OpenSSH Presentation SHARE 082011

IBM Ported Tools for z/OS
OpenSSH V1R2
Richard Theis (rtheis@us.ibm.com)
IBM Rochester, MN
Session 9684
u!ust "", #$""
2011 IBM Corporation
2
Trademars and !is"laimers
See #ttp$//%%%&i'm&"om/le(al/"op)trade&s#tml for a list of IBM trademars&
T#e follo%in( are trademars or re(istered trademars of ot#er "ompanies
%NI& is a re!istered trademar' o( The )*en +rou* in the %nited States and other countries
,-RT. is a re!istered trademar' and ser/ice mar' o( ,arne!ie Me00on %ni/ersit1.
ssh. is a re!istered trademar' o( SS2 ,ommunications Securit1 ,or*
& 3indo4 S1stem is a trademar' o( & ,onsortium, Inc
*ll ot#er prod+"ts ma) 'e trademars or re(istered trademars of t#eir respe"ti,e "ompanies
-otes$
5er(ormance is in Interna0 Throu!h*ut Rate (ITR) ratio based on measurements and *ro6ections usin! standard IBM benchmar's in a contro00ed en/ironment.
The actua0 throu!h*ut that an1 user 4i00 e7*erience 4i00 /ar1 de*endin! u*on considerations such as the amount o( mu0ti*ro!rammin! in the user8s 6ob stream,
the I9) con(i!uration, the stora!e con(i!uration, and the 4or'0oad *rocessed. There(ore, no assurance can be !i/en that an indi/idua0 user 4i00 achie/e
throu!h*ut im*ro/ements e:ui/a0ent to the *er(ormance ratios stated here.
IBM hard4are *roducts are manu(actured (rom ne4 *arts, or ne4 and ser/iceab0e used *arts. Re!ard0ess, our 4arrant1 terms a**01.
00 customer e7am*0es cited or described in this *resentation are *resented as i00ustrations o( the manner in 4hich some customers ha/e used IBM *roducts and
the resu0ts the1 ma1 ha/e achie/ed. ctua0 en/ironmenta0 costs and *er(ormance characteristics 4i00 /ar1 de*endin! on indi/idua0 customer con(i!urations
and conditions.
This *ub0ication 4as *roduced in the %nited States. IBM ma1 not o((er the *roducts, ser/ices or (eatures discussed in this document in other countries, and the
in(ormation ma1 be sub6ect to chan!e 4ithout notice. ,onsu0t 1our 0oca0 IBM business contact (or in(ormation on the *roduct or ser/ices a/ai0ab0e in 1our area.
00 statements re!ardin! IBM8s (uture direction and intent are sub6ect to chan!e or 4ithdra4a0 4ithout notice, and re*resent !oa0s and ob6ecti/es on01.
In(ormation about non;IBM *roducts is obtained (rom the manu(acturers o( those *roducts or their *ub0ished announcements. IBM has not tested those *roducts
and cannot con(irm the *er(ormance, com*atibi0it1, or an1 other c0aims re0ated to non;IBM *roducts. <uestions on the ca*abi0ities o( non;IBM *roducts shou0d
be addressed to the su**0iers o( those *roducts.
5rices sub6ect to chan!e 4ithout notice. ,ontact 1our IBM re*resentati/e or Business 5artner (or the most current *ricin! in 1our !eo!ra*h1.
.
*(enda
// O,er,ie% 00
5ac'a!in! and insta00ation
Re:uirements addressed
Ser/ice notes
Mi!ration and coe7istence
Troub0eshootin! in(ormation
**endi7
1
O,er,ie%$ OpenSSH
2#at is OpenSSH3
Suite o( net4or' connecti/it1 too0s that *ro/ide secure

encr1*ted communications bet4een t4o un;trusted hosts o/er
an insecure net4or'.
2#at se"+rit) does OpenSSH pro,ide3
=ata *ri/ac1 throu!h encr1*tion
=ata inte!rit1 to !uarantee una0tered communications
uthentication o( users and ser/ers
uthori>ation o( user actions
?or4ardin! to *rotect other T,59I5;based a**0ications

4
O,er,ie%$ OpenSSH
Ser/er ,0ient
Ser/er
sshd
ssh
s(t*
sc*
ssh;'e1scan
s(t*;ser/er
sc*
ssh;add
ssh;a!ent
ssh;'e1si!n
5
O,er,ie%$ OpenSSH for z/OS Prod+"ts
6Tools and To)s7 OpenSSH for z/OS
Non;*riced too0 (ne/er an o((icia0 *roduct)
Ne/er o((icia001 su**orted
No 0on!er a/ai0ab0e
8
IBM Ported Tools for z/OS$ OpenSSH V1R1
+ @ersion (Ma1 #$$4)A )*enSS2 B.C*", )*enSSD $.9.Eb,

>0ib ".".4, 7"";ssh;as'*ass ".#.4."
5R )"$B"C @ersion (*ri0 #$$C)A )*enSS2 B.8."*",

)*enSSD $.9.Ed, >0ib ".".4, 7"";ssh;as'*ass ".#.4."
Non;*riced *ro!ram *roduct (not *art o( >9)S)
Su**orted on >9)S ".4 and 0ater
No 0on!er orderab0e but sti00 su**orted

9
:-;2< IBM Ported Tools for z/OS$ OpenSSH V1R2
+ @ersion (Fu01 #$"$)A )*enSS2 C.$*", )*enSSD $.9.8',

>0ib ".#.B, 7"";ssh;as'*ass ".#.4."
Non;*riced *ro!ram *roduct (not *art o( >9)S)
Su**orted on >9)S "."$ and 0ater
)rder (rom Sho*>Series
a.'.a. G)*enSS2 (or >9)SH throu!hout this *resentation

=
*(enda
)/er/ie4
// Pa"a(in( and installation 00
Ser/ice notes
**endi7
10
Pa"a(in( and installation
Ne4 re0ease (@"R# ; ?MI= 2)S""#$) insta00s o/er the

*re/ious re0ease (@"R" ; ?MI= 2)S"""$)
,annot order the *re/ious re0ease no4 that the ne4

re0ease is a/ai0ab0e
Ne4 re0ease su**orted on >9)S "."$ and 0ater
>9)S "."$ and >9)S "."" re:uirementA 5T?s (or 5Rs

5I86B#9 and )#94$" must be a**0ied.
11
Important e>tended attri'+tes settin(s set d+rin(

install
N-3A sshd, sc*, s(t* and s(t*;ser/er must ha/e the 5?;
authori>ed e7tended attribute set (i.e. e7tattr Ja)
N-3A ssh and ssh;'e1si!n must ha/e the noshareas

e7tended attribute set
(i.e. e7tattr Ks)
sshd must ha/e the noshareas e7tended attribute set (i.e.

e7tattr Ks)
sshd must ha/e the *ro!ram contro0 e7tended attribute set

(i.e. e7tattr J*)
12
See the G3hat 1ou need to /eri(1 be(ore usin! )*enSS2H

section in the userLs !uide (or detai0s
&/(b s*0it (se*arate boo' and ?MI= 2@?B""") (rom

