Getting sshfs to work to z/OS

You can “mount” a remote file system as a local directory using sshfs (ssh file system).

Getting this working was a challenge. I do not know if it is an FTP problem, or a z/OS problem.

The command, from Linux, is

sshfs colin@10.1.1.2: ~/mountpoint

where mountpoint is a local directory, and my z/OS system is on 10.1.1.2.

This flows into the SSH daemon (SSHD) on z/OS which handles the handshake and encryption.

For the IBM provided SSHD, the /etc/ssh/sshd_config config file has

Subsystem sftp /usr/lib/ssh/sftp-server 

Where /usr/lib/ssh/sftp-server is the executable to do the work. The IBM supplied object is a load module. You could replace this with a script or other module.

Once the session has been established you can access the files, as if they were on the local system.

What is running on z/OS?

If you use the ps -ef command it displays

     UID        PID       PPID  CMD                                               
OMVSKERN 50397264 67174474 /usr/sbin/sshd -f /etc/ssh/sshd_config -R
COLIN 67174482 50397264 /usr/sbin/sshd -f /etc/ssh/sshd_config -R
COLIN 50397267 67174482 sh -c /usr/lib/ssh/sftp-server
COLIN 83951719 50397267 /usr/lib/ssh/sftp-server

This shows the calling chain – the first (SSHD) is at the top, and the last, /usr/lib/ssh/sftp-server, is doing the work to process the files.

The shell used depends on the OMVS(PROGRAM()) defined for the userid.
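As an added example (not from the original post), the shell functions below walk the PID/PPID columns of the listing above to show which program launched sftp-server and under which userid. They assume the four-column layout shown on this page; the names sftp_chain and launching_shell are made up for illustration, and the sample listing is copied from above.

```shell
# Sample input: the ps listing from this page (UID PID PPID CMD layout).
sample_ps='     UID        PID       PPID  CMD
OMVSKERN 50397264 67174474 /usr/sbin/sshd -f /etc/ssh/sshd_config -R
COLIN 67174482 50397264 /usr/sbin/sshd -f /etc/ssh/sshd_config -R
COLIN 50397267 67174482 sh -c /usr/lib/ssh/sftp-server
COLIN 83951719 50397267 /usr/lib/ssh/sftp-server'

# sftp_chain LISTING [TARGET]: print "pid uid command" for the target process
# and each of its ancestors found in the listing, child first.
sftp_chain() {
  printf '%s\n' "$1" | awk -v target="${2:-/usr/lib/ssh/sftp-server}" '
    NR == 1 { next }                        # skip the header line
    {
      pid = $2; uid[pid] = $1; ppid[pid] = $3
      cmd = $4; for (i = 5; i <= NF; i++) cmd = cmd " " $i
      cmdline[pid] = cmd
      if ($4 == target) start = pid         # the process doing the file work
    }
    END {
      if (start == "") exit 1               # target not in the listing
      for (p = start; p in cmdline; p = ppid[p]) {
        print p, uid[p], cmdline[p]
        if (++hops > 32) break              # guard against a PPID loop
      }
    }'
}

# launching_shell LISTING [TARGET]: the program that started the target,
# that is, the first word of the command on the second line of the chain.
launching_shell() {
  sftp_chain "$1" "$2" | awk 'NR == 2 { print $3 }'
}

sftp_chain "$sample_ps"
echo "sftp-server was launched by: $(launching_shell "$sample_ps")"
```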

When did sshfs work?

If I had OMVS(PROGRAM(‘/bin/sh’)) then the sshfs worked ok, I could use the files as expected.

If the program was for bash or for zsh, then the data as seen from Linux was in EBCDIC and so was not usable.
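A quick way to check for this failure from the Linux side, as an added example that is not part of the original post: classify the bytes of a small text file read through the mount. This is a heuristic based on the EBCDIC letter and digit ranges, the function names are made up for illustration, and the sample bytes are constructed (“Hello z/OS” followed by a newline, encoded in IBM-1047).

```shell
# classify_encoding: read bytes on stdin and print ascii, ebcdic, binary or empty.
# Usage on a mounted file (hypothetical path): classify_encoding < ~/mountpoint/.profile
classify_encoding() {
  od -An -v -tu1 | awk '
    {
      for (i = 1; i <= NF; i++) {
        b = $i + 0; total++
        # ASCII text: tab, LF, CR and the printable range 0x20-0x7E
        if (b == 9 || b == 10 || b == 13 || (b >= 32 && b <= 126)) ascii++
        # EBCDIC letters a-z (0x81-0xA9), A-Z (0xC1-0xE9) and digits (0xF0-0xF9);
        # plain ASCII text never contains bytes in these ranges
        if ((b >= 129 && b <= 169) || (b >= 193 && b <= 233) || (b >= 240 && b <= 249)) high++
      }
    }
    END {
      if (total == 0)            print "empty"
      else if (ascii == total)   print "ascii"
      else if (high * 2 > total) print "ebcdic"   # mostly EBCDIC letters/digits
      else                       print "binary"
    }'
}

# Constructed sample: "Hello z/OS" plus NL (0x15) in IBM-1047, as octal escapes.
sample_ebcdic() {
  printf '\310\205\223\223\226\100\251\141\326\342\025'
}

echo "constructed EBCDIC sample: $(sample_ebcdic | classify_encoding)"
echo "same text in ASCII:        $(printf 'Hello z/OS\n' | classify_encoding)"
```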

So how do I use zsh or bash?

I got round this problem…

I specified the userid as having OMVS(PROGRAM(‘/bin/sh’)), and changed to use the bash shell in the logon script.

If I logon with ssh colin@10.1.1.2 then the following environment variables are available in /etc/profile and ~/.profile.

SSH_CLIENT="10.1.0.2 44898 22"
SSH_CONNECTION="10.1.0.2 44898 10.1.1.2 22"
SSH_TTY="/dev/ttyp0000"

In my ~/.profile I’ve put

if [[ ! -z "$SSH_CLIENT" ]]
then
  set -x   # trace the commands that follow
  # SSH_CLIENT has a value ... so an SSH terminal
  # bash="/usr/lpp/Rocket/rsusr/ported/bin/bash"
  bash="/u/zopen/usr/local/bin/bash"
  echo "shell $SHELL bash $bash"
  # quote both sides so the right-hand side is compared as a string, not a pattern
  if [[ "$SHELL" != "$bash" ]]
  then
    echo "using the bash shell"
    export SHELL="$bash"
    exec "$bash" # replace the current shell with bash
    # any code after the exec is not executed
  fi
fi

This says: if the $SSH_CLIENT variable is not the empty string (the session came in over an ssh connection) and $SHELL is not already bash, then exec $bash, which replaces the current shell with /u/zopen/usr/local/bin/bash.

With this I could use both sshfs for remote file access, and ssh for terminal access.

If there are better ways of doing this, please let me know.

Setting up sftp on z/OS with ADCD

SFTP is an FTP implementation from openssl; it copies files to and from Unix Services.

The documentation z/OS OpenSSH User’s Guide (SC27-6806-50) is very good. It is clear, and answered most of my questions.

The ADCD implementation is not 100% complete, but it does not take much to fix it.

Background

The server runs in Unix Services. When you use “START SSHD”, it runs the started task SSHD which attaches a process in Unix Services, and then the started task ends! If you use the operator command “D A,SSH*” it will show it is running in Unix Services.

The documentation has several ways of stopping it – I just use cancel!

Messages are written to the syslog daemon.

It uses port 22. ADCD.Z24C.TCPPARMS(PROF2) has the statement

PORT                                                                 
    ...                         
    22 TCP SSHD*               ; port for sshd daemonrver            

This means that jobs SSHD* are authorised to use port 22.

Getting it working

Configure syslogd

See Setting up syslogd on z/OS.

To capture messages produced by SSHD, you need syslogd configured for SSHD. For example, add this line to /etc/syslog.conf:

*.SSHD.*.* /var/log/SSHD

Generate the missing certificates

From IBMUSER in OMVS, I issued

/usr/sbin/sshd -f /etc/ssh/sshd_config

This reported two cipher specs were missing. I used the command

ssh-keygen -A

This gave me

ssh-keygen: generating new host keys: ECDSA ED25519

Starting the sshd server

Use the operator command D A,SSH* to see if it is already running. If you want to restart it, cancel it using the operator command C SSHD…

Issue the operator command start SSHD. The started task will start, and then end, but will leave a Unix Services task running.

Note: After IPL, D SSH* gives

SSHD     SSHD     *OMVSEX  OWT  SO  A=0042   PER=NO   SMC=000 
                                    WUID=STC03715 USERID=START1       
                                    WKL=STARTED  SCL=STCLOM   P=1    
                                    

After SSHD is cancelled and restarted the output is

SSHD3    STEP1    START1   OWT  AO  A=0034   PER=NO   SMC=000       
                                    WUID=STC03701 USERID=START1      
                                    WKL=SERVERS  SCL=SRVOMVS  P=1    
                                    

so its workload behaviour may be different.

Use it

From my Linux machine I was able to use sftp colin@10.1.1.2.