
Our Tectia/SSH admins currently have UID(0) on OMVS, and our security team had me change them to unique UIDs and also change their home directory from / to /home/userid. After doing this they complained they couldn't do their job.

What do I need to do to get Tectia/SSH set up so they can work without UID(0) and without / as their home directory?

I suspect it has something to do with /.ssh2 directory but as I have no documentation I've no clue.

Please advise.

asked Aug 02 '16 at 20:40


lbdyck


Oh OK, I thought they were able to connect but couldn't access other parts of the system.

In this case, if they were using public key authentication in the past, then likely their public keys didn't get moved to the new .ssh2 directory under their individual accounts. If you know which public keys under the (root)/.ssh2 directory belong to each individual, then you can simply copy only the individual public keys to the (non-uid(0))/.ssh2 directory.

Link to: Manual on setting up key auth


answered Aug 03 '16 at 16:28


Joe - Tectia Support ♦♦

Technically yes, but it's not generally recommended. Given the example of two users (bob and joe): if they had shared (or duplicated) .ssh2 directories, bob would be able to log in as joe, and vice versa, and this would somewhat defeat part of the purpose of going away from the shared UID(0) user.


answered Aug 03 '16 at 16:39


Joe - Tectia Support ♦♦

Unless the SSH server configuration was set up to lock the user into only their own directory, this doesn't sound like an SSH issue. It's more likely the OS permissions given to the user that are causing the limited permissions. There are a few ways the SSH server can limit what a user can do, but for the most part SSH relies on the operating system permissions.


answered Aug 03 '16 at 15:07


Joe - Tectia Support ♦♦

This is on z/OS OMVS if that helps explain things.


answered Aug 03 '16 at 15:21


lbdyck

The same thing happens on z/OS OMVS: it's the permissions set by the z/OS OMVS operating system that control what access the users will have when logging in through SSH.


answered Aug 03 '16 at 15:28


Joe - Tectia Support ♦♦

Can you point me to some doc on this? I'd really like to know if the admin users can work with a unique UID and just su to use the Tectia .ssh2 file, and where that file should be, as it shouldn't be in root (/).

Thanks


answered Aug 03 '16 at 15:45


lbdyck

The .ssh2 directory has to do with authentication, not normally with what they can access within the system. When they said "they couldn't do their job", are they unable to log in at all, or simply not able to access directories or programs within the system once logged in?


answered Aug 03 '16 at 16:18


Joe - Tectia Support ♦♦

When they connect they are prompted for a password when using a non-uid(0) account and su. When using uid(0) and a default home directory of root, they are not prompted for a password when they connect to a site.


answered Aug 03 '16 at 16:20


lbdyck

Perfect - that makes sense.

Is there a way to share the .ssh2 directory among users?


answered Aug 03 '16 at 16:33


lbdyck

Thank you for your help


answered Aug 03 '16 at 17:33


lbdyck

Asked: Aug 02 '16 at 20:40

Seen: 1,748 times

Last updated: Aug 03 '16 at 17:33

All user contributed content licensed under the cc-by-sa license.
Powered by OSQA.