In my case, the access through the 3270 console of Linux guests is safe.

I have incorporated password protection by the ESM, and additionally use
Operations Manager to access the consoles; the product also provides an
authentication mechanism to allow access to consoles. So only authorized
personnel can access them.

Using a console management tool is not only limited to sending commands to
the Linux guest; you can additionally detect command responses and take actions
based on these responses. That can range from a simple command to something
more complex, such as sending an email or a modification to the virtual machine
dynamically.

You could even send a script to Linux guests through the 3270 console.

In my case I use it for shutdown/startup of Linux applications from CMS.

Obviously this helps my case, but if you want to edit files on Linux or use
panels, that is not the solution.

Regards, and have a great day.

-- 
Victor Hugo Ochoa Avila
z/OS & z/VM systems programmer
Mexico City.



2011/7/22 Marcy Cortes <marcy.d.cor...@wellsfargo.com>

> It's not unprotected presuming you have a z/VM ESM password protecting your
> console access using authenticated users.
>
> It does work remotely too provided you have a vm operations type product.
>
> Of course send should be protected and the ID that is secondary should be
> restricted as well.
>
>
> Marcy. Sent from my BlackBerry.
>
>
> *From*: Scott Rohling [mailto:scott.rohl...@gmail.com]
> *Sent*: Friday, July 22, 2011 05:27 PM
>
> *To*: IBMVM@LISTSERV.UARK.EDU <IBMVM@LISTSERV.UARK.EDU>
> *Subject*: Re: [IBMVM] VM to zLinux Remote Execution
>
> On Fri, Jul 22, 2011 at 4:08 PM, Marcy Cortes <
> marcy.d.cor...@wellsfargo.com> wrote:
>
>> Another option would be a CP SEND command from a VM user that was SECUSER
>> to the Linux console.  You have to alter /etc/inittab to have root logged in
>> at boot.
>
>
> It makes security auditors drool and convulse if you do that..  an open
> console with root access.   So anyone with SEND priv can be root.  <gasp>
> REXEC at least does authentication (unencrypted though it may be)
>
> This 'is' a nice simple way to talk to a local Linux from CMS in a pinch
> though..  you will need an EXEC to do the CP SEND so that Address Command
> can be used and not have it all uppercased.   (and set secuser or observer
> to see the output).  I've done this on occasion to diagnose or fix network
> issues when we can't get in via ssh.   But I normally 'login' using the same
> method (send root - send password -- which glows like a theatre marquee on
> your own console) - rather than have root logged in automatically.   Then
> start sending commands -- then finish with 'exit'.   You also need to know
> the root (or other user) password though, which you don't if root is
> automatically logged in.
>
> This also (obviously) does not work 'remote' --  only when on the same
> lpar.
>
> I think I've used up my parentheses quota..
>
> Scott Rohling
>
>
>>
>>
>>
>>
>> Marcy.  Sent from my BlackBerry.
>>
>>
>> ----- Original Message -----
>> From: Davis, Larry (National VM/VSE Capability) [mailto:
>> larry.dav...@hp.com]
>> Sent: Friday, July 22, 2011 04:36 PM
>> To: IBMVM@LISTSERV.UARK.EDU <IBMVM@LISTSERV.UARK.EDU>
>> Subject: Re: [IBMVM] VM to zLinux Remote Execution
>>
>> Glad to hear
>>
>>
>> Larry Davis
>>
>>
>> -----Original Message-----
>> From: The IBM z/VM Operating System [mailto:IBMVM@LISTSERV.UARK.EDU] On
>> Behalf Of Tom Duerbusch
>> Sent: Friday, July 22, 2011 5:26 PM
>> To: IBMVM@LISTSERV.UARK.EDU
>> Subject: Re: VM to zLinux Remote Execution
>>
>> How about that.  It is there, just like you said.
>> I kept looking for REXEC(D) in the Network Service Configuration panel.
>> Then opening port 512 in the firewall of the Linux machine.
>>
>> And then adding the client machine (VM) to HOSTNAMES on Linux solved the
>> security problem.
>>
>> However, I didn't have to install anything.  tcpd was already there in
>> SLES 11 SP 1.  But that could have been due to the "patterns" I selected at
>> install time.
>>
>> So everything is working fine....for now.
>>
>> Thanks
>>
>> Tom Duerbusch
>> THD Consulting
>>
>> >>> "Davis, Larry (National VM/VSE Capability)" <larry.dav...@hp.com>
>> 7/22/2011 1:07 PM >>>
>> The service is called "exec" in xinetd and it is located in /usr/sbin/tcpd
>> I had to install it from the repository it was not there by default.
>> Try looking for exec or tcpd in the repository
>>
>> Larry Davis
>>
>>
>> -----Original Message-----
>> From: The IBM z/VM Operating System [mailto:IBMVM@LISTSERV.UARK.EDU] On
>> Behalf Of Tom Duerbusch
>> Sent: Friday, July 22, 2011 2:02 PM
>> To: IBMVM@LISTSERV.UARK.EDU
>> Subject: Re: VM to zLinux Remote Execution
>>
>> I've searched for the basic REXEC daemon for zSeries SLES 11, but I
>> couldn't find anything.  I could have been looking in the wrong place.
>>
>> Tom Duerbusch
>> THD Consulting
>>
>> >>> "Davis, Larry (National VM/VSE Capability)" <larry.dav...@hp.com>
>> 7/22/2011 12:34 PM >>>
>> REXEC is available in Linux but you will get Auditors screaming about it.
>> We got a waiver at our site.
>> You can use IPTABLES to restrict REXEC access from/to certain systems.
>>
>> Larry Davis
>>
>>
>> -----Original Message-----
>> From: The IBM z/VM Operating System [mailto:IBMVM@LISTSERV.UARK.EDU] On
>> Behalf Of Tom Duerbusch
>> Sent: Friday, July 22, 2011 1:32 PM
>> To: IBMVM@LISTSERV.UARK.EDU
>> Subject: VM to zLinux Remote Execution
>>
>> I'm trying to remotely execute a command with CMS as the client and SLES
>> 11 SP 1 as the server.
>>
>> All documentation I've found so far, shows how to do it from Linux to VM.
>>
>> Apparently the problem is, TCPIP for VM only has the unsecured REXEC
>> client and SLES 11 only has a secured sshd.
>>
>> I've searched the VM download page for a ssh client.
>> I've done some Linux searches for how to dumb down sshd (i.e. to allow
>> unsecured transfers).
>>
>> Of course, there might be program products available, but unless they
>> would be zero cost products, it's not going to happen in the short term.
>>
>> Thanks for any help
>>
>> Tom Duerbusch
>> THD Consulting
>> (Still on z/VM 5.2)
>>
>
>
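Larry's advice above (restrict REXEC with IPTABLES) and Tom's setup (xinetd "exec" service via tcpd, port 512, client host added to the hosts list) together describe a hardening procedure. The script below is an added example, not code from anyone in this thread: it stages the xinetd stanza, tcp_wrappers entries and firewall rules that admit only the z/VM TCPIP stack. VM_IP (a constructed address) and the STAGE prefix are assumptions; on a real SLES host STAGE would be the root filesystem and the iptables lines would be applied rather than printed.

```shell
#!/bin/sh
# Added example (not from the thread): stage a restricted REXEC (xinetd "exec", tcp/512)
# configuration that admits only the z/VM TCPIP stack.
VM_IP="${VM_IP:-192.0.2.10}"      # constructed placeholder for the z/VM TCPIP address
STAGE="${STAGE:-$(mktemp -d)}"    # staging prefix so the script runs without root

# Write $STAGE/etc/xinetd.d/exec with only_from limiting clients to VM_IP,
# plus tcp_wrappers allow/deny entries for in.rexecd.
write_rexec_config() {
    mkdir -p "$STAGE/etc/xinetd.d"
    cat > "$STAGE/etc/xinetd.d/exec" <<EOF
service exec
{
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/tcpd
    server_args     = /usr/sbin/in.rexecd
    only_from       = $VM_IP
    log_on_success  += HOST USERID
    log_on_failure  += HOST USERID
    disable         = no
}
EOF
    printf 'in.rexecd: %s\n' "$VM_IP" > "$STAGE/etc/hosts.allow"
    printf 'in.rexecd: ALL\n'         > "$STAGE/etc/hosts.deny"
}

# Audit check: returns 0 when the stanza in file $1 carries a non-empty only_from,
# 1 when the service is open to any client (the case auditors object to).
rexec_is_restricted() {
    grep -Eq '^[[:space:]]*only_from[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}

# iptables rules (printed, not applied): accept REXEC from VM_IP, drop the rest.
rexec_firewall_rules() {
    printf 'iptables -A INPUT -p tcp --dport 512 -s %s -j ACCEPT\n' "$VM_IP"
    printf 'iptables -A INPUT -p tcp --dport 512 -j DROP\n'
}

write_rexec_config
rexec_is_restricted "$STAGE/etc/xinetd.d/exec" && echo "exec service restricted to $VM_IP"
rexec_firewall_rules
```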
