The NTP server has a stratum limit of 15. The server does not synchronize to any time server that reports a stratum of 15 or greater. This may cause problems if you try to synchronize to a server running the UCX NTP server, if that server has been designated as "free running" (with the local-master command). For proper operation, the local-master designation must be specified with a stratum no greater than 14.

3.9 SNMP Problems and Restrictions

This section describes restrictions to the SNMP component for this release. For more information about using SNMP, refer to the HP TCP/IP Services for OpenVMS SNMP Programming and Reference manual.

3.9.1 Incomplete Restart

When the SNMP master agent and subagents fail or are stopped, TCP/IP Services is often able to restart all processes automatically. However, under certain conditions, subagent processes may not restart. When this happens, the display from the DCL command SHOW SYSTEM does not include TCPIP$OS_MIBS and TCPIP$HR_MIB. If this situation occurs, restart SNMP by entering the following commands:

$ @SYS$STARTUP:TCPIP$SNMP_SHUTDOWN.COM $ @SYS$STARTUP:TCPIP$SNMP_STARTUP.COM

3.9.2 SNMP IVP Error

On slow systems, the SNMP Installation Verification Procedure can fail because a subagent does not respond to the test query. The error messages look like this:

. . . Shutting down the SNMP service... done. Creating temporary read/write community SNMPIVP_153. Enabling SET operations. Starting the SNMP service... done. SNMPIVP: unexpected text in response to SNMP request: "- no such name - returned for variable 1" See file SYS$SYSDEVICE:[TCPIP$SNMP]TCPIP$SNMP_REQUEST.DAT for more details. sysContact could not be retrieved. Status = 0 The SNMP IVP has NOT completed successfully. SNMP IVP request completed. Press Return to continue ...

You can ignore these types of messages in the IVP.

3.9.3 Using Existing MIB Subagent Modules

If an existing subagent does not execute properly, you may need to relink it against the current version of TCP/IP Services to produce a working image. Some subagents (such as those for HP Insight Management Agents for OpenVMS) also require a minimum version of OpenVMS and a minimum version of TCP/IP Services.

The following restrictions apply:

• In general, only executable images linked against the following versions of the eSNMP shareable image are upward compatible with the current version of TCP/IP Services:
  • UCX$ESNMP_SHR.EXE from TCP/IP Services Version 4.2 ECO 4
  • TCPIP$ESNMP_SHR.EXE from TCP/IP Services Version 5.0A ECO 1
  
  Images built under versions other than these can be relinked with one of the shareable images, or with TCPIP$ESNMP_SHR.EXE in the current version of TCP/IP Services.
• The underlying eSNMP API changed from DPI in TCP/IP Services Version 5.0 to AgentX in later versions of TCP/IP Services. Therefore, executable images linked against older object library versions of the API (*$ESNMP.OLB) must be relinked against either the new object library or the new shareable image. Linking against the shareable image ensures future upward compatibility and results in smaller image sizes.

  Note Although images may run without being relinked, backward compatibility is not guaranteed. Such images can result in inaccurate data or run-time problems.

• This version of TCP/IP Services provides an updated version of the UCX$ESNMP_SHR.EXE shareable image to provide compatibility with subagents linked under TCP/IP Services Version 4.2 ECO 4. Do not delete this file.
• The SNMP server responds correctly to SNMP requests directed to a cluster alias. Note, however, that an unexpected host may be reached when querying from a TCP/IP Services Version 4.x system that is a member of a cluster group but is not the current impersonator.
• The SNMP master agent and subagents do not start if the value of the logical name TCPIP$INET_HOST does not yield the IP address of a functional interface on the host when used in a DNS query. This problem does not occur if the server host is configured correctly with a permanent network connection (for example, Ethernet or FDDI). The problem can occur when a host is connected through PPP and the IP address used for the PPP connection does not match the IP address associated with the TCPIP$INET_HOST logical name.
• Under certain conditions observed primarily on OpenVMS VAX systems, the master agent or subagent exits with an error from an internal select() socket call. In most circumstances, looping does not occur. If looping occurs, you can control the number of iterations by defining the TCPIP$SNMP_SELECT_ERROR_LIMIT logical name.
• The MIB browser provided with TCP/IP Services (TCPIP$SNMP_REQUEST.EXE) supports getnext processing of OIDs that include the 32-bit OpenVMS process ID as a component. However, other MIB browsers may not provide this support.
  For example, the following OIDs and values are supported on OpenVMS:

  1.3.6.1.2.1.25.4.2.1.1.1321206828 = 1321206828 1.3.6.1.2.1.25.4.2.1.1.1321206829 = 1321206829 1.3.6.1.2.1.25.4.2.1.1.1321206830 = 1321206830

  
  These examples are from hrSWRunTable ; the hrSWRunPerfTable may be affected as well.

