Re: SSH/3270 fullscreen
Not yet. Soon. Very soon. 8-)

> Is there currently a client supported SSH/3270 full screen sessions for z/VM
Re: SSH For z/VM
On Wednesday, 12/17/2008 at 09:33 EST, Michael Coffin michaelcof...@mccci.com wrote:
> I know IBM's TCPIP does not support SSH or SSH based SFTP, but does anybody know of any third party products that provide SSH and Secure FTP over SSH to VM/CMS environments? This would be for z/VM 5.4.

Is there a problem with secure FTP and secure Telnet? (Now that the SSL support is available.)

Alan Altmark
z/VM Development
IBM Endicott
Re: SSH For z/VM
Yes. It's not a technical problem so much as a policy problem. SSL/TLS works perfectly (well, maybe 1 bug that I know of) on VM/CMS, it's not the problem.

A client of mine (you know who I mean Alan) somehow came to the conclusion that Tectia is an Enterprise-wide secure FTP solution, perhaps based on all the spin it has been getting lately (including in z/Journal). So, without REALLY knowing WHAT the Enterprise consisted of, they went forth and procured this product and have mandated that all FTP shall be via Tectia secure FTP. Just one tiny little problem, Tectia is ENTIRELY SSH-based (no SSL/TLS support), and has neither a client nor server component for VM/CMS.

So there's my problem in a nutshell. ALL FTP clients and servers OUTSIDE of VM/CMS are going to be SSH-based Tectia. They won't be able to talk to us, and we won't be able to talk to them. :(

-Mike

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Alan Altmark
Sent: Wednesday, December 17, 2008 11:16 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: SSH For z/VM

-snip-
Re: SSH For z/VM
There are no publicly/commercially available implementations of SSH (inbound or outbound) for VM/CMS. I have been asking for a long time and the most polite answer I get is to use a linux virtual machine as a communications intermediary. I have also gotten answers like VM doesn't need SSH because it is just a host for the real work in linux. When I asked the people who do have a commercial implementation for z/OS if/when they would have any kind of a VM/CMS implementation, they said it wasn't planned at all.

/Tom Kern

On Wed, 17 Dec 2008 09:32:17 -0500, Michael Coffin michaelcof...@mccci.com wrote:
> Hi Folks, I know IBM's TCPIP does not support SSH or SSH based SFTP, but does anybody know of any third party products that provide SSH and Secure FTP over SSH to VM/CMS environments? This would be for z/VM 5.4.
>
> PS: Please don't say Just use Linux, this is a VM/CMS production environment - Linux is not an option (unless it is acting as some kind of intermediate gateway, i.e. the SFTP connection is made to a Linux guest, who then deciphers the data stream and sends it unencrypted to the VM/CMS FTP server over a private LAN - and vice/versa for FTP's outbound from VM/CMS to some remote SFTP server).
>
> -Mike
Re: SSH For z/VM
On Wednesday, 12/17/2008 at 11:57 EST, Michael Coffin michaelcof...@mccci.com wrote:
> Yes. It's not a technical problem so much as a policy problem. SSL/TLS works perfectly (well, maybe 1 bug that I know of) on VM/CMS, it's not the problem.

FWIW, there is exactly ONE requirement open for SSH on VM and it is for inbound support of ssh3270.

> A client of mine (you know who I mean Alan) somehow came to the conclusion that Tectia is an Enterprise-wide secure FTP solution, perhaps based on all the spin it has been getting lately (including in z/Journal). So, without REALLY knowing WHAT the Enterprise consisted of, they went forth and procured this product and have mandated that all FTP shall be via Tectia secure FTP. Just one tiny little problem, Tectia is ENTIRELY SSH-based (no SSL/TLS support), and has neither a client nor server component for VM/CMS.

That doesn't sound like a security policy so much as a certified parts list.

