Re: OpenSSH upgrade option

2019-04-15 Thread Kirk Wolf
Gil, You've mentioned this before, where you are essentially doing back-to-back translations in order to get binary command redirection over z/OS ssh. Again, I'll mention that you can also use the "ChannelConvert" option to get binary command channels: pax -wvXzE -pe -x pax * | \ ssh -p

Re: OpenSSH upgrade option

2019-04-15 Thread Paul Gilmartin
On 2019-04-15, at 10:40:11, Matt Hogstrom wrote: > https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.foto100/fotz112.htm > > > > SSH on z/OS for USS assumes text and doe

Re: OpenSSH upgrade option

2019-04-15 Thread Matt Hogstrom
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.foto100/fotz112.htm SSH on z/OS for USS assumes text and does conversion. If you're transferring files you have to use s

Re: OpenSSH upgrade option

2019-04-15 Thread John McKown
On Mon, Apr 15, 2019 at 11:12 AM Kirk Wolf wrote: > The standard SSH and SFTP protocols (and most implementations) *only* do > binary. > > z/OS OpenSSH is extended to do limited ASCII<->EBCDIC translation. >- it automatically translates "shell" sessions, remote command > execution, scp (clien

Re: OpenSSH upgrade option

2019-04-15 Thread Kirk Wolf
The standard SSH and SFTP protocols (and most implementations) *only* do binary. z/OS OpenSSH is extended to do limited ASCII<->EBCDIC translation. - it automatically translates "shell" sessions, remote command execution, scp (client and server), and adds "ascii" and "binary" commands to "sftp

Re: OpenSSH upgrade option

2019-04-15 Thread Paul Gilmartin
On Mon, 15 Apr 2019 12:37:53 +, Allan Staller wrote: > >SSH defaults to binary transfer. For the issue below (1047-819 translation) a >text mode transfer would have to be specifically requested. >It is presumed that someone that knows enough to request a text mode transfer >would be aware of

Re: OpenSSH upgrade option

2019-04-15 Thread Allan Staller
"The ssh command performs ASCII<->EBCDIC conversion (for pedants, 1047<->819). I'd expect that to be IBM-specific. Probably not relevant to security, but additional code that must be supported in an IBM instance, or conditionally bypassed if the sources are merged." SSH defaults to binary tra

Re: OpenSSH upgrade option

2019-04-13 Thread Kirk Wolf
I would recommend that you check for OpenSSH CVEs in the IBM Z Systems Security Portal, and if not covered then open a PMR. Sadly, security departments don't always consider that there are very often workarounds for OpenSSH CVEs or reasons that they don't apply to your installation. For example, c

Re: OpenSSH upgrade option

2019-04-12 Thread Andrew Rowley
On 12/04/2019 5:35 pm, Timothy Sipples wrote: Paul Jodlowski wrote: Currently OpenSSH is at 6.4p1, I have been asked by our Network Security Team to upgrade to OpenSSH 7.4. That's an "amusing" recommendation from your Network Security Team. Unless security patches have been backported and appli

Re: OpenSSH upgrade option

2019-04-12 Thread Kirk Wolf
hmuel (Seymour J.) Metz > http://mason.gmu.edu/~smetz3 > > > From: IBM Mainframe Discussion List on behalf > of Paul Gilmartin <000433f07816-dmarc-requ...@listserv.ua.edu> > Sent: Friday, April 12, 2019 1:06 PM > To: IBM-MAIN@LISTSERV.UA.EDU > S

Re: OpenSSH upgrade option

2019-04-12 Thread Seymour J Metz
-dmarc-requ...@listserv.ua.edu> Sent: Friday, April 12, 2019 1:06 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: OpenSSH upgrade option On Fri, 12 Apr 2019 16:54:08 +, Seymour J Metz wrote: >Who says IBM patches? > Read Timothy Sipples's ply. >How could EBCDIC conceivably be relevant

Re: OpenSSH upgrade option

2019-04-12 Thread Paul Gilmartin
On Fri, 12 Apr 2019 16:54:08 +, Seymour J Metz wrote: >Who says IBM patches? > Read Timothy Sipples's ply. >How could EBCDIC conceivably be relevant? > The ssh command performs ASCII<->EBCDIC conversion (for pedants, 1047<->819). I'd expect that to be IBM-specific. Probably not relevant t

