Known software issues when working with FoxT BoKS

2009-09-11 08:12:00

Unfortunately not all software plays nicely with BoKS. Some of them have special needs, or need to be configured in a particular manner. This page discusses the known issues. Luckily in most cases all you need to do is tweak one or two settings.

ProFTPd

We have found that recent versions of ProFTPd report FROMHOST IP addresses in the IPv6-IPv4 hybrid mode. This currently (Feb 2010) breaks the BoKS login call because the servc daemon cannot process a FROMHOST formatted as :::ffff:192.168.0.1. You will not see any logging in the BoKS transaction log, but if you bdebug the ftpd process on the agent you'll see that servc returns an ERR-9.

For some reason using the -ipv4 of -4 flags from the command line in order to force ProFTPd into IPv4 mode do not work. Instead you will need to edit proftpd.conf and set the flag "UseIPv6" to "off" (Source).

F-Secure

Connecting to a BoKS server with F-Secure

SSH keys generated by F-Secure are usually in the SSH2 format. Before you can import them on your BoKS server they will need to be converted to OpenSSH format. You cannot simply add them to ~/.ssh/authorized_keys. This conversion is done using the "ssh-keygen" command on your Unix box.

1. Copy the source user's SSH2 public key (RSA or preferably DSA) to your server.
2. Login as the destination user.
3. Run: cd ~/.ssh
4. Run: /opt/boksm/bin/ssh-keygen -i -f $PATH/TO/PUBKEY >> authorized_keys

You have now converted and added the public key to the authorized_keys file.

Now, if you forego the use of SSH keys and would like to use passwords instead, you will need to force F-Secure SSH to use the "keyboard interactive" authentication method. Per default it will use "password", which will not work properly. Both methods are very similar insofar that "keyboard-interactive" actually includes "password" authentication, but it includes a few additional handshakes that BoKS' OpenSSH needs.

If you're coming from a Unix server you'll need to enable "keyboard-interactive" in either your personal ssh_config file, or in the systemwide file under /etc/ssh/ssh_config.

Connecting to an F-Secure server with BoKS' OpenSSH

Again there's a difference insofar that F-Secure uses SSH2 keys as opposed to the OpenSSH format. Your key will need to be transformed before transfering it to the remote server. The authorized_keys file on the other side will also work differently from what you're used to. The F-Secure authorized_keys file is not a list of keys, but a list of pubkey file names.

1. Login as the source user.
2. Run: cd ~/.ssh
3. Run: /opt/boksm/bin/ssh-keygen -o -f ./id_dsa.pub
4. Copy the resulting output.
5. Login to the remote server as the destination user.
6. Run: cd ~/.ssh
7. Paste the copied text into a new public key file, like id_dsa.remote.pub.
8. Edit the authorized_keys file and add a line: key id_dsa.remote.pub

ComForte SFTP

ComForte is an SFTP client used on Tandem servers. It's not a piece of client software like the ones we're used to! It was originally meant for file transfer between Tandem servers. From our experiences it seems to be a daemon running on Tandem that acts as a pass-through for regular FTP traffic, which it then sends through SSH or SSL. It's really rather wonderfully weird :)

We've seen in the past that ComForte SFTP cannot work with keyboard-interactive authentication, since the client software simply does not recognize the method returned by BoKS. Unfortunately to my knowledge BoKS' SSH daemon in turn does not allow the old "password" method to be enabled. Hence with ComForte we must use SSH public key authentication. That's the only way it's going to work.

I have actually never witnessed the configuration process of ComForte, but it seems to work something like this.

• Generate an SSH key pair for use with ComForte SFTP. This comes in SSH2 format.
• Import the new SSH key pair in the desired user's profile for ComForte.
• Usually people generate one key pair per desired connection, hence one user can have multiple pairs.
• Configure the new connection and specifically point to the right key pair.
• Copy the SSH2 key to Unix, convert it and then import it (see above).
• Attempt a first SFTP connection which notices a new host key on the other end.
• "Unfreeze" the SFTP connection (that's actually what it's called).
• Retry the SFTP connection, which should now work.

Putty and WinSCP

Putty and WinSCP are based on the same piece of simple, elegant software and both should work straight out of the "box". Seeing how they're standalone binaries you won't even have to actually install them in Windows.

If you do discover that your password-based login fails, make sure to check your SSH authentication settings. Just like with F-Secure the "keyboard-interactive" method should be enabled and on the top of your list.

Update 10 Sept 2009:

My colleague Frank vd Bilt has informed me of a semi-bug in a very recent version of Putty. Apparently this version of Putty bombs when used together with the boks_sshd daemon. Even a few "ls -lrt" commands are enough to crash the connection. The error message you'll get is: Disconnected: Received SSH_MSG_CHANNEL_SUCCESS for "winadj@putty.projects.tartarus.org".

You can read the Putty bug report over here.

kilala.nl tags: boks, sysadmin,

View or add comments (curr. 0)