)*enSS2 (or >9)S
1.
*(enda
)/er/ie4
// Re?+irements addressed 00
Ser/ice notes
**endi7
11
Re?+irements addressed$ O,er,ie%
%*!rade /ersions o( )*enSS2, )*enSSD and >0ib
5ro/ide SM? su**ort
5ro/ide S? 'e1 rin! su**ort
Misce00aneous re:uirements
14
Re?+irements addressed$ @p(rade
Pro'lem statement
)*enSS2 (or >9)S needs to u*!rade the o*en source

/ersions o( )*enSS2, )*enSSD and >0ib to address /arious
(unctiona0, *er(ormance and securit1 re:uirements.
Sol+tion
%*!raded to )*enSS2 C.$*"
%*!raded to )*enSSD $.9.8'
%*!raded to >0ib ".#.B
Recom*i0ed 4ith &5DINI to im*ro/e o/era00 *er(ormance

15
Re?+irements addressed$ @p(rade
Benefits
?unctiona0A ,om*ression 4ith *ri/i0e!e se*aration su**ort
?unctiona0 and 5er(ormanceA ,onnection sharin! su**ort

:See ill+stration A1<
Securit1A =e0a1ed com*ression o*tion
Securit1A Restricted en/ironment su**ort (or SS2 c0ients

Securit1A 2ashed hostname and address su**ort
Securit1A Su**ort (or arc(our"#8 and arc(our#C6 ci*hers
Securit1A Su**ort (or umac64@o*enssh.com M,
+enera0A ,urrenc1 4ith o*en source enhancements and (i7es

18
Ill+stration A1$ Conne"tion S#arin(
Ser/er ,0ient
,0ientM#
ssh
Ser/er
sshd
,0ient MB
s(t*
,0ient M"
ssh (Master)
,0ient M4
sc*
19
Ill+stration A2$ Restri"ted ;n,ironment
Ser/er ,0ient
,0ient M"
ssh
Ser/er
sshd
,0ient M#
s(t*
,0ient MB
sc*
M", M# and MB
interna0;s(t*
root (9)
9chroot
M"
sh
M#
s(t*;ser/er
MB
sc*
1=
Re?+irements addressed$ SMB
Pro'lem statement
)*enSS2 (or >9)S needs to audit (i0e trans(ers and 0o!in

(ai0ures.
Sol+tion
SM? records !enerated (or both c0ient N ser/er (i0e trans(ers
SM? records !enerated (or 0o!in (ai0ures
Ne4 SM? ser/er trans(er com*0etion record

(T1*e ""9 ; Subt1*e 96)
Ne4 SM? c0ient trans(er com*0etion record

(T1*e ""9 ; Subt1*e 9E)
Ne4 SM? 0o!in (ai0ure record (T1*e ""9 ; Subt1*e 98)

20
Re?+irements addressed$ SMB
Benefits
SM? records audit sc*, s(t*, s(t*;ser/er and sshd acti/it1

:See ill+stration A.<
Ne4 SM? records are customi>ed (or )*enSS2 (or >9)S
Su**ort (or SM? record e7it I-?%8B or I-?%84

21
Ill+stration A.$ SMB Re"ords
Ser/er ,0ient
,0ient M"
s(t*
,0ient M#
sc*
Ser/er M"
s(t*;ser/er
Ser/er M#
sc*
T1*e ""9
Subt1*e 9E
SM?
T1*e ""9
Subt1*es 96 N 98
SM?
Ser/er
sshd
Ser/er M"
interna0;s(t*
98
96
96
96
9E
9E
22
Re?+irements addressed$ Ce) Rin(s
Pro'lem statement
)*enSS2 (or >9)S needs to su**ort !ettin! )*enSS2 'e1s

(RS and =S) (rom S? 'e1 rin!s.
Sol+tion
)*enSS2 (or >9)S 'e1s can be stored in a di!ita0 certi(icate

connected to a S? 'e1 rin!
Ne4 (eatures a/ai0ab0e (or ssh, sc*, s(t*, ssh;add, ssh;

'e1!en and sshd to !et 'e1s (rom a S? 'e1 rin!
2.
Re?+irements addressed$ Ce) Rin(s
Benefits
S? (e.!. R,?) contro0 o( )*enSS2 (or >9)S 'e1s (or SS2

*rotoco0 /ersion #
Su**orts ser/er authentication 4hen 'e1s are stored in 'e1

rin!s :See ill+stration A1<
Su**orts user authentication 4hen 'e1s are stored in 'e1

rin!s :See ill+stration A4<
Su**orts mi7in! 'e1 stora!e K 'e1 rin!s and %NI& (i0es

Su**orts rea0 or /irtua0 'e1 rin!s
dditiona0 (eatures a/ai0ab0e

(e.!. e7*ired certi(icate, si!nin!, etc.)
21
Ill+stration A1$ Ser,er a+t#enti"ation
Ser/er ,0ient
Ser/er
sshd
,0ient
ssh
9etc9ssh9sshO'no4nOhosts
host >os;'e1;rin!;0abe0PQSS2=-M9SS2Ino4n2ostsRin! host;ssh;rsaQ
SSHCno%nHostsRin( SSH!rin(
9etc9ssh9>osOsshdOcon(i!
2ostIe1Rin!Dabe0 QSS2=-M9SS2=rin! host;ssh;rsaQ
#ostDss#Drsa
24
Ill+stration A4$ @ser a+t#enti"ation
Ser/er ,0ient
Ser/er
sshd
,0ient
ssh
R9.ssh9>osOuserOsshOcon(i!
Identit1Ie1Rin!Dabe0PG%S-R9SS2rin! user;ssh;rsaQ
SSHrin( SSH*+t#Ce)sRin(
R9.ssh9authori>edO'e1s
>os;'e1;rin!;0abe0PG%S-R9SS2uthIe1sRin! user;ssh;rsaQ
+serDss#Drsa
25
Ill+stration A5$ Mi>in( e) stora(e
S1stem "A Ie1 Rin!s S1stem #A %NI& ?i0es
R9.ssh9>osOuserOsshOcon(i!
9etc9ssh9>osOsshdOcon(i! 9etc9ssh9sshdOcon(i!
R9.ssh9con(i!
SSHrin(
SSH*+t#Ce)sRin(
SSHCno%nHostsRin(
SSH!rin(
*
B
C
!
Host Ce) Biles
@ser Ce) Biles
;
B
28
Re?+irements addressed$ Mis"ellaneo+s
Pro'lem statement
)*enSS2 (or >9)S needs to *ro/ide a con(i!urab0e timeout

