HP OpenVMS Systems Documentation


HP TCP/IP Services for OpenVMS
Release Notes



4.19.23 SSH File Transfer Clients and Server Do Not Handle VMS-style Wildcards

Problem:

SSH file transfer clients and server do not handle VMS-style wildcards.

Solution:

Many uses of VMS-style wildcards are now supported. Where possible, the behavior matches that of DCL commands such as $ COPY and $ DIRECTORY. For example, ls afile.* lists all versions of a file, while get afile.* retrieves only the highest version. One extension to the standard VMS set is that ? is recognized in addition to % as a single-character match.
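The following Python model shows the matching rules the note describes: * matches any run of characters, % or ? matches exactly one, and an ls-style operation returns every version while a get-style operation keeps only the highest version per file unless an explicit version (;n or ;*) is given. It is an added example written for this page, not code from TCP/IP Services; the directory contents, the filespec parser and the treatment of ;0 and an empty version as "highest" are assumptions made for the illustration.

```python
import re

# Constructed sample directory (not from the release note): (name, type, version)
SAMPLE_FILES = [
    ("AFILE", "TXT", 3), ("AFILE", "TXT", 2), ("AFILE", "TXT", 1),
    ("AFILE", "DAT", 7), ("AFILE", "DAT", 6),
    ("AFILE2", "TXT", 4), ("BFILE", "TXT", 1),
]


def field_regex(pattern):
    """Anchored, case-insensitive regex for one VMS filespec field.
    '*' matches any run of characters; '%' and '?' match exactly one
    character ('?' being the extension the release note adds)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch in "%?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def parse_filespec(spec):
    """Split 'name.type;version' (or 'name.type.version') into fields.
    A missing name or type defaults to '*'; version None means that no
    version was given (assumed parsing rules for this example)."""
    m = re.fullmatch(r"([^.;]*)(?:\.([^.;]*))?(?:[;.]([^.;]*))?", spec)
    if m is None:
        raise ValueError(f"bad filespec: {spec!r}")
    name, ftype, version = m.group(1), m.group(2), m.group(3)
    return (name or "*", ftype if ftype is not None else "*", version)


def match(spec, files, highest_only):
    name_pat, type_pat, version = parse_filespec(spec)
    name_re, type_re = field_regex(name_pat), field_regex(type_pat)
    hits = [f for f in files if name_re.match(f[0]) and type_re.match(f[1])]
    if version == "*":              # explicit ;* always means every version
        highest_only = False
    elif version in ("", "0"):      # explicit ;0 (or empty) means highest only
        highest_only = True
    elif version is not None:       # explicit ;n selects exactly that version
        want = int(version)
        hits = [f for f in hits if f[2] == want]
        highest_only = False
    if highest_only:
        best = {}
        for f in hits:
            key = (f[0], f[1])
            if key not in best or f[2] > best[key][2]:
                best[key] = f
        hits = list(best.values())
    return sorted(hits, key=lambda f: (f[0], f[1], -f[2]))


def sftp_ls(spec, files=SAMPLE_FILES):
    """ls semantics, like $ DIRECTORY: every matching version is listed."""
    return match(spec, files, highest_only=False)


def sftp_get(spec, files=SAMPLE_FILES):
    """get semantics, like $ COPY: only the highest version of each file."""
    return match(spec, files, highest_only=True)


if __name__ == "__main__":
    for f in sftp_ls("afile.*"):
        print("ls  ", "%s.%s;%d" % f)
    for f in sftp_get("afile.*"):
        print("get ", "%s.%s;%d" % f)
```

The difference between sftp_ls("afile.*") and sftp_get("afile.*") on the sample directory is the one the note calls out: five entries listed, two files transferred.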

4.19.24 Text Display for Usage Does Not Match Documentation

Problem:

Text display for Usage: does not match documentation or what is supported or tested.

Solution:

"Usage" text reflects what is implemented, and also matches information in any DCL help files.

4.19.25 Allow Restrictions on Execution of SFTP-server2

Problem:

There was no way to prevent users who have SSH access to a server from using scp or sftp to copy files.

Solution:

The following methods are available to restrict users who have ssh access to a server from using scp or sftp for filecopy:

  1. Use one of the following options in the SSHD2_CONFIG. file:


    DisallowSftpServer
        Default: "no"
        "yes" disables sftp-server2 for all users.

    SftpDenyUsers
        Default: empty string
        Interprets regular expressions in the same way that
        DenyUsers does.


    Note that SftpDenyUsers is used only if DisallowSftpServer is "no".
  2. If neither of the configuration restrictions is used, the server checks for the identifier TCPIP$SSH_FILECOPY_DISALLOWED granted to the current user, in which case access to sftp-server2 is denied.
    To create and grant this identifier, do the following from a privileged account:


    $ MCR AUTHORIZE
    UAF> ADD /IDENTIFIER TCPIP$SSH_FILECOPY_DISALLOWED
    %UAF-I-RDBADDMSG, identifier TCPIP$SSH_FILECOPY_DISALLOWED
    value %X8001009F added to rights database
    UAF> SHOW /IDENTIFIER TCPIP$SSH_FILECOPY_DISALLOWED
    Name                             Value           Attributes
    TCPIP$SSH_FILECOPY_DISALLOWED    %X8001009F
    UAF> GRANT TCPIP$SSH_FILECOPY_DISALLOWED USER1
    %UAF-I-GRANTMSG, identifier TCPIP$SSH_FILECOPY_DISALLOWED
    granted to USER1
    UAF> SHOW USER1
    
    Username: USER1                            Owner:  Default
    ...
    Identifier                         Value           Attributes
    TCPIP$SSH_FILECOPY_DISALLOWED    %X8001009F
    
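The order in which the three restrictions are consulted matters: DisallowSftpServer wins outright, SftpDenyUsers is consulted only when DisallowSftpServer is "no", and the note says the TCPIP$SSH_FILECOPY_DISALLOWED identifier is checked only when neither configuration setting is used. The Python model below encodes that reading so the consequence can be checked: once SftpDenyUsers is configured, a user who holds the identifier but does not match any pattern is still allowed. This is an added example for this page, not the sshd2 implementation; the SSHD2_CONFIG fragments and rights-database contents are constructed, and treating SftpDenyUsers entries as comma-separated, anchored regular expressions is an assumption (the product interprets them the way DenyUsers does).

```python
import re

# Constructed rights-database view for the example: identifiers held per user.
RIGHTS = {
    "USER1": {"TCPIP$SSH_FILECOPY_DISALLOWED"},
    "USER2": set(),
    "GUEST1": set(),
}

# Constructed SSHD2_CONFIG fragments (not shipped configuration files).
CONFIG_IDENTIFIER_ONLY = """
# neither restriction used: the identifier decides
DisallowSftpServer   no
SftpDenyUsers
"""
CONFIG_DENY_LIST = """
DisallowSftpServer   no
SftpDenyUsers        guest.*,temp[0-9]+
"""
CONFIG_DISABLED = """
DisallowSftpServer   yes
"""


def parse_sshd2_config(text):
    """Minimal 'Keyword value' parser for the settings used here.
    '#' starts a comment; keywords are folded to lower case."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        cfg[fields[0].lower()] = fields[1].strip() if len(fields) > 1 else ""
    return cfg


def sftp_allowed(user, config, rights=RIGHTS):
    """Return (allowed, reason) following the precedence in the release note."""
    if config.get("disallowsftpserver", "no").lower() == "yes":
        return False, "DisallowSftpServer yes: sftp-server2 disabled for everyone"
    deny = config.get("sftpdenyusers", "").strip()
    if deny:
        # Assumption: comma-separated patterns, each matched against the whole
        # user name, case-insensitively.
        for pat in (p.strip() for p in deny.split(",") if p.strip()):
            if re.fullmatch(pat, user, re.IGNORECASE):
                return False, f"SftpDenyUsers pattern {pat!r} matched"
        # A configured SftpDenyUsers counts as "a restriction being used",
        # so the identifier is not consulted in this model.
        return True, "SftpDenyUsers configured but no pattern matched"
    if "TCPIP$SSH_FILECOPY_DISALLOWED" in rights.get(user.upper(), set()):
        return False, "holds TCPIP$SSH_FILECOPY_DISALLOWED"
    return True, "no restriction applies"


if __name__ == "__main__":
    for name, text in (("identifier-only", CONFIG_IDENTIFIER_ONLY),
                       ("deny-list", CONFIG_DENY_LIST),
                       ("disabled", CONFIG_DISABLED)):
        cfg = parse_sshd2_config(text)
        for user in ("USER1", "USER2", "GUEST1"):
            print(name, user, sftp_allowed(user, cfg))
```

When auditing a server, compare the result for every user who holds the identifier against the SftpDenyUsers line: if the line is non-empty, the identifier alone is not what is keeping them out.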

4.19.26 Using SFTP To Pull Fixed Length Files Results In A Corrupted File

Problem:

Using SFTP to pull fixed length files with an odd-numbered record length, e.g., 773 bytes, from an OpenVMS system to a system running an operating system other than OpenVMS results in a corrupted file.

Solution:

This problem has been corrected.

4.19.27 Pasting from Text Editor Loses Characters

Problem:

When a user logs in with SSH and pastes from the paste buffer, characters can be lost. If the user is running a text editor, it receives a "data overrun" error.

Solution:

This problem has been corrected.

4.19.28 sftp ls on Directory with a Large Number of Files Cannot Be Interrupted

Problem:

When doing an ls on a directory or search list with a large number of files, entering q at the prompt "<Press any key for more or q to quit>" results in an apparent hang that cannot be interrupted with CTRL/C.

Solution:

Pressing q now returns immediately to the sftp> prompt. Additional improvements for ls displays include the following:

  1. The display has no blank lines, but does include the q (or other character) entered after the prompt.
  2. To start an SFTP session with continuous display use the "-C" (Continuous display) option, e.g.:


    $ sftp "-C" yourremote
    

    Note that the double quotes are required. Within an SFTP session, use the td (toggle display) command to switch between prompted and continuous display.
  3. Long directory listings do not cause the %TCPIP-F-SSH_ALLOC_ERROR error.
  4. CTRL/C on continuous listings causes return to the sftp> prompt.

Note

Because global variables are used for this fix, the code is not thread-safe.

In batch mode the default remains to suppress display of the prompt. You cannot force the display of the prompt in batch mode.

If CTRL/C is entered at the " <Press any key...> " prompt, you may need to enter a "q" or a carriage return to return to the sftp> prompt. Note that entering CTRL/C at the sftp> prompt (followed by a carriage return) causes an exit to the DCL level.

4.20 SSL Problems Fixed in This Release

The following sections describe SSL problems fixed in this release.

4.20.1 After Installing SSL, POP SSL Ceases to Function

Problem:

After installing the SSL V1.2 kit on TCP/IP Services, POP SSL support ceases to function. The POP server will not listen on its SSL port and, consequently, will not service clients coming in through SSL. The TCPIP$POP_RUN.LOG POP server log file contains these lines:


POP server will not listen for SSL connections.
SSL$LIBCRYPTO_SHR32_INIT status: %LIB-E-KEYNOTFOU, key not found in tree

Solution:

This problem is corrected in this release.

4.21 TELNET Problems Fixed in This Release

The following sections describe TELNET problems fixed in this release.

4.21.1 TELNET Intrusion Detection Inflexibility

Problem:

In certain circumstances, an intrusion (such as an invalid login) by one user can cause the whole remote system to be locked out; with multiport devices such as a terminal server, every port on that server could be locked out. The workaround has been to set the TCPIP$TELNET_NO_REM_ID logical. However, this allows the intruding user to log in on another port without being locked out.

Solution:

This problem is corrected in this release. The logical name TCPIP$TELNET_TRUST_LOCATION allows you to specify how to handle TELNET intrusion records. When this logical name is defined, any location string specified by the remote client is included in the intrusion record. For example, many terminal servers provide the physical port number, while OpenVMS clients provide the originating user name and terminal line. Including this information in the intrusion records means that only a particular user or port will be locked out, not the entire remote host (and all user ports).
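The following Python model shows why the granularity of the intrusion-record key matters. With only the remote host in the key, three failures from one terminal-server port lock out every port on that server; with the client-supplied location included, only the offending port is locked. The same model also shows the trade-off the logical name's wording reflects: because the location string is supplied by the remote client, a client that changes it on every attempt is tracked as a different source. This is an added example for this page, not OpenVMS break-in detection code; the event stream, the failure limit (standing in for the system's own threshold) and the terminal-server names are constructed.

```python
from collections import defaultdict

# Assumed failure threshold for the model (the real system parameter is separate).
LOGIN_FAILURE_LIMIT = 3

# Constructed event stream: (remote_host, client_supplied_location)
EVENTS = [
    ("termsrv1", "PORT_3"),
    ("termsrv1", "PORT_3"),
    ("termsrv1", "PORT_3"),
]


class IntrusionTracker:
    """Counts login failures per intrusion-record key.
    trust_location models whether TCPIP$TELNET_TRUST_LOCATION is defined:
    when it is, the client-supplied location string is part of the key."""

    def __init__(self, trust_location):
        self.trust_location = trust_location
        self.failures = defaultdict(int)

    def key(self, remote_host, location):
        if self.trust_location and location:
            return (remote_host, location)
        return (remote_host,)

    def record_failure(self, remote_host, location=None):
        k = self.key(remote_host, location)
        self.failures[k] += 1
        return k

    def locked_out(self, remote_host, location=None):
        return self.failures[self.key(remote_host, location)] >= LOGIN_FAILURE_LIMIT


def simulate(trust_location, events=EVENTS,
             probes=(("termsrv1", "PORT_3"), ("termsrv1", "PORT_7"))):
    """Replay the failures, then report which probed (host, location) pairs
    would now be refused."""
    tracker = IntrusionTracker(trust_location)
    for host, loc in events:
        tracker.record_failure(host, loc)
    return {loc: tracker.locked_out(host, loc) for host, loc in probes}


# A client that varies its location string on every attempt.
EVASIVE_EVENTS = [("termsrv1", "PORT_3"), ("termsrv1", "PORT_4"), ("termsrv1", "PORT_5")]

if __name__ == "__main__":
    print("host-only key:      ", simulate(False))
    print("host+location key:  ", simulate(True))
    print("varying location:   ", simulate(True, EVASIVE_EVENTS, (("termsrv1", "PORT_3"),)))
```

The third run is the caveat: finer-grained records stop one bad port from locking out a whole terminal server, but only for clients that report their location honestly, which is why the logical name is an explicit opt-in to trusting it.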

4.22 Miscellaneous Problems Fixed in This Release

The following sections describe miscellaneous problems fixed in this release.

4.22.1 PPP Supports the Scaling Kernel and IA64 Architecture

PPP now supports both the Scaling Kernel and IA64 architecture.

4.22.2 TCPIP SHOW ROUTE/MASK Reports Error

Problem:

TCPIP SHOW ROUTE dest/mask did not work as expected in some cases. When the mask value was greater than or equal to 24, the command responded as follows:


%TCPIP-E-ROUTEERROR, error accessing routes database(TCPIP$ROUTE)
-TCPIP-W-NORECORD, information not found

This posed problems when checking for dynamic routes.

Solution:

This problem is fixed in this release. The code now considers the CIDR mask specified when matching the given destination address.


Chapter 5
Documentation Update

This chapter describes updates to the information in the TCP/IP Services product documentation.

This information will be supplied in the final release of TCP/IP Services.

5.1 Documentation Updated for This Release

The following manuals are updated for TCP/IP Services Version 5.6. Documentation changes planned for these manuals are indicated.

  • TCP/IP Services for OpenVMS Installation and Configuration
  • TCP/IP Services for OpenVMS Management Guide
  • TCP/IP Services for OpenVMS Guide to SSH

5.2 Documentation Not Being Updated for This Release

The following manuals are not updated for TCP/IP Services Version 5.6. Documentation changes planned for these manuals are indicated.

  • TCP/IP Services for OpenVMS Concepts and Planning
  • TCP/IP Services for OpenVMS Management Command Reference
  • TCP/IP Services for OpenVMS Management Command Quick Reference Card
  • TCP/IP Services for OpenVMS ONC RPC Programming
  • TCP/IP Services for OpenVMS Sockets API and System Services Programming
  • TCP/IP Services for OpenVMS Tuning and Troubleshooting
  • TCP/IP Services for OpenVMS User's Guide


Appendix A
Implementing NTP Autokeys

To set up NTP autokeys, use one of the following procedures. In each procedure the password on the crypto pw line in TCPIP$NTP.CONF is the one ntp_keygen uses to protect the private key and identity files it writes to keysdir, so the configuration file and the keysdir directory should be readable only by the account that runs NTP. The passwords littlesecret and bigsecret shown below are placeholders; substitute your own.

A.1 Default TC Identity Scheme (method 1)

  1. Make Alice a stratum 0 server by enabling the lines in TCPIP$NTP.CONF:


     server 127.127.1.0 prefer
     fudge 127.127.1.0 stratum 0
    
  2. On both Alice (server) and Bob (client), add two lines to TCPIP$NTP.CONF:


     keysdir SYS$SPECIFIC:[TCPIP$NTP]
     crypto
    
  3. On Bob, add the server line for Alice to Bob's TCPIP$NTP.CONF:


     server alice autokey
    
  4. On Alice, generate the keys and trusted certificate:


     ALICE>ntp_keygen -"T"
    
  5. On Bob, generate the keys and non-trusted certificate:


     BOB>ntp_keygen
    
  6. Start NTP on Alice:


     ALICE>@sys$startup:tcpip$ntp_startup
    
  7. Wait until Alice is synchronized to itself. ntpdc -p should show an asterisk (*) in the leftmost column.
  8. Start NTP on Bob:


     BOB>@sys$startup:tcpip$ntp_startup
    

Bob should eventually synch to Alice (this may take up to 10 minutes). ntpdc -p should show an asterisk (*) in the leftmost column.

A.2 Default TC Identity Scheme (method 2)

  1. Make Alice a stratum 0 server by enabling the lines in TCPIP$NTP.CONF:


     server 127.127.1.0 prefer
     fudge 127.127.1.0 stratum 0
    
  2. On Alice, add two lines to TCPIP$NTP.CONF:


     keysdir SYS$SPECIFIC:[TCPIP$NTP]
     crypto pw littlesecret
    
  3. On Bob, add three lines to TCPIP$NTP.CONF:


     keysdir SYS$SPECIFIC:[TCPIP$NTP]
     crypto pw bigsecret
     server alice autokey
    
  4. On Alice, generate the keys and trusted certificate using passwords:


     ALICE>ntp_keygen -"T" -p littlesecret -q bigsecret
    
  5. On Bob, generate the keys and non-trusted certificate using passwords:


     BOB>ntp_keygen -q bigsecret
    
  6. Start NTP on Alice:


     ALICE>@sys$startup:tcpip$ntp_startup
    
  7. Wait 5 minutes until Alice is synchronized to itself. ntpdc -p should show an asterisk (*) in the leftmost column.
  8. Start NTP on Bob:


     BOB>@sys$startup:tcpip$ntp_startup
    

Bob should eventually synch to Alice (this may take up to 10 minutes). ntpdc -p should show an asterisk (*) in the leftmost column.

A.3 PC Identity Scheme

  1. Make Alice a stratum 0 server by enabling the lines in TCPIP$NTP.CONF:


     server 127.127.1.0 prefer
     fudge 127.127.1.0 stratum 0
    
  2. On both Alice and Bob, add two lines to TCPIP$NTP.CONF:


     keysdir SYS$SPECIFIC:[TCPIP$NTP]
     crypto pw littlesecret
    
  3. On Bob, add the server line for Alice to Bob's TCPIP$NTP.CONF:


     server alice autokey
    
  4. On Alice, generate the keys and certificate:


     ALICE>ntp_keygen -"P" -p littlesecret
    
  5. Copy the certificate ( tcpip$ntpkey_rsa-md5cert_alice.timestamp ) and the key ( tcpip$ntpkey_rsakey_alice.timestamp ) from Alice to Bob's keysdir .
  6. On Bob, create symbolic links to the files:


     BOB>ntp_keygen -"P" -l tcpip$ntpkey_rsakey_alice.timestamp -
     _BOB> tcpip$ntpkey_rsa-md5cert_alice.timestamp
    
  7. Start NTP on Alice:


     ALICE>@sys$startup:tcpip$ntp_startup
    
  8. Wait 5 minutes until Alice is synchronized to itself. ntpdc -p should show an asterisk (*) in the leftmost column.
  9. Start NTP on Bob:


     BOB>@sys$startup:tcpip$ntp_startup
    

Bob should eventually synch to Alice (this may take up to 10 minutes). ntpdc -p should show an asterisk (*) in the leftmost column.

A.4 IFF scheme (method 1)

  1. Make Alice a stratum 0 server by enabling the lines in TCPIP$NTP.CONF:


     server 127.127.1.0 prefer
     fudge 127.127.1.0 stratum 0
    
  2. On both Alice and Bob, add two lines to TCPIP$NTP.CONF:


     keysdir SYS$SPECIFIC:[TCPIP$NTP]
     crypto pw littlesecret
    
  3. On Bob, add the server line for Alice to Bob's TCPIP$NTP.CONF:


     server alice autokey
    
  4. On Alice, create the trusted public key and identity scheme parameter file.
    Use a password with at least 4 characters. This example is for the IFF identity scheme:


     ALICE>ntp_keygen -"T" -"I" -p littlesecret
    
  5. On Bob, generate the client parameters using the server password:


     BOB>ntp_keygen -"H" -p littlesecret
    
  6. Copy the tcpip$ntpkey_iffpar_alice.timestamp file from Alice to Bob's keysdir .
  7. On Bob, create a symbolic link to the file:


     BOB>ntp_keygen -"I" -l tcpip$ntpkey_iffpar_alice_tcpip_zko_h.3344261784
    
  8. Start NTP on Alice:


     ALICE>@sys$startup:tcpip$ntp_startup
    
  9. Wait 5 minutes until Alice is synchronized to itself. ntpdc -p should show an asterisk (*) in the leftmost column.
  10. Start NTP on Bob:


     BOB>@sys$startup:tcpip$ntp_startup
    

Bob should eventually synch to Alice (this may take up to 10 minutes). ntpdc -p should show an asterisk (*) in the leftmost column.

A.5 Alternate IFF Scheme (method 2)

  1. Make Alice a stratum 0 server by enabling the lines in TCPIP$NTP.CONF:


     server 127.127.1.0 prefer
     fudge 127.127.1.0 stratum 0
    
  2. On Alice, add two lines to TCPIP$NTP.CONF:


     keysdir SYS$SPECIFIC:[TCPIP$NTP]
     crypto pw littlesecret
    
  3. On Bob, add three lines to TCPIP$NTP.CONF:


     keysdir SYS$SPECIFIC:[TCPIP$NTP]
     crypto pw bigsecret
     server alice autokey
    
  4. On Alice, create the trusted public key and identity scheme parameter file.
    Use a password with at least 4 characters. This example is for the IFF identity scheme:


     ALICE>ntp_keygen -"T" -"I" -p littlesecret
    
  5. On Bob, generate the client parameters using the client password:


     BOB>ntp_keygen -"H" -p bigsecret
    
  6. On Alice, extract the client key specifying the server password and the client password:


     ALICE>ntp_keygen -e -q littlesecret -p bigsecret
    

    The output will go to the screen.
  7. On Bob, create a file with the name shown in the screen output from step 6 (the file name after "Writing new IFF key"). Paste the output from step 6 into the file. Here is an example of the final file on Bob (the first two lines, starting with #, are comments):


     BOB> typ SYS$SPECIFIC:[TCPIP$NTP]TCPIP$NTPKEY_IFFKEY_ALICE.3344272304
    # SYS$SPECIFIC:[TCPIP$NTP]TCPIP$NTPKEY_IFFKEY_ALICE.3344272304
    # Thu Dec 22 15:32:10 2005
    -----BEGIN DSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-CBC,E03763213C218BDC
    
    O9xAmWUEfJzCYEO6Zgn1KWm67M9NKlc/LzqHH+1K/kWQ/YXudUIf1ugdj+Umpphy
    R5UyrpVz8kWms4M/VsPZBvMgP2SIXPyYO5ANz0WlMYbk9Myd8Xfc/6LEhYMEhxeM
    Mjo95aUuWq/+YtlEAzrVvWjhQnHvNpHJtQxNw/7L6/ftVOGT0MuB1e9jJoaGo+lp
    yBSbhUYmwiyZfJUYvteXfOME/XH3rEx3h8/8k88zL1qACetHxeFmUMIoQq7lUqjg
    CeKMAidxgUWlmhixYVcUtvuD0ZNYqQ4jjUFfDrlgfAPmeHNLndehEStcQbB3ItLC
    -----END DSA PRIVATE KEY-----
    
  8. Create a symbolic link to the client key:


     BOB>ntp_keygen -"I" -l tcpip$ntpkey_iffkey_alice.3344272304
    
  9. Start NTP on Alice:


     ALICE>@sys$startup:tcpip$ntp_startup
    
  10. Wait 5 minutes until Alice is synchronized to itself. ntpdc -p should show an asterisk (*) in the leftmost column.
  11. Start NTP on Bob:


     BOB>@sys$startup:tcpip$ntp_startup
    

Bob should eventually synch to Alice (this may take up to 10 minutes). ntpdc -p should show an asterisk (*) in the leftmost column.

A.6 GQ scheme

  1. Make Alice a stratum 0 server by enabling the lines in TCPIP$NTP.CONF:


     server 127.127.1.0 prefer
     fudge 127.127.1.0 stratum 0
    
  2. On both Alice and Bob, add two lines to TCPIP$NTP.CONF:


     keysdir SYS$SPECIFIC:[TCPIP$NTP]
     crypto pw littlesecret
    
  3. On Bob, add the server line for Alice to Bob's TCPIP$NTP.CONF:


     server alice autokey
    
  4. On Alice, generate the GQ parameters:


     ALICE>ntp_keygen -"T" -"G" -p littlesecret
    
  5. On Bob, generate the client parameters using the server password:


     BOB>ntp_keygen -"H" -p littlesecret
    
  6. Copy the GQ group key tcpip$ntpkey_gqpar_alice.timestamp from Alice to Bob's keysdir .
  7. On Bob, create a symbolic link to the file, using the -r option to specify the server name:


     BOB>ntp_keygen -"G" -r alice -l tcpip$ntpkey_gqpar_alice.timestamp
    
  8. Start NTP on Alice:


     ALICE>@sys$startup:tcpip$ntp_startup
    
  9. Wait 5 minutes until Alice is synchronized to itself. ntpdc -p should show an asterisk (*) in the leftmost column.
  10. Start NTP on Bob:


     BOB>@sys$startup:tcpip$ntp_startup
    

Bob should eventually synch to Alice (this may take up to 10 minutes). ntpdc -p should show an asterisk (*) in the leftmost column.

