3. Configuring PSCSSH


This chapter describes how to configure the SSHD Master process, which controls access to the SSH servers for the PSCSSH software.

For a basic configuration, accept the default value for each component; the default appears in square brackets at the end of each prompt, so pressing RETURN accepts it. This also lets you step through the procedure more quickly.

After performing the basic configuration, you must perform the advanced configuration for the SSH1 and SSH2 servers, and for the SSH clients as desired. Chapters 4 through 7 describe the configuration and use of these components.

The SSH Configuration Utility

SSH is the Secure Shell protocol. PSCSSH provides support for both SSH Version 1 protocol and SSH Version 2 protocol.

Please note that in addition to the configuration performed via CNFSSH as described below, there are configuration files for both the SSH1/SSH2 servers and SSH client which must be modified as appropriate to meet the security requirements of your organization. Refer to chapters 4 and 5 of this manual for details on the configuration files.

You can use the CNFSSH utility to configure the SSH server as shown in the example below. Entries marked RETURN indicate that the default was accepted by pressing the RETURN key.

$ @PSCSSH:PSCSSH CONFIGURE

PSCSSH Version V3.0A SSH Configuration procedure

This procedure helps you define the parameters needed to get
PSCSSH running on this system.

This procedure creates the configuration data file,
PSCSSH_LOCAL:SSH_CONFIGURE.COM,
to reflect your system's configuration.

For detailed information on the following parameters, refer to the
PSCSSH Administration and User Guide.

Do you want to enable the SSH2 server [NO]? yes

You may specify an alternate configuration file for the SSH2 server. If you
have already specified an alternate configuration file, enter a single space
and hit RETURN at the prompt to reset it to the default file name.

Enter an alternate SSH2 configuration filename []: RETURN

Specify the level of debug for the SSH2 server.

The level is a value from 0 to 50, where zero is no debug and 50 is
the maximum level of debug.  Note that at levels exceeding debug level 8,
there may be a substantial impact on SSH2 server (and possibly, the system,
too) performance due to the amount of information logged.

Enter the debug level [0 - 50, 0]: RETURN

You may specify the number of seconds a user has to enter a password during
user authentication (default = 600).  In addition, you may allow this
to default to the value used by OpenVMS when a user is logging into a
non-SSH session.  To specify an infinite wait time, enter 0 for the timeout
value.

Do you want to change the default login grace time [NO]? RETURN

Specify the address for the SSH server to listen on, if you wish to use
an address other than the default listen_address of ANY (0.0.0.0).  Any
valid IPV4 or IPV6 address may be specified, or ANY to listen on all
addresses.

Enter address to listen on [ANY]: RETURN

Specify the port for the SSH server to listen on, if you wish to use
a port other than the default port of 22.

Enter port to use [22]: RETURN
Do you want to suppress SSH server logging (/QUIET mode) [YES]? RETURN
Do you want verbose logging by the SSH server [NO]? RETURN

You may specify the maximum number of concurrent SSH sessions to be
allowed on the server. The default is 1000 sessions.

Enter maximum number of concurrent SSH sessions [1-1000, 1000]: RETURN

You may permit the server to log a brief informational message when a
user is allowed or denied access to a system.

- For SSH2 sessions, an ACCEPT or REJECT event will be logged when the
  user is either successfully authenticated or fails authentication.  The
  message will be of the form:

  <date><time> SSH2 (accepted) from user "foo" at [192.168.0.1,111]
  (my.server.com)

You may specify the name and location of the log file to record accepted
and/or rejected connections.  If you simply hit RETURN, this information
will be logged to OPCOM as opposed to a disk file.

By default, this file will be in the SSH_DIR: directory.  You may
override this by specifying a complete filename, including the directory
specification; or by specifying a logical name that translates to a
full filename specification.

Do you want to log accepted sessions [NO] RETURN
Do you want to log rejected sessions [NO] RETURN

When generating user keys, a passphrase may be used to further protect
the key.  No limit is normally enforced for the length of the passphrase.
However, you may specify a minimum length the passphrase may be.

What you want the minimum passphrase length to be for SSH2 [0-1024, 0]?

The SSH2 host key has not yet been generated.  Answer YES to the
following question to generate the key now.  Answer NO to generate
the key manually later by issuing the command:

   $ PSCSSH SSHKEYGEN /SSH2/HOST/KEYTYPE=ECDSA/BITS=521

Generating a host key can take a few minutes on slow systems.

Do you want to generate the SSH2 host key now [YES]? RETURN
Generating 521-bit ecdsa key pair

Key generated.
521-bit ecdsa, hunter@x86.goatley.com, Tue May 13 2025 11:40:41 -0400
Private key saved to PSCSSH_ssh2_hostkey_dir:hostkey_ecdsa
Public key saved to PSCSSH_ssh2_hostkey_dir:hostkey_ecdsa.pub

Public key digest for DNS:
x86.goatley.com.  IN  SSHFP  3  1  0d0b90403716af7d8191e5eecd67f18cc23bdd1c
x86.goatley.com.  IN  SSHFP  3  2  22aada6b5aa93d362699a85b7ee1d33ee6d885b7935895090ea34aeed19efeb1

*********************************************************************
*********************************************************************

                          PLEASE NOTE

The following VERB definitions, provided by TCP/IP Services,
will be deleted, as they will conflict with corresponding
PSCSSH commands:

    SSH, SSH2, SCP, SCP2, SFTP, SFTP2

Note: %CDU-W-NOSUCHVERB messages may be ignored

The CLI table does not contain verb name SCP
The CLI table does not contain verb name SFTP2

The following file, supplied by TCP/IP Services, should be edited:

    SYS$MANAGER:TCPIP$DEFINE_COMMANDS.COM

Comment out the command definitions for the foreign TCP/IP Services
commands that are listed under the "ssh2 utilities" heading,
which may include:

    scp, sftp, ssh, ssh_add, ssh_agent, ssh_keygen

Failure to remove these commands may result in the incorrect SSH
utility being run instead of the intended PSCSSH utility.

*********************************************************************
*********************************************************************

SSH Configuration completed.

Review the additional steps you may need to perform as described in
the configuration chapters of the PSCSSH Administration and
User Guide before starting SSH.

Refer to the "Monitoring and Controlling SSH" chapter of the SSH for
OpenVMS Administration and User Guide for information on starting SSH.

$
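The ACCEPT/REJECT message shown in the procedure above is the only per-connection record the server offers for watching authentication outcomes, so it is worth parsing. The Python below is an added example, not PSCSSH code or part of this guide: it parses lines of that shape and flags source addresses that accumulate rejections or cycle through several usernames, and it lists users who were eventually accepted from an address that had earlier been rejected. The timestamp layout, the literal `(rejected)` wording for REJECT events, and the sample log lines are all assumptions constructed for the example (the manual only gives the `(accepted)` form).

```python
import re
from collections import Counter, defaultdict

# Pattern for the accept/reject message. The manual shows only
# "<date><time> SSH2 (accepted) from user "foo" at [addr,port] (host)";
# the "(rejected)" wording and the timestamp layout are assumptions.
LOG_RE = re.compile(
    r'^(?P<stamp>\S+\s+\S+)\s+SSH2\s+\((?P<event>accepted|rejected)\)\s+'
    r'from user "(?P<user>[^"]*)"\s+at\s+\[(?P<addr>[^,\]]+),(?P<port>\d+)\]\s*'
    r'\((?P<host>[^)]*)\)\s*$'
)

# Constructed sample log (not real server output); OpenVMS-style timestamps assumed.
SAMPLE_LOG = """\
13-MAY-2025 11:42:01.10 SSH2 (accepted) from user "foo" at [192.168.0.1,111] (my.server.com)
13-MAY-2025 11:42:05.33 SSH2 (rejected) from user "root" at [198.51.100.7,50211] (my.server.com)
13-MAY-2025 11:42:06.01 SSH2 (rejected) from user "admin" at [198.51.100.7,50212] (my.server.com)
13-MAY-2025 11:42:06.90 SSH2 (rejected) from user "test" at [198.51.100.7,50213] (my.server.com)
13-MAY-2025 11:42:07.54 SSH2 (rejected) from user "oracle" at [198.51.100.7,50214] (my.server.com)
13-MAY-2025 11:42:09.12 SSH2 (rejected) from user "foo" at [192.168.0.1,112] (my.server.com)
13-MAY-2025 11:42:15.77 SSH2 (accepted) from user "foo" at [192.168.0.1,113] (my.server.com)
(constructed) unrelated line that the parser must skip
"""


def parse_line(line):
    """Return the message fields as a dict, or None for lines of another shape."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Parse a log and return (events, rejects_per_addr, distinct_users_per_addr)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    rejects = Counter()
    users = defaultdict(set)
    for e in events:
        if e["event"] == "rejected":
            rejects[e["addr"]] += 1
            users[e["addr"]].add(e["user"])
    return events, rejects, users


def flag_sources(log_text, max_rejects=3, max_distinct_users=2):
    """Addresses that reached either threshold: many rejections, or rejections
    spread over several usernames (the latter catches slow, one-try-per-name runs)."""
    _, rejects, users = summarize(log_text)
    flagged = {a for a, n in rejects.items() if n >= max_rejects}
    flagged |= {a for a, u in users.items() if len(u) >= max_distinct_users}
    return sorted(flagged)


def rejected_then_accepted(log_text):
    """(user, addr) pairs accepted after an earlier rejection from the same address,
    in log order; worth a second look even when thresholds were not reached."""
    seen_reject = set()
    result = []
    for e in summarize(log_text)[0]:
        key = (e["user"], e["addr"])
        if e["event"] == "rejected":
            seen_reject.add(key)
        elif key in seen_reject:
            result.append(key)
    return result


if __name__ == "__main__":
    print("flagged sources:", flag_sources(SAMPLE_LOG))
    print("rejected then accepted:", rejected_then_accepted(SAMPLE_LOG))
```

The thresholds are deliberately low for the sample; on a real server they belong in a configuration value, and the same logic applies whether the messages land in the disk file named during configuration or are collected from OPCOM.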
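The two `Public key digest for DNS` lines printed after host key generation are SSHFP resource records (RFC 4255; algorithm number 3 for ECDSA and fingerprint type 2 for SHA-256 come from RFC 6594). They let an SSH client check a host key it is offered against what the zone publishes. The Python below is an added example, not PSCSSH code: it derives both records from a public key line in the usual `type base64 comment` layout and checks a presented key against a set of records, accepting only a SHA-256 match. The key it hashes is a constructed, syntactically valid ecdsa-sha2-nistp521 blob whose point is filler rather than a real curve point, so it exercises only the encoding and hashing path; the owner name reuses the host from the transcript.

```python
import base64
import hashlib
import struct

# SSHFP code points from RFC 4255 and RFC 6594.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode a byte string in SSH wire format: uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int = 0):
    """Decode one wire-format string at offset; return (value, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def public_key_blob(pubkey_line: str) -> bytes:
    """Return the raw key blob from a '<type> <base64> [comment]' line, rejecting
    lines whose leading type word disagrees with the type encoded inside the blob."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    inner_type, _ = read_ssh_string(blob)
    if inner_type.decode("ascii") != fields[0]:
        raise ValueError("key type mismatch between line and blob")
    return blob


def sshfp_records(hostname: str, pubkey_line: str):
    """Return [(owner, algorithm, fptype, hex_fingerprint), ...], SHA-1 then SHA-256.
    The fingerprint is the hash of the whole wire-format blob, as RFC 4255 specifies."""
    blob = public_key_blob(pubkey_line)
    key_type, _ = read_ssh_string(blob)
    algorithm = SSHFP_ALGORITHM[key_type.decode("ascii")]
    owner = hostname.rstrip(".") + "."
    return [(owner, algorithm, fptype, h(blob).hexdigest())
            for fptype, h in sorted(SSHFP_HASH.items())]


def format_records(records) -> str:
    """Render records in the same layout the configuration procedure prints."""
    return "\n".join(f"{o}  IN  SSHFP  {a}  {t}  {fp}" for o, a, t, fp in records)


def key_matches_records(pubkey_line: str, records) -> bool:
    """True only if a SHA-256 (type 2) record for the same algorithm matches.
    A SHA-1-only match is treated as insufficient; that is this example's policy."""
    blob = public_key_blob(pubkey_line)
    key_type, _ = read_ssh_string(blob)
    algorithm = SSHFP_ALGORITHM[key_type.decode("ascii")]
    want = hashlib.sha256(blob).hexdigest()
    return any(a == algorithm and t == 2 and fp.lower() == want
               for _, a, t, fp in records)


def constructed_ecdsa_p521_line(comment: str = "hunter@x86.goatley.com", seed: int = 1) -> str:
    """CONSTRUCTED test key: the wire layout of ecdsa-sha2-nistp521 (type, curve
    name, point) with a 0x04-prefixed filler point. It is not a valid curve point
    and cannot authenticate anything; 'seed' just varies the filler."""
    point = b"\x04" + bytes((seed + i) % 256 for i in range(132))
    blob = (ssh_string(b"ecdsa-sha2-nistp521") + ssh_string(b"nistp521")
            + ssh_string(point))
    return f"ecdsa-sha2-nistp521 {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    line = constructed_ecdsa_p521_line()
    recs = sshfp_records("x86.goatley.com", line)
    print(format_records(recs))
    print("presented key matches published records:", key_matches_records(line, recs))
```

Pointing this at the real `PSCSSH_ssh2_hostkey_dir:hostkey_ecdsa.pub` reproduces the two lines the procedure printed, which is a quick way to confirm what was loaded into the zone. Publishing the records only helps clients that validate them with DNSSEC; an unsigned SSHFP answer gives a client no more assurance than the first-connection fingerprint prompt.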