On Wed, 4 Feb 2015 17:11:12 -0500, Mark Jacobs - Listserv wrote:
>You should really, really use public key authentication instead of
>user/passwords.
>
I suggested that initially. But now I think of one utility my
employer supplies which requires user/password. The admins
are shirking the chore of adding each entitled public key to
the utility's .ssh directory.

Process. If a user becomes disentitled, established process
removes him from LDAP, and user/password is disabled.
Of course that process should also lock the user's HOME directory,
likewise disabling ssh/sftp.

And, FWIW, ssh/sftp transfer the password *after* securing the
connection.

On 2015-02-04 15:08, Grinsell, Don wrote:
> This is what I use:
> //*
> //STDENV DD DSN=USERID.TSOLIB.PDS(ASKPASS),DISP=SHR
> ...
> USERID.TSOLIB.PDS(ASKPASS) contains:
> SSH_ASKPASS=/u/systech/userid/.ssh/askpassrds.sh
>
Kinda circuitous. Why not simply code that value in an instream STDPARM?
(But you might instead want the flexibility of:
//STDENV DD DSN=&SYSUID..TSOLIB.PDS(ASKPASS),DISP=SHR
)
-- gil