Re: STP
On 20 July 2012 21:53, Alan Altmark alan_altm...@us.ibm.com wrote:

> Except for I/O timestamping, CP will not otherwise pay attention to STP once he has IPLed. But even so, STP will work to keep the LPAR time in sync with the external time reference through TOD clock steering. Just be aware that if the time reference and the LPAR time are too far apart, the steering will not be enough to fix the LPAR time in a reasonable time period.

Hear, hear! Could we get that engraved in a place where IBM Sales people see it. Ever since my presentation in 2005, I find customers who were told by their friendly IBMer not to get STP/ETR on the machine because it's not supported by z/VM.

The STP/ETR feature is a priced feature that is best negotiated into the deal early rather than acquired separately later. When the LPAR TOD is kept in synch with the world, by pure magic CP, CMS as well as Linux guests will see accurate time. There is no need for ntpd in Linux (in fact, doing that will make things worse).

The only disruptive time shift would be when you POR with the feature on. Since the LPAR also picks up the actual time at activation, there should not be a jump. And STP/ETR will nicely speed up TOD increments to make it match real time. Except when the leap second meets a software bug and takes the system down :-)

Rob

--
For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit http://wiki.linuxvm.org/
SSH and LDAP/RACF
Dear all,

I have quite some difficult problems in the configuration of SLES 11 SP2 and SSH when using LDAP (on z/VM with RACF) for user authentication. That configuration works in principle quite well. Nevertheless I have the following issues which I don't know how to solve:

1.) In this configuration I now have three components (RACF, LDAP and SLES) which can enforce password checking rules. In LDAP and RACF there are NO rules set yet. I have tried several combinations in the PAM configs but I do not succeed in having one common policy. I want to have a minimum length of 5 characters but I cannot convince SLES to allow this. It always asks for a minimum of 6 characters.

2.) In principle the login via SSH is working very well. I recently encountered a kind of weakness in the configuration: a RACF user that uses its own RSA keys to log into the system. When I do a RACF revoke on that user, it seems that the LDAP check does not take place and the user can still log in. What can be done about that?

Do you have any hints how those problems can be solved? Of course it has to do with PAM configuration but for the moment it looks like voodoo to me. Any help would be appreciated.

Thank you very much in advance.

--
Best regards
Florian
Re: SSH and LDAP/RACF
I don't have a SLES handy to take a look and see about the password length, but solving the key issue is simple: edit /etc/ssh/sshd_config and change PubkeyAuthentication to no. This way nobody can log in using a key and RACF takes care of auth for you.

On 21/07/2012 16:43, Florian Bilek florian.bi...@gmail.com wrote:

> Dear all,
>
> I have quite some difficult problems in the configuration of SLES 11 SP2 and SSH when using LDAP (on z/VM with RACF) for user authentication. That configuration works in principle quite well. Nevertheless I have the following issues which I don't know how to solve:
>
> 1.) In this configuration I now have three components (RACF, LDAP and SLES) which can enforce password checking rules. In LDAP and RACF there are NO rules set yet. I have tried several combinations in the PAM configs but I do not succeed in having one common policy. I want to have a minimum length of 5 characters but I cannot convince SLES to allow this. It always asks for a minimum of 6 characters.
>
> 2.) In principle the login via SSH is working very well. I recently encountered a kind of weakness in the configuration: a RACF user that uses its own RSA keys to log into the system. When I do a RACF revoke on that user, it seems that the LDAP check does not take place and the user can still log in. What can be done about that?
>
> Do you have any hints how those problems can be solved? Of course it has to do with PAM configuration but for the moment it looks like voodoo to me. Any help would be appreciated.
>
> Thank you very much in advance.
>
> --
> Best regards
> Florian
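Added example, not part of the original thread: a shell check of whether a given sshd_config still permits the public-key login discussed above, run here on a constructed sample. The function names and the sample file are assumptions made for illustration; the defaults passed in (PubkeyAuthentication yes, UsePAM no) are the upstream OpenSSH defaults.

```shell
#!/bin/sh
# Added example, not from the thread. Keywords are case-insensitive, sshd keeps
# the first global value it reads, and lines after "Match" are conditional.

# sshd_values KEYWORD FILE SCOPE   (SCOPE: global | match)
# Prints the lowercased values set for KEYWORD in that scope, in file order.
sshd_values() {
    awk -v kw="$1" -v scope="$3" '
        BEGIN { kw = tolower(kw) }
        {
            sub(/^[ \t]+/, "")                      # drop indentation
            if ($0 == "" || $0 ~ /^#/) next         # blank line or comment
            split($0, f, /[ \t=]+/)                 # "Key value" or "Key=value"
            k = tolower(f[1])
            if (k == "match") { in_match = 1; next }
            if (k == kw && scope == (in_match ? "match" : "global"))
                print tolower(f[2])
        }' "$2"
}

# sshd_global KEYWORD DEFAULT FILE: first global value, or DEFAULT if unset.
sshd_global() {
    v=$(sshd_values "$1" "$3" global | head -n 1)
    echo "${v:-$2}"
}

# key_login_possible FILE: true if public-key login is enabled globally
# (upstream OpenSSH default: yes) or re-enabled inside any Match block.
key_login_possible() {
    [ "$(sshd_global PubkeyAuthentication yes "$1")" = yes ] && return 0
    sshd_values PubkeyAuthentication "$1" match | grep -qx yes
}

# Constructed sample: the global "no" wins over the later global "yes",
# but the Match block turns key login back on for one group.
sample_config() {
    cat <<'EOF'
# constructed sample, not a real host configuration
pubkeyauthentication no
PubkeyAuthentication yes
UsePAM yes
Match Group admins
    PubkeyAuthentication yes
EOF
}

tmp=$(mktemp); sample_config > "$tmp"
echo "global PubkeyAuthentication: $(sshd_global PubkeyAuthentication yes "$tmp")"
echo "global UsePAM:               $(sshd_global UsePAM no "$tmp")"
key_login_possible "$tmp" && echo "key login still possible for some users"
rm -f "$tmp"
```

UsePAM is reported because, when it is set to yes, sshd runs PAM account and session module processing for all authentication types, key logins included.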