> So there's my problem in a nutshell. ALL FTP clients and servers OUTSIDE of VM/CMS are going to be SSH-based Tectia. They won't be able to talk to us, and we won't be able to talk to them. :(

Needless to say, I detest security policies that are nothing more than a description of a particular implementation of the policy. I cannot keep security policies from exceeding the capabilities of all platforms to which it will be applied. That is the job of those who review said policies. Since you can't get blood from a stone, I guess Management will have to select from the available options:

- Make the security policy state the SECURITY REQUIREMENT, not the IMPLEMENTATION, so that the implementation can change as technology changes. (If SSL/TLS is so bad, why is it ok for http? Oh. So it's not a security issue? It's just about enforcing a fave interactive and file transfer protocol standard? OK, but don't do it under color of authority.)
- File an exception and use SSL/TLS
- Write or contract for your own ssh implementation on VM
- Use an intermediary (more RYO or contracting)
- Transfer data using https using a pull model

Alan Altmark
z/VM Development
IBM Endicott
Re: SSH For z/VM
Alan Altmark wrote:
> FWIW, there is exactly ONE requirement open for SSH on VM and it is for inbound support of ssh3270.

I can't comment about the effort involved in setting up an SSL server and cert database on z/VM. However in the unix world, I've set up and run both local SSL certificate authorities, SSL certified application networks (e.g. ldap client and server with certs on both sides), and obviously use SSH quite a lot in daily life.

What I get out of all of this is that SSL is not meant for mere mortals. It's a certifiable pain to set up and maintain over time. Pun intended. :-)

SSH, while it obviously trades some security, is convenient. It pretty much just works, with little or no admin intervention required.

Ergo, I can understand people wanting SSH connections to z/VM. What they're really saying is they want a boost in security that is convenient to use and administer. Unfortunately, SSL may give the security, but only at considerable overhead. SSH is just the name of the service / product seen to give that desired trade off in other environments, and is thus the obvious name looked for.

A classic case of specifying the solution instead of the problem? Yes. Also a classic case of a real need that is currently not easy to meet, though.

--
Pat
Re: SSH For z/VM
Hi Alan, I completely agree with everything you said. One of the things that drives me nuts is that FTP has been labeled as being bad, so it has to be encrypted. Meanwhile just about ANY other file transfer protocol doesn't (shared Windows network drives, Samba, NJE spooling, 3270 transfers using IND$FILE, etc. etc.). If we were using just about ANY other protocol we wouldn't even have to deal with this.

SSL/TLS is working perfectly (and yes, it took a little work, but once you get it set up correctly you really don't have to worry about it - unless you are using certificates with short lives and plan on constantly updating them). I think we're just going to have to dig in our heels and say Sorry, if you want to FTP to/from our VM/CMS system you MUST support SSL/TLS.

PS: Thanks to Ray Mrohs for the lead on MOVEit, which COULD be used as an intermediate server to accept SSH and retransmit using SSL/TLS: http://www.stdnet.com/products/?category_number=3subcategory_number=1 Unfortunately this would introduce tremendous overhead, delivery delays (many of our files are 2GB each) and programming changes that don't make it a good candidate for us (but it might be useful for others who find themselves in a similar situation where SSH has been mandated for use, despite the fact that SSL/TLS is the supported process for VM/CMS).

-Mike

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Alan Altmark
Sent: Wednesday, December 17, 2008 4:42 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: SSH For z/VM

-snip-
Re: ssh
On Thursday, 12/13/2007 at 11:52 EST, Adam Thornton [EMAIL PROTECTED] wrote:
> Or you can use SSLSERV and just do ssl-wrapped telnet, which isn't ssh but is pretty much as good in terms of protecting your traffic.

c/is pretty much as/is just as/

Alan Altmark
z/VM Development
IBM Endicott
Re: ssh
> But I don't think any of it is OpenSSH. I don't know if PuTTY supports a daemon function to handle inbound transactions.

It doesn't. PuTTY is outbound only.

A non-OpenSSH example is PuTTY. This is a collection of programs for the Windows environment. There is a program that does the terminal traffic (like the TN3270 client in CMS). A PSCP program that does the SCP sub-protocol. A PSFTP command to do the SSH secure ftp-like file transfers. And a PLINK command to do remote commands via SSH protocol.

This is probably the best route to getting at least client function going. The 3 commands above are fairly independent, and the command-line orientation is fairly straightforward to read and understand. There is a bunch of code that would have to be written to handle SFS file syntax if you wanted full function, but the simple file case of the current directory, wouldn't be too bad.

