Dynamic Allocation with Dataset Pipes.
We want to use the Dovetail dataset pipes program to enable
inbound transmissions sent through SSH SFTP to an MVS dataset instead of a UNIX file.
Will dataset pipes do this without allowing people terminal access?
Thanks in advance,
John Murray
John,
Co:Z does allow you to use the dataset pipes commands (todsn and fromdsn) to read and write MVS datasets over an ssh connection.
sftp is the file transfer program that comes with ssh that uses ssh connections to transfer Unix files. Co:Z doesn't use sftp, but it does use ssh (just like sftp).
The user must still have a valid z/OS userid with an OMVS segment, but to prevent "terminal access" you can define the userid with a shell of /bin/true. I'm not sure offhand how to prevent the user from using TSO, but I assume that RACF or your security product can do that.
John,
With a little digging I found out that SSHD actually starts programs and subsystems (like sftp-server and cozserver) using:
<default shell> -c command
So, you have to have a shell to start anything with sshd.
The common solution that people use is to replace the default shell with another program that only allows execution of certain commands.
Fortunately, you can write this program as a shell script.
Here's one that I wrote that allows you to restrict command execution to a list of programs:
Code:
#!/bin/sh
# A shell script which can be set as a user's default shell
# to only allow certain commands or ssh subsystems to run,
# disallowing full shell logins.
if [ $# -ge 2 -a "$1" = "-c" ]; then
    case $2 in
        # Update this list to match what you have in /etc/ssh/sshd_config
        # or add any other commands that you would like to allow
        # from ssh.
        /usr/lib/ssh/sftp-server) exec "$2";;
        /u/dovetail/coz/bin/dspipes) exec "$2";;
        /u/dovetail/coz/bin/cozserver) exec "$2";;
        *);;
    esac
fi
# Write out whatever messages you want your users to see
# if they try something else
echo "Only sftp and dataset pipes file transfers are allowed from this account"
exit 1

So put this script in a USS file, say /opt/dovetail/coz/bin/restricted-shell,
and "chmod 755" it to make it executable and then set it as the default program/shell for your users.
Your method to lock the terminal is cool. I tried it but got a couple of errors that need to be worked out. I will get back to you next week to try to hash these out.
Do you know what type of SMF record that dataset pipes will cut whenever you use the todsn command to put a Unix file to a MVS dataset?
Thanks
When you set this shell script as the default shell for a user, then it is executed whenever the user logs in. The script only allows the arguments:
-c program_name
Which is the syntax that a shell uses to execute a program (as opposed to an interactive shell). So if the shell is invoked some other way, then it is coded to exit with a nice error message. It is also coded to only allow certain commands to be executed, which is how sshd executes "subsystems" such as sftp-server or cozserver (aka dspipes).
There is one issue that you should be aware of: the cozserver / dspipes subsystem allows for arbitrary commands to be executed, not just fromdsn and todsn. So, while this technique will prevent normal interactive shells (including OMVS under TSO), it will completely lock you out of executing commands. We are planning on enhancing Co:Z soon to add capabilities to filter commands using a configuration file that maps them into SAF checks.
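The restricted-shell idea discussed above, as an added example that is not part of the original thread and not Co:Z code: a hardened rewrite of the posted script. It accepts only the exact form sshd uses, "-c" followed by one command string, matches that string verbatim against an allow-list, records refused attempts with logger, and writes the refusal to stderr. The allow-list paths, the installed script name restricted-shell and the use of logger are assumptions made for the example.

```shell
#!/bin/sh
# restricted-shell: an added, hardened rewrite of the allow-list login shell
# discussed in this thread. It is not Dovetail's code; the allow-list paths and
# the installed name "restricted-shell" are assumptions made for the example.
#
# sshd starts subsystems and remote commands as:  <login shell> -c '<command>'
# so the only invocation accepted is exactly two arguments, "-c" followed by a
# command string that matches one allow-list entry verbatim.

# One entry per line, exactly as it appears on the Subsystem lines of
# /etc/ssh/sshd_config (constructed paths; edit to match your system).
ALLOWED_COMMANDS='/usr/lib/ssh/sftp-server
/u/dovetail/coz/bin/cozserver
/u/dovetail/coz/bin/dspipes'

# allowed_command ARGS...: given the shell's own arguments, print the
# permitted command and return 0, or print nothing and return 1.
allowed_command() {
    [ "$#" -eq 2 ] || return 1        # no interactive login, no extra args
    [ "$1" = "-c" ] || return 1
    cmd=$2
    # A legitimate entry is a bare absolute path. Reject empty strings and
    # anything carrying whitespace or shell metacharacters up front, so the
    # verbatim allow-list comparison below is the only thing that decides.
    case "$cmd" in
        '' | *[!A-Za-z0-9_./-]*) return 1 ;;
    esac
    oldifs=$IFS
    IFS='
'
    for entry in $ALLOWED_COMMANDS; do
        if [ "$entry" = "$cmd" ]; then
            IFS=$oldifs
            printf '%s\n' "$cmd"
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# deny ARGS...: record the attempt and refuse. The message goes to stderr:
# on stdout it would be read by the sftp client as the start of the SFTP
# protocol stream and reported as a protocol error instead of being shown.
deny() {
    logger -p auth.warning -t restricted-shell \
        "denied: user=$(id -un 2>/dev/null) argv=$*" 2>/dev/null
    echo "Only sftp and dataset pipes file transfers are allowed from this account" >&2
    exit 1
}

main() {
    cmd=$(allowed_command "$@") || deny "$@"
    exec "$cmd"
}

# Dispatch only when installed and invoked as the login shell (sshd passes
# the shell's path, or "-restricted-shell" for a login, as argv[0]).
case "$0" in
    *restricted-shell) main "$@" ;;
esac
```

Two design points. The refusal text goes to stderr because sshd wires the shell's stdout to the client's subsystem channel, so anything echoed there arrives as the first bytes of the SFTP version exchange and the client reports a protocol failure rather than displaying the message. The logger line records the exact argv sshd passed, which is the first thing to look at when a subsystem request is refused: the string after -c must match an allow-list entry character for character, so a Subsystem line in sshd_config that carries options, or points at a different path, needs a matching entry.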
I tried the same thing and it doesn't work for me.
I defined the script as listed... I set up the user with it in RACF as below.
OMVS INFORMATION
----------------
UID= 0009304912
HOME= /u/U304912
PROGRAM= /usr/lpp/coz/bin/dovetail-secure-sh
CPUTIMEMAX= NONE
ASSIZEMAX= NONE
When I perform an SFTP from a PC command prompt to this region I just get the following......
input_userauth_banner
*******************************************************************************
** WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING **
*******************************************************************************
* To protect the system from unauthorised use and to ensure the system is **
* functioning properly,activities on this system are monitored,recorded and **
* subject to audit.Use of this system is expressed consent to such monitoring**
* and recording.Any unauthorised access or use of this Automated Information **
* System is prohibited and could be subject to criminal and civil penalties. **
*******************************************************************************
debug1: none auth failure.
debug1: Authentications that server will allow: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Next authentication method: keyboard-interactive
debug1: Attempt to authenticate with keyboard interactive.
debug1: keyboard-interactive auth failure.
debug1: Authentications that server will allow: publickey,password,keyboard-interactive
debug1: Next authentication method: password
Enter password for u304912@mvs1:
debug1: Trying to authenticate with a password.
debug1: Authentication succeeded (password).
debug1: Login completed
debug1: Cleanup PKI subsystem
debug1: PKI_DestroySession called. Session id: -100956622
debug1: PKI_Cleanup called. Reference count: 1
debug1: Starting client_loop
debug1: channel 0: new [client-session]
debug1: Sending subsystem: sftp
debug1: channel 0: request subsystem
debug1: channel 0: open confirm rwindow 0 rmax 32768
Couldn't initialise connection to server <<<<<<<<<<<<error
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: obuf empty
debug1: channel 0: close_write
debug1: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
Unfortunately, it's hard to tell what you did wrong....
Take a look at this writeup in the Co:Z SFTP User's Guide:
http://dovetail.com/docs/sftp/sftp-restrict.html
o Are your script permissions set correctly?
o Have you customized the script to point to your coz/bin directory?
Yep, I double checked that.
The script I have defined is....
#!/bin/sh
# A shell script which can be set as a users default shell
# to only allow certain commands or ssh subsystems to run,
# disallowing full shell logins.
if [ $# -ge 2 -a "$1" = "-c" ]; then
case $2 in
# Update this list to match what you have in /etc/ssh/sshd_config
# or add any other commands that you would like to allow
# from ssh.
/usr/lpp/coz/bin/sftp-server.sh) exec $2;;
/usr/lpp/coz/bin/cozserver) exec $2;;
*);;
esac
fi
# Write out whatever messages you want your users to see
# if they try something else
echo "Only sftp and dataset pipes file transfers are allowed \
from this account."
exit 1
and is defined with the following permissions..
File 755 2010-06-10 04:50 LRSSERV 622 dovetail-secure-sh
which is also the same as what is defined in the sshd_config file
Subsystem sftp /usr/lpp/coz/bin/sftp-server.sh
It works if I just use the /bin/sh without any issues just not with this.
I now get the following.....
Enter password for u304912@mvs1:
debug1: Trying to authenticate with a password.
debug3: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: Login completed
debug1: Cleanup PKI subsystem
debug1: PKI_DestroySession called. Session id: 1463965465
debug1: PKI_Cleanup called. Reference count: 1
debug1: Starting client_loop
debug1: channel 0: new [client-session]
debug3: num_channels = 1
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug2: ssh_session2_setup: id 0
debug1: Sending subsystem: sftp
debug1: channel 0: request subsystem
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug3: Waiting for sftp subsystem to get setup...
debug3: Received message too long -694840408
debug3: error in recieving SSH FXP version
Couldn't initialise connection to server
debug3: channel 0: will not send data after close
debug3: channel 0: will not send data after close
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: obuf empty
debug1: channel 0: close_write
debug1: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug3: client_input_channel_req: exit-status: 1
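A pre-flight check for the two questions raised in the reply above (is the script executable, and does its allow-list contain every Subsystem command in sshd_config), plus the interpreter line that the forum software mangled in the first post. This is an added example, not Dovetail's tooling; the sshd_config excerpt and script it builds are constructed sample data, and the check expects a script in the "path) exec $2;;" style posted in this thread.

```shell
#!/bin/sh
# check_restricted_shell: an added pre-flight check for a restricted login shell
# written in the style posted in this thread (one "path) exec $2;;" arm per
# permitted command). Not Dovetail's tooling; every path and file below is a
# constructed example value.
#
# check_restricted_shell SSHD_CONFIG SCRIPT
# Prints one line per finding and returns the number of findings (0 = clean).
check_restricted_shell() {
    config=$1
    script=$2
    problems=0
    if [ ! -f "$script" ]; then
        echo "missing: $script"
        return 1
    fi
    # sshd execs the shell directly, so it must be executable ("chmod 755")
    if [ ! -x "$script" ]; then
        echo "not executable: $script"
        problems=$((problems + 1))
    fi
    # the interpreter line must be exactly #!/bin/sh; a stray space breaks it
    first=$(head -n 1 "$script")
    if [ "$first" != "#!/bin/sh" ]; then
        echo "bad interpreter line: '$first'"
        problems=$((problems + 1))
    fi
    # each uncommented "Subsystem <name> <command>" is what sshd will pass as
    # "-c <command>", so the script needs a case arm for that exact string
    subs=$(awk '$0 !~ /^[ \t]*#/ && tolower($1) == "subsystem" {
                    $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); print }' "$config")
    oldifs=$IFS
    IFS='
'
    for subcmd in $subs; do
        IFS=$oldifs
        if ! grep -F -q -- "$subcmd) exec" "$script"; then
            echo "subsystem command not allow-listed: $subcmd"
            problems=$((problems + 1))
        fi
    done
    IFS=$oldifs
    return "$problems"
}

# make_sample DIR good|bad: write a constructed sshd_config excerpt and a
# restricted shell into DIR. "bad" reproduces two mistakes seen in this
# thread: a space in the interpreter line and a Subsystem not allow-listed.
make_sample() {
    dir=$1
    cat > "$dir/sshd_config" <<'EOF'
# constructed sshd_config excerpt
Port 22
Subsystem   sftp    /usr/lpp/coz/bin/sftp-server.sh
Subsystem dspipes /usr/lpp/coz/bin/cozserver
#Subsystem old /usr/lib/ssh/sftp-server
EOF
    if [ "$2" = good ]; then
        shebang='#!/bin/sh'
        cozarm='/usr/lpp/coz/bin/cozserver) exec $2;;'
    else
        shebang='#!/bin/ sh'
        cozarm=''
    fi
    cat > "$dir/restricted-shell" <<EOF
$shebang
if [ \$# -ge 2 -a "\$1" = "-c" ]; then
    case \$2 in
        /usr/lpp/coz/bin/sftp-server.sh) exec \$2;;
        $cozarm
        *);;
    esac
fi
echo "Only sftp and dataset pipes file transfers are allowed from this account" >&2
exit 1
EOF
    chmod 755 "$dir/restricted-shell"
}

# run_demo good|bad: build a sample, check it, return the finding count
run_demo() {
    dir=$(mktemp -d)
    make_sample "$dir" "$1"
    check_restricted_shell "$dir/sshd_config" "$dir/restricted-shell"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

Run it as "check_restricted_shell /etc/ssh/sshd_config /path/to/your-shell" and fix each finding; run_demo good returns 0 and run_demo bad returns 2. One more reading aid for the trace above: the client's "Received message too long -694840408" is the 32-bit value 0xD69593A8, and D6 95 93 A8 is the EBCDIC encoding of "Only", the first four bytes of the script's own refusal message. So in that session the script did start, did not match the -c string sshd passed, and fell through to the echo, whose stdout output the client then tried to parse as an SFTP packet length. That points at the case arms versus the Subsystem line, not at the shell failing to launch, and writing the message to stderr makes the same situation show up as readable text instead.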