
10.1.3 OpenSSH

OpenSSH is a suite of network connectivity tools that provide secure, encrypted communications between two untrusted hosts over an insecure network. The OpenSSH software tools support the SSH1 and SSH2 protocols. The tools provide shell functions where network traffic is encrypted and authenticated.

OpenSSH is based on a client and server architecture. It runs the sshd daemon process on the AIX host and waits for connections from clients. It supports public and private key pairs for authentication and encryption of channels to ensure secure network connections and host-based authentication.

For more information about OpenSSH, see the following Web site:

http://www.openssh.org

This site provides the man page information for the OpenSSH commands.

To set up the tools in the past, it was necessary to download the binaries from the z/OS UNIX Tools and Toys Web site. The following files were needed:

openssh-3.5p1-ebcdic-bin.pax.tgz
openssl-0.9.7a-ebcdic-bin.pax

Then you had to put these files into a temporary directory on z/OS UNIX. You could use ftp to download them. To unpack the openssh binaries, the following commands could be used:

pax -pe -rvf openssh-3.5p1-ebcdic-bin.pax.tgz
pax -pe -rvf openssl-0.9.7a-ebcdic-bin.pax

The default output directory was /usr/local.

Important: OpenSSH is now available as an unpriced feature, named IBM Ported Tools for z/OS, that runs on z/OS V1R4 or higher. This means it is no longer necessary to get it from the OpenSSH Web site, and it is officially supported. The initial version was OpenSSH 3.5p1 (based on OpenSSL 0.9.7b). With APAR OA10315 it is upgraded to OpenSSH 3.8.1p1, which is related to OpenSSL 0.9.7d. IBM Ported Tools for z/OS User's Guide, SA22-7985, presents the information you need to set up and use OpenSSH.

10.1.4 The ssh daemon

The ssh daemon, sshd, listens for incoming connections. It usually uses TCP/IP port 22. First we generate private and public keys, as shown in Figure 10-3 on page 388.
Each host has a host-specific RSA key (normally 1024 bits) used to identify the host. Additionally, when the daemon starts, it generates a server RSA key (normally 768 bits). This key is normally regenerated every hour if it has been used, and is never stored on disk.

Whenever a client connects, the daemon responds with its public host and server keys. The client compares the RSA host key against its own database to verify that it has not changed. The client then generates a 256-bit random number. It encrypts this random number using both the host key and the server key, and sends the encrypted number to the server. Both sides then use this random number as a session key that is used to encrypt all further communications in the session.

The rest of the session is encrypted using a conventional cipher, currently Blowfish or 3DES, with 3DES being used by default. The client selects the encryption algorithm to use from those offered by the server.

Next, the server and the client enter an authentication dialog. The

Chapter 10. Tools, functions, and programming interfaces 387
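The exchange described above (host key check against the client's database, a short-lived server key, a client-chosen 256-bit random number wrapped with both keys), modelled as an added example that is not part of the original text and is not OpenSSH's own code. It assumes textbook RSA without padding on scaled-down keys (a 512-bit host key and a 384-bit server key stand in for the 1024-bit and 768-bit keys mentioned), a SHA-256 fingerprint as the client's stored form of the host key, and that the session key is wrapped with the smaller server key first so the intermediate value still fits under the host modulus. It stops once both sides hold the same session key; the Blowfish/3DES stage and the authentication dialog are not modelled. Requires Python 3.8 or later for `pow(e, -1, m)`.

```python
import hashlib
import secrets

# Toy model of the SSH protocol 1 key exchange (added example, not OpenSSH code).
# Textbook RSA on scaled-down key sizes; see the lead-in for the assumptions.

def is_probable_prime(n, rounds=24):
    """Miller-Rabin: False means composite, True means almost certainly prime."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random odd prime with exactly `bits` bits (top bit forced on)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def make_rsa_keypair(modulus_bits, e=65537):
    """Textbook RSA key pair as ((e, n), (d, n))."""
    while True:
        p, q = random_prime(modulus_bits // 2), random_prime(modulus_bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:               # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def fingerprint(pub):
    """What the client's host database stores (SHA-256 is this example's choice)."""
    e, n = pub
    return hashlib.sha256(f"{e}:{n}".encode()).hexdigest()

class HostKeyChanged(Exception):
    """The presented host key is unknown or differs from the client's database."""

class Server:
    def __init__(self, host_bits=512, server_bits=384):
        # Long-lived host key: identifies the host (sshd keeps it on disk).
        self.host_pub, self._host_priv = make_rsa_keypair(host_bits)
        # Short-lived server key: regenerated periodically, never written to disk.
        self.rotate_server_key(server_bits)

    def rotate_server_key(self, bits=384):
        self.server_pub, self._server_priv = make_rsa_keypair(bits)

    def hello(self):
        """Daemon's reply to a new connection: its public host and server keys."""
        return self.host_pub, self.server_pub

    def accept_session_key(self, ciphertext):
        """Unwrap in reverse order: host private key first, then server private key."""
        d_h, n_h = self._host_priv
        d_s, n_s = self._server_priv
        return pow(pow(ciphertext, d_h, n_h), d_s, n_s)

class Client:
    def __init__(self, known_hosts):
        self.known_hosts = known_hosts           # hostname -> fingerprint, like a known_hosts file

    def verify_host(self, hostname, host_pub):
        expected = self.known_hosts.get(hostname)
        if expected is None:
            raise HostKeyChanged(f"no recorded host key for {hostname}")
        if expected != fingerprint(host_pub):
            raise HostKeyChanged(f"host key for {hostname} has changed")

    def encrypt_session_key(self, host_pub, server_pub):
        """Choose a 256-bit session key and wrap it with the server key, then the host key."""
        e_h, n_h = host_pub
        e_s, n_s = server_pub
        if n_s >= n_h:
            raise ValueError("server modulus must be smaller than host modulus for nesting")
        session_key = secrets.randbits(256)      # below n_s, so textbook RSA round-trips
        return session_key, pow(pow(session_key, e_s, n_s), e_h, n_h)

def run_exchange(hostname, client, server):
    """One handshake; returns (client's session key, key the server recovered)."""
    host_pub, server_pub = server.hello()
    client.verify_host(hostname, host_pub)
    session_key, ciphertext = client.encrypt_session_key(host_pub, server_pub)
    return session_key, server.accept_session_key(ciphertext)

def host_key_accepted(hostname, client, server):
    """True if the client accepts this server's host key, False if unknown or changed."""
    try:
        run_exchange(hostname, client, server)
        return True
    except HostKeyChanged:
        return False

if __name__ == "__main__":
    server = Server()
    client = Client({"zos.example": fingerprint(server.host_pub)})   # constructed database entry
    ours, theirs = run_exchange("zos.example", client, server)
    print("session keys agree:", ours == theirs)
    print("host with a different key accepted:", host_key_accepted("zos.example", client, Server()))
```

The second print shows the property the text relies on: a host presenting a key other than the one recorded in the client's database is refused before any session key is sent, which is why the stored host key, not the hourly server key, is what the client must protect and check.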