Using hardware support to generate random numbers
OpenSSH uses hardware support (/dev/random or /dev/urandom) to generate random numbers. /dev/random is now required and ssh-rand-helper is not used or provided. If the SAF FACILITY resource CSF.CSFSERV.AUTH.CSFRNG.DISABLE is defined, no SAF authorization checks will be performed. Disabling the SAF check may improve performance.
For OpenSSH to use the hardware support (/dev/random or /dev/urandom) to collect random numbers, the Integrated Cryptographic Service Facility (ICSF) started task must be running and the user ID must have READ access to the CSFRNG (random number generate service) profile in the RACF® CSFSERV class. If the user ID does not have READ access to the CSFRNG profile, a RACF message is issued on the MVS console.
For example, a message for user WELLIE1 would look like the following output:
ICH408I USER(WELLIE1 ) GROUP(SYS1 ) NAME(WELLIE1)
CSFRNG CL(CSFSERV )
INSUFFICIENT ACCESS AUTHORITY
FROM CSFRNG (G)
ACCESS INTENT(READ) ACCESS ALLOWED(NONE)
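The following Python sketch is an added example, not part of the original IBM text. It scans a captured console log for ICH408I messages, picks out the user IDs that were denied access to CSFRNG in the CSFSERV class, and prints the RACF commands an administrator would review to grant READ. The log text is constructed from the sample above plus one made-up message for a different resource; the function names are hypothetical, and the parser assumes each message's fields appear before any unrelated console line that follows it.

```python
import re

# Constructed sample: the page's message, an unrelated line, and a made-up
# ICH408I for a different resource (PAYROLL.DATA / TESTER2 are invented).
SAMPLE_LOG = """\
CONSTRUCTED UNRELATED CONSOLE LINE
ICH408I USER(WELLIE1 ) GROUP(SYS1 ) NAME(WELLIE1)
CSFRNG CL(CSFSERV )
INSUFFICIENT ACCESS AUTHORITY
FROM CSFRNG (G)
ACCESS INTENT(READ) ACCESS ALLOWED(NONE)
ICH408I USER(TESTER2 ) GROUP(SYS1 ) NAME(TESTER2)
PAYROLL.DATA CL(DATASET )
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(UPDATE) ACCESS ALLOWED(READ)
"""

# KEYWORD(value ) fields; RACF pads values with blanks inside the parentheses.
FIELDS = {
    "user": re.compile(r"USER\(\s*([^\s)]+)\s*\)"),
    "group": re.compile(r"GROUP\(\s*([^\s)]+)\s*\)"),
    "intent": re.compile(r"ACCESS INTENT\(\s*([^\s)]+)\s*\)"),
    "allowed": re.compile(r"ACCESS ALLOWED\(\s*([^\s)]+)\s*\)"),
}
# Second line of the message: "<resource> CL(<class> )".
RESOURCE = re.compile(r"^[ \t]*(\S+)[ \t]+CL\(\s*([^\s)]+)\s*\)", re.M)

def parse_ich408i(log_text):
    """Return one dict per ICH408I message found in log_text."""
    events = []
    for chunk in log_text.split("ICH408I")[1:]:
        ev = {k: (m.group(1) if (m := rx.search(chunk)) else None)
              for k, rx in FIELDS.items()}
        m = RESOURCE.search(chunk)
        ev["resource"], ev["class"] = m.groups() if m else (None, None)
        events.append(ev)
    return events

def csfrng_denials(events):
    """User IDs denied access to the CSFRNG profile in class CSFSERV."""
    return sorted({e["user"] for e in events
                   if e["resource"] == "CSFRNG" and e["class"] == "CSFSERV"})

def racf_fix(user):
    """RACF commands to review; the REFRESH applies when CSFSERV is RACLISTed."""
    return [f"PERMIT CSFRNG CLASS(CSFSERV) ID({user}) ACCESS(READ)",
            "SETROPTS RACLIST(CSFSERV) REFRESH"]

if __name__ == "__main__":
    for uid in csfrng_denials(parse_ich408i(SAMPLE_LOG)):
        print(uid, *racf_fix(uid), sep="\n  ")
```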
For more information about ICSF, see z/OS Cryptographic Services ICSF Overview.