COZ_SERVER_HOST not configured

Discussion of the Co:Z Co-Processing Toolkit for z/OS
gngrossi
Posts: 35
Joined: Sat Mar 06, 2010 6:10 pm

Post by gngrossi » Thu Oct 14, 2010 12:35 pm

Receiving the error message when running a fromdsn command on a Windows server using Cygwin.

fromdsn-client[E]: startSocketConnection: COZ_SERVER_HOST not configured

Did I miss a configuration step?
Thanks.

Post by gngrossi » Thu Oct 14, 2010 1:52 pm

Here is more information.

This error is occurring when we are trying to add command security to the user's SSH public key. The application script was part of the z/OS job STDIN (in-line) but we moved it to the server. It appears it's running before the cozagent has had a chance to run?

command="/path/to/script" ssh-rsa .....

Is this doable? We are trying to lockdown what can run remotely for this application.

dovetail
Site Admin
Posts: 1948
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail » Thu Oct 14, 2010 2:58 pm

Co:Z Launcher uses ssh to remotely start Co:ZAgent, which in turn runs the user's logon shell on the remote system.

If you put a command in the sshd authorized keys file, it will run *instead* of CoZAgent for that key. For Co:Z Launcher to set up the correct remote environment, CoZAgent must be the target program.

See "man sshd" on your target platform for more information.

Post by gngrossi » Thu Oct 14, 2010 3:29 pm

The $SSH_ORIGINAL_COMMAND is /opt/dovetail/coz/bin/cozagent

Thanks for the verification.

Post by dovetail » Thu Oct 14, 2010 3:54 pm

Gary,

I'm unclear as to whether your issue is resolved...

If you have a command in the authorized keys file for a key, it will run before the target command (cozagent). That's not a problem, except your command can't do any fromdsn/todsn commands since the environment established by cozagent won't be present yet.

What your command/script could do is to verify that the $SSH_ORIGINAL_COMMAND is in fact cozagent, and then "exec" it. This would prevent the key from being used to run a different command.

But, I'm not clear as to the intent of what you are trying to accomplish.
Please give me a call if you want to discuss.
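
The check described in the post above (verify that $SSH_ORIGINAL_COMMAND is cozagent, then exec it), written out as a forced-command wrapper. This is an added example, not code from the thread or from Dovetail; the script path /usr/local/bin/coz-gate.sh, the --enforce flag and the function names are assumptions, and the agent path is the one reported earlier in the thread.

```shell
#!/bin/sh
# Added example: forced-command gate for a key used by Co:Z Launcher.
# Assumed (hypothetical) install path: /usr/local/bin/coz-gate.sh
# authorized_keys entry (key material elided, as in the thread):
#   command="/usr/local/bin/coz-gate.sh --enforce" ssh-rsa .....

# Agent path as reported in the thread for $SSH_ORIGINAL_COMMAND.
COZ_AGENT=/opt/dovetail/coz/bin/cozagent

# Return 0 only when the requested command is exactly the agent path.
# A substring or prefix match would also accept "cozagent; other-cmd".
is_allowed_command() {
    [ "${1:-}" = "$COZ_AGENT" ]
}

# Decide and act. An interactive login arrives with
# SSH_ORIGINAL_COMMAND unset, so it is denied as well.
gate() {
    if is_allowed_command "${SSH_ORIGINAL_COMMAND:-}"; then
        # exec the fixed path, never the client-supplied string, so
        # nothing the client sent is re-parsed by a shell.
        exec "$COZ_AGENT"
    fi
    echo "coz-gate: denied: ${SSH_ORIGINAL_COMMAND:-<interactive login>}" >&2
    return 1
}

# Enforce only when sshd invokes the script with the flag from the
# authorized_keys entry above.
if [ "${1:-}" = "--enforce" ]; then
    gate
    exit $?
fi
```

The wrapper only limits which command the key can start; as the thread notes, fromdsn/todsn calls cannot go in the wrapper itself because the environment cozagent establishes is not present yet.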

Post by gngrossi » Thu Oct 14, 2010 4:51 pm

You are right on target. We have a filter in place to inspect the command for /opt/dovetail/coz/bin/cozagent and exec it.

The purpose of this is to prevent a user from logging into the functional Unix id:

saf-ssh-agent -c keyring ssh user@server
saf-ssh-agent -c keyring ssh user@server "any cmd" < /dev/null

We were attempting to further limit the actual script cozagent would run and hence trying to use that in the authorized_keys file but that will not work. Does that help?
Thanks.

Post by dovetail » Thu Oct 14, 2010 5:29 pm

There really isn't a way in the sshd authorized_keys file to have the command filter what eventually happens under CoZAgent (since it hasn't started yet).