/a0ue (or ssh;rand;he0*er.
Sol+tion
Ne4 OS)SOSS2O5RN+O,M=SOTIM-)%T en/ironment

/ariab0e
Benefits
Im*ro/ed ssh;rand;he0*er su**ort on hea/i01 0oaded s1stems

29
Pro'lem statement
)*enSS2 (or >9)S needs to im*ro/e messa!e su**ort.
Sol+tion
Ne4 OS)SO)5-NSS2OMS+,T en/ironment /ariab0e
00 error;re0ated messa!es are no4 documented
Benefits
-nab0es :uic'er identi(ication o( *rob0ems

2=
Pro'lem statement
)*enSS2 (or >9)S needs to im*ro/e su**ort (or users that

share a %I=.
Sol+tion
,urrent M@S identit1 used to determine user name and initia0

4or'in! director1
Benefits
Im*ro/es ssh, ssh;add, ssh;'e1!en, ssh;rand;he0*er and sshd

(unctiona0it1 (or users that share a %I=
.0
*(enda
)/er/ie4
// Ser,i"e notes 00
**endi7
.1
Ser,i"e notes
V1R2$ !OC *P*Rs O*.191=E O*.1.89 and O*..=11
=ocument B ne4 mi!ration actions.
%*date documentation (or " mi!ration action.
V1R2$ P;R *P*R O*.1210
?i7es SM? T1*e ""9 subt1*e 9E record *rob0em 4hen usin!

Gs(t* user@ hostA(i0e" (i0e#H (i0e trans(er s1nta7.
V1R2$ @R1 *P*R O*.5248
Noise error messa!e 4hen usin! nested ssh c0ient a(ter

enab0in! SM? to co00ect T1*e ""9 subt1*e 96 records.
.2
Ser,i"e notes
V1R2$ sftp F' //!!$BTP and *PB a+t#orized pro'lem
)*enSS2 (or >9)S (@"R" or @"R#) doesnLt su**ort M@S

data sets.
Turnin! o(( s(t* 5?;authori>ed bit ma1 *ro/ide unsu**orted

circum/ention but sacri(ices SM? su**ort.
V1R1 and V1R2$ Pa"et pro'lems 6Bad pa"et len(t#7

and 6Corr+pted M*C on inp+t7
((ects SS2 *rotoco0 /ersion #
,hec' hard4are, (ire4a00s, net4or', inetd, etc.
See the (o00o4in! 4ebsite (or detai0sA

htt*A99b0o!s.orac0e.com96an*9entr19sshOmessa!esOcodeObadO*ac'et
..
Ser,i"e notes
V1R1 and V1R2$ Goop %#en +sin( SSHH*SCP*SS in

'at"#
((ects )*enSS2 in !enera0
Runnin! in batch and te00in! )*enSS2 that 1ou arenLt can

cause an in(inite 0oo* (i.e. s(t* ;oBatchModePno).
,ircum/ent b1 chan!in! Strict2ostIe1,hec'in! to 1es or no

de*endin! on ho4 much 1ou trust the host.
V1R1 and V1R2$ OpenSSH for z/OS isnIt a BIPS 110D2

"ompliant appli"ation&
.1
*(enda
)/er/ie4
Ser/ice notes
// Mi(ration and "oe>isten"e 00
**endi7
.4
Mi(ration and "oe>isten"e
Mi!ration actions
,oe7istence considerations
See the GMi!ratin! to @ersion " Re0ease # o( IBM 5orted

Too0s (or >9)SA )*enSS2H cha*ter in the userLs !uide.
Tae spe"ial note of
t#e mi(ration a"tions
%it# t#is s)m'ol
.5
Mi(ration a"tion$ sftp 'at"# mode
2#at "#an(ed
3hen the s(t* command is run 4ith the Kb o*tion, the

;oBatchModeP1es ar!ument is no4 *assed to the ssh
command.
2#en is a mi(ration a"tion needed
I( 1ou use the s(t* command 4ith the Kb o*tion and re:uire
*ass4ord, *ass*hrase or host 'e1 *rom*ts durin!
authentication. ?or e7am*0e, i( 1ou use the SS2OSI5SS
en/ironment /ariab0e (or user authentication, this mi!ration
action is re:uired since usin! SS2OSI5SS re:uires a
*ass*hrase *rom*t.
.8
Mi(ration a"tion$ sftp 'at"# mode
:Contin+ed<
Mi(ration a"tion
Run the s(t* command 4ith ;oBatchModePno as the (irst

o*tion.
CommandsE options or e)%ords affe"ted
s(t* Kb command;0ine o*tion
Referen"es
Mi!ration action u*dated 4ith =), 5R )BB9"4.

.9
Mi(ration a"tion$ OpenSSH #eap
mana(ement
2#at "#an(ed
)*enSS2 chan!ed ho4 it mana!es user hea* stora!e (or

data trans(ers.
I( 1ou 0imit the amount o( stora!e a/ai0ab0e to the *rocesses

runnin! )*enSS2 commands.
Mi(ration a"tion
Re(er to the G)*enSS2 hea* mana!ementH section in the

userLs !uide (or detai0s on action o*tionsA
O,--OR%N)5TSPG2-5(,,,?R--)H,
O,--OR-DD),O,)NTR)DPG#C6I,#CH or increase stora!e
a/ai0ab0e to )*enSS2.
.=
Mi(ration a"tion$ OpenSSH #eap
mana(ement :Contin+ed<
00 )*enSS2 commands
Referen"es
Mi!ration action ne4 4ith =), 5R )B48"9.

10
Mi(ration a"tion$ sftp spe"ial
"#ara"ters
2#at "#an(ed
5re/ious01, s(t* subcommand *arsin! hand0ed certain

s*ecia0 characters ((or e7am*0e, 8M8 and !0ob characters)
di((erent01. No4 s(t* subcommand *arsin! is more consistent
4ith she00 command *arsin!.
I( 1ou use s*ecia0 characters on s(t* subcommands.
Mi(ration a"tion
-sca*e s*ecia0 characters 4ith the bac's0ash character.

11
Mi(ration a"tion$ sftp spe"ial
"#ara"ters :Contin+ed<
s(t* command
Referen"es
Mi!ration action ne4 4ith =), 5R )B48"9.

12
Mi(ration a"tion$ ss#DrandD#elper
J/&ss#/ dire"tor) "reation
2#at "#an(ed
The ssh;rand;he0*er command no4 (ai0s i( a user8s R9.ssh9

director1 does not e7ist and can not be created.
I( 1ou use ssh;rand;he0*er to !enerate random numbers (or

)*enSS2 and an )*enSS2 user doesn8t ha/e and can not
create a R9.ssh9 director1.
Mi(ration a"tion
-nsure that a00 )*enSS2 users ha/e or can create a R9.ssh9

director1.
1.
Mi(ration a"tion$ ss#DrandD#elper
J/&ss#/ dire"tor) "reation :Contin+ed<
00 )*enSS2 commands
Referen"es
Mi!ration action ne4 4ith =), 5R )B4BE8.

