sshd2 — Secure Shell server daemon on z/OS


sshd2 [-d debug_level_spec] [-D debug_level_spec] [-f config_file] [-h host_key_file] [-o options] [-4|-6] [-p port] [-F] [-v] [-V] [-g login_grace_time] [-i] [-q]


sshd2 (Secure Shell Daemon) is the server counterpart of sshg3. Together, these two programs replace and extend the services rlogin and rsh, and provide secure encrypted communication channels between two hosts connected over an unsecured network. They are intended to be as easy to install and use as possible.

sshd2 can be started either using a started task or manually from USS. It forks a new daemon for each incoming connection. The forked daemons handle key exchange, encryption, authentication, command execution, and data exchange.

sshd2 can be configured using command-line options or a configuration file. Command-line options override values specified in the configuration file. sshd2 reads configuration data from /opt/tectia/etc/sshd2_config (or the file specified with -f on the command line).

Subconfiguration files can also be specified in the main configuration file.

Start sshd2 as a started task as follows:

===> s SSHD2

The started task takes modify commands as follows:

===> f SSHD2,<command>

The following modify commands are supported:

debug debug_level

Set the debug level of the running server.


Stop the server. Existing connections are killed.


Restart the server. Existing connections will stay open until they are disconnected. If you have made configuration changes, existing connections will continue to use the old configuration settings while new connections will use the reconfigured settings.



Kill all existing connections and restart the server.


Query the version of the server.

The sshd2 command-line options (described in detail in the following section) can be given as an OPTS parameter on the sshd2 "start". For example, configuration file options are entered in the following format (where keyword is a configuration file keyword):

===> S SSHD2,OPTS='-o<keyword>=<value>'

Under USS you can start sshd2 manually as the SSHD2 user with the following command:

> /opt/tectia/sbin/sshd2


The following options are available:

-d debug_level_spec

Runs the server in one-shot debug mode. The server process accepts only one connection and exits after the connection has disconnected. The server sends verbose debug output to STDERR. The debugging level is either a number, or a comma-separated list of assignments of the format ModulePattern=debug_level, for example "*=10,sshd2=2". This should be the first argument on the command line.

-D debug_level_spec

Runs the server in continuous debug mode. As -d, but the server accepts several connections and needs to be stopped manually when you want to finish the debugging.

-f configuration_file

Specifies the name of the configuration file. The default is /opt/tectia/etc/sshd2_config.


If this option is specified, the default configuration file is not read at all.

-h host_key_file

Specifies the file from which the host key is read (default /opt/tectia/etc/hostkey).

-o 'option'

Can be used to give options in the format used in the configuration files. This is useful for specifying options for which there is no separate command-line flag. The option has the same format as a line in the configuration file. Comment lines are not accepted. Where applicable, the egrep regex format is used.


Specifies that sshd2 will only use IPv4 addresses. IPv6 addresses from ListenAddress configuration statements, name resolution and port forwarding will be ignored.


Specifies that sshd2 will only use IPv6 addresses. IPv4 addresses from ListenAddress configuration statements, name resolution and port forwarding will be ignored.

-p port

Specifies the port on which the server listens for connections. Note that when -p is specified, the server will ignore any defined ListenAddress and AddressFamily configuration statements and listen on all available IPv4 and IPv6 interfaces. The -p option is intended for testing - for greater control use the sshd2_config configuration file. The value of the Port configuration variable can be specified on the command line with the -o option. However, explicit port numbers on ListenAddress statements will override -oPort.


Disables daemon mode. The server does not spawn a new process to the background.


Enables verbose mode. Displays verbose debugging messages. Equivalent to -d 2. This option can also be specified in the configuration file with the keyword VerboseMode.


Displays version string.


Quiet mode. Nothing is sent to the system log. Normally the beginning, authentication, and termination of each connection is logged. This option can also be specified in the configuration file with the keyword QuietMode.

-g login_grace_time

Gives the grace time for clients to authenticate themselves (the default is 600 seconds). If the client fails to authenticate the user within this many seconds, the server disconnects and exits. The value zero indicates no limit.


