PEPOPTICS - MCC
Integration Tools
Terri Lahey,
Revised:
26-Sep-2003
This document gives
examples of Secure Shelll (SSH) between MCC (OpenVMS)
and PEPOPTICS (LINUX). The goal is to document PEPII OPTICS methods to a) move
files between MCC and PEPOPTICS, and b) to execute remote commands. The LINUX
examples generally work on SCS taylored UNIX nodes,
too.
PEPOPTICS
is a taylored AFS LINUX machine,
that also has local accounts and local disks. You can login with your AFS
account or your local account. For production PEP running, use your local
PEPOPTICS account. PEPOPTICS is running OpenSSH. MCC
is an OpenVMS machine, running multinet (commercial)
SSH. On MCC, the secure copy
command is scp2 (not scp).
This document
contains:
Introduction
Create your
SSH keys
Enable
Public Keys between LINUX and VMS
Enable
Public Keys between AFS and other accounts
Example SCP
and SSH Commands
SSH
- Remote Command and Script execution
Additional
Hints
File
conversion between UNIX and VMS
SSH
provides:
·
Login (replaces
telnet)
·
Secure Copy (scp) to copy files between nodes
·
Remote command
execution
using encrypted tunnels,
ie. not clear text. SSH has two versions, v1 and v2. In many cases a server will support both
v1 and v2 clients. VMS Secure Copy (scp2) supports only v2, which most SLAC
nodes support. Use SSH v2 if possible.
Note
that Command Server is another way to remotely execute a UNIX command from MCC.
This is a software package that is used in the control system. At the current
time, PEPOPTICS is using ssh
to remotely execute commands.
With ssh, you can authenticate
(login)
·
with password,
which means that you type your remote account password,
·
RSA
Authentication or public key,
which uses a passphrase, public key, and private key,
that you create using ssh-keygen.
If you are careful to
protect your private key files, you can specify a null passphrase. This allows you to use ssh without typing a passphrase or password. Use this in remote execution of
linux scripts or vms command
procedures.
If you authenticate
with public key (RSA or DSA) from a non-taylored node to a SLAC taylored
linux node, linux does not
allocate an AFS token, so you cannot write to afs
diskspace, and
you cannot use Xwindows tunneled back through
SSH. If you need write access to AFS disks or x11 windows tunneled through SSH,
then use password authentication.
PEPOPTICS has local
disks that are not affected by this restriction on AFS disks, so you can scp2
from MCC to PEPOPTICS.
Addition information is
available:
·
SCS’s Secure Shell (SSH) at
SLAC
·
UNIX man pages
·
VMS multinet manual, and
·
VMS “$ help multinet ssh”.
Create Public/Private
Key:
Public key authentication is useful
for login and file transfer between PEPOPTICS and MCC because PEPOPTICS has
local disks that do not require AFS tokens. But skip
this section if you are trying to a) scp2 from MCC to an afs disk, or b) use ssh with x11
forwarding. Use password authentication for these functions.
When using public key
authentication, the client node has a copy of the private key and public key
files. It is critical that you protect the private key files. In addition, if
you enter a null passphrase, and do not set file
permissions correctly, then anyone can copy the files, and login to your
account; in some cases, ssh
login will fail, but be very careful with file permissions. SCS unix wrappers protect the private
key files on AFS unix nodes. These examples show how
to define the keys on VMS and LINUX, including required file protection.
Background:
The following files are used for
private/public key authentication. You will copy the associated public key to
the authorized key file on the server. The private key is used only on the
client. The filenames differ
somewhat for UNIX (OpenSSH) and VMS (Multinet that looks like f-secure datafellows).
UNIX CLIENT:
UNIX SERVER:
identity v1 private key
authorized_keys contains both v1 and v2 public
keys
identity.pub v1 public key
authorized_keys2 v2 public keys
id_dsa v2 DSA private
key
id_dsa.pub v2 DSA public
key
id_rsa v2 RSA private
key
id_rsa.pub v2 RSA public
key
Directories used
are:
~/.ssh/.public contains the public files
including client public keys and server authorized_keys*
~/.ssh
contains the private files and soft links to the public files; Beware: permissions are important.