Re: OpenSSH upgrade option

2019-04-12 Thread Seymour J Metz
ursday, April 11, 2019 4:16 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: OpenSSH upgrade option On Thu, 11 Apr 2019 16:01:15 +, Mark Jacobs wrote: >I don't believe so. Latest version shipped with z/OS 2.3 is 6.4p1. IBM does >issue APARs against it for any problems found that are appl

Re: OpenSSH upgrade option

2019-04-12 Thread Paul Jodlowski
Paul Gilmartin Sent: Friday, April 12, 2019 11:35 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: OpenSSH upgrade option On Fri, 12 Apr 2019 15:35:55 +0800, Timothy Sipples wrote: >Paul Jodlowski wrote: >>Currently OpenSSH is at 6.4p1, I have been asked by our Network >>Security Tea

Re: OpenSSH upgrade option

2019-04-12 Thread Seymour J Metz
PTF. -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List on behalf of Allan Staller Sent: Friday, April 12, 2019 9:12 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: OpenSSH upgrade option Paul Gilmartin wrote

Re: OpenSSH upgrade option

2019-04-12 Thread Paul Gilmartin
On Fri, 12 Apr 2019 15:35:55 +0800, Timothy Sipples wrote: >Paul Jodlowski wrote: >>Currently OpenSSH is at 6.4p1, I have been asked by our >>Network Security Team to upgrade to OpenSSH 7.4. > >That's an "amusing" recommendation from your Network Security Team. Unless >security patches have been

Re: OpenSSH upgrade option

2019-04-12 Thread Allan Staller
Sent: Thursday, April 11, 2019 3:16 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: OpenSSH upgrade option On Thu, 11 Apr 2019 16:01:15 +, Mark Jacobs wrote: >I don't believe so. Latest version shipped with z/OS 2.3 is 6.4p1. IBM does >issue APARs against it for any problems found tha

Re: OpenSSH upgrade option

2019-04-12 Thread Elardus Engelbrecht
Paul Jodlowski wrote: >>Currently OpenSSH is at 6.4p1, I have been asked by our Network Security Team >>to upgrade to OpenSSH 7.4. z/OS OpenSSH at 6.4p1 is fully supported by IBM. Your Network Security Team is asking you to 'upgrade', but actually they want to have you to upgrade to an unsupp

Re: OpenSSH upgrade option

2019-04-12 Thread Timothy Sipples
Paul Jodlowski wrote: >Currently OpenSSH is at 6.4p1, I have been asked by our >Network Security Team to upgrade to OpenSSH 7.4. That's an "amusing" recommendation from your Network Security Team. Unless security patches have been backported and applied to a particular distribution of OpenSSH, Ope

Re: OpenSSH upgrade option

2019-04-11 Thread Kirk Wolf
z/OS OpenSSH is currently based on OpenSSH 6.4, but IBM also uses the maintenance stream to include security patches from OpenSSH beyond 6.4. It isn't clear why your Network Security Team is asking for 7.4 - for a new feature or for a security fix? If for the latter, you can check the PTFs to se

Re: OpenSSH upgrade option

2019-04-11 Thread Paul Gilmartin
On Thu, 11 Apr 2019 16:01:15 +, Mark Jacobs wrote: >I don't believe so. Latest version shipped with z/OS 2.3 is 6.4p1. IBM does >issue APARs against it for any problems found that are applicable to OpenSSH >on zOS. There is/was a list of them in one of the IBM OpenSSH manuals at one >time.

Re: OpenSSH upgrade option

2019-04-11 Thread Paul Jodlowski
Mark ok thanks will take a look Cheers -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Jacobs Sent: Thursday, April 11, 2019 11:01 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: OpenSSH upgrade option I don't believe so. L

Re: OpenSSH upgrade option

2019-04-11 Thread Allan Staller
:44 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: OpenSSH upgrade option Is there a way to upgrade OpenSSH on z/OS v2.2? Currently OpenSSH is at 6.4p1, I have been asked by our Network Security Team to upgrade to OpenSSH 7.4. Cheers

Re: OpenSSH upgrade option

2019-04-11 Thread Mark Jacobs
I don't believe so. Latest version shipped with z/OS 2.3 is 6.4p1. IBM does issue APARs against it for any problems found that are applicable to OpenSSH on zOS. There is/was a list of them in one of the IBM OpenSSH manuals at one time. Mark Jacobs

OpenSSH upgrade option

2019-04-11 Thread Paul Jodlowski
Is there a way to upgrade OpenSSH on z/OS v2.2? Currently OpenSSH is at 6.4p1, I have been asked by our Network Security Team to upgrade to OpenSSH 7.4. Cheers