I can provide a VM userid and a C compiler if someone wants to work on it. We're a teeny bit busy at the moment...8-)

-- db
Re: ssh
On Thu, Dec 13, 2007 at 12:17 PM, in message [EMAIL PROTECTED], Thomas Kern [EMAIL PROTECTED] wrote:
-snip-
> But I haven't heard anyone really trying to get CMS to talk to remote SSH servers.

But, he's trying to go the other way, i.e., have an SSH client talk to CMS.

Mark Post
Re: ssh
We're not trying... But we'd love to have an ssh command on z/VM, just for non-interactive access to linux. scp and sftp would be a bonus. I'd just like to be able to do something like the following on z/VM CMS:

ssh [EMAIL PROTECTED] -c "uname -a"

Substitute your favorite configuration or query command within the quotes, and you have a method to talk to your Linux guests to handle many simple problems.

--
Robert P. Nix
Mayo Foundation
RO-OE-5-55
200 First Street SW
Rochester, MN 55905
507-284-0844
"In theory, theory and practice are the same, but in practice, theory and practice are different."

On 12/13/07 12:59 PM, Mark Post [EMAIL PROTECTED] wrote:
-snip-
Re: ssh
Sorry, I did misread the original posting. I am so used to the outbound problems, I just assumed that was what he wanted.

/Tom Kern

Mark Post wrote:
-snip-
Re: ssh
Alan Altmark wrote:
> This is incorrect. As of z/VM 5.3 the CMS ftp client, telnet client, the ldap client utilities, and the SMTP server (which is also an SMTP client) are SSL-enabled. This is in addition to the updates to the telnet and ftp servers to support negotiated (aka explicit) SSL, as is required to do secure SMTP, in addition to their existing support for static or implicit SSL.

Do the new CMS clients really use the SSL server to do the encryption or is there encryption code in each client?

> The ssh and scp client-side commands have generated more interest than an ssh server. With an ssh client you do all sorts of automated management things, including allocating storage in the disk controllers! Also centralizing userid management, server backups, webserver configuration.
>
> Thinking about implementing a server, OTOH, gives me a migraine and heart palpitations. Among other things, it introduces a significant challenge because of the expectation (reasonable or not) that it would allow fullscreen interaction. And I'm not convinced the benefit would be worth the expense.

My first choice would be for the client-side command-line processes. I understand that creating an inbound SSH protocol server would be difficult but I would definitely accept a LINEMODE interaction because I think that the screen manipulation is probably best done on the client side of that transaction. Let z/VM deliver line by line and let a PuTTY type program use my PC screen whatever way I set it up.

> Alan Altmark
> z/VM Development
> IBM Endicott

/Tom Kern
Re: ssh
There is a SCIF package on the IBM Downloads page that is useful for this, but the secondary user interface is sometimes difficult to automate.
http://www.vm.ibm.com/download/packages/descript.cgi?SCIF

/Tom Kern

Brian Nielsen wrote:
> On Thu, 13 Dec 2007 13:03:18 -0600, RPN01 [EMAIL PROTECTED] wrote:
> -snip-
>
> I do that via the SECUSER interface. I got fancy and wrote a short REXX EXEC that uses the STARMSG service in a pipeline to give me an interactive session and log the console traffic to a file on my A-disk. It's on my todo list to make a version to pass one or more commands non-interactively to a list of Linux guests.
>
> Brian Nielsen
Re: ssh
On Thu, 13 Dec 2007, Alan Altmark wrote:
> The ssh and scp client-side commands have generated more interest than an ssh server. With an ssh client you do all sorts of automated management things, including allocating storage in the disk controllers!

Yes. The client gives a lot of mileage. Also, the OE support which is already in z/VM goes a long way toward making it happen. (The SSH executable from USS actually does run on OpenVM. It croaks when you try to generate entropy for anything other than the usage message.)

> Thinking about implementing a server, OTOH, gives me a migraine and heart palpitations. Among other things, it introduces a significant challenge because of the expectation (reasonable or not) that it would allow fullscreen interaction. And I'm not convinced the benefit would be worth the expense.

Nhhh. We also (as a community) very much SSH access into z/VM.

