Re: z/OS 2.2 3270 OMVS ssh masks passwords!

[Paul Gilmartin]

On Thu, 21 Jan 2016 14:05:35 -0600, Kirk Wolf  wrote:

>I would agree that it would be great if tcsetattr(NOECHO) actually worked
>under 3270 OMVS shells.
>
Why don't they just fix it!?

>But, under a TSO OMVS 3270 shell, using HOS1130 or HOS2220, don't you get
>this: ?
>
>zos$ ssh -oPubKeyAuthentication=no 127.0.0.1
>FOTS3322 Passwords may not be entered from 3270 terminals
>(terminates)
>
Sometimes.  It seems to depend on a lot of things; too many variables
to characterize:

o What if the remote user ID doesn't exist?

o What if the remote user exists but has no .ssh directory?

o Others (perhaps)?

And FTP sometimes gives me:

And I just got:

user@OS/390.25.00: ssh UNIXuser@Solaris                                         
                                                   
The authenticity of host 'Solaris  (10.xx.yy.zz)' can't be established.         
                                                   
RSA key fingerprint is d9:9f:85:53:d4:fa:dd:81:aa:29:73:f5:9e:ff:b8:5f.         
                                                   
Are you sure you want to continue connecting (yes/no)? yes                      
                                                   
FOTS2274 Warning: Permanently added 'Solaris,10.xx.yy.zz' (RSA) to the list of 
known hosts.                                       
Password:                                                                       
                                                   
 ===>                                                                           
                                                
                                                                          INPUT 
HIDDEN/INPUT

I don't know what makes that happen; usually I get FOTS3322.  I had:

user@OS/390.25.00: ls -al .ssh                                                  
          
total 120
drwx------   2 user group    8192 Jan 21 14:52 .
drwxr-xr-x  49 user group   49152 Jan 21 14:50 ..
-rw-r--r--   1 user group     412 Jan 21 14:59 known_hosts
user@OS/390.25.00: 

>But the above behavior is still a big improvement:  you can now do basic
>connectivity tests and anything else as long as you don't need to prompt
>for a password.  So keys work fine.
>
And a misbehavior.  If I ssh to a Solaris system I get no terminal output,
but I can see from file changes that my commands are being executed.
I wonder what's funny about Solaris pty handling?  I need to log and
see what my $TERM is.

And a glaring hole.  If I ssh to a Linux system and thence to a system on
which I have no key, Linux ssh suppresses echo (tcsetattr()?) and prompts
for a password.  But OMVS doesn't know that echoes aren't happening --
it's working blockmode, and my password appears as I type it.

This feels like too much WAD; OMVS support would surely blame Linux.

I think the moral is, Don't use 3270.

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN