OA26660: DOCUMENTATION DEFECTS AND CLARIFICATIONS FOR "IBM PORTED TOOLS FOR Z/OS" OPENSSH COMPID 5655M2301 M2301 HOS1110

APAR status

  • Closed as documentation error.

Error description

  • DOC APAR - running summary of documentation / pubs updates.
    .
    Problem #1 Description:
    
    RAS update to improve the ability of customers and IBM service
    personnel to isolate problems that could easily be identified
    if a FOTS* message were printed, but the message is not printed
    because the environment is currently not configured correctly.
    
    Book Title  - IBM Ported Tools for z/OS: OpenSSH User's Guide
    Book Number - SA22-7985-xx
    Chapter     - Chapter 4.  For system administrators
    Section     - Starting the sshd daemon
                    - AND -
                  Frequently asked questions
    Topic       - Ways to start sshd as a stand-alone daemon
                    - AND -
                  FAQ 24
    PMR Number  - 76082,442,000
    Initials    - CW/RT
    
    Problem #1 Documentation Change:
    
    Add two export statements to the sample script provided to
    invoke sshd: the first explicitly sets NLSPATH so that sshd can
    produce FOTS* messages from the catalog, and the second enables
    errno2 reporting.  The updated sample script should look like:
    
    ---
    #!/bin/sh
    export _EDC_ADD_ERRNO2=1
    export NLSPATH="$NLSPATH:/usr/lib/nls/msg/%L/%N.cat"
    nohup /usr/sbin/sshd -f /etc/ssh/sshd_config &
    sleep 1
    ---
    
    =============================================================
    Problem #2 Description:
    
    Incorrect publication identifier used in the change history.
    
    Book Title  - IBM Ported Tools for z/OS: OpenSSH User's Guide
    Book Number - SA22-7985-xx
    Chapter     - Summary of changes
    Section     - All
    Topic       - n/a
    PMR Number  - 63271,005,000
    Initials    - CW/RT
    
    Problem #2 Documentation Change:
    
    All the sections of the SA22-7985-xx change history cite updates
    to the wrong publication ID: SA22-7905-xx.  For example:
    
    
    The "Summary of changes for ..." headings list
    SA22-7905-xx as the book number, but should list
    SA22-7985-xx as the book number.
    
    =============================================================
    Problem #3 Description:
    
    Clarifications are required for starting sshd as a
    stand-alone daemon.
    
    Book Title  - IBM Ported Tools for z/OS: OpenSSH User's Guide
    Book Number - SA22-7985-xx
    Chapter     - Chapter 4. For system administrators
    Section     - Starting the sshd daemon
    Topic       - Ways to start sshd as a stand-alone daemon
    PMR Number  - 73632,227,000
    Initials    - PE/RT
    
    Problem #3 Documentation Change:
    
    Add the following after "S SSHD" in step 3 of
    "Using BPXBATCH".
    
    You should see the message IEF695I on the MVS syslog.  The
    user ID indicated in the message should be defined as UID(0)
    with READ access to the BPX.DAEMON profile in the FACILITY
    class.  The group indicated in the message should have an
    OMVS segment containing a GID value.  With the default
    values from step 2, OMVSKERN and OMVSGRP, the message would
    look like this:
    
    IEF695I START SSHD     WITH JOBNAME SSHD     IS ASSIGNED TO
    USER OMVSKERN   , GROUP OMVSGRP
    
    The user ID and group must NOT be SSHD and SSHDG since
    this would indicate that the daemon was started with the
    SSHD privilege separation user.
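
The IEF695I check described above, as an added shell example that is not part of the IBM documentation: it reads syslog text on stdin, rejoins the wrapped message, and flags a start under SSHD or SSHDG. The function names, verdict words, exit codes and sample lines are constructed for illustration; UID(0), BPX.DAEMON access and the OMVS segment are not checked here.

```shell
#!/bin/sh
# Added example, not IBM code: report the user and group that IEF695I shows
# for the sshd started task. $1 = task name (assumed SSHD, as in "S SSHD").
check_sshd_start() {
    awk -v task="${1:-SSHD}" '
    # Return the blank- or comma-delimited token that follows key in s.
    function token_after(s, key,    i, rest) {
        i = index(s, key)
        if (i == 0) return ""
        rest = substr(s, i + length(key))
        sub(/^[ \t]+/, "", rest)
        sub(/[ \t,].*$/, "", rest)
        return rest
    }
    {
        if (index($0, "IEF695I START " task " ")) { buf = $0; n = 1 }
        else if (buf != "") { buf = buf " " $0; n++ }  # wrapped second line
        else next
        if (index(buf, " GROUP ") == 0) {              # message incomplete
            if (n >= 2) buf = ""                       # allow one continuation
            next
        }
        user = token_after(buf, " USER ")
        group = token_after(buf, " GROUP ")
        buf = ""; seen = 1
        # SSHD and SSHDG are the privilege separation user and group.
        if (user == "SSHD" || group == "SSHDG") { bad = 1; print "PRIVSEP", user, group }
        else print "OK", user, group
    }
    END {
        if (!seen) { print "NOTFOUND"; exit 2 }
        exit (bad ? 1 : 0)
    }'
}
# Constructed sample: the wrapped message shown in the text above.
sample_good() {
cat <<'EOF'
IEF695I START SSHD     WITH JOBNAME SSHD     IS ASSIGNED TO
USER OMVSKERN   , GROUP OMVSGRP
EOF
}
# Constructed sample: task started under the privilege separation user.
sample_bad() {
cat <<'EOF'
IEF695I START SSHD     WITH JOBNAME SSHD     IS ASSIGNED TO
USER SSHD       , GROUP SSHDG
EOF
}
sample_good | check_sshd_start
```

The function exits 0 when every matching message shows an acceptable user and group, 1 when any shows SSHD or SSHDG, and 2 when no IEF695I message for the task is found.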
    
    =============================================================
    Problem #4 Description:
    
    OpenSSH vulnerability information needs to be added to the
    "OpenSSH vulnerabilities" chapter.
    
    Book Title  - IBM Ported Tools for z/OS: OpenSSH User's Guide
    Book Number - SA22-7985-xx
    Chapter     - Chapter 11. OpenSSH vulnerabilities
    Section     - List of vulnerabilities reported against SSH
                    applications
    Topic       - Table 8. List of vulnerabilities reported
                    against SSH applications
    PMR Number  - None
    Initials    - RT
    
    Problem #4 Documentation Change:
    
    The following entries need to be added to Table 8:
    
    -----------------------------------------------------------
    Entry #1
    -----------------------------------------------------------
    CERT/CVE:
    CVE-2007-2768
    
    Date:
    05/21/2007
    
    Public name description:
    OpenSSH, when using OPIE (One-Time Passwords in Everything)
    for PAM, allows remote attackers to determine the existence
    of certain user accounts.
    
    Is OpenSSH on z/OS vulnerable?
    No. OpenSSH on z/OS does not support PAM.
    
    -----------------------------------------------------------
    Entry #2
    -----------------------------------------------------------
    CERT/CVE:
    CVE-2008-1657
    
    Date:
    04/02/2008
    
    Public name description:
    OpenSSH 4.4 up to versions before 4.9 allows remote
    authenticated users to bypass the sshd_config ForceCommand
    directive by modifying the .ssh/rc session file.
    
    Is OpenSSH on z/OS vulnerable?
    No. This vulnerability was introduced in OpenSSH 4.4.
    
    =============================================================
    Problem #5 Description:
    
    OpenSSL vulnerability information needs to be added to the
    "OpenSSH vulnerabilities" chapter.
    
    Book Title  - IBM Ported Tools for z/OS: OpenSSH User's Guide
    Book Number - SA22-7985-xx
    Chapter     - Chapter 11. OpenSSH vulnerabilities
    Section     - List of vulnerabilities reported against
                    OpenSSL
    Topic       - Table 10. List of vulnerabilities reported by
                    CERT/CC and CVE against OpenSSL
    PMR Number  - None
    Initials    - RT
    
    Problem #5 Documentation Change:
    
    The following entries need to be added to Table 10:
    
    -----------------------------------------------------------
    Entry #1
    -----------------------------------------------------------
    CERT/CVE:
    VU#661475
    CVE-2008-0891
    
    Date:
    05/29/2008
    
    Public name description:
    Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g,
    when the TLS server name extensions are enabled, allows
    remote attackers to cause a denial of service (crash) via
    a crafted packet.
    
    Is OpenSSH on z/OS vulnerable?
    No. This vulnerability affects OpenSSL 0.9.8f and 0.9.8g.
    OpenSSH on z/OS utilizes OpenSSL 0.9.7d.
    
    -----------------------------------------------------------
    Entry #2
    -----------------------------------------------------------
    CERT/CVE:
    VU#520586
    CVE-2008-1672
    
    Date:
    05/29/2008
    
    Public name description:
    OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause
    a denial of service (crash) via a TLS handshake that omits
    the Server Key Exchange message and uses "particular cipher
    suites."
    
    Is OpenSSH on z/OS vulnerable?
    No. This vulnerability affects OpenSSL 0.9.8f and 0.9.8g.
    OpenSSH on z/OS utilizes OpenSSL 0.9.7d.
    =============================================================
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: z/OS users of IBM Ported Tools for z/OS      *
    *                 OpenSSH package.                             *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    IBM Ported Tools for z/OS User's Guide book needs updates.
    

Problem conclusion

  • IBM Ported Tools for z/OS User's Guide book will be updated.
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA26660

  • Reported component name

    OPENSSH FOR Z/O

  • Reported component ID

    5655M2301

  • Reported release

    110

  • Status

    CLOSED DOC

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2008-09-30

  • Closed date

    2008-12-03

  • Last modified date

    2008-12-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Publications Referenced
SA227985XX        

Fix information

Applicable component levels



Document information


More support for:

z/OS family

Software version:

110

Operating system(s):

MVS

Reference #:

OA26660

Modified date:

2008-12-04
