Re: [MVS-OE] Passwordless login omvs

[John McKown]

I wish that IBM could totally replace JCL. Or come up with something
better. But, I have a feeling that few, if any, would use it unless it had
restart capabilities at least as good as CA-11. Take away CA-11 from
product support, and there would be blood running thick in the streets.

That's why REXX cannot replace JCL.

On Mon, Mar 14, 2022, 12:20 Steve Smith  wrote:

> re JCL: Someone in the recent past noted that calling JCL a language was a
> reach exceeding its grasp.  It's certainly not a procedural language; I
> just consider it a work order.  In any case, MVS has scripting capabilities
> (e.g. REXX) if you prefer.
>
> re client/server: that's what I get for presuming.
>
> sas
>
>
> On Mon, Mar 14, 2022 at 12:30 AM Paul Gilmartin <
> 000433f07816-dmarc-requ...@listserv.ua.edu> wrote:
>
> > On Sun, 13 Mar 2022 22:07:28 -0400, Steve Smith wrote:
> >
> > >Just reminds me that sh script is disgusting.  Brainfrack can't be much
> > >worse.  Is "done" the end of a do?  Shouldn't it be "od"?
> > >
> > So it's not your favorite language.  JCL iisn't mine (Shouldn't an IF
> > range end with FI?)  Have you any constructive suggestions?
> >
> > >Anyways, I presume that this applies to the client side, and also I
> > presume
> > >the OP uses the same client system for two different systems, so how
> could
> > >this be the problem?
> > >
> > Different configurations of the two hosts?
> >
> > --
> > gil
> >
> >
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: [MVS-OE] Passwordless login omvs

[Steve Smith]

re JCL: Someone in the recent past noted that calling JCL a language was a
reach exceeding its grasp.  It's certainly not a procedural language; I
just consider it a work order.  In any case, MVS has scripting capabilities
(e.g. REXX) if you prefer.

re client/server: that's what I get for presuming.

sas


On Mon, Mar 14, 2022 at 12:30 AM Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Sun, 13 Mar 2022 22:07:28 -0400, Steve Smith wrote:
>
> >Just reminds me that sh script is disgusting.  Brainfrack can't be much
> >worse.  Is "done" the end of a do?  Shouldn't it be "od"?
> >
> So it's not your favorite language.  JCL iisn't mine (Shouldn't an IF
> range end with FI?)  Have you any constructive suggestions?
>
> >Anyways, I presume that this applies to the client side, and also I
> presume
> >the OP uses the same client system for two different systems, so how could
> >this be the problem?
> >
> Different configurations of the two hosts?
>
> --
> gil
>
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: [MVS-OE] Passwordless login omvs

[Paul Gilmartin]

On Mon, 14 Mar 2022 14:03:22 +, Seymour J Metz wrote:

>I believe that the are languages that use inverted keywords to end blocks, 
>leading to the infamous "comment bletch! tnemmoc". Personally, I prefer "end" 
>or "endif", optionally with a label, 
>
What idiot designing JCL's "IF" chose not to require that label fields on "ELSE"
and "ENDIF" match that on the corresponding "IF" for nesting validation‽

>   ... to terminate everything but comments, for which I like the PL/I syntax 
> "/* foo */", although line comments have their uses.
>
Perhaps the worst is ALGOL 60's "end"  ";", leading compiler
implementers to provide a "Delimiter in comment" warning.

-- 
gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: [MVS-OE] Passwordless login omvs

[Seymour J Metz]

I believe that the are languages that use inverted keywords to end blocks, 
leading to the infamous "comment bletch! tnemmoc". Personally, I prefer "end" 
or "endif", optionally with a label, to terminate everything but comments, for 
which I like the PL/I syntax "/* foo */", although line comments have their 
uses.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
Steve Smith [sasd...@gmail.com]
Sent: Sunday, March 13, 2022 10:07 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [MVS-OE] Passwordless login omvs

Just reminds me that sh script is disgusting.  Brainfrack can't be much
worse.  Is "done" the end of a do?  Shouldn't it be "od"?

Anyways, I presume that this applies to the client side, and also I presume
the OP uses the same client system for two different systems, so how could
this be the problem?

