Gil,

Using Ported Tools OpenSSH does not *require* /dev/random, but if you don't have it, it falls back to a slow "ssh-rand-helper" thing. In OpenSSH, this is used for PRNG during initialization of a session (only).

It's a PITA that z/OS doesn't include a secure software /dev/random, like every other modern Unix/Linux implementation. Some shops, especially in sandbox LPARs, don't have a crypto card and ICSF. We have considered writing an open source ssh-rand-helper (or even a /dev/random device or daemon) that uses the CPACF and reasonable z/OS entropy sources for a low-cost alternative, but haven't gotten around to it.

But you don't need a hardware /dev/random to run Ported Tools OpenSSH, but it does speed up session startup (only) if you do have it.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

PS> We offer a new product that accelerates the ciphers and HMACs in Ported Tools OpenSSH 1.2 using CPACF instructions. See: "OpenSSH Accelerator for z/OS" http://dovetail.com/solutions.html

Also, there is a chart on slide 14 of the following presentation that compares crypto features of Ported Tools OpenSSH file transfer to FTP/TLS:
http://dovetail.com/docs/oshxl/openssh-accelerator-webinar.pdf

On Thu, May 5, 2011 at 8:54 AM, Paul Gilmartin <[email protected]> wrote:
> On Thu, 5 May 2011 08:55:15 -0400, Rob Schramm wrote:
>
>>I might understand (due to "I don't want to set it up") not setting up SSH.
>> But are there any installations not running TCP/IP these days?
>>
> I should add we have SSH installed but not successfully configured
> on some of our systems because we lack the (separately priced? Am
> I correct?) hardware feature required for /dev/random. The mind
> boggles; z/OS /dev/random uses a PRNG, and for that specialized
> hardware is necessary?
>
> -- gil
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html
> ----------------------------------------------------------------------

