File format
The zos_ssh_config configuration file treats empty lines and lines starting with # as comments.
Configuration options can be specified using two different formats:
- The first format is the keyword and argument separated by white space.
- The second format is the keyword and argument separated by exactly one "=" and optional white space.
Arguments can optionally be enclosed in double quotes (") in order to represent arguments containing spaces. For example:
keyword argument
keyword=argument
Keywords are not case sensitive, while arguments are case sensitive.
Following are the possible keywords:
- ChannelConvert
- Specifies one or more ssh channel types that will automatically be converted between ASCII and EBCDIC using the default code pages for the current locale. The argument must be a comma-separated list selected from the following channel types:
- shell
- Interactive session
- exec
- Remote program execution
- subsystem
- Remote subsystem program execution
- direct-tcpip
- TCP/IP forwarding
- forwarded-tcpip
- TCP/IP reverse forwarding
- stdio-forward
- ssh -W option (applies to client only)
The default is shell,exec, which is identical to the behavior of channel conversion in previous releases.
Note: shell conversion is enabled whether it is specified or not.
- This option only controls stdin/stdout conversion. stderr output (used with shell and exec channels) is always converted.
- The sftp protocol requires a binary connection. Do not specify subsystem conversion when using the sftp command or subsystem.
- The scp command requires a text (translated) connection. You must specify exec (which is enabled by default) when using the scp client or server.
- This option should not be used globally in zos_ssh_config, since changing conversion options for channel types (for example, subsystem or exec) could cause sftp, scp, and other exec connections to fail. The option may be used in Host blocks for selected connections.
Example 1: Executing a remote program without translating its output (only shell is listed, so exec conversion is switched off for this command):
> ssh -oChannelConvert=shell user@host cat remote.bin > local.bin
Example 2: Sending data to a remote socket program, tunneled through an ssh connection, translating the input and output:
> echo "hi" | ssh -W localhost:5000 -oChannelConvert=stdio-forward user@host
- CiphersSource
- Specifies the source used to implement the ciphers specified by the ssh_config keyword Ciphers. Valid arguments are "any", "CPACF", "OpenSSL" or "ICSF". The default is "CPACF". Specifying "OpenSSL" requests all ciphers to be implemented using the statically linked OpenSSL cryptographic library. Specifying "CPACF" requests that supported ciphers be implemented using z/Architecture CPACF instructions, or otherwise by OpenSSL. Specifying "ICSF" requests all applicable ciphers to be implemented using Integrated Cryptographic Service Facility (ICSF). Ciphers that are not supported by ICSF will fail if used. Specifying "any" requests all applicable ciphers to be implemented using CPACF if available. Ciphers that are not supported by CPACF are implemented using ICSF if available, or otherwise using OpenSSL. For more information about the ICSF-supported ciphers and the setup required to use ICSF, see Setting up OpenSSH to use ICSF cryptographic operations.
If FIPSMODE is set to yes and CiphersSource is set to any, the CiphersSource option will be set to ICSF automatically. If FIPSMODE is not set to yes (the default), then CiphersSource=CPACF (the default) will generally result in the lowest CPU usage by OpenSSH.
Ciphers supported