Things to check.
TCP Policy Agent
Other users of the port (as previously suggested).
OMVS segment for the affected user.
Public/Private keypair definitions and Permissions. SSH is (*VERY PICKY*) about 
file permissions.

I suggest the following reading (thank you Dovetail).
https://coztoolkit.com/docs/sftp/ssh_keys_part2_2012-06-19.pdf
https://coztoolkit.com/docs/sftp/ssh_keys_part1_2012-06-12.pdf

HTH,

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Wendell Lovewell
Sent: Friday, May 26, 2023 6:49 PM
To: [email protected]
Subject: SSHD terminates immediately with permission(?) problem

I've done something wrong that I can't identify, and now SSHD terminates 
immediately after starting.

I'm not getting anything helpful on the console or in the joblog.  But I am 
getting these msgs in syslog:

OMVSKERN SSHD3    sshd[67174408]: error: FOTS1442 Bind to port 22 on :: failed: EDC5111I Permission denied. (errno2=0x744C7246).
OMVSKERN SSHD3    sshd[67174408]: error: FOTS1442 Bind to port 22 on 0.0.0.0 failed: EDC5111I Permission denied. (errno2=0x744C7246).
OMVSKERN SSHD3    sshd[67174408]: fatal: FOTS1464 Cannot bind any address.

I've looked up the 7246 code:
JRPORTACCESSAUTH     EQU 29254        * User does not have authority to access this port.

OMVSKERN is UID(0).  Has ALTER access to BPX.DAEMON.  Port 22 is not in use, 
per D TCPIP,,N,SOCKETS

None of the files in /etc/ssh had changed for 4 years, so I don't think it's 
there.  (I did set LogLevel to DEBUG3, which didn't help any.)

The only thing I can think of is that I might have messed up something with 
keys.  I did try some weeks ago to set up a certificate to bypass entering my 
password when using "ssh user@zos" and didn't get that to work.   And I did 
install a new CERTAUTH this week for the new IBM service requirement ("DigiCert 
Global Root G2"), though I can't imagine that would matter.

Any suggestions would really be appreciated...I'm not much good with entering 
USS commands via a 3270 screen.

TIA,
Wendell

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
[email protected] with the message: INFO IBM-MAIN
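
Added example (not part of either message): the low-order halfword of errno2 is the z/OS UNIX reason code, so the 7246 in the syslog lines is the hex form of the EQU 29254 quoted in the post. This Python sketch pulls the bind failures out of the mail-wrapped syslog text and reports both forms; the function names are this example's own, and the reason table holds only the one name the post gives.

```python
import re

# Only reason name given in the post; add others from IBM's reason-code reference.
KNOWN_REASONS = {0x7246: "JRPORTACCESSAUTH"}

BIND_FAIL = re.compile(
    r"FOTS\d+ Bind to port (\d+) on (\S+) failed: "
    r"(EDC\d+I) (.*?)\. \(errno2=0x([0-9A-Fa-f]{8})\)"
)

# Syslog lines copied from the post, still wrapped the way the mail client left them.
SAMPLE = """\
OMVSKERN SSHD3    sshd[67174408]: error: FOTS1442 Bind to port 22 on :: failed:
EDC5111I Permission denied. (errno2=0x744C7246).
OMVSKERN SSHD3    sshd[67174408]: error: FOTS1442 Bind to port 22 on 0.0.0.0
failed: EDC5111I Permission denied. (errno2=0x744C7246).
OMVSKERN SSHD3    sshd[67174408]: fatal: FOTS1464 Cannot bind any address.
"""

def bind_failures(text):
    """Group sshd bind failures by (port, reason code), tolerating wrapped lines."""
    flat = re.sub(r"\s+", " ", text)  # rejoin lines split by mail wrapping
    found = {}
    for m in BIND_FAIL.finditer(flat):
        port, addr, errno_id, errno_text, errno2 = m.groups()
        value = int(errno2, 16)
        qualifier, reason = value >> 16, value & 0xFFFF  # high / low halfword
        entry = found.setdefault((int(port), reason), {
            "errno": f"{errno_id} {errno_text}",
            "qualifier": qualifier,
            "reason_name": KNOWN_REASONS.get(reason, "unknown"),
            "addresses": [],
        })
        entry["addresses"].append(addr)
    return found

def report(text):
    """One summary line per (port, reason), hex and decimal side by side."""
    return [
        f"port {port}: {e['errno']}; reason 0x{reason:04X} = {reason} "
        f"({e['reason_name']}), qualifier 0x{e['qualifier']:04X}, "
        f"on {', '.join(e['addresses'])}"
        for (port, reason), e in bind_failures(text).items()
    ]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```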