by Alan Winston. This version: 14-DEC-1999
What is SSL?
SSL (Secure Session Layer) is encryption software that supports protocols that are secure on the wire; that is, passwords are never passed in plaintext. SSH (Secure Shell) and TLS are protocols that use SSL.
What are the parts?
a) Crypto library: OpenSSL
b) Certificates: created with OpenSSL
c) Make outbound connections: FiSH
d) Allow inbound connections: SSH_SERVER
Installation requirements
a) You can find all the pieces you need on SSRL in the SSRL$PROGRAMS directories. These were compiled on VMS 7.2 and should run fine on Alphas at that OS level. For VAXes, etc., you may need to recompile.
b) These may not be the most up-to-date versions of the software. To find the newest versions, check out:
   http://www.openssl.org for OpenSSL
   http://www.free.lp.se/openssl for VMS OpenSSL info
   http://www.free.lp.se/fish for FiSH
   http://kcgl1.ENG.OHIO-STATE.edu/~jonesd/ssh for SSH_SERVER
Installation
a) OPENSSL
It turns out that you don't actually need OPENSSL installed on your system to run FiSH and SSH_SERVER. Unless you need to be able to generate certificates, or insist on compiling and building the applications on your local machine, you can skip this section.
If you do need a self-signed certificate, I just put together a web-based application to generate and send you one, which you can see here. (It'll send this using SEND/FOREIGN over DECnet to SYSTEM at the node you specify, so if you don't have SYSTEM account access don't bother. However, the audience for this document should have SYSTEM account access.)
If you insist on installing OPENSSL, here's how. You can find it in the SSRL::SSRL$PROGRAMS:[OPENSSL] tree. You may as well copy the whole tree over; it's a real pain picking out what parts you need or don't need. (About 50k blocks.) The document [OPENSSL.OPENSSL-0_9_3A]INSTALL.VMS describes how to do an installation on VMS. @INSTALL.COM in the same directory will actually do it, including creating a startup file. The documentation discusses using RSA, but in fact we can't use RSA, so don't worry about it. If you want to do this from scratch, see the instructions at http://www.free.lp.se/openssl/docs/openssl2.html
The OPENSSL_STARTUP file will define logicals for these directories:
   SSLROOT     Points to the "root" of the OpenSSL directory.
   SSLLIB      Points to the OpenSSL library directory.
   SSLINCLUDE  Points to the "include" files for OpenSSL.
   SSLEXE      Points to the directory where the OpenSSL EXEs are kept.
   SSLCERTS    Points to a directory where you can put your SSL certificates.
   SSLPRIVATE  Points to a "private" directory for "private" files.
These logicals must be defined before you go any further. To make that work globally, you need to pass the "/SYSTEM" parameter to OPENSSL_STARTUP. For example, SSRL::SYS$STARTUP:SSRL_OPENSSL_STARTUP.COM looks like this:
   $ SET NOON
   $ write sys$output "SSL startup"
   $ @ssrl$programs:[openssl.vms]openssl_startup.com "/SYSTEM"
   $ @ssrl$programs:[openssl.vms]openssl_utils.com
b) Create self-signed certificates.
Remember, you don't need to do this to run FiSH or SSH_SERVER. First, you have to configure things so that you can do this. Use the SAMPLE_OPENSSL.CNF that's in the SSRL$PROGRAMS:[OPENSSL] directory, and modify it with your name and email address. DO NOT use the OPENSSL.CNF file, because that's set up to produce the certificates needed for the web server, which is a different format. See the step-by-step instructions here. Then follow, or better yet cut and paste from, these instructions to actually create a certificate.
c) NETLIB
To make FiSH run, you need to have NETLIB installed. Check whether NETLIB is installed with
   $ SHOW LOG NETLIB_DIR
If it's undefined, you need to install it. You can install from the NETLIB022 savesets on SSRL::SSRL$PROGRAMS:[NETLIB], e.g.
   $ @SYS$UPDATE:VMSINSTAL NETLIB022 SSRL::SSRL$PROGRAMS:[NETLIB]
If it's there, and NETLIB_STARTUP is in your startup procedure, go ahead.
d) FISH
FiSH can be found in SSRL::SSRL$PROGRAMS:[FISH]. You may as well copy the whole tree over. Follow the instructions in INSTALL.TXT. Briefly: if you've run NETLIB_STARTUP, you can get away with just using the FISH.EXE that's there; if you installed OpenSSL, you can use @LINK to set up FISH; or, if you want, you can recompile the world if MMS is installed on this system.
You can test FiSH, assuming all the startups are working right, by doing
   $ FISH yourusername@SSRL.SLAC.STANFORD.EDU
It'll come back and say ssrl.slac.stanford.edu is an unknown system, which just means it hasn't been connected to before. Say "Y" to connecting anyway, and it will ask for the password for your account on that system. It has to use the password because the other authentication method is RSA, which is patented and which we can't yet use. If that works, it'll make the connection and log you in. If you type FISH and nothing happens at all, you probably forgot to start NETLIB.
e) SSH_SERVER
The SSH_SERVER programs are linked with a shared library called SSHCRYPTOSHR.EXE, but SSHCRYPTOSHR.EXE statically pulled in everything it needs from the OPENSSL libraries. You can just make sure to copy SSHCRYPTOSHR.EXE to the new system and specify where to find it. This should make SSH_SERVER installation pretty easy.
You need to copy over SSRL$PROGRAMS:[SSH]*.EXE;0. This should get you FT_ACCPORNAM, INITIATOR.EXE, KEY_GENERATOR.EXE, RSA_ENGINE.EXE, SETHOST_SSH.EXE (which you don't really need; it lets you test the SSH connection if you don't have FiSH), SSHCRYPTOSHR.EXE, SSH_LOGINOUT.EXE, and SSH_SERVER.EXE. You also need SSHEXEC.COM, SSH_LOGIN.COM, SSH_SERVER_STARTUP.COM, and SSH_PARAMETERS.DAT. You might want to look at SSRL_SSH_SERVER_STARTUP.COM and SSRL_SSH_PARAMETERS.DAT to see how I've customized them for SSRL. You'll need to indicate in SSH_SERVER_STARTUP where SSHCRYPTOSHR is located in order to have anything work.
COPY SSHEXEC.COM to SYS$MANAGER, the directory where SYLOGIN.COM is located.
If you want SSH X11 port forwarding to work, edit SSH_PARAMETERS.DAT and change the x11_decnet_node parameters. [Thanks to Harvey Rarback for this tip.]
Edit SYLOGIN.COM to call @[ssh-directory-spec]SSH_LOGIN.
Edit SSH_PARAMETERS.DAT and SSH_SERVER_STARTUP.COM to specify the directory you decided to put all the SSH stuff into.
Edit SYSTARTUP_VMS.COM to execute SSH_SERVER_STARTUP.COM.
Once only, do @SSH_SERVER_STARTUP INITIAL_KEY to get your first host and session keys defined. These are HKEY.PEM and SKEY.PEM, and they go where you defined them in SSH_PARAMETERS.DAT.
SSH_SERVER supports SSL 1.5 ONLY, not 2.0. 2.0 clients have to be told to use 1.5.
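A preflight command procedure that checks the prerequisites the steps above name (NETLIB_DIR, the six OpenSSL logicals, the SSH_SERVER files, and SSHEXEC.COM in SYS$MANAGER) before you touch SYLOGIN.COM or SYSTARTUP_VMS.COM. This is an added example written for this page, not a procedure shipped with FiSH, OpenSSL or SSH_SERVER; the name SSH_PREFLIGHT.COM, the P1 directory parameter and its default are assumptions.

```dcl
$! SSH_PREFLIGHT.COM -- hypothetical check procedure added to this page, not part
$! of FiSH, OpenSSL or SSH_SERVER. It verifies the logicals and files the install
$! steps say must exist. Usage: @SSH_PREFLIGHT device:[directory-holding-ssh-files]
$ SET NOON
$ problems = 0
$ ssh_dir = P1
$ IF ssh_dir .EQS. "" THEN ssh_dir = "SYS$SYSDEVICE:[SSH]"   ! assumed default; change to suit
$! 1. NETLIB: FiSH does nothing at all without it.
$ IF F$TRNLNM("NETLIB_DIR") .EQS. ""
$ THEN
$   WRITE SYS$OUTPUT "MISSING: NETLIB_DIR undefined; run NETLIB_STARTUP or install NETLIB022"
$   problems = problems + 1
$ ELSE
$   WRITE SYS$OUTPUT "ok: NETLIB_DIR = ", F$TRNLNM("NETLIB_DIR")
$ ENDIF
$! 2. OpenSSL logicals from OPENSSL_STARTUP: warning only, since they are needed
$!    just for making certificates or relinking on this machine.
$ ssl_names = "SSLROOT,SSLLIB,SSLINCLUDE,SSLEXE,SSLCERTS,SSLPRIVATE"
$ i = 0
$ ssl_loop:
$   name = F$ELEMENT(i, ",", ssl_names)
$   IF name .EQS. "," THEN GOTO ssl_done
$   IF F$TRNLNM(name) .EQS. "" THEN WRITE SYS$OUTPUT "warning: ''name' undefined (OPENSSL_STARTUP ""/SYSTEM"" not run)"
$   i = i + 1
$   GOTO ssl_loop
$ ssl_done:
$! 3. SSH_SERVER files named in step e), including the shared image they all link against.
$ ssh_files = "SSHCRYPTOSHR.EXE,SSH_SERVER.EXE,SSH_LOGINOUT.EXE,KEY_GENERATOR.EXE," + -
              "RSA_ENGINE.EXE,INITIATOR.EXE,SSH_LOGIN.COM,SSH_SERVER_STARTUP.COM,SSH_PARAMETERS.DAT"
$ i = 0
$ file_loop:
$   name = F$ELEMENT(i, ",", ssh_files)
$   IF name .EQS. "," THEN GOTO file_done
$   IF F$SEARCH(ssh_dir + name) .EQS. ""
$   THEN
$     WRITE SYS$OUTPUT "MISSING: ", ssh_dir, name
$     problems = problems + 1
$   ENDIF
$   i = i + 1
$   GOTO file_loop
$ file_done:
$! 4. SSHEXEC.COM must sit beside SYLOGIN.COM so SSH_LOGIN can find it.
$ IF F$SEARCH("SYS$MANAGER:SSHEXEC.COM") .EQS. ""
$ THEN
$   WRITE SYS$OUTPUT "MISSING: SYS$MANAGER:SSHEXEC.COM (copy it there)"
$   problems = problems + 1
$ ENDIF
$ WRITE SYS$OUTPUT "Problems found: ", problems
$ EXIT
```

Run it once after copying the files and again after the startup procedures have executed; a non-zero problem count means SYSTARTUP_VMS.COM is not yet ready to call SSH_SERVER_STARTUP.COM.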
Conclusion
a) Once all components are installed and running, you have a secure internet server.
b) According to Dan O'Reilly of Process Software, the next version of Multinet will have built-in SSH support, and we won't have to go through all of this stuff.
c) Please email me with questions or corrections so that this document can continue to be useful.
Page maintained by Alan Winston
This document last modified: Thursday, 25-Jan-2007 16:35:42 PST