ISTH030E One or more MVRSHD servers are active

Explanation

Check CSAPP_MVRSHD_RHOSTS_DATA determined that one or more MVRSHD servers are active.

IBM® suggests avoiding the use of MVRSHD servers. The MVRSHD server supports the RSH and REXEC protocols, which transfer user ID and password information in the clear. There is also the potential for weak authentication when RSH clients use RHOSTS.DATA datasets. This authentication method allows remote command execution without requiring the RSH client to supply a password.

System action

The system continues processing.

Operator response

Contact the system programmer.

System programmer response

Examine the report that was produced by check CSAPP_MVRSHD_RHOSTS_DATA.

This report lists all the active MVRSHD server address spaces. To assist in identifying the server instance, the report contains the MVRSHD server job name in the first column, the ASID value in hexadecimal format in the second column, and a data value in hexadecimal format in the third column. The following indicates the meaning of the data value:

0 – This MVRSHD server is active and no attempts to authenticate using RHOSTS.DATA have occurred.

1 – This MVRSHD server is active and there have been one or more attempts to authenticate using RHOSTS.DATA.

To obtain more information about future attempts by RSH clients to use RHOSTS.DATA datasets for authentication, take the following action:

Enable internal RHOSTS level MVRSHD server tracing by issuing MODIFY proc_name,TRACE=(LOG,RHOSTS). When a new RSH client using a RHOSTS.DATA dataset for authentication is detected, an EZA4443I message will be recorded in the MVRSHD server joblog. The message will read:

EZA4443I Attempt to open USER1.RHOSTS.DATA requested by user2 on sys209.pok.im.com

For more information on the EZA4443I message, see EZA4443I in z/OS Communications Server: IP Messages Volume 1 (EZA).

To disable the RHOSTS level MVRSHD server tracing, issue the MODIFY proc_name,TRACE=(LOG,NORHOSTS) command. To disable all tracing in addition to the RHOSTS level MVRSHD server tracing, issue the MODIFY proc_name,TRACE=(NOLOG,NORHOSTS) command.

To disable the ability for RSH clients to use RHOSTS.DATA datasets for authentication, take the following action:

Identify and delete all specified userid.RHOSTS.DATA datasets.

The EZA4443I message can help identify which datasets are in use.
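As an added example (not IBM code), the following script turns EZA4443I entries from a saved MVRSHD joblog into a per-dataset inventory of the RSH clients that rely on RHOSTS.DATA, which shows which datasets to delete and which remote users will be affected. The pattern follows the message text shown above; the joblog line prefix, the sample lines, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Pattern derived from the EZA4443I text quoted on this page:
#   EZA4443I Attempt to open <dataset> requested by <user> on <host>
EZA4443I = re.compile(
    r"\bEZA4443I\s+Attempt to open\s+(?P<dataset>\S+)\s+"
    r"requested by\s+(?P<user>\S+)\s+on\s+(?P<host>\S+)"
)

def rhosts_usage(joblog_lines):
    """Map each RHOSTS.DATA dataset to {(remote_user, remote_host): attempts}."""
    usage = defaultdict(lambda: defaultdict(int))
    for line in joblog_lines:
        m = EZA4443I.search(line)  # search: tolerate a timestamp/job-id prefix
        if m is None:
            continue
        # Fold dataset and host names so case variants collapse into one entry;
        # the remote user ID is kept exactly as logged.
        dataset = m.group("dataset").upper()
        client = (m.group("user"), m.group("host").lower())
        usage[dataset][client] += 1
    return {ds: dict(clients) for ds, clients in usage.items()}

def report(usage):
    """Render the inventory as text lines, one dataset followed by its clients."""
    lines = []
    for ds in sorted(usage):
        lines.append(ds)
        for (user, host), n in sorted(usage[ds].items()):
            lines.append(f"  {user}@{host} attempts={n}")
    return lines

# Constructed sample joblog; the time/job-id prefix layout is an assumption.
SAMPLE_JOBLOG = [
    "09.14.02 STC01234  EZA4443I Attempt to open USER1.RHOSTS.DATA requested by user2 on sys209.pok.im.com",
    "09.14.05 STC01234  (constructed unrelated trace line)",
    "09.20.41 STC01234  EZA4443I Attempt to open USER1.RHOSTS.DATA requested by user2 on SYS209.POK.IM.COM",
    "10.02.17 STC01234  EZA4443I Attempt to open OPS7.RHOSTS.DATA requested by batch1 on host-a.example.test",
    "10.02.30 STC01234  EZA4443I Attempt to open USER1.RHOSTS.DATA requested by user9 on host-b.example.test",
]

if __name__ == "__main__":
    print("\n".join(report(rhosts_usage(SAMPLE_JOBLOG))))
```

A dataset that never appears in the output during the tracing window has not been opened for RSH authentication in that period; it may still exist and should be included in the cleanup.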

To disable the support for RSH and REXEC protocols, take the following action:

Stop all active instances of MVRSHD server.

For more information on the RHOSTS.DATA dataset, see Step 3: Permit remote users to access MVS™ resources (optional) in z/OS Communications Server: IP Configuration Guide.

User response

Not applicable.

Problem determination

Not applicable.

Source

z/OS® CS Health Checker

Module

ISTHCCK2

Routing code

Not applicable.

Descriptor code

Not applicable.

Automation

Not applicable.

Example

ISTH030E One or more MVRSHD servers are active