I would like to see complete set up instructions for ssh/sshd, like JES2
provides for its (ridiculous) notify to email.  Maybe it's better that one
learns all the parts, and learns how to put them together.  So be it, but I
can hardly find ssh mentioned anywhere in either CS or USS libraries.

sas


On Sun, Mar 13, 2022 at 5:40 PM Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Mar 13, 2022, at 08:07:33, Jake Anderson 
> wrote:
> >
> > I was able to copy it
> > We have two environment LPAR1 and LPAR2
> >
> > Certificate based SSH login is successful on LPAR2 but for LPAR1 It asks
> > for password.
> >
> Ssh requires, but does not diagnose clearly, that no directory
> in the path from root to ~/.ssh be writable by other than the
> .ssh owner lest a (fe)malefactor modify the permissions.
>
> This POSIX shell script reports any weaknesses:
> #! /bin/sh
>
> # Doc: Verify that strangers can't modify path to "'".
>
> _UNIX03=YES export _UNIX03
> ${1+cd "$1"} || exit 103  # Defauot is PWD.
> echo " Testing: $( ls -ld "$( pwd -P . )" )" >&2
> while :; do
> P=$( pwd -P . ) || exit 104
> L=$( ls -ld "$P" )
> # # echo " Testing: $L" >&2
> case "$L" in
> w* | ?w* )
> echo "!!! writable !!!: $L" >&2
> exit 1;;
> esac
> [ "x/" = "x$P" ] && exit 0
> cd -P .. || exit 102
> done
>
> --
> gil
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: [MVS-OE] Passwordless login omvs

[Jake Anderson]

I enabled debug3 and daemon logging for SSHD task

Finally it was because of bad ownership and modes. Fixed that and its all
good now

Thanks to all who gave your valuable suggestions

On Mon, Mar 14, 2022, 8:29 AM Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Sun, 13 Mar 2022 22:07:28 -0400, Steve Smith wrote:
>
> >Just reminds me that sh script is disgusting.  Brainfrack can't be much
> >worse.  Is "done" the end of a do?  Shouldn't it be "od"?
> >
> So it's not your favorite language.  JCL iisn't mine (Shouldn't an IF
> range end with FI?)  Have you any constructive suggestions?
>
> >Anyways, I presume that this applies to the client side, and also I
> presume
> >the OP uses the same client system for two different systems, so how could
> >this be the problem?
> >
> Different configurations of the two hosts?
>
> --
> gil
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: [MVS-OE] Passwordless login omvs

[Paul Gilmartin]

On Sun, 13 Mar 2022 22:07:28 -0400, Steve Smith wrote:

>Just reminds me that sh script is disgusting.  Brainfrack can't be much
>worse.  Is "done" the end of a do?  Shouldn't it be "od"?
>
So it's not your favorite language.  JCL iisn't mine (Shouldn't an IF
range end with FI?)  Have you any constructive suggestions?

>Anyways, I presume that this applies to the client side, and also I presume
>the OP uses the same client system for two different systems, so how could
>this be the problem?
>
Different configurations of the two hosts?

-- 
gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: [MVS-OE] Passwordless login omvs

[Andrew Rowley]

On 14/03/2022 1:07 pm, Steve Smith wrote:

Anyways, I presume that this applies to the client side, and also I presume
the OP uses the same client system for two different systems, so how could
this be the problem?

I would like to see complete set up instructions for ssh/sshd, like JES2
provides for its (ridiculous) notify to email.


I'm pretty sure it applies to the server side.

From memory, ssh/sshd setup on z/OS is very much the same as on other 
platforms, so any of the how-tos out on the internet give you the steps, 
and the errors and solutions are the same.


Andrew Rowley

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: [MVS-OE] Passwordless login omvs

[Steve Smith]

Just reminds me that sh script is disgusting.  Brainfrack can't be much
worse.  Is "done" the end of a do?  Shouldn't it be "od"?

Anyways, I presume that this applies to the client side, and also I presume
the OP uses the same client system for two different systems, so how could
this be the problem?

I would like to see complete set up instructions for ssh/sshd, like JES2
provides for its (ridiculous) notify to email.  Maybe it's better that one
learns all the parts, and learns how to put them together.  So be it, but I
can hardly find ssh mentioned anywhere in either CS or USS libraries.

