SSH Scripting for HP Nonstop Guardian with SAFEGUARD


We have some Perl scripts that do things on the Guardian OS on an HP NonStop machine via telnet. Now we have to shut down telnet and use the SSH (comForte) connection with a Safeguard user.

We try to connect with the following Perl code and everything seems to work, but the shell does not stay open.

use strict;
use warnings;
use Net::SSH::Perl;
use Term::ReadKey;

my $host = "XX.XXX.XXX.XXX";     # NonStop host (redacted)
my $user = "safeguarduser";      # Safeguard user id
my $pass = "";                   # password; empty in the posted script

# ssh_config-style options: the comForte server only offers a DSA host key,
# so ssh-dss has to be re-enabled on the client side.
my $ssh = Net::SSH::Perl->new($host,
    options => [ "Cipher +aes256-ctr",
                 "MACs +hmac-sha2-256",
                 "HostKeyAlgorithms +ssh-dss" ],
    debug   => 1);

# Authenticate; login() only opens the session, it does not run anything.
$ssh->login($user, $pass);

The debug log says:

p-066280682253: Reading configuration data C:\Users\User\.ssh\config
p-066280682253: Reading configuration data C:\WINDOWS\ssh_config
p-066280682253: Connecting to XX.XXX.XXX.XXX, port 22.
p-066280682253: Remote version string: SSH-2.0-1.37g sshlib: TXXXXH0X_14MAY2018_comForte_SSH2_0105a:\TXXXX.$SSH01
p-066280682253: Remote protocol version 2.0, remote software version 1.37g sshlib: TXXXXH0X_14MAY2018_comForte_SSH2_0105a:\TXXXX.$SSH01
p-066280682253: Net::SSH::Perl Version 2.14, protocol version 2.0.
p-066280682253: No compat match: 1.37g sshlib: TXXXXH0X_14MAY2018_comForte_SSH2_0105a:\TXXXX.$SSH01.
p-066280682253: Connection established.
p-066280682253: Sent key-exchange init (KEXINIT), waiting for response.
p-066280682253: Using diffie-hellman-group-exchange-sha256 for key exchange
p-066280682253: Host key algorithm: ssh-dss
p-066280682253: Algorithms, c->s: aes256-ctr hmac-sha2-512 none
p-066280682253: Algorithms, s->c: aes256-ctr hmac-sha2-512 none
p-066280682253: Entering Diffie-Hellman Group Exchange.
p-066280682253: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<4096<8192) sent
p-066280682253: Sent DH Group Exchange request, waiting for reply.
p-066280682253: Received 2048 bit DH Group Exchange reply.
p-066280682253: Generating new Diffie-Hellman keys.
p-066280682253: Entering Diffie-Hellman key exchange.
p-066280682253: Sent DH public key, waiting for reply.
p-066280682253: Received host key, type 'ssh-dss'.
p-066280682253: Host 'XX.XXX.XXX.XXX' is known and matches the host key.
p-066280682253: Verifying server signature.
p-066280682253: Send NEWKEYS.
p-066280682253: Waiting for NEWKEYS message.
p-066280682253: Enabling encryption/MAC/compression.
p-066280682253: Sending request for user-authentication service.
p-066280682253: Service accepted: ssh-userauth.
p-066280682253: Trying empty user-authentication request.
p-066280682253: Login completed, opening dummy shell channel.
p-066280682253: channel 0: new [client-session]
p-066280682253: Requesting channel_open for channel 0.
p-066280682253: channel 0: open confirm rwindow 1048576 rmax 57344
p-066280682253: Got channel open confirmation, requesting shell.
p-066280682253: Requesting service shell on channel 0.

We can connect and work with PuTTY. The exec command in the PuTTY settings is "tacl". With plink it only works when we use the PuTTY session name. With param and -c tacl we get the same error as with the Perl script: there is no shell.

(Info: The client is a Windows PC)

We hope somebody can help us; we have already tried a lot.

Thank you and Best regards


Answer (score 1)

Can you explain exactly what it is you did with telnet sessions before you had to switch to SSH? Off-hand I think you are probably ending up in OSS (the UNIX personality of NonStop) because PuTTY (and probably plink) emulate an xterm. NonStop SSH automatically puts you into OSS if the terminal type specified during SSH negotiation isn't "TN6530-8" (the NonStop Guardian terminal emulator).

I just tried plink (Windows 10 CMD prompt) and got this, which is expected:

C:\Users\andy\Downloads>plink -ssh -pw xxxxxxx [email protected] gtacl -c 'status *,user'
Using keyboard-interactive authentication.
Last Logon: 03 DEC 2018, 05:37
Last Unsuccessful Attempt: 03 DEC 2018, 05:31 Total Failures: 20

Process            Pri PFR %WT Userid Program file              Hometerm
$Z4YN    B 0,119   146     001 8,1    $SYSTEM.SYS07.TACL        $ZTN0.#PTB2NV5
$SSLS      0,504   148     001 8,1    $SYSTEM.SSLPRXY.SSLPRXY   $ZPTY.#ZWN0517
$SSFS      0,749   148     001 8,1    $SYSTEM.SSLPRXY.SSLFTPS   $ZPTY.#ZWN0517
$Z2TJ      2,74    149     005 8,1    $SYSTEM.SYS07.TACL        $ZPTY.#ZWN0882
$Z5MZ      2,75    149     001 8,1    $SYSTEM.SYS07.TACL        $ZPTY.#ZWN0886
$Z5NR      2,254   149     004 8,1    $SYSTEM.SYS07.TACL        $ZHOME
           2,1019  148     001 8,1    $SYSTEM.SYS07.OSH         $ZPTY.#ZWN0886
         X 2,1098  148     004 8,1    /bin/ksh                  $ZPTY.#ZWN0886
$Z5NQ    X 2,1139  149     001 8,1    /bin/gtacl                $ZHOME
$Z4YN      3,9     146     001 8,1    $SYSTEM.SYS07.TACL        $ZTN0.#PTB2NV5
$Z5MZ    B 3,42    149     001 8,1    $SYSTEM.SYS07.TACL        $ZPTY.#ZWN0886
$Z2TJ    B 3,201   149     001 8,1    $SYSTEM.SYS07.TACL        $ZPTY.#ZWN0882
$SSLS    B 3,1014  148     001 8,1    $SYSTEM.SSLPRXY.SSLPRXY   $ZPTY.#ZWN0517
$SSFS    B 3,1018  148     001 8,1    $SYSTEM.SSLPRXY.SSLFTPS   $ZPTY.#ZWN0517
$CAIL      3,1045  145     011 8,1    $SYSTEM.SYS07.TELSERV     $ZTN0.#PTB2P0J

C:\Users\andy\Downloads>

Answer (score 2)

I don't see the Perl code asking for TACL.

With a completely fresh install of Putty and no configuration of it, I can connect using plink:

PS C:\Program Files\PuTTY> plink [email protected] tacl
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Last Logon:  20 DEC 2018, 01:05
Last Unsuccessful Attempt: 06 DEC 2018, 03:40  Total Failures: 33
Last Logon Failures: 0
TACL (T9205H01 - 24AUG2018), Operating System L06, Release L18.08.01

<usual TACL startup output omitted>

(Invoking $DT.WHOUSE.TACLCSTM)
Current volume is $DT.WHOUSE
$DT WHOUSE 1>

In the SSH audit file on the NonStop, I see:

$SSH00|20Dec18 01:05:29.67|50|10.0.3.40:56431:10.0.0.173: accepted connection from client
$SSH00|20Dec18 01:05:29.68|50|10.0.3.40:56431:10.0.0.173: client version string: SSH-2.0-PuTTY_Release_0.70
$SSH00|20Dec18 01:05:30.75|50|10.0.3.40:56431:10.0.0.173: key-exchange done and server authentication by client successful.
$SSH00|20Dec18 01:05:30.75|40|10.0.3.40:56431:10.0.0.173: SSH session established. 
$SSH00|20Dec18 01:05:31.44|20|10.0.3.40:56431:10.0.0.173: gssapi-with-mic authentication failed: GSSAPI not available
$SSH00|20Dec18 01:05:36.81|40|10.0.3.40:56431:10.0.0.173: keyboard-interactive dialog successful for user 'd.trump', keyboard-interactive authentication successful
$SSH00|20Dec18 01:05:37.50|50|10.0.3.40:56431:10.0.0.173: channel exec request, launching /bin/sh -c param -c tacl 
$SSH00|20Dec18 01:05:37.63|50|10.0.3.40:56431:10.0.0.173: spawned program /bin/sh successfully (pid 520093761) 
$SSH00|20Dec18 01:05:37.67|50|10.0.3.40:56431:10.0.0.173: spawned program /bin/sh terminated with exit code 127
$SSH00|20Dec18 01:05:38.02|40|10.0.3.40:56431:10.0.0.173: SSH session terminated 
$SSH00|20Dec18 01:06:04.79|50|10.0.3.40:56440:10.0.0.173: accepted connection from client
$SSH00|20Dec18 01:06:04.80|50|10.0.3.40:56440:10.0.0.173: client version string: SSH-2.0-PuTTY_Release_0.70
$SSH00|20Dec18 01:06:05.87|50|10.0.3.40:56440:10.0.0.173: key-exchange done and server authentication by client successful.
$SSH00|20Dec18 01:06:05.87|40|10.0.3.40:56440:10.0.0.173: SSH session established. 
$SSH00|20Dec18 01:06:06.55|20|10.0.3.40:56440:10.0.0.173: gssapi-with-mic authentication failed: GSSAPI not available
$SSH00|20Dec18 01:06:10.92|40|10.0.3.40:56440:10.0.0.173: keyboard-interactive dialog successful for user 'd.trump', keyboard-interactive authentication successful
$SSH00|20Dec18 01:06:11.61|50|10.0.3.40:56440:10.0.0.173: channel request for subsystem tacl, launching \XXX.$SYSTEM.SYS03.TACL with process name '\XXX.$Z4ML' 
$SSH00|20Dec18 01:06:11.67|50|10.0.3.40:56440:10.0.0.173: launched program \XXX.$SYSTEM.SYS03.TACL successfully (\XXX.$Z4ML:3750193)

In the SSH log file I see:

$SSH00|20Dec18 01:06:06|10.0.3.40:56440:10.0.0.173: [email protected] authentication failed (method gssapi-with-mic): GSSAPI not available.
$SSH00|20Dec18 01:06:10|10.0.3.40:56440:10.0.0.173: [email protected] authentication granted (method keyboard-interactive): keyboard-interactive dialog successful. System user: d.trump 
$SSH00|20Dec18 01:06:11|10.0.3.40:56440:10.0.0.173: [email protected] subsystem tacl granted (process: \XXX.$Z4ML) 

Try to look in the SSH log file and compare what happens when things work with what happens when things don't work. Remember that you can pass this on to TNSC if you are really stuck.
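Added example, not from the thread and not comForte's or HPE's code: a small Python parser for audit lines in the format quoted in this answer, so that a failing run and a working run can be compared per client connection as the answer suggests. The sample lines are constructed from the ones quoted above (user name changed); the message patterns it recognises are only those visible in this thread, so any other channel request, whatever its wording, is reported as "no exec or subsystem request recognised".

```python
"""Summarise NonStop SSH (comForte) audit records per client connection.

For each client ip:port it records how authentication ended, which channel
request followed (exec or subsystem), what the server launched and how it
exited, then explains the outcome in one line.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the audit lines quoted in the answer
# (user name changed); not a real capture.
SAMPLE_AUDIT = """\
$SSH00|20Dec18 01:05:29.67|50|10.0.3.40:56431:10.0.0.173: accepted connection from client
$SSH00|20Dec18 01:05:29.68|50|10.0.3.40:56431:10.0.0.173: client version string: SSH-2.0-PuTTY_Release_0.70
$SSH00|20Dec18 01:05:31.44|20|10.0.3.40:56431:10.0.0.173: gssapi-with-mic authentication failed: GSSAPI not available
$SSH00|20Dec18 01:05:36.81|40|10.0.3.40:56431:10.0.0.173: keyboard-interactive dialog successful for user 'group.user', keyboard-interactive authentication successful
$SSH00|20Dec18 01:05:37.50|50|10.0.3.40:56431:10.0.0.173: channel exec request, launching /bin/sh -c param -c tacl
$SSH00|20Dec18 01:05:37.63|50|10.0.3.40:56431:10.0.0.173: spawned program /bin/sh successfully (pid 520093761)
$SSH00|20Dec18 01:05:37.67|50|10.0.3.40:56431:10.0.0.173: spawned program /bin/sh terminated with exit code 127
$SSH00|20Dec18 01:05:38.02|40|10.0.3.40:56431:10.0.0.173: SSH session terminated
$SSH00|20Dec18 01:06:04.79|50|10.0.3.40:56440:10.0.0.173: accepted connection from client
$SSH00|20Dec18 01:06:10.92|40|10.0.3.40:56440:10.0.0.173: keyboard-interactive dialog successful for user 'group.user', keyboard-interactive authentication successful
$SSH00|20Dec18 01:06:11.61|50|10.0.3.40:56440:10.0.0.173: channel request for subsystem tacl, launching \\XXX.$SYSTEM.SYS03.TACL with process name '\\XXX.$Z4ML'
$SSH00|20Dec18 01:06:11.67|50|10.0.3.40:56440:10.0.0.173: launched program \\XXX.$SYSTEM.SYS03.TACL successfully (\\XXX.$Z4ML:3750193)
"""

# Record layout seen in the thread: process|timestamp|level|client:port:server: message
LINE_RE = re.compile(
    r"^(?P<proc>\$\S+)\|(?P<ts>[^|]*)\|(?P<level>\d+)\|"
    r"(?P<client>[\d.]+:\d+):(?P<server>[\d.]+): (?P<msg>.*)$"
)
AUTH_OK_RE = re.compile(r"successful for user '(?P<user>[^']+)', (?P<method>\S+) authentication successful")
AUTH_FAIL_RE = re.compile(r"^(?P<method>\S+) authentication failed")
EXEC_RE = re.compile(r"^channel exec request, launching (?P<cmd>.+)$")
SUBSYS_RE = re.compile(r"^channel request for subsystem (?P<name>\S+), launching (?P<prog>\S+)")
EXIT_RE = re.compile(r"terminated with exit code (?P<code>\d+)")


@dataclass
class Session:
    client: str
    user: Optional[str] = None
    auth_method: Optional[str] = None
    failed_methods: List[str] = field(default_factory=list)
    request: Optional[str] = None   # "exec" or "subsystem"
    target: Optional[str] = None    # exec command line or subsystem name
    program: Optional[str] = None   # what the server actually launched
    exit_code: Optional[int] = None
    terminated: bool = False


def summarize(lines) -> Dict[str, Session]:
    """Group audit records by client ip:port and extract the session outcome."""
    sessions: Dict[str, Session] = {}
    for raw in lines:
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # blank line or a record in another format
        s = sessions.setdefault(m["client"], Session(client=m["client"]))
        msg = m["msg"]
        if (a := AUTH_OK_RE.search(msg)):
            s.user, s.auth_method = a["user"], a["method"]
        elif (a := AUTH_FAIL_RE.match(msg)):
            s.failed_methods.append(a["method"])
        elif (e := EXEC_RE.match(msg)):
            s.request, s.target = "exec", e["cmd"]
        elif (sub := SUBSYS_RE.match(msg)):
            s.request, s.target, s.program = "subsystem", sub["name"], sub["prog"]
        elif (x := EXIT_RE.search(msg)):
            s.exit_code = int(x["code"])
        elif msg.startswith(("spawned program", "launched program")):
            s.program = msg.split()[2]
        elif msg == "SSH session terminated":
            s.terminated = True
    return sessions


def diagnose(s: Session) -> str:
    """One-line verdict; exit 127 is the POSIX shell's 'command not found'."""
    if s.user is None:
        return "no successful authentication"
    if s.request == "subsystem":
        return f"ok: subsystem '{s.target}' launched {s.program} for {s.user}"
    if s.request == "exec":
        if s.exit_code == 127:
            return (f"exec request ran '{s.target}' under the OSS shell and the command "
                    "was not found (exit 127); request the subsystem or a pty+shell instead")
        if s.exit_code is not None:
            return f"exec request ran '{s.target}' and exited {s.exit_code}"
        return f"exec request ran '{s.target}' (no exit code recorded)"
    return "no exec or subsystem request recognised: client logged in and closed the session"


def report(lines) -> List[str]:
    return [f"{c}: {diagnose(s)}" for c, s in sorted(summarize(lines).items())]


if __name__ == "__main__":
    for line in report(SAMPLE_AUDIT.splitlines()):
        print(line)
```

Run it as a script, or feed it real audit lines from the NonStop, and the two connections from the answer come out as one exec request that died with exit 127 and one tacl subsystem that launched, which is the comparison the answer asks for. Unrelated to the parser but visible in both Perl scripts in this thread: HostKeyAlgorithms +ssh-dss re-enables a host key algorithm OpenSSH disables by default; scope that override to the NonStop host in ssh_config rather than enabling it for every host.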

Answer (score 2)

Having finally wrangled a Perl install to do what I want, I think that I understand what you are saying (I see the same output-wise), but it doesn't look as though anything is broken. If I add a command after logging on, it works.

use strict;
use warnings;
use Net::SSH::Perl;
use Term::ReadKey;

my $host = "x.x.x.x";         # NonStop host (redacted)
my $user = "group.user";      # Guardian group.user id
my $pass = "secretsanta";     # placeholder password

my $ssh = Net::SSH::Perl->new($host,
    options => [ "Cipher +aes256-ctr",
                 "MACs +hmac-sha2-256",
                 "HostKeyAlgorithms +ssh-dss" ],
    debug   => 1);
$ssh->login($user, $pass);

# Without a command the script just logs in and exits; cmd() opens a new
# channel, sends an exec request and returns the output.
print "Enter a command to execute: [ls -l] ";
chomp(my $cmd = <STDIN>);

my ($out, $err) = $ssh->cmd($cmd || "ls -l");
print $out;

log:

dev-as: Requesting service shell on channel 0.
Enter a command to execute: [ls -l] ls -la
dev-as: channel 1: new [client-session]
dev-as: Requesting channel_open for channel 1.
dev-as: Entering interactive session.
dev-as: Requesting service exec on channel 1.
dev-as: channel 1: open confirm rwindow 1048576 rmax 57344
dev-as: input_channel_request: rtype exit-status reply 0
dev-as: channel 1: rcvd eof
dev-as: channel 1: output open -> drain
dev-as: channel 1: obuf empty
dev-as: channel 1: output drain -> closed
dev-as: channel 1: close_write
dev-as: channel 1: rcvd close
dev-as: channel 1: input open -> closed
dev-as: channel 1: close_read
dev-as: channel 1: send close
dev-as: channel 1: full closed
total 388615
-rw-rw-rw-    1 GROUP.USER            COMF      810000 Nov 21 23:07 test1

Answer (score 1)

I worked on a solution for this myself and used the "ssh" command directly from the command line, in PowerShell and also in Ubuntu.

ssh -t -o HostKeyAlgorithms=+ssh-dss safeguarduser@XXXX tacl

It covers all the things in your script but adds the -t option, which stands for a PTY allocation request. This seems to be needed for some legacy systems. Please adjust your Perl script to pass this flag as well and let us know if it works.