Dovetailed Technologies

Appendix I. Restricting OpenSSH users to SFTP

The common technique for restricting ssh capabilities is to change the user's default shell (the "default program" in the OMVS segment) to a shell that allows only certain commands and no interactive access. The sample script below can be customized and used as the user's "restricted shell". Put this script somewhere in your Co:Z bin install directory and set its permissions to u=rwx,go=rx (i.e., 755). Use the full path name of the script as the user's shell. Make sure that the script contains the full path names that you used for the Co:Z SFTP executable. You can remove the cozserver entry from the list if you don't want to allow remote Dataset Pipes commands via ssh.

#!/bin/sh
#
# A shell script which can be set as a user's default shell
# to only allow certain commands or ssh subsystems to run,
# disallowing full shell logins.

if [ $# -ge 2 -a "$1" = "-c" ]; then
  case $2 in
    # Update this list to match what you have in /etc/ssh/sshd_config
    # or add any other commands that you would like to allow
    # from ssh.
    # Placeholder: replace SFTP_EXECUTABLE with the file name of your
    # Co:Z SFTP executable.
    /opt/dovetail/coz/bin/SFTP_EXECUTABLE) exec "$2";;
    /opt/dovetail/coz/bin/cozserver) exec "$2";;
  esac
fi

# Write out whatever messages you want your users to see
# if they try something else
echo "Only sftp and dataset pipes file transfers are allowed from this account."
exit 1

Note: this will not only restrict the user from using an interactive shell under OpenSSH, but will also prevent them from running an interactive shell under TSO. In addition, any batch jobs that run with their userid (BPXBATCH or COZBATCH) will use this script as the default Unix shell.
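An added example, not part of the Co:Z documentation: a check that calls a restricted shell the way sshd does (the shell path, then `-c`, then the requested command as one argument) and confirms that only an exact allow-listed path runs. It builds a constructed copy of the script and a stub executable in a temporary directory; the function names and the `allowed-cmd` stub are hypothetical.

```shell
#!/bin/sh
# Added example: call a restricted shell the way sshd does
# (<shell> -c "<command>") and confirm only allow-listed paths run.
# All files are constructed in a temp dir; every name is hypothetical.

make_fixture() {
  dir=$(mktemp -d) || return 1
  # Constructed stub standing in for an allowed executable.
  printf '#!/bin/sh\necho ran-allowed\n' > "$dir/allowed-cmd"
  # Restricted shell with the sample script's structure, pointing at
  # the stub instead of the real Co:Z paths.
  cat > "$dir/rshell" <<EOF
#!/bin/sh
if [ \$# -ge 2 -a "\$1" = "-c" ]; then
  case \$2 in
    $dir/allowed-cmd) exec "\$2";;
  esac
fi
echo "Only sftp and dataset pipes file transfers are allowed from this account."
exit 1
EOF
  chmod 755 "$dir/allowed-cmd" "$dir/rshell"
  echo "$dir"
}

# 0 if the restricted shell ran the command, 1 if it refused.
# sshd passes the client's whole command line as one argument after -c.
rshell_allows() {
  out=$("$1" -c "$2" 2>/dev/null) && [ "$out" = "ran-allowed" ]
}

# 0 if a login-style call (no -c argument) is refused.
rshell_denies_login() {
  ! "$1" >/dev/null 2>&1
}

# Runs every check against a fresh fixture; 0 only if all behave.
run_checks() {
  d=$(make_fixture) || return 1
  rc=0
  rshell_allows "$d/rshell" "$d/allowed-cmd" || rc=1          # exact path runs
  rshell_allows "$d/rshell" "$d/allowed-cmd --extra" && rc=1  # extra args refused
  rshell_allows "$d/rshell" "/bin/sh" && rc=1                 # other program refused
  rshell_denies_login "$d/rshell" || rc=1                     # interactive login refused
  rm -rf "$d"
  return $rc
}
```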

Copyright© 2009-2017 Dovetailed Technologies, LLC. All rights reserved.
Co:Z® is a registered trademark of Dovetailed Technologies, LLC.