Specifies that sshd2 is invoked via inetd.

Configuration File

sshd2 reads configuration data from /opt/tectia/etc/sshd2_config (or the file specified with -f on the command line). The file contains keyword-value pairs, one per line. Lines starting with '#' and empty lines are interpreted as comments.

For the format of sshd2_config, see sshd2_config(5).

Login Process

When a user logs in successfully, sshd2 does the following:

  1. Changes process to run with normal user privileges.

  2. Sets up the basic environment.

  3. Changes to the user's home directory.

  4. Runs the user's shell or command.



Contains configuration data for sshd2. This file should be writable by root only, but it is recommended (though not necessary) that it be world-readable.


Contains the private part of the host key. This file is normally created automatically by "make install", but can also be created manually using ssh-keygen-g3. This file contains vital cryptographic information and may only be read or modified by root.


Contains the public part of the host key. This file is normally created automatically by "make install", but can also be created manually. This file should be world-readable but must not be writable by anyone but root. If it does not match the private counterpart, clients probably get confused about the server's identity.


This file contains a seed for the random number generator. This file must not be accessible by anyone but root.


Contains information on how the server will verify the identity of a user. For more information, see Using the Authorization File.


If this file exists, sshd2 will not print information during login. (This is normally the user's last login time, message of the day and mail check.)


If this file exists, sshd2 refuses to let anyone except root log in. The contents of the file are displayed to anyone trying to log in. The file should be world-readable.


As above, but the file name is constructed from the name of the host. Check the output of hostname to see which name you should use in the file name. This functionality is supposed to be used by clustered machines (which share /etc).


This file contains host-username pairs, separated by a white space, one per line. The given user is permitted to log in from the given host without a password. The same file is used by rlogind and rshd. sshd2 differs from rlogind and rshd in that it requires public host-key authentication from the ssh2 server running on this host in addition to validating the host name retrieved from domain name servers. The file must be writable only by the user; it is recommended that it is not accessible by others.

It is also possible to use netgroups in the file. Either host or user name may be of the form +@groupname to specify all hosts or all users in the group.


For sshg3, this file is exactly the same as for .rhosts. However, this file is not used by rlogin and rshd, so using this permits access using sshg3 only.


This file is used during .rhosts authentication. In its simplest form, this file contains host names, one per line. Users on those hosts are permitted to log in without a password, provided they have the same user name on both machines. The host name may also be followed by a user name; such users are permitted to log in as any user on this machine (except root). Additionally, the syntax +@group can be used to specify netgroups. Negated entries start with '-'.

If the client host/user is successfully matched in this file, login is automatically permitted provided the client and server user names are the same. Additionally, successful host-based authentication is normally required. This file must be writable only by root; it is recommended that it be world-readable.


It is almost never a good idea to use user names in hosts.equiv. Note that it really means that the named user(s) can log in as anybody, including bin, daemon, adm, and other accounts that own critical binaries and directories. Using a user name practically grants the user root access. The only valid use for user names should be in negative entries. Note that this warning also applies to rsh/rlogin.


This is processed exactly as /etc/hosts.equiv. However, this file is not used by rlogin and rshd, so using this permits access using sshg3 only.


These are the public host keys of hosts that a user wants to log in from using host-based authentication (equivalent to RhostsRSAAuthentication in ssh1). Also, users have to set up their $HOME/.shosts (only used by ssh) or $HOME/.rhosts files (insecure, as it is used by the r* commands also). If the user name is the same on both hosts, it is adequate to put the public host key to /opt/tectia/etc/knownhosts and add the host name to /etc/shosts.equiv (or /etc/hosts.equiv).

xxxx denotes the host name (FQDN) and yyyy denotes the public-key algorithm of the key.

For example, if's host-key algorithm is ssh-dss, the host key is contained in the file in the knownhosts directory.

Possible names for public-key algorithms are ssh-dss and ssh-rsa.


As above, but system-wide. These settings can be overridden by the user by putting a file with the same name to the $HOME/.ssh2/knownhosts directory.