Restrictions to File Transfer
If SSH Tectia Server for IBM z/OS is used for file transfer only, it is advisable to disable tunneling and terminal access to the server.
Enabling the SFTP Subsystem
To allow the users to connect with SFTP to SSH Tectia Server for IBM z/OS, the secure file transfer subsystem has to be defined in the sshd2_config file:
subsystem-sftp /opt/tectia/libexec/sft-server-g3
Restricting Access to User's MVS User Catalog
To restrict the users' access with SFTP, the --attribute=zos-access option can be specified with sft-server-g3:
subsystem-sftp /opt/tectia/libexec/sft-server-g3 --attribute=zos-access:value
The values for the zos-access attribute are:
- mvs: User is allowed access only to the MVS side of the server.
- usercatalog: User is allowed access only to the MVS side of the server and only to his/her own catalog.
- hfs: User is allowed access only to the HFS side of the server.
- mvs,hfs or hfs,mvs or all: User is allowed access to both MVS and HFS sides of the server. No access restrictions are active.
- usercatalog,hfs or hfs,usercatalog: User is allowed access to the HFS side of the server and to the MVS side of the server but only to his/her own catalog.
The values are case-insensitive: both "MVS" and "mvs" can be used. The values cannot include white space: the value "mvs,hfs" works, but "mvs, hfs" does not.
Example 1
To start sft-server-g3 so that the user can only access his/her own MVS catalog:
sft-server-g3 --attribute=zos-access:usercatalog
Example 2
To start sft-server-g3 so that only HFS can be accessed:
sft-server-g3 --attribute=zos-access:hfs
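As an added example (not part of the SSH Tectia documentation or product code), the following Python audit helper reads an sshd2_config fragment, locates the subsystem-sftp line and reports which sides of the server a zos-access value actually opens, applying the value rules stated above (case-insensitive, comma-separated, no white space). It also lists the groups named in Terminal.DenyGroups. The config text is constructed for the example; the representation of the resulting access set is the example's own and is not a Tectia API.

```python
"""Audit helper for sshd2_config file-transfer restrictions.

Added example, not SSH Tectia code. It models the documented meaning of
the --attribute=zos-access values so an administrator can check what a
given subsystem-sftp line allows before deploying it.
"""
import re
import shlex

# Effective access implied by each documented zos-access value.
# "mvs" is "all" (whole MVS side), "usercatalog" (own catalog only) or
# None (no MVS access); "hfs" is True when the HFS side is reachable.
# Keys are frozensets so that "mvs,hfs" and "hfs,mvs" map to the same entry.
_VALUE_ACCESS = {
    frozenset({"mvs"}): {"mvs": "all", "hfs": False},
    frozenset({"usercatalog"}): {"mvs": "usercatalog", "hfs": False},
    frozenset({"hfs"}): {"mvs": None, "hfs": True},
    frozenset({"mvs", "hfs"}): {"mvs": "all", "hfs": True},
    frozenset({"all"}): {"mvs": "all", "hfs": True},
    frozenset({"usercatalog", "hfs"}): {"mvs": "usercatalog", "hfs": True},
}

# No zos-access attribute at all means no restriction is active.
UNRESTRICTED = {"mvs": "all", "hfs": True}


def parse_zos_access(value):
    """Normalise a zos-access value and return its access dict.

    Raises ValueError for white space or an undocumented combination.
    """
    if any(ch.isspace() for ch in value):
        raise ValueError(f"zos-access value must not contain white space: {value!r}")
    tokens = frozenset(token.lower() for token in value.split(","))
    if tokens not in _VALUE_ACCESS:
        raise ValueError(f"unsupported zos-access value: {value!r}")
    return dict(_VALUE_ACCESS[tokens])


def subsystem_sftp_access(config_text):
    """Return (sft-server binary, access dict) from the subsystem-sftp line.

    Returns (None, None) when the SFTP subsystem is not enabled at all.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0].lower() != "subsystem-sftp" or len(parts) < 2:
            continue
        access = dict(UNRESTRICTED)
        for arg in parts[2:]:
            match = re.fullmatch(r"--attribute=zos-access:(.*)", arg)
            if match:
                access = parse_zos_access(match.group(1))
        return parts[1], access
    return None, None


def terminal_denied_groups(config_text):
    """Collect group names given to Terminal.DenyGroups.

    Assumption for this example: groups are separated by white space
    and/or commas; the page shows only a single group.
    """
    groups = set()
    for raw in config_text.splitlines():
        parts = raw.replace(",", " ").split()
        if parts and parts[0].lower() == "terminal.denygroups":
            groups.update(parts[1:])
    return groups


# Constructed sample fragment, not taken from a real server.
SAMPLE_CONFIG = """\
# constructed sshd2_config fragment
subsystem-sftp /opt/tectia/libexec/sft-server-g3 --attribute=zos-access:UserCatalog,HFS
Terminal.DenyGroups sftpusers
"""

if __name__ == "__main__":
    binary, access = subsystem_sftp_access(SAMPLE_CONFIG)
    print("sft-server:", binary)
    print("effective zos-access:", access)
    print("terminal denied for groups:", terminal_denied_groups(SAMPLE_CONFIG))
```

Running the helper over a real sshd2_config before restarting the server gives a quick check that a file-transfer-only user really is confined to the intended side (and catalog) rather than silently unrestricted because the attribute was mistyped.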
Setting Up Security for Processing Offline Datasets
SSH Tectia Server for IBM z/OS can control who is permitted to request offline datasets to be mounted. Tape datasets are typically offline, and a DASD dataset is offline if the volume it resides on is not mounted. To control mounting, the System Authorization Facility (RACF, ACF2, or TSS) facility SSZ.MOUNT must be defined. When it is defined, SSH Tectia requires that the user has at least READ access before it requests a dataset to be mounted. If SSZ.MOUNT is not defined, there is no restriction on mounting.
The restriction is enforced both by the server and by the sftpg3 and scpg3 client programs.
In addition to having permission to request mounts, the user must also specify the file transfer attribute automount=yes for SSH Tectia to allocate a dataset with mounts allowed.
SSH Tectia first attempts to allocate a dataset without allowing the system to do a mount. If this fails because the dataset is offline, and the user has the required permission, SSH Tectia repeats the allocation and allows the system to mount the dataset. The user can instruct SSH Tectia to omit the first allocation by specifying automount=immed.
Note that a user who can open a shell or issue remote commands with SSH Tectia has other ways of causing tape mount requests. To control tape mounts effectively, do the following steps:
- Define SSZ.MOUNT with universal permission NONE:
RDEFINE FACILITY (SSZ.MOUNT) UACC(NONE)
- Set up the users who are to be allowed to mount tapes as file-transfer only users as instructed above (Restricting Access to User's MVS User Catalog).
- Give these users READ access to SSZ.MOUNT:
PERMIT SSZ.MOUNT CLASS(FACILITY) ID(SRVACC1) ACCESS(READ)
- After each command, refresh the RACLIST:
SETROPTS RACLIST(FACILITY) REFRESH
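The allocation decision described in this section (first allocation without a mount, retry with a mount only when the dataset is offline, the user holds READ on SSZ.MOUNT and asked for automount=yes, or no first attempt at all with automount=immed) is easy to get wrong when reasoning about who can trigger a tape mount. The following Python model is an added example, not SSH Tectia or RACF code: it encodes that decision together with a deliberately simplified FACILITY profile check (a user's own access-list entry, else the highest group entry, else UACC), so the effect of the RDEFINE and PERMIT commands above can be worked through. The profile dictionary and user names are constructed for the example; SRVACC1 is the ID from the PERMIT command on this page.

```python
"""Model of the documented offline-dataset mount decision.

Added example, not SSH Tectia or RACF code. The profile check is a
simplified model of a FACILITY class profile: an explicit entry for the
user wins, otherwise the highest access granted to one of the user's
groups, otherwise the profile's UACC.
"""

# RACF access levels in ascending order (EXECUTE sits below READ).
_LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def access_level(profile, user, groups=()):
    """Return the access level the profile grants to user (simplified)."""
    permits = profile.get("permits", {})
    if user in permits:
        return permits[user]
    group_levels = [permits[g] for g in groups if g in permits]
    if group_levels:
        return max(group_levels, key=_LEVELS.index)
    return profile.get("uacc", "NONE")


def may_request_mount(ssz_mount_profile, user, groups=()):
    """SSZ.MOUNT undefined means no restriction; otherwise READ is required."""
    if ssz_mount_profile is None:
        return True
    level = access_level(ssz_mount_profile, user, groups)
    return _LEVELS.index(level) >= _LEVELS.index("READ")


def allocate_dataset(dataset_offline, automount, ssz_mount_profile, user, groups=()):
    """Walk through the documented allocation sequence.

    automount is the file transfer attribute value: "no", "yes" or "immed".
    Returns (list of allocation attempts made, outcome string).
    """
    attempts = []
    if automount != "immed":
        # First pass: allocate without letting the system mount anything.
        attempts.append("allocate-without-mount")
        if not dataset_offline:
            return attempts, "allocated"
    # Either the dataset is offline or the first pass was skipped (immed).
    if automount not in ("yes", "immed"):
        return attempts, "failed: dataset offline, automount not requested"
    if not may_request_mount(ssz_mount_profile, user, groups):
        return attempts, "failed: user lacks READ access to SSZ.MOUNT"
    attempts.append("allocate-with-mount")
    return attempts, "allocated with mount"


# Constructed profile, mirroring RDEFINE ... UACC(NONE) and
# PERMIT ... ID(SRVACC1) ACCESS(READ) from the page.
SSZ_MOUNT = {"uacc": "NONE", "permits": {"SRVACC1": "READ"}}

if __name__ == "__main__":
    for user in ("SRVACC1", "OTHERUSR"):
        print(user, allocate_dataset(True, "yes", SSZ_MOUNT, user))
    print("SSZ.MOUNT undefined:", allocate_dataset(True, "yes", None, "OTHERUSR"))
```

The last line of the demonstration is the case worth remembering: when SSZ.MOUNT is not defined at all, any file-transfer user whose session asks for automount=yes can cause a mount request, which is why the steps above start by defining the facility with UACC(NONE).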
Disabling Tunneling
If you are sure you or your users do not need to create tunnels (possibly going around firewall restrictions or such), you can disable tunneling (port forwarding) altogether by adding the following to your sshd2_config:
Note that this also disables transparent FTP tunneling through the server.
Disabling Terminal Access
The following configuration option of SSH Tectia Server for IBM z/OS will deny the group sftpusers terminal access:
Terminal.DenyGroups sftpusers