Re: z/OS 2.2 3270 OMVS ssh masks passwords!

2016-01-24 Thread Mark Post
>>> On 1/23/2016 at 01:54 PM, Paul Gilmartin
<000433f07816-dmarc-requ...@listserv.ua.edu> wrote: 
> Data point:  Under 3270 OMVS, the "su" command properly masks the password.
> I wonder how it does that?

Probably the same way the Linux 3270 console driver does it.  It knows enough 
to set the attribute byte for the field to be non-display.


Mark Post

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: z/OS 2.2 3270 OMVS ssh masks passwords!

2016-01-24 Thread Jack J. Woehr

Mark Post wrote:

Probably the same way the Linux 3270 console driver does it.  It knows enough 
to set the attribute byte for the field to be non-display.

Attended an IBM official SNA course in Phoenix in April, 1998 with a 
retired-and-back-to-consult IBM'er.

He pointed out, "When you enter a password on a 3270 terminal, the only one who 
can't see it is you."

Of course, nowadays the terminal is probably X3270 over an SSH tunnel.

--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan



Re: z/OS 2.2 3270 OMVS ssh masks passwords!

2016-01-23 Thread Paul Gilmartin
On Thu, 21 Jan 2016 14:05:35 -0600, Kirk Wolf wrote:

>I would agree that it would be great if tcsetattr(NOECHO) actually worked
>under 3270 OMVS shells.
> 
Data point:  Under 3270 OMVS, the "su" command properly masks the password.
I wonder how it does that?

-- gil



Re: z/OS 2.2 3270 OMVS ssh masks passwords!

2016-01-21 Thread Paul Gilmartin
On Wed, 20 Jan 2016 17:17:45 -0600, Kirk Wolf wrote:

>Hi Gil,
>
>I'm not sure I understand exactly what you are referring to?
> 
Hmm... No other followups.  After the Subject:

z/OS 2.2 3270 OMVS ssh masks passwords!

... and that's a good thing, at last.  Always previously ssh and sftp
refused to work from a 3270/TSO/OMVS session.  The most plausible
rationale was that they couldn't mask passwords as they were typed
-- a security exposure.  The z/OS 2.2 Ported Tools now mask passwords
and allow ssh and sftp from a 3270.

I knew a circumvention.  Running the "screen" utility from a 3270
ssh and sftp worked (but passwords were visible).  I never reported
this, fearing that IBM would break "screen" rather than fixing ssh.

I had traced the behavior to what I suspected, tcsetattr(NOECHO)
which suppressed password display on a linemode terminal but
left it visible on a 3270.  I reported this to IBM, submitting both
my C code using tcsetattr(NOECHO) and the shell command,
"stty -echo" which failed alike on a 3270 even though both work
on a line terminal.  IBM changed "stty -echo" so it suppresses
passwords, but left tcsetattr() broken.

Yesterday, I dusted off my C testcase.  Still broken.  tcsetattr()
suppresses password display on a linemode terminal but leaves
it visible on a 3270.  They might have fixed the problem at the
root; instead they trimmed the branch.

So Rocket Software cares about customers more than IBM does.
Which explains the citations on another list by regular contributors
to this list:

http://www.theregister.co.uk/2016/01/19/ibm_revenues_down_again/

http://finance.yahoo.com/news/no-end-in-sight-for-ibm-decline-as-shares-near-six-year-low-141729837.html

>On Wed, Jan 20, 2016 at 5:14 PM, Paul Gilmartin  wrote:
>
>> Really!  At last!

-- gil

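The tcsetattr() test case described in the message above, written out as an added example. This is not Gil's code and not IBM's or Rocket's; the helper names set_echo, read_line_echo and echo_leaks_secret are mine, and the secret "s3cret" is constructed input. It assumes a Unix98 pseudo-terminal (posix_openpt) is available for the self-check. The point it adds is the one the thread turns on: a successful tcsetattr(ECHO cleared) only tells you what the driver recorded, so the check here looks at what the terminal side actually receives, which is the only evidence that a password did not go to the screen.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <termios.h>
#include <unistd.h>

/* Unix98 pty helpers, declared explicitly in case <stdlib.h> was read under macros that hide them. */
int posix_openpt(int oflag);
int grantpt(int fd);
int unlockpt(int fd);
char *ptsname(int fd);

/* Set (on=1) or clear (on=0) ECHO on fd, saving the old settings in *saved.
 * Clearing ECHO this way is the POSIX equivalent of "stty -echo". */
int set_echo(int fd, int on, struct termios *saved)
{
    struct termios t;
    if (tcgetattr(fd, saved) < 0)
        return -1;
    t = *saved;
    t.c_lflag = on ? (t.c_lflag | ECHO) : (t.c_lflag & ~(tcflag_t)ECHO);
    return tcsetattr(fd, TCSANOW, &t);
}

/* Read one line with ECHO forced to `echo`, restore the old settings, strip the
 * newline. Returns bytes stored or -1. A password prompt passes echo=0. */
ssize_t read_line_echo(int fd, int echo, char *buf, size_t n)
{
    struct termios saved;
    ssize_t got;
    if (n == 0 || set_echo(fd, echo, &saved) < 0)
        return -1;
    got = read(fd, buf, n - 1);
    tcsetattr(fd, TCSANOW, &saved);          /* always restore, even if read failed */
    if (got < 0) return -1;
    if (got > 0 && buf[got - 1] == '\n') got--;
    buf[got] = '\0';
    return got;
}

/* Check at the terminal side rather than trusting tcgetattr(): a forked "typist" writes
 * the secret into the pty master, the parent reads it on the slave with ECHO as requested,
 * then drains what came back to the master. Returns 0 = read, nothing echoed; 1 = secret
 * echoed to the terminal; -1 = no pty available; -2 = the line read was not the secret. */
int echo_leaks_secret(int echo)
{
    static const char secret[] = "s3cret";   /* constructed test input, not a credential */
    char line[64], seen[256];
    struct termios orig;
    const char *name; size_t len = 0; ssize_t got;
    int master, slave; pid_t pid;
    if ((master = posix_openpt(O_RDWR | O_NOCTTY)) < 0)
        return -1;
    if (grantpt(master) < 0 || unlockpt(master) < 0 || !(name = ptsname(master))
        || (slave = open(name, O_RDWR | O_NOCTTY)) < 0) {
        close(master);
        return -1;
    }
    /* ECHO must be settled before the first keystroke, exactly as at a real prompt. */
    if (set_echo(slave, echo, &orig) < 0 || (pid = fork()) < 0) {
        close(slave); close(master);
        return -1;
    }
    if (pid == 0) {                          /* typist: pause like a user, then type */
        poll(NULL, 0, 100);
        _exit(write(master, secret, sizeof secret - 1) < 0 || write(master, "\n", 1) < 0);
    }
    got = read_line_echo(slave, echo, line, sizeof line);
    waitpid(pid, NULL, 0);
    struct pollfd pfd = { master, POLLIN, 0 }; /* drain what the terminal side was sent */
    while (len < sizeof seen - 1 && poll(&pfd, 1, 200) > 0) {
        ssize_t r = read(master, seen + len, sizeof seen - 1 - len);
        if (r <= 0) break;
        len += (size_t)r;
    }
    seen[len] = '\0';
    close(slave); close(master);
    if (got < 0 || strcmp(line, secret) != 0)
        return -2;
    return strstr(seen, secret) != NULL;
}

int main(void)
{
    static const char *verdict[] = { "read did not return the secret", "no pty available",
                                     "NOT echoed to the terminal side", "ECHOED to the terminal side" };
    char pw[128];
    printf("ECHO cleared: %s\n", verdict[echo_leaks_secret(0) + 2]);
    printf("ECHO set:     %s\n", verdict[echo_leaks_secret(1) + 2]);
    if (isatty(STDIN_FILENO)) {              /* under 3270 OMVS, watch the screen as you type */
        fputs("Password: ", stdout);
        fflush(stdout);
        printf("\nread %zd bytes (not shown)\n", read_line_echo(STDIN_FILENO, 0, pw, sizeof pw));
    }
    return 0;
}
```

The pty self-check is written against Linux-style Unix98 pseudo-terminals; the interactive branch at the end is the part to run once from a line-mode (telnet or ssh) shell and once from a 3270 OMVS session. On a line-mode terminal the typed text should not appear; the thread's report is that under 3270 OMVS the same tcsetattr() call returns success while the keystrokes still show, which is why verifying what the terminal receives, not what tcgetattr() reports, is the check that matters.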


Re: z/OS 2.2 3270 OMVS ssh masks passwords!

2016-01-21 Thread Kirk Wolf
I would agree that it would be great if tcsetattr(NOECHO) actually worked
under 3270 OMVS shells.

But, under a TSO OMVS 3270 shell, using HOS1130 or HOS2220, don't you get
this: ?

zos$ ssh -oPubKeyAuthentication=no 127.0.0.1
FOTS3322 Passwords may not be entered from 3270 terminals
(terminates)

But the above behavior is still a big improvement:  you can now do basic
connectivity tests and anything else as long as you don't need to prompt
for a password.  So keys work fine.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Thu, Jan 21, 2016 at 11:39 AM, Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Wed, 20 Jan 2016 17:17:45 -0600, Kirk Wolf wrote:
>
> >Hi Gil,
> >
> >I'm not sure I understand exactly what you are referring to?
> >
> Hmm... No other followups.  After the Subject:
>
> z/OS 2.2 3270 OMVS ssh masks passwords!
>
> ... and that's a good thing, at last.  Always previously ssh and sftp
> refused to work from a 3270/TSO/OMVS session.  The most plausible
> rationale was that they couldn't mask passwords as they were typed
> -- a security exposure.  The z/OS 2.2 Ported Tools now mask passwords
> and allow ssh and sftp from a 3270.
>
> I knew a circumvention.  Running the "screen" utility from a 3270
> ssh and sftp worked (but passwords were visible).  I never reported
> this, fearing that IBM would break "screen" rather than fixing ssh.
>
> I had traced the behavior to what I suspected, tcsetattr(NOECHO)
> which suppressed password display on a linemode terminal but
> left it visible on a 3270.  I reported this to IBM, submitting both
> my C code using tcsetattr(NOECHO) and the shell command,
> "stty -echo" which failed alike on a 3270 even though both work
> on a line terminal.  IBM changed "stty -echo" so it suppresses
> passwords, but left tcsetattr() broken.
>
> Yesterday, I dusted off my C testcase.  Still broken.  tcsetattr()
> suppresses password display on a linemode terminal but leaves
> it visible on a 3270.  They might have fixed the problem at the
> root; instead they trimmed the branch.
>
> So Rocket Software cares about customers more than IBM does.
> Which explains the citations on another list by regular contributors
> to this list:
>
> http://www.theregister.co.uk/2016/01/19/ibm_revenues_down_again/
>
> http://finance.yahoo.com/news/no-end-in-sight-for-ibm-decline-as-shares-near-six-year-low-141729837.html
>
> >On Wed, Jan 20, 2016 at 5:14 PM, Paul Gilmartin  wrote:
> >
> >> Really!  At last!
>
> -- gil
>
>



Re: z/OS 2.2 3270 OMVS ssh masks passwords!

2016-01-21 Thread Paul Gilmartin
On Thu, 21 Jan 2016 14:05:35 -0600, Kirk Wolf  wrote:

>I would agree that it would be great if tcsetattr(NOECHO) actually worked
>under 3270 OMVS shells.
>
Why don't they just fix it!?

>But, under a TSO OMVS 3270 shell, using HOS1130 or HOS2220, don't you get
>this: ?
>
>zos$ ssh -oPubKeyAuthentication=no 127.0.0.1
>FOTS3322 Passwords may not be entered from 3270 terminals
>(terminates)
>
Sometimes.  It seems to depend on a lot of things; too many variables
to characterize:

o What if the remote user ID doesn't exist?

o What if the remote user exists but has no .ssh directory?

o Others (perhaps)?

And FTP sometimes gives me:

And I just got:

user@OS/390.25.00: ssh UNIXuser@Solaris
The authenticity of host 'Solaris  (10.xx.yy.zz)' can't be established.
RSA key fingerprint is d9:9f:85:53:d4:fa:dd:81:aa:29:73:f5:9e:ff:b8:5f.
Are you sure you want to continue connecting (yes/no)? yes
FOTS2274 Warning: Permanently added 'Solaris,10.xx.yy.zz' (RSA) to the list of
known hosts.
Password:

 ===>

  INPUT
HIDDEN/INPUT

I don't know what makes that happen; usually I get FOTS3322.  I had:

user@OS/390.25.00: ls -al .ssh
total 120
drwx--   2 user group8192 Jan 21 14:52 .
drwxr-xr-x  49 user group   49152 Jan 21 14:50 ..
-rw-r--r--   1 user group 412 Jan 21 14:59 known_hosts
user@OS/390.25.00:

>But the above behavior is still a big improvement:  you can now do basic
>connectivity tests and anything else as long as you don't need to prompt
>for a password.  So keys work fine.
>
And a misbehavior.  If I ssh to a Solaris system I get no terminal output,
but I can see from file changes that my commands are being executed.
I wonder what's funny about Solaris pty handling?  I need to log and
see what my $TERM is.

And a glaring hole.  If I ssh to a Linux system and thence to a system on
which I have no key, Linux ssh suppresses echo (tcsetattr()?) and prompts
for a password.  But OMVS doesn't know that echoes aren't happening --
it's working blockmode, and my password appears as I type it.

This feels like too much WAD; OMVS support would surely blame Linux.

I think the moral is, Don't use 3270.

-- gil



Re: z/OS 2.2 3270 OMVS ssh masks passwords!

2016-01-20 Thread Kirk Wolf
Hi Gil,

I'm not sure I understand exactly what you are referring to?

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Jan 20, 2016 at 5:14 PM, Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> Really!  At last!
>
> Many years ago I submitted an SR; Security; against tcsetattr() where
> I suspected the problem lay.  (Before Ported Tools; I found breakage
> with my own code.)  IBM whitewashed the problem in "stty -echo"
> but left tcsetattr() broken.  I suppose their attitude was, "Don't do
> that!"  I need to test whether tcsetattr() now works or whether there's
> more whitewash in SSL.
>
> -- gil
>
>
