It's not unprotected presuming you have a zvm ESM password protecting your 
console access using authenticated users.

It does work remotely too provided you have a vm operations type product.

Of course send should be protected and the ID that is secondary should be 
restricted as well.


Marcy. Sent from my BlackBerry.


From: Scott Rohling [mailto:scott.rohl...@gmail.com]
Sent: Friday, July 22, 2011 05:27 PM
To: IBMVM@LISTSERV.UARK.EDU <IBMVM@LISTSERV.UARK.EDU>
Subject: Re: [IBMVM] VM to zLinux Remote Execution

On Fri, Jul 22, 2011 at 4:08 PM, Marcy Cortes 
<marcy.d.cor...@wellsfargo.com> wrote:
Another option would be a CP SEND command from a VM user that was SECUSER to 
the linux console.  You have to alter /etc/inittab to have root logged in at 
boot.

It makes security auditors drool and convulse if you do that..  an open console 
with root access.   So anyone with SEND priv can be root.  <gasp>   REXEC at 
least does authentication (unencrypted though it may be)

This 'is' a nice simple way to talk to a local Linux from CMS in a pinch 
though..  you will need an EXEC to do the CP SEND so that Address Command can 
be used and not have it all uppercased.   (and set secuser or observer to see 
the output).  I've done this on occasion to diagnose or fix network issues when 
we can't get in via ssh.   But I normally 'login' using the same method (send 
root - send password -- which glows like a theatre marquee on your own console) 
- rather than have root logged in automatically.   Then start sending commands 
-- then finish with 'exit'.   You also need to know the root (or other user) 
password though, which you don't if root is automatically logged in.

This also (obviously) does not work 'remote' --  only when on the same lpar.

I think I've used up my parentheses quota..

Scott Rohling






Marcy.  Sent from my BlackBerry.


----- Original Message -----
From: Davis, Larry (National VM/VSE Capability) 
[mailto:larry.dav...@hp.com]
Sent: Friday, July 22, 2011 04:36 PM
To: IBMVM@LISTSERV.UARK.EDU <IBMVM@LISTSERV.UARK.EDU>
Subject: Re: [IBMVM] VM to zLinux Remote Execution

Glad to hear


Larry Davis


-----Original Message-----
From: The IBM z/VM Operating System 
[mailto:IBMVM@LISTSERV.UARK.EDU] On Behalf Of 
Tom Duerbusch
Sent: Friday, July 22, 2011 5:26 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: VM to zLinux Remote Execution

How about that.  It is there, just like you said.
I kept looking for REXEC(D) in the Network Service Configuration panel.
Then opening port 512 in the firewall of the Linux machine.

And then adding the client machine (VM) to HOSTNAMES on Linux solved the 
security problem.

However, I didn't have to install anything.  tcpd was already there in SLES 11 
SP 1.  But that could have been due to the "patterns" I selected at install 
time.

So everything is working fine....for now.

Thanks

Tom Duerbusch
THD Consulting

>>> "Davis, Larry (National VM/VSE Capability)" 
>>> <larry.dav...@hp.com> 7/22/2011 1:07 PM >>>
The service is called "exec" in xinetd and it is located in /usr/sbin/tcpd. I 
had to install it from the repository; it was not there by default.
Try looking for exec or tcpd in the repository

Larry Davis


-----Original Message-----
From: The IBM z/VM Operating System 
[mailto:IBMVM@LISTSERV.UARK.EDU] On Behalf Of 
Tom Duerbusch
Sent: Friday, July 22, 2011 2:02 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: VM to zLinux Remote Execution

I've searched for the basic REXEC daemon for zSeries SLES 11, but I couldn't 
find anything.  I could have been looking in the wrong place.

Tom Duerbusch
THD Consulting

>>> "Davis, Larry (National VM/VSE Capability)" 
>>> <larry.dav...@hp.com> 7/22/2011 12:34 PM >>>
REXEC is available in Linux but you will get Auditors screaming about it.
We got a waiver at our site.
You can use IPTABLES to restrict REXEC access from/to certain systems.

Larry Davis


-----Original Message-----
From: The IBM z/VM Operating System 
[mailto:IBMVM@LISTSERV.UARK.EDU] On Behalf Of 
Tom Duerbusch
Sent: Friday, July 22, 2011 1:32 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: VM to zLinux Remote Execution

I'm trying to remotely execute a command with CMS as the client and SLES 11 SP 
1 as the server.

All documentation I've found so far, shows how to do it from Linux to VM.

Apparently the problem is, TCPIP for VM only has the unsecured REXEC client and 
SLES 11 only has a secured sshd.

I've searched the VM download page for a ssh client.
I've done some Linux searches for how to dumb down sshd (i.e. to allow 
unsecured transfers).

Of course, there might be program products available, but unless they would be 
zero cost products, it's not going to happen in the short term.

Thanks for any help

Tom Duerbusch
THD Consulting
(Still on z/VM 5.2)
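
Added example, not part of the thread and not any poster's code: a small audit script for the two exposures the messages above discuss, a root session logged in automatically on the console via /etc/inittab, and the xinetd "exec" (REXEC) service left reachable from any host. The auto-login patterns matched, the use of xinetd's only_from attribute as the restriction marker, the sample file names and the address 192.0.2.10 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit checks for the two exposures discussed in the thread.

# Print the id of each active inittab entry that logs root in with no password.
# Assumption: auto-login appears as "--autologin root" or "login -f root".
inittab_root_autologin() {
    awk -F: '
        /^[ \t]*#/ || NF < 4 { next }
        {
            proc = $4
            for (i = 5; i <= NF; i++) proc = proc ":" $i
            if (proc ~ /(--autologin|login[ \t]+-f)[ \t]+root([ \t]|$)/) print $1
        }' "$1"
}

# Classify the xinetd "exec" (rexec) service in one config file as
# absent, disabled, restricted (has an only_from line) or open.
xinetd_exec_state() {
    awk '
        $1 == "service" { in_exec = ($2 == "exec"); if (in_exec) seen = 1; next }
        $1 == "}"       { in_exec = 0; next }
        in_exec && $1 == "disable"   { disabled = ($3 == "yes") }
        in_exec && $1 == "only_from" { restricted = 1 }
        END {
            if (!seen)           print "absent"
            else if (disabled)   print "disabled"
            else if (restricted) print "restricted"
            else                 print "open"
        }' "$1"
}

# Constructed sample files (not taken from any real system).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/inittab" <<'EOF'
id:3:initdefault:
# 9:2345:respawn:/sbin/mingetty --autologin root tty9
1:2345:respawn:/sbin/mingetty --autologin root --noclear /dev/ttyS0 dumb
2:2345:respawn:/sbin/mingetty --noclear /dev/ttyS1 dumb
EOF
printf 'service exec\n{\n    disable = no\n}\n' > "$SAMPLES/exec_open"
printf 'service exec\n{\n    disable = no\n    only_from = 192.0.2.10\n}\n' > "$SAMPLES/exec_limited"

echo "inittab ids with root auto-login: $(inittab_root_autologin "$SAMPLES/inittab")"
echo "exec_open:    $(xinetd_exec_state "$SAMPLES/exec_open")"
echo "exec_limited: $(xinetd_exec_state "$SAMPLES/exec_limited")"
```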