• You can ignore the following warning that appears in the log file if a null OID value (0.0) is retrieved in response to a Get , GetNext , or GetBulk request:

  o_oid; Null oid or oid->elements, or oid->nelem == 0

After upgrading to the current version of TCP/IP Services, you must disable and then enable SNMP using the TCPIP$CONFIG.COM command procedure. When prompted for "this node" or "all nodes," select the option that reflects the previous configuration.

3.9.5 Communication Controller Data Not Fully Updated

When you upgrade TCP/IP Services and then modify an existing communication controller, programs that use the communication controller might not have access to the updated information.

To ensure that programs like the MIB browser (SNMP_REQUEST) have access to the new data about the communication controller, do the following:

1. Delete the communication controller using the TCP/IP management command DELETE COMMUNICATION_CONTROLLER.
2. Reset the communication controller by running the TCPIP$CONFIG.COM command procedure and exiting.
3. Restart the program (such as SNMP) by entering the following commands:

   $ @SYS$STARTUP:SNMP_SHUTDOWN.COM $ @SYS$STARTUP:SNMP_STARTUP.COM

4. Use the TCP/IP management command LIST COMMUNICATION_CONTROLLER to display the information.

If you use either the -l (loop mode) or -t (tree mode) flag, you cannot also specify the -m (maximum repetitions) flag or the -n (nonrepeaters) flag. The latter flags are incompatible with loop mode and tree mode.

Incorrect use of the -n and -m flags results in the following types of messages:

$ snmp_request mynode.co.com public getbulk -v2c -n 20 -m 10 -t 1.3.6.1.2.1 Warning: -n reset to 0 since -l or -t flag is specified. Warning: -m reset to 1 since -l or -t flag is specified. 1.3.6.1.2.1.1.1.0 = mynode.company.com

3.9.7 Duplicate Subagent Identifiers

With this version of TCP/IP Services, two subagents can have the same identifier parameter. Be aware, however, that having two subagents with the same name makes it difficult to determine the cause of problems reported in the log file.

3.9.8 Community Name Restrictions

The following restrictions on community names are imposed by TCPIP$CONFIG.COM:

• Do not specify community names that include a space character.
• A quotation mark (") specified as part of a community name might be handled incorrectly. Check the validity of the name with the SHOW CONFIGURATION SNMP command, and if necessary, correct the name with the SET CONFIGURATION SNMP command.

The following notes pertain to eSNMP programming and subagent development.

• In the documentation, the terms "extension subagent", "custom subagent", and "user-written subagent" refer to any subagent other than the standard subagents for MIB-II and the Host Resources MIB, which are provided as part of the TCP/IP Services product.
• In the [.SNMP] subdirectory of TCPIP$EXAMPLES, files with the .C, .H, .COM, .MY, and .AWK extensions contain additional comments and documentation.
• The TCPIP$SNMP_REQUEST.EXE, TCPIP$SNMP_TRAPSND.EXE, and TCPIP$SNMP_TRAPSND.EXE programs are useful for testing during extension subagent development.
• For information about prototypes and definitions for the routines in the eSNMP API, see the TCPIP$SNMP:ESNMP.H file.

The SNMP Installation Verification Program will not run correctly if debug or trace options are turned on for any TCP/IP Services for OpenVMS component.

For example, including the line:

options debug

in TCPIP$ETC:RESOLV.CONF results in unsuccessful completion status.

The problem also exists if socket tracing is turned on and directed to SYS$OUTPUT with the following command:

$ DEFINE TCPIP$SOCKET_TRACE SYS$OUTPUT

The additional output produced by these and other debug or trace options can cause problems with the SNMP IVP because it was designed to parse output from a standard configuration only.

