On Fri, Mar 12, 2010 at 9:52 AM, Hayim Sokolsky <[email protected]> wrote:

> A few points here...
>
> The ICSF STC is not the API itself. It is the I/O server that reads and
> writes to the PKDS and CKDS.
> Use of the ICSF APIs can be allowed or disallowed by RACF (and Top Secret
> and ACF/2).
> - You didn't say if the CSFSERV class was active or inactive in your
> security product.
> - You didn't say if the CSFSERV CSFRNG (Random number generate) was
> permitted.
>
> But in any case, the Open_SSH ported tool - was not coded to interface
> with ICSF, as far as I know.
>
> Hayim
Hayim,

While you are correct - OpenSSH doesn't use ICSF APIs directly, it *does* use /dev/random (z/OS 1.7 and later) to get a secure random number, which is critical to the secure cryptography that it does (in software, using OpenSSL).

If your SSHD job and SSH client jobs have read access to /dev/random, then they will be *much* faster to start. The fallback is to use the "ssh-rand-helper" program, which is very slow, expensive and *not* very secure.

To use /dev/random under z/OS, the userid must have access to certain ICSF SAF profiles (CSFSERV CSFRNG). It's all documented in the Ported Tools User Guide, you just have to RTM.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

PS> It's a pity that it is such a hassle on z/OS to provide a /dev/random device to *all* users, all the time. Modern *nix operating systems all have a software-implemented /dev/random device that uses a widely accepted algorithm to provide secure random entropy. Good random entropy is the key to secure crypto, and to require crypto coprocessors on z/OS is B.S.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
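As an added check, not code from this thread or from Dovetailed Technologies: a small POSIX shell script that tests, as the current userid, whether /dev/random is readable and actually yields bytes (the condition Kirk says makes sshd/ssh start fast) and whether the slow ssh-rand-helper fallback sits beside ssh. The helper location next to the ssh binary is an assumption, and the script is generic sh, not z/OS-specific.

```shell
#!/bin/sh
# Added check, not part of the original thread. On z/OS an "unreadable" or
# "empty" result for /dev/random usually points at the userid lacking READ
# access to the CSFSERV CSFRNG profile described in the mail above.
# Assumptions: POSIX sh with dd(1) and wc(1); the fallback helper is assumed
# (hypothetically) to live in the same directory as the ssh binary.

# rng_check DEVICE NBYTES -> prints one of: ok | unreadable | empty | short
# Exit status: 0 ok, 1 unreadable, 2 empty, 3 short.
rng_check() {
    dev=${1:-/dev/random}
    want=${2:-32}
    # Permission check first: on z/OS this is where a missing SAF permit shows up.
    if [ ! -r "$dev" ]; then
        echo unreadable
        return 1
    fi
    # Read exactly NBYTES bytes; a device that blocks or fails returns fewer.
    got=$(dd if="$dev" bs=1 count="$want" 2>/dev/null | wc -c | tr -d ' ')
    if [ "$got" -eq 0 ]; then
        echo empty
        return 2
    elif [ "$got" -lt "$want" ]; then
        echo short
        return 3
    fi
    echo ok
    return 0
}

# fallback_present -> prints "present" if ssh-rand-helper is executable next
# to ssh (so the slow fallback from the mail could be used), else "absent".
fallback_present() {
    sshbin=$(command -v ssh 2>/dev/null) || { echo absent; return 1; }
    helper="$(dirname "$sshbin")/ssh-rand-helper"   # assumed location
    if [ -x "$helper" ]; then
        echo present
        return 0
    fi
    echo absent
    return 1
}
```

Run it under the same userid as the SSHD started task or the ssh client job (for example `rng_check /dev/random 32; fallback_present`), since the SAF check is per userid.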

