
Assistance required please. ------------ Connecting remotely with ssh/22 is success, HOWEVER executing any commands like sysinfo fails with error "Connect to PTYSERVER for service/service menu failed because a PTY has not been allocated from process


caje...@gmail.com

Sep 24, 2017, 9:00:30 AM
Assistance required please.

I am a newbie to tandem

I tried discovering Tandem over or Connecting remotely with ssh/22 port was a success, HOWEVER executing any command/s remotely like sysinfo or time, fails with error "Connect to PTYSERVER for service/service menu failed because a PTY has not been allocated from process"

Any clue ?

Kindly guide

TR/-

RickPo...@icloud.com

Sep 24, 2017, 2:49:44 PM
Please give the exact SSH client and command you are using. If you are using NonStop SSH (from HPE), open a case with HPE. If you are using SecurSSH, open a case with comForte.

Keith Dick

Sep 24, 2017, 4:26:06 PM
I know very little about configuring SSH, but this message seems as if it might be caused by misconfiguration of the NonStop system, or you are not using the connection as it was intended to be used. That would be something for the people managing the system to help you with. Have you asked them about this problem?

I assume you are following directions for connecting given to you by whoever granted you access to the NonStop system. If you are trying to connect to the NonStop system in any way that differs from the directions you were given (or should have been given), try following the directions exactly, to see whether the connection works if done precisely as you were told.

Randall

Sep 25, 2017, 3:00:10 PM
Which server are you using? You will need to ensure you are actually getting a TACL session. If not, you're probably in OSS-land and have to use gtacl to get to GUARDIAN commands (try the command 'gtacl -c sysinfo')

caje...@gmail.com

Sep 25, 2017, 3:17:42 PM
I am trying to connect from a Linux server with a shell script via ssh to the ssh of the Tandem server. The script basically connects to the Tandem OS via ssh and executes sysinfo Tandem commands, but no go.

caje...@gmail.com

Sep 25, 2017, 3:20:14 PM
I am trying to connect from a Linux server with a shell script via ssh. I even checked with 'gtacl -c sysinfo', but got the same error.

Maybe I am not getting into the TACL session!

caje...@gmail.com

Sep 25, 2017, 3:23:44 PM
I checked with the system admin team, but according to them they have never tried connecting to Tandem remotely with ssh. However, they showed me connecting via OutsideView and MR-win, which establish a telnet session (TELSERV).

caje...@gmail.com

Sep 25, 2017, 3:28:30 PM
If I do an 'ssh user@tandem_server' from the Linux server, this drops me to the following:

Available Services:

TACL EXIT
Enter Choice> tacl
TACL 2> logon user_ssh
Password: Password:
...............



But with a shell script or single-liner commands, I am looking for help to get into Tandem.

Keith Dick

Sep 25, 2017, 4:12:12 PM
Are you able to connect, logon, and run commands successfully using OutsideView?

The answer you got from the system administrator sounds to me as if they have not configured the ssh server to accept connections, and that might be the heart of the problem. As I said before, I don't know much about ssh, but I would expect its default configuration would be not to accept connections. If that is the case, I'm a little surprised that it even lets you get as far as you are getting.

Once you choose TACL from the Available Services choices and enter the logon command and enter the password, what do you see after that?

I have written shell scripts that connect to a NonStop system using ssh, but the password cannot be entered by the script and the user must type the password manually when the script gets to the point at which the ssh command is run. Using telnet has basically the same problem. For my use, entering the password manually was okay, so I accepted that.

I have been told that using the expect command instead of a shell script allows the script to give the password (or all the interaction needed to logon), but I have not tried using the expect command.

The NonStop systems I have used do not show the services menu when connecting via ssh. They only show that when connecting via telnet. Unless you got confused and showed incorrectly that the services menu appears when connecting via ssh, I guess that is an option that our systems do not use. Still, I'm a little suspicious about that. If you can connect via OutsideView using the telnet interface, it might be best for you to forget about using ssh and try writing an expect script using telnet to connect, logon, and run the commands you need to run. Try it manually first, to be certain it works as expected, then make a script to do the same thing.

Randall

Sep 25, 2017, 5:22:37 PM
Since you're going via linux, try using public key authentication instead of going through what appears to be keyboard auth.

Keith Dick

Sep 25, 2017, 6:35:20 PM
Using public key authentication seems like a good idea, but that can be added after he gets it working without it. One thing at a time.

