    $ ssh -o”AllowedAuthentications kerberos-tgt-2@ssh.com” node1
    Authentication successful.

    Welcome to OpenVMS (TM) Operating System, Version 8.3

    $
  4. See the HP TCP/IP Services for OpenVMS Guide to SSH for more information about configuring SSH and troubleshooting.