VMS V2 CLIENT:
VMS V2 SERVER:
identification. List of private
key files
authorization. List of public key files
id_dsa_1024_*. is DSA
private key
*.pub as copied from vms and unix client
nodes
id_dsa_1024_*.pub is DSA public
key
id_rsa_1024_*. Is RSA private
key
id_rsa_1024_*.pub is RSA public
key
where * is a, b, c for the nth key
created.
The directory used for v2 files
is: [.ssh2]
VMS V1 CLIENT:
VMS V2 SERVER:
identity. private
key
authorized_keys. public
keys
The directory used for v1 file
is: [.ssh]
Generate a v2 DSA or RSA public
key:
ssh pepoptics (or
Login at PEPOPTICS console)
ssh-keygen -t dsa
…or
ssh-keygen -t rsa
…but
these examples assume dsa
To support ssh to a unix server for the current account:
cd ~/.ssh/.public
cat id_dsa.pub >> authorized_keys
…and create a new authorized_keys2 files (or append id_dsa.pub to authorized_keys2)
cat authorized_keys > authorized_keys2
Repeat
for id_rsa.pub if you created an RSA public
key
cat id_rsa.pub >> authorized_keys
cat authorized_keys >>
authorized_keys2
Test ssh with passphrase:
ssh pepoptics
Login should work with
your passphrase, and give you another login in the
same window. Note that if ssh
queries for your password, the RSA authentication is not yet
working.
Note, when you are logged into your
PEPOPTICS local account, your AFS account’s SSH public files are located in
~/afs/.ssh/.public
Login to MCC (or any VMS cluster
member):
$set def sys$login
$mu
sshkeygen/ssh2
The generated key files are named
id_dsa_1024_*.*
If you
need a v2 RSA key:
$mu sshkeygen/ssh2/keytype=rsa
…the
files are named id_rsa_1024_*.*
Create the IDENTIFICATION. and AUTHORIZATION. files for secure
copy and ssh, entering the filenames of your UNIX and
VMS keys. Create these files the
first time; later edit the file with the EVE or LSE
editor.
Create the file IDENTIFICATION.
contains filenames of VMS private keys (no file
extension)
$create [.ssh2]identification.
idkey
ID_DSA_1024_A.
...type control-Z to exit the file
create...
The file
AUTHORIZATION.
contains filesnames of VMS
and UNIX public keys (*.pub)
$create [.ssh2]authorization.
key
ID_DSA_SECSH.PUB
key
ID_DSA_1024_A.PUB
...type control-Z to exit the file
create...
Note, the
identification and authorization files use different keywords, key vs. idkey.
Test ssh with passphrase:
ssh mccdev
Login should work with
your passphrase. Note that if ssh queries for your password, the RSA authentication
is not yet working.
Login to your unix node, and type following
commands to convert and copy VMS and UNIX public keys to the other system. Enter
your normal unix or vms password until your public key files are copied to
server systems.
Copy UNIX Public Key to
VMS:
Convert the linux (openssh) key format to
vms (datafellows) key
format, and copy it to VMS.
ssh pepoptics
cd ~/.ssh/.public
ssh-keygen -e -f id_dsa.pub -t dsa > id_dsa_secsh.pub
scp -oProtocol=2 id_dsa_secsh.pub mcc:’ssh2/id_dsa_secsh.pub’
…or, if your account names
are the different on VMS and PEPOPTICS:
scp -oProtocol=2
id_dsa_secsh.pub mailto:YOURVMSACCOUNT@mcc:'ssh2/id_dsa_secsh.pub’
...and enter vms password at password prompt
On VMS terminal, if you
have not yet done so, edit [.ssh2]authorization. and add
idkey id_dsa_secsh.pub
Test ssh with passphrase:
ssh mcc
Login should work with
your passphrase. Note that if ssh queries for your password, the RSA authentication
is not yet working.
Copy VMS Public Key to
UNIX:
Find the filename of the public key file
on VMS, eg. id_dsa_1024_a.pub
ssh pepoptics
cd ~/.ssh/.public
scp –oProtocol=2 mcc:”ssh2/id_dsa_1024_a.pub”
.
