On the whole of it, I would tend to agree, Mark. So I double checked things and 
they looked OK.

Just to be clear on where I stood I started over on the z/OS side with the key 
stuff.

I cleaned up /u/{userid}/.ssh - empty.
I cleaned up /etc/ssh except for the config files.
I cleaned up and deleted /.ssh (more on that momentarily)

I created a new rsa1 key for my user ID, put the public key into the authorized 
key file for the same user ID on the target Linux.

The odd thing is that the creation process shows this fingerprint:

1024 a7:f2:20:71:9a:a9:75:bc:b2:c0:77:56:c4:ea:44:4c [EMAIL PROTECTED] -
showing not my ID, but the RACFID associated with the first instance of UID 0.
For whatever reason, my ID in USS has UID 0 set for it. I disagree with this, but
that's the way it is. I am in the process of requesting another ID as I
think this has direct bearing on the issue.

I also created /.ssh and copied the /home/{userid}/.ssh/authorized_keys file to 
/.ssh on the target Linux.

When I ran the batch job, after deleting everything in the /.ssh directory on 
z/OS, and scratching the .ssh dir completely,  the batch job re-created
the .ssh directory, and created a known_hosts file and a prng_seed file, 
generating this slightly different message:

FSUM1006 A shell was not specified. Processing continues using the default 
shell name.
Warning: Permanently added the RSA host key for IP address '137.70.100.32' to 
the list of known hosts.
FOTS1373 Permission denied (publickey,keyboard-interactive).

The target Linux machine is already set up to do a password check for SSH logon 
against RACF LDAP. When I changed the batch job to use IBMUSER as the
ID instead of my ID I did get a confirmed call to RACF LDAP in the log.  That 
is the first thing the PAM module is configured to do - make the RACF
LDAP call.  I don't know if this is interfering or contributing to the 
murkiness of this issue.

I can get this to work Linux to Linux just fine, and I am clearly communicating 
to the Linux from z/OS because I see the attempts. It's figuring out
what conversation is/needs to take place where I am stuck.

If anyone has further insight into this, I am absolutely receptive.

-J




             "Post, Mark K" <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port <LINUX-390@VM.MARIST.EDU>
02/12/2006 04:40 PM
Please respond to: Linux on 390 Port <LINUX-390@VM.MARIST.EDU>
To: LINUX-390@VM.MARIST.EDU
cc:
Subject: Re: Attempting to get ported tools SSH to talk to a SLES 9 image on z.

I would agree with Dave that you need to generate a key pair on the z/OS
system, and copy the public key to the ~/.ssh/authorized_keys file
(create it if it does not exist) on the target system.


Mark Post

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
James Melin
Sent: Thursday, February 09, 2006 4:48 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Attempting to get ported tools SSH to talk to a SLES 9
image on z.


I have beaten it into submission on the z/OS side - I now get:

FSUM1006 A shell was not specified. Processing continues using the
default shell name.
Warning: Permanently added the RSA host key for IP address
'137.70.100.15' to the list of known hosts.
FOTS1373 Permission denied (publickey,keyboard-interactive).

So clearly, the system generated RSA key is being recognized.

When I look at the Linux logs, I see this in 'warn'

Feb  9 15:12:44 vadnais sshd[23215]: error: PAM: Authentication failure
for sytest from owl0.co.{supressed}
Feb  9 15:12:45 vadnais last message repeated 2 times

So it is reaching the target linux, clearly, and failing there.

My pam module was modified to allow for PAM authentication against
RACFLDAP and looks like this:

#%PAM-1.0
auth     required       pam_nologin.so
auth     sufficient     pam_ldap.so
auth     required       pam_env.so
auth     required       pam_unix2.so use_first_pass
account  sufficient     pam_ldap.so
account  required       pam_unix2.so
account  required       pam_nologin.so
password sufficient     pam_ldap.so
password required       pam_pwcheck.so
password required       pam_unix2.so    use_first_pass use_authtok
session  required       pam_unix2.so    none # trace or debug
session  required       pam_limits.so
# Enable the following line to get resmgr support for
# SSH sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
#session  optional      pam_resmgr.so fake_ttyname

Is there something that I am missing here? What do I need to change to
enable the SSH from z/OS to Linux to work and still have ssh authentication
from things like putty work ok?

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
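
Added example, not part of any poster's message: a check for the target Linux side of the setup described in the thread. It classifies each authorized_keys entry as protocol 1 RSA format (what an rsa1 key pair produces) or protocol 2 format, and reports the ownership and mode problems that sshd's StrictModes rejects. The sample entries are constructed, and the function names are hypothetical.

```python
import base64, os, stat, struct

def classify_entry(line):
    """Classify one authorized_keys line: 'blank', 'ssh1-rsa', 'ssh2:<type>' or 'malformed'.
    Simplification: option values containing spaces are not parsed."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return "blank"
    for i, f in enumerate(fields):
        rest = fields[i:]
        if f.isdigit():
            # Protocol 1 RSA entry: "<bits> <exponent> <modulus> [comment]", all decimal.
            ok = len(rest) >= 3 and rest[1].isdigit() and rest[2].isdigit()
            return "ssh1-rsa" if ok else "malformed"
        if f.startswith("ssh-"):
            # Protocol 2 entry: "<keytype> <base64 blob> [comment]"; the blob starts
            # with a length-prefixed copy of the key type.
            try:
                blob = base64.b64decode(rest[1], validate=True)
                (n,) = struct.unpack(">I", blob[:4])
                if blob[4:4 + n].decode("ascii") == f:
                    return "ssh2:" + f
            except (IndexError, ValueError, struct.error):
                pass
            return "malformed"
    return "malformed"

def strictmodes_problems(paths, uid):
    """Report what sshd's StrictModes objects to: wrong owner, or group/other write bits."""
    problems = []
    for p in paths:
        st = os.stat(p)
        if st.st_uid not in (0, uid):
            problems.append(f"{p}: owned by uid {st.st_uid}, expected {uid} or 0")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{p}: mode {stat.S_IMODE(st.st_mode):04o} is group/other writable")
    return problems

# Constructed sample entries (not real keys).
SAMPLE_V1 = "1024 35 1234567890123456789012345 user@zos"
SAMPLE_V2 = "ssh-rsa " + base64.b64encode(
    struct.pack(">I", 7) + b"ssh-rsa" + bytes(8)).decode() + " user@zos"

if __name__ == "__main__":
    for entry in (SAMPLE_V1, SAMPLE_V2, "ssh-rsa not*base64 user@zos"):
        print(classify_entry(entry), "<-", entry[:40])
    home = os.path.expanduser("~")
    ssh_dir = os.path.join(home, ".ssh")
    paths = [p for p in (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys"))
             if os.path.exists(p)]
    print(strictmodes_problems(paths, os.getuid()) or "no StrictModes problems found")
```

Run as the account being logged in to; for an account that shares UID 0, pass the home directory that sshd actually resolves for that UID.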
