Re: PAM to authenticate using zVM userid/password
Thanks to all who replied with suggestions. Yes, it's not about being cool, or going boldly where others fear to tread, but rather making people less cranky about password maintenance.

In my environment, all zLinux users are also VM/CMS users. They have a userid on VM and the same userid on zLinux. The password complaint I hear most often is... Why can't they be the same? Why do I have to change it in both places?

Seems like a CMS LDAP solution for zLinux to use fits the bill nicely. Users may continue to change their VM password in the ol' familiar ways, and that immediately affects the zLinux password. zLinux password maintenance goes away. Users less cranky, me more happy. :-)

In many cases, zLinux access is via the IBM Toolkit from a Windows desktop, so users are pretty sheltered from zLinux.

And no, in our case we don't have a single, central repository of userid/password for all systems; different departments have and manage their own. Separation of duties, or unnecessary duplicated effort? You decide. :-)

Cheers,
Donald Russell

On Wed, Feb 16, 2011 at 13:52, Marcy Cortes marcy.d.cor...@wellsfargo.com wrote:

> Well, being devil's advocate here... Why is it a cool thing to do? Doesn't it make more sense to use whatever every other Linux/unix box in your shop is using? All those other people may get cranky if you make them get a CMS id to login to Linux or to use a web app. Unless you have no Linux or Unix in your shop and only CMS and no other centralized directory...
>
> Marcy
>
> -----Original Message-----
> From: Linux on 390 Port [mailto:LINUX-390@vm.marist.edu] On Behalf Of Dave Jones
> Sent: Wednesday, February 16, 2011 1:38 PM
> To: LINUX-390@vm.marist.edu
> Subject: Re: [LINUX-390] PAM to authenticate using zVM userid/password
>
> Hi, Donald.
> Yeah, it's a cool thing to do, alright. Go with the LDAP-RACF approach Alan and others have mentioned already, if you're already running RACF. If you're not, there are other ways to get PAM on zLinux to authenticate against CMS user ids, and passwords. I can send you more information on how to do that, if you need it.
>
> Have a good one.
> DJ
>
> On 02/16/2011 02:53 PM, Donald Russell wrote:
> > Before I go off to investigate what it would take to write one... is there already a PAM module for zLinux that will accept a userid/password and authenticate it against the VM host it's running on?
> >
> > For example... I have zLinux (RHEL) running on lpar VMA. I also have a bunch of CMS users on VMA. I would like users to be defined on the zLinux system but let them use their current VMA/CMS userid/password to logon to zLinux.
> >
> > Seems like a cool thing to do. :-)
> >
> > Thanks,
> >
> > --
> > For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
> > --
> > For more information on Linux on System z, visit http://wiki.linuxvm.org/
>
> --
> Dave Jones
> V/Soft Software
> www.vsoft-software.com
> Houston, TX
> 281.578.7544
PAM to authenticate using zVM userid/password
Before I go off to investigate what it would take to write one... is there already a PAM module for zLinux that will accept a userid/password and authenticate it against the VM host it's running on?

For example... I have zLinux (RHEL) running on lpar VMA. I also have a bunch of CMS users on VMA. I would like users to be defined on the zLinux system but let them use their current VMA/CMS userid/password to logon to zLinux.

Seems like a cool thing to do. :-)

Thanks,
Re: PAM to authenticate using zVM userid/password
> Before I go off to investigate what it would take to write one... is there already a PAM module for zLinux that will accept a userid/password and authenticate it against the VM host it's running on?

I have one mostly complete, but it's not free. Without that, you can probably do it with the CMS LDAP server and the PAM LDAP auth module, although it's a royal PITA to get it set up.
Re: PAM to authenticate using zVM userid/password
On Wednesday, 02/16/2011 at 03:54 EST, Donald Russell russell@gmail.com wrote:

> Before I go off to investigate what it would take to write one... is there already a PAM module for zLinux that will accept a userid/password and authenticate it against the VM host it's running on?
>
> For example... I have zLinux (RHEL) running on lpar VMA. I also have a bunch of CMS users on VMA. I would like users to be defined on the zLinux system but let them use their current VMA/CMS userid/password to logon to zLinux.
>
> Seems like a cool thing to do. :-)

Yes, via LDAP. You will need to set up RACF and the VM LDAP server. Google it and you will find presentations from me, Rich Smrcina, and others on the subject. You will also find z/OS-related documents that talk about IBM Tivoli Directory Server (ITDS) and remote authentication via LDAP. Those docs are good, too. z/OS ITDS and the z/VM LDAP server are the same entity with the same configuration requirements.

You can even map their Linux user name to a different VM user ID.

Alan Altmark
z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott
Re: PAM to authenticate using zVM userid/password
Yes, using the LDAP support in z/VM, PAM can authenticate against RACF. See various articles in zJournal and doc in the z/VM library and Redbooks.

