How do you setup ACF2 so that OpenSSH (also known as IBM Ported Tools) for z/OS can use SSHD privilege seperation?

Article Id: 52872
Status: Published
Updated On: 14-02-2018 06:43
Legacy Id: TEC489287
Products:
CA ACF2 , CA ACF2 - DB2 Option , CA ACF2 for zVM , CA ACF2 - z/OS , CA ACF2 - MISC , CA PanApt , CA PanAudit
Issue/Introduction:

Description

The ACF2 setup for OpenSSH requires an ACF2 USER Profile record for the sshd privilege separation user and an ACF2 GSO STC record for the user ID for the SSHD daemon.

The daemon needs to run under a UID(0) userid and have access to BPX.DAEMON but the spawned tasks need to run under a NON-UID(0) userid and have NO access to BPX.DAEMON.

Solution

  1. Set the OpenSSH sshd_config setting UsePrivilegeSeparation = yes.

  2. Place SSHD STC/daemon JCL in proclib under MEMBER_NAME=SSHD.

  3. INSERT the ACF2 USER Profile record for the sshd privilege separation user. Make sure you have a LOGONID record for SSHD, with the STC attribute.

    This logonid must also have a non-zero UID and specify HOME(/var/empty) and OMVSPGM(/bin/false). It should have NO access to the BPX.DAEMON resource and will be used by spawned tasks.

    For example from TSO:

    ACF
    SET PROFILE(USER) DIV(OMVS)
    INSERT SSHD HOME(/var/empty) OMVSPGM(/bin/false) UID(nnn)
    F ACF2,REBUILD(USR),CLASS(P)

    where nnn is non-zero

  4. Using the ACF2 GSO STC record map procedure SSHD to the logonid that the SSHD daemon will run under. INSERT a GSO STC record that maps SSHD to a UID 0 user (for example OMVSKERN) and refresh the STC record.

    for example from TSO:

    ACF
    SET CONTROL(GSO)
    INSERT STC.SSHD GROUP(OMVSGRP) LOGONID(OMVSKERN) STC(SSHD)
    F ACF2,REFRESH(STC)

  5. Ensure that there is a LOGONID called OMVSKERN with GROUP = OMVSGRP specified and a group profile record of OMVSGRP exists.

    This logonid must have UID=0 and READ access to FACILITY resource BPX.DAEMON ($TYPE(FAC)).

Details on the ACF2 OMVS USER Profile record can be found in the ACF2 Administrator Guide, in Chapter 3: Maintaining Logonid Records section "USER Profile Records".

Details on the ACF2 GSO STC record can be found in the ACF2 Administrator Guide, in Chapter 14: Maintaining Global System Options Records section "Started Task (STC)".

Details on the BPX.DAEMON FACILITY resource can be found in the ACF2 Administrator Guide, in Chapter 21: z/OS UNIX System Services Support section "Defining Additional Started Task Logonids".

Environment:

Release:
Component: ACF2MS