How to set up ACF2 so that OpenSSH (also known as IBM Ported Tools) for z/OS can use SSHD privilege separation

Article ID: 52872

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

  The ACF2 setup for OpenSSH requires an ACF2 USER Profile record for the sshd privilege separation user and an ACF2 GSO STC record for the user ID for the SSHD daemon.

The daemon itself needs to run under a UID(0) user ID with access to BPX.DAEMON, but the tasks it spawns need to run under a non-UID(0) user ID that has NO access to BPX.DAEMON.

Environment

Component: ACF2MS

Resolution

  1. Set UsePrivilegeSeparation yes in the OpenSSH sshd_config file. (This option is deprecated at release 7.5; UsePrivilegeSeparation is now the default.)

  2. Place SSHD STC/daemon JCL in proclib under MEMBER_NAME=SSHD.

  3. INSERT the ACF2 USER Profile record for the sshd privilege separation user.
    Make sure you have a LOGONID record for SSHD, with the STC attribute.

    This logonid must also have a non-zero UID and specify HOME(/var/empty) and OMVSPGM(/bin/false).
    It should have NO access to the BPX.DAEMON resource and will be used by spawned tasks.

    For example from TSO:

    ACF
    SET LID
    INSERT SSHD NAME(priv separation id) STC GROUP(SSHGRP) -
      HOME(/var/empty) OMVSPGM(/bin/false) UID(nnn)
    SET PROFILE(GROUP) DIV(OMVS)
    INSERT SSHGRP GID(nnn)
    F ACF2,REBUILD(GRP),CLASS(P)
    END

    where nnn is not zero.

  4. Using an ACF2 GSO STC record, map procedure SSHD to the logonid that the SSHD daemon will run under.
    INSERT a GSO STC record that maps SSHD to a UID(0) user (for example OMVSKERN) and refresh the STC records.

    For example from TSO:

    ACF
    SET CONTROL(GSO)
    INSERT STC.SSHD GROUP(OMVSGRP) LOGONID(OMVSKERN) STC(SSHD)
    F ACF2,REFRESH(STC)
    END

  5. Ensure that a LOGONID called OMVSKERN exists with GROUP(OMVSGRP) specified, and that a group profile record for OMVSGRP exists.
    ACF
    SET LID
    INSERT OMVSKERN NAME(OMVSKERN) RESTRICT UID(0) GROUP(OMVSGRP)
    SET PROFILE(GROUP) DIV(OMVS)
    INSERT OMVSGRP GID(nnn)
    F ACF2,REBUILD(GRP),CLASS(P)
    END

    This logonid must have UID(0) and READ access to the FACILITY resource BPX.DAEMON ($TYPE(FAC)).
    ACF
    SET RESOURCE(FAC)
    RECKEY BPX ADD(DAEMON UID(<uid for omvskern>) SERVICE(READ) ALLOW)
    F ACF2,REBUILD(FAC)
    END

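After completing the steps above, the following POSIX shell script checks that the resulting layout matches what this article requires: privilege separation enabled (or left at its 7.5+ default) in sshd_config, the SSHD user not UID 0 with HOME /var/empty and program /bin/false, and the daemon user at UID 0. It is an added example, not part of this article or of the IBM or Broadcom products it describes. It assumes the logonid names used above (SSHD and OMVSKERN), that sshd_config is readable from the z/OS UNIX shell, and that user attributes are available as passwd-style records (name:pw:uid:gid:gecos:home:shell) such as a getent-style lookup returns; the configuration text and records embedded below are constructed sample data, so the script runs offline as written.

```shell
#!/bin/sh
# Post-setup verification for the ACF2 / OpenSSH privilege separation layout.
# Added example: not from the article or from IBM/Broadcom tooling.
# Assumptions: logonids SSHD (privilege separation user) and OMVSKERN
# (daemon); user attributes supplied as passwd-style records
#   name:pw:uid:gid:gecos:home:shell
# The sample config and records below are constructed test data.

# check_privsep_setting FILE
# Succeeds when sshd_config sets UsePrivilegeSeparation to yes or omits it
# (omitted means the default, which is "yes" from OpenSSH 7.5 onward).
check_privsep_setting() {
    val=$(awk 'tolower($1) == "useprivilegeseparation" { print tolower($2); exit }' "$1")
    case "$val" in
        ""|yes) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_privsep_user RECORD
# The spawned worker must not be UID 0, must have an empty home directory
# and must not be given a usable program (/bin/false).
check_privsep_user() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$uid" in ''|*[!0-9]*) return 1 ;; esac   # reject non-numeric UID
    [ "$uid" -ne 0 ] && [ "$home" = "/var/empty" ] && [ "$shell" = "/bin/false" ]
}

# check_daemon_user RECORD
# The listening daemon must run as UID 0 so it can switch identities.
check_daemon_user() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    case "$uid" in ''|*[!0-9]*) return 1 ;; esac
    [ "$uid" -eq 0 ]
}

# Constructed sample input standing in for the live system.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# sshd_config excerpt (constructed sample)
Port 22
UsePrivilegeSeparation yes
EOF
PRIVSEP_RECORD='SSHD:*:2001:500:priv separation id:/var/empty:/bin/false'
DAEMON_RECORD='OMVSKERN:*:0:1:OMVSKERN:/:/bin/sh'

# verify_all: runs the three checks and names the first failing requirement.
verify_all() {
    check_privsep_setting "$SAMPLE_CONFIG" || { echo "sshd_config: privilege separation is disabled"; return 1; }
    check_privsep_user "$PRIVSEP_RECORD"   || { echo "SSHD logonid: UID must be non-zero, HOME /var/empty, OMVSPGM /bin/false"; return 1; }
    check_daemon_user "$DAEMON_RECORD"     || { echo "OMVSKERN logonid: must be UID 0"; return 1; }
    echo "privilege separation layout looks correct"
}

verify_all
rm -f "$SAMPLE_CONFIG"
```

To check a real system, point SAMPLE_CONFIG at the live sshd_config and replace the two constructed records with the actual lookup results for SSHD and OMVSKERN; a non-zero exit from verify_all names the first requirement that is not met.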
Additional Information

Details on the ACF2 OMVS USER Profile record can be found in the ACF2 TECHDOCS, Maintaining Logonid Records section "USER Profile Records".

Details on the ACF2 GSO STC record can be found in the ACF2 TECHDOCS, Maintaining Global System Options Records section "Started Task (STC)".

Details on the BPX.DAEMON FACILITY resource can be found in the ACF2 TECHDOCS, UNIX System Services Support section "Control Access to Daemons".