I'm not sure he will be able to get it working with ssh, given some of the things he said. Can public key work when using telnet? Does the NonStop system administrator have to do things to set up public key authentication?

Rich Pope

Sep 26, 2017, 1:55:21 PM
Again, you should open a support case with HPE (for NonStop SSH which is most users) or with comForte (for SecurSH customers). Your userid on the NonStop SSH2 is set up to generate a Telserv-style Enter Choice menu. You apparently are trying to perform a single command SSH session - without creating a PTY (terminal window). The single command style session may only specify OSS commands - and the SSH userid must be configured in the default manner. You can *NOT* perform single Guardian (TACL) commands. This is why you need to talk to support.

I am the developer for the STN component of NonStop SSH, so I know all about the Enter Choice menu etc.

Pierre

Sep 26, 2017, 3:53:57 PM
Also see "HPE NonStop SSH Reference Manual" (Tandem does not exist any more for many years now) by getting it here - http://bfy.tw/E98Y

Section of interest to you here is "TACL Subsystem and Command Interpreter Configuration->Enhanced EXEC Processing"



wbreidbach

Sep 26, 2017, 4:53:47 PM
Finally the answer is pretty simple (see Rich Pope's answer):
1. Start a $PTY server
2. Start the SSH daemon

Both are described in the SSH manual but if needed I can supply you with an example.

Keith Dick

Sep 27, 2017, 3:23:20 AM
Both you and Pierre seem to be giving the guy instructions about how to configure SSH. If I interpret what he has written correctly, he is NOT the system administrator, but rather a user somewhere trying to access the NonStop system remotely.

It probably would have helped to mention that the things you two advised are things the NonStop system's administrator has to do in order to allow SSH access to work. He cannot do those things himself.

RickPo...@icloud.com

Sep 27, 2017, 2:07:29 PM
Keith,

Notice the thunderous silence on my suggestions to open a case. As third level support for this product, I am in a position to state that a case is the best path. Yes, it is obvious that he is a user -vs admin, and probably remote (in more ways than one) from the admin and even other NonStop users. But either the admin has config problems, or there has been a misunderstanding between admin and the user. If he has a legitimate need to access the NonStop, then he should push for support from internal resources, like the admin. The admin would then open a case with HPE or comForte. I know that HPE front line guys handle a lot of cases like this themselves, and they regularly forward the rest to comForte, some of which end up in my inbox. I am frustrated that his inappropriate use of this forum has consumed far more resources than a normal support case - and he is not one inch closer to providing the relevant details (SSH2 and STN config).

Sigh. As NonStop blends more and more into Unix, we see more and more attempts to use common Unix techniques without understanding how they are handled differently in NonStop. Many of these common Unix usages are very inefficient, even grossly wasteful, but many Unix users just see results without concern for the resources consumed. I have had cases where a user fired off hundreds of greps regularly ... besides exceeding some software limits, it really nailed the system. Imagine 20 eager beavers like this pounding away - would take a big chunk out of system resources. Look at the command examples in this question: SYSINFO? what casual user needs this? TIME? as a single command? A little odd - legitimate, yes, but what is he really trying to do?

Pierre

Sep 27, 2017, 4:27:21 PM
> > Both you and Pierre seem to be giving the guy instructions about how to configure SSH. If I interpret what he has written correctly, he is NOT the system administrator, but rather a user somewhere trying to access the NonStop system remotely.

Well, he says: "...I am a newbie to tandem...". Not sure where he hears that name. Quite an old name for a new guy.

For all we know he might be fishing trying to issue cmds against the NonStop, who would know? Got to love the NonStop that even with a usr/pwd he's not able to issue Tacl exec cmds. It does depend on the NonStop SSH daemon config, but still.

Sorry Keith I just won't spoon feed someone anonymous on security software other than pointing to the manual. On SSH clients itself Google is your friend.

caje...@gmail.com

Sep 28, 2017, 6:54:38 AM
Thanks to all, and finally I am very near to success.

I connected with our SA team and initially they told me that remotely non-interactively fetching command/s output is not possible from any UNIX platform to Tandem OS.

Later, when Pierre pointed me to the document 'HPE NonStop SSH Reference Manual', and after reading most of it, I came to understand that running remote commands non-interactively is possible. I went again to the SA team and helped them to understand the same document.

Yesterday, I successfully connected to Tandem from Linux with SSH and non-interactively ran the sysinfo command, and its output was displayed on my Linux terminal.

