Re: SSH & ICSF is not working

2010-03-15 Thread MONTERO ROMERO, ENRIQUE ELOI
Hi to all,

I tried the "head /dev/random | od -x", it returns me something like this :
00  
...
...
004220  
004240

I changed the hex values to .

On the other side, this is the same user I use in the batch job, but the debug 
tells me it is using the helper instead of ICSF.

Regards, Enrique.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: SSH & ICSF is not working

2010-03-12 Thread Kirk Wolf
On Fri, Mar 12, 2010 at 10:55 AM, Paul Gilmartin  wrote:
> On Fri, 12 Mar 2010 10:52:33 -0500, Hayim Sokolsky wrote:
>>
>>But in any case, the Open_SSH ported tool - was not coded to interface
>>with ICSF, as far as I know.
>>
> Except through /dev/random?  A quick validity check might be:
>
>    head /dev/random | od -x
>
> -- gil
>

Exactly!
(but use the same userid as the batch job to ensure that the SAF
permissions are identical)

Kirk Wolf
Dovetailed Technologies
http://dovetail.com



Re: SSH & ICSF is not working

2010-03-12 Thread Paul Gilmartin
On Fri, 12 Mar 2010 10:52:33 -0500, Hayim Sokolsky wrote:
>
>But in any case, the Open_SSH ported tool - was not coded to interface
>with ICSF, as far as I know.
>
Except through /dev/random?  A quick validity check might be:

head /dev/random | od -x

-- gil



Re: SSH & ICSF is not working

2010-03-12 Thread Kirk Wolf
On Fri, Mar 12, 2010 at 9:52 AM, Hayim Sokolsky  wrote:
> A few points here...
>
> The ICSF STC is not the API itself. It is the I/O server that reads and
> writes to the PKDS and CKDS.
> Use of the ICSF APIs can be allowed or disallowed by RACF (and Top Secret
> and ACF/2).
> -  You didn't say if the CSFSERV class was active or inactive in your
> security product.
> -  You didn't say if the CSFSERV CSFRNG (Random number generate) was
> permitted.
>
> But in any case, the Open_SSH ported tool - was not coded to interface
> with ICSF, as far as I know.
>
> Hayim

Hayim,

While you are correct - OpenSSH doesn't use ICSF APIs directly, it
*does* use /dev/random (z/OS 1.7 and later) to get a secure random
number, which is critical to the secure cryptography that it does (in
software, using OpenSSL).

If your SSHD job and SSH client jobs have read access to /dev/random,
then they will be *much* faster to start.  The fallback is to use the
"ssh-rand-helper" program, which is very slow, expensive and *not*
very secure.

To use /dev/random under z/OS, the userid must have access to certain
ICSF SAF profiles (CSFSERV CSFRNG).   It's all documented in the Ported
Tools User Guide, you just have to RTM.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

PS> it's a pity that it is such a hassle on z/OS to provide a
/dev/random device to *all* users, all the time.   Modern *nix
operating systems all have a software implemented /dev/random device
that uses a widely accepted algorithm to provide secure random
entropy.   Good random entropy is the key to secure crypto, and to
require crypto coprocessors on z/OS is B.S.


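The validity check suggested in this thread (read /dev/random under the same userid as the batch job, and if that fails, look at the CSFSERV class and the CSFRNG profile) can be scripted so it gives a clear verdict instead of a screen of hex. The script below is an added example, not code from the thread, from IBM, or from Dovetailed Technologies. It assumes the device path /dev/random as used in the thread; the exit codes, the RANDOM_DEV override and the distinct-byte threshold of 16 are this example's own conventions, and the byte count check is only a sanity test for a stuck or permission-denied source, not a statistical randomness test. The all-zero file it checks is constructed inline to show the degenerate case.

```shell
#!/bin/sh
# Added example: emulate the seeding read OpenSSH/OpenSSL does from /dev/random
# and classify the result, so the same check can be run interactively and then
# under the batch job's userid (e.g. via BPXBATCH with PARM=('SH ...')).
#
# check_random_dev DEVICE [NBYTES]
#   returns 0: NBYTES read and the data is not degenerate; OpenSSH will seed
#              its PRNG from DEVICE and not start ssh-rand-helper
#   returns 1: open/read failed or short read; on z/OS check that the CSFSERV
#              class is active and the userid has READ on CSFRNG (see thread);
#              OpenSSH falls back to ssh-rand-helper
#   returns 2: read succeeded but the bytes look constant; not a usable source
check_random_dev() {
    dev=$1
    n=${2:-64}
    tmp=$(mktemp) || return 1

    # dd with bs=1 issues a sequence of small read()s; a SAF/permission
    # failure on the device shows up here as a non-zero dd exit status.
    if ! dd if="$dev" bs=1 count="$n" of="$tmp" 2>/dev/null; then
        echo "FAIL: cannot read $dev as userid $(id -un)"
        rm -f "$tmp"
        return 1
    fi
    got=$(wc -c < "$tmp" | tr -d ' ')
    if [ "$got" -lt "$n" ]; then
        echo "FAIL: short read from $dev ($got of $n bytes) as userid $(id -un)"
        rm -f "$tmp"
        return 1
    fi

    # Count distinct byte values. 64 truly random bytes give about 56 distinct
    # values; a stuck source (all 00 or all FF) gives 1. Threshold 16 is an
    # arbitrary sanity bound chosen for this example.
    distinct=$(od -An -v -tx1 "$tmp" | tr -s ' ' '\n' \
               | grep '^[0-9a-fA-F][0-9a-fA-F]$' | sort -u | wc -l | tr -d ' ')
    rm -f "$tmp"
    if [ "$distinct" -lt 16 ]; then
        echo "FAIL: $dev returned only $distinct distinct byte values in $n bytes"
        return 2
    fi
    echo "OK: $dev readable as userid $(id -un); $distinct distinct byte values in $n bytes"
    return 0
}

# Stand-alone run: the real device (override with RANDOM_DEV=... for testing),
# then a constructed all-zero file to show what a degenerate source looks like.
check_random_dev "${RANDOM_DEV:-/dev/random}" 64
zero_file=$(mktemp)
dd if=/dev/zero bs=1 count=64 of="$zero_file" 2>/dev/null
check_random_dev "$zero_file" 64
rm -f "$zero_file"
```

Run it once from an interactive shell and once from the batch job's userid; a result of 1 in batch but 0 interactively points at the SAF permissions being different between the two userids, which is exactly the case Kirk Wolf warns about.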

Re: SSH & ICSF is not working

2010-03-12 Thread Hayim Sokolsky
A few points here...

The ICSF STC is not the API itself. It is the I/O server that reads and 
writes to the PKDS and CKDS.
Use of the ICSF APIs can be allowed or disallowed by RACF (and Top Secret 
and ACF/2).
-  You didn't say if the CSFSERV class was active or inactive in your 
security product.
-  You didn't say if the CSFSERV CSFRNG (Random number generate) was 
permitted.

But in any case, the Open_SSH ported tool - was not coded to interface 
with ICSF, as far as I know.

Hayim
_
Hayim Sokolsky, CISSP
Mainframe Security Architect
DTCC Corporate Information Security
18301 Bermuda Green Dr, MS 1-CIS
Tampa FL 33647-1760

Tel. (813) 470-2177



"MONTERO ROMERO, ENRIQUE ELOI", sent by IBM Mainframe Discussion List, 2010.03.12 09:04
To: IBM-MAIN@bama.ua.edu
Subject: SSH & ICSF is not working

Hi to all,

We have the ICSF running as an STC in our environment.
===> CSFM400I CRYPTOGRAPHY - SERVICES ARE NOW AVAILABLE.

I am trying to SSH against a linux server in BATCH.

//SSHCOMM  EXEC PGM=BPXBATCH,
//             PARM=('SH /ZOSAA/bin/ssh -vvv r...@xxx.xxx.xxx.xxx ls')

But I am getting this message:

OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004  
debug1: Reading configuration data /u/myuserid/.ssh/config  
debug1: Applying options for *  
debug3: Seeding PRNG from /usr/lib/ssh/ssh-rand-helper  
(rand child) Couldn't exec '/usr/lib/ssh/ssh-rand-helper': EDC5129I No 
such file
ssh-rand-helper child produced insufficient data  


On the other side,

/ZOSAA/usr/lib/ssh/ is a link to /usr/lib/ssh/

lrwxrwxrwx   1 xxx    12 May 30  2008 usr -> $VERSION/usr

MYUSRXX:/: >cd /usr/lib/ssh 
MYUSRXX:/ZOSAA/usr/lib/ssh: >ls -l 
total 12992 
drwxr-xr-x   2 XXX  XXX 8192 Oct 30 11:41 IBM 
-rwxr-xr-x   2 XXX  XXX   372736 Oct 30 11:41 sftp-server 
-rwxr-xr-x   2 XXX  XXX  2748416 Oct 30 11:40 ssh-askpass 
-rwsr-xr-x   2 XXX  XXX  2658304 Oct 30 11:41 ssh-keysign 
-rwxr-xr-x   2 XXX  XXX   864256 Oct 30 11:41 ssh-rand-helper
MYUSRXX:/ZOSAA/usr/lib/ssh: > 

Why if the ICSF is running, I am still getting the ssh-rand-helper instead 
of the ICSF ?

Best regards, and happy weekend.
Enrique Montero







Re: SSH & ICSF is not working

2010-03-12 Thread Kirk Wolf
Read the FAQ in the IBM Ported Tools for z/OS User's Guide on setting
up ICSF and /dev/random.

On Fri, Mar 12, 2010 at 8:04 AM, MONTERO ROMERO, ENRIQUE ELOI
 wrote:
> Hi to all,
>
> We have the ICSF running as an STC in our environment.
> ===> CSFM400I CRYPTOGRAPHY - SERVICES ARE NOW AVAILABLE.
>
> I am trying to SSH against a linux server in BATCH.
>
> //SSHCOMM  EXEC PGM=BPXBATCH,
> //             PARM=('SH /ZOSAA/bin/ssh -vvv r...@xxx.xxx.xxx.xxx ls')
>
> But I am getting this message:
>
> OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
> debug1: Reading configuration data /u/myuserid/.ssh/config
> debug1: Applying options for *
> debug3: Seeding PRNG from /usr/lib/ssh/ssh-rand-helper
> (rand child) Couldn't exec '/usr/lib/ssh/ssh-rand-helper': EDC5129I No such 
> file
> ssh-rand-helper child produced insufficient data
>
>
> On the other side,
>
> /ZOSAA/usr/lib/ssh/ is a link to /usr/lib/ssh/
>
> lrwxrwxrwx   1 xxx            12 May 30  2008 usr -> $VERSION/usr
>
> MYUSRXX:/: >cd /usr/lib/ssh
> MYUSRXX:/ZOSAA/usr/lib/ssh: >ls -l
> total 12992
> drwxr-xr-x   2 XXX  XXX     8192 Oct 30 11:41 IBM
> -rwxr-xr-x   2 XXX  XXX   372736 Oct 30 11:41 sftp-server
> -rwxr-xr-x   2 XXX  XXX  2748416 Oct 30 11:40 ssh-askpass
> -rwsr-xr-x   2 XXX  XXX  2658304 Oct 30 11:41 ssh-keysign
> -rwxr-xr-x   2 XXX  XXX   864256 Oct 30 11:41 ssh-rand-helper
> MYUSRXX:/ZOSAA/usr/lib/ssh: >
>
> Why if the ICSF is running, I am still getting the ssh-rand-helper instead of 
> the ICSF ?
>
> Best regards, and happy weekend.
> Enrique Montero
>



SSH & ICSF is not working

2010-03-12 Thread MONTERO ROMERO, ENRIQUE ELOI
Hi to all,

We have the ICSF running as an STC in our environment.
===> CSFM400I CRYPTOGRAPHY - SERVICES ARE NOW AVAILABLE.

I am trying to SSH against a linux server in BATCH.

//SSHCOMM  EXEC PGM=BPXBATCH,
//             PARM=('SH /ZOSAA/bin/ssh -vvv r...@xxx.xxx.xxx.xxx ls')

But I am getting this message:

OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004 
debug1: Reading configuration data /u/myuserid/.ssh/config
debug1: Applying options for *  
debug3: Seeding PRNG from /usr/lib/ssh/ssh-rand-helper  
(rand child) Couldn't exec '/usr/lib/ssh/ssh-rand-helper': EDC5129I No such file
ssh-rand-helper child produced insufficient data


On the other side,

/ZOSAA/usr/lib/ssh/ is a link to /usr/lib/ssh/

lrwxrwxrwx   1 xxx    12 May 30  2008 usr -> $VERSION/usr

MYUSRXX:/: >cd /usr/lib/ssh  
MYUSRXX:/ZOSAA/usr/lib/ssh: >ls -l   
total 12992  
drwxr-xr-x   2 XXX  XXX 8192 Oct 30 11:41 IBM
-rwxr-xr-x   2 XXX  XXX   372736 Oct 30 11:41 sftp-server
-rwxr-xr-x   2 XXX  XXX  2748416 Oct 30 11:40 ssh-askpass
-rwsr-xr-x   2 XXX  XXX  2658304 Oct 30 11:41 ssh-keysign
-rwxr-xr-x   2 XXX  XXX   864256 Oct 30 11:41 ssh-rand-helper
MYUSRXX:/ZOSAA/usr/lib/ssh: > 

Why if the ICSF is running, I am still getting the ssh-rand-helper instead of 
the ICSF ?

Best regards, and happy weekend.
Enrique Montero