11
Mi(ration a"tion$ J/&ss#/"onfi( o%ner
and permissions "#e"
2#at "#an(ed
5re/ious01, i( the user 4as usin! the de(au0t con(i!uration (i0e

(R9.ssh9con(i!), the o4ner or *ermissions on the (i0e 4as not
chec'ed. No4 ssh issues an error messa!e and e7its i( the
(i0e is not o4ned b1 the user or i( the (i0e is 4ritab0e b1 the
4or0d or the (i0e8s !rou*.
I( 1our (i0e has incorrect o4ner or *ermissions.
Mi(ration a"tion
,orrect the settin!s so the1 adhere to the ne4 re:uirements.
ssh command
14
Mi(ration a"tion$ ss#d f+ll pat# name
2#at "#an(ed
5re/ious01, the sshd daemon cou0d be started usin! a re0ati/e

*ath name ((or e7am*0e, .9sshd). No4 a (u00 *ath name must
be used instead o( the re0ati/e *ath name.
I( 1ou use a re0ati/e *ath name 4hen startin! the sshd

daemon.
Mi(ration a"tion
,han!e the startu* *rocess to use the (u00 *ath name instead
o( a re0ati/e *ath name.
sshd command
15
Mi(ration a"tion$ *ddress parsin(
"#an(es
2#at "#an(ed
5re/ious01, addresses containin! a co0on (A) character cou0d

be *arsed usin! the (or4ard s0ash (9) character and /ice
/ersa. No4 addresses containin! de0imiter characters (A or 9)
must be enc0osed in s:uare brac'ets.
I( 1ou use an address that contains de0imiter characters.
Mi(ration a"tion
-nc0ose the address in s:uare brac'ets.

18
Mi(ration a"tion$ *ddress parsin(
"#an(es :Contin+ed<
ssh KD and KR command;0ine o*tions
sshOcon(i! Doca0?or4ard and Remote?or4ard 'e14ords
*ermito*en authori>edO'e1s (i0e (ormat o*tion

19
Mi(ration a"tion$ !efa+lt ,al+e "#an(e
for *llo%T"pBor%ardin(
2#at "#an(ed
5re/ious01, the de(au0t /a0ue 4as Q1esQ. No4 it is QnoQ.
I( 1ou 4ant to continue to a00o4 *ort (or4ardin!. This de(au0t

4as chan!ed to reduce e7*osure to a /u0nerabi0it1 re*orted
as ,@-;#$$4;"6CB.
Mi(ration a"tion
Set 00o4Tc*?or4ardin! to Q1esQ.
sshdOcon(i! 00o4Tc*?or4ardin! 'e14ord

1=
Mi(ration a"tion$ Inp+t ,al+e "#an(es
for ss#De)(en F'
2#at "#an(ed
5re/ious01, the minimum RS 'e1 si>e on the ssh;'e1!en ;b

o*tion 4as C"# bits and the de(au0t 4as "$#4 bits. No4 the
minimum RS 'e1 si>e is E68 bits and the de(au0t is #$48
bits. The ma7imum remains B#E68 bits.
5re/ious01, the =S 'e1 si>e on the ssh;'e1!en Kb o*tion

4as a00o4ed to be bet4een C"# and B#E68 bits. No4 the
=S 'e1 si>e must be "$#4 bits.
40
Mi(ration a"tion$ Inp+t ,al+e "#an(es
for ss#De)(en F' :Contin+ed<
I( 1ou are usin! ssh;'e1!en to !enerate RS 'e1s 4ith a si>e

that is 0ess than E68 bits.
I( 1ou are usin! ssh;'e1!en to !enerate =S 'e1s 4ith a si>e

that is not e:ua0 to "$#4 bits.
Mi(ration a"tion
%se ssh;'e1!en to !enerate ne4 RS and =S 'e1s

based on the ne4 si>e re:uirements.
ssh;'e1!en Kb command;0ine o*tion

41
Mi(ration a"tion$ KPGI-C en,ironment
2#at "#an(ed
Be!innin! in @ersion " Re0ease #, IBM 5orted Too0s (or

>9)SA )*enSS2 is an &5DINI a**0ication. &5DINI (-7tra
5er(ormance Din'a!e) is a t1*e o( ca00 0in'a!e that can
im*ro/e *er(ormance in an en/ironment o( (re:uent ca00s
bet4een sma00 (unctions.
I( the &5DINI en/ironment is not set u*.

42
Mi(ration a"tion$ KPGI-C en,ironment
:Contin+ed<
Mi(ration a"tion
To set u* the &5DINI en/ironment (that is, to initia0i>e the

resources necessar1 to run an &5DINI a**0ication), do the
(o00o4in!A
5ut the Dan!ua!e -n/ironment run;time 0ibrar1 S,--R%N# in
the DNIDST member o( STS".5RMDIB.
5ut the &5DINI modu0es in S,--R%N# in the d1namic D5.
00 )*enSS2 commands
4.
Mi(ration a"tion$ Messa(e n+m'ers
2#at "#an(ed
5re/ious01, to associate messa!e numbers ((or e7am*0e,

?)TSnnnn) 4ith )*enSS2 error messa!es, the NDS5T2
en/ironment /ariab0e had to inc0ude the (o00o4in! *athA
9usr90ib9n0s9ms!9UD9UN.cat. Startin! in @ersion " Re0ease #,
messa!e numbers (or IBM 5orted Too0s (or >9)SA )*enSS2
are associated 4ith )*enSS2 error messa!es b1 de(au0t.
I( 1ou do not 4ant messa!e numbers to be associated 4ith

)*enSS2 error messa!es.
41
Mi(ration a"tion$ Messa(e n+m'ers
:Contin+ed<
Mi(ration a"tion
Set en/ironment /ariab0e

OS)SO)5-NSS2OMS+,TPQN)N-Q be(ore runnin! an
)*enSS2 command. I( 1ou ha/e *re/ious01 modi(ied the
NDS5T2 en/ironment /ariab0e, 1ou do not need to ma'e an1
chan!es to it.
00 )*enSS2 commands
44
for "ip#ers list
2#at "#an(ed
5re/ious01, the de(au0t ci*her 0ist did not contain arc(our"#8

and arc(our#C6. No4 the de(au0t ci*her 0ist contains
arc(our"#8 and arc(our#C6. The order 4as a0so chan!ed to
*re(er ci*hers that are not susce*tib0e to securit1 /u0nerabi0it1
,@-;#$$8;C"6".
I( 1ou used the *re/ious de(au0t 0ist and do not 4ant to a00o4
the ne4 ci*hers or the ne4 order o( the *re(erred ci*hers.
Mi(ration a"tion
S*eci(1 the *re/ious de(au0t 0ist.

45
for "ip#ers list :Contin+ed<
ssh Kc command;0ine o*tion
sshOcon(i! ,i*hers 'e14ord
sshdOcon(i! ,i*hers 'e14ord

48
for M*Cs list
2#at "#an(ed
5re/ious01, the de(au0t M,s 0ist did not contain

umac64@o*enssh.com. No4 the de(au0t M,s 0ist contains
umac64@o*enssh.com.
I( 1ou used the *re/ious de(au0t 0ist and do not 4ant to a00o4
the ne4 M,.
Mi(ration a"tion
S*eci(1 the *re/ious de(au0t 0ist.