This section contains the following information:

• SSH-related security advisories ( Section 3.10.1)
• SSH general notes and restrictions ( Section 3.10.2)
• UNIX features that are not supported by SSH ( Section 3.10.3)
• SSH command syntax notes and restrictions ( Section 3.10.4)
• SSH authentication notes and restrictions ( Section 3.10.5)
• SSH keys notes and restrictions ( Section 3.10.6)
• SSH session restrictions ( Section 3.10.7)
• SSH messages notes and restrictions ( Section 3.10.8)
• SSH remote command notes and restrictions ( Section 3.10.9)
• SSH batch mode restrictions ( Section 3.10.10)
• X11 port forwarding restrictions ( Section 3.10.12)
• File transfer restrictions (all file sizes) ( Section 3.10.13)
• File transfer restrictions (large files) ( Section 3.10.14)

Computer Emergency Readiness Team (CERT®) advisories are issued by the CERT Coordination Center (CERT/CC), a center of Internet security expertise located at the Software Engineering Institute, a federally-funded research and development center operated by Carnegie Mellon University. CERT advisories are a core component of the Technical Cyber Security Alerts document featured by the United States Computer Emergency Readiness Team (US-CERT), which provides timely information about current security issues, vulnerabilities, and exploits.

CERT and HP Software Security Response Team (SSRT) security advisories might be prompted by SSH activity. CERT advisories are documented at the following CERT/CC web site:

http://www.cert.org/advisories.

Table 3-1 provides brief interpretations of several SSH-related advisories:

Table 3-1 CERT/SSRT Network Security Advisories

Advisory	Impact on OpenVMS
CERT CA-2003-24	OpenSSH only; OpenVMS is not vulnerable.
CERT CA-2002-36	A worst case consequence of this vulnerability is a denial of service (DoS) for a single connection of one of the following types: Server process handling a connection from a malicious client Client process connecting to a malicious server In either case, a malicious remote host cannot gain access to the OpenVMS host (for example, to execute arbitrary code), and the OpenVMS server is still able to receive a new connection.
CERT-2001-35	OpenVMS is not vulnerable. Affects SSH Version 1 only, which is not supported.
CERT CA-1999-15	RSAREF2 library is not used; OpenVMS is not vulnerable.
SSRT3629A/B	OpenVMS is not vulnerable.

3.10.2 SSH General Notes and Restrictions

This section includes general notes and restrictions that are not specific to a particular SSH application.

• The UNIX path /etc is interpreted by the OpenVMS SSH server as TCPIP$SSH_DEVICE:[TCPIP$SSH].
• The following images are not included in this release:
  • TCPIP$SSH_SSH-CERTENROLL2.EXE
    This image provides certificate enrollment.
  • TCPIP$SSH_SSH-DUMMY-SHELL.EXE
    This image provides access to systems where only file transfer functionality is permitted.
  • TCPIP$SSH_SSH-PROBE2.EXE
    This image provides the ssh-probe2 command, which sends a query packet as a UDP datagram to servers and then displays the address and the SSH version number of the servers that respond to the query.

This section describes features that are expected in a UNIX environment but are not supported by SSH for OpenVMS.

• The server configuration parameter PermitRootLogin is not supported.
• The client configuration parameter EnforceSecureRutils is not supported.
• There is no automatic mapping from the UNIX ROOT account to the OpenVMS SYSTEM account.
• The SSH1 protocol suite is not supported for terminal sessions, remote command execution, and file transfer operations. Parameters unique to SSH1 in the server and client configuration files are ignored.

This section includes notes and restrictions pertaining to command syntax.

• From a non-OpenVMS client, if you use OpenVMS syntax for names (such as device names), enclose the names in single quotation marks to prevent certain characters from being interpreted as they would be on a UNIX system.
  For example, in the following command, UNIX interprets the dollar sign ($) as a terminator in the device name SYS$SYSDEVICE:[user], resulting in SYS:[user].

  # ssh user@vmssystem directory SYS$SYSDEVICE:[user]

  
  To avoid this problem, enter the command using the following format:

  # ssh user@vmssystem directory 'SYS$SYSDEVICE:[user]'

This section includes notes and restrictions pertaining to SSH authentication.

• The location of the SHOSTS.EQUIV file has been moved from TCPIP$SSH_DEVICE:[TCPIP$SSH] to TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2].
• If hostbased authentication does not work, the SSH server may have failed to match the host name sent by the client with the one it finds in DNS/BIND. You can check whether this problem exists by comparing the output of the following commands (ignoring differences in case of the output text):
  • On the server host:

    $ TCPIP TCPIP> SHOW HOST client-ip-address

  • On the client host:

    $ write sys$output - $_ "''f$trnlnm("TCPIP$INET_HOST")'.''f$trnlnm("TCPIP$INET_DOMAIN")'"

    
    If the two strings do not match, you should check the host name and domain configuration on the client host. It may be necessary to reconfigure and restart TCP/IP Services on the client host.

