Re: SSH & ICSF is not working
Hi to all,

I tried the "head /dev/random | od -x"; it returns me something like this:

    00 ... ... 004220 004240

I changed the hex values to .

On the other side, this is the same user I use in the batch job, but the debug tells me it is using the helper instead of ICSF.

Regards,
Enrique.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: SSH & ICSF is not working
On Fri, Mar 12, 2010 at 10:55 AM, Paul Gilmartin wrote:
> On Fri, 12 Mar 2010 10:52:33 -0500, Hayim Sokolsky wrote:
>>
>> But in any case, the Open_SSH ported tool - was not coded to interface
>> with ICSF, as far as I know.
>>
> Except through /dev/random?  A quick validity check might be:
>
>     head /dev/random | od -x
>
> -- gil
>

Exactly! (but use the same userid as the batch job to ensure that the SAF permissions are identical)

Kirk Wolf
Dovetailed Technologies
http://dovetail.com
Re: SSH & ICSF is not working
On Fri, 12 Mar 2010 10:52:33 -0500, Hayim Sokolsky wrote:
>
> But in any case, the Open_SSH ported tool - was not coded to interface
> with ICSF, as far as I know.
>
Except through /dev/random?  A quick validity check might be:

    head /dev/random | od -x

-- gil
Re: SSH & ICSF is not working
On Fri, Mar 12, 2010 at 9:52 AM, Hayim Sokolsky wrote:
> A few points here...
>
> The ICSF STC is not the API itself. It is the I/O server that reads and
> writes to the PKDS and CKDS.
> Use of the ICSF APIs can be allowed or disallowed by RACF (and Top Secret
> and ACF/2).
> - You didn't say if the CSFSERV class was active or inactive in your
> security product.
> - You didn't say if the CSFSERV CSFRNG (Random number generate) was
> permitted.
>
> But in any case, the Open_SSH ported tool - was not coded to interface
> with ICSF, as far as I know.
>
> Hayim

Hayim,

While you are correct - OpenSSH doesn't use ICSF APIs directly, it *does* use /dev/random (z/OS 1.7 and later) to get a secure random number, which is critical to the secure cryptography that it does (in software, using OpenSSL). If your SSHD job and SSH client jobs have read access to /dev/random, then they will be *much* faster to start. The fallback is to use the "ssh-rand-helper" program, which is very slow, expensive and *not* very secure.

To use /dev/random under z/OS, the userid must have access to certain ICSF SAF profiles (CSFSERV CSFRNG). It's all documented in the Ported Tools User Guide, you just have to RTM.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

PS> It's a pity that it is such a hassle on z/OS to provide a /dev/random device to *all* users, all the time. Modern *nix operating systems all have a software implemented /dev/random device that uses a widely accepted algorithm to provide secure random entropy. Good random entropy is the key to secure crypto, and to require crypto coprocessors on z/OS is B.S.
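As an added example (not from the thread, and not IBM's or Dovetail's code), here is a POSIX shell script that packages Gil's validity check and Kirk's explanation above: it tests whether the running userid can actually read /dev/random, and classifies an `ssh -vvv` log by where the PRNG was seeded from. The "RNG is ready, skipping seeding" line it looks for is an assumption about OpenSSH 3.x's debug output, and the two sample logs are constructed from the output quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread, nor IBM's Ported Tools code). Run under the
# batch job's userid, e.g. via BPXBATCH, to see whether OpenSSH on z/OS will get
# its seed from /dev/random or fall back to ssh-rand-helper.
# Assumption: OpenSSH 3.x logs "RNG is ready, skipping seeding" when OpenSSL is
# already seeded (on z/OS, from /dev/random) and "Seeding PRNG from <helper>"
# when it has to spawn the helper.

# random_readable DEVICE -> "yes" if this userid can read 16 bytes from DEVICE,
# else "no". On z/OS a "no" for /dev/random usually means the userid lacks READ
# on the CSFSERV CSFRNG profile (or the CSFSERV class is not active).
random_readable() {
    n=$(dd if="$1" bs=1 count=16 2>/dev/null | wc -c | tr -d ' ')
    [ "${n:-0}" -ge 16 ] && echo yes || echo no
}

# prng_source LOGTEXT -> "device", "helper" or "unknown", given ssh -vvv output
# (ssh writes the debug lines to stderr; capture them with 2>&1).
prng_source() {
    if printf '%s\n' "$1" | grep -q 'RNG is ready, skipping seeding'; then
        echo device
    elif printf '%s\n' "$1" | grep -q 'Seeding PRNG from .*ssh-rand-helper'; then
        echo helper
    else
        echo unknown
    fi
}

# Constructed sample logs, modelled on the debug output quoted in the thread.
SAMPLE_HELPER="OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /u/myuserid/.ssh/config
debug3: Seeding PRNG from /usr/lib/ssh/ssh-rand-helper
(rand child) Couldn't exec '/usr/lib/ssh/ssh-rand-helper': EDC5129I No such file
ssh-rand-helper child produced insufficient data"
SAMPLE_DEVICE="OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug3: RNG is ready, skipping seeding
debug1: Reading configuration data /u/myuserid/.ssh/config"

# report -> one line per check; the userid line is what to compare against the
# batch job, since SAF permissions are granted per userid.
report() {
    echo "userid: $(id -un 2>/dev/null || echo unknown)"
    echo "/dev/random readable: $(random_readable /dev/random)"
    echo "sample helper log: $(prng_source "$SAMPLE_HELPER")"
    echo "sample device log: $(prng_source "$SAMPLE_DEVICE")"
}

case "${1:-}" in --report) report ;; esac
```

Invoke it as `sh check-rng.sh --report` from the same userid the batch job runs under; a "no" on the /dev/random line is the SAF problem Kirk describes, independent of whether the ICSF STC is up.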
Re: SSH & ICSF is not working
A few points here...

The ICSF STC is not the API itself. It is the I/O server that reads and writes to the PKDS and CKDS.
Use of the ICSF APIs can be allowed or disallowed by RACF (and Top Secret and ACF/2).
- You didn't say if the CSFSERV class was active or inactive in your security product.
- You didn't say if the CSFSERV CSFRNG (Random number generate) was permitted.

But in any case, the Open_SSH ported tool - was not coded to interface with ICSF, as far as I know.

Hayim
_
Hayim Sokolsky, CISSP
Mainframe Security Architect
DTCC Corporate Information Security
18301 Bermuda Green Dr, MS 1-CIS
Tampa FL 33647-1760
Tel. (813) 470-2177


"MONTERO ROMERO, ENRIQUE ELOI"
Sent by: IBM Mainframe Discussion List
2010.03.12 09:04
Please respond to IBM Mainframe Discussion List

To: IBM-MAIN@bama.ua.edu
cc:
Subject: SSH & ICSF is not working

Hi to all,

We have the ICSF running as an STC in our environment.
===> CSFM400I CRYPTOGRAPHY - SERVICES ARE NOW AVAILABLE.

I am trying to SSH against a linux server in BATCH.

    //SSHCOMM EXEC PGM=BPXBATCH,
    //  PARM=('SH /ZOSAA/bin/ssh -vvv r...@xxx.xxx.xxx.xxx ls')

But I am getting this message:

    OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
    debug1: Reading configuration data /u/myuserid/.ssh/config
    debug1: Applying options for *
    debug3: Seeding PRNG from /usr/lib/ssh/ssh-rand-helper
    (rand child) Couldn't exec '/usr/lib/ssh/ssh-rand-helper': EDC5129I No such file
    ssh-rand-helper child produced insufficient data

On the other side,

/ZOSAA/usr/lib/ssh/ is a link to /usr/lib/ssh/

    lrwxrwxrwx   1 xxx   12 May 30  2008 usr -> $VERSION/usr

    MYUSRXX:/: >cd /usr/lib/ssh
    MYUSRXX:/ZOSAA/usr/lib/ssh: >ls -l
    total 12992
    drwxr-xr-x   2 XXX  XXX     8192 Oct 30 11:41 IBM
    -rwxr-xr-x   2 XXX  XXX   372736 Oct 30 11:41 sftp-server
    -rwxr-xr-x   2 XXX  XXX  2748416 Oct 30 11:40 ssh-askpass
    -rwsr-xr-x   2 XXX  XXX  2658304 Oct 30 11:41 ssh-keysign
    -rwxr-xr-x   2 XXX  XXX   864256 Oct 30 11:41 ssh-rand-helper
    MYUSRXX:/ZOSAA/usr/lib/ssh: >

Why, if ICSF is running, am I still getting the ssh-rand-helper instead of ICSF?

Best regards, and happy weekend.
Enrique Montero
Re: SSH & ICSF is not working
Read the FAQ in the IBM Ported Tools for z/OS User's Guide on setting up ICSF and /dev/random.

On Fri, Mar 12, 2010 at 8:04 AM, MONTERO ROMERO, ENRIQUE ELOI wrote:
> Hi to all,
>
> We have the ICSF running as an STC in our environment.
> ===> CSFM400I CRYPTOGRAPHY - SERVICES ARE NOW AVAILABLE.
>
> I am trying to SSH against a linux server in BATCH.
>
> //SSHCOMM EXEC PGM=BPXBATCH,
> //  PARM=('SH /ZOSAA/bin/ssh -vvv r...@xxx.xxx.xxx.xxx ls')
>
> But I am getting this message:
>
> OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
> debug1: Reading configuration data /u/myuserid/.ssh/config
> debug1: Applying options for *
> debug3: Seeding PRNG from /usr/lib/ssh/ssh-rand-helper
> (rand child) Couldn't exec '/usr/lib/ssh/ssh-rand-helper': EDC5129I No such file
> ssh-rand-helper child produced insufficient data
>
>
> On the other side,
>
> /ZOSAA/usr/lib/ssh/ is a link to /usr/lib/ssh/
>
> lrwxrwxrwx   1 xxx   12 May 30  2008 usr -> $VERSION/usr
>
> MYUSRXX:/: >cd /usr/lib/ssh
> MYUSRXX:/ZOSAA/usr/lib/ssh: >ls -l
> total 12992
> drwxr-xr-x   2 XXX  XXX     8192 Oct 30 11:41 IBM
> -rwxr-xr-x   2 XXX  XXX   372736 Oct 30 11:41 sftp-server
> -rwxr-xr-x   2 XXX  XXX  2748416 Oct 30 11:40 ssh-askpass
> -rwsr-xr-x   2 XXX  XXX  2658304 Oct 30 11:41 ssh-keysign
> -rwxr-xr-x   2 XXX  XXX   864256 Oct 30 11:41 ssh-rand-helper
> MYUSRXX:/ZOSAA/usr/lib/ssh: >
>
> Why, if ICSF is running, am I still getting the ssh-rand-helper instead of ICSF?
>
> Best regards, and happy weekend.
> Enrique Montero
>
SSH & ICSF is not working
Hi to all,

We have the ICSF running as an STC in our environment.
===> CSFM400I CRYPTOGRAPHY - SERVICES ARE NOW AVAILABLE.

I am trying to SSH against a linux server in BATCH.

    //SSHCOMM EXEC PGM=BPXBATCH,
    //  PARM=('SH /ZOSAA/bin/ssh -vvv r...@xxx.xxx.xxx.xxx ls')

But I am getting this message:

    OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
    debug1: Reading configuration data /u/myuserid/.ssh/config
    debug1: Applying options for *
    debug3: Seeding PRNG from /usr/lib/ssh/ssh-rand-helper
    (rand child) Couldn't exec '/usr/lib/ssh/ssh-rand-helper': EDC5129I No such file
    ssh-rand-helper child produced insufficient data

On the other side,

/ZOSAA/usr/lib/ssh/ is a link to /usr/lib/ssh/

    lrwxrwxrwx   1 xxx   12 May 30  2008 usr -> $VERSION/usr

    MYUSRXX:/: >cd /usr/lib/ssh
    MYUSRXX:/ZOSAA/usr/lib/ssh: >ls -l
    total 12992
    drwxr-xr-x   2 XXX  XXX     8192 Oct 30 11:41 IBM
    -rwxr-xr-x   2 XXX  XXX   372736 Oct 30 11:41 sftp-server
    -rwxr-xr-x   2 XXX  XXX  2748416 Oct 30 11:40 ssh-askpass
    -rwsr-xr-x   2 XXX  XXX  2658304 Oct 30 11:41 ssh-keysign
    -rwxr-xr-x   2 XXX  XXX   864256 Oct 30 11:41 ssh-rand-helper
    MYUSRXX:/ZOSAA/usr/lib/ssh: >

Why, if ICSF is running, am I still getting the ssh-rand-helper instead of ICSF?

Best regards, and happy weekend.
Enrique Montero