The ACF2 setup for OpenSSH requires an ACF2 USER Profile record for the sshd privilege separation user and an ACF2 GSO STC record for the user ID under which the SSHD daemon runs.
The daemon must run under a UID(0) user ID with access to BPX.DAEMON, while the spawned privilege-separated tasks must run under a non-UID(0) user ID with NO access to BPX.DAEMON.
In sshd_config, set UsePrivilegeSeparation to yes.
Define the privilege separation user (a non-UID(0) logonid with its OMVS USER Profile record):

   INSERT SSHD NAME(priv separation id) STC GROUP(sshgrp) -
      HOME(/var/empty) OMVSPGM(/bin/false) UID(nnn)

Define its group:

   SET PROFILE(GROUP) DIV(OMVS)
   INSERT SSHGRP GID(nnn)

where nnn is not zero.
Define the GSO STC record that assigns the UID(0) daemon logonid to the SSHD started task:

   INSERT STC.SSHD GROUP(OMVSGRP) LOGONID(OMVSKERN) STC(SSHD)
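The following script is an added post-setup check and is not part of the original page or of any ACF2 or OpenSSH documentation. It verifies the two things the records above are meant to produce: sshd_config actually enables privilege separation, and the daemon logonid is UID 0 while the privilege separation logonid is not. It assumes the logonid names used on the page (OMVSKERN for the daemon, SSHD for privilege separation) and a placeholder sshd_config path; BPX.DAEMON access cannot be read from the shell and must still be confirmed in ACF2.

```sh
#!/bin/sh
# Post-setup verification for the privilege separation layout described above.
# Added example; not from the original page, ACF2 or OpenSSH documentation.
# Assumptions: daemon logonid OMVSKERN, privilege separation logonid SSHD
# (both as named on the page); the sshd_config path below is a placeholder.

# privsep_setting FILE
# Prints the effective UsePrivilegeSeparation value from an sshd_config.
# sshd honours the first non-comment occurrence of a keyword and accepts
# either "Keyword value" or "Keyword = value"; when absent, the default is "yes".
privsep_setting() {
    v=$(awk '{ gsub(/=/, " "); $0 = $0 }
             tolower($1) == "useprivilegeseparation" { print tolower($2); exit }' "$1")
    if [ -n "$v" ]; then echo "$v"; else echo "yes"; fi
}

# check_separation DAEMON_UID PRIVSEP_UID
# Returns 0 only when the daemon runs as UID 0 and the privilege separation
# user does not, which is the split the ACF2 records above are meant to give.
check_separation() {
    daemon_uid=$1
    privsep_uid=$2
    if [ "$daemon_uid" -ne 0 ]; then
        echo "FAIL: daemon logonid has UID $daemon_uid, expected UID(0)"
        return 1
    fi
    if [ "$privsep_uid" -eq 0 ]; then
        echo "FAIL: privilege separation logonid has UID 0, expected a non-zero UID"
        return 1
    fi
    echo "OK: daemon UID $daemon_uid, privilege separation UID $privsep_uid"
    return 0
}

# Live mode, run on the z/OS host:  sh privsep_check.sh --live /etc/ssh/sshd_config
# Uses id(1) to resolve the two logonids to their OMVS UIDs.
if [ "${1:-}" = "--live" ]; then
    cfg=${2:-/etc/ssh/sshd_config}   # placeholder path; adjust for your system
    echo "UsePrivilegeSeparation: $(privsep_setting "$cfg")"
    check_separation "$(id -u OMVSKERN)" "$(id -u SSHD)"
fi
```

A reported privilege separation value other than yes (or sandbox, where the installed OpenSSH supports it) means the separated tasks described above are not being used at all, and a UID 0 privilege separation logonid defeats the point of the second user even if sshd starts.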
Details on the ACF2 OMVS USER Profile record can be found in the ACF2 TECHDOCS Maintaining Logonid Records section "USER Profile Records".
Details on the ACF2 GSO STC record can be found in the ACF2 TECHDOCS Maintaining Global System Options Records section "Started Task (STC)".
Details on the BPX.DAEMON FACILITY resource can be found in the ACF2 TECHDOCS UNIX System Services Support section "Control access to daemons".