• If the user default directory in the SYSUAF user record is specified with angle brackets (for example, <user-name>) instead of square brackets ([user-name]), hostkey authentication fails. To solve this problem, change the user record to use square brackets.
• The pairing of user name and UIC in the OpenVMS rights database, as displayed by the AUTHORIZE utility's SHOW /IDENTIFIER command, must match the pairing in the SYSUAF record for that user name. If the pairings do not match, the following message error is displayed when the user attempts to establish an SSH session:

  $ ssh hosta %SYSTEM-F-ACCVIO, access violation, reason mask=00, virtual address=000000000000 0000, PC=FFFFFFFF811A88E8, PS=0000001B Improperly handled condition, image exit forced. Signal arguments: Number = 0000000000000005 Name = 000000000000000C 0000000000000000 0000000000000000 FFFFFFFF811A88E8 000000000000001B Register dump: R0 = FFFFFFFFFFFFFFFE R1 = 0000000000495D08 R2 = 000000000001DEE0 R3 = 00000000004ABE18 R4 = 0000000000000000 R5 = 0000000000000000 R6 = 0000000000000000 R7 = 0000000000000000 R8 = 0000000000000000 R9 = 0000000000000000 R10 = 0000000000000000 R11 = 00000000002F7C20 R12 = 0000000000000000 R13 = 0000000000498708 R14 = 00000000004EDF48 R15 = 000000007AECFE10 R16 = 0000000000000000 R17 = 0000000000000000 R18 = 0000000000000000 R19 = 000000007B624258 R20 = 0000000077770000 R21 = 0000000000000008 R22 = FFFFFFFF77774A00 R23 = 0000000300000000 R24 = 0000000000000001 R25 = 0000000000000001 R26 = 0000000000118A6C R27 = 000000007C062700 R28 = 0000000000000000 R29 = 000000007ADEF290 SP = 000000007ADEF290 PC = FFFFFFFF811A88E8 PS = 100000000000001B

  
  To solve this, use the AUTHORIZE utility to correct the pairing of user name and UIC value in the OpenVMS rights database.

This section includes notes and restrictions pertaining to SSH keys.

• SSH client users can copy their own customized version of the SSH2_CONFIG. file and modify the value of the variable StrictHostKeyChecking . By setting the value of this variable to "no," the user can enable the client to automatically copy the public key (without being prompted for confirmation) from an SSH server when contacting that server for the first time.
  A system manager can tighten security by setting the StrictHostKeyChecking variable to "yes" in the systemwide SSH2_CONFIG. file, and forcing users to use only the systemwide version of the file. In this case, to copy the public key from the server, users (and the system manager) must use another mechanism (for example, a privileged user can manually copy the public key). To enforce this tighter security response, the system manager can perform the following steps:
  1. Edit TCPIP$SSH_DEVICE:[TCPIP$SSH]SSH2_CONFIG. to include the following line:

     StrictHostKeyChecking yes

  2. Restrict user access to TCPIP$SSH_DEVICE:[TCPIP$SSH]SSH2_CONFIG. For example:

     $ SET SECURITY/PROTECTION=(G,W) TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSH2_CONFIG.;

  3. Edit the SYS$STARTUP:TCPIP$SSH_CLIENT_STARTUP.COM command procedure to install the SSH server image with the READALL privilege. In the following example, change the existing line to the replacement line, as indicated:

     . . . $ image = f$edit("sys$system:tcpip$ssh_ssh2.exe","upcase") $! call install_image 'image' "" <== existing line $ call install_image 'image' "readall" <== replacement . . .

  4. Enable the SSH client, as described in the HP TCP/IP Services for OpenVMS Guide to SSH.

     Note Steps 2 and 3 involve modification of system files. Therefore, it may be necessary to repeat the modifications after a future update of TCP/IP Services.

• If you do not specify the key file in the SSH_ADD command, and SSH_ADD finds no INDENTIFICATION. file, it adds only the first private key it finds in the [username.SSH2] directory.
• Do not use the SSH_KEYGEN -e option (used to edit the comment or passphrase of the key). This option does not work.
• With this release, the default size of keys generated by the SSH_KEYGEN utility is 2048 bits (for earlier releases, the default size was 1024 bits). Consequently, generation of keys takes longer --- sometimes five to ten times longer. On slow systems, or during SSH configuration, key generation may seem to be hanging when it is not. No progress indicator is displayed. During SSH configuration, the following messages indicate the keys are being generated:

  Creating private key file: TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEY Creating public key file: TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEY.PUB

  Note While the keys are being generated, you might notice a delay. This does not indicate a hang.