Hi
I am trying to run sFTP on z/OS 1.11 and get the message
FOTS1945 ssh-rand-helper child produced insufficient data, and RC=255.
The same job runs fine on z/OS 1.9.
I've copied ssh-rand-help to /etc/ssh from the /samples directory.
What am I missing?
This is with: Co:Z cozsftp version: 1.3.2 (5.0p1) 2009-07-14
Thanks for any help
FOTS1945 message running Co:ZSFTP on z/OS 1.11
This is a message from IBM Ported Tools OpenSSH.
The best way to avoid this problem is to enable /dev/random via ICSF. This will result in much faster connection establishment and more secure random numbers. See the Ported Tools User's Guide for more information on configuring /dev/random.
If you can't use /dev/random, which requires a crypto co-processor, then the ssh-rand-helper must be used. There is information in the IBM Ported Tools User's Guide to work around the problem of insufficient random data.
The Ported Tools User's Guide can be found here:
http://www-03.ibm.com/systems/z/os/zos/ ... index.html
We also encourage customers to open a requirement with IBM to provide a /dev/random implementation on z/OS that doesn't require a crypto-coprocessor. /dev/random is available on Linux, Solaris, AIX, HPUX, etc., using secure software implementations.
Many thanks for the information.
I think I have found the problem - the user's home directory is defined as '/', to which they have no write access (it's a read-only root). This doesn't seem to matter on z/OS 1.9 but does on 1.11 as the prng_seed is stored in /$HOME/.ssh.
I will get the RACF OMVS segments changed, unless there is a way to override this in the Co:ZSFTP input?
Thanks
Paul
prng_seed is created by IBM Ported Tools OpenSSH *unless* you have /dev/random available, in which case you don't need it (it won't be created).
Our recommendation is that you enable /dev/random (via ICSF) IF AT ALL POSSIBLE.
- ssh connections will start up much faster, and require fewer resources to start
- the ssh-rand-helper mechanism is vastly inferior to /dev/random in terms of the quality of the random number generation.
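
A pre-flight check for the two conditions discussed in this thread, as an added example that is not part of the original posts and is not Co:Z or IBM code: whether the random device actually returns data and, if not, whether `prng_seed` can be written under `$HOME/.ssh`. The function name, the printed keywords and the 8-byte read probe are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the FOTS1945 situation in this thread.
# Assumed for illustration: function name, keywords, 8-byte read probe.

# check_ssh_entropy [RANDOM_DEVICE] [HOME_DIR]
# Prints one keyword; returns 0 if ssh can seed its PRNG, 1 if it cannot.
check_ssh_entropy() {
    dev=${1:-/dev/random}
    home=${2:-$HOME}
    seed_dir=${home%/}/.ssh

    # Existence of the node is not enough; confirm a read returns data.
    if [ -c "$dev" ] && [ -r "$dev" ]; then
        got=$(dd if="$dev" bs=1 count=8 2>/dev/null | wc -c)
        if [ "$((got))" -eq 8 ]; then
            echo "dev-random"        # prng_seed is not needed in this case
            return 0
        fi
    fi

    # Fallback: ssh-rand-helper keeps prng_seed under $HOME/.ssh.
    if [ -d "$seed_dir" ]; then
        target=$seed_dir             # the seed file is written here
    else
        target=$home                 # .ssh would have to be created here
    fi
    if [ -d "$target" ] && [ -w "$target" ]; then
        echo "helper-ok"
        return 0
    fi
    echo "helper-blocked"            # e.g. HOME=/ on a read-only root
    return 1
}

# Runs only when arguments are given, e.g.:
#   sh entropy_check.sh /dev/random "$HOME"
if [ "$#" -gt 0 ]; then
    check_ssh_entropy "$@"
fi
```

Run it under the user ID that the SFTP job uses, since both the device read and the write test depend on that user's permissions.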