APAR status
Closed as documentation error.
Error description
DOC APAR - running summary of documentation / pubs updates.

Problem #1 Description:
Item 25 in the FAQ, "Sometimes when I run the ssh command on z/OS, I get
the following SIGINT messages", requires clarification regarding the
possibility of seeing a related console message.

Book Title  - IBM Ported Tools for z/OS User's Guide
Book Number - SA22-7985-04
Chapter     - Troubleshooting
Section     - Frequently asked questions
Topic       - #25 (SIGINT)
PMR Number  - None
Initials    - DN/RT

Documentation #1 Change:

The following text should be appended to the answer:

  The system administrator might also see the following message on the
  console:

    IEF450I JOBNAME *OMVSEX - ABEND=SEC6 U0000 REASON=0000FF02

  The console message results when ssh-rand-helper kills the UNIX command
  listed in /etc/ssh/ssh_prng_cmds before the kernel is able to initialize
  the child process for that command. Again, you may see the console
  message if your system is heavily loaded.

  Both messages can be eliminated by moving to z/OS V1R7 and above with an
  available Integrated Cryptographic Service Facility (ICSF), because
  OpenSSH then uses hardware support (/dev/random or /dev/urandom) to
  generate random numbers instead of using ssh-rand-helper. For more
  information about using hardware support, see "Using hardware support
  to generate random numbers".

--------
Problem #2 Description:
Step 8 of "Steps for creating or editing configuration files" references
the TCPIP.DATA file being copied into the HFS under /var/empty for the
privsep user, but the incorrect file name is used.

Book Title  - IBM Ported Tools for z/OS User's Guide
Book Number - SA22-7985-nn
Chapter     - For system administrators
Section     - Steps for creating or editing configuration files
Topic       - #8 (TCPIP.DATA file)
PMR Number  - 14508,122,000
Initials    - CW/RT

Documentation #2 Change:

All occurrences of "/etc/tcpip.data" in this step should be changed to
"/etc/resolv.conf". The corrected text should read:

--
If the TCPIP.DATA file on the system is located in the UNIX file system,
for example, named /etc/resolv.conf, copy /etc/resolv.conf to
/var/empty/etc/resolv.conf:

  cp -p /etc/resolv.conf /var/empty/etc/resolv.conf

The OpenSSH daemon runs with privilege separation enabled by default.
During privilege separation, the daemon splits itself into two processes,
one with privileges and one without. The unprivileged process (running as
the SSHD privilege separation user) handles network traffic and everything
not requiring special privileges, and it runs in a chroot jail of
/var/empty. The chroot service changes the root directory from the current
one to a new one, in this case /var/empty; the root directory is the
starting point for path searches of path names beginning with a slash. At
some point the unprivileged process invokes a TCP/IP system call that
requires access to the TCPIP.DATA file. If this file is stored in the UNIX
file system as /etc/resolv.conf, the privilege separation user will not
have access to it, because /etc/resolv.conf is not located under the new
root of /var/empty. The system administrator should copy /etc/resolv.conf
to /var/empty/etc/resolv.conf to make the file visible to the privilege
separation user.

Tip: Every time the installation changes the TCPIP.DATA statements, the
TCPIP.DATA file must be recopied to the path under the /var/empty root so
that the updated information is found by the privilege separation user.
--

--------
Problem #3 Description:
OpenSSH vulnerability information needs to be updated in the "OpenSSH and
vulnerabilities" chapter.

Book Title  - IBM Ported Tools for z/OS User's Guide
Book Number - SA22-7985-05
Chapter     - OpenSSH and vulnerabilities
Section     - List of vulnerabilities reported against SSH applications
              List of vulnerabilities reported against zlib
Topic       - Table 8. List of vulnerabilities reported against SSH
              applications
              Table 9. List of vulnerabilities reported against zlib
PMR Number  - 62294,7TD,000
Initials    - DN/RT

Documentation #3 Change:

----------------------------------------------------------------
The following rows need to be added to Table 8:

CERT/CVE       Date        Description                    Affects z/OS?
---
CVE-2005-2797  09/06/2005  OpenSSH does not properly      No. This vulnerability
                           handle dynamic port            was introduced in
                           forwarding when a listen       OpenSSH 4.0.
                           address is not provided.
---
CVE-2005-2798  09/06/2005  OpenSSH allows GSSAPI          No. OpenSSH on z/OS
                           credentials to be delegated    does not support GSSAPI
                           to clients who log in using    authentication.
                           non-GSSAPI methods.
---
CVE-2006-4925  09/28/2006  OpenSSH allows remote          No. This vulnerability
                           attackers to cause a denial    was introduced in
                           of service (crash) by          OpenSSH 4.2.
                           sending an invalid protocol
                           sequence.
---
CVE-2006-5052  09/27/2006  Portable OpenSSH allows        No. OpenSSH on z/OS
                           remote attackers to            does not support GSSAPI
                           determine the validity of      authentication.
                           usernames via unknown
                           vectors involving a GSSAPI
                           "authentication abort."
---
CVE-2007-2243  04/25/2007  OpenSSH, when                  No. OpenSSH on z/OS
                           ChallengeResponseAuthentication does not support
                           is enabled, allows remote      challenge-response
                           attackers to determine the     authentication.
                           existence of user accounts.
----------------------------------------------------------------

The following rows need to be added to Table 9:

CERT/CVE       Date        Description                    Affects z/OS?
---
CVE-2005-1849  07/26/2005  zlib allows remote attackers   No. This vulnerability
                           to cause a denial of service   only affects zlib
                           via an invalid file that       version 1.2.2. OpenSSH
                           causes a large dynamic tree    on z/OS utilizes zlib
                           to be produced.                1.1.4.
----------------------------------------------------------------
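The copy-and-recopy procedure from Documentation #2 Change above, as an added example; it is not part of the IBM documentation or of the Ported Tools OpenSSH package. It goes one step beyond the documented cp -p: it first compares the chroot copy with the real file, so the same script covers both the initial copy and the Tip about recopying after TCPIP.DATA statements change. It assumes a POSIX shell (the z/OS UNIX shell qualifies); the source file and chroot directory are parameters so it can be exercised against a scratch directory, and the function names, the PRIVSEP_RESOLV_ACTION variable and the sample TCPIP.DATA statements are constructed for the example.

```sh
#!/bin/sh
# Added example, not IBM documentation: keep the TCPIP.DATA copy that the
# sshd privilege separation user sees inside its chroot (/var/empty) in
# sync with the real /etc/resolv.conf. Function and variable names are
# constructed for this example.

# privsep_resolv_stale SRC CHROOT
#   Returns 0 (true) when CHROOT/etc/resolv.conf is missing or differs from
#   SRC, i.e. when the privilege separation user would not see the current
#   TCPIP.DATA statements after chroot(CHROOT).
privsep_resolv_stale() {
    src=${1:-/etc/resolv.conf}
    dst="${2:-/var/empty}/etc/resolv.conf"
    [ -f "$dst" ] && cmp -s "$src" "$dst" && return 1
    return 0
}

# sync_privsep_resolv SRC CHROOT
#   Copies SRC to CHROOT/etc/resolv.conf with cp -p (as the documentation's
#   command does) when the chroot copy is stale. Sets PRIVSEP_RESOLV_ACTION
#   to "current" or "copied"; returns non-zero only if SRC is unreadable or
#   the copy fails.
sync_privsep_resolv() {
    src=${1:-/etc/resolv.conf}
    chroot_dir=${2:-/var/empty}
    dst="$chroot_dir/etc/resolv.conf"
    PRIVSEP_RESOLV_ACTION=""

    if [ ! -r "$src" ]; then
        echo "sync_privsep_resolv: cannot read $src" >&2
        return 1
    fi
    if ! privsep_resolv_stale "$src" "$chroot_dir"; then
        PRIVSEP_RESOLV_ACTION="current"
        return 0
    fi
    # The chroot's /etc may not exist yet on a fresh install.
    mkdir -p "$chroot_dir/etc" || return 1
    cp -p "$src" "$dst" || return 1
    echo "sync_privsep_resolv: copied $src to $dst" >&2
    PRIVSEP_RESOLV_ACTION="copied"
    return 0
}

# Stand-alone demonstration against a scratch directory. The TCPIP.DATA
# statements below are constructed sample data, not a real system's file.
# Prints the three actions taken: "copied current copied".
demo_privsep_resolv() {
    work="${TMPDIR:-/tmp}/privsep_demo.$$"
    mkdir -p "$work" || return 1
    cat > "$work/resolv.conf" <<'EOF'
TCPIPJOBNAME TCPIP
HOSTNAME     MVS1
DOMAINORIGIN example.com
NSINTERADDR  10.1.1.10
EOF
    sync_privsep_resolv "$work/resolv.conf" "$work/empty"   # first copy
    first=$PRIVSEP_RESOLV_ACTION
    sync_privsep_resolv "$work/resolv.conf" "$work/empty"   # nothing changed
    second=$PRIVSEP_RESOLV_ACTION
    # The installation adds a TCPIP.DATA statement: the chroot copy is stale.
    echo "NSINTERADDR  10.1.1.11" >> "$work/resolv.conf"
    sync_privsep_resolv "$work/resolv.conf" "$work/empty"   # recopy
    third=$PRIVSEP_RESOLV_ACTION
    rm -rf "$work"
    echo "$first $second $third"
}

demo_privsep_resolv
```

On a real system run `sync_privsep_resolv` with no arguments (defaults /etc/resolv.conf and /var/empty) from whatever job applies TCPIP.DATA changes, so the recopy the Tip requires is never forgotten; the chroot copy is compared by content, so a cp that preserved timestamps but was made from an older file is still detected as stale.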
Local fix
N/A
Problem summary
****************************************************************
* USERS AFFECTED: z/OS users of IBM Ported Tools for z/OS      *
*                 OpenSSH package.                             *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
IBM Ported Tools for z/OS User's Guide book needs updates.
Problem conclusion
IBM Ported Tools for z/OS User's Guide book will be updated.
Temporary fix
Comments
APAR Information
APAR number
OA24067
Reported component name
OPENSSH FOR Z/O
Reported component ID
5655M2301
Reported release
110
Status
CLOSED DOC
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2008-02-19
Closed date
2008-06-12
Last modified date
2008-06-12
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
SA227985XX
Fix information
Applicable component levels
Document Information
Modified date:
09 January 2021