Re: SSH and LDAP/RACF
On Mon, Jul 23, 2012 at 10:25:34AM +0100, Malcolm Beattie wrote:

> There's a section of the sshd(8) man page beginning:
>
>     Regardless of the authentication type, the account is checked to ensure that it is accessible. An account is not accessible if it is locked, listed in DenyUsers or its group is listed in DenyGroups. The definition of a locked account is system dependant. Some platforms...
>
> and which then (as I try to ignore the misspelling of dependent) gives O/S-specific ways that it checks for locked accounts, usually by special contents of a directly-accessed shadow password field such as *LK, Nologin, !. From that, I'd guess that sshd may not invoke PAM in a way that would let you use pam_ldap to do the appropriate lookup via LDAP.

It should be sufficient to set up NSS to list the locked password in getent shadow (as root). Normally you have libnss-ldap(d) in addition to libpam-ldap(d).

Kind regards
Philipp Kern

--
For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit http://wiki.linuxvm.org/
New Performance Whitepaper: Using the Linux cpuplugd Daemon to manage CPU and memory resources from z/VM Linux guests
Using the Linux cpuplugd Daemon to manage CPU and memory resources from z/VM Linux guests

The following paper is available at:

developerWorks: www.ibm.com/developerworks/linux/linux390/perf/tuning_cpuhotplug.html#cpuplugd
IBM Information Center: http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/index.jsp?topic=%2Fliaag%2Fl0cpup00_2012.htm

Sizing Linux z/VM guests can be a challenging task. Oversized guests often cause additional management effort by the Hypervisor, and undersized guests often have performance-related issues with workload peaks. A large number of guests with large ratios of resource overcommitment (more virtual resources than are physically available) and changing workload characteristics over time make correct sizing even more challenging.

There is an updated version of the cpuplugd daemon available starting with SUSE Linux Enterprise Server (SLES) SP2 or Red Hat Enterprise Linux (RHEL) 6.2, which greatly enhances the capability to define rules and the available performance parameters for the rule set. This tool now provides exactly what is required to enable the operating system of the guest to manage the resources within the range of the guest definition.

This study analyzes various rules for the Linux cpuplugd daemon, which can be used to automatically adjust CPU and memory resources of a Linux z/VM guest.

Dorothea Matthaeus
Linux on System z Information Development
IBM Deutschland Entwicklung GmbH

Mit freundlichen Grüßen / Kind regards
Dr. Dorothea Matthaeus
Planning, Project Management, and Strategy for ID deliverables
IBM Systems Technology Group, Systems Software Development / SW Information Entwicklung Service
SMT Repository question
Hi,

This question is for those who are running SMT to service your SLES11 virtual Linux servers. Do you maintain the repositories on x86 servers, z/Linux servers, or other? Are there any security, capacity, or usability issues that determined how your SMT is deployed?

Thanks.

Ray Mrohs
2014 (yes, 2014) VM Workshop location survey online.
Cross-posted to Linux-390, IBVVM, and IBM-MAIN discussion lists.

To: VM Workshop attendees and those who would like to attend

Background: The VM Workshop is a very inexpensive (registration only $100 each of the last 2 years), all-volunteer, 2.5 day technical conference held in mid-June and focused on z/VM, Linux for System z, and support of other guest operating systems (e.g. z/OS, z/VSE). For more info, see http://www.vmworkshop.org

Were the locations of the latest two revived VM Workshops, and the previous workshop era sites, unsuitable for your attendance? Do you have your own ideas for other VM Workshop locations that would encourage your attendance? Well... you now have a vote in future site selection!

To submit your vote, please visit: http://www.vmworkshop.org/2014SiteSurvey

The text before the survey describes the site selection criteria (cheap, easy airport/driving access, central-U.S.) and permits voting for up to two 2014 sites (2013 sites are already being analyzed). The survey probably won't be closed until mid-2013, so you can change your mind later and vote again - only your most recent vote will be counted.

You are NOT required to be registered with a VM Workshop web site userid to vote; that's the point - permit those who have not attended to have a voice in the 2014 site selection so they can attend, too.

Mike Walter
On behalf of the VM Workshop Planning Committee
Re: SMT Repository question
Dear Ray,

I host the SMT on a z/LINUX machine which is called the installation directory. In order to get enough disk space for the repositories, the disk is put on an FBA device (around 150 GB) and set up as LVM in order to make it easily expandable. I host on that server s390x and also x86_64 repositories for the base product SLES11, SP1 and SP2, SDK SP1 and SP2, and one additional private YUM repository. Meanwhile we have about 80 RPMs of various programs especially compiled for z/Series that are not available on the common distributions.

Additionally I use the SMT server also as FTP server for z/VM installation, hosting the installation media. The whole thing is quite versatile since I can serve our Intel servers from that installation point as well.

One goal of the introduction of zSeries was consolidation of all services flying around on heterogeneous infrastructure into one box. Especially in the LINUX area we are on a good track. Next we will consolidate our AIX machines on zSeries. Part of the workload will go to z/OS (DB2 and WebSphere), parts to zLINUX (Tomcat, mysql etc.).

Up to now I haven't encountered any security issues. The SMT is protecting itself very well.

HTH

Kind regards,
Florian

On Tue, Jul 24, 2012 at 5:25 PM, Mrohs, Ray (JMD) ray.mr...@usdoj.gov wrote:

> Hi,
>
> This question is for those who are running SMT to service your SLES11 virtual Linux servers. Do you maintain the repositories on x86 servers, z/Linux servers, or other? Are there any security, capacity, or usability issues that determined how your SMT is deployed?
>
> Thanks.
>
> Ray Mrohs
Re: SSH and LDAP/RACF
Dear Philipp,

I tried to look into that deeper but I could not find any information about how to configure that.

nsswitch.conf states:

    shadow: ldap files

A getent delivers:

    $ getent shadow bilek1
    bilek1:*:::0

There is no difference whether the user is locked or not. In case I state a userid which does not exist, getent delivers nothing.

Kind regards,
Florian

On Tue, Jul 24, 2012 at 8:52 AM, Philipp Kern pk...@debian.org wrote:

> On Mon, Jul 23, 2012 at 10:25:34AM +0100, Malcolm Beattie wrote:
>
>> There's a section of the sshd(8) man page beginning:
>>
>>     Regardless of the authentication type, the account is checked to ensure that it is accessible. An account is not accessible if it is locked, listed in DenyUsers or its group is listed in DenyGroups. The definition of a locked account is system dependant. Some platforms...
>>
>> and which then (as I try to ignore the misspelling of dependent) gives O/S-specific ways that it checks for locked accounts, usually by special contents of a directly-accessed shadow password field such as *LK, Nologin, !. From that, I'd guess that sshd may not invoke PAM in a way that would let you use pam_ldap to do the appropriate lookup via LDAP.
>
> It should be sufficient to set up NSS to list the locked password in getent shadow (as root). Normally you have libnss-ldap(d) in addition to libpam-ldap(d).
>
> Kind regards
> Philipp Kern

--
Best regards
Florian Bilek
Re: SSH and LDAP/RACF
Hi Malcolm,

I will give this workaround a try. But the idea was that a simple CMS 'rac alu userid' revoke would deny access of a user to all systems. With the workaround I need again a sort of exec that connects/disconnects the user to a NOLOG group. Or I need to disable the whole feature with the RSA keys, which is also quite painful when you have to maintain a lot of LINUX guests. Maybe I find another way to configure the PAM properly.

BTW: I find it a pity that there is no easy way to use the OVM segment of the RACF user profile to save the default shell, uid and gid etc. It is required to mess around with the posixAccount objectclass, which is not even part of the official delivery of the IBM/Tivoli LDAP server and requires schema modifications etc. It works but it requires a lot of work to make that work. Seems there is a lot of room for improvement. ;-)

BR
Florian

On Mon, Jul 23, 2012 at 11:25 AM, Malcolm Beattie beatt...@uk.ibm.com wrote:

> Florian Bilek writes:
>
>> 2.) In principle the login via SSH is working very well. I encountered recently a kind of weakness in the configuration: A RACF user that uses its own RSA keys to log into the system. When I do a RACF revoke on that user, it seems that the LDAP check does not take place and the user can still login. What can be done about that?
>
> There's a section of the sshd(8) man page beginning:
>
>     Regardless of the authentication type, the account is checked to ensure that it is accessible. An account is not accessible if it is locked, listed in DenyUsers or its group is listed in DenyGroups. The definition of a locked account is system dependant. Some platforms...
>
> and which then (as I try to ignore the misspelling of dependent) gives O/S-specific ways that it checks for locked accounts, usually by special contents of a directly-accessed shadow password field such as *LK, Nologin, !. From that, I'd guess that sshd may not invoke PAM in a way that would let you use pam_ldap to do the appropriate lookup via LDAP.
>
> What about, as a workaround, creating a RACF group named NOLOGIN, connecting revoked users to that group (an extra step, but that's why I called it a workaround, not a proper solution) and then putting DenyGroups nologin in your sshd_config? If z/VM LDAP doesn't special-case group membership lookups for revoked users then I think that may work.
>
> --Malcolm
>
> --
> Malcolm Beattie
> Mainframe Systems and Software Business, Europe
> IBM UK
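The sshd(8) paragraph Malcolm quotes, Philipp's advice to expose the locked password field through NSS, Florian's `getent shadow bilek1` output with its bare `*`, and the DenyGroups nologin workaround all come down to one post-authentication test in sshd. The Python below is an added example written for this page, not code from the thread or from OpenSSH: it models that accessibility test over constructed getent(1)-style shadow and group lines. The per-platform locked-field conventions are the ones sshd(8) lists (a leading `!` on most Linuxes, `*LK*` on Solaris, `*` on HP-UX, a leading `*LOCKED*` on FreeBSD, `Nologin` in the field on Tru64). The user names, hashes and the `nologin` group are made up; primary-group membership from passwd(5) is not modelled.

```python
"""Model of sshd's post-authentication account-accessibility check.

Added example for this page; not code from the LINUX-390 thread or from
OpenSSH. The shadow/group samples below are constructed in getent(1)
output format. Locked-password conventions follow the platform list in
sshd(8). Primary-group membership from passwd(5) is not modelled.
"""

# Constructed sample data (not from any poster's system). The first line
# mirrors the shape of the `getent shadow bilek1` output in the thread:
# a bare "*" password field and empty aging fields.
SHADOW_DB = """\
bilek1:*:::0
alice:!$6$saltsalt$lockedhashlockedhash:15500:0:99999:7:::
bob:*LK*:15500:0:99999:7:::
carol:$6$saltsalt$activehashactivehash:15500:0:99999:7:::
dave:Nologin:15500:0:99999:7:::
"""

GROUP_DB = """\
users:x:100:alice,bob,carol,dave,bilek1
nologin:x:2000:bilek1
"""

# How sshd decides "locked" from the shadow password field, per sshd(8):
# a leading "!" on most Linuxes, "*LK*" on Solaris, "*" on HP-UX,
# a leading "*LOCKED*" on FreeBSD, "Nologin" anywhere in the field on Tru64.
LOCKED_RULES = {
    "linux":   lambda pw: pw.startswith("!"),
    "solaris": lambda pw: pw == "*LK*",
    "hpux":    lambda pw: pw == "*",
    "freebsd": lambda pw: pw.startswith("*LOCKED*"),
    "tru64":   lambda pw: "Nologin" in pw,
}


def parse_shadow(text):
    """Return {user: password_field} from shadow(5)-style lines."""
    db = {}
    for line in text.splitlines():
        if line.strip():
            name, pw = line.split(":", 2)[:2]
            db[name] = pw
    return db


def parse_groups(text):
    """Return {group: set_of_members} from group(5)-style lines."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, _gid, members = line.split(":", 3)
            groups[name] = {m for m in members.split(",") if m}
    return groups


def is_locked(pw_field, platform="linux"):
    """Apply the platform's locked-account convention to a password field."""
    try:
        rule = LOCKED_RULES[platform]
    except KeyError:
        raise ValueError(f"no locked-password rule known for {platform!r}") from None
    return rule(pw_field)


def account_accessible(user, shadow, groups, deny_users=(), deny_groups=(),
                       platform="linux"):
    """Return (accessible, reason) following the sshd(8) paragraph quoted
    in the thread: the account is refused if it is locked, listed in
    DenyUsers, or a member of a group listed in DenyGroups. The
    authentication method is irrelevant, so a valid RSA key still gets in
    when none of the three conditions holds."""
    if user not in shadow:
        return False, "unknown user"
    if is_locked(shadow[user], platform):
        return False, "locked"
    if user in deny_users:
        return False, "DenyUsers"
    user_groups = {g for g, members in groups.items() if user in members}
    denied = user_groups & set(deny_groups)
    if denied:
        return False, "DenyGroups (" + ",".join(sorted(denied)) + ")"
    return True, "ok"


def main():
    shadow = parse_shadow(SHADOW_DB)
    groups = parse_groups(GROUP_DB)
    # 1. The symptom from the thread: on Linux a bare "*" is not "locked".
    print("bilek1, linux, no DenyGroups:", account_accessible("bilek1", shadow, groups))
    # 2. The same field on HP-UX would count as locked.
    print("bilek1, hpux:", account_accessible("bilek1", shadow, groups, platform="hpux"))
    # 3. The workaround: DenyGroups nologin with bilek1 connected to that group.
    print("bilek1, linux, DenyGroups nologin:",
          account_accessible("bilek1", shadow, groups, deny_groups=("nologin",)))
    # 4. A "!"-prefixed hash is what a Linux sshd recognises as locked.
    print("alice, linux:", account_accessible("alice", shadow, groups))


if __name__ == "__main__":
    main()
```

With these constructed inputs the `bilek1` entry passes on a Linux sshd because only a leading `!` counts as locked there, which is the symptom described in the thread: NSS answering `*` for every LDAP user, revoked or not, gives sshd nothing to refuse. Either the LDAP side has to return a `!`-prefixed value in the shadow password attribute for revoked users, or group membership has to carry the signal, as in the DenyGroups nologin workaround modelled in step 3.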