On the whole of it, I would tend to agree, Mark. So I double checked things and they looked OK.
Just to be clear on where I stood, I started over on the z/OS side with the key stuff. I cleaned up /u/{userid}/.ssh - empty. I cleaned up /etc/ssh except for the config files. I cleaned up and deleted /.ssh (more on that momentarily). I created a new rsa1 key for my user ID, put the public key into the authorized key file for the same user ID on the target Linux.

The odd thing is that the creation process shows this fingerprint:

1024 a7:f2:20:71:9a:a9:75:bc:b2:c0:77:56:c4:ea:44:4c [EMAIL PROTECTED]

showing not my ID, but the RACFID associated with the first instance of UID 0. For whatever reason, my ID in USS has UID 0 set for it. I disagree with this, but that's the way it is. I am in the process of requesting another ID as I think this has direct bearing on the issue.

I also created /.ssh and copied the /home/{userid}/.ssh/authorized_keys file to /.ssh on the target Linux.

When I ran the batch job, after deleting everything in the /.ssh directory on z/OS, and scratching the .ssh dir completely, the batch job re-created the .ssh directory, and created a known_hosts file and a prng_seed file, generating this slightly different message:

FSUM1006 A shell was not specified. Processing continues using the default shell name.
Warning: Permanently added the RSA host key for IP address '137.70.100.32' to the list of known hosts.
FOTS1373 Permission denied (publickey,keyboard-interactive).

The target Linux machine is already set up to do a password check for SSH logon against RACF LDAP. When I changed the batch job to use IBMUSER as the ID instead of my ID I did get a confirmed call to RACF LDAP in the log. That is the first thing the PAM module is configured to do - make the RACF LDAP call. I don't know if this is interfering or contributing to the murkiness of this issue.

I can get this to work Linux to Linux just fine, and I am clearly communicating to the Linux from z/OS because I see the attempts.
It's figuring out what conversation is/needs to take place where I am stuck. If anyone has further insight into this, I am absolutely receptive.

-J

"Post, Mark K" <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port <LINUX-390@VM.MARIST.EDU>
02/12/2006 04:40 PM
Please respond to Linux on 390 Port <LINUX-390@VM.MARIST.EDU>
To: LINUX-390@VM.MARIST.EDU
cc:
Subject: Re: Attempting to get ported tools SSH to talk to a SLES 9 image on z.

I would agree with Dave that you need to generate a key pair on the z/OS system, and copy the public key to the ~/.ssh/authorized_keys file (create it if it does not exist) on the target system.

Mark Post

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of James Melin
Sent: Thursday, February 09, 2006 4:48 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Attempting to get ported tools SSH to talk to a SLES 9 image on z.

I have beaten it into submission on the z/OS side - I now get:

FSUM1006 A shell was not specified. Processing continues using the default shell name.
Warning: Permanently added the RSA host key for IP address '137.70.100.15' to the list of known hosts.
FOTS1373 Permission denied (publickey,keyboard-interactive).

So clearly, the system generated RSA key is being recognized. When I look at the Linux logs, I see this in 'warn':

Feb 9 15:12:44 vadnais sshd[23215]: error: PAM: Authentication failure for sytest from owl0.co.{supressed}
Feb 9 15:12:45 vadnais last message repeated 2 times

So it is reaching the target Linux, clearly, and failing there.
My PAM module was modified to allow for PAM authentication against RACFLDAP and looks like this:

#%PAM-1.0
auth required pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_env.so
auth required pam_unix2.so use_first_pass
account sufficient pam_ldap.so
account required pam_unix2.so
account required pam_nologin.so
password sufficient pam_ldap.so
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so none # trace or debug
session required pam_limits.so
# Enable the following line to get resmgr support for
# SSH sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
#session optional pam_resmgr.so fake_ttyname

Is there something that I am missing here? What do I need to change to enable the SSH from z/OS to Linux to work and still have SSH authentication from things like PuTTY work OK?

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390