Mainframe OpenSSH
November 2005
March 2008
IBM Ported Tools for z/OS User's Guide
"IBM Ported Tools for z/OS contains the following ported application: OpenSSH.
OpenSSH provides secure encryption for both remote login and file transfer. Some of the
utilities that it includes are:
- ssh, a z/OS client program for logging into a z/OS shell. It can also be used to log into
other platforms' UNIX shells. It is an alternative to rlogin.
- scp for copying files between networks. It is an alternative to rcp.
- sftp for file transfers over an encrypted ssh transport. It is an interactive file
transfer program similar to ftp.
- sshd, a daemon program for ssh that listens for connections from clients. The IBM Ported
Tools for z/OS implementation of sshd supports both SSH protocol versions 1 and 2
simultaneously. The default sshd configuration runs only Protocol Version 2."
Simply stated, these tools provide encrypted access to and from mercury's z/OS UNIX
environment. They do not operate on MVS datasets, although workarounds exist for dealing
with such datasets (copying between datasets and z/OS UNIX files). There are limitations
and concerns about exactly how this will fit into our existing practices.
Assumptions:
- Connections will be initiated from mercury to less secure locations, i.e. Windows servers
or UNIX servers outside the firewall.
- Connections between the mainframe and ISDS servers can be initiated by either, i.e. they
are equally secure.
Limitations:
- Conversions between EBCDIC and ASCII are done automatically by the Ported Tools versions
of the OpenSSH clients (scp and sftp), i.e. only when the transfer is initiated from the
mainframe.
- Transfers initiated by another server into the mainframe's sshd are not converted. The
conversion must then be done on the mainframe, after an inbound transfer (ASCII to EBCDIC)
or before an outbound one (EBCDIC to ASCII).
- There is no simple way for a Windows PC to transfer a dataset from mercury to the PC, or
vice versa, assuming a secure method is desired. Rather than a single step, it becomes a
multi-step process, and if the first assumption holds, an intermediate server might be
necessary.
- All mainframe users utilizing these tools will require an OMVS segment in their Top
Secret security profile.
Successful Testing:
- Automatic (public/private key) authentication between mercury and is-delphi.
- Automatic (public/private key) authentication between mercury and
fa1.finadmin.virginia.edu.
- Automatic (public/private key) authentication between mercury and
es-update.eservices.virginia.edu (Windows server running VShell).
- Batch JCL submission to get or put files to and from is-delphi and es-update.eservices.
Questions remaining:
- How will PC users transfer files to and from the mainframe? Can FTP continue to be used,
on the grounds that a VPN connection is already required to reach it?
Other notes:
EBCDIC/ASCII conversion is only done automatically when using the Ported Tools clients (scp
and sftp). Otherwise the iconv command must be run on the mainframe before putting a file to
a remote host, or after getting a file from a remote host. The Ported Tools clients can NOT
be run from within the OMVS shell under TSO, because it has no real terminal and the
password would be displayed as it is typed. However, the z/OS UNIX shell can be reached over
ssh (e.g. with SecureCRT), and an outbound connection made from there gets the built-in
EBCDIC/ASCII conversion of the Ported Tools clients. Conversion is also done when the
Ported Tools clients are run from JCL (BPXBATCH).
Examples of manual conversion (ASCII to EBCDIC, then EBCDIC to ASCII; iconv writes to
stdout, so the output must be redirected to a new file):
iconv -t IBM-1047 -f ISO8859-1 isp-db_file > isp-db_file.ebcdic
iconv -f IBM-1047 -t ISO8859-1 mainframe_file > mainframe_file.ascii
The Ported Tools only work with z/OS UNIX files, not MVS datasets. So datasets need to be
copied into z/OS UNIX (e.g. with OPUT or BPXCOPY) before a transfer to another server.
Likewise, files transferred to mercury need to be copied from z/OS UNIX into a dataset
(e.g. with OGET).
Key-based (password-less) authentication requires creating a key pair and converting the
public key between OpenSSH format and ssh.com (SECSH, RFC 4716) format, since the two are
not interchangeable. Because a batch job cannot answer a passphrase prompt, the private key
has no passphrase and is protected by file permissions alone: ~/.ssh and ~/.ssh/id_dsa must
be accessible only to the batch userid (modes 700 and 600), and on the remote side the key
should be limited to the account and commands the job needs.
For transferring from mercury (mercury is the ssh client):
On mercury, create the OpenSSH key pair and export the public key in ssh.com format:
ssh-keygen -t dsa (do not enter a passphrase when requested)
ssh-keygen -e -f ~/.ssh/id_dsa.pub > mercury.pub
Copy the ssh.com format key (mercury.pub) to the remote host and install it there. Note
that OpenSSH 7.0 and later disable DSA keys by default, so on current systems generate an
RSA or ed25519 key instead.
VSHELL:
VShell expects the ssh.com format, i.e. the mercury.pub produced by ssh-keygen -e above,
not the OpenSSH id_dsa.pub.
For transferring to mercury (mercury is the ssh server):
Copy/paste the public key from the remote host into a file on mercury. (The Ported Tools
expect their key and configuration files in EBCDIC, so a key file that arrives through a
transfer initiated by the remote side must be run through iconv first.)
If that key is in ssh.com (SSH protocol version 2, RFC 4716) format, convert it to the
OpenSSH public key format and append it to authorized_keys. Use >> rather than >, or any
keys already authorized are discarded:
ssh-keygen -i -f remote.pub >> ~/.ssh/authorized_keys
(remote.pub stands for whatever file the key was pasted into.) A key exported by another
OpenSSH host is already in OpenSSH format and is appended as is, without -i.
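The ssh-keygen -e and -i steps are the whole of the format conversion. The following is an added example, not from this page or from IBM, that does the same conversion in Python so the formats can be seen and checked: it reads the key type out of the binary blob, writes and parses the ssh.com/RFC 4716 wrapper (including a Comment header continued across lines with a trailing backslash), accepts either format as input so -i is never applied to a key that is already OpenSSH, and appends to authorized_keys only when that key is not already present. The SAMPLE_BLOB, its toy modulus and the comment userid@mercury are constructed for the example and are not a usable key.

```python
# OpenSSH <-> RFC 4716 (ssh.com) public key conversion, as ssh-keygen -e / -i do.
# Added example; the sample key at the bottom is constructed and is not a real key.
import base64
import struct
import sys

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint (non-negative; a 0x00 byte is prepended when the high bit is set)."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b""
    return _ssh_string(raw)


def key_type_from_blob(blob: bytes) -> str:
    """The key type ('ssh-dss', 'ssh-rsa', ...) is the first SSH string inside the blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or n > len(blob) - 4:
        raise ValueError("malformed key blob")
    return blob[4:4 + n].decode("ascii")


def parse_openssh(line: str):
    """Split 'type base64 [comment]' and check that the declared type matches the blob."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)
    if key_type_from_blob(blob) != parts[0]:
        raise ValueError(f"declared type {parts[0]!r} does not match the key blob")
    return parts[0], blob, (parts[2] if len(parts) == 3 else "")


def to_rfc4716(openssh_line: str, width: int = 70) -> str:
    """ssh-keygen -e: OpenSSH one-line form -> RFC 4716, base64 wrapped to 'width' columns."""
    _, blob, comment = parse_openssh(openssh_line)
    b64 = base64.b64encode(blob).decode("ascii")
    lines = [BEGIN]
    if comment:
        lines.append(f'Comment: "{comment}"')
    lines.extend(b64[i:i + width] for i in range(0, len(b64), width))
    lines.append(END)
    return "\n".join(lines) + "\n"


def from_rfc4716(text: str) -> str:
    """ssh-keygen -i: RFC 4716 -> OpenSSH one-line form ('type base64 comment')."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    if len(lines) < 2 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 BEGIN/END markers")
    headers, body, pending = {}, [], None
    for ln in lines[1:-1]:
        if pending is not None:                 # continuation of a header value
            name, value = pending[0], pending[1] + ln
        elif ":" in ln:                         # base64 never contains ':'
            name, value = ln.split(":", 1)
            name, value = name.strip(), value.lstrip()
        else:
            body.append(ln.strip())
            continue
        if value.endswith("\\"):                # trailing backslash: value continues on next line
            pending = (name, value[:-1])
        else:
            headers[name.lower()], pending = value, None
    if pending is not None:
        raise ValueError("unterminated header continuation")
    blob = base64.b64decode("".join(body), validate=True)
    comment = headers.get("comment", "")
    if len(comment) >= 2 and comment[0] == comment[-1] == '"':
        comment = comment[1:-1]
    line = f"{key_type_from_blob(blob)} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line


def to_openssh(text: str) -> str:
    """Accept either format; OpenSSH input is validated and passed through unchanged."""
    if text.lstrip().startswith(BEGIN):
        return from_rfc4716(text)
    ktype, blob, comment = parse_openssh(text)
    line = f"{ktype} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line


def merge_authorized_keys(existing: str, openssh_line: str) -> str:
    """Append a key to authorized_keys text unless the same blob is already present."""
    _, blob, _ = parse_openssh(openssh_line)
    for ln in existing.splitlines():
        try:
            if parse_openssh(ln)[1] == blob:
                return existing
        except ValueError:                      # blank, comment or option-prefixed line
            continue
    if existing and not existing.endswith("\n"):
        existing += "\n"
    return existing + openssh_line.strip() + "\n"


# Constructed sample: a structurally valid ssh-rsa blob with a toy modulus. Not a usable key.
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE1234567890ABCDEF)
SAMPLE_OPENSSH = f"ssh-rsa {base64.b64encode(SAMPLE_BLOB).decode('ascii')} userid@mercury"

if __name__ == "__main__":                      # usage: python keyconv.py < remote.pub
    sys.stdout.write(to_openssh(sys.stdin.read()) + "\n")
```

The type check in parse_openssh is the point of reading the blob: a line whose first word says ssh-rsa but whose blob starts with ssh-dss is rejected rather than silently written into authorized_keys.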
Example of copying a file from is-delphi to mercury, initiated on is-delphi (so the transfer
itself does no conversion and iconv must be run on mercury afterwards):
scp mercury.txt userid@mercury.itc.virginia.edu:/home/userid/mercury.txt
ssh userid@mercury.itc.virginia.edu "iconv -t IBM-1047 -f ISO8859-1 mercury.txt > mercury.txt.ebcdic"
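The iconv calls in the notes above and in this example are the whole of the conversion, and the usual failure is running one in the wrong direction or twice: an EBCDIC file converted "to EBCDIC" again is silently corrupted, and the transfer still reports success. The following added example, not from this page or from IBM, is a small Python converter that first decides which encoding a text file is in and then refuses to convert a file that already looks like the target. Python has no IBM-1047 codec, so the table is derived from the standard cp037 codec under the assumption that the two pages differ only at the six code points patched in the code, plus z/OS's convention that X'15' is the text line terminator and is exchanged with LF; the sample JCL line is constructed.

```python
# IBM-1047 <-> ISO8859-1 text conversion with a direction check.
# Added example. Python has no cp1047 codec; the table is built from the stdlib cp037
# codec, patched at the code points where cp037 and cp1047 differ (assumption: exactly
# these six), and with z/OS's treatment of X'15' (NL) as the newline exchanged with LF.
import string
import sys

_table = list(bytes(range(256)).decode("cp037"))        # EBCDIC byte -> Latin-1 char
_table[0x5F], _table[0xB0] = "^", "\u00ac"              # ^ and NOT SIGN swap places
_table[0xAD], _table[0xBA] = "[", "\u00dd"              # [ and Y-acute
_table[0xBD], _table[0xBB] = "]", "\u00a8"              # ] and diaeresis
_table[0x15], _table[0x25] = "\n", "\u0085"             # NL is the z/OS newline; LF <-> NEL
IBM1047_TO_LATIN1 = "".join(_table)
LATIN1_TO_IBM1047 = {ch: b for b, ch in enumerate(IBM1047_TO_LATIN1)}
assert len(LATIN1_TO_IBM1047) == 256                    # the table must stay a bijection


def ebcdic_to_ascii(data: bytes) -> bytes:
    """Same mapping as: iconv -f IBM-1047 -t ISO8859-1"""
    return "".join(IBM1047_TO_LATIN1[b] for b in data).encode("latin-1")


def ascii_to_ebcdic(data: bytes) -> bytes:
    """Same mapping as: iconv -t IBM-1047 -f ISO8859-1"""
    return bytes(LATIN1_TO_IBM1047[ch] for ch in data.decode("latin-1"))


_PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " \t\r\n")


def _text_score(data: bytes) -> int:
    """How many bytes read as printable ASCII text."""
    return sum(1 for ch in data.decode("latin-1") if ch in _PRINTABLE)


def detect_encoding(data: bytes) -> str:
    """'ascii' or 'ebcdic' for a text sample; raises when the sample cannot be told apart."""
    as_ascii = _text_score(data)                         # read the bytes as they are
    as_ebcdic = _text_score(ebcdic_to_ascii(data))       # read them as EBCDIC instead
    best = max(as_ascii, as_ebcdic)
    if not data or as_ascii == as_ebcdic or best < 0.8 * len(data):
        raise ValueError("cannot tell whether the data is EBCDIC or ASCII text")
    return "ascii" if as_ascii > as_ebcdic else "ebcdic"


def convert(data: bytes, target: str) -> bytes:
    """Convert text to 'ascii' or 'ebcdic', refusing to convert in the wrong direction."""
    if target not in ("ascii", "ebcdic"):
        raise ValueError("target must be 'ascii' or 'ebcdic'")
    if detect_encoding(data) == target:
        raise ValueError(f"input already looks like {target}; refusing to convert it again")
    return ascii_to_ebcdic(data) if target == "ebcdic" else ebcdic_to_ascii(data)


# Constructed sample: one JCL line as it would sit in an ASCII file on is-delphi.
SAMPLE_ASCII = b"//STEP010 EXEC PGM=IKJEFT01\n"

if __name__ == "__main__":                              # usage: python conv.py ebcdic < in > out
    sys.stdout.buffer.write(convert(sys.stdin.buffer.read(), sys.argv[1]))
```

The detection scores a sample both ways and requires a clear winner; a file that scores badly both ways (binary data, or a load module that was never text) is refused instead of guessed at, which is the case where a blind iconv does the most damage.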
Samples of JCL (several tools can be used: BPXBATCH, TSO batch under IKJEFT01, OGET/OPUT).
Copies a mercury z/OS UNIX file to is-delphi by running sftp in batch mode under BPXBATCH.
Batch mode (-b) cannot answer a password prompt, so it relies on the key pair set up above.
//STEPNAME EXEC PGM=BPXBATCH,
// PARM='sh sftp -b sftp-batch userid@is-delphi.admin.virginia.edu'
//SYSPRINT DD SYSOUT=*
//STDOUT DD PATH='/home/userid/bpxout.txt',
// PATHOPTS=(OCREAT,OTRUNC,OWRONLY),PATHMODE=SIRWXU
//STDERR DD PATH='/home/userid/bpxerr.txt',
// PATHOPTS=(OCREAT,OTRUNC,OWRONLY),PATHMODE=SIRWXU
//
/home/userid/sftp-batch on mercury contains (the ascii command turns on EBCDIC/ASCII
conversion for the put that follows):
cd /home/userid
lcd /home/userid
pwd
lpwd
ascii
put hello.c
Or put the sftp commands into a file, to allow them to be maintained via JCL. The sample
writes it to /tmp/userid; since /tmp is writable by everyone, a predictable name there can
be pre-created or symlinked by another user so that the job writes, or later reads, a
different file than intended, so in practice use a path under the submitting userid's home
directory instead:
//STEP010 EXEC PGM=IKJEFT01
//OUTHFS DD PATH='/tmp/userid',
// PATHOPTS=(OCREAT,OTRUNC,OWRONLY),PATHMODE=SIRWXU
//SYSIN DD *
cd /home/userid
lcd /home/userid
pwd
lpwd
ascii
put hello.c
/*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
OCOPY INDD(SYSIN) OUTDD(OUTHFS) TEXT
/*
//STEP020 EXEC PGM=BPXBATCH,
// PARM='sh sftp -b /tmp/userid userid@is-delphi.admin.virginia.edu'
//SYSPRINT DD SYSOUT=*
//STDOUT DD PATH='/home/userid/bpxout.txt',
// PATHOPTS=(OCREAT,OTRUNC,OWRONLY),PATHMODE=SIRWXU
//STDERR DD PATH='/home/userid/bpxerr.txt',
// PATHOPTS=(OCREAT,OTRUNC,OWRONLY),PATHMODE=SIRWXU
//
Another option, copying a dataset into z/OS UNIX with BPXCOPY (SYSUT1 is the input dataset,
SYSUT2 the target directory):
//XFER EXEC PGM=BPXCOPY,
// PARM='ELEMENT(TEST)'
//SYSUT1 DD DSN=DATASET.NAME,DISP=SHR
//SYSUT2 DD PATH='/tmp'
//SYSTSPRT DD SYSOUT=*