Re: Passwordless login omvs

2022-03-16 Thread Paul Gilmartin
On Wed, 16 Mar 2022 12:43:15 +0800, David Crayford wrote:
>...
>z/OS does not ship ssh-copy-id but it's easy to pipe into ssh and create the 
>.ssh directory if it doesn't already exist.
>
>cat ~/.ssh/id_rsa.pub | ssh @ 'umask 0077; mkdir -p .ssh; cat >> .ssh/authorized_keys && echo "Key copied"'
>
Or, use your desktop terminal's COPY/PASTE if available.

-- 
gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Passwordless login omvs

2022-03-15 Thread David Crayford
ssh-keygen normally does the right thing with file permissions etc. To copy 
keys to remote systems I run:

ssh-copy-id @

z/OS does not ship ssh-copy-id but it's easy to pipe into ssh and create the 
.ssh directory if it doesn't already exist.

cat ~/.ssh/id_rsa.pub | ssh @ 'umask 0077; mkdir -p .ssh; cat >> .ssh/authorized_keys && echo "Key copied"'

On Tue, 2022-03-15 at 03:44 -0500, Jantje. wrote:
> On Sun, 13 Mar 2022 10:38:36 +0400, Jake Anderson  
> wrote:
> 
> 
> > The certificate I have kept in my home directory of omvs. So from CENTOS I
> > do SSH certificate_path Mainframeuser@ZOS
> > still it asks for password. Is there any parameter within SSHD_CONFIG that has
> > to be tweaked ?
> > 
> The devil is in the details... Ownership of all the files involved, 
> permissions on all the files involved, even their location in the directory 
> structure, it all must be just right on both server
> and client side. And it is not just the certificate... your public key must 
> be known to the server and the server public key must be known to the client 
> (installed in the right file in the right
> directory with the right ownership and permissions).
> 
> You can use the -vvv option on your ssh command line on the client and wade 
> through the log that will produce. Overwhelming at first, but in the end you 
> will find some message indicating what is
> wrong.
> 
> How to fix it? You will want to read some documentation and GIYF.
> 
> Cheers,
> 
> Jantje.
> 


Re: Passwordless login omvs

2022-03-15 Thread Jantje.
On Sun, 13 Mar 2022 10:38:36 +0400, Jake Anderson  
wrote:


>The certificate I have kept in my home directory of omvs. So from CENTOS I
>do SSH certificate_path Mainframeuser@ZOS
>still it asks for password. Is there any parameter within SSHD_CONFIG that has
>to be tweaked ?
>
The devil is in the details... Ownership of all the files involved, permissions 
on all the files involved, even their location in the directory structure, it 
all must be just right on both server and client side. And it is not just the 
certificate... your public key must be known to the server and the server 
public key must be known to the client (installed in the right file in the 
right directory with the right ownership and permissions).

You can use the -vvv option on your ssh command line on the client and wade 
through the log that will produce. Overwhelming at first, but in the end you 
will find some message indicating what is wrong.

How to fix it? You will want to read some documentation and GIYF.

Cheers,

Jantje.



Re: [MVS-OE] Passwordless login omvs

2022-03-14 Thread John McKown
I wish that IBM could totally replace JCL. Or come up with something
better. But, I have a feeling that few, if any, would use it unless it had
restart capabilities at least as good as CA-11. Take away CA-11 from
product support, and there would be blood running thick in the streets.

That's why REXX cannot replace JCL.

On Mon, Mar 14, 2022, 12:20 Steve Smith  wrote:

> re JCL: Someone in the recent past noted that calling JCL a language was a
> reach exceeding its grasp.  It's certainly not a procedural language; I
> just consider it a work order.  In any case, MVS has scripting capabilities
> (e.g. REXX) if you prefer.
>
> re client/server: that's what I get for presuming.
>
> sas
>
>
> On Mon, Mar 14, 2022 at 12:30 AM Paul Gilmartin <
> 000433f07816-dmarc-requ...@listserv.ua.edu> wrote:
>
> > On Sun, 13 Mar 2022 22:07:28 -0400, Steve Smith wrote:
> >
> > >Just reminds me that sh script is disgusting.  Brainfrack can't be much
> > >worse.  Is "done" the end of a do?  Shouldn't it be "od"?
> > >
> > So it's not your favorite language.  JCL isn't mine (Shouldn't an IF
> > range end with FI?)  Have you any constructive suggestions?
> >
> > >Anyways, I presume that this applies to the client side, and also I
> > presume
> > >the OP uses the same client system for two different systems, so how
> could
> > >this be the problem?
> > >
> > Different configurations of the two hosts?
> >
> > --
> > gil
> >
> >
>


Re: [MVS-OE] Passwordless login omvs

2022-03-14 Thread Steve Smith
re JCL: Someone in the recent past noted that calling JCL a language was a
reach exceeding its grasp.  It's certainly not a procedural language; I
just consider it a work order.  In any case, MVS has scripting capabilities
(e.g. REXX) if you prefer.

re client/server: that's what I get for presuming.

sas


On Mon, Mar 14, 2022 at 12:30 AM Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Sun, 13 Mar 2022 22:07:28 -0400, Steve Smith wrote:
>
> >Just reminds me that sh script is disgusting.  Brainfrack can't be much
> >worse.  Is "done" the end of a do?  Shouldn't it be "od"?
> >
> So it's not your favorite language.  JCL isn't mine (Shouldn't an IF
> range end with FI?)  Have you any constructive suggestions?
>
> >Anyways, I presume that this applies to the client side, and also I
> presume
> >the OP uses the same client system for two different systems, so how could
> >this be the problem?
> >
> Different configurations of the two hosts?
>
> --
> gil
>
>



Re: [MVS-OE] Passwordless login omvs

2022-03-14 Thread Paul Gilmartin
On Mon, 14 Mar 2022 14:03:22 +, Seymour J Metz wrote:

>I believe that there are languages that use inverted keywords to end blocks, 
>leading to the infamous "comment bletch! tnemmoc". Personally, I prefer "end" 
>or "endif", optionally with a label, 
>
What idiot designing JCL's "IF" chose not to require that label fields on "ELSE"
and "ENDIF" match that on the corresponding "IF" for nesting validation‽

>   ... to terminate everything but comments, for which I like the PL/I syntax 
> "/* foo */", although line comments have their uses.
>
Perhaps the worst is ALGOL 60's "end"  ";", leading compiler
implementers to provide a "Delimiter in comment" warning.

-- 
gil



Re: [MVS-OE] Passwordless login omvs

2022-03-14 Thread Seymour J Metz
I believe that there are languages that use inverted keywords to end blocks, 
leading to the infamous "comment bletch! tnemmoc". Personally, I prefer "end" 
or "endif", optionally with a label, to terminate everything but comments, for 
which I like the PL/I syntax "/* foo */", although line comments have their 
uses.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
Steve Smith [sasd...@gmail.com]
Sent: Sunday, March 13, 2022 10:07 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [MVS-OE] Passwordless login omvs

Just reminds me that sh script is disgusting.  Brainfrack can't be much
worse.  Is "done" the end of a do?  Shouldn't it be "od"?

Anyways, I presume that this applies to the client side, and also I presume
the OP uses the same client system for two different systems, so how could
this be the problem?

I would like to see complete set up instructions for ssh/sshd, like JES2
provides for its (ridiculous) notify to email.  Maybe it's better that one
learns all the parts, and learns how to put them together.  So be it, but I
can hardly find ssh mentioned anywhere in either CS or USS libraries.

sas


On Sun, Mar 13, 2022 at 5:40 PM Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Mar 13, 2022, at 08:07:33, Jake Anderson 
> wrote:
> >
> > I was able to copy it
> > We have two environment LPAR1 and LPAR2
> >
> > Certificate based SSH login is successful on LPAR2 but for LPAR1 It asks
> > for password.
> >
> Ssh requires, but does not diagnose clearly, that no directory
> in the path from root to ~/.ssh be writable by other than the
> .ssh owner lest a (fe)malefactor modify the permissions.
>
> This POSIX shell script reports any weaknesses:
> #! /bin/sh
>
> # Doc: Verify that strangers can't modify path to "'".
>
> _UNIX03=YES export _UNIX03
> ${1+cd "$1"} || exit 103  # Default is PWD.
> echo " Testing: $( ls -ld "$( pwd -P . )" )" >&2
> while :; do
> P=$( pwd -P . ) || exit 104
> L=$( ls -ld "$P" )
> # # echo " Testing: $L" >&2
> case "$L" in
> ?????w* | ????????w* )
> echo "!!! writable !!!: $L" >&2
> exit 1;;
> esac
> [ "x/" = "x$P" ] && exit 0
> cd -P .. || exit 102
> done
>
> --
> gil
>


Re: [MVS-OE] Passwordless login omvs

2022-03-13 Thread Jake Anderson
I enabled debug3 and daemon logging for SSHD task

Finally it was because of bad ownership and modes. Fixed that and it's all
good now

Thanks to all who gave your valuable suggestions

On Mon, Mar 14, 2022, 8:29 AM Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Sun, 13 Mar 2022 22:07:28 -0400, Steve Smith wrote:
>
> >Just reminds me that sh script is disgusting.  Brainfrack can't be much
> >worse.  Is "done" the end of a do?  Shouldn't it be "od"?
> >
> So it's not your favorite language.  JCL isn't mine (Shouldn't an IF
> range end with FI?)  Have you any constructive suggestions?
>
> >Anyways, I presume that this applies to the client side, and also I
> presume
> >the OP uses the same client system for two different systems, so how could
> >this be the problem?
> >
> Different configurations of the two hosts?
>
> --
> gil
>


Re: [MVS-OE] Passwordless login omvs

2022-03-13 Thread Paul Gilmartin
On Sun, 13 Mar 2022 22:07:28 -0400, Steve Smith wrote:

>Just reminds me that sh script is disgusting.  Brainfrack can't be much
>worse.  Is "done" the end of a do?  Shouldn't it be "od"?
>
So it's not your favorite language.  JCL isn't mine (Shouldn't an IF
range end with FI?)  Have you any constructive suggestions?

>Anyways, I presume that this applies to the client side, and also I presume
>the OP uses the same client system for two different systems, so how could
>this be the problem?
>
Different configurations of the two hosts?

-- 
gil



Re: [MVS-OE] Passwordless login omvs

2022-03-13 Thread Andrew Rowley

On 14/03/2022 1:07 pm, Steve Smith wrote:

Anyways, I presume that this applies to the client side, and also I presume
the OP uses the same client system for two different systems, so how could
this be the problem?

I would like to see complete set up instructions for ssh/sshd, like JES2
provides for its (ridiculous) notify to email.


I'm pretty sure it applies to the server side.

From memory, ssh/sshd setup on z/OS is very much the same as on other 
platforms, so any of the how-tos out on the internet give you the steps, 
and the errors and solutions are the same.


Andrew Rowley



Re: [MVS-OE] Passwordless login omvs

2022-03-13 Thread Steve Smith
Just reminds me that sh script is disgusting.  Brainfrack can't be much
worse.  Is "done" the end of a do?  Shouldn't it be "od"?

Anyways, I presume that this applies to the client side, and also I presume
the OP uses the same client system for two different systems, so how could
this be the problem?

I would like to see complete set up instructions for ssh/sshd, like JES2
provides for its (ridiculous) notify to email.  Maybe it's better that one
learns all the parts, and learns how to put them together.  So be it, but I
can hardly find ssh mentioned anywhere in either CS or USS libraries.

sas


On Sun, Mar 13, 2022 at 5:40 PM Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Mar 13, 2022, at 08:07:33, Jake Anderson 
> wrote:
> >
> > I was able to copy it
> > We have two environment LPAR1 and LPAR2
> >
> > Certificate based SSH login is successful on LPAR2 but for LPAR1 It asks
> > for password.
> >
> Ssh requires, but does not diagnose clearly, that no directory
> in the path from root to ~/.ssh be writable by other than the
> .ssh owner lest a (fe)malefactor modify the permissions.
>
> This POSIX shell script reports any weaknesses:
> #! /bin/sh
>
> # Doc: Verify that strangers can't modify path to "'".
>
> _UNIX03=YES export _UNIX03
> ${1+cd "$1"} || exit 103  # Default is PWD.
> echo " Testing: $( ls -ld "$( pwd -P . )" )" >&2
> while :; do
> P=$( pwd -P . ) || exit 104
> L=$( ls -ld "$P" )
> # # echo " Testing: $L" >&2
> case "$L" in
> ?????w* | ????????w* )
> echo "!!! writable !!!: $L" >&2
> exit 1;;
> esac
> [ "x/" = "x$P" ] && exit 0
> cd -P .. || exit 102
> done
>
> --
> gil
>


Re: [MVS-OE] Passwordless login omvs

2022-03-13 Thread Paul Gilmartin
On Mar 13, 2022, at 08:07:33, Jake Anderson  wrote:
> 
> I was able to copy it
> We have two environment LPAR1 and LPAR2
> 
> Certificate based SSH login is successful on LPAR2 but for LPAR1 It asks
> for password.
>  
Ssh requires, but does not diagnose clearly, that no directory
in the path from root to ~/.ssh be writable by other than the
.ssh owner lest a (fe)malefactor modify the permissions.

This POSIX shell script reports any weaknesses:
#! /bin/sh

# Doc: Verify that strangers can't modify path to "'".

_UNIX03=YES export _UNIX03
${1+cd "$1"} || exit 103  # Default is PWD.
echo " Testing: $( ls -ld "$( pwd -P . )" )" >&2
while :; do
    P=$( pwd -P . ) || exit 104
    L=$( ls -ld "$P" )
    # # echo " Testing: $L" >&2
    case "$L" in
        # In the ls -ld mode string, char 6 is group write and char 9 is other write.
        ?????w* | ????????w* )
            echo "!!! writable !!!: $L" >&2
            exit 1;;
    esac
    [ "x/" = "x$P" ] && exit 0
    cd -P .. || exit 102
done

-- 
gil
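
An added example, not part of gil's post or of any z/OS tooling: it goes beyond the writability walk above by also checking ownership, since the thread's eventual root cause was "bad ownership and modes". It walks from the key file up to the home directory, and the function names `check_one` and `audit_ssh_path` and their arguments are hypothetical.

```shell
#!/bin/sh
# Added example: audit the ownership and modes that sshd's strict checking
# cares about. The key file and every directory up to the home directory
# must be owned by the user (or uid 0) and not be group- or other-writable.
# Names below are invented for this example.

# check_one PATH UID: print a finding and return 1 if PATH is unsafe.
check_one() {
    co_line=$(ls -ldn "$1") || { echo "MISSING $1"; return 1; }
    # ls -ldn fields: mode string, link count, numeric owner, ...
    read -r co_mode co_links co_owner co_rest <<EOF
$co_line
EOF
    co_rc=0
    case $co_mode in
        ?????w* | ????????w*)   # 6th char = group write, 9th = other write
            echo "BAD mode $co_mode $1"; co_rc=1 ;;
    esac
    if [ "$co_owner" != "$2" ] && [ "$co_owner" != 0 ]; then
        echo "BAD owner $co_owner $1"; co_rc=1
    fi
    return $co_rc
}

# audit_ssh_path FILE HOME [UID]: check FILE and each parent up to HOME (or /).
# FILE and HOME must be absolute, physical paths (for example from `pwd -P`).
audit_ssh_path() {
    case $1 in /*) ;; *) echo "need absolute path: $1"; return 2 ;; esac
    as_p=$1 as_home=$2 as_uid=${3:-$(id -u)} as_rc=0
    while :; do
        check_one "$as_p" "$as_uid" || as_rc=1
        if [ "$as_p" = "$as_home" ] || [ "$as_p" = / ]; then break; fi
        as_p=$(dirname "$as_p")
    done
    return $as_rc
}

# Command-line use: audit.sh /home/user/.ssh/authorized_keys /home/user
if [ "$#" -ge 2 ]; then
    audit_ssh_path "$@"
    exit $?
fi
```

Run it on the server side as the target user; a non-zero exit status means at least one "BAD" or "MISSING" line was printed.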



Re: [MVS-OE] Passwordless login omvs

2022-03-13 Thread Paul Gilmartin
COPY the id_*.pub from your desktop and append
it to authorized_keys on the host.  You will be
prompted only once to validate the host.  Reply
"Yes".  Do not abbreviate.


(More):
ssh is prudently fussy about permissions.  I use:

#! /bin/sh -x

# Doc: Set useful and safe permissions for ~/.ssh

: "in $0"
: "ssh requires that no one other than user be able to write \$HOME"
cd && chmod u+rwx .ssh && cd .ssh && chmod og-w .. || exit $?
:
: >>authorized_keys         # Create but don't update timestamps
chmod -R og-rwx . && {      # Prevent browsing -- especially authorized_keys
    chmod -R u+rw .         # User can read and write everything.
    chmod a+x .             # Allow everyone to search .ssh
    chmod a+r *.pub         # and to read public keys.
    ls -al;  }              # Did we do it right?

-- 
gil



Re: [MVS-OE] Passwordless login omvs

2022-03-13 Thread Jake Anderson
I was able to copy it

We have two environment LPAR1 and LPAR2

Certificate based SSH login is successful on LPAR2 but for LPAR1 It asks
for password.

I did enable -VV with SSH login to check in debug mode but I don't see any
error or any reason why it expects password even though the same
certificate works fine with other LPAR2.

SSHD configuration is the same on both the LPARs. Is there any place that I
need to be looking at ?

On Sun, Mar 13, 2022, 5:49 PM Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Mar 12, 2022, at 23:38:36, Jake Anderson wrote:
> >
> > I generated the .pub certificate from both ends but still when I
> do
> > SSH from CentOS to OMVS it asks for a password. OMVS is running the SSHD
> > task.
> >
> COPY the id_*.pub from your desktop and append
> it to authorized_keys on the host.  You will be
> prompted only once to validate the host.  Reply
> "Yes".  Do not abbreviate.
>  >
>
> --
> gil
>


Re: [MVS-OE] Passwordless login omvs

2022-03-13 Thread Paul Gilmartin
On Mar 12, 2022, at 23:38:36, Jake Anderson wrote:
> 
> I generated the .pub certificate from both ends but still when I do
> SSH from CentOS to OMVS it asks for a password. OMVS is running the SSHD
> task.
>  
COPY the id_*.pub from your desktop and append
it to authorized_keys on the host.  You will be
prompted only once to validate the host.  Reply
"Yes".  Do not abbreviate.


-- 
gil



Re: Passwordless login omvs

2022-03-12 Thread Jake Anderson
Hello Ed

I generated the .pub certificate from both ends but still when I do
SSH from CentOS to OMVS it asks for a password. OMVS is running the SSHD
task.

The certificate I have kept in my home directory of omvs. So from CENTOS I
do SSH certificate_path Mainframeuser@ZOS

still it asks for password. Is there any parameter within SSHD_CONFIG that has
to be tweaked ?

On Sun, Mar 13, 2022, 9:53 AM Ed Jaffe  wrote:

> On 3/12/2022 9:46 PM, Jake Anderson wrote:
> > Hello
> >
> > Cross posted
> >
> >
> > Is it possible to do a passwordless login from my CentOS Linux to OMVS ?
> Is
> > there any documentation which helps ?
>
> If you connect via SSH, you can easily set things up so no password is
> needed.
>
>
> --
> Phoenix Software International
> Edward E. Jaffe
> 831 Parkview Drive North
> El Segundo, CA 90245
> https://www.phoenixsoftware.com/
>
>
>
> 


Re: Passwordless login omvs

2022-03-12 Thread Ed Jaffe

On 3/12/2022 9:46 PM, Jake Anderson wrote:

Hello

Cross posted


Is it possible to do a passwordless login from my CentOS Linux to OMVS ? Is
there any documentation which helps ?


If you connect via SSH, you can easily set things up so no password is 
needed.



--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
https://www.phoenixsoftware.com/





Passwordless login omvs

2022-03-12 Thread Jake Anderson
Hello

Cross posted


Is it possible to do a passwordless login from my CentOS Linux to OMVS ? Is
there any documentation which helps ?

Jake
