Re: [MVS-OE] Passwordless login omvs

2022-03-13 Thread Jake Anderson
I enabled debug3 and daemon logging for SSHD task

Finally it was because of bad ownership and modes. Fixed that and it's all
good now

Thanks to all who gave your valuable suggestions

On Mon, Mar 14, 2022, 8:29 AM Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Sun, 13 Mar 2022 22:07:28 -0400, Steve Smith wrote:
>
> >Just reminds me that sh script is disgusting.  Brainfrack can't be much
> >worse.  Is "done" the end of a do?  Shouldn't it be "od"?
> >
> So it's not your favorite language.  JCL isn't mine (Shouldn't an IF
> range end with FI?)  Have you any constructive suggestions?
>
> >Anyways, I presume that this applies to the client side, and also I presume
> >the OP uses the same client system for two different systems, so how could
> >this be the problem?
> >
> Different configurations of the two hosts?
>
> --
> gil
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
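
The fix reported above was ownership and modes. As an added example (not part of the original posts), this POSIX sh code audits the home directory, ~/.ssh and authorized_keys for the two conditions OpenSSH's StrictModes check enforces: the owner is the user or uid 0, and no group or other write bit is set. The function names and the --audit switch are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# check_entry PATH UID
# Succeeds when PATH is owned by UID or uid 0 and carries no group/other
# write bit; otherwise prints the reason on stdout and fails.
check_entry() {
    line=$(ls -ldn "$1" 2>/dev/null) || { echo "missing: $1"; return 1; }
    # ls -n gives numeric ids, e.g. "drwx------ 2 1000 1000 ..."
    read -r mode _links owner _rest <<EOF
$line
EOF
    rc=0
    case "$mode" in
        ?????w* | ????????w*)    # 6th char: group write, 9th: other write
            echo "group/other writable ($mode): $1"; rc=1 ;;
    esac
    case "$owner" in
        0 | "$2") ;;
        *) echo "owned by uid $owner, expected $2 or 0: $1"; rc=1 ;;
    esac
    return "$rc"
}

# audit_ssh_perms HOME [UID]
# Checks HOME, HOME/.ssh and HOME/.ssh/authorized_keys; reports every problem.
audit_ssh_perms() {
    home=$1
    uid=${2:-$(id -u)}
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_entry "$p" "$uid" || bad=1
    done
    return "$bad"
}

# Run as: sh thisfile --audit [HOME]
case "${1:-}" in
    --audit) audit_ssh_perms "${2:-$HOME}" ;;
esac
```

Run it on the server side as the login user; each line of output names one entry to fix with chown or chmod.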


Re: [MVS-OE] Passwordless login omvs

2022-03-13 Thread Paul Gilmartin
On Sun, 13 Mar 2022 22:07:28 -0400, Steve Smith wrote:

>Just reminds me that sh script is disgusting.  Brainfrack can't be much
>worse.  Is "done" the end of a do?  Shouldn't it be "od"?
>
So it's not your favorite language.  JCL isn't mine (Shouldn't an IF
range end with FI?)  Have you any constructive suggestions?

>Anyways, I presume that this applies to the client side, and also I presume
>the OP uses the same client system for two different systems, so how could
>this be the problem?
>
Different configurations of the two hosts?

-- 
gil



Re: [MVS-OE] Passwordless login omvs

2022-03-13 Thread Andrew Rowley

On 14/03/2022 1:07 pm, Steve Smith wrote:

> Anyways, I presume that this applies to the client side, and also I presume
> the OP uses the same client system for two different systems, so how could
> this be the problem?
>
> I would like to see complete set up instructions for ssh/sshd, like JES2
> provides for its (ridiculous) notify to email.


I'm pretty sure it applies to the server side.

From memory, ssh/sshd setup on z/OS is very much the same as on other 
platforms, so any of the how-tos out on the internet give you the steps, 
and the errors and solutions are the same.


Andrew Rowley



Re: [MVS-OE] Passwordless login omvs

2022-03-13 Thread Steve Smith
Just reminds me that sh script is disgusting.  Brainfrack can't be much
worse.  Is "done" the end of a do?  Shouldn't it be "od"?

Anyways, I presume that this applies to the client side, and also I presume
the OP uses the same client system for two different systems, so how could
this be the problem?

I would like to see complete set up instructions for ssh/sshd, like JES2
provides for its (ridiculous) notify to email.  Maybe it's better that one
learns all the parts, and learns how to put them together.  So be it, but I
can hardly find ssh mentioned anywhere in either CS or USS libraries.

sas


On Sun, Mar 13, 2022 at 5:40 PM Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Mar 13, 2022, at 08:07:33, Jake Anderson 
> wrote:
> >
> > I was able to copy it
> > We have two environments, LPAR1 and LPAR2
> >
> > Certificate based SSH login is successful on LPAR2 but for LPAR1 it asks
> > for a password.
> >
> Ssh requires, but does not diagnose clearly, that no directory
> in the path from root to ~/.ssh be writable by other than the
> .ssh owner lest a (fe)malefactor modify the permissions.
>
> This POSIX shell script reports any weaknesses:
> #! /bin/sh
>
> # Doc: Verify that strangers can't modify path to "'".
>
> _UNIX03=YES export _UNIX03
> ${1+cd "$1"} || exit 103  # Default is PWD.
> echo " Testing: $( ls -ld "$( pwd -P . )" )" >&2
> while :; do
>     P=$( pwd -P . ) || exit 104
>     L=$( ls -ld "$P" )
>     # # echo " Testing: $L" >&2
>     # Mode string looks like drwxrwxr-x: 6th char is group write,
>     # 9th char is other write.
>     case "$L" in
>         ?????w* | ????????w* )
>             echo "!!! writable !!!: $L" >&2
>             exit 1;;
>     esac
>     [ "x/" = "x$P" ] && exit 0   # Reached root with no findings.
>     cd -P .. || exit 102
> done
>
> --
> gil
>


The Next Steps for IBM zCX: Container Orchestration

2022-03-13 Thread Timothy Sipples
I draw your attention to this Webcast open to all. It’ll stream live at 12:00 
noon Eastern (U.S.) Daylight Time on Tuesday, March 15, 2022:

https://event.on24.com/wcc/r/3614115/176DE0C11FAE053AEBFFFBC690AABD85

This IBM briefing is related to the z/OS Container Extensions (zCX). Hats off 
to the development team; it’s another exciting one.

— — — — —
Timothy Sipples
I.T. Architect Executive
Digital Assets, Industry Solutions, and Cyber Security
IBM Z and LinuxONE
sipp...@sg.ibm.com




Re: [MVS-OE] Passwordless login omvs

2022-03-13 Thread Paul Gilmartin
On Mar 13, 2022, at 08:07:33, Jake Anderson  wrote:
> 
> I was able to copy it
> We have two environments, LPAR1 and LPAR2
> 
> Certificate based SSH login is successful on LPAR2 but for LPAR1 it asks
> for a password.
>  
Ssh requires, but does not diagnose clearly, that no directory
in the path from root to ~/.ssh be writable by other than the
.ssh owner lest a (fe)malefactor modify the permissions.

This POSIX shell script reports any weaknesses:
#! /bin/sh

# Doc: Verify that strangers can't modify path to "'".

_UNIX03=YES export _UNIX03
${1+cd "$1"} || exit 103  # Default is PWD.
echo " Testing: $( ls -ld "$( pwd -P . )" )" >&2
while :; do
    P=$( pwd -P . ) || exit 104
    L=$( ls -ld "$P" )
    # # echo " Testing: $L" >&2
    # Mode string looks like drwxrwxr-x: 6th char is group write,
    # 9th char is other write.
    case "$L" in
        ?????w* | ????????w* )
            echo "!!! writable !!!: $L" >&2
            exit 1;;
    esac
    [ "x/" = "x$P" ] && exit 0   # Reached root with no findings.
    cd -P .. || exit 102
done

-- 
gil



Re: [MVS-OE] Passwordless login omvs

2022-03-13 Thread Paul Gilmartin
COPY the id_*.pub from your desktop and append
it to authorized_keys on the host.  You will be
prompted only once to validate the host.  Reply
"Yes".  Do not abbreviate.


(More):
ssh is prudently fussy about permissions.  I use:

#! /bin/sh -x

# Doc: Set useful and safe permissions for ~/.ssh

: "in $0"
: "ssh requires that no one other than user be able to write \$HOME"
cd && chmod u+rwx .ssh && cd .ssh && chmod og-w .. || exit $?
:
: >>authorized_keys # Create but don't update timestamps 
chmod -R og-rwx . && {  # Prevent browsing -- especially authorized_keys
chmod -R u+rw . # User can read and write everything.
chmod a+x . # Allow everyone to search .ssh
chmod a+r *.pub # and to read public keys.
ls -al;  }  # Did we do it right?

-- 
gil



Re: [MVS-OE] Passwordless login omvs

2022-03-13 Thread Jake Anderson
I was able to copy it

We have two environments, LPAR1 and LPAR2

Certificate based SSH login is successful on LPAR2 but for LPAR1 it asks
for a password.

I did enable -VV with SSH login to check in debug mode but I don't see any
error or any reason why it expects a password even though the same
certificate works fine with other LPAR2.

SSHD configurations are the same on both the LPARs. Are there any places that I
need to be looking at?

On Sun, Mar 13, 2022, 5:49 PM Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Mar 12, 2022, at 23:38:36, Jake Anderson wrote:
> >
> > I generated the .pub certificate from both ends but still when I do
> > SSH from CentOS to OMVS it asks for a password. OMVS is running the SSHD
> > task.
> >
> COPY the id_*.pub from your desktop and append
> it to authorized_keys on the host.  You will be
> prompted only once to validate the host.  Reply
> "Yes".  Do not abbreviate.
>
> --
> gil
>


Re: [MVS-OE] Passwordless login omvs

2022-03-13 Thread Paul Gilmartin
On Mar 12, 2022, at 23:38:36, Jake Anderson wrote:
> 
> I generated the .pub certificate from both ends but still when I do
> SSH from CentOS to OMVS it asks for a password. OMVS is running the SSHD
> task.
> 
COPY the id_*.pub from your desktop and append
it to authorized_keys on the host.  You will be
prompted only once to validate the host.  Reply
"Yes".  Do not abbreviate.


-- 
gil



Re: Mainframe Update: The real priority for mainframers

2022-03-13 Thread Seymour J Metz
While I'm always skeptical of security presentations that plug a product, the 
insider threat is real and the threat via end nodes is real. Never trust 
anybody - including yourself; it doesn't take a dishonest employee, merely a 
moment of carelessness.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
Mark Regan [marktre...@gmail.com]
Sent: Sunday, March 13, 2022 9:06 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Fwd: Mainframe Update: The real priority for mainframers

https://mainframeupdate.blogspot.com/2022/03/the-real-priority-for-mainframers.html



Regards,

Mark Regan, K8MTR General, EN80tg
CTO1 USNR-Retired (1969-1991),

RUENAAA/CNO WASHINGTON DC//OP-009QCP

Nationwide Insurance, Retired, 1986-2017
z/OS Network Software Consultant (z NetView, z/OS Communications Server)
Contractor, Checks & Balances, Inc.
Email: marktre...@gmail.com 
LinkedIn:  https://www.linkedin.com/in/mark-t-regan



Fwd: Mainframe Update: The real priority for mainframers

2022-03-13 Thread Mark Regan
https://mainframeupdate.blogspot.com/2022/03/the-real-priority-for-mainframers.html

Regards,

Mark Regan, K8MTR General, EN80tg
CTO1 USNR-Retired (1969-1991), 

RUENAAA/CNO WASHINGTON DC//OP-009QCP

Nationwide Insurance, Retired, 1986-2017
z/OS Network Software Consultant (z NetView, z/OS Communications Server)
Contractor, Checks & Balances, Inc.
Email: marktre...@gmail.com  
LinkedIn:  https://www.linkedin.com/in/mark-t-regan

 

 

