SSH Tectia  
Restrictions to File Transfer

If SSH Tectia Server for IBM z/OS is used for file transfer only, it is advisable to disable tunneling and terminal access to the server.

Enabling the SFTP Subsystem

To allow users to connect to SSH Tectia Server for IBM z/OS with SFTP, the secure file transfer subsystem must be defined in the sshd2_config file:

subsystem-sftp   /opt/tectia/libexec/sft-server-g3

Restricting Access to User's MVS User Catalog

To restrict what users can reach over SFTP, specify the --attribute=zos-access option for sft-server-g3 on the subsystem-sftp line:

subsystem-sftp   /opt/tectia/libexec/sft-server-g3 --attribute=zos-access:value

The values for the zos-access attribute are:

  • mvs: The user is allowed access only to the MVS side of the server.
  • usercatalog: The user is allowed access only to the MVS side of the server, and only to his/her own user catalog.
  • hfs: The user is allowed access only to the HFS side of the server.
  • mvs,hfs or hfs,mvs or all: The user is allowed access to both the MVS and HFS sides of the server. No access restrictions are active.
  • usercatalog,hfs or hfs,usercatalog: The user is allowed access to the HFS side of the server and, on the MVS side, only to his/her own user catalog.

The values are case-insensitive: "MVS" and "mvs" are equivalent. The values must not contain white space: "mvs,hfs" works, but "mvs, hfs" does not.

Example 1

To start sft-server-g3 so that users can access only their own MVS user catalog (the option is placed on the subsystem-sftp line in sshd2_config):

sft-server-g3 --attribute=zos-access:usercatalog

Example 2

To start sft-server-g3 so that only the HFS side can be accessed:

sft-server-g3 --attribute=zos-access:hfs

Disabling Tunneling

If you are sure that neither you nor your users need to create tunnels (which could otherwise be used to bypass firewall restrictions), you can disable tunneling (port forwarding) altogether by adding the following to sshd2_config:

AllowTcpForwarding       no

Note that this also disables transparent FTP tunneling through the server.

Disabling Terminal Access

The following configuration option of SSH Tectia Server for IBM z/OS denies terminal access to members of the group sftpusers:

Terminal.DenyGroups       sftpusers
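The four settings above (the SFTP subsystem, a restricting zos-access value, AllowTcpForwarding no and Terminal.DenyGroups) are easy to get partly right, for example a subsystem-sftp line that still says zos-access:all, or a forwarding keyword that was commented out rather than set to no. The following POSIX shell script is an added example, not code from SSH Tectia or its documentation: it audits an sshd2_config for exactly those settings and exits non-zero if any is missing. It assumes the "keyword value" line syntax shown on this page, that '#' starts a comment, that group lists are comma-separated, and that when a keyword repeats the last line wins (a simplification). The two configuration fragments it checks are constructed for the example and are not from a real system.

```shell
#!/bin/sh
# Audit an sshd2_config for the file-transfer-only hardening on this page.
# Added example, not part of SSH Tectia. Assumptions: "keyword value" lines,
# '#' comments, comma-separated group lists, last occurrence of a keyword wins.

# cfg_value FILE KEYWORD: print the keyword's value (keyword match is
# case-insensitive; internal runs of blanks collapse to one space).
cfg_value() {
    sed 's/#.*$//' "$1" | awk -v key="$2" '
        tolower($1) == tolower(key) {
            val = $2
            for (i = 3; i <= NF; i++) val = val " " $i
        }
        END { print val }'
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# audit_sshd2_config FILE [GROUP]: print PASS/FAIL per check and return 0
# only when every check passes. GROUP defaults to the page's example group.
audit_sshd2_config() {
    file="$1"; group="${2:-sftpusers}"; rc=0

    # 1. SFTP subsystem present and zos-access actually restricting
    subsys=$(cfg_value "$file" subsystem-sftp)
    case "$subsys" in
        *sft-server-g3*)
            access=$(printf '%s\n' "$subsys" |
                sed -n 's/.*--attribute=zos-access:\([^[:space:]]*\).*/\1/p')
            case "$(lower "$access")" in
                mvs|usercatalog|hfs|usercatalog,hfs|hfs,usercatalog)
                    echo "PASS subsystem-sftp: zos-access restricted to '$access'" ;;
                ""|all|mvs,hfs|hfs,mvs)
                    echo "FAIL subsystem-sftp: zos-access unrestricted (value '${access:-none}')"; rc=1 ;;
                *)
                    echo "FAIL subsystem-sftp: unknown zos-access value '$access'"; rc=1 ;;
            esac ;;
        *)
            echo "FAIL subsystem-sftp: sft-server-g3 not configured"; rc=1 ;;
    esac

    # 2. Port forwarding off (this also covers transparent FTP tunneling)
    if [ "$(lower "$(cfg_value "$file" AllowTcpForwarding)")" = "no" ]; then
        echo "PASS AllowTcpForwarding no"
    else
        echo "FAIL AllowTcpForwarding is not 'no'"; rc=1
    fi

    # 3. Terminal access denied for the SFTP-only group
    found=1
    for g in $(cfg_value "$file" Terminal.DenyGroups | tr ',' ' '); do
        if [ "$g" = "$group" ]; then found=0; fi
    done
    if [ "$found" -eq 0 ]; then
        echo "PASS Terminal.DenyGroups includes $group"
    else
        echo "FAIL Terminal.DenyGroups does not include $group"; rc=1
    fi
    return "$rc"
}

# Constructed sample fragments for the demonstration (not from a real host).
sample_hardened() { cat <<'EOF'
# file-transfer-only host
subsystem-sftp        /opt/tectia/libexec/sft-server-g3 --attribute=zos-access:usercatalog,hfs
AllowTcpForwarding    no
Terminal.DenyGroups   sftpusers
EOF
}
sample_weak() { cat <<'EOF'
subsystem-sftp        /opt/tectia/libexec/sft-server-g3 --attribute=zos-access:all
AllowTcpForwarding    yes   # tunnels still allowed
EOF
}

tmp=$(mktemp -d)
sample_hardened > "$tmp/hardened.cfg"
sample_weak     > "$tmp/weak.cfg"
echo "== hardened.cfg"; audit_sshd2_config "$tmp/hardened.cfg"
echo "== weak.cfg";     audit_sshd2_config "$tmp/weak.cfg" || true
rm -rf "$tmp"
```

Run it against the real file with `audit_sshd2_config /etc/ssh2/sshd2_config mygroup` (path and group are site-specific) after every edit and before restarting the server; the exit status makes it usable from a change-control job. The script only reads the configuration file, so it says nothing about whether the running sshd2 has been restarted with it.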


Copyright © 2011 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.