On Wed, 7 Dec 2016 12:40:30 -0600, Kirk Wolf wrote:
>
>But:    starting in z/OS P.T. OpenSSH 1.3 (HOS1130), you *can* use ssh,
>sftp, scp from a 3270 OMVS shell - you just can't prompt the terminal for a
>password or passphrase since it is not a real tty and OpenSSH requires tty
>password masking.
> 
"real" tty!?  I used to use one of those, an ASR-33.

There's a flaw in the intended security wall, even earlier.  I can run "ssh"
under "script" from tn3270, and it will prompt for a password.  And fail
to mask it.  Apparently script creates a pty real enough for ssh.

Years ago, I submitted an SR about tcsetattr()'s apparent failure to mask
the tn3270 input line as it does on other species of pty.  IBM patched my
test case but (admittedly) left the underlying problem.  I suspect this is 
the root cause of the ssh prompt restriction.

This hole ought to be fixed properly.  It remains a pitfall for someone who
authors or ports a program which uses tcsetattr() to mask passwords;
tests it on a VT-100 session; and pronounces it good without verifying it
on tn3270.  "Don't do that!" is not sufficient guarantee of security.

--  gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
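
Added example, not part of the original message and not OpenSSH or IBM code: one way a program that masks passwords with tcsetattr() can fail closed, by reading the settings back with tcgetattr() and refusing to prompt when ECHO is still reported set. It assumes a POSIX termios environment, and read_secret is a hypothetical helper name; the post does not establish whether tn3270 reports its echo state accurately, so the read-back is a necessary check and not proof of masking on every terminal type.

```c
/* Added example (not from the original post): fail-closed secret prompt. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Prompt on fd and read one line into buf with echo off. Returns 0 on
 * success, -1 if fd is not a terminal, echo cannot be confirmed off, or
 * the read fails. Nothing is read unless echo is confirmed off. */
int read_secret(int fd, const char *prompt, char *buf, size_t len)
{
    struct termios saved, want, got;
    ssize_t n;

    if (len < 2 || !isatty(fd) || tcgetattr(fd, &saved) != 0)
        return -1;
    want = saved;
    want.c_lflag &= ~(tcflag_t)ECHO;
    if (tcsetattr(fd, TCSAFLUSH, &want) != 0)
        return -1;
    /* tcsetattr() returns 0 if ANY requested change was made, so read
     * the settings back instead of trusting the return value. */
    if (tcgetattr(fd, &got) != 0 || (got.c_lflag & ECHO)) {
        tcsetattr(fd, TCSAFLUSH, &saved);
        return -1;
    }
    n = write(fd, prompt, strlen(prompt));
    if (n >= 0)
        n = read(fd, buf, len - 1);
    tcsetattr(fd, TCSAFLUSH, &saved);    /* always restore the terminal */
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

int main(void)
{
    char pw[128];
    int fd = open("/dev/tty", O_RDWR);   /* controlling terminal, not stdin */

    if (fd < 0 || read_secret(fd, "Password: ", pw, sizeof pw) != 0) {
        fputs("cannot confirm echo is off; refusing to prompt\n", stderr);
        return 1;
    }
    return 0;
}
```

A port should still be exercised on each terminal type it will meet, tn3270 included, since the check only sees what the driver reports.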
