Help. SFTP through proxy servers

Discussion of the Co:Z Co-Processing Toolkit for z/OS
Post Reply
carros1
Posts: 1
Joined: Mon Apr 07, 2014 3:29 pm

Help. SFTP through proxy servers

Post by carros1 » Wed Mar 11, 2015 7:40 am

BMC has requested that we being using either FTPS or sftp. Our firewall team does not want to do FTPS but I'm not sure how to get sftp going with the company proxy servers.

Is there any suggestions on how to connect to a company proxy server to an external vendor via sftp in OMVS?
a sample or pointing to doc would be great?

Sandra Carroll

dovetail
Site Admin
Posts: 1791
Joined: Thu Jul 29, 2004 12:12 pm

Re: Help. SFTP through proxy servers

Post by dovetail » Wed Mar 11, 2015 2:36 pm

Its understandable that network people don't like FTPS (FTP with TLS), since managing multiple socket connections for FTPS through a firewall is messy.

SFTP (either our Co:Z SFTP or IBM's SFTP) relies on IBM Ported Tools OpenSSH for its ssh connection, so this is really a question about getting an z/OS ssh connection through a proxy.

FIrst - what kind of proxy do you need to punch through with ssh? SOCKS5 or HTTP? Does it require a userid/password?

The OpenSSH client does not directly support proxies, but you can use the "ProxyCommand" option to specify a command the will punch through the proxy and provide the socket connection. See the man page for more details.

Unfortunately, there isn't a suitable z/OS Unix proxy client command available from IBM - one would have to port something like BSD netcat ("nc") command to z/OS that can be used to make SOCKS5 proxy connections.

All of this said, I would not recommend using a proxy for your SSH connections, there is more efficient, supported, and arguably more secure way. The current ProxyCommand support in OpenSSH requires that the proxy command sit between the client and the socket over a pipe, which is just additional overhead. (The very latest version of OpenSSH allows the ProxyCommand to connect and then pass the socket FD back and get out of the way, but IBM doesn't support this yet).

Here is what we suggest if you can manage it:

- convince your firewall people to open up outbound connections on port 22 (SSH) if they originate from your z/OS LPAR.
- add SAF/RACF rules to z/OS (the SERVAUTH class) so that only the userid/jobs of your choosing can open this port to the public network.
(this is in effect a better firewall, implemented in z/OS Security product)

Post Reply