However, the only interactive part was passing the 'password'.

I am now thinking that an expect script should help me overcome passing the 'password' as well.

Does any one of you have a script (I remember Keith mentioned one) or any other idea or suggestion to overcome passing the password while executing commands from Linux via ssh to Tandem?

Once again thanks in advance to all.

TR/-

Keith Dick

Sep 28, 2017, 12:26:58 PM
I do not have any examples of using expect. As I mentioned, I stopped when I got to the point where I only had to enter the password, since my situation did not require complete automation. You can find tutorials on using expect with a simple web search. I imagine that would be enough to show you what you need to know.

Please do not overlook Randall's suggestion to use the public key method of authentication. I did not know it could be set up on the NonStop system, but since Randall suggested it, I imagine he knows that it can be done. That is significantly more secure than traditional passwords. Also, I believe it would eliminate the need for you to figure out how to use expect, since I believe using public key authentication would avoid having the NonStop system prompt you for a password (except I believe there typically is a short dialog the first time you connect to the system for a given userid).

RickPo...@icloud.com

Sep 28, 2017, 2:54:34 PM
Keith,

I just noticed this in your Sep 25 post "The NonStop systems I have used do not show the services menu when connecting via ssh. They only show that when connecting via telnet. " This depends on userid in SSH2. Default is to start a TACL (for 6530 emulators) or OSS shell (all others). But a userid can be config by SSHCOM for CI-PROGRAM or SHELL-PROGRAM *MENU* in which case the Services are displayed and the Enter Choice> prompt. You can also config CI_PROGRAM *MENU* NAME and that NAME service will be always used. Or CI-PROGRAM #WINDOW to get so s SU or STATIC window where the application is already running. This is all in the manual. When SSH starts a PTY (terminal window) that the session is handled by the STN process behind $SSH2 and in front of the TACL/shell/etc applications. Another variant of STN is comForte's SecurTN product which is a Telserv replacement (with added features like SSL, 3270, Dynamic Pathway, ...). That is why the Enter Choice stuff got into SSH as a bonus.


Randall

Sep 28, 2017, 3:06:33 PM
In order to use public key authentication, you need to add the key's fingerprint to your user id in SSHCOM (daemon mode). You also have to ensure that this authentication method is allowed in the SSHCOM configuration. That is described in the NonStop SSH manual rather extensively. On the Unix side, you would need to specify the private key file in your ~/.ssh/config file where you have configured your NonStop server. An example of this file is (use tabs not spaces):

# your general private key
IdentityFile = /home/you/.ssh/id_rsa
# known fingerprints
UserKnownHostsFile = /home/you/.ssh/knownhosts

# the host name short-cut you can use in the ssh command
Host yournonstop
# the DNS entry of your NonStop
HostName somedns.com
# the alias in NonStop SSH with your fingerprint
User youruseralias
# NonStop-specific private key
IdentityFile = /home/you/.ssh/id_rsa_ns

Use ssh-keygen to generate the public and private key pairs.

Your linux box will prompt you for the private key passphrase to allow you to use the private key. It and the fingerprint of the private key are used in an SSH key exchange to allow the session to proceed without the server prompting you for a password (which would happen when keyboard-authentication is used).

Randall

Sep 29, 2017, 3:00:05 PM
I forgot to mention - NEVER EVER use key pairs for personal identification that have blank passphrases. Don't do it. Just don't. If you want to get yourself some identity theft, that's one way to allow it to happen.

A blank passphrase is sometimes - rarely, seriously too much - used for functional ids that have no log-on ability and have the private key file protected very securely by other means, but these users never ever can log-on.

Pierre

Oct 1, 2017, 4:50:51 AM
> I forgot to mention - NEVER EVER use key pairs for personal identification that have blank passphrases. Don't do it. Just don't. If you want to get yourself some identity theft, that's one way to allow it to happen.
>
> A blank passphrase is sometimes - rarely, seriously too much - used for functional ids that have no log-on ability and have the private key file protected very securely by other means, but these users never ever can log-on.

Yes, if you want to achieve multi-factor authentication (MFA) and comply with the PCI DSS 3.2 standard, for example, MFA is required. Using PKI without a passphrase is not MFA.

BTW, you could configure the NonStop SSH daemon to require password + publickey authentication. Other custom options like OATH-TOTP also fall under MFA.

