Dovetailed Technologies

Appendix J. Setting up a test OpenSSH system on z/OS

It's sometimes convenient to create your own z/OS SSHD server on an alternate port for testing purposes. You can do this without any special privileges, and the SSHD server will run fine, except that it will only allow logins for the userid that it is running under.

This is especially handy if your Systems Programmer doesn't understand immediately that adding an SSH user subsystem doesn't introduce any new security risks.

Procedure J.1. General outline for adding a test SSHD server

  1. Create your own ssh directory, say ~/sshd, and copy the file /etc/ssh/sshd_config into it:.

    zos$ mkdir ~/sshd
    zos$ cp /etc/ssh/sshd_config ~/sshd      
  2. In this directory, generate your DSA and RSA host keys, as directed in the z/OS OpenSSH User's Guide.

    If you can copy the keys in /etc/ssh directory, then you will avoid "host key" mismatch problems if you switch your SSH client from the production to the test server. If you do copy the production host keys, make sure that you change the file permissions to 600 so that they can't be read by others.

  3. Edit your copy of sshd_config:

    1. Find the line "Subsystem" which defines the sftp subsystem

    2. Add a new line after this line:

      Subsystem dspipes <COZ_INST>/bin/dspipes

      (where <COZ_INST> is the directory where Co:Z Toolkit is installed).

    3. Uncomment the Port line and set it to an available port

    4. Uncomment / add the following lines (to use the private keys generated in the previous step):

      HostKey ./ssh_host_rsa_key
      HostKey ./ssh_host_dsa_key

      (where <COZ_INST> is the directory where Co:Z Toolkit is installed).

  4. From a z/OS shell, change to the directory that you created and start your copy of SSHD:

    /usr/sbin/sshd -e -D -f ./sshd_config

    Note: If you are unable to execute /usr/sbin/sshd, you may be able to copy it to your local directory, add the execute bit (chmod +x ~/sshd/sshd) and run the above command using this local copy.

  5. To connect to your test SSHD server from a client, don't forget to use the -ssh -p port SSH option on your ssh, fromdsn or todsn commands.

Copyright© 2009-2021 Dovetailed Technologies, LLC. All rights reserved.
Co:Z® is a registered trademark of Dovetailed Technologies, LLC.