I know of one site that uses Linux to proxy their SSH traffic. What happens is that you (appear to) SSH into VM and the port 22 traffic is magically handed over to port 22 (and 'sshd') on Linux. You wind up in BASH. Once in Linux, you get cms hcp pipe to drive the respective environments. They connect from the Linux virtual machine where SSH runs back to an agent on your very own CMS virtual machine, so the commands run with your credentials and in your environment.

Obviously, fullscreen programs don't work in this context. But some fullscreen programs can be re-done to get a similar effect using Linux-side resources. (eg: 'peek' would snag the RDR file and throw it into a Linux editor)

*** DETAILS ***

'cms' issues a CMS command and returns the output to your Linux session. CMS programs which require input are not recommended here. CMS programs which drive fullscreen (eg: XEDIT) don't work here.

'hcp' issues CP commands. These are safer because you are much less likely to get into an input mode on your v-machine. 'hcp' captures the CP output (so it is more than just shorthand for 'cms cp' which would drop the CP output on the v-machine console).

'pipe' is the baby! You get input from and output to the Linux side while driving any arbitrary CMS Pipeline. A simplistic example is pipe cms which then reads CMS commands from stdin until EOF (usually Ctrl-D) and writes output to stdout. I find this utility really useful.

-- R;
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
Re: SSH in TCP/IP for VM
On Tuesday, 07/31/2007 at 12:21 EDT, Roland P. Chung [EMAIL PROTECTED] wrote:
> Hello Listers, could any one tell me in which release of TCP/IP for VM SSH is available? TIA

There is no IBM-provided SSH server or client for z/VM. Right now, I have inferred a consensus in the community that an SSH client would be more useful to more people than an SSH daemon. This is primarily due to the ease of using CMS as a scripting environment and the fact that z/VM has secure telnet (client and server) today.

advert
If you would like to see this or any other new functionality in z/VM, please work with your fave global or regional user group to get them to sponsor a requirement to IBM. If you are not affiliated with a user group, you should be. [If there isn't one in your area, there's probably a need for one!] But if that just isn't in the cards, the Support Center can open an individual requirement on your behalf or put you on the Interested Parties list of an existing requirement.
/advert

Alan Altmark
z/VM Development
IBM Endicott
Re: SSH in TCP/IP for VM
Thanks Alan. I will talk to the customer about that.

...Roland

Alan Altmark [EMAIL PROTECTED] wrote:
> On Tuesday, 07/31/2007 at 12:21 EDT, Roland P. Chung wrote:
> > Hello Listers, could any one tell me in which release of TCP/IP for VM SSH is available? TIA
>
> There is no IBM-provided SSH server or client for z/VM.
> --snipped --
> Alan Altmark
> z/VM Development
> IBM Endicott
Re: SSH in TCP/IP for VM
Some Future Release. SSH is not available with the IBM TCPIP stack.

From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Roland P. Chung
Sent: Tuesday, July 31, 2007 12:21 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: SSH in TCP/IP for VM

> Hello Listers, could any one tell me in which release of TCP/IP for VM SSH is available? TIA
>
> ...Roland
Re: SSH and VM
Sine Nomine Associates has a SSH appliance that runs in a Linux virtual machine, but it might be only for TN3270 traffic. I'm sure David or Adam will pipe in with details, or check the web site.

Brian Ferguson wrote:
> Hello, I'm getting a request to improve security on my VM system by replacing the existing REXEC service with SSH. (Like the MVS guys did...) And I've looked around and I'm wondering if someone could direct me to a short explanation on just where SSH for a VM system could be found. z/VM 5.2
>
> Thanks
> Brian Ferguson

--
Rich Smrcina
VM Assist, Inc.
Phone: 414-491-6001
Ans Service: 360-715-2467
rich.smrcina at vmassist.com
Catch the WAVV! http://www.wavv.org
WAVV 2007 - Green Bay, WI - May 18-22, 2007
Re: SSH and VM
> And I've looked around and I'm wondering if someone could direct me to a short explanation on just where SSH for a VM system could be found. z/VM 5.2

AFAIK, there isn't one (yet). SSH operates on some assumptions that are very hard to implement in the VM model. We've built a proxy appliance that can be used to completely contain REXEC within the VM system and front-end remote execution processing, but it does take some integration work to work with the CMS environment.