49
for M*Cs list :Contin+ed<
ssh Km command;0ine o*tion
sshOcon(i! M,s 'e14ord
sshdOcon(i! M,s 'e14ord

4=
Mi(ration a"tion$ Minim+m ,al+e "#an(e
for Ree)Gimit
2#at "#an(ed
5re/ious01, the minimum /a0ue 4as $. No4 the minimum

/a0ue is "6.
I( 1ou use a Re'e1Dimit /a0ue that is 0ess than "6.
Mi(ration a"tion
,han!e the /a0ue so that the Re'e1Dimit /a0ue is !reater

than or e:ua0 to "6.
sshOcon(i! Re'e1Dimit 'e14ord

50
Mi(ration a"tion$ Pro>)Command s#ell
2#at "#an(ed
Instead o( runnin! 5ro71,ommand 4ith the 9bin9sh she00, the

user8s she00 as set in the S2-DD en/ironment /ariab0e is
used.
I( 1ou use a she00 other than 9bin9sh (e.!. 9bin9tcsh).
Mi(ration a"tion
Ma'e sure that 5ro71,ommand con(orms to 1our she008s

s1nta7.
sshOcon(i! 5ro71,ommand 'e14ord

51
Mi(ration a"tion$ ss#De)(en Dr
2#at "#an(ed
5re/ious01, i( the (i0e name 4as not s*eci(ied, a *rom*t (or the
(i0e name 4as issued. No4 the de(au0t (i0e names (or RS
and =S 'e1s are used instead.
I( 1ou did not s*eci(1 a (i0e name.
Mi(ration a"tion
S*eci(1 the (i0e name on the ssh;'e1!en command.
ssh;'e1!en Kr command;0ine o*tion

52
Mi(ration a"tion$ ss#De)(en Df
2#at "#an(ed
Instead o( truncatin! a 0on! (i0e name at "$#B characters, a

messa!e is issued.
Mi(ration a"tion
None.
ssh;'e1!en K( command;0ine o*tion

5.
Mi(ration a"tion$ ss#De)(en %it#o+t t#e
Fd or Ft options
2#at "#an(ed
5re/ious01, i( ssh;'e1!en 4as issued 4ithout the Kd or Kt

o*tions, a messa!e 4as issued. No4 RS is used as the
de(au0t 'e1 t1*e.
Mi(ration a"tion
None. 5re/ious01 success(u0 ssh;'e1!en commands 4i00

continue to be success(u0.
ssh;'e1!en
51
Coe>isten"e "onsiderations
Coe>isten"e "onsiderations
In a s1s*0e7 en/ironment, some s1stems mi!ht share the

same con(i!uration. The1 mi!ht a0so share the
sshO'no4nOhosts or authori>edO'e1s (i0es. 2o4e/er, those
s1stems mi!ht ha/e di((erent /ersions o( ssh or sshd. In that
situation, the *re/ious /ersion o( the command mi!ht e7it
4ith an error messa!e because it does not su**ort the ne4
(eatures.
3hen a ne4er /ersion o( the SS2 c0ient is tr1in! to connect

to a *re/ious /ersion o( the sshd daemon, connection mi!ht
not be estab0ished due to incom*atibi0it1 o( the ne4
con(i!uration o*tions.
54
Coe>isten"e "onsiderations :Contin+ed<
Options to a,oid s#arin( t#e files affe"ted
sshOcon(i!A ssh K? command;0ine o*tion
sshdOcon(i!A sshd K( command;0ine o*tions
sshO'no4nOhostsA sshOcon(i! +0oba0Ino4n2osts?i0e or

%serIno4n2osts?i0e 'e14ords
authori>edO'e1sA sshdOcon(i! uthori>edIe1s?i0e 'e14ord

55
*(enda
)/er/ie4
Ser/ice notes
// Tro+'les#ootin( information 00
**endi7
58
Tro+'les#ootin( information$ @p(rade
@eri(1 u*!rade insta00ed

> ssh V
OpenSSH_5.0p1, OpenSSL 0.9.8k 25 Mar 2009
Tracin! added (or >9)S additions and chan!es

(e.!. debug1: sshS!"Se#$%nnS!"S#a#us: SM&
s#a#us 's 0)
See the GTroub0eshootin!H and G)*enSS2 /u0nerabi0itiesH

cha*ters in the userLs !uide (or !enera0 )*enSS2 (or >9)S
ser/ice in(ormation.
59
Common 6restri"ted en,ironment s+pport for SSH

"lients7 pro'lems
Insecure com*onents o( the sshdOcon(i! ,hroot=irector1

Must be o4ned b1 %I= $
Must not ha/e 4rite *ermission (or !rou* or others
Missin! (i0es or directories to su**ort the c0ientLs session (e.!.

9bin9sh)
,on(usion as to 4hen the chroot occurs (re(er to the GDo!in

*rocessH section under the sshd command descri*tion in the
userLs !uide (or more in(ormation)
5=
Common 6restri"ted en,ironment s+pport for SSH

"lients7 pro'lems :Contin+ed<
ssh and sc* c0ients 4i00 han! i( ser/er (orces s(t* (e.!.
?orce,ommand interna0;s(t*) ; this is 4or'in!;as;desi!ned
See the GDimitin! (i0e s1stem name s*ace (or s(t* usersH
section in the userLs !uide (or more in(ormation on settin! u* a
restricted en/ironment (or SS2 c0ients.
80
Tro+'les#ootin( information$ SMB
In"omplete set+p often "a+se of 6pro'lems7 :refer to

t#e 6Settin( +p OpenSSH to "olle"t SMB re"ords7
se"tion in t#e +serIs (+ide<
%*date the SM?5RM77 *arm0ib member
-nab0e )*enSS2 (or >9)S SM? recordin! (i.e. ,0ientSM?

and Ser/erSM? 'e14ords)
>9)S "."$ and >9)S "."" on01A @eri(1 the 5T?s (or 5Rs
5I86B#9 and )#94$" are a**0ied
Subt1*e 98 records are (or user authentication (ai0ures

(e.!. bad *ass4ord, 'e1 *rob0ems, etc.) and not (or
!enera0 *rob0ems connectin! to the sshd daemon.
81
Tro+'les#ootin( information$ Ce) Rin(s
Incorrect authorit1 or o4nershi* setu* (or 'e1 rin!s or

certi(icates o(ten cause o( G*rob0emsH
,erti(icate Gnot (oundH errors cou0d a0so be the resu0t o( an

authorit1 (ai0ure
ssh;'e1!en Ke, K0, and KB command;0ine o*tions can be

use(u0 ser/ice too0s (or debu!!in! *ub0ic 'e1s *rob0ems
ssh;a!ent and ssh;add can be use(u0 ser/ice too0s (or

debu!!in! *ri/ate 'e1 *rob0ems
82
*(enda
)/er/ie4
Ser/ice notes
// *ppendi> 00
8.
2#atIs ne% or "#an(ed$ @p(rade
Conne"tion s#arin( s+pport
Ne4 ssh KM, ;) and KS command;0ine o*tions
Ne4 sshOcon(i! ,ontro0Master and ,ontro05ath 'e14ords
Restri"ted en,ironment s+pport for SSH "lients
Ne4 sshdOcon(i! ,hroot=irector1, ?orce,ommand and