…or, if your account names
are the different on VMS and PEPOPTICS:
scp –oProtocol=2 YOURVMSACCOUNT@mcc:”ssh2/id_dsa_1024_a.pub”
.
...and enter vms password at password prompt
ssh-keygen –I –f id_dsa_1024_a.pub >>
authorized_keys
cat authorized_keys > authorized_keys2
Test ssh with passphrase:
From MCC decterm or ssh terminal:
Ssh pepoptics
Login should work with
your passphrase. Note that if ssh queries for your password, the RSA authentication
is not yet working.
The private/public key files are
located in .ssh/.public. Follow the above instructions
for creating keys and releasing them to the server nodes. For example, login to
flora and generate a public key on flora, and release it to pepoptics local account, per instructions in previous
sections.
One
additional option for releasing your MCC and PEPOPTICS keys to AFS
nodes:
ssh pepoptics using
your local pepoptics account
cd .ssh/.public
cat id_dsa.pub
>> ~/afs/.ssh/.public/authorized_keys
ssh-keygen –I –f
id_dsa_1024_a.pub >> ~/afs/.ssh/.public/authorized_keys
cd ~/afs/.ssh/.public
cat authorized_keys > authorized_keys2
This step
is probably not needed, but included just in case: Create linux soft link to VMS public key:
cd ~/.ssh
ln –s
.public/id_dsa_1024_a.pub .
Creating
v1 keys: SKIP this step if you client and server systems support V2 keys.
Linux/Unix:
ssh-keygen –t rsa1
scp -v ~/.ssh/.public/identity.pub YOURACCOUNT@NODE:.ssh/identity_YOURACCOUNT.pub
Then
login to target node, and type:
cat identity_YOURACCOUNT.pub >> authorized_keys
VMS:
$set def
sys$login
$mu sshkeygen/ssh1
…Now copy
the public key to unix
…login to
unix
node
…scp –oProtocol=2 mcc:’ssh/identity.pub.
~/.ssh/.public/identity_vms
…convert
the key from commercial (vms) to OpenSSH format
…and
append the converted public key to /.ssh/.public/authorized_keys
and then
copy the v1 public keys to any other systems that you need to ssh to.
SSH to secure copy (scp/scp2) a file
or remotely execute a command (ssh/ssh2)
Copy a VMS file to
UNIX:
Source file is in pep_optics:[scratch]:
scp -oProtocol=2 mcc:’/pep_optics/scratch/temp.cnf’ /tmp
or if
your account name is different on VMS and PEPOPTICS:
scp -oProtocol=2
YOURVMSACCT@mcc:'/pep_optics/scratch/pep2herys96.cnf'
.
Copy a UNIX file to
VMS:
scp -oProtocol=2
/tmp/pep2herys96.cnf
mcc:’/pep_optics/scratch/temp.cnf’
scp -oProtocol=2 /tmp/pep2herys96.cnf YOURVMSACCT@mcc:’/pep_optics/scratch/temp.cnf’
Copy a VMS file to
UNIX:
scp2 myfile.m "pepoptics::/tmp/"
…or
scp2 myfile.m "YOURPEPACCT@pepoptics::/tmp/"
If you get a file format problem
with end-of-line characters (that are treated differently on VMS and UNIX),
convert the file, and add switch “/translate_vms=NONE”
convert/fdl=pep_optics:[com]unixfile mycnf.cnf mycnf1.cnf
scp2 /translate_vms=NONE mycnf1.cnf "pepoptics::/tmp/"
…or
scp2 /translate_vms=NONE myfile.m "YOURPEPACCT@pepoptics::/tmp/"
Copy a UNIX file to
VMS:
scp2 "pepoptics::/tmp/myfile.m " [ ]
…or
scp2 "YOUPEPACCT@pepoptics::/tmp/myfile.m " [ ]
From a VMS client (eg decterm)
To remotely execute a command on
unix, you can use either
ssh or the Controls-built command
server.
a) via
ssh:
In the following ssh examples:
·
On VMS, verbs ssh2 and
ssh use v2
·
if your accountname on MCC and PEPOPTICS are the same, then don’t’
enter /user switch.
