I think you misunderstand me here. I will not use telnet to login or anything like that; it was just an example of how to make Linux read data from a predefined CMS file that has access rules protecting it. Not to mention you need a VM userid to get in.

So you need access in z/VM to write any useful data into that CMS file, then for example ssh into port xxxxx with a short timeout, and not even expecting to get logged in. No way to mess with that CMS file unless you have a VM userid and the access.

_________________________________________________
Tore Agblad
System programmer, Volvo IT certified IT Architect
Volvo Information Technology
Infrastructure Mainframe Design & Development, Linux servers
Dept 4352 DA1S
SE-405 08, Gothenburg Sweden
Telephone: +46-31-3233569
E-mail: [email protected]
http://www.volvo.com/volvoit/global/en-gb/

-----Original Message-----
From: Linux on 390 Port [mailto:[email protected]] On Behalf Of Alan Altmark
Sent: 20 September 2011 23:36
To: [email protected]
Subject: Re: RSH RPM

On Tuesday, 09/20/2011 at 05:09 EDT, David Boyes <[email protected]> wrote:
> > Well, if you have a little knowledge about iptables, you could trigger some
> > action when someone tries to connect to some port.
> > So by telnet to for example port 48113, and have iptables trigger this and
> > start a script that reads from a predefined cms-filename, you have the trigger
> > functionality there.
> >
> > Maybe this is some overkill... :)
>
> Big problem here: no authentication of originator (telnet doesn't do that), no
> way to set the effective uid of the executor (do you want all your users
> executing things as root?) and there's no way to return values to the
> originator. Rsh (for all its warts) at least does these 3 things right.

Amen.

In any peer-peer protocol, there are two important attributes:
1. Authentication
2. Privacy

Rsh on an internal z/VM virtual network achieves both. Things like Live Guest Relocation introduce an anomaly into the equation, since what appears as "internal" one moment may in fact be "remote" at the next.

Of course, protocol security discussions rarely deal with common sense, but with Rules Made To Be Followed Without Exception Because My Grandfather Told Me So. Hence the descent into "rsh/rexec madness" and the unblinking acceptance of unsecured telnet. Go figure. (I can't believe that in 2011 secure telnet is not de rigueur.)

Alan Altmark
Senior Managing z/VM and Linux Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
[email protected]
IBM Endicott

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
