This is a text-only version of the following page on https://raymii.org:
---
Title       : 	SSH public key authentication on OpenVMS
Author      : 	Remy van Elst
Date        : 	05-04-2018
URL         : 	https://raymii.org/s/blog/SSH_public_key_authentication_on_OpenVMS.html
Format      : 	Markdown/HTML
---



[![openvms][1]][2]

(You can read all my OpenVMS articles by [clicking the picture (above][2])

My OpenVMS adventure continues, after my rabbit hole of folder removal, this
time I actually get public key authentication working with OpenSSH so that I
don't have to type my password to login.

There is a bit of documentation from HP to set up SSH key authentication but
that misses one important little thing. That thing took me a few days to figure
out.

<p class="ad"> <b>Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:</b><br><br> <a href="https://leafnode.nl">I'm developing an open source monitoring app called  Leaf Node Monitoring, for windows, linux & android. Go check it out!</a><br><br> <a href="https://github.com/sponsors/RaymiiOrg/">Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.</a><br><br> <a href="https://www.digitalocean.com/?refcode=7435ae6b8212">You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days. </a><br><br> </p>


### Client public key authentication

On the HPe website there is extensive [documentation][4] on both the SSH server
setup as well as the client setup on OpenVMS. On the [DECUServe][5] system I'm
not an administrative user so this article will only cover the client part. It
assumes a set up and working SSH server.

SSH public key authentication allows you to login to an SSH server without
specifying a password. It is more secure since passwords can easily be brute
forced. An SSH key can be securely on a [HSM][6] so that the private part never
is exposed and SSH keys allow for key forwarding, that means you can use the key
from your laptop to login to other servers and then logon further to machines
behind there without placing your private key on the intermidiate machines.

Overall SSH keys are considered to be best practice instead of passwords.

Since I access the [DECUServe][5] system via SSH with a password I was wondering
if OpenVMS would support key authentication and [according to the
documentation][7] it should just be simple. Place the public key and configure
it to allow login.

But sadly that was not all.

### Creating the files and folders.

First create an `[SSH2]` folder in your homedir:

    
    
     $ CREATE /DIRECTORY [.SSH2]
     $ DIR [.SSH2]
    %DIRECT-W-NOFILES, no files found
    

Create the configuration file in which we explicitly allow public key
authentication next to password login:

    
    
     $ EVE [.SSH2]SSH2_CONFIG 
    

Place the following line in there:

    
    
    AllowedAuthentications publickey, password
    

Directly underneath that the `EVE` editor will show this:

    
    
    [End of file]
    
     Buffer: SSH2_CONFIG.                                                                                                                                                     | Write | Insert | Forward
    
    1 line read from file EISNER$DRA3:[DECUSERVE_USER.EXAMPLE.SSH2]SSH2_CONFIG.;2
    

Save the file with `CTRL+Z`. As you can see via the `;2` file version number I
was messing around. Did I mention how awesome it is that OpenVMS has file
versioning built in the filesystem?

On linux and other systems that use OpenSSH, you would create
`~/.ssh/authorized_keys` and place your key(s) in there like so:

    
    
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCq1vxYvJNBZMtrufZD0ivHXrt0A+WhslMcWeQTU2du2jznw64ScrxN+EYXVGg3JKu8N/QK/0VrtsxITFthHJQP0FkC0J8GnWeT3x2y0N38P+H3B/h1rh9DBY/GTUlXY9Q0MKAOEdTjSecK11Nd5183Xcygnv5xAxLqzqmnllumAE1Wd/B0NoKrcSy51hERn0kKTR9hIw8FTOUNPAwTgsMJ+A10aJtqjlk4OrOd1KOHi1jWNTc5wcW6xgWzMksdw++fBBPcJN9Bgihxz9kSwdpkcIYlBkIZZEwZtTvNy7K2nKw94omWmdr0ZlqsNwfOihyQpo4wtusjakTmM4GA+bH3 remy@gateway
    

On OpenVMS, you create a file named `AUTHORIZATION` and in there you specify
filenames of public keys, like `KEY EXAMPLE-HOSTNAME.PUB` where `EXAMPLE-
HOSTNAME.PUB` is the file name with the format `$USER-$HOST.PUB`.

Use `EVE` to create this `AUTHORIZATION.` file and add the filename of your
public key file:

    
    
     $ EVE [.SSH2]AUTHORIZATION
    

My key example:

    
    
    KEY REMY-GATEWAY.PUB
    

Note, do not add the key here like you might be used to on linux, just make up a
filename, prefixed with `KEY`. Next create the actual key file:

    
    
     $ EVE [.SSH2]REMY-GATEWAY.PUB
    

Paste your public key and save with `CTRL+Z`.

