Ah... ok.
So SSH is used for auth and encryption, and mainly just as a tunnel (as the 
first mail mentioned).
The traffic that's tunnelled may be any protocol or a TCP socket... and the 
goal is to just use SSH's ubiquity (say port 22) to make life easier w.r.t 
firewalls and all that.

Is this right?

I wonder if spiped fits the bill - https://www.tarsnap.com/spiped.html


On Saturday, December 30th, 2023 at 09:17, Paul Gilmartin 
<0000042bfe9c879d-dmarc-requ...@listserv.ua.edu> wrote:


> On Sat, 30 Dec 2023 02:47:28 +0000, kekronbekron wrote:
> 
> > Correct me if I'm wrong but I think "ssh -L ..." is just to get to SSH on a 
> > target machine via a non-standard port?
> 
> I believe that's "ssh -oPort=nnnn" which I use regularly to get to a
> nonstandard (portmapped) port.
> 
> I once knew how to use ssh to set up an encrypted connection for a
> non-encrypted service, such as ftp. I no longer remember how. Perhaps see "-L" in
> https://linux.die.net/man/1/ssh
> 
> > On Friday, December 29th, 2023 at 20:35, Rick Troth wrote:
> > 
> > > I can't speak for Frank, but he started his inquiry with this:
> > > 
> > > > We're looking at using an SSH tunnel (or reverse tunnel) to encrypt a
> > > > connection where the application on the other end does not support TLS.
> > > 
> > > SSH is an excellent choice for this kind of job.
> > > You can use SSH directly (with client invoking SSH to launch a service
> > > program on the target)
> > > or you can establish one or more TCP listeners (either direction) over
> > > an SSH session, or any combination.
> > > ALL of the traffic handled by way of the SSH session would be encrypted.
> > > 
> > > So I might not have understood exactly what Frank needs, but I'm a firm
> > > believer in SSH.
> > > 
> > > Authentication of the remote SSH host is done using the SSH host key(s)
> > > on the target system. That's standard.
> > > 
> > > Authentication of the client can be done using an SSH client key (as is
> > > my practice) or using PKI certificates (as Colin describes in his blog).
> > > Frank indicated that what he needs is unattended/automatic, easily
> > > supported using either method.
> > > 
> > > Does that help?
> > > 
> > > -- R; <><
> > > 
> > > On 12/29/23 09:20, kekronbekron wrote:
> > > 
> > > > Hi Rick/Frank,
> > > > 
> > > > If you have time, could you explain more about this setup.
> > > > I don't get what's desired..
> > > > 
> > > > On Friday, December 29th, 2023 at 19:04, Rick Troth tro...@gmail.com 
> > > > wrote:
> > > > 
> > > > > Hi Frank --
> > > > > 
> > > > > BT/DT and it works great.
> > > > > 
> > > > > I took the usual means of capturing the host key of the target: signed
> > > > > on as the service account and ran 'ssh' interactively. Ever after, the
> > > > > client would not be prompted, but it would fail if the key changed.
> > > > > (And that's the point.)
> > > > > 
> > > > > The client signed on using an SSH client key. Of course, I had to break
> > > > > a rule here and magically obviate the need for a pass phrase. (Dark
> > > > > magic. Not something we speak about in public.)
> > > > > 
> > > > > In this particular case, I ran it from /etc/inittab on a traditional
> > > > > Unix (Linux) system. That way when the session would die it would be
> > > > > restarted.
> > > > > 
> > > > > This hack used either -L or -R, I forget which, but established a TCP
> > > > > listener. All traffic was limited to local (which is the default), so
> > > > > no risk of someone off-box sending or seeing cleartext.
> > > > > 
> > > > > -- R; <><
> > > > > 
> > > > > On 12/29/23 04:53, Colin Paice wrote:
> > > > > 
> > > > > > Frank,
> > > > > > What do you have on the z/OS end? If the back end supports it, it
> > > > > > can map from a certificate to a userid.
> > > > > > See Using certificates to logon to z/OS
> > > > > > https://colinpaice.blog/2023/03/28/using-certificates-to-logon-to-z-os/
> > > > > > and What’s the difference between RACDCERT MAP and RACMAP?
> > > > > > https://colinpaice.blog/2020/07/28/whats-the-difference-between-racdcert-map-and-racmap/
> > > > > > Colin
> > > > > > 
> > > > > > On Fri, 29 Dec 2023 at 06:27, Frank 
> > > > > > swarbrickfrank.swarbr...@outlook.com
> > > > > > wrote:
> > > > > > 
> > > > > > > We're looking at using an SSH tunnel (or reverse tunnel) to encrypt a
> > > > > > > connection where the application on the other end does not support TLS.
> > > > > > > The POC looks to be working. I am now pondering on the steps required to
> > > > > > > make setting up the tunnel an automated process. It seems to me that we'd
> > > > > > > want the z/OS user to be a "protected" user (NOPASSWORD/NOPHRASE/NOOIDCARD).
> > > > > > > Would this require that we use SSH host based authentication? I imagine
> > > > > > > that the user would require an OMVS segment. I wonder if it would need a
> > > > > > > shell or home directory. Any other thoughts?
> 
> 
> --
> gil
> 
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
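Added example, not code from the thread or from any of its participants: a wrapper for the unattended `-L` tunnel Rick describes above (service account with a passphrase-less client key, host key captured once interactively so a changed key aborts rather than prompts, listener kept on-box, respawn when the session dies). Every host name, user, port and path in it is a constructed placeholder, and the `is_local_bind` check is an assumption of this example, not an ssh feature: it refuses a forwarding spec whose bind address would expose the cleartext listener off-box, which is the property Rick relies on ssh's loopback default for.

```shell
#!/bin/sh
# Added example, not code from the thread. Wraps the unattended -L tunnel Rick
# describes: key-based service account, pre-captured host key, loopback-only
# listener, respawn on session death. Every host, user, port and path here is
# a constructed placeholder.

TUNNEL_KEY="${TUNNEL_KEY:-/home/svctunnel/.ssh/id_ed25519}"  # passphrase-less key (assumed path)
TUNNEL_USER="${TUNNEL_USER:-svctunnel}"                      # placeholder service account
TUNNEL_HOST="${TUNNEL_HOST:-zos.example.internal}"           # placeholder target host
LOCAL_PORT="${LOCAL_PORT:-2121}"                             # listener on this box
REMOTE_PORT="${REMOTE_PORT:-21}"                             # cleartext service, far end

# Accept a -L spec only if its listener stays on this box.
# ssh binds to loopback when no bind address is given; an explicit bind
# address is allowed only if it is a loopback address.
is_local_bind() {
  case "$1" in
    127.0.0.1:*|localhost:*|"[::1]:"*) return 0 ;;  # explicit loopback bind
    *:*:*:*) return 1 ;;                            # explicit non-loopback bind
    *:*:*) return 0 ;;                              # port:host:hostport, default bind
    *) return 1 ;;                                  # not a forwarding spec
  esac
}

# Print the ssh command line for an unattended tunnel. Fails (and prints
# nothing) if the spec would expose a cleartext listener off-box.
build_tunnel_cmd() {
  spec="$1"
  is_local_bind "$spec" || return 1
  # -N: no remote command, only forwarding.
  # BatchMode=yes: never prompt. StrictHostKeyChecking=yes: the host key must
  # already be in known_hosts (captured once interactively, as in the thread),
  # and a changed key aborts the session instead of asking.
  # ExitOnForwardFailure=yes: die if the listener cannot be bound, so the
  # respawn loop below notices instead of keeping a useless session alive.
  # ServerAlive*: detect a dead peer so the loop can reconnect.
  printf 'ssh -N -o BatchMode=yes -o StrictHostKeyChecking=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -i %s -L %s %s@%s' \
    "$TUNNEL_KEY" "$spec" "$TUNNEL_USER" "$TUNNEL_HOST"
}

# Respawn loop standing in for the inittab entry in the thread.
run_tunnel_forever() {
  spec="127.0.0.1:${LOCAL_PORT}:127.0.0.1:${REMOTE_PORT}"
  cmd="$(build_tunnel_cmd "$spec")" || { echo "refusing non-local bind: $spec" >&2; return 1; }
  while :; do
    $cmd                      # blocks until the session ends
    sleep 5                   # back off before reconnecting
  done
}

# Usage: TUNNEL_HOST=... TUNNEL_KEY=... ./tunnel.sh run
case "${1:-}" in
  run) run_tunnel_forever ;;
esac
```

The application then talks cleartext to `127.0.0.1:2121` on the client box and the far-end service sees the connection arrive from the SSH server's own loopback, so nothing unencrypted crosses the wire. On the z/OS side the same options apply unchanged; what the thread's questions about a protected user and OMVS segment decide is only which account the key lands in, not how the tunnel is driven.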

