On Monday, 04/28/2008 at 05:05 EDT, "McKown, John" 
<[EMAIL PROTECTED]> wrote:
> Why? What is wrong with OpenSSH?

Trick question.  :-)  There is nothing wrong with OpenSSH.

But remember that in a VM system, we're talking about virtual machines, 
not processes.  There is no hierarchy of virtual machines.  No 
parent-child or sibling connection, no fork()/exec(), no inheritance of 
files or file descriptors or sockets.  The ssh daemon runs in a virtual 
machine that is NOT the end user's virtual machine.  The daemon can listen 
for ssh connections, encrypt the session, and even challenge the user for 
a userid and password.  ssh requires implementation of public/private key 
pairs, too.  Troublesome, but not impossible to solve as long as I have a 
central place for all users' public/private keypairs.

<lightning flashes> Done.  I have an ssh interactive session.  I have 
created an LDEV (logical 3270 device) and logged you onto it.  I am now 
getting 3270 traffic from CP.  Drats.  This session is really intended for 
native ASCII. OK, forget the LDEV.  I'll use (horror!) *CCS and create a 
linemode session instead, with all the EBCDIC traffic converted to ASCII 
and some sort of control characters (should I use VT220?) thrown in.  Now 
you want to use x3270.  Drats.  I'm in line mode.  Not to mention the 
block vs. character mode difference.  The guest doesn't see a file 
descriptor to write stdout and stderr, and read from stdin.  It sees a 
virtual 3215 or 3270.

But, ok, let's wave our hands and move past it.  <another flash of 
lightning> You have a terminal session.  You enter "scp".  It wants to use 
the ssh tunnel.  R'uh r'oh!  What tunnel?  The tunnel isn't in YOUR 
virtual machine.  There is no socket available to you that represents the 
tunnel.  "Drats, drats, and double drats," said Dick Dastardly to Penelope 
Pitstop.  (I can hear his dog, Muttley, laughing.)

The ssh clients are relatively easy since those connections DO originate 
in the user's virtual machine.  You would have to tell the remote system 
that your console is "dumb" so that it will just run in easy-to-translate 
line mode.  No VT.  No character mode.

All of this jabbering to illustrate three things:
1. That OpenSSH isn't the problem.  Rather, the basic assumption of the 
ssh protocol, that the target user process has access to the ssh tunnel, 
doesn't mesh with how consoles are handled in VM.

2. I understand the seductive desire for ssh, reinforced by misguided or 
misinformed security "experts".

3. We *have* given it some considerable thought.

OK, four things:
4. All that thinking makes my head hurt.

Alan Altmark
z/VM Development
IBM Endicott
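The process-model assumption the message turns on, as an added example that is not part of the original post: a daemon process that owns a connection starts the user's program either with the connection's descriptor passed down (the fork()/exec() model sshd relies on) or with nothing from the daemon (the VM situation Alan describes, where the daemon's tunnel simply does not exist in the user's machine). The child program, the descriptor check and the exit codes are constructed for this example and are not from any real ssh implementation.

```python
import os
import socket
import subprocess
import sys

# Child program (constructed for this example). It is handed a file-descriptor
# number and reports whether that descriptor is a usable socket, i.e. whether
# the daemon's "tunnel" is reachable from inside the user's process.
CHILD = r"""
import os, socket, stat, sys
fd = int(sys.argv[1])
try:
    st = os.fstat(fd)
except OSError:
    sys.exit(2)                      # EBADF: the descriptor does not exist here
if not stat.S_ISSOCK(st.st_mode):
    sys.exit(3)                      # the number was reused for something else
s = socket.socket(fileno=fd)         # adopt the inherited connection
s.sendall(b"hello over the inherited tunnel")
s.close()
sys.exit(0)
"""


def run_session(inherit: bool) -> dict:
    """Emulate a daemon that owns a connection and starts the user's process.

    inherit=True  : process model; the descriptor is passed to the child,
                    as a forking ssh daemon does for the user's shell.
    inherit=False : VM model; the user's "machine" is started with none of
                    the daemon's descriptors, so the tunnel is unreachable.
    Returns the child's exit status and whatever the daemon received back.
    """
    daemon_end, user_end = socket.socketpair()
    fd = user_end.fileno()
    proc = subprocess.run(
        [sys.executable, "-c", CHILD, str(fd)],
        pass_fds=(fd,) if inherit else (),   # pass_fds keeps the same number
        close_fds=True,                      # everything else is closed
        timeout=10,
    )
    user_end.close()                         # daemon drops its copy
    daemon_end.settimeout(2)                 # guard; EOF is expected otherwise
    try:
        data = daemon_end.recv(1024)
    except socket.timeout:
        data = b""
    daemon_end.close()
    return {"exit": proc.returncode, "received": data}


if __name__ == "__main__":
    print("process model (descriptor inherited):", run_session(inherit=True))
    print("VM model (nothing inherited):        ", run_session(inherit=False))
```

With inheritance the child adopts the socket and its message arrives at the daemon; without it the child gets EBADF and the daemon sees only end-of-file, which is the gap Alan's "what tunnel?" points at. The example needs a POSIX platform, since pass_fds is not available on Windows.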