The documentation states that the public key file requires specific permission.
On linux I'm used to setting permissions on the `authorized_keys` file and the
private key material, but this will be comparable I guess:

    
    
    SET FILE /PROTECTION=(S:WRED,O:WRED,G:RE,W:R) [.SSH2]REMY-GATEWAY.PUB
    

You can check the current permissions with the `SHOW SECURITY` command:

    
    
     $ SHOW SECURITY [.SSH2]REMY-GATEWAY.PUB
    
    EISNER$DRA3:[DECUSERVE_USER.EXAMPLE.SSH2]REMY-GATEWAY.PUB;2 object of class FILE
         Owner: [EXAMPLE]
         Protection: (System: RWED, Owner: RWED, Group: RE, World: R)
         Access Control List: <empty>
    

By default, or at least on DECUServe my files get the following permissions:

    
    
         Protection: (System: RWED, Owner: RWED, Group, World)
    

Now you should be all set to go. Login specifically disabling password login
using your key:

    
    
    $ ssh -oHostKeyAlgorithms=+ssh-dss -o "PasswordAuthentication no"  EXAMPLE@eisner.decus.org
    

Output:

    
    
    The authenticity of host 'eisner.decus.org (104.207.199.162)' can't be established.
    DSA key fingerprint is SHA256:S0vOOBec5QvjeC1aLvnSccBewSgOvsF2s97KGaY1pnE.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'eisner.decus.org,104.207.199.162' (DSA) to the list of known hosts.
    
                                    N O T I C E
    
    This is Encompasserve.  Access is for subscribed individuals only.
    
     o  By logging into the system you agree to abide by the Encompasserve
        Canons of Conduct.
    
     o  Source code or any other information posted on this system is not
        warranted in any way.  YOU USE IT AT YOUR OWN RISK.
    
     o  If you submit source code to or post information on this system, you
        must allow its unrestricted use.  You must have the right to grant
        such permission.
    
     o  Refer to the Encompasserve Canons of Conduct, posted in the
        DECUServe_Information conference topic 4.3, for further guidance.
    
     o  Report problems in DECUServe_Forum.
    
    
    For information about Encompasserve please login under -> Username INFORMATION
    To subscribe to Encompasserve       please login under -> Username REGISTRATION
    To report any form of a problem     please login under -> Username PROBLEMS
    To renew an Expired account         please login under -> Username REGISTRATION
    
    Permission denied (publickey,password).
    

Err, what? We followed the documentation to the letter?

### Why does it not work?

This problem took me a few days to resolve. As I have no access to logging on
the OpenVMS system and no knowledge of how to view said logging, I was left to
trial and error.

To save you time and trouble, it appears that the key file was not in the
correct format for OpenVMS. We pasted the OpenSSH key format in the key file but
there is another format. I found this on a USENET newsgroup, you know you're far
in the exotic corners of the internet when you're searching `comp.os.vms`. But
hey, it helped me solve this issue.

OpenVMS uses IEFT SECSH (Tectia) format keys. There is an IETF [document][8]
describing the format and [a document][9] on the SSH key subsystem if you want
to know more.

The DECUServe system does not have the `SSH-KEYGEN` OpenVMS program installed or
at least I got an error when trying to execute it. Otherwise I would have tried
to create a key there and compare the files and permissions with my own file.

OpenSSH uses, suprisingly, `openssh` format public keys. The ones you know and
probably 99% of the regular internet uses. But as always there are special
snowflakes and it seems this is one of them. Googling around also gave lot's of
hits for IBM and `z/OS`.

Using `ssh-keygen` (on linux) we can convert a private key to this format with
the `-e` option. From the man page:

    
    
     -e Extract/convert from OpenSSH private key file to SECSH public key format 
    

In my case:

    
    
    $ ssh-keygen -e -f ~/.ssh/id_rsa
    

Output:

    
    
    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "2048-bit RSA, converted by remy@gateway from OpenSSH"
    AAAAB3NzaC1yc2EAAAADAQABAAABAQCq1vxYvJNBZMtrufZD0ivHXrt0A+WhslMcWeQTU2
    du2jznw64ScrxN+EYXVGg3JKu8N/QK/0VrtsxITFthHJQP0FkC0J8GnWeT3x2y0N38P+H3
    B/h1rh9DBY/GTUlXY9Q0MKAOEdTjSecK11Nd5183Xcygnv5xAxLqzqmnllumAE1Wd/B0No
    KrcSy51hERn0kKTR9hIw8FTOUNPAwTgsMJ+A10aJtqjlk4OrOd1KOHi1jWNTc5wcW6xgWz
    Mksdw++fBBPcJN9Bgihxz9kSwdpkcIYlBkIZZEwZtTvNy7K2nKw94omWmdr0ZlqsNwfOih
    yQpo4wtusjakTmM4GA+bH3
    ---- END SSH2 PUBLIC KEY ----
    

