Secure transfers come out of open shell
May 11, 2009
Secure Copy (SCP) and its sibling SFTP are SSH-based file transfer tools that are in a transition period on the HP 3000. Enough work has been completed to bring the client side of this software into use under MPE/iX, while the server side is still missing.
Donna Hofmeister, an OpenMPE director, has reported that
When Jeff Vance was at HP, he wrote an FTP script that used the Posix program ‘crypt’ to encrypt/decrypt files leaving an MPE system. If the destination system was also MPE, the file would be automatically decrypted upon delivery.
An expert in open source software for the 3000 says that SCP and sftp clients already have a working track record on HP 3000s. Server-side components (the sshd end of the connection) are still in the future, though, for MPE/iX.
Hofmeister added, "I wrote a very simple decryption shell script for Unix/Linux. If someone had a lot of time on their hands and had intimate knowledge of Unix/Linux porting, there’s a remote possibility, I think, of moving this to the 3000. If all that you're looking for is 'push' (from MPE/iX) functionality, sftpput should work for you."
Brian Edminster of Applied Technologies explained that the biggest challenge at the moment is finding a download source for the MPE/iX OpenSSH port, since HP pulled the plug on the Invent3k Web server.
SCP (and sftp) clients are available for MPE/iX and work fine on version 7.5. You can contact me if you’d like to discuss how to get a copy of your own. I’ve had extensive experience with the sftp client, and some with the scp client. Both work remarkably well, although there are some ‘quirks’ it helps to be aware of. I’d be happy to discuss those too.
The limitation here is that while files can be put to or retrieved from other systems, since only the client is available, the 3000 must originate the transaction. This can make for some process redesigns if your existing applications are used to your 3000 being the ‘server’. And no, jinetd doesn’t need to be running for SCP or sftp to work.
There is a port (although technically not complete) of what is by now a fairly old but still workable version of OpenSSH to MPE/iX. It was done by Ken Hirsh, who graciously made it available to the 3000 community via his Invent3k account. Unfortunately, the ‘Invent3k’ community development server that HP had made available some years ago is, like Jazz, no longer online. [OpenMPE has plans to rehost the Invent3k programs.]
I don’t recall what version of MPE was used, but I’ve used the ported software successfully on 7.0 and 7.5. I suspect it’ll work on 6.0 or later, but as yet haven’t tested it myself. His port included the ‘ssh’ command line client, but it had very limited functionality due to technical issues.
It also included the client components sftp and scp, as well as an ‘entropy’ (random number) generator written in Perl. This last piece is necessary because the ‘random’ number functions under MPE/iX aren’t very random. At least, not as far as serious cryptography is concerned. This Perl script (modified by Ken to run on MPE) was originally written by others to get around not having a kernel-based entropy source for their systems either. Poor quality random number generation is not just an MPE/iX issue.
The ‘server’ components (sshd, sftpd, and scpd) were never ported for reasons that Ken could possibly explain. It might have been something as simple as he didn’t need them. From my perspective I’m thankful that Ken did the port in the first place.
I have installed his OpenSSH port many times, and even tightly integrated it with legacy applications. Sftp is still in use many times a day with those applications, and since first installed several years ago has safely and securely transferred terabytes of data, with no clear end-date for this application’s life.
I did a presentation on this at the 2008 GHRUG conference. Look at the bottom of the ‘Links & Other Resources’ page at my Web site.
I’m currently in the process of adding even more use of sftp and scp to replace standard FTP in this client’s applications, at the insistence of their PCI auditors -- and so will have more stories to share.
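Edminster's remark that the Perl entropy gatherer is needed because the MPE/iX ‘random’ functions are not random enough for cryptography deserves a concrete illustration. The following is an added example, not code from the page, from Ken Hirsh's port, or from the Perl script it mentions. It constructs a stand-in weak generator (Python's library PRNG seeded from a clock value; it does not reproduce MPE/iX's actual routines) and shows the attack that such a generator invites: an observer who sees one output and knows the time to within an hour recovers the seed by brute force and can then predict every following output. The same search against the operating system's CSPRNG finds nothing. The names `weak_key_material`, `recover_seed` and `predict_following`, and the seed value used, are this example's own.

```python
"""Why a clock-seeded library PRNG is unfit for key material.

Constructed demonstration (not MPE/iX code): Python's Mersenne Twister seeded
with an epoch second stands in for any non-cryptographic "random" routine.
"""
import random
import secrets
from typing import List, Optional

KEY_BYTES = 16  # size of the constructed key fragment


def weak_key_material(seed: int, nbytes: int = KEY_BYTES) -> bytes:
    """Key bytes drawn from a PRNG whose only entropy is a clock value (weak)."""
    rng = random.Random(seed)
    return rng.getrandbits(8 * nbytes).to_bytes(nbytes, "big")


def strong_key_material(nbytes: int = KEY_BYTES) -> bytes:
    """Key bytes from the OS CSPRNG, the kind of source an entropy gatherer
    exists to approximate on a system that lacks one."""
    return secrets.token_bytes(nbytes)


def recover_seed(observed: bytes, approx_time: int, window: int = 3600) -> Optional[int]:
    """Attacker's step: try every epoch second within +/- window of a guess.

    Returns the seed that reproduces `observed`, or None when no candidate
    matches, which is the expected outcome for CSPRNG output.
    """
    for cand in range(approx_time - window, approx_time + window + 1):
        if weak_key_material(cand, len(observed)) == observed:
            return cand
    return None


def predict_following(seed: int, count: int, nbytes: int = KEY_BYTES) -> List[bytes]:
    """Once the seed is known, regenerate the stream and return the outputs
    that come after the one the attacker observed."""
    rng = random.Random(seed)
    rng.getrandbits(8 * nbytes)  # discard the value the attacker already saw
    return [rng.getrandbits(8 * nbytes).to_bytes(nbytes, "big") for _ in range(count)]


if __name__ == "__main__":
    boot_time = 1242000000        # constructed: an epoch second in May 2009
    leaked = weak_key_material(boot_time)
    guess = boot_time + 900       # attacker knows the time to within about an hour
    seed = recover_seed(leaked, guess)
    print("recovered seed:", seed)
    print("next key fragments now known:", predict_following(seed, 2))
    print("CSPRNG seed recovered:", recover_seed(strong_key_material(), guess))
```

The search space is only the few thousand seconds around the guessed time, so the brute force finishes in a fraction of a second; a generator whose seed is the clock has at most a handful of bits of real entropy no matter how wide its output looks. The remedy the Perl script applies is to gather unpredictable input from the system and hash it into a pool, rather than trusting a seeded PRNG, which is why the port ships that piece alongside the clients.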