IBM Support

OA24067: DOCUMENTATION DEFECTS AND CLARIFICATIONS FOR "IBM PORTED TOOLS FOR Z/OS" OPENSSH COMPID 5655M2301 M2301 HOS1110


APAR status

  • Closed as documentation error.

Error description

  • DOC APAR - running summary of documentation / pubs updates.
    .
    Problem #1 Description:
       Item 25 in the FAQ, "Sometimes when I run the ssh command on
       z/OS, I get the following SIGINT messages", requires
       clarification regarding the possibility of seeing a related
       console message.
    .
    Book Title  - IBM Ported Tools for z/OS User's Guide
    Book Number - SA22-7905-04
    Chapter     - Troubleshooting
    Section     - Frequently asked questions
    Topic       - #25 (SIGINT)
    PMR Number  - None
    Initials    - DN/RT
    .
    Documentation #1 Change:
    .
    The following text should be appended to answer:
    .
      The system administrator might also see the following message
      on the console:
    .
    IEF450I JOBNAME *OMVSEX - ABEND=SEC6 U0000 REASON=0000FF02
    .
      The console message results when ssh-rand-helper kills the
      UNIX command listed in /etc/ssh/ssh_prng_cmds before the
      kernel is able to initialize the child process for the
      command.  Again, you may see the console message if your
      system is heavily loaded.
    .
      Both messages can be eliminated by moving to z/OS V1R7 and
      above, with an available Integrated Cryptographic Service
      Facility (ICSF), because OpenSSH uses hardware support
      (/dev/random or /dev/urandom) to generate random numbers
      instead of using ssh-rand-helper.  For more information about
      using hardware support, see "Using hardware support to
      generate random numbers".
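    The choice described above (hardware-backed /dev/random or /dev/urandom
    when available, otherwise ssh-rand-helper running the commands in
    /etc/ssh/ssh_prng_cmds) can be checked from the shell. The following is
    an added example written for this page, not code from the APAR or from
    IBM's product; the ROOT prefix argument and the function names are
    assumptions so the checks can be pointed at a test tree, and the
    ssh_prng_cmds line format assumed is `"command line" /path/to/binary rate`
    with `#` comment lines.

```shell
# Added example (not from the APAR or IBM Ported Tools): which random-number
# source would OpenSSH of this era use, and what would ssh-rand-helper run?
# ROOT is an assumed prefix for testing; leave it empty on a live system.

# Print "device" if ROOT/dev/random or ROOT/dev/urandom is a readable
# character device (hardware support via ICSF, no ssh-rand-helper),
# otherwise "helper".
rand_source() {
    root=${1:-}
    for dev in "$root/dev/random" "$root/dev/urandom"; do
        if [ -c "$dev" ] && [ -r "$dev" ]; then
            echo device
            return 0
        fi
    done
    echo helper
}

# Read an ssh_prng_cmds file and print one line per entry: "ok <path>" when
# the binary is executable, "missing <path>" otherwise. ssh-rand-helper runs
# each usable entry under a timeout and kills it on expiry, which on a
# heavily loaded system can happen before the child has been set up
# (the SEC6 abend in the APAR text).
audit_prng_cmds() {
    file=$1
    q='"'
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    while read -r line || [ -n "$line" ]; do
        case $line in
            ''|\#*) continue ;;
        esac
        rest=${line#*$q}          # drop text up to the opening quote
        rest=${rest#*$q}          # drop the quoted command line itself
        set -- $rest              # $1 = binary path, $2 = entropy rate
        [ -n "$1" ] || continue
        if [ -x "$1" ]; then
            echo "ok $1"
        else
            echo "missing $1"
        fi
    done < "$file"
}

# Number of ssh_prng_cmds entries ssh-rand-helper could actually execute.
runnable_prng_cmds() {
    audit_prng_cmds "$1" | grep -c '^ok ' || true
}

# On a live z/OS system, run as the administrator:
#   rand_source && audit_prng_cmds /etc/ssh/ssh_prng_cmds
```

    If `rand_source` prints `device`, ssh_prng_cmds is not consulted and the
    SIGINT and SEC6 messages from Problem #1 no longer apply; if it prints
    `helper`, every `ok` entry is a command that may be killed under load.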
    --------
    Problem #2 Description:
       The documentation for section "Steps for creating or editing
       configuration files", #8 references the TCPIP.DATA file being
       copied to the HFS in /var/empty for the privsep user.  But
       the incorrect file name is used.
    .
    Book Title  - IBM Ported Tools for z/OS User's Guide
    Book Number - SA22-7905-nn
    Chapter     - For system administrators
    Section     - Steps for creating or editing configuration files
    Topic       - #8 (TCPIP.DATA file)
    PMR Number  - 14508,122,000
    Initials    - CW/RT
    .
    Documentation #2 Change:
    .
    The text in this section should alter all occurrences of
    "/etc/tcpip.data" to read "/etc/resolv.conf".
    .
    The corrected text should read:
    --
    If the TCPIP.DATA file on the system is located in the UNIX file
    system, for example, named /etc/resolv.conf, copy
    /etc/resolv.conf to /var/empty/etc/resolv.conf.
    .
    cp -p /etc/resolv.conf /var/empty/etc/resolv.conf
    .
    The OpenSSH daemon runs with privilege separation enabled by
    default. During privilege separation, the daemon cleaves itself
    into two processes, one with privileges and one without. The
    unprivileged user (the SSHD privilege separation user) handles
    network traffic and everything not requiring special privileges.
    This unprivileged process runs in a chroot jail of /var/empty.
    The chroot service changes the root directory from the current
    one to a new one; in this case, /var/empty. The root directory
    is the starting point for path searches of path names beginning
    with a slash. At some point, the privilege separation user
    invokes a TCP/IP system call which requires access to the
    TCPIP.DATA file. If this file is stored in the UNIX file system
    as /etc/resolv.conf, the privilege separation user will not have
    access to the file because it is not located off the new root
    file system of /var/empty. The system administrator should copy
    /etc/resolv.conf to /var/empty/etc/resolv.conf to make this file
    visible to the privilege separation user.
    .
    Tip: Every time the installation changes the TCPIP.DATA
    statements, the TCPIP.DATA file will need to be recopied to the
    path name located off the /var/empty root, so that the updated
    information is found by the privilege separation user.
    --
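    The copy step and the tip above can be scripted so that the chroot copy
    is refreshed only when TCPIP.DATA actually changed, and so that the
    chroot directory still meets the ownership and mode requirements sshd
    enforces on it (owned by root, not group- or world-writable). The
    following is an added example written for this page, not code from the
    APAR or from IBM's product; the function names are assumptions, and the
    owner argument exists only so the check can be exercised as a non-root
    user.

```shell
# Added example (not from the APAR or IBM Ported Tools): keep the TCPIP.DATA
# copy inside the sshd privilege-separation chroot in sync with the live
# file, after checking the chroot directory itself.

# Return 0 if DIR is a directory owned by OWNER (default root) and is not
# group- or world-writable; sshd refuses to start otherwise.
privsep_dir_ok() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || return 1
    # find prints the path only when every predicate holds
    [ -n "$(find "$dir" -prune -user "$owner" ! -perm -g+w ! -perm -o+w -print 2>/dev/null)" ]
}

# Copy the absolute path SRC to CHROOT/SRC when the target is missing or
# differs, creating the intermediate directory with a 755 mode. Prints
# "copied" or "unchanged"; returns non-zero on failure. A warning is
# printed if the copy is not world-readable, since the unprivileged
# sshd process is the one that has to open it.
sync_into_chroot() {
    src=$1
    chroot_dir=$2
    case $src in
        /*) ;;
        *) echo "source path must be absolute: $src" >&2; return 1 ;;
    esac
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    dest="$chroot_dir$src"
    destdir=$(dirname "$dest")
    if [ ! -d "$destdir" ]; then
        mkdir -p "$destdir" || return 1
        chmod 755 "$destdir" || return 1
    fi
    if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
        echo unchanged
        return 0
    fi
    cp -p "$src" "$dest" || return 1
    if [ -z "$(find "$dest" -prune -perm -o+r -print 2>/dev/null)" ]; then
        echo "warning: $dest is not world-readable" >&2
    fi
    echo copied
}

# Typical invocation on a z/OS system, run as the administrator after each
# TCPIP.DATA change:
#   privsep_dir_ok /var/empty && sync_into_chroot /etc/resolv.conf /var/empty
```

    Because `cp -p` preserves the source mode, the copy is only as readable
    as the live file; the warning flags the case where the privilege
    separation user would still be unable to read it.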
    --------
    Problem #3 Description:
    .
    OpenSSH vulnerability information needs to be updated in the
    "OpenSSH and vulnerabilities" chapter.
    .
    .
    Book Title  - IBM Ported Tools for z/OS User's Guide
    Book Number - SA22-7985-05
    Chapter     - OpenSSH and vulnerabilities
    Section     - List of vulnerabilities reported against SSH
                  applications
                  List of vulnerabilities reported against zlib
    Topic       - Table 8. List of vulnerabilities reported against
                  SSH applications
                  Table 9. List of vulnerabilities reported against
                  zlib.
    PMR Number  - 62294,7TD,000
    Initials    - DN/RT
    .
    Documentation #3 Change:
    .
    ----------------------------------------------------------------
    
    The following rows need to be added to Table 8:

    CERT/CVE        Date        Description                        z/OS OpenSSH affected?
    -------------   ----------  --------------------------------   ------------------------------
    CVE-2005-2797   09/06/2005  OpenSSH does not properly handle   No. This vulnerability was
                                dynamic port forwarding when a     introduced in OpenSSH 4.0.
                                listen address is not provided.
    CVE-2005-2798   09/06/2005  OpenSSH allows GSSAPI credentials  No. OpenSSH on z/OS does not
                                to be delegated to clients who     support GSSAPI authentication.
                                log in using non-GSSAPI methods.
    CVE-2006-4925   09/28/2006  OpenSSH allows remote attackers    No. This vulnerability was
                                to cause a denial of service       introduced in OpenSSH 4.2.
                                (crash) by sending an invalid
                                protocol sequence.
    CVE-2006-5052   09/27/2006  Portable OpenSSH allows remote     No. OpenSSH on z/OS does not
                                attackers to determine the         support GSSAPI authentication.
                                validity of usernames via unknown
                                vectors involving a GSSAPI
                                "authentication abort".
    CVE-2007-2243   04/25/2007  OpenSSH, when                      No. OpenSSH on z/OS does not
                                ChallengeResponseAuthentication    support challenge-response
                                is enabled, allows remote          authentication.
                                attackers to determine the
                                existence of user accounts.

    ----------------------------------------------------------------

    The following rows need to be added to Table 9:

    CERT/CVE        Date        Description                        z/OS OpenSSH affected?
    -------------   ----------  --------------------------------   ------------------------------
    CVE-2005-1849   07/26/2005  zlib allows remote attackers to    No. This vulnerability only
                                cause a denial of service via an   affects zlib version 1.2.2.
                                invalid file that causes a large   OpenSSH on z/OS uses zlib
                                dynamic tree to be produced.       1.1.4.
    ----------------------------------------------------------------
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: z/OS users of IBM Ported Tools for z/OS      *
    *                 OpenSSH package.                             *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    IBM Ported Tools for z/OS User's Guide book needs updates.
    

Problem conclusion

  • IBM Ported Tools for z/OS User's Guide book will be updated.
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA24067

  • Reported component name

    OPENSSH FOR Z/O

  • Reported component ID

    5655M2301

  • Reported release

    110

  • Status

    CLOSED DOC

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2008-02-19

  • Closed date

    2008-06-12

  • Last modified date

    2008-06-12

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Publications Referenced
SA227985XX    

Fix information

Applicable component levels

Product: APARs - MVS environment (SG19O)
Platform: z/OS (PF054)
Version: 110

Document Information

Modified date:
09 January 2021