After an upgrade from z/OS 2.3 to 2.4, users are unable to SFTP from a remove server using their passwords. Password authentication is the only method being used.

The following error messages are seen:

ACF01200 INVALID PASSWORD/AUTHORITY FOR ID xxxxxxxx FROM xxxxxxxx          
ACF01012 PASSWORD NOT MATCHED                                             
BPXF024I (BPXOINIT) sshd 455 : error: FOTS1503     
 __passwd: EDC5111I Permission denied. (errno2=0x090C0000)                 
BPXF024I (BPXOINIT)  sshd 455 : Failed password for xxxxxxx from xxxxxxxx port xxx ssh2

The correct password is being entered. The issue did not occur in the 2.3 environment. What is causing this logon failure?

Verify the OMVS UID for the user and sshd_config file settings. IBM made a change to the default SSH config files for z/OS 2.4. The summary of changes for OpenSSH z/OS Version 2 Release 4 (V2R4) states:

Root login using a password is no longer enabled by default.

The parameter this effects is PermitRootLogin. If PermitRootLogin is set to NO in sshd_config, then UID 0 users won't be able to login by using a password. The options are to either use a non-UID 0 user or change the config file to specify YES for this parameter and recycle the OpenSSH address space.

IBM Summary of changes for z/OS Version 2 Release 4 (V2R4) and its updates: https://www.ibm.com/docs/en/zos/2.4.0?topic=sc-summary-changes-zos-version-2-release-4-v2r4-its-updates