What z/OS OpenSSH supports
sftp can treat files as binary or text. By default, sftp assumes that files are binary. Files transferred between EBCDIC and ASCII platforms are not converted. For file transfers between z/OS and ASCII UNIX platforms, you might need to convert your files (treat them as text). The sftp ascii subcommand can be used to transfer files in ASCII between the local host and a remote UNIX host. This subcommand assumes that the file data on the network should be encoded in ISO/IEC 8859-1. The sftp binary subcommand can be used to disable this conversion and return to performing binary file transfers.
scp treats files as text. By default, scp performs ASCII/EBCDIC conversion on files. For more information about how scp performs conversion, see Globalization on z/OS systems.
ssh, sftp and scp are restricted from using passwords when running in a 3270 environment. The OpenSSH client (ssh) cannot be run from OMVS (which is a 3270 session). ssh has been disabled under OMVS because passwords are visible while they are being typed by the user in some situations. sftp and scp invoke ssh as part of their processing, so they have the same restriction.
- The daemon configuration (sshd_config) file has both the AllowTcpForwarding keyword and the Compression keyword set to "no".
- The default ssh_config file has been changed to specify default Ciphers and MACs values that prefer ICSF hardware-accelerated algorithms, AES over 3DES, and SHA over MD5.
- The daemon configuration (sshd_config) file has the Protocol keyword set to 2 as the default setting, which specifies that only protocol version 2 connections are allowed.
- The client configuration (ssh_config) file has the Protocol keyword set to 2, which specifies that only protocol version 2 connections are allowed.
- The default locations of z/OS executables might differ from those on other platforms, so the Subsystem specification of sftp might contain a different path on z/OS. On z/OS it is set to:
  Subsystem sftp /usr/lib/ssh/sftp-server
- System Authorization Facility (SAF) key ring. OpenSSH can be configured to allow OpenSSH keys to be stored in SAF key rings. See Choosing between UNIX files and key rings for more information.
- Multilevel security. It is a security policy that allows the classification of data and users based on a system of hierarchical security levels combined with a system of non-hierarchical security categories. See Running the sshd daemon in a multilevel-secure environment.
- System Management Facility (SMF). OpenSSH can be configured to collect SMF Type 119 records for both the client and the server. See Setting up OpenSSH to collect SMF records for more information.
- ICSF ciphers and MAC algorithms. OpenSSH can be set up to use Integrated Cryptographic Service Facility (ICSF) to implement certain ciphers and MAC (message authentication code) algorithms. This extension enables OpenSSH to use hardware support when applicable. See Setting up OpenSSH to use ICSF cryptographic operations for more information.
- FIPS 140-2 mode. OpenSSH can be set up to direct all cryptographic operations to ICSF and System SSL interfaces running in FIPS mode. This extension enables OpenSSH to meet FIPS 140-2 specifications. See Setting up OpenSSH to run in FIPS mode for more information.
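The sshd_config values listed above (AllowTcpForwarding no, Compression no, Protocol 2, and the sftp Subsystem path) can be checked against a configuration file that has been edited locally. The following Python is an added example, not IBM's or the OpenSSH project's code; it assumes the standard sshd_config rules that keywords are case-insensitive and the first value found for a keyword is used, and the function names and sample file are constructed for illustration.

```python
import re
import shlex

# Values this page states for the z/OS sshd_config file.
EXPECTED = {
    "allowtcpforwarding": "no",
    "compression": "no",
    "protocol": "2",
    "subsystem sftp": "/usr/lib/ssh/sftp-server",
}

# Keyword, then whitespace or a single '=', then the arguments.
LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.*)")

def global_settings(text):
    """Global sshd_config settings; the first value per keyword wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = None if line.startswith("#") else LINE.match(line)
        if not m:
            continue  # blank line, comment, or keyword without arguments
        keyword, args = m.group(1).lower(), shlex.split(m.group(2))
        if keyword == "match":
            break  # everything after Match is conditional, not global
        if keyword == "subsystem" and args:
            keyword, args = f"subsystem {args[0]}", args[1:]
        seen.setdefault(keyword, " ".join(args))
    return seen

def audit(text):
    """Return (setting, expected, found) for each deviation; found is None if unset."""
    found = global_settings(text)
    return [(k, v, found.get(k)) for k, v in EXPECTED.items() if found.get(k) != v]

# Constructed sample file, not a shipped configuration.
SAMPLE = """\
Protocol 2
allowtcpforwarding yes
AllowTcpForwarding no
Compression=no
Subsystem sftp /usr/libexec/sftp-server
Match User batch
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    for setting, expected, found in audit(SAMPLE):
        print(f"{setting}: expected {expected!r}, found {found!r}")
```

In the sample, the earlier lowercase allowtcpforwarding line is the one that takes effect, so the later "no" and the one inside the Match block do not restore the documented setting.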