SSH

Tectia Server 6.5 for IBM z/OS

Administrator Manual

SSH Communications Security Corporation

This software and documentation are protected by international copyright laws and treaties. All rights reserved.

ssh® and Tectia® are registered trademarks of SSH Communications Security Corporation in the United States and in certain other jurisdictions.

SSH and Tectia logos and names of products and services are trademarks of SSH Communications Security Corporation. Logos and names of products may be registered in certain jurisdictions.

All other names and marks are property of their respective owners.

No part of this publication may be reproduced, published, stored in an electronic database, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, for any purpose, without the prior written permission of SSH Communications Security Corporation.

THERE IS NO WARRANTY OF ANY KIND FOR THE ACCURACY, RELIABILITY OR USEFULNESS OF THIS INFORMATION EXCEPT AS REQUIRED BY APPLICABLE LAW OR EXPRESSLY AGREED IN WRITING.

For Open Source Software acknowledgements, see appendix Open Source Software License Acknowledgements in the Administrator Manual.

15 December 2015


Table of Contents

1. About This Document
Introduction to Tectia Server for IBM z/OS
System Authorization Facility
Sample Files
Documentation Conventions
Operating System Names
Customer Support
Terminology
2. Installing Tectia Server for IBM z/OS
Preparing for Installation
System Requirements
Permission Requirements
System Limits and Requirements
Directories and Data Sets
Licensing
Uploading Files Required for Installation
Installing Tectia Server for IBM z/OS
Installing the Tectia SSH Assistant ISPF Application
Installation Settings and Defaults
Generating Product Installation Jobs
Running the Product Installation Jobs
Enabling Manual Pages
Upgrading from Tectia Server for IBM z/OS Version 6.x
Uploading Files Required for Upgrade
Upgrading to Tectia Server for IBM z/OS 6.5.0
3. Getting Started with Tectia Server for IBM z/OS
Running the SSH Server (sshd2)
Starting the Server
Stopping the Server
Restarting the Server
Querying the Server Version
Setting Options for Starting the Server
Running the Certificate Validator (ssh-certd)
Starting the Certificate Validator
Stopping the Certificate Validator
Restarting the Certificate Validator
Querying the Certificate Validator Version
Setting Options for Starting the Certificate Validator
Environment Variables for Server and Client Applications
Setting Up a Shell User
Authenticating Remote Server Hosts
Using Password Authentication
Using Public-Key Authentication
4. Configuring the Server
Server Configuration Files
Editing Configuration Files
Command-Line Options
Running Tectia and OpenSSH on the Same Host
IPv6 Support
Defining Subconfigurations
Host-Specific Subconfiguration
User-Specific Subconfiguration
Configuring Cryptographic Algorithms
Configuring Ciphers
Configuring MACs
Configuring KEXs
Configuring Host Key Signature Algorithms
Configuring Public Key Signature Algorithms
Cryptographic Hardware Support
Configuring Root Logins
Restricting User Logins
Configuring Code Pages
Defining Subsystems
Auditing
Configuring Logging in sshd2
Logging SFTP Transactions
SMF Auditing
Securing the Server
Restrictions to System Administration
Restrictions to File Transfer
Restrictions to Tunneling
Load Control
5. Authentication
Supported User Authentication Methods
Using the z/OS System Authorization Facility
Server Authentication with Public Keys in File
Defining Server Host Key
Generating the Server Host Key Pair
Using an OpenSSH Server Host Key
Notifying the Users of the Host Key Change
Server Authentication with Certificates
Certificates Stored in File
Certificates Stored in SAF
User Authentication with Passwords
User Authentication with Public Keys in File
Enabling Public-Key Authentication
Using the Authorization File
Using Keys Generated with OpenSSH
User Authentication with Certificates
Certificates Stored in File
Certificate User Mapping File
Certificates Stored in SAF
Host-Based User Authentication
Client Configuration
Server Configuration
Optional Configuration Settings
User Authentication with Keyboard-Interactive
6. System Administration
Shell Access and Remote Commands
Supporting the chcp Command
Configuring Terminal Data Conversion
7. File Transfer Using SFTP
Creating a User for Batch File Transfers
Controlling File Transfer
Handling Prematurely Ending File Transfers
Controlling Staging during File Transfers
Restoring Archived Data Sets
8. Secure File Transfer Using Transparent FTP Security
Introduction to Transparent FTP Security
Transparent FTP Tunneling
FTP-SFTP Conversion
Summary of Configuration Steps
Configuring SOCKS Proxy
The ssh-socks-proxy-config.xml Configuration File
Storing Remote Server Host Keys
Creating the SSHSP User
Running SOCKS Proxy
Starting ssh-socks-proxy Manually under USS
Running ssh-socks-proxy as a Started Task
Stopping ssh-socks-proxy
Restarting ssh-socks-proxy
Reloading ssh-socks-proxy configuration
Configuring FTP
Editing the FTP Client Configuration
Creating the SOCKS Configuration
Examples of Transparent FTP Security
System-Wide Transparent FTP Tunneling with Fallback
JCL-Specific Transparent FTP Tunneling or FTP-SFTP Conversion
9. Tunneling
Local Tunnels
Tunneling TN3270
Remote Tunnels
Agent Forwarding
10. Troubleshooting Tectia Server for IBM z/OS
Debugging Tectia Server for IBM z/OS
Setting the Debug Level
Debugging Using USS Shell
Debugging File Transfer
Solving Problem Situations
Using the OMVS Shell
Common MVS Error Messages
Common Tectia Server for IBM z/OS Error Messages
Exceeding Maximum CPU Time
Auxiliary Storage Shortage
SSHD2 Cannot Be Started as a Started Task
File Transfer Server Log Messages with Wrong Timestamps
A. Man Pages
ssh-certd - Secure Shell Certificate Validator on z/OS
ssh_certd_config - configuration file format for ssh-certd on z/OS
ssh-dummy-shell - Ultimately restricted shell
ssh-externalkeys - Using external keys with Tectia Server for IBM z/OS
sshd-check-conf - checks what your configuration allows or denies based on the incoming user name and/or host name
sshd2 - Secure Shell server daemon on z/OS
sshd2_config - configuration file format for sshd2 on z/OS
sshd2_subconfig - advanced configuration of sshd2 on z/OS
sshregex - regular expressions used in file name globbing with scpg3, sftpg3 and configuration files
B. Default Configuration Files
Default sshd2_config Configuration File
Default ssh_certd_config Configuration File
C. IPv6 Support on Tectia Server and client tools for IBM z/OS
Server Configuration and Use
Client Configuration and Use
Connection Broker
Client
Tunneling
D. Running the Server and SOCKS Proxy on Multiple TCP/IP Stack z/OS
Running Two Servers on a Dual TCP/IP Stack
Running Two SOCKS Proxies on a Dual TCP/IP Stack
Connecting via Different TCP/IP Stacks with Tectia Clients
E. Console Messages
F. Log Messages
User Authentication - Common
User Authentication - Host-Based
User Authentication - Keyboard-Interactive Password
User Authentication - Keyboard-Interactive
User Authentication - Password
User Authentication - Public Key
Certificate-Specific Code
Agent Forwarding
Session Channels
SSH1 Agent Forwarding
Port Forwarding
Common Code
Host Key I/O
Cryptography Support
General Server Log Messages
SFTP
G. Open Source Software License Acknowledgements
Index

List of Examples

D.1. Two configuration files with different network listeners
D.2. Network listeners on TCP/IP stacks' loopback address