Hi Frank --

BT/DT and it works great.

I took the usual means of capturing the host key of the target: signed on as the service account and ran 'ssh' interactively. Ever after, the client would not be prompted, but it would fail if the key changed. (And that's the point.)

The client signed on using an SSH client key. Of course, I had to break a rule here and magically obviate the need for a pass phrase. (Dark magic. Not something we speak about in public.)

In this particular case, I ran it from /etc/inittab on a traditional Unix (Linux) system. That way when the session would die it would be restarted.

This hack used either -L or -R, I forget which, but established a TCP listener. All traffic was limited to local (which is the default), so no risk of someone off-box sending or seeing cleartext.

-- R; <><
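As an added example (not code from the thread or from either poster), here is a POSIX sh launcher for the kind of persistent `ssh -L` tunnel described above: host key pinned via a dedicated known_hosts file, no shell (`-N`), batch mode for the passphrase-less client key, and a refusal to start if the forward spec would bind to anything but loopback. The service user, target host, key path and known_hosts path are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. All names are assumptions.

# Return 0 only if the local listener of an -L spec is bound to loopback.
# ssh binds to loopback by default when no bind_address is given and
# GatewayPorts is off; an explicit "*" or 0.0.0.0 would expose cleartext.
forward_is_local() {
    spec=$1
    case $spec in
        *:*:*:*)                      # bind_address:port:host:hostport
            bind=${spec%%:*}
            case $bind in
                127.0.0.1|localhost) return 0 ;;
                *)                   return 1 ;;
            esac ;;
        *:*:*)  return 0 ;;           # port:host:hostport -> loopback
        *)      return 1 ;;           # not a forward spec at all
    esac
}

# Emit the hardened ssh command line, or fail if the spec is not local.
# StrictHostKeyChecking=yes: never prompt, fail hard on a changed key.
# BatchMode=yes: never prompt for a passphrase or password.
# ExitOnForwardFailure=yes: die (and get respawned) if the listener fails.
tunnel_cmd() {
    svc_user=$1; target=$2; spec=$3; key=$4; known=$5
    forward_is_local "$spec" || return 1
    printf '%s' "ssh -N -o BatchMode=yes -o StrictHostKeyChecking=yes \
-o UserKnownHostsFile=$known -o ExitOnForwardFailure=yes \
-o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
-i $key -L $spec $svc_user@$target"
}

# Respawn loop for systems without an inittab "respawn" entry (the reply
# above used inittab); a tunnel that is rejected as non-local never starts.
run_forever() {
    cmd=$(tunnel_cmd "$@") || return 1
    while :; do
        eval "$cmd"
        sleep 5
    done
}
```

Pre-seed the known_hosts file once with the target's key (as the reply describes, by a first interactive login as the service account), after which any change in that key makes the tunnel fail rather than silently reconnect.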




On 12/29/23 04:53, Colin Paice wrote:
Frank,
What do you have on the z/OS end? If the back end supports it, it can map
from a certificate to a userid.
See Using certificates to logon to z/OS
<https://colinpaice.blog/2023/03/28/using-certificates-to-logon-to-z-os/>
and What's the difference between RACDCERT MAP and RACMAP?
<https://colinpaice.blog/2020/07/28/whats-the-difference-between-racdcert-map-and-racmap/>
Colin

On Fri, 29 Dec 2023 at 06:27, Frank Swarbrick <frank.swarbr...@outlook.com>
wrote:

We're looking at using an SSH tunnel (or reverse tunnel) to encrypt a
connection where the application on the other end does not support TLS.
The POC looks to be working.  I am now pondering on the steps required to
make setting up the tunnel an automated process.  It seems to me that we'd
want the z/OS user to be a "protected" user
(NOPASSWORD/NOPHRASE/NOOIDCARD).  Would this require that we use SSH host
based authentication?  I imagine that the user would require an OMVS
segment.  I wonder if it would need a shell or home directory.  Any other
thoughts?

Thanks,
Frank


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