Match 'e14ords
Ne4 Ginterna0;s(t*H su**ort (see sshdOcon(i! ?orce,ommand

and Subs1stem 'e14ords)
81
Has#ed #ostname and address s+pport
Ne4 ssh;'e1scan K2 command;0ine o*tion
Ne4 ssh;'e1!en K?, ;2 and KR command;0ine o*tions
Ne4 sshO'no4nOhosts (i0e (ormat su**ort (or hashed

hostnames and addresses
Ne4 sshOcon(i! 2ashIno4n2osts 'e14ord

84
Se"+rit) en#an"ements
Ne4 arc(our"#8 and arc(our#C6 ci*hers su**orted on the ssh

Kc command;0ine o*tion, sshOcon(i! ,i*hers 'e14ord and
sshdOcon(i! ,i*hers 'e14ord
Ne4 umac64@o*enssh.com M, su**orted on the ssh Km

command;0ine o*tion, sshOcon(i! M,s 'e14ord and
sshdOcon(i! M,s 'e14ord
Ne4 de(au0t 0ist (or the ci*hers and M,s
Ne4 Gde0a1edH /a0ue (a0so the ne4 de(au0t) (or the

sshdOcon(i! ,om*ression 'e14ord
,om*ression can no4 be enab0ed 4ith *ri/i0e!e se*aration

85
2#atIs ne% or "#an(ed$ SMB
Client transfer "ompletion re"ord
sc* and s(t* 4rite c0ient trans(er com*0etion records
-nab0ed /ia the ne4 ,0ientSM? 'e14ord in the ne4

>osOsshOcon(i! con(i!uration (i0e
Ser,er transfer "ompletion re"ord
s(t*;ser/er, sc* and sshd (/ia Ginterna0;s(t*H) 4rite ser/er

trans(er com*0etion records
-nab0ed /ia the ne4 Ser/erSM? 'e14ord in the ne4

>osOsshdOcon(i! con(i!uration (i0e
88
2#atIs ne% or "#an(ed$ SMB
Go(in fail+re re"ord
sshd 4rites 0o!in (ai0ure records
-nab0ed /ia the ne4 Ser/erSM? 'e14ord in the ne4

>osOsshdOcon(i! con(i!uration (i0e
Pro(rammin( s+pport
Ne4 ?)TSM?EE member o( STS".M,DIB that contains

assemb0er ma**in! macros (or )*enSS2 SM? T1*e ""9
records
Ne4 9sam*0es9sshOsm(.h (i0e that contains , ma**in! macros

(or )*enSS2 SM? T1*e ""9 records
89
2#atIs ne% or "#an(ed$ Ce) Rin(s
@ser a+t#enti"ation %it# S*B e) rin(s
ssh enab0ed /ia the ne4 Identit1Ie1Rin!Dabe0 'e14ord in the

ne4 >osOuserOsshOcon(i! con(i!uration (i0e
ssh;add enab0ed /ia the ne4 OS)SOSS2OI-TORIN+ and

OS)SOSS2OI-TORIN+ODB-D en/ironment /ariab0es
ssh;'e1!en enab0ed /ia the ne4

OS)SOSS2OI-TORIN+ODB-D en/ironment /ariab0e
sshd enab0ed /ia the ne4 >os;'e1;rin!;0abe0 o*tion (or

authori>edO'e1s (i0e (ormat
8=
2#atIs ne% or "#an(ed$ Ce) Rin(s
Ser,er a+t#enti"ation %it# S*B e) rin(s
ssh enab0ed /ia the ne4 >os;'e1;rin!;0abe0 o*tion (or

sshO'no4nOhosts (i0e (ormat
sshd enab0ed /ia the ne4 2ostIe1Rin!Dabe0 'e14ord in the

ne4 >osOsshdOcon(i! con(i!uration (i0e
90
2#atIs ne% or "#an(ed$ Mis"ellaneo+s
Impro,ed ss#DrandD#elper s+pport
Ne4 OS)SOSS2O5RN+O,M=SOTIM-)%T en/ironment

/ariab0e
Impro,ed messa(e s+pport
Ne4 OS)SO)5-NSS2OMS+,T en/ironment /ariab0e
00 error;re0ated messa!es are no4 documented in the userLs

!uide
91
2#atIs ne% or "#an(ed$ !etails
ss#
Ne4 KM, K) and KS command;0ine o*tions
Ne4 bind address (or the K=, KD and KR command;0ine

o*tions
Ne4 Garc(our"#8H and Garc(our#C6H ci*hers (or the Kc

command;0ine o*tion
Ne4 Gumac64@o*enssh.comH M, (or the Km command;

0ine o*tion
Ne4 KIR, Kh and Vcommand esca*e command;0ine o*tions
=e(au0t /a0ue chan!ed (or the Kc and Km command;0ine

o*tions
92
ss# :"ontin+ed<
Su**orts the ne4 OS)SO%S-ROSS2O,)N?I+ en/ironment

/ariab0e
Su**orts the ne4 >osOsshOcon(i! and >osOuserOsshOcon(i!

con(i!uration (i0es
9.
ss#H"onfi(
Ne4 bind address (or the =1namic?or4ard, Doca0?or4ard and

Remote?or4ard 'e14ords
Ne4 ,ontro0Master, ,ontro05ath, -7it)n?or4ard?ai0ure,

2ashIno4n2osts, Doca0,ommand, 5ermitDoca0,ommand,
Re'e1Dimit and Send-n/ 'e14ords
Ne4 Garc(our"#8H and Garc(our#C6H ci*hers (or the ,i*hers

'e14ord
Ne4 Gumac64@o*enssh.comH M, (or the M,s 'e14ord
=e(au0t /a0ue chan!ed (or the ,i*hers and M,s 'e14ords

91
ss#d
Ne4 no;user;rc and >os;'e1;rin!;0abe0 o*tions (or the

authori>edO'e1s (i0e (ormat
Ne4 >os;'e1;rin!;0abe0 o*tion (or the sshO'no4nOhosts (i0e

(ormat
Ne4 WhostXA*ort (ormattin! and hashed hostname and

address su**ort (or the sshO'no4nOhosts (i0e (ormat
Su**orts the ne4 OS)SOSS2=O,)N?I+ en/ironment

/ariab0e
Su**orts the ne4 >osOsshdOcon(i! con(i!uration (i0e
Su**orts 4ritin! SM? 0o!in (ai0ure and ser/er trans(er

com*0etion records
94
ss#dH"onfi(
Ne4 cce*t-n/, ddress?ami01, ,hroot=irector1,

?orce,ommand, 2ostbased%sesName?rom5ac'et)n01,
Match, Ma7uthTries and 5ermit)*en 'e14ords
Ne4 Gde0a1edH /a0ue (or the ,om*ression 'e14ord
Ne4 Gc0ients*eci(iedH /a0ue (or the +ate4a15ort 'e14ord
Ne4 Garc(our"#8H and Garc(our#C6H ci*hers (or the ,i*hers