·
/no_x11 disables x11 forwarding so that you can
remove delays when ssh with
passphrase from VMS; otherwise ssh delays about 20-30 seconds while unix times out trying to update .Xauthority file.
ssh /no_x11 pepoptics ls
ssh /user=YOURUNIXACCT /no_x11 pepoptics ls
ssh
/user=YOURUNIXACCT /no_x11 /verbose pepoptics "source
testscript tmp/optics"
b) Command
Server:
If you want to monitor status of the triggered unix process, or control the number of processes, Ron MacKenzie's command server is a useful technique that we use in the control system.
From a UNIX or LINUX
client
In the following
examples:
·
if your accountname on MCC and PEPOPTICS differ, then change mcc to YOURVMSACCT@mcc
·
ssh allows you to use
option –2 instead of –oProtocol=2
a) Execute a remote
DIRectory command:
ssh -oProtocol=2 mcc
dir
ssh -oProtocol=2 mcc ‘dir
scrcnf_prod:pep2*’
ssh -oProtocol=2 mcc 'dir scr_cnf_prod:[pep2lery]'
b) Both of these ssh commands execute test.com in my
home directory:
ssh -oProtocol=2 mcc
@test
ssh -oProtocol=2 mcc
'@test'
c) and
here's one that passes a parameter to and executes the VMS command procedure
getc.com in the default user login directory:
ssh -oProtocol=2 mcc '@getc scr_cnf_prod:[pep2lery]*56.cnf'
or in pep_optics directory for com files:
ssh -oProtocol=2 mcc '@/pep_optics/com/getc scr_cnf_prod:[pep2lery]*56.cnf'
ssh -oProtocol=2 mcc 'dir scr_cnf_prod:[pep2hery]/sin=1-nov/da'
…
Directory SCR_CNF_PROD:[PEP2HERY]
PEP2HERY$95.CNF;1
PEP2HERY$96.CNF;1
Or execute getc.com
from pep_optics:[com]
directory:
ssh -oProtocol=2 mcc '@pep_optics:[com]getc scr_cnf_prod:[pep2hery]pep2hery-96.cnf'
Logical names can be used in ssh and scp commands. Use either system-wide logicals like:
Scratch Configs:
scr_cnf_prod points at scratch configs. You must specify
:[regionname]
scrcnf_prod points at top of scratch configs – regionname cannot be
specified
Normal Configs:
slc_cnf_prod points at normal configs. You must specify
:[regionname]
slccnf_prod points at top of normal configs – regionname cannot be
specified
Physics3_data
disk
pep_optics points at physics3_data:[pepoptics.] You must specify a subdirectory, eg. [scratch]
You can also define
your own personal logicals to use during your login,
ssh, or scp session. Using lse or eve
editor:
$lse
login.com
…go to end of login.com file after
$endbatch:
$ENDBATCH:
$ def/job pler
physics3_data:[pep2.ler.2002nov.mia]
$ def/job pher physics3_data:[pep2.her.2002nov.mia]
VMS currently does not
support SECURE COPY of filenames with a $. This seems like a bug, and might be
fixed in the future. Until then, a workaround is to rename the file, and remove
the $, or replace $ with – or another character. Then scp or scp2 the new filename.
Two example command procedures
rename and convert cnf files for transfer between MCC
and PEPOPTICS:
pep_optics:[com]getc.com (to get a scratch or normal config; convert it & copy to
PEPOPTICS)
pep_optics:[com]putc.com (to move a cnf file from PEPOPTICS to MCC, convert it to cnf file)
VMS and UNIX files sometimes handle
the end-of-line differently. To fix this, use the VMS convert utitily. For example, CONFIG (.cnf) files must be converted.
Convert to UNIX
format:
$ set dev
pep_optics:[scratch]
$ convert/fdl=pep_optics[com]unixfile
SRCFILE.CNF pep_optics:[scratch]
Convert to VMS
format:
$ set dev
pep_optics:[scratch]
$ convert/fdl=pep_optics:[com]vmsfile
SRCFILE.CNF pep_optics:[scratch]
Two example VMS command
procedures (getc & puts) exist that use this
convert utility. See above section.