


Hello Yvan,

I'm wondering if you didn't understand my reply? If so, can you clarify what you didn't understand? Here are a few things I want to be clear on:

1) I never suggested an encrypted connection. All connections I suggested were encrypted with either SSL or SSH.

2) I never suggested a commercial product.

3) I am one of the authors of the TN5250 you refer to, and I understand very well how it works.

4) However, it has been my experience that it does not do proper keyboard mapping unless you run tn5250 on the same box with your keyboard. The cursesterm interface you refer to works by assigning escape codes to keys that don't normally have escape codes assigned to them -- this will be very difficult to get working over a term program like putty!

5) In my experience, TN5250 does not compile cleanly in PASE, so you'd have to modify it. If it weren't for point #3, these modifications might be a good idea, but...

6) Since you are going to need SOME program on the client box in any case (maybe Putty, maybe something like Cygwin, you'll need SOMETHING...) you might as well put TN5250 there, I think you'll find a more secure, more satisfactory experience this way. TN5250 works nicely off of a flash drive or even a 3.5 floppy disk.

Is that clearer?

Also, please send all replies to the mailing list. There may be others (now or sometime in the future) who are interested in this topic. Sending your replies in private e-mail excludes those people from being able to follow the discussion, which is not good!!

-SK


On 7/7/2013 11:32 AM, Yvan Janssens wrote:
Hello,

2013/7/7 Scott Klement <midrange-l@xxxxxxxxxxxxxxxx>

I wouldn't run the tn5250 client in PASE. Instead, I'd carry a
flash drive with TN5250 installed on it, and use TN5250 with SSL to
connect to the IBM i.

If you prefer SSH to SSL for some reason, then have Putty or OpenSSH
on the flash drive as well as TN5250, and run TN5250 through an ssh
tunnel.


Due to my profession I'm constantly required to be able to reach
machines in a secure way on untrusted networks - unencrypted telnet
sessions can be easily captured and displayed using e.g. Wireshark, and
when on the road/conferences I mostly reside on places where people
actively use such software.


I think running TN5250 on PASE will be difficult, and since TN5250
won't have access to the keyboard, getting the keyboard mapping
right will be extremely difficult. I strongly recommend running it
on the end-PC rather than trying to run it on PASE.


The tn5250 client at http://tn5250.sf.net uses *curses for terminal
rendering/keyboard capture. It works quite well on Linux machines using
SSH, since curses uses the stdio to perform input/output in a way that
VT100/xterm like terminals understand it.

Currently I run this on a small gateway Linux VM - it only consists of
a kernel+userland+tn5250 client in the initial ramdisk built using
buildroot, and I want to consolidate this: if I understand correctly, I
can configure PASE|OS/400 V5R1 so that if a user logs in, it
authenticates to the SSH daemon, and when authenticated a tn5250 to
localhost is started with the user being logged in.

This is not really a production setup (since the machine is an old Model
150 which I use for testing edge-cases like this), merely an experiment
to consolidate the tn5250 client "inside" the AS/400e so generic client
software can be used next to the old TN5250 protocol.

This also opens possibilities to the many web/HTML5/ajax based SSH
terminals available to be used to log into this system.

I know that commercial solutions carrying out this exist, but I'm
looking to do it myself to learn edge-cases and gain new insights.



-SK


On 7/7/2013 9:41 AM, Yvan Janssens wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Hello,

If I understand correctly, PASE is a unix (AIX)-like subsystem on IBM
i and predecessors.

I'm having the following setup in mind:
* install GCC on PASE
* install OpenSSHD on PASE
* install tn5250 console client on PASE

I want to use this setup to encrypt the TN5250 traffic, and I know I
can use SSL on the TELNETD. The issue with that is that I'm mostly
on-the-road and this is a test/dev system at home, and I want to run
the tn5250 client on the AS/400e (V5R1) itself so I can basically use
any PC w/ putty/openssh/<insert your most favorite SSH client here>. I
also want to use it as an SSH tunnel to access the other services at
the machine/my lan, and this setup might solve all those things at once.

Now the questions are:
* is this setup possible?
** which are the drawbacks to such a setup, knowing that this is not
production hardware, but a spare device to carry out quick tests?
* how do I install AIX software on it? Can I use those GCC packages?
* can I use the normal init scripts to auto-start daemons in PASE?

I tried searching the interwebs and the IBM site, but all the
information is about more recent releases (V5R4+), and in the past I
ran into issues because of some things which weren't supported yet.


Yvan Janssens





--

|_|0|_| Yvan Janssens |_|_|0| Observe. Hack. Meet.
https://www.ohm2013.org |0|0|0| ['2013-07-31','2013-08-04']
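
The SSH-tunnel option suggested in the reply above (tn5250 on the client PC, traffic carried through ssh), as an added example that is not part of the original messages. The host, user, local port and control-socket path are placeholders, and it assumes the IBM i telnet server listens on port 23 on the same machine as the SSH daemon.

```shell
#!/bin/sh
# Added example (not from the thread): run tn5250 on the client PC and carry
# its telnet traffic over an SSH local port forward.
# Placeholders/assumptions: host, user, local port, control-socket path, and
# that the IBM i telnet server listens on port 23 next to the SSH daemon.
SSH_HOST="${SSH_HOST:-ibmi.example.com}"
SSH_USER="${SSH_USER:-myuser}"
LOCAL_PORT="${LOCAL_PORT:-2323}"
CTL_SOCK="${CTL_SOCK:-$HOME/.ssh/tn5250-tunnel.sock}"

# Execute a command, or only print it when DRY_RUN=1 (for review and testing).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# -f -N: authenticate, then go to the background without a remote shell.
# -M -S: control socket, so the tunnel can be closed cleanly afterwards.
# ExitOnForwardFailure: fail instead of leaving a session with no tunnel.
# The forward binds 127.0.0.1 only, so other hosts on the untrusted network
# cannot reach the forwarded port on this PC.
open_tunnel() {
    run ssh -f -N -M -S "$CTL_SOCK" -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:${LOCAL_PORT}:127.0.0.1:23" "${SSH_USER}@${SSH_HOST}"
}

close_tunnel() {
    run ssh -S "$CTL_SOCK" -O exit "${SSH_USER}@${SSH_HOST}"
}

# tn5250 runs locally, so it sees the real keyboard; only the 5250 data
# stream crosses the tunnel.
start_session() {
    run tn5250 "127.0.0.1:${LOCAL_PORT}"
}

main() {
    open_tunnel || { echo "could not open SSH tunnel" >&2; return 1; }
    start_session
    close_tunnel
}

# Usage: sh tn5250-tunnel.sh connect   (DRY_RUN=1 prints the commands instead)
if [ "${1:-}" = "connect" ]; then main; fi
```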