'e14ord
Ne4 Gumac64@o*enssh.comH M, (or the M,s 'e14ord
Ne4 Ginterna0;s(t*H /a0ue (or the Subs1stem 'e14ord
=e(au0t /a0ue chan!ed (or the 00o4Tc*?or4ardin!, ,i*hers,

,om*ression and M,s 'e14ords
95
s"p
Su**orts 4ritin! SM? c0ient and ser/er trans(er com*0etion

records
sftp
Ne4 o*tions added (or the 0s command (Ka K( Kn Kr KS Kt)
Su**orts 4ritin! SM? c0ient trans(er com*0etion records
sftpDser,er
Ne4 K(, K0, Ke and Kh command;0ine o*tions
Su**orts 4ritin! SM? ser/er trans(er com*0etion records

98
ss#De)s"an
Ne4 K2 command;0ine o*tion
ss#De)(en
Ne4 K?, ;2 and KR command;0ine o*tions
Su**orts the ne4 OS)SOSS2OI-TORIN+ODB-D

en/ironment /ariab0e
99
ss#Dadd
Su**orts the ne4 OS)SOSS2OI-TORIN+ and

OS)SOSS2OI-TORIN+ODB-D en/ironment /ariab0es
ss#DrandD#elper
Su**orts the ne4 OS)SOSS2O5RN+O,M=SOTIM-)%T

en/ironment /ariab0e
9=
:-;2< zosHss#H"onfi(
Ne4 >9)S;s*eci(ic s1stem;4ide )*enSS2 c0ient

con(i!uration (i0e used b1 ssh
5ro/ides ,0ientSM? 'e14ord (or SM? su**ort
?i0e 0ocationA 9etc9ssh9>osOsshOcon(i!
Sam*0e *ro/idedA 9sam*0es9>osOsshOcon(i!

=0
:-;2< zosH+serHss#H"onfi(
Ne4 >9)S;s*eci(ic *er;user )*enSS2 c0ient con(i!uration (i0e

used b1 ssh
5ro/ides Identit1Ie1Rin!Dabe0 'e14ord (or S? 'e1 rin!

su**ort
=e(au0t ?i0e DocationA R9.ssh9>osOuserOsshOcon(i!
)/erride de(au0t (i0e 0ocation /ia the ne4

OS)SO%S-ROSS2O,)N?I+ en/ironment /ariab0e
Sam*0e *ro/idedA 9sam*0es9>osOuserOsshOcon(i!

=1
:-;2< zosHss#dH"onfi(
Ne4 >9)S;s*eci(ic )*enSS2 daemon con(i!uration (i0e used

b1 sshd
5ro/ides Ser/erSM? 'e14ord (or SM? su**ort
5ro/ides 2ostIe1Rin!Dabe0 'e14ord (or S? 'e1 rin!

su**ort
=e(au0t ?i0e DocationA 9etc9ssh9>osOsshdOcon(i!
)/erride de(au0t (i0e 0ocation /ia the ne4

OS)SOSS2=O,)N?I+ en/ironment /ariab0e
Sam*0e *ro/idedA 9sam*0es9>osOsshdOcon(i!

=2
C#an(ed samples
9sam*0es9sshOcon(i!
9sam*0es9sshdOcon(i!
9sam*0es9modu0i
-e% samples
9sam*0es9>osOsshOcon(i!
9sam*0es9>osOuserOsshOcon(i!
9sam*0es9>osOsshdOcon(i!
9sam*0es9sshOsm(.h
?)TSM?EE in STS".M,DIB
=.
-e% en,ironment ,aria'les
OS)SO)5-NSS2OMS+,T (Su**orted b1 a00 )*enSS2

commands)
OS)SOSS2O5RN+O,M=SOTIM-)%T (ssh;rand;he0*er)
OS)SOSS2=O,)N?I+ (sshd)
OS)SOSS2OI-TORIN+ (ssh;add)
OS)SOSS2OI-TORIN+ODB-D (ssh;add and ssh;'e1!en)
OS)SO%S-ROSS2O,)N?I+ (ssh)
OS)SOSM?O?= (interna0 use on01)
OS)SO)5-NSS2O=-B%+ (interna0 use on01)

=1
See the G3hatLs ne4 or chan!ed in @ersion " Re0ease # o(

IBM 5orted Too0s (or >9)SA )*enSS2H cha*ter in the userLs
!uide (or more in(ormation.
=4
*ppendi>
2e'site Referen"es
IBM 5orted Too0s (or >9)SA

htt*A99444.ibm.com9s1stems9>9os9>os9(eatures9uni79*orted9
IBM 5orted Too0s (or >9)SA )*enSS2A

htt*A99444.ibm.com9s1stems9>9os9>os9(eatures9uni79*orted9o*enssh9
)*enSS2A htt*A99444.o*enssh.or!9
)*enSSDA htt*A99444.o*enss0.or!9
>0ibA htt*A99444.>0ib.net9
=5
*ppendi>
2e'site Referen"es :Contin+ed<
I-T?A htt*A99444.iet(.or!9
%S;,-RT @u0nerabi0it1 Notes =atabaseA

htt*A99444.'b.cert.or!9/u0s
Nationa0 @u0nerabi0it1 =atabaseA htt*A99n/d.nist.!o/9n/d.c(m
Sho*>SeriesA
htt*sA99444"4.so(t4are.ibm.com94eba**9Sho*>Series9Sho*>Series.6s*
Too0s and To1sA

htt*A99444.ibm.com9s1stems9>9os9>os9(eatures9uni79too0s9
=8
*ppendi>
See t#e ne% 6IBM Ported Tools for z/OS$ OpenSSH

@serIs L+ide7 for more details on OpenSSH for z/OS
V1R2&
()rder NumberA S#B;##46;$$)
R*CB Referen"e L+ides
>9)S Securit1 Ser/er R,? Securit1 dministratorLs +uide

()rder NumberA S##;E68B;"#)
>9)S Securit1 Ser/er R,? ,a00ab0e Ser/ices

()rder NumberA S##;E69";"#)
>9)S Securit1 Ser/er R,? ,ommand Dan!ua!e Re(erence

()rder NumberA S##;E68E;"#)
=9
*ppendi>
Ot#er Referen"e L+ides
5ro!ram =irector1 (or IBM 5orted Too0s (or >9)S

()rder NumberA +I"$;$E69;$C)
>9)S M@S S1stem Mana!ement ?aci0ities (SM?)

()rder NumberA S##;E6B$;"9)
>9)S M@S Initia0i>ation and Tunin! Re(erence

()rder NumberA S##;EC9#;"8)
>9)S ,ommunications Ser/erA I5 ,on(i!uration Re(erence

()rder NumberA S,B";8EE6;"C)

OpenSSH Presentation SHARE 082011

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

OpenSSH Presentation SHARE 082011

Uploaded by

Copyright:

Available Formats

IBM Ported Tools for z/OS

Suite o( net4or' connecti/it1 too0s that *ro/ide secure

2#at se"+rit) does OpenSSH pro,ide3

=ata *ri/ac1 throu!h encr1*tion

=ata inte!rit1 to !uarantee una0tered communications

uthentication o( users and ser/ers

uthori>ation o( user actions

?or4ardin! to *rotect other T,59I5;based a**0ications

6Tools and To)s7 OpenSSH for z/OS

Non;*riced too0 (ne/er an o((icia0 *roduct)

Ne/er o((icia001 su**orted

IBM Ported Tools for z/OS$ OpenSSH V1R1

+ @ersion (Ma1 #$$4)A )*enSS2 B.C*", )*enSSD $.9.Eb,

5R )"$B"C @ersion (*ri0 #$$C)A )*enSS2 B.8."*",

Non;*riced *ro!ram *roduct (not *art o( >9)S)

Su**orted on >9)S ".4 and 0ater

No 0on!er orderab0e but sti00 su**orted

:-;2< IBM Ported Tools for z/OS$ OpenSSH V1R2

+ @ersion (Fu01 #$"$)A )*enSS2 C.$*", )*enSSD $.9.8',

Non;*riced *ro!ram *roduct (not *art o( >9)S)

Su**orted on >9)S "."$ and 0ater

)rder (rom Sho*>Series

a.'.a. G)*enSS2 (or >9)SH throu!hout this *resentation

Ne4 re0ease (@"R# ; ?MI= 2)S""#$) insta00s o/er the

,annot order the *re/ious re0ease no4 that the ne4

Ne4 re0ease su**orted on >9)S "."$ and 0ater

>9)S "."$ and >9)S "."" re:uirementA 5T?s (or 5Rs

Important e>tended attri'+tes settin(s set d+rin(

N-3A ssh and ssh;'e1si!n must ha/e the noshareas

sshd must ha/e the noshareas e7tended attribute set (i.e.

sshd must ha/e the *ro!ram contro0 e7tended attribute set

See the G3hat 1ou need to /eri(1 be(ore usin! )*enSS2H

&/(b s*0it (se*arate boo' and ?MI= 2@?B""") (rom

%*!rade /ersions o( )*enSS2, )*enSSD and >0ib

5ro/ide SM? su**ort

5ro/ide S? 'e1 rin! su**ort

)*enSS2 (or >9)S needs to u*!rade the o*en source

%*!raded to )*enSS2 C.$*"

%*!raded to )*enSSD $.9.8'

%*!raded to >0ib ".#.B

Recom*i0ed 4ith &5DINI to im*ro/e o/era00 *er(ormance

?unctiona0A ,om*ression 4ith *ri/i0e!e se*aration su**ort

?unctiona0 and 5er(ormanceA ,onnection sharin! su**ort

Securit1A =e0a1ed com*ression o*tion

Securit1A Restricted en/ironment su**ort (or SS2 c0ients

Securit1A 2ashed hostname and address su**ort

Securit1A Su**ort (or arc(our"#8 and arc(our#C6 ci*hers

Securit1A Su**ort (or umac64@o*enssh.com M,

+enera0A ,urrenc1 4ith o*en source enhancements and (i7es

)*enSS2 (or >9)S needs to audit (i0e trans(ers and 0o!in

SM? records !enerated (or both c0ient N ser/er (i0e trans(ers

SM? records !enerated (or 0o!in (ai0ures

Ne4 SM? ser/er trans(er com*0etion record

Ne4 SM? c0ient trans(er com*0etion record

Ne4 SM? 0o!in (ai0ure record (T1*e ""9 ; Subt1*e 98)

SM? records audit sc*, s(t*, s(t*;ser/er and sshd acti/it1

Ne4 SM? records are customi>ed (or )*enSS2 (or >9)S

Su**ort (or SM? record e7it I-?%8B or I-?%84

)*enSS2 (or >9)S needs to su**ort !ettin! )*enSS2 'e1s

)*enSS2 (or >9)S 'e1s can be stored in a di!ita0 certi(icate

Ne4 (eatures a/ai0ab0e (or ssh, sc*, s(t*, ssh;add, ssh;

S? (e.!. R,?) contro0 o( )*enSS2 (or >9)S 'e1s (or SS2

Su**orts ser/er authentication 4hen 'e1s are stored in 'e1

Su**orts user authentication 4hen 'e1s are stored in 'e1

=ata ri/ac1 throu!h encr1tion

Non;riced too0 (ne/er an o((icia0 roduct)

+ @ersion (Ma1 #$$4)A )enSS2 B.C", )*enSSD $.9.Eb,

5R )"$B"C @ersion (ri0 #$$C)A )enSS2 B.8."*",

Non;riced ro!ram roduct (not art o( >9)S)

+ @ersion (Fu01 #$"$)A )enSS2 C.$", )*enSSD $.9.8',

Non;riced ro!ram roduct (not art o( >9)S)

a.'.a. G)enSS2 (or >9)SH throu!hout this resentation

&/(b s0it (searate boo' and ?MI= 2@?B""") (rom

%!rade /ersions o( )enSS2, )*enSSD and >0ib

)enSS2 (or >9)S needs to u!rade the o*en source

%!raded to )enSS2 C.$*"

%!raded to )enSSD $.9.8'

Recomi0ed 4ith &5DINI to imro/e o/era00 *er(ormance

?unctiona0A ,omression 4ith ri/i0e!e se*aration su**ort

Securit1A =e0a1ed comression otion

Ne4 SM? 0o!in (ai0ure record (T1e ""9 ; Subt1e 98)

SM? records audit sc, s(t, s(t*;ser/er and sshd acti/it1

Ne4 (eatures a/ai0ab0e (or ssh, sc, s(t, ssh;add, ssh;

)enSS2 (or >9)S needs to ro/ide a con(i!urab0e timeout

Imro/ed ssh;rand;he0er su**ort on hea/i01 0oaded s1stems

)enSS2 (or >9)S needs to imro/e messa!e su**ort.

)enSS2 (or >9)S needs to imro/e su**ort (or users that

Imro/es ssh, ssh;add, ssh;'e1!en, ssh;rand;he0er and sshd

V1R2$ !OC PRs O.191=E O.1.89 and O*..=11

V1R2$ P;R PR O*.1210

?i7es SM? T1e ""9 subt1e 9E record *rob0em 4hen usin!

V1R2$ @R1 PR O*.5248

V1R1 and V1R2$ Goop %#en +sin( SSHHSCPSS in

)enSS2 chan!ed ho4 it mana!es user hea stora!e (or

Re(er to the G)enSS2 hea mana!ementH section in the

I( 1ou use secia0 characters on s(t subcommands.

-scae secia0 characters 4ith the bac's0ash character.