sas


On Sun, Mar 13, 2022 at 5:40 PM Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Mar 13, 2022, at 08:07:33, Jake Anderson 
> wrote:
> >
> > I was able to copy it
> > We have two environment LPAR1 and LPAR2
> >
> > Certificate based SSH login is successful on LPAR2 but for LPAR1 It asks
> > for password.
> >
> Ssh requires, but does not diagnose clearly, that no directory
> in the path from root to ~/.ssh be writable by other than the
> .ssh owner lest a (fe)malefactor modify the permissions.
>
> This POSIX shell script reports any weaknesses:
> #! /bin/sh
>
> # Doc: Verify that strangers can't modify path to "'".
>
> _UNIX03=YES export _UNIX03
> ${1+cd "$1"} || exit 103  # Defauot is PWD.
> echo " Testing: $( ls -ld "$( pwd -P . )" )" >&2
> while :; do
> P=$( pwd -P . ) || exit 104
> L=$( ls -ld "$P" )
> # # echo " Testing: $L" >&2
> case "$L" in
> w* | ?w* )
> echo "!!! writable !!!: $L" >&2
> exit 1;;
> esac
> [ "x/" = "x$P" ] && exit 0
> cd -P .. || exit 102
> done
>
> --
> gil
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: [MVS-OE] Passwordless login omvs

[Paul Gilmartin]

On Mar 13, 2022, at 08:07:33, Jake Anderson  wrote:
> 
> I was able to copy it
> We have two environment LPAR1 and LPAR2
> 
> Certificate based SSH login is successful on LPAR2 but for LPAR1 It asks
> for password.
>  
Ssh requires, but does not diagnose clearly, that no directory
in the path from root to ~/.ssh be writable by other than the
.ssh owner lest a (fe)malefactor modify the permissions.

This POSIX shell script reports any weaknesses:
#! /bin/sh

# Doc: Verify that strangers can't modify path to "'".

_UNIX03=YES export _UNIX03
${1+cd "$1"} || exit 103  # Defauot is PWD.
echo " Testing: $( ls -ld "$( pwd -P . )" )" >&2
while :; do
P=$( pwd -P . ) || exit 104
L=$( ls -ld "$P" )
# # echo " Testing: $L" >&2
case "$L" in
w* | ?w* )
echo "!!! writable !!!: $L" >&2
exit 1;;
esac
[ "x/" = "x$P" ] && exit 0
cd -P .. || exit 102
done

-- 
gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: [MVS-OE] Passwordless login omvs

[Paul Gilmartin]

COPY the id_*.pub from your desktop and append
It to authorized_keys on the host.  You will be
prompted only once to validate the host.  Reply
"Yes".  Do not abbreviate.


(More):
ssh is prudently fussy about permissions.  I use:

#! /bin/sh -x

# Doc: Set useful and safe permissions for ~/.ssh

: "in $0"
: "ssh requires that no one other than user be able to write \$HOME"
cd && chmod u+rwx .ssh && cd .ssh && chmod og-w .. || exit $?
:
: >>authorized_keys # Create but don't update timestamps 
chmod -R og-rwx . && {  # Prevent browsing -- especially authorized_keys
chmod -R u+rw . # User can read and write everything.
chmod a+x . # Allow everyone to search .ssh
chmod a+r *.pub # and to read public keys.
ls -al;  }  # Did we do it right?

-- 
gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: [MVS-OE] Passwordless login omvs

[Jake Anderson]

I was able to copy it

We have two environment LPAR1 and LPAR2

Certificate based SSH login is successful on LPAR2 but for LPAR1 It asks
for password.

I did enabled -VV with SSH login to check in debug mode but I don't see any
error or any reason why it expects password even though the same
certificate works fine with other LPAR2.

SSHD configuration are same on both the LPARS. Is there any places that I
need to be looking for ?

On Sun, Mar 13, 2022, 5:49 PM Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Mar 12, 2022, at 23:38:36, Jake Anderson wrote:
> >
> > I generated the .pub certificate from the both the end but still when I
> do
> > SSH from CentOS to OMVS it asks for a password. OMVS is running the SSHD
> > task.
> >
> COPY the id_*.pub from your desktop and append
> It to authorized_keys on the host.  You will be
> prompted only once to validate the host.  Reply
> "Yes".  Do not abbreviate.
>  >
>
> --
> gil
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: [MVS-OE] Passwordless login omvs

[Paul Gilmartin]

On Mar 12, 2022, at 23:38:36, Jake Anderson wrote:
> 
> I generated the .pub certificate from the both the end but still when I do
> SSH from CentOS to OMVS it asks for a password. OMVS is running the SSHD
> task.
>  
COPY the id_*.pub from your desktop and append
It to authorized_keys on the host.  You will be
prompted only once to validate the host.  Reply
"Yes".  Do not abbreviate.


-- 
gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN