
SOFTWARE PRODUCT DESCRIPTION

SSH for OpenVMS

Version 2.4

The SSH for OpenVMS Solution

SSH for OpenVMS is the complete SSH networking security extension for HP's VAX, Alpha and Integrity systems running TCP/IP Services for OpenVMS (sometimes referred to as UCX). SSH for OpenVMS turns VAX, Alpha and Integrity computers into secure application servers in multi-platform environments, and integrates OpenVMS systems with virtually any system through industry-standard SSH over TCP/IP.

The De-Facto Standard for Network Security

The SSH protocol is used by millions of users and thousands of organizations all over the world. SSH protocol version 2 is the basis for the Internet Engineering Task Force (IETF) SECSH standard. Process Software implements the F-Secure SSH protocol, which is the only solution that has been certified by the ICSA.

Easy to Install and Operate

Process Software's SSH products integrate cleanly into the OpenVMS environment. SSH for OpenVMS supports OpenVMS v5.5-2 and higher, with TCP/IP Services v4.0 (with ECO 5) and higher. It uses the standard TCP/IP Services for OpenVMS BG interface.

SSH for OpenVMS is easy to install using the VMINSTAL installation procedure. It takes less than five minutes to configure all services and utilities. You can control SSH for OpenVMS by means of a single utility that simplifies network management and allows you to manage IT security.

Configuration Support

SSH for OpenVMS supports VAX, Alpha and Integrity computers running various versions of OpenVMS. When each node in an OpenVMS cluster shares a common system disk, the cluster needs to store just one copy of most SSH for OpenVMS files. Only a few system-specific configuration files are required on each machine that runs the software.

SSH for OpenVMS supports Symmetric Multi-Processing (SMP) for OpenVMS.

Secure Shell (SSH) v1 Client and Server

SSH for OpenVMS provides secure communication over unsecured networks. The SSH client is an application for logging into and executing commands on a remote system, replacing the rsh, rlogin, rshell, and telnet applications. Furthermore, X11 connections and arbitrary TCP/IP ports can be forwarded over the secure channel. SSH connects and logs into the specified host.

SSH for OpenVMS supports protocol version 1 client and server. The Secure Shell Daemon (SSHD) is the daemon program for SSH v1 that listens for connections from clients. When the SSHD starts it generates an RSA key (normally 768 bits). This key is regenerated every hour (the time may be changed in the configuration file) if it has been used, and is never stored on disk. A new daemon is created for each incoming connection.

A program that allows both SSH1 and SSH2 logins is provided with SSH for OpenVMS. It is based on WRQ RSIT 6.1.4.0. Any SSH client that uses the SSH v1 protocol may be used to access the server. Examples of such programs include FISSH, MultiNet, TCPware, and SSH for OpenVMS; TTSSH, F-Secure Secure SSH, Secure CRT(R), and PuTTY on Windows(R)-based systems; and F-Secure SSH and other SSH programs on UNIX-based systems.

The SSH v1 server is based on F-Secure code version 1.5. The SSH server is authenticated using a combination of public and private keys. Once the server has been authenticated, the user must be authenticated. Process Software offers four options for user authentication: rhosts, rhosts-RSA, RSA challenge-response, and password.

Secure Shell (SSH) v2 Client and Server

SSH for OpenVMS also supports protocol v2 client and server. It is based on WRQ RSIT 6.1.4.0. SSH v2 is generally regarded to be more secure than SSH v1. Although the protocols are incompatible, they may exist simultaneously on a Process Software SSH system. The SSH for OpenVMS server front-end identifies which protocol a client desires to use, and will create an appropriate server for that client. The SSH2 server and client are compiled from unaltered cryptographic source which is FIPS 140-2 Level 2 compliant.

The server is authenticated via a public key and the Diffie-Hellman key-exchange method. Diffie-Hellman uses a 256-bit random number for the "session key". This key is used to encrypt all further communications in the session. The SSH v2 client authentication offers the following options: host-based, public-key, Kerberos 5, password, keyboard-interactive, and Certificate. With SSH v2, rcp and FTP can be replaced with secure alternatives.

The following table shows which encryption algorithms are supported by SSH v1 and SSH v2:

SSH Ciphers                SSH v1   SSH v2
3DES (112 bit)                X        X
Arcfour (128 bit)             X        X
BlowFish (128 bit)            X        X
DES (56 bit)                  X        X
IDEA (128 bit)                X
TwoFish (256 bit)                      X
AES (128, 192, 256 bit)                X
Cast-128 (128 bit)                     X

The Core Features of SSH for OpenVMS...

SSH for OpenVMS enables remote systems administrators, telecommuters, and other users to access corporate networks without revealing passwords and confidential data to potential eavesdroppers.

* Supports both SSH v1 and SSH v2 protocols in the client and server
* Provides secure file transfer with Secure File Transfer Protocol (SFTP) client and server
* Secure Copy Protocol (SCP) client and server, and SCP v1 server
* Replaces Telnet, FTP, and r services with secure connections
* Encrypts X-11 displays using X-11 forwarding
* Encrypts third-party applications using port forwarding, such as e-mail or database access
* Protects all data using strong ciphers
* Supports RSA and DSA authentication
* Provides the ability to start and stop SSH for OpenVMS without rebooting the entire system, ensuring that other products remain unaffected
* Data compression improves the network performance when using long-distance transmissions or low bandwidth connections
* Operates with most third-party clients and servers. (See http://www.process.com/sshclients/index.html for a list of third-party clients that Process Software has tested.)
* A public-key server and assistant have been added to make it easier to manage keys for SSH public key authentication.
* Login/logout events are now logged via the VMS audit server. The user will see a login record created by the SSH server, plus login and logout records for a detached session (the interactive login session).
* Single sign-on support simplifies management by allowing use of existing PKI certificates and Kerberos v5 authentication methods.
* Integrating with Process Software's VMS Authentication Module allows use of LDAP and SecurID authentication.
* The CMPCLIENT utility allows users to enroll certificates by connecting to a CA (certification authority) and using the CMPv2 protocol to enroll a certificate.
* The CERTVIEW utility allows users to view and validate certificates.
* The CERTTOOL utility allows the manipulation of X.509 formatted packages.

Secure Copy Protocol v2 (SCPv2)

SCP2 is an evolving file transfer protocol, and not all implementations will offer all levels of functionality. The basic functionality is binary file transfers. SSH for OpenVMS supports BINARY and ASCII transfers with SCP2, and will also transfer VMS file characteristics when the remote system has the capability. When operating with systems that do not support the full range of transfer mechanisms that SSH for OpenVMS offers, SSH for OpenVMS uses various methods to improve the chances that files will be useful upon transfer.

SSH for OpenVMS uses the defined extensions in the protocol to transfer information about the OpenVMS file header characteristics, so that when a file is transferred between two OpenVMS systems running SSH for OpenVMS, MultiNet v4.4 and higher, or TCPware v5.6 and higher, the file header information will also be transferred and the file will have the same format on the destination system as it had on the source system. Also, when a file is transferred to a non-OpenVMS system, a method has been provided to translate those files that can be translated into a format that will be usable on the remote system. Files that are transferred from non-OpenVMS systems are stored as stream files on the OpenVMS system, which provides compatibility for text files from those systems.

Secure File Transfer Protocol v2 (SFTP2)

SFTP2 is an FTP-like client that can be used to transfer files over a network. SFTP2 transfers the files through ssh2 connections to ensure that the file transport is secure. In order to connect using SFTP2, you need to make sure that sshd2 is running on the remote host that you are connecting to.

SFTP2 is an evolving file transfer protocol, and not all implementations will offer all levels of functionality. The basic functionality is binary file transfers. SSH for OpenVMS supports BINARY and ASCII transfers with SFTP2, and will also transfer VMS file characteristics when the remote system has the capability. When operating with systems that do not support the full range of transfer mechanisms that SSH for OpenVMS offers, SSH for OpenVMS uses various methods to improve the chances that files will be useful upon transfer.

Port Forwarding

Port forwarding allows forwarding of TCP/IP connections to a remote machine over an encrypted channel. A local proxy server is created for a remote TCP/IP service. The service can be one of the Internet protocols: POP, SMTP (used by e-mail software), HTTP (used by Web browsers), a TCP/IP connection to an RDBMS server, or almost any other TCP/IP based service, provided the port is known via a static assignment. The local proxy server listens for a socket on the desired port, forwards the request and data over the secure channel, and instructs the SSH server to make the connection to the specified service on the remote machine. The only noticeable change is that the client software is configured to connect to the local proxy server rather than the remote server.

X11 Forwarding

With X11 forwarding in use, the X11 display connections of any X11 programs started from the interactive session (or command) on the remote side are forwarded through the encrypted channel. The connection to the real X server is made from the local system. Forwarding of X11 connections can be configured on the command line or in configuration files. The DECW$DISPLAY value set by SSH points to the server system with a display number greater than zero. This is normal and happens because SSH creates a "proxy" X server on the server system for forwarding the connections over the encrypted channel. SSH sets up "fake" Xauthority data on the OpenVMS server (as OpenVMS does not currently support Xauthority). It generates a random authorization cookie, stores it in Xauthority on the server, verifies that any forwarded connection carries this cookie, and replaces it with the real cookie when the connection is opened. The real authentication cookie is never sent to the server system (and no cookies are sent unencrypted).

Publickey Assistant

The publickey assistant can be used to add, remove, and list SSH v2 public keys that are stored on a remote server.

CMPCLIENT

Allows users to enroll certificates by connecting to a CA (certification authority) and using the CMPv2 protocol for enrolling a certificate. The user may supply an existing private key when creating the certification request or allow a new key to be generated.

CERTVIEW

Allows users to view and validate certificates, and, optionally, to output the information from a certificate in a form that is formatted correctly for use when creating the SSH certificate mapping configuration.

CERTTOOL

The CERTTOOL utility is used for different needs concerning X.509 certificates in PKCS#10 and PKCS#12 format. The CERTVIEW tool can be used for certificate viewing and validation.

For PKCS#10, CERTTOOL creates certificate requests, allowing the user to specify specific keyUsage and extendedKeyUsage flags.

For PKCS#12, CERTTOOL creates a PKCS#12 package containing any number of private keys and certificates. The final PFX package is encoded with an HMAC and by default contains one password-protected safe, which contains all the other objects in an unshrouded format.
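The cookie check just described, written out as an added Python illustration (not code from SSH for OpenVMS; this page does not show its implementation): the function parses the standard X11 connection-setup request that a forwarded client sends, admits it only if it carries the fake cookie the server issued, and rewrites it with the real cookie before the request reaches the real X server. Both cookie values are constructed samples.

```python
import struct
import secrets

# Authorization protocol used by X11 cookies (16-byte cookies).
AUTH_PROTO = b"MIT-MAGIC-COOKIE-1"
# Constructed sample values: the throwaway cookie handed to forwarded clients
# and the real cookie that never leaves the side holding the X server.
FAKE_COOKIE = bytes.fromhex("00112233445566778899aabbccddeeff")
REAL_COOKIE = bytes.fromhex("ffeeddccbbaa99887766554433221100")

def pad4(n):
    """X11 pads each variable-length field to a multiple of four bytes."""
    return (4 - n % 4) % 4

def parse_x11_setup(packet):
    """Layout of an X11 connection-setup request: byte-order marker ('B' or
    'l'), unused byte, four 16-bit fields (major, minor, auth-name length,
    auth-data length), two unused bytes, then padded auth name and padded
    auth data. Returns (order, major, minor, name, data, trailing bytes)."""
    if len(packet) < 12 or packet[0:1] not in (b"B", b"l"):
        raise ValueError("malformed X11 setup request")
    order = packet[0:1]
    endian = ">" if order == b"B" else "<"
    major, minor, nlen, dlen = struct.unpack(endian + "HHHHxx", packet[2:12])
    pos = 12
    name = packet[pos:pos + nlen]
    pos += nlen + pad4(nlen)
    data = packet[pos:pos + dlen]
    pos += dlen + pad4(dlen)
    if len(name) != nlen or len(data) != dlen:
        raise ValueError("truncated X11 setup request")
    return order, major, minor, name, data, packet[pos:]

def build_x11_setup(order, major, minor, name, data):
    """Serialise a setup request in the given byte order (inverse of parse)."""
    endian = ">" if order == b"B" else "<"
    header = order + b"\x00" + struct.pack(endian + "HHHHxx", major, minor,
                                           len(name), len(data))
    return (header + name + b"\x00" * pad4(len(name))
            + data + b"\x00" * pad4(len(data)))

def swap_cookie(packet, fake_cookie=FAKE_COOKIE, real_cookie=REAL_COOKIE):
    """Admit a forwarded connection only if it presents the fake cookie.
    On a match the real cookie is substituted before the request reaches the
    real X server; anything else is rejected (None), so the real cookie is
    never revealed to the remote side. The comparison is constant-time."""
    order, major, minor, name, data, rest = parse_x11_setup(packet)
    if name != AUTH_PROTO or not secrets.compare_digest(data, fake_cookie):
        return None
    return build_x11_setup(order, major, minor, name, real_cookie) + rest
```

Because the real cookie is only ever inserted on the X server's side, a remote process that captured the forwarded cookie gains nothing it can present to the real display.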

Single Sign-On

Single sign-on support allows use of existing Kerberos v5 and Public Key Infrastructure (PKI) certificates. Process Software SSH Kerberos v5 support requires the operation of HP's OpenVMS Kerberos v5 T2.0 or greater, which contains the KDC. This kit restricts support for Kerberos (and hence, Kerberos v5 support in SSH for OpenVMS) to OpenVMS Alpha v7.2-2 and higher, and OpenVMS I64. When Kerberos v5 support is enabled, authentication may be done via Kerberos password, Kerberos credentials, forwardable TGT, and passing the TGT to remote hosts for single sign-on support.

PKI certificates can also be distributed for user authentication of SSH v2 sessions. SSH stores the software certificates in DER binary format. The SSHKEYGEN utility can be used to import and convert PKCS#12 packages into private key/certificate pairs, X.509 format private keys into SSH private keys, or PKCS#7 into certificates. The CERTENROLL utility may be used to enroll certificates with a Certificate Authority (CA) that supports the CMPv2 protocol.

In addition, SSH v2 can be integrated with Process Software's VMS Authentication Module to provide LDAP and SecurID authentication for SSH.

Standards and RFCs

The SSH for OpenVMS product conforms to the following standards and Internet Requests for Comments:

RFC No.   Title
3493      Basic Socket Interface Extensions for IPv6
4250      The Secure Shell (SSH) Protocol Assigned Numbers
4251      The Secure Shell (SSH) Protocol Architecture
4252      The Secure Shell (SSH) Authentication Protocol
4253      The Secure Shell (SSH) Transport Layer Protocol
4254      The Secure Shell (SSH) Connection Protocol
4256      Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)
4344      The Secure Shell (SSH) Transport Layer Encryption Modes
4345      Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol
4419      Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol
4432      RSA Key Exchange for the Secure Shell (SSH) Transport Layer Protocol
4716      The Secure Shell (SSH) Public Key File Format

Services, Documentation, and Ordering Information

Technical Services

Process Software's Technical Services Program has a well-deserved reputation for excellence. Services include consulting, training, software maintenance, support, online resources, and 24-hour support in North America—in short, everything you need to keep your Process Software products and your network operating at peak efficiency.

Consulting

A comprehensive suite of programs is available on a host of topics, including SSH for OpenVMS installation and configuration, DNS setup and use, network security, troubleshooting, and others.

Hot Line Support

Networking experts are available by telephone, e-mail, or fax. Optional 24-hour support is also available.

Updates

All maintenance customers with current service contracts receive automatic software and documentation updates of major releases.

Training

A wide range of educational services can be provided at your site, at regional training locations throughout North America, or at our own training facility in Framingham, MA.

Documentation

Comprehensive documentation for SSH for OpenVMS includes an administration and user's guide that provides installation and configuration information, along with product release notes that contain late-breaking product information. Documentation is provided in HTML and PDF formats on the SSH for OpenVMS product CD, and is available in HTML and PDF formats on the Process Software Web site (http://www.process.com).

Ordering Information

SSH for OpenVMS is shipped on CD-ROM. Contact [email protected] or request a free evaluation at http://www.process.com/tcipip/sshreq.asp.

Software Warranty

Process Software warrants all products for 90 days from the date of delivery.

Hardware and Software Requirements

SSH for OpenVMS requires at least one network controller supported by UCX or TCP/IP Services.

SSH for OpenVMS supports the following operating systems and TCP/IP Services versions:

* OpenVMS VAX V5.5-2, 6.2 and later
* OpenVMS Alpha V6.2 and later
* OpenVMS I64 V8.2 and later
* TCP/IP Services v4.0 (plus ECO v5) or later

Note: In order to enable Kerberos v5 authentication in the SSH server, the HP OpenVMS Kerberos v5 product must be installed. (See http://h71000.www7.hp.com/ /products/kerberos/) This restricts support for Kerberos v5 to OpenVMS Alpha v7.2-2 and higher and OpenVMS I64.

About Process Software

Process Software is a premier supplier of communications software solutions to mission critical environments. We deliver customer-centric and innovative IP-based technologies to our customers worldwide, and provide them with superior customer support and service.

Process Software
959 Concord Street
Framingham, Massachusetts 01701-4682
Telephone: U.S./Canada 1-(800) 722-7770
           International 1-(508) 879-6994
FAX: 1-(508) 879-0042
Web: http://www.process.com
E-mail: [email protected]

The information contained in this document is subject to change without notice. Process Software assumes no responsibility for any errors that may appear in this document.

© Process Software, 2010

The Process Software name and logo are trademarks, and MultiNet and TCPware are registered trademarks of Process Software. All other company names and product names are trademarks or registered trademarks of their respective holders.

Rev. 2.4
