How do you set up ACF2 so that OpenSSH for z/OS (IBM Ported Tools for z/OS) can use sshd privilege separation?

Article ID: 52872

Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC, CA PanApt, CA PanAudit

Issue/Introduction

Description

The ACF2 setup for OpenSSH privilege separation requires two definitions: an ACF2 USER profile record (OMVS segment) for the sshd privilege separation user, and an ACF2 GSO STC record that maps the SSHD started task to the logonid the sshd daemon runs under.

The two identities must be kept distinct. The daemon itself must run under a UID(0) logonid with READ access to the BPX.DAEMON FACILITY resource, because it has to switch identities to the authenticated user. The unprivileged child processes that sshd spawns to handle network input before authentication must run under a non-UID(0) logonid with NO access to BPX.DAEMON, so that a compromise of the pre-authentication code path does not yield superuser or daemon authority.

Solution

  1. In sshd_config, enable privilege separation with the line "UsePrivilegeSeparation yes" (the file uses keyword value pairs, not "="). Note that OpenSSH 7.5 and later enable privilege separation unconditionally and treat this keyword as deprecated; the privilege separation user is still required.

  2. Place the SSHD started-task (daemon) JCL in a PROCLIB member named SSHD.

  3. INSERT the ACF2 USER profile record for the sshd privilege separation user. Make sure a LOGONID record named SSHD exists with the STC attribute.

    This logonid must have a non-zero UID, HOME(/var/empty) and OMVSPGM(/bin/false), so that it owns no files and cannot be logged on to. It must have NO access to the BPX.DAEMON resource; it is used only by the unprivileged processes that sshd spawns.

    For example from TSO:

    ACF
    SET PROFILE(USER) DIV(OMVS)
    INSERT SSHD HOME(/var/empty) OMVSPGM(/bin/false) UID(nnn)
    F ACF2,REBUILD(USR),CLASS(P)

    where nnn is a non-zero UID.

  4. Using an ACF2 GSO STC record, map the SSHD procedure to the logonid the sshd daemon will run under. INSERT a GSO STC record that maps SSHD to a UID 0 logonid (for example OMVSKERN), then refresh the STC records.

    For example from TSO:

    ACF
    SET CONTROL(GSO)
    INSERT STC.SSHD GROUP(OMVSGRP) LOGONID(OMVSKERN) STC(SSHD)
    F ACF2,REFRESH(STC)

  5. Ensure that a LOGONID named OMVSKERN exists with GROUP(OMVSGRP) specified, and that a GROUP profile record for OMVSGRP exists.

    This logonid must have UID(0) and READ access to the FACILITY resource BPX.DAEMON ($TYPE(FAC)).
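The following check script is an added example and is not part of the original article, nor code from IBM or CA; it is something a practitioner can run from the z/OS UNIX shell after completing the five steps above, to confirm that the two identities are split the way the procedure requires. It assumes the logonid names used in the article's commands (SSHD for the privilege separation user, OMVSKERN for the daemon), that z/OS UNIX "id -u" resolves those logonids through the ACF2 USER profile, and that sshd_config is at /etc/ssh/sshd_config. The config parsing and UID checks are plain functions, so they can also be run against a copied sshd_config on another system.

```shell
#!/bin/sh
# check_privsep.sh: verify sshd privilege separation setup on z/OS UNIX.
# Added example, not code from the original article. Logonid names SSHD and
# OMVSKERN and the sshd_config path are assumptions taken from the article.

# privsep_setting FILE
# Prints the UsePrivilegeSeparation value from an sshd_config (lowercased),
# or "unset" if the keyword does not appear. Comment lines are ignored; if
# the keyword appears more than once the last value wins.
privsep_setting() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "useprivilegeseparation" { v = tolower($2) }
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# privsep_enabled FILE
# Returns 0 when the config enables privilege separation ("yes" or the
# OpenSSH 5.9+ value "sandbox"), 1 otherwise (including when unset).
privsep_enabled() {
    case "$(privsep_setting "$1")" in
        yes|sandbox) return 0 ;;
        *)           return 1 ;;
    esac
}

# check_uids PRIVSEP_UID DAEMON_UID
# Returns 0 when the privilege separation user is a numeric, non-zero UID
# and the daemon user is UID 0; otherwise prints the reason and returns 1.
check_uids() {
    privsep_uid=$1
    daemon_uid=$2
    case "$privsep_uid" in
        ''|*[!0-9]*)
            echo "privsep uid '$privsep_uid' is not numeric (user not defined?)" >&2
            return 1 ;;
    esac
    if [ "$privsep_uid" -eq 0 ]; then
        echo "privilege separation user must not be UID 0" >&2
        return 1
    fi
    if [ "$daemon_uid" != 0 ]; then
        echo "daemon user must be UID 0, got '$daemon_uid'" >&2
        return 1
    fi
    return 0
}

# Live run on the z/OS UNIX shell:  sh check_privsep.sh --live [sshd_config]
if [ "${1:-}" = "--live" ]; then
    cfg=${2:-/etc/ssh/sshd_config}
    echo "UsePrivilegeSeparation in $cfg: $(privsep_setting "$cfg")"
    privsep_enabled "$cfg" || echo "WARNING: privilege separation not enabled in $cfg"
    # id -u resolves the UID from the ACF2 USER profile; logonid names assumed.
    if check_uids "$(id -u SSHD 2>/dev/null)" "$(id -u OMVSKERN 2>/dev/null)"; then
        echo "UID split is correct: SSHD is non-root, OMVSKERN is UID 0"
    fi
fi
```

The script only reports on the UID split and the sshd_config keyword; it cannot see ACF2 rule sets, so access to BPX.DAEMON still has to be confirmed with the ACF2 LIST commands for the FAC resource rules. Run it with "--live" on the target system; without that argument it defines the functions and exits, which is how it can be sourced into other checks.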

Details on the ACF2 OMVS USER Profile record can be found in the ACF2 Administrator Guide, in Chapter 3: Maintaining Logonid Records section "USER Profile Records".

Details on the ACF2 GSO STC record can be found in the ACF2 Administrator Guide, in Chapter 14: Maintaining Global System Options Records section "Started Task (STC)".

Details on the BPX.DAEMON FACILITY resource can be found in the ACF2 Administrator Guide, in Chapter 21: z/OS UNIX System Services Support section "Defining Additional Started Task Logonids".

Environment

Component: ACF2MS