On Wed, Jul 27, 2011 at 1:35 PM, McKown, John <john.mck...@healthmarkets.com
> wrote:

> SSH requires that the key be readable __ONLY__ by the owner of the file
> which must be the id using the key file. Simply duplicate the key file on
> the remote server by giving everybody their own copy in their ~/.ssh
> subdirectory. ~ is UNIX for "home directory" and is usually something like
> /u/myid or /home/myid where "myid" is the user's id on that machine. And do
> the same on the z/OS system: duplicate the key file. Don't know why you'd
> want to do that, but feel free. I wouldn't allow it. If the auditors find
> out, they may hit the roof because it is like insisting that all users have
> the same password. I can use my key file to access the remote system using
> the other person's id. Unwise.
>
>
Not 100% true. The OpenSSH ssh command requires that IF a private key file
is owned by the current userid, THEN it must only be readable by that user.
Here's the code from OpenSSH 5.0p1, which I don't believe that IBM has
changed in their port:

int
key_perm_ok(int fd, const char *filename)
{
        struct stat st;

        if (fstat(fd, &st) < 0)
                return 0;
        /*
         * if a key owned by the user is accessed, then we check the
         * permissions of the file. if the key owned by a different user,
         * then we don't care.
         */
#ifdef HAVE_CYGWIN
        if (check_ntsec(filename))
#endif
        if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
                error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
                error("@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @");
                error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
                error("Permissions 0%3.3o for '%s' are too open.",
                    (u_int)st.st_mode & 0777, filename);
                error("It is recommended that your private key files are NOT accessible by others.");
                error("This private key will be ignored.");
                return 0;
        }
        return 1;
}

Given this, you could have your private key files owned by some other user
(say root) with a special group, and then make them "620" and then connect
z/OS userids to that group to permit them access to the private key.

Still not the best, IMO, since any user connected to the group would be able
to copy the key and post it on their facebook page.

Better would be to put the keys in a SAF keyring. Normally SSH keys are in
a SAF keyring owned by each user, but I believe that it is possible to share
them so long as the right SAF permissions are granted to the ring for each
user. Refer to the IBM Ported Tools for z/OS OpenSSH User's Guide
(Release 1.2) (and documentation for your security product) for more
information on using SAF keyrings.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

PS> We are planning a z/OS SSH Key management webinar for later in the year.
  You can sign up to be notified here:
http://dovetail.com/lists/

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html