On 02/16/2011 02:53 PM, Donald Russell wrote:

> Before I go off to investigate what it would take to write one... is there already a PAM module for zLinux that will accept a userid/password and authenticate it against the VM host it's running on?
>
> For example... I have zLinux (RHEL) running on lpar VMA. I also have a bunch of CMS users on VMA. I would like users to be defined on the zLinux system but let them use their current VMA/CMS userid/password to logon to zLinux.
>
> Seems like a cool thing to do. :-)
>
> Thanks,

--
Rich Smrcina
Velocity Software, Inc.
http://www.velocitysoftware.com

Catch the WAVV! http://www.wavv.org
WAVV 2011 - April 15-19, 2011 Colorado Springs, CO
Re: PAM to authenticate using zVM userid/password
Hi, Donald.
Yeah, it's a cool thing to do, alright. Go with the LDAP-RACF approach Alan and others have mentioned already, if you're already running RACF. If you're not, there are other ways to get PAM on zLinux to authenticate against CMS user ids, and passwords. I can send you more information on how to do that, if you need it.

Have a good one.
DJ

On 02/16/2011 02:53 PM, Donald Russell wrote:

> Before I go off to investigate what it would take to write one... is there already a PAM module for zLinux that will accept a userid/password and authenticate it against the VM host it's running on?
>
> For example... I have zLinux (RHEL) running on lpar VMA. I also have a bunch of CMS users on VMA. I would like users to be defined on the zLinux system but let them use their current VMA/CMS userid/password to logon to zLinux.
>
> Seems like a cool thing to do. :-)
>
> Thanks,

--
Dave Jones
V/Soft Software
www.vsoft-software.com
Houston, TX
281.578.7544
Re: PAM to authenticate using zVM userid/password
Well, being devil's advocate here... Why is it a cool thing to do? Doesn't it make more sense to use whatever every other Linux/unix box in your shop is using? All those other people may get cranky if you make them get a CMS id to login to Linux or to use a web app. Unless you have no Linux or Unix in your shop and only CMS and no other centralized directory...

Marcy

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@vm.marist.edu] On Behalf Of Dave Jones
Sent: Wednesday, February 16, 2011 1:38 PM
To: LINUX-390@vm.marist.edu
Subject: Re: [LINUX-390] PAM to authenticate using zVM userid/password

Hi, Donald.
Yeah, it's a cool thing to do, alright. Go with the LDAP-RACF approach Alan and others have mentioned already, if you're already running RACF. If you're not, there are other ways to get PAM on zLinux to authenticate against CMS user ids, and passwords. I can send you more information on how to do that, if you need it.

Have a good one.
DJ

On 02/16/2011 02:53 PM, Donald Russell wrote:

> Before I go off to investigate what it would take to write one... is there already a PAM module for zLinux that will accept a userid/password and authenticate it against the VM host it's running on?
>
> For example... I have zLinux (RHEL) running on lpar VMA. I also have a bunch of CMS users on VMA. I would like users to be defined on the zLinux system but let them use their current VMA/CMS userid/password to logon to zLinux.
>
> Seems like a cool thing to do. :-)
>
> Thanks,

--
Dave Jones
V/Soft Software
www.vsoft-software.com
Houston, TX
281.578.7544
Re: PAM to authenticate using zVM userid/password
On Wednesday, 02/16/2011 at 04:53 EST, Marcy Cortes marcy.d.cor...@wellsfargo.com wrote:

> Why is it a cool thing to do? Doesn't it make more sense to use whatever every other Linux/unix box in your shop is using? All those other people may get cranky if you make them get a CMS id to login to Linux or to use a web app. Unless you have no Linux or Unix in your shop and only CMS and no other centralized directory...

Yeah, it's not about kewlness. It's most useful for those installations whose Linux admins are also z/OS or z/VM admins. While you can use the VM or MVS LDAP server to centralize authentication, you could also just use another Linux guest. And some like the fact that the LDAP server on VM and MVS is not the same implementation as on Linux (openLDAP). So a vuln in Linux does not imply a vuln in VM or MVS.

In this scenario it isn't necessary to give them a virtual machine; it's only necessary to have credentials in the ESM or LDAP. But you have to do more work in your provisioning system to ensure you don't unintentionally create a virtual machine that matches the user name.

But watch out. SFS allows you to enroll users that don't have a virtual machine. You can authenticate via FTP even if you don't have a virtual machine. Extra work is required to lock such remote-only users out of your VM or MVS resources.

It's also fair to ask why you would have an inboard directory server in the first place. I see it in some DR/failover-sensitive configurations that want to be able to operate without having to drag the corporate AD/LDAP infrastructure with it. The same reason people still use virtual routers on their Guest LANs with dynamic routing -- all self-contained.

Alan Altmark
z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott