Re: ssh problem with Multinet 5,3/Itanium



I'm the engineer at Process who created & supported our SSH product. I have some responses to your original message mixed in below.

On Jan 8, 8:40 pm, Malcolm Dunnett <noth...@xxxxxxxxxxxxxxxxx> wrote:
I don't know if this is a 5.3 issue or an Itanium specific issue. I'm
sure it's very specific to my environment though.

In order to be able to use LDAP/ACME verification with Multinet I have
written a routine that implements the keyboard-interactive protocol and
authenticates the supplied username/password using ACME and LDAP
(against Active Directory). To make this work with Multinet SSH I
replace the LDAP-PLUGIN program supplied with vanilla Multinet (which is
a placeholder routine that does nothing) with my program and modify the
SSHD2_CONFIG. file to enable keyboard-interactive authentication.

LDAP-PLUGIN is far from a "placeholder". When used with our VMS Authentication Module (VAM), it enables full LDAP authentication with any LDAP V3 server, which includes Active Directory. It's a more complete and flexible implementation of LDAP authentication than is ACME LDAP, save for the ability to change passwords, which is planned for a future version.

VAM also, by the way, provides not only LDAP authentication but also authentication via RSA SecurID and RADIUS, and it provides it not only for SSH but also other MultiNet components. I'm currently working on an ACME interface.

This works great on Alpha with Multinet 5.2 but today I tried to
configure it with Multinet 5.3 on an IA64 box. The authentication still
works ok (I get an "Authentication successful." message returned from
the IA64 box). However right after the authentication successful message
the session disconnects. The [.SSH]SSHD.log file on the IA64 contains:

SSHD 0001[3CC0043E]: FATAL: DISK$MULTINET_V53_A:[MULTINET_V53A.MULTINET.SSH6.LIB.SSHUTIL.SSHADT]SSHADT.C;1:672 SshADT (function name unavailable) Precondition failed: container != ((void *) 0)
   dunnett      job terminated at  8-JAN-2010 19:22:57.74

and the SSHD_MASTER.LOG file on the IA64 contains:

log: (08-Jan-2010 19:22:53)  Connection accepted from 142.25.103.71 port 3472
log: (08-Jan-2010 19:22:53)  Executing ssh2 daemon
log: (08-Jan-2010 19:22:53)  Child process started, pid = 3cc0043e (total active = 1)
log: (08-Jan-2010 19:22:57)  Child process: 3CC0043E terminated (0 remain)
log: (08-Jan-2010 19:22:57)    exit status: %SYSTEM-?-ILLPAGCNT, illegal page count parameter

This is something I'm aware of and am looking for a solution. It's a very rare occurrence (only a very few customers have ever seen this). If you can make it happen at will, it would be of great help in researching this problem.

I realize I'm way out on a limb with unsupported code here but I'm still
hoping there's a simple solution. The lack of ACME support in Multinet
SSH is a real problem because it means that every time a password is
changed the user needs to connect via some other method (eg telnet) in
order to synch the password before ssh can be used with the new
password. Of course what I'd really like is for Multinet SSH to support
ACME/LDAP - but barring that supporting the keyboard-interactive method
would be great.

KEYBOARD-INTERACTIVE has been supported by MultiNet SSH for several years now.

Barring a Multinet solution, is there an implementation of SSH out there
(open source) that works on VMS and supports keyboard-interactive?

Does anyone know if the next version of TCP/IP services (in VMS 8.4)
will support ACME/LDAP for SSH? (in which case dropping Multinet in
favour of TCP/IP services might offer a solution)

It doesn't appear so.
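
For anyone who wants to count how often SSHD children die this way, the following is an added example (not part of the thread and not Process Software code) that pairs each child's termination with its exit status in the SSHD_MASTER.LOG layout quoted above and reports the non-successful ones. The second session in the sample is constructed, the way a clean exit is logged is an assumption, and severities S and I are treated as normal per the OpenVMS message severity convention.

```python
import re

# First session: the lines posted above, mail wrapping kept. Second session:
# constructed; its %SYSTEM-S-NORMAL status line is an assumed clean-exit format.
SAMPLE_LOG = """\
log: (08-Jan-2010 19:22:53)  Connection accepted from 142.25.103.71 port
3472
log: (08-Jan-2010 19:22:53)  Executing ssh2 daemon
log: (08-Jan-2010 19:22:53)  Child process started, pid = 3cc0043e
(total active = 1)
log: (08-Jan-2010 19:22:57)  Child process: 3CC0043E terminated (0 remain)
log: (08-Jan-2010 19:22:57)    exit status: %SYSTEM-?-ILLPAGCNT, illegal
page count parameter
log: (08-Jan-2010 19:30:10)  Connection accepted from 192.0.2.10 port 50122
log: (08-Jan-2010 19:30:10)  Child process started, pid = 3cc00441 (total active = 1)
log: (08-Jan-2010 19:41:02)  Child process: 3CC00441 terminated (0 remain)
log: (08-Jan-2010 19:41:02)    exit status: %SYSTEM-S-NORMAL, normal successful completion
"""

ENTRY = re.compile(r"^log: \(([^)]+)\)\s+(.*)$")
ACCEPT = re.compile(r"Connection accepted from (\S+) port (\d+)")
START = re.compile(r"Child process started, pid = ([0-9A-Fa-f]+)")
END = re.compile(r"Child process: ([0-9A-Fa-f]+) terminated")
STATUS = re.compile(r"exit status: (%\w+-(.)-\w+)")

def entries(text):
    """Return (timestamp, message) pairs, joining mail-wrapped continuation lines."""
    joined = []
    for raw in text.splitlines():
        if raw.startswith("log:"):
            joined.append(raw.strip())
        elif joined and raw.strip():
            joined[-1] += " " + raw.strip()
    return [ENTRY.match(j).groups() for j in joined if ENTRY.match(j)]

def abnormal_exits(text):
    """Return children whose exit severity is not S (success) or I (informational)."""
    peer, ended, peers, findings = None, None, {}, []
    for ts, msg in entries(text):
        if (a := ACCEPT.search(msg)):
            peer = f"{a.group(1)}:{a.group(2)}"  # assumes the next start line is this peer
        elif (s := START.search(msg)):
            peers[s.group(1).upper()] = peer     # the log mixes hex case for the pid
        elif (e := END.search(msg)):
            ended = e.group(1).upper()
        elif (x := STATUS.search(msg)) and ended and x.group(2) not in "SI":
            findings.append({"pid": ended, "peer": peers.get(ended),
                             "ended": ts, "status": x.group(1)})
    return findings
```

The pid in each finding is the same value that prefixes the FATAL line in [.SSH]SSHD.log, so the two logs can be matched on it.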

