This chapter describes how to configure the SSHD Master process, which controls access to the SSH servers for the PSCSSH software.
For a basic configuration, accept the default value for each component, which appears in brackets at each prompt. This also helps you step through the process more quickly.
After performing the basic configuration, you must perform the advanced configuration for the SSH1 and SSH2 servers, and for the SSH clients as desired. Chapters 4 through 7 describe the configuration and use of these components.
SSH is the Secure Shell protocol. PSCSSH provides support for both SSH Version 1 protocol and SSH Version 2 protocol.
Please note that, in addition to the configuration performed via CNFSSH as described below, there are configuration files for both the SSH1/SSH2 servers and the SSH client that must be modified as appropriate to meet the security requirements of your organization. Refer to chapters 4 and 5 of this manual for details on the configuration files.
You can use the CNFSSH utility to configure the SSH server as shown in the example below.
$ @PSCSSH:PSCSSH CONFIGURE
PSCSSH Version V3.0A SSH Configuration procedure
This procedure helps you define the parameters needed to get
PSCSSH running on this system.
This procedure creates the configuration data file,
PSCSSH_LOCAL:SSH_CONFIGURE.COM,
to reflect your system's configuration.
For detailed information on the following parameters, refer to the
PSCSSH Administration and User Guide.
Do you want to enable the SSH2 server [NO]? yes
You may specify an alternate configuration file for the SSH2 server. If you
have already specified an alternate configuration file, enter a single space
and hit RETURN at the prompt to reset it to the default file name.
Enter an alternate SSH2 configuration filename []: RETURN
Specify the level of debug for the SSH2 server.
The level is a value from 0 to 50, where zero is no debug and 50 is
the maximum level of debug. Note that at levels exceeding debug level 8,
there may be a substantial impact on SSH2 server (and possibly, the system,
too) performance due to the amount of information logged.
Enter the debug level [0 - 50, 0]: RETURN
You may specify the number of seconds a user has to enter a password during
user authentication (default = 600). In addition, you may allow this
to default to the value used by OpenVMS when a user is logging into a
non-SSH session. To specify an infinite wait time, enter 0 for the timeout
value.
Do you want to change the default login grace time [NO]? RETURN
Specify the address for the SSH server to listen on, if you wish to use
an address other than the default listen_address of ANY (0.0.0.0). Any
valid IPV4 or IPV6 address may be specified, or ANY to listen on all
addresses.
Enter address to listen on [ANY]: RETURN
Specify the port for the SSH server to listen on, if you wish to use
a port other than the default port of 22.
Enter port to use [22]: RETURN
Do you want to suppress SSH server logging (/QUIET mode) [YES]? RETURN
Do you want verbose logging by the SSH server [NO]? RETURN
You may specify the maximum number of concurrent SSH sessions to be
allowed on the server. The default is 1000 sessions.
Enter maximum number of concurrent SSH sessions [1-1000, 1000]: RETURN
You may permit the server to log a brief informational message when a
user is allowed or denied access to a system.
- For SSH2 sessions, an ACCEPT or REJECT event will be logged when the
user is either successfully authenticated or fails authentication. The
message will be of the form:
<date><time> SSH2 (accepted) from user "foo" at [192.168.0.1,111]
(my.server.com)
You may specify the name and location of the log file to record accepted
and/or rejected connections. If you simply hit RETURN, this information
will be logged to OPCOM as opposed to a disk file.
By default, this file will be in the SSH_DIR: directory. You may
override this by specifying a complete filename, including the directory
specification; or by specifying a logical name that translates to a
full filename specification.
Do you want to log accepted sessions [NO] RETURN
Do you want to log rejected sessions [NO] RETURN
When generating user keys, a passphrase may be used to further protect
the key. No limit is normally enforced for the length of the passphrase.
However, you may specify a minimum length the passphrase may be.
What you want the minimum passphrase length to be for SSH2 [0-1024, 0]?
The SSH2 host key has not yet been generated. Answer YES to the
following question to generate the key now. Answer NO to generate
the key manually later by issuing the command:
$ PSCSSH SSHKEYGEN /SSH2/HOST/KEYTYPE=ECDSA/BITS=521
Generating a host key can take a few minutes on slow systems.
Do you want to generate the SSH2 host key now [YES]? RETURN
Generating 521-bit ecdsa key pair
Key generated.
521-bit ecdsa, hunter@x86.goatley.com, Tue May 13 2025 11:40:41 -0400
Private key saved to PSCSSH_ssh2_hostkey_dir:hostkey_ecdsa
Public key saved to PSCSSH_ssh2_hostkey_dir:hostkey_ecdsa.pub
Public key digest for DNS:
x86.goatley.com. IN SSHFP 3 1 0d0b90403716af7d8191e5eecd67f18cc23bdd1c
x86.goatley.com. IN SSHFP 3 2 22aada6b5aa93d362699a85b7ee1d33ee6d885b793589
5090ea34aeed19efeb1
*********************************************************************
*********************************************************************
PLEASE NOTE
The following VERB definitions, provided by TCP/IP Services,
will be deleted, as they will conflict with corresponding
PSCSSH commands:
SSH, SSH2, SCP, SCP2, SFTP, SFTP2
Note: %CDU-W-NOSUCHVERB messages may be ignored
The CLI table does not contain verb name SCP
The CLI table does not contain verb name SFTP2
The following file, supplied by TCP/IP Services, should be edited:
SYS$MANAGER:TCPIP$DEFINE_COMMANDS.COM
Comment out the command definitions for the foreign TCP/IP Services
commands that are listed under the "ssh2 utilities" heading,
which may include:
scp, sftp, ssh, ssh_add, ssh_agent, ssh_keygen
Failure to remove these commands may result in the incorrect SSH
utility being run instead of the intended PSCSSH utility.
*********************************************************************
*********************************************************************
SSH Configuration completed.
Review the additional steps you may need to perform as described in
the configuration chapters of the PSCSSH Administration and
User Guide before starting SSH.
Refer to the "Monitoring and Controlling SSH" chapter of the SSH for
OpenVMS Administration and User Guide for information on starting SSH.
$
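The key generation step above prints SSHFP records with fingerprint type 1 (SHA-1) and type 2 (SHA-256). The following is an added example, not part of PSCSSH or this manual, that checks published SSHFP records against a host public key blob and reports a SHA-1-only match separately. The function names and the sample key blob are assumptions made for illustration, and decoding the hostkey_ecdsa.pub file into the raw key blob is left out.

```python
import hashlib

# SSHFP registry values (RFC 4255, RFC 6594, RFC 7479).
KEY_ALGS = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "Ed25519"}
FP_TYPES = {1: ("sha1", 20), 2: ("sha256", 32)}


def parse_sshfp(line):
    """Parse '<owner> IN SSHFP <alg> <fptype> <hex ...>' into a dict."""
    f = line.split()
    if len(f) < 6 or f[1].upper() != "IN" or f[2].upper() != "SSHFP":
        raise ValueError("not an SSHFP record: %r" % line)
    alg, fptype = int(f[3]), int(f[4])
    if alg not in KEY_ALGS or fptype not in FP_TYPES:
        raise ValueError("unknown key algorithm or fingerprint type")
    digest = bytes.fromhex("".join(f[5:]))  # hex may be wrapped into pieces
    if len(digest) != FP_TYPES[fptype][1]:
        raise ValueError("digest length does not fit fingerprint type")
    return {"owner": f[0], "alg": alg, "fptype": fptype, "digest": digest}


def check_host_key(lines, key_blob, alg=3):
    """Compare a public key blob with every SSHFP record for its algorithm."""
    records = [r for r in map(parse_sshfp, lines) if r["alg"] == alg]
    if not records:
        return "no-record"
    seen = set()
    for r in records:
        if hashlib.new(FP_TYPES[r["fptype"]][0], key_blob).digest() != r["digest"]:
            return "mismatch"
        seen.add(r["fptype"])
    # A SHA-1-only match is reported separately so it can be re-published.
    return "match" if 2 in seen else "match-sha1-only"


# Constructed sample: a stand-in key blob and the records derived from it.
SAMPLE_BLOB = b"constructed-ecdsa-public-key-blob"
SAMPLE_RECORDS = [
    "host.example. IN SSHFP 3 1 " + hashlib.sha1(SAMPLE_BLOB).hexdigest(),
    "host.example. IN SSHFP 3 2 " + hashlib.sha256(SAMPLE_BLOB).hexdigest(),
]

if __name__ == "__main__":
    print(check_host_key(SAMPLE_RECORDS, SAMPLE_BLOB))         # match
    print(check_host_key(SAMPLE_RECORDS[:1], SAMPLE_BLOB))     # match-sha1-only
    print(check_host_key(SAMPLE_RECORDS, SAMPLE_BLOB + b"x"))  # mismatch
```

The parser joins hex digits that were wrapped onto a second line, as happened to the type 2 record in the session output above.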
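If accepted and rejected sessions are logged to a file, the message form shown in the session above can be parsed to spot sources with repeated rejections. The following is an added example, not part of PSCSSH or this manual. It assumes that rejections are written as "(rejected)" in the same layout and that the second number in the brackets is the remote port; the timestamp prefix in the constructed sample lines is also an assumption and is not parsed.

```python
import re
from collections import defaultdict

# Body of the message as shown in the prompt text. The timestamp prefix is
# skipped because its exact layout is not given there.
EVENT = re.compile(
    r'SSH2 \((?P<result>accepted|rejected)\) from user "(?P<user>[^"]*)" '
    r'at \[(?P<addr>[^,\]]+),(?P<port>\d+)\]\s*\((?P<host>[^)]*)\)'
)


def parse_events(text):
    """Return one dict per logged event, in log order."""
    return [m.groupdict() for m in EVENT.finditer(text)]


def flag_sources(events, threshold=3):
    """Return sources with at least `threshold` rejections.

    accepted_after is True when the same source was later accepted, which
    deserves a closer look than rejections alone.
    """
    stats = defaultdict(
        lambda: {"rejected": 0, "users": set(), "accepted_after": False})
    for e in events:
        s = stats[e["addr"]]
        if e["result"] == "rejected":
            s["rejected"] += 1
            s["users"].add(e["user"])
        elif s["rejected"] >= threshold:
            s["accepted_after"] = True
    return {a: s for a, s in stats.items() if s["rejected"] >= threshold}


# Constructed sample log; the third entry wraps the host name onto a new
# line, as the example message in the prompt text does.
SAMPLE_LOG = '''\
13-MAY-2025 11:42:01 SSH2 (rejected) from user "root" at [198.51.100.7,40112] (scanner.example)
13-MAY-2025 11:42:03 SSH2 (rejected) from user "admin" at [198.51.100.7,40118] (scanner.example)
13-MAY-2025 11:42:06 SSH2 (rejected) from user "system" at [198.51.100.7,40125]
(scanner.example)
13-MAY-2025 11:42:09 SSH2 (accepted) from user "system" at [198.51.100.7,40131] (scanner.example)
13-MAY-2025 11:50:00 SSH2 (rejected) from user "hunter" at [192.0.2.10,51000] (ws.example)
13-MAY-2025 11:50:20 SSH2 (accepted) from user "hunter" at [192.0.2.10,51004] (ws.example)
'''

if __name__ == "__main__":
    for addr, s in flag_sources(parse_events(SAMPLE_LOG)).items():
        print(addr, s["rejected"], sorted(s["users"]), s["accepted_after"])
```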