Use the editor to update your KEY file on OpenVMS, in my case `[.SSH]REMY-
GATEWAY.PUB`. Save with `CTRL+Z` and retry:

    
    
    $ ssh -oHostKeyAlgorithms=+ssh-dss -o "PasswordAuthentication no" -i .ssh/id_rsa EXAMPLE@eisner.decus.org
    

Output:

    
    
                                    N O T I C E
    
    This is Encompasserve.  Access is for subscribed individuals only.
    
     o  By logging into the system you agree to abide by the Encompasserve
        Canons of Conduct.
    
     o  Source code or any other information posted on this system is not
        warranted in any way.  YOU USE IT AT YOUR OWN RISK.
    
     o  If you submit source code to or post information on this system, you
        must allow its unrestricted use.  You must have the right to grant
        such permission.
    
     o  Refer to the Encompasserve Canons of Conduct, posted in the
        DECUServe_Information conference topic 4.3, for further guidance.
    
     o  Report problems in DECUServe_Forum.
    
    
    For information about Encompasserve please login under -> Username INFORMATION
    To subscribe to Encompasserve       please login under -> Username REGISTRATION
    To report any form of a problem     please login under -> Username PROBLEMS
    To renew an Expired account         please login under -> Username REGISTRATION
    
        Last interactive login on Thursday,  5-APR-2018 14:10:22.71
    
    
    %DCL-S-SPAWNED, process EXAMPLE_62002 spawned
      User [EXAMPLE] has 132 blocks used, 9868 available,
      of 10000 authorized and permitted overdraft of 0 blocks on DISK_USER
     $
    Subprocess EXAMPLE_62002 has completed
     $
    

Yay!

### Conclusion

I learned a lot, again. I notice that filesystem actions like editing and
permissions are a bit easier for me since I'm beginning to grasp the concepts
and commands. To summarize:

  * OpenVMS supports public key authentication
  * It's almost the same as with OpenSSH on Linux
  * Define your public key in an `AUTHORIZATION` file and place the key on the system
  * Make sure it is the correct key format
  * Set the correct permissions
  * ???
  * PROFIT!!

### One more thing, LOGOUT of OpenVMS

In an earlier article I wrote that I was unable to logout on OpenVMS since
`exit` and `CTRL+D` not exited the SSH session. I stopped my sessions using
either `~.` or by closing the window.

In the same `comp.os.vms` I found the `LOG` command. The help says:

    
    
     $ HELP LOG
    
    [...]
    LOGOUT
    
         Terminates an interactive terminal session.
    
         Format
    
           LOGOUT
    

So, now I can type 'LOG' on the prompt and exit OpenVMS.

   [1]: https://raymii.org/s/inc/img/ovmsdec.png
   [2]: https://raymii.org/s/tags/openvms.html
   [3]: https://www.digitalocean.com/?refcode=7435ae6b8212
   [4]: https://web.archive.org/web/20180405170159/http://h41379.www4.hpe.com/doc/83final/ba548_90007/index.html
   [5]: http://decus.org
   [6]: https://raymii.org/s/tags/hsm.html
   [7]: https://web.archive.org/web/20180405171201/http://h41379.www4.hpe.com/doc/83final/ba548_90007/ch03s08.html
   [8]: https://www.ietf.org/proceedings/50/I-D/secsh-publickeyfile-01.txt
   [9]: https://tools.ietf.org/html/draft-ietf-secsh-publickey-subsystem-08

---

License:
All the text on this website is free as in freedom unless stated otherwise. 
This means you can use it in any way you want, you can copy it, change it 
the way you like and republish it, as long as you release the (modified) 
content under the same license to give others the same freedoms you've got 
and place my name and a link to this site with the article as source.

This site uses Google Analytics for statistics and Google Adwords for 
advertisements. You are tracked and Google knows everything about you. 
Use an adblocker like ublock-origin if you don't want it.

All the code on this website is licensed under the GNU GPL v3 license 
unless already licensed under a license which does not allows this form 
of licensing or if another license is stated on that page / in that software:

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

Just to be clear, the information on this website is for meant for educational 
purposes and you use it at your own risk. I do not take responsibility if you 
screw something up. Use common sense, do not 'rm -rf /' as root for example. 
If you have any questions then do not hesitate to contact me.

See https://raymii.org/s/static/About.html for details.