



Hello,

On 07/07/13 19:45, Scott Klement wrote:
Hello Yvan,

I'm wondering if you didn't understand my reply? If so, can you
clarify what you didn't understand? Here are a few things I want
to be clear on:

1) I never suggested an encrypted connection. All connections I
suggested were encrypted with either SSL or SSH.

2) I never suggested a commercial product.


No, I know that - I was explaining that I was planning to recreate a
commercial product - the one I meant was the HTML5 version of z/Scope
anywhere.

3) I am one of the authors of the TN5250 you refer to, and I
understand very well how it works.

4) However, it has been my experience that it does not do proper
keyboard mapping unless you run tn5250 on the same box with your
keyboard. The cursesterm interface you refer to works by assigning
escape codes to keys that don't normally have escape codes
assigned to them -- this will be very difficult to get working over
a term program like putty!

5) In my experience, TN5250 does not compile cleanly in PASE, so
you'd have to modify it. If it weren't for point #3, these
modifications might be a good idea, but...

Yes, I know - there are currently some issues on a recent Linux distro
with the new 1.x OpenSSL branch; I had to compile it without SSL
support. I should definitely write a patch for that, and it's on the
to-do list, but other things keep requesting attention, preventing me
from getting to the end of that list ;-).


6) Since you are going to need SOME program on the client box in
any case (maybe Putty, maybe something like Cygwin, you'll need
SOMETHING...) you might as well put TN5250 there, I think you'll
find a more secure, more satisfactory experience this way. TN5250
works nicely off of a flash drive or even a 3.5 floppy disk.

Yes - I know. I was planning to recreate the z/Scope Anywhere product;
they have a limited (free) public version, but I don't like mapping my
systems' IP address to a public one. Not that any intrusion attempt
succeeded, but it's standing in my office room and nowadays I already
recognize the sound of people/bots trying word lists.


Is that clearer?

Oh yes - I think I might have miscommunicated/talked things through
each other a bit.


Also, please send all replies to the mailing list. There may be
others (now or sometime in the future) who are interested in this
topic. Sending your replies in private e-mail excludes those people
from being able to follow the discussion, which is not good!!


Yes, I accidentally clicked the wrong "reply" button while being fast
(which might have led to the mail being quite incomprehensible). I'm
used to using mailing lists, but I patched all the software on my
netbook to the latest versions, and they swapped the buttons...

-SK


On 7/7/2013 11:32 AM, Yvan Janssens wrote:
Hello,

2013/7/7 Scott Klement <midrange-l@xxxxxxxxxxxxxxxx>

I wouldn't run the tn5250 client in PASE. Instead, I'd carry a
flash drive with TN5250 installed on it, and use TN5250 with SSL
to connect to the IBM i.

If you prefer SSH to SSL for some reason, then have Putty or
OpenSSH on the flash drive as well as TN5250, and run TN5250
through an ssh tunnel.


Due to my profession I'm constantly required to be able to reach
machines in a secure way on untrusted networks - unencrypted
telnet sessions can be easily captured and displayed using e.g.
Wireshark, and when on the road/conferences I mostly reside on
places where people actively use such software.


I think running TN5250 on PASE will be difficult, and since
TN5250 won't have access to the keyboard, getting the keyboard
mapping right will be extremely difficult. I strongly recommend
running it on the end-PC rather than trying to run it on PASE.


The tn5250 client at http://tn5250.sf.net uses *curses for
terminal rendering/keyboard capture. It works quite well on Linux
machines using SSH, since curses uses the stdio to perform
input/output in a way that VT100/xterm like terminals understand
it.

Currently I run this on a small gateway Linux VM - it only
consists of a kernel+userland+tn5250 client in the initial
ramdisk built using buildroot, and I want to consolidate this: if
I understand correctly, I can configure PASE|OS/400 V5R1 so that
if a user logs in, it authenticates to the SSH daemon, and when
authenticated a tn5250 to localhost is started with the user
being logged in.

This is not really a production setup (since the machine is an
old Model 150 which I use for testing edge-cases like this),
merely an experiment to consolidate the tn5250 client "inside"
the AS/400e so generic client software can be used next to the
old TN5250 protocol.

This also opens possibilities to the many web/HTML5/ajax based
SSH terminals available to be used to log into this system.

I know that commercial solutions carrying out this exist, but
I'm looking to do it myself to learn edge-cases and gain new
insights.



-SK


On 7/7/2013 9:41 AM, Yvan Janssens wrote:


Hello,

If I understand correctly, PASE is a unix (AIX)-like subsystem on
IBM i and predecessors.

I'm having the following setup in mind:
* install GCC on PASE
* install OpenSSHD on PASE
* install tn5250 console client on PASE

I want to use this setup to encrypt the TN5250 traffic, and I know
I can use SSL on the TELNETD. The issue with that is that I'm
mostly on-the-road and this is a test/dev system at home, and I
want to run the tn5250 client on the AS/400e (V5R1) itself so I
can basically use any PC w/ putty/openssh/<insert your most
favorite SSH client here>. I also want to use it as an SSH tunnel
to access the other services at the machine/my lan, and this setup
might solve all those things at once.

Now the questions are:
* is this setup possible?
** which are the drawbacks to such a setup, knowing that this is not
production hardware, but a spare device to carry out quick tests?
* how do I install AIX software on it? Can I use those GCC packages?
* can I use the normal init scripts to auto-start daemons in PASE?

I tried searching the interwebs and the IBM site, but all the
information is about more recent releases (V5R4+), and in the past
I ran into issues because of some things which weren't supported
yet.


Yvan Janssens





--

|_|0|_| Yvan Janssens |_|_|0| Observe. Hack. Meet.
https://www.ohm2013.org |0|0|0| ['2013-07-31','2013-08-04']
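
The gateway arrangement discussed in this thread (authenticate over SSH, land directly in a tn5250 session to localhost, and allow tunnelling only to a chosen service), sketched as an sshd_config fragment. This is an added example, not configuration posted by anyone in the thread; it assumes a current OpenSSH server on a Linux gateway like the one described, and the group name `tn5250users`, the binary path and the forwarding target are hypothetical.

```conf
# Added example. Assumptions: an OpenSSH release that supports Match,
# ForceCommand and PermitOpen; the group "tn5250users" and the tn5250
# path are hypothetical and must be adapted to the actual gateway.

# Word-list guessing only works against passwords, so accept keys only.
PubkeyAuthentication yes
PasswordAuthentication no
# Named ChallengeResponseAuthentication on older releases.
KbdInteractiveAuthentication no
PermitRootLogin no
MaxAuthTries 3

Match Group tn5250users
    # An interactive login for this group starts the 5250 emulator
    # against the local telnet server instead of a shell. The 5250
    # traffic itself never leaves the loopback interface.
    ForceCommand /usr/bin/tn5250 127.0.0.1

    # Tunnelling stays available for a tn5250 client running on the
    # end PC, but only towards the listed destination.
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:23

    # Nothing else is needed for a terminal session.
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
```

Running `sshd -t` checks the file for syntax errors before the daemon is reloaded.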





This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
