The ACF2 setup for OpenSSH requires an ACF2 USER Profile record for the sshd privilege separation user and an ACF2 GSO STC record for the user ID for the SSHD daemon.
The daemon needs to run under a UID(0) userid and have access to BPX.DAEMON but the spawned tasks need to run under a NON-UID(0) userid and have NO access to BPX.DAEMON.
Set the OpenSSH sshd_config setting UsePrivilegeSeparation = yes. (This option is deprecated at release 7.5 - UsePrivilegeSeperation is now the default)
ACF
SET LID
INSERT SSHD NAME(priv separation id) STC GROUP(sshgrp) -
HOME(/var/empty) OMVSPGM(/bin/false) UID(nnn)
SET PROFILE(GROUP) DIV(OMVS)
INSERT SSHGRP GID(nnn)
F ACF2,REBUILDS(GRP),CLASS(P)
ENDwhere nnn is not zero.
ACF
SET CONTROL(GSO)
INSERT STC.SSHD GROUP(OMVSGRP) LOGONID(OMVSKERN) STC(SSHD)
F ACF2,REFRESH(STC)
Details on the ACF2 OMVS USER Profile record can be found in the ACF2 TECHDOCS Maintaining Logonid Records section "USER Profile Records".
Details on the ACF2 GSO STC record can be found in the ACF2 TECHDOCS Maintaining Global System Options Records section "Started Task (STC)".
Details on the BPX.DAEMON FACILITY resource can be found in the ACF2 TECHDOCS:UNIX System Services Support section "control access to daemons".