Using SSH to get to z/OS

What is SSH?

SSH is Secure SHell. It allows you to log on securely to a shell on a remote Unix-like system; on z/OS that is the OMVS (Unix System Services) shell.

SSH has little in common with SSL or TLS. For example you cannot keep SSH “certificates” in z/OS keyrings. (The documentation says you can, but it is talking about something else.)

SSH uses a different protocol and a different certificate format from TLS. You cannot use a TLS (X.509) certificate for SSH authentication because the formats are different: an SSH certificate is a public key plus identity, principal and validity fields, signed by an SSH CA key rather than by an X.509 CA.

Basic use

You can issue

ssh colin@10.1.1.2

and this will set up a secure session to the host 10.1.1.2 with the userid colin. By default it will prompt for a password. If you copy your public key to the server, you can do password-less logons.

The first time you connect to a host you are asked to confirm its host key fingerprint (along the lines of “are you sure you want to connect to this system”). ssh stores the host key in ~/.ssh/known_hosts, so on later connections it can check the host silently, and warn you if the host's key has changed.

To get out of the remote session's command prompt use exit.

Configuring the server

I've written about configuring the SSH daemon on z/OS, here.

Different ways of using SSH

Entering the ssh command and then the password may be acceptable in many cases. In others, such as within a shell script, you do not want to type the password. There are several ways of avoiding this:

  • Pass the password on the command line (ssh itself has no option for this; tools such as sshpass -p do it). The command and password can be seen in the shell history file, in the process list, and over the shoulder, so this is not secure.
  • Store the password in a file and have a tool read the file and feed the password to ssh, for example sshpass -f.
  • Use keys. You create a key pair on your client machine and copy the public key into the authorized_keys file of the userid(s) on the server. When you connect, the client proves it holds the matching private key; if that key is listed for the userid, no password is needed.
  • Use signed certificates. This makes administration much easier (well, different). You create a key pair and get an SSH Certificate Authority to generate a certificate which includes your public key, the userids (principals) it applies to, and other information such as validity dates. The server holds just a copy of the CA's public key. When you present your certificate, the server validates it with the CA's public key and accepts it; nothing has to be copied into each userid on the server.

A passphrase on the private key gives you the same problem: how do you enter the passphrase from a script? So do not specify a passphrase for a key that scripts use; or load the key into ssh-agent once (ssh-add) and let the scripts use the agent, so the passphrase is typed once and never stored.

You need to ensure that the password file, the passphrase and the private key are protected, for example so that only the owner can read them (chmod 600).

You can store connection information in ~/.ssh/config. For example

# simple ssh command
Host 10.1.0.3
        HostName 10.1.0.3
        User colin

# ssh command using certificate and keys
Host 10.1.1.2
        HostName 10.1.1.2
        User ibmuser
        IdentitiesOnly yes
        IdentityFile /home/colinpaice/ssl/ssh/colin.key
        CertificateFile /home/colinpaice/ssl/ssh/colin.key-cert.pub

# ssh command for using a key
Host ss
        HostName 10.1.1.2
        User adcda
        IdentitiesOnly yes
        IdentityFile /home/colinpaice/ssl/ssh/colin.selfsigned


If I use

  • ssh 10.1.0.3 it will use the first definition and user colin
  • ssh 10.1.1.2 it will log on to userid ibmuser, using the private key in colin.key and the (signed) certificate in colin.key-cert.pub
  • ssh ss it will log on with userid adcda using the private key in the colin.selfsigned file. Userid adcda on the server needs the matching public key (colin.selfsigned.pub) in its ~/.ssh/authorized_keys file; the private key itself must never be copied to the server.

Using plain ol’ SSH with a password

You need no special setup for this.

Using keys

You need to create the keys once, then use them in future.

You can specify different key types, for example ed25519, ecdsa and rsa (dsa is obsolete and no longer accepted by default by current OpenSSH servers). The default type depends on the OpenSSH release: rsa in older releases, ed25519 since OpenSSH 9.5. An rsa key is used with the rsa-sha2-512 or rsa-sha2-256 signature algorithms, not the old SHA-1 based ssh-rsa one.

On Linux create the user key pair with ssh-keygen -t ed25519

it prompts

Enter file in which to save the key (/home/colin/.ssh/id_ed25519):

Press enter to accept the default, or type a file name. It also creates the public key ~/.ssh/id_ed25519.pub.

You need to copy the .pub file to the server. You can use

ssh-copy-id ibmuser@10.1.1.2

to copy the public key(s) to the userid (ibmuser), appending them to that userid's ~/.ssh/authorized_keys. It will prompt for the userid's password.

To use this key, connect with

ssh ibmuser@10.1.1.2

You can explicitly say which key file to use: specify -f name on ssh-keygen, and -i name on the ssh-copy-id and ssh commands, to create and use a file name of your choosing.

The command

ssh -Q HostKeyAlgorithms

lists the host key algorithms this ssh client supports, for example

ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512

I do not know if this is a prioritised list, but the ssh-ed25519 certificate was chosen for the handshake when I had both rsa and ed25519 certificates.

ssh -Q reports what the binary supports, not the order it offers. The order actually offered to a host comes from the client's HostKeyAlgorithms setting; ssh -G 10.1.1.2 | grep -i hostkeyalgorithms prints it with ~/.ssh/config applied. Note also that HostKeyAlgorithms governs the server's host key, not your user key; the user key types the client can use are listed by ssh -Q key, and the server limits them with PubkeyAcceptedAlgorithms in sshd_config.

If you want to be able to logon to multiple userids issue the ssh-copy and ssh commands for each userid.

With this you will not need a password to log on to the server. You entered the password once, as part of the ssh-copy-id command, or otherwise copied the public key into the userid's files, so the server assumes that whoever holds the matching private key is entitled to the userid.

Note: even if you change the userid's password on the server, you can still log on using the key, because key authentication does not involve the password at all.

To stop a key being used to log on as ibmuser, remove its line from the /u/ibmuser/.ssh/authorized_keys file on the server. There can be several lines in the file, one per key. At the end of each line is a comment, which by default is the client userid@hostname of the machine that generated the key; for my client it was colinpaice@colinpaice. The comment is whatever the key's owner put there, so identify a key by its type and key material, or by its fingerprint (ssh-keygen -lf authorized_keys prints one per line), rather than by the comment. For example

ssh-ed25519 AAAAC3NzaC1...NY3Xpp50OeHB colinpaice@colinpaice
ssh-ed25519 AAAAC3NzaC1...Txwd2NxlrKKZ colin@ColinNew

This file needs restricted access (0600). sshd with StrictModes (the default) also refuses to use it if the file, the ~/.ssh directory or the home directory is writable by group or others. For example

+ ls -ltr .ssh/authorized_keys
-rw------- 1 COLIN SYS1 2256 Dec 18 08:21 .ssh/authorized_keys
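Housekeeping of authorized_keys as a script, covering the two points above: removing a key by its key material rather than its comment, and checking the owner-only permissions sshd expects. This is an added example, not code from the original post; the two key lines used in the usage are constructed sample data with fake key material (only the comments follow the post), and it assumes a GNU/Linux userland (stat -c), so on z/OS check permissions with ls -l as shown above.

```sh
#!/bin/sh
# Added example (not the post's own code): server-side housekeeping of
# ~/.ssh/authorized_keys. Assumes GNU stat (-c); sample keys in the usage
# below are constructed and do not decode to real key material.

# Print "type blob" for one public-key line, ignoring any leading
# authorized_keys options and the trailing comment. The comment is chosen
# by whoever generated the key, so it must never be used to identify one.
pubkey_material() {         # $1 = one public key line
  printf '%s\n' "$1" | awk '{
    for (i = 1; i < NF; i++)
      if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); exit }
  }'
}

# Remove every entry whose key material matches $2 (a public key line,
# e.g. the contents of colin.selfsigned.pub). Comment lines and blank lines
# are kept. Returns 0 if at least one entry was removed, 1 if none matched.
remove_authorized_key() {   # $1 = authorized_keys path, $2 = public key line
  want=$(pubkey_material "$2")
  [ -n "$want" ] || return 2
  tmp="$1.tmp.$$"
  removed=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) printf '%s\n' "$line"; continue ;;
    esac
    if [ "$(pubkey_material "$line")" = "$want" ]; then
      removed=$((removed + 1))
    else
      printf '%s\n' "$line"
    fi
  done < "$1" > "$tmp"
  # The replacement is made owner-only before it takes the original's place.
  chmod 600 "$tmp" && mv "$tmp" "$1"
  [ "$removed" -gt 0 ]
}

# How many keys can currently log on as this userid (comments/blanks excluded).
count_authorized_keys() {   # $1 = authorized_keys path
  grep -c -v -e '^#' -e '^[[:space:]]*$' "$1"
}

# sshd (StrictModes yes, the default) ignores the file when it, ~/.ssh or the
# home directory is group- or world-writable. This check is stricter: it
# insists on the owner-only modes the post shows (700 directory, 600 file).
check_ssh_perms() {         # $1 = home directory of the userid
  [ "$(stat -c %a "$1/.ssh")" = 700 ] &&
  [ "$(stat -c %a "$1/.ssh/authorized_keys")" = 600 ]
}

# Usage, with a constructed file (run with: sh this_script.sh demo):
if [ "${1:-}" = demo ]; then
  home=$(mktemp -d); mkdir "$home/.ssh"; chmod 700 "$home/.ssh"
  printf '%s\n' \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA colinpaice@colinpaice' \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB colin@ColinNew' \
    > "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  check_ssh_perms "$home" && echo "permissions ok"
  echo "keys before: $(count_authorized_keys "$home/.ssh/authorized_keys")"
  remove_authorized_key "$home/.ssh/authorized_keys" \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA any-comment'
  echo "keys after:  $(count_authorized_keys "$home/.ssh/authorized_keys")"
  rm -rf "$home"
fi
```

The removal matches on the type and base64 blob only, so a key is found even if its comment was changed or copied from another entry.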

If the logon without a password fails, use ssh -v colin@10.1.1.2 to see which keys the client offers and how the server answers, and check the SSHD log on z/OS for the server's reason.

On the client, you can list the host key(s) recorded for a server in ~/.ssh/known_hosts using

ssh-keygen -F 10.1.1.2

where 10.1.1.2 is the server name or address as you typed it on the ssh command. Use -f to search a different known_hosts file.

Using certificates

When you create a certificate the key is signed by the CA. The CA can also add information such as validity dates, and a list of userids (principals) this certificate can be used for with no password. I think this is a security exposure, as whoever signs the certificate decides the list of userids, and that is out of the control of the z/OS systems programmer. The systems programmer can take that control back on the server with AuthorizedPrincipalsFile in /etc/ssh/sshd_config: when it is set, a certificate is accepted for a userid only if one of its principals appears in that userid's principals file.

Even if you change the password on the back end, the logon will still work, unless the userid is revoked, the certificate has passed its validity dates, or the certificate has been put in the key revocation list named by RevokedKeys in sshd_config.

Wikibooks has a good article on certificates.

Logically there are three machines involved in this

  1. An isolated machine, which holds the CA private key. Public keys are sent to this machine for signing and the resulting certificates are returned.
  2. My client machine – for me this is running Ubuntu Linux.
  3. The server machine – this is z/OS

The steps I took were

  • On the isolated CA machine create a Certificate Authority. The command ssh-keygen -t ed25519 -f ~/.ssh/user_ca_key -C 'User Certificate Authority for *.example.com' created files
    • /home/colinpaice/.ssh/user_ca_key.pub
    • /home/colinpaice/.ssh/user_ca_key (the private key; it stays on this machine)
  • On z/OS I created the file /etc/ssh/user_ca_key.pub and copied the contents of user_ca_key.pub from Linux into it, using cut and paste.
  • Make the z/OS file universal read
    • chmod 644 /etc/ssh/user_ca_key.pub
  • On z/OS update /etc/ssh/sshd_config and add the following, pointing to the file just created:
    • TrustedUserCAKeys /etc/ssh/user_ca_key.pub
  • On z/OS restart SSHD
    • C SSHD3
    • S SSHD
  • On Linux create the user key pair: ssh-keygen -t ed25519 -f colin.key. This creates files
    • colin.key (the private key; it stays on the client)
    • colin.key.pub. This contains data like ssh-ed25519 AAAAC3Nz…OeHB colinpaice@colinpaice
  • Send the .pub file to the CA machine
  • On the CA machine issue ssh-keygen -s ~/.ssh/user_ca_key -I colinlog -z 0002 -n colin,joe colin.key.pub where
    • -I colinlog is the key identity, which is logged whenever the certificate is used. For example on z/OS the SSHD log file had
      • Sep 10 13:11:40 S0W1 sshd[50397213]: Accepted certificate ID “colinlog” (serial 0) signed by ED25519 CA SHA256:s…TA via /etc/ssh/user_ca_key.pub
    • -z 0002 specifies a serial number, which sshd also logs; omit it and the serial is 0, as in the log line above
    • -n colin,joe is the list of userids (principals) carried in the certificate. If you log on to z/OS userid colin or joe you will not be asked for a password.
  • This creates colin.key-cert.pub. Send this file back to the requester. It contains only public data, so it needs no special protection.
  • Connect to z/OS. On Linux
    • ssh -o CertificateFile=colin.key-cert.pub -i colin.key colin@10.1.1.2
  • You can store the configuration information in ~/.ssh/config
Host 10.1.1.2
Hostname 10.1.1.2
User colin
IdentitiesOnly yes
IdentityFile /home/colinpaice/ssl/ssh/colin.key
CertificateFile /home/colinpaice/ssl/ssh/colin.key-cert.pub

Where

  • Host is the nickname
  • Hostname is the address to use
  • User is the userid to logon to at the remote machine (z/OS)
  • IdentityFile is the private key held on my Linux machine
  • CertificateFile is the signed certificate that is presented to the server.

You can then use ssh 10.1.1.2 which will pick up the other parameters from the .ssh/config file.

This will get you into an OMVS session. Use exit to leave.
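The whole CA flow above as one script, run in a scratch directory so it can be tried without a z/OS system. This is an added example, not code from the original post: the file names, the key ID colinlog, the serial and the principals colin,joe follow the steps above; the 52-week validity (-V +52w), the revoked.krl file name and the mktemp scratch directory are assumptions. It also carries through the revocation the text only mentions, using a key revocation list (KRL), which sshd reads via the RevokedKeys setting.

```sh
#!/bin/sh
# Added example (not the post's own code): the CA signing flow from the
# steps above, run in a scratch directory. Names follow the post (user_ca_key,
# colin.key, key ID colinlog, serial 2, principals colin,joe); the 52-week
# validity and the revoked.krl file name are assumptions.

# 1. CA machine: create the CA key pair. Only user_ca_key.pub leaves this
#    machine (it becomes TrustedUserCAKeys on z/OS).
make_ca() {          # $1 = working directory
  ssh-keygen -q -t ed25519 -N '' -f "$1/user_ca_key" \
    -C 'User Certificate Authority for *.example.com'
}

# 2. Client machine: create the user's key pair. Only colin.key.pub is sent
#    to the CA; colin.key stays on the client.
make_user_key() {    # $1 = working directory
  ssh-keygen -q -t ed25519 -N '' -f "$1/colin.key" -C 'colinpaice@colinpaice'
}

# 3. CA machine: sign the public key. -n fixes the principals (userids) the
#    certificate is valid for, -V bounds its lifetime so a lost key expires
#    on its own. Output: $1/colin.key-cert.pub, which goes back to the client.
sign_user_key() {    # $1 = working directory
  ssh-keygen -q -s "$1/user_ca_key" -I colinlog -z 2 -n colin,joe \
    -V +52w "$1/colin.key.pub"
}

# Read one single-line field ("Key ID", "Serial", ...) out of ssh-keygen -L,
# which prints what sshd will see in the certificate.
cert_field() {       # $1 = certificate file, $2 = field name
  ssh-keygen -L -f "$1" | sed -n "s/^ *$2: *//p"
}

# The principals as a comma-separated list (ssh-keygen -L lists them one per
# line between "Principals:" and "Critical Options:").
cert_principals() {  # $1 = certificate file
  ssh-keygen -L -f "$1" | awk '
    /^ *Principals:/       { p = 1; next }
    /^ *Critical Options:/ { p = 0 }
    p { printf "%s%s", (n++ ? "," : ""), $1 }
    END { print "" }'
}

# 4. Revocation without touching the CA key: add the certificate to a KRL.
#    sshd consults it via "RevokedKeys /etc/ssh/revoked.krl". A certificate
#    is recorded by serial under its CA, so a re-issued certificate with a
#    new serial keeps working while this one is dead.
revoke_cert() {      # $1 = working directory
  ssh-keygen -q -k -f "$1/revoked.krl" "$1/colin.key-cert.pub"
}

# Exit 0 if the KRL lists the certificate (ssh-keygen -Q reports "REVOKED").
cert_is_revoked() {  # $1 = working directory
  ssh-keygen -Q -f "$1/revoked.krl" "$1/colin.key-cert.pub" 2>/dev/null \
    | grep -qi revoked
}

# Walk through the whole flow and show what the server would log and check.
demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d" && make_user_key "$d" && sign_user_key "$d" || return 1
  echo "Key ID:     $(cert_field "$d/colin.key-cert.pub" 'Key ID')"
  echo "Serial:     $(cert_field "$d/colin.key-cert.pub" Serial)"
  echo "Principals: $(cert_principals "$d/colin.key-cert.pub")"
  revoke_cert "$d" && cert_is_revoked "$d" && echo "after revoke_cert: REVOKED"
  rm -rf "$d"
}
```

Run it with `demo` to see the key ID, serial and principals that sshd later reports in its "Accepted certificate ID" log line. Revoking by KRL is the counterpart to removing a line from authorized_keys in the key-based setup: the client still holds a valid-looking certificate, but the server refuses it.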

Another way of doing it.

You can use ssh to copy the key around.

Generate a key (if you do not have one)

Look in ~/.ssh for a file with extension .pub; if there is one, you already have a key pair.

ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/colinpaice/.ssh/id_rsa):
/home/colinpaice/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/colinpaice/.ssh/id_rsa
Your public key has been saved in /home/colinpaice/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:7S50/Zf8Q7J2VLH71v2WBB2KEVFwyZn21aeI1Tzhk8c colinpaice@colinpaice

You can specify where to put the private and public keys by using -f /u/colin/.ssh/mykey

Copy the key to z/OS

Specify the public key file, and the target userid and destination

ssh-copy-id -i /home/colinpaice/.ssh/id_rsa.pub colin@10.1.1.2 

Connect without a password

ssh -i /home/colinpaice/.ssh/id_rsa.pub colin@10.1.1.2

The -i option is normally given the private key, /home/colinpaice/.ssh/id_rsa; according to the ssh manual page, naming the public key file instead selects the corresponding private key when that key is loaded in ssh-agent.

If I did not specify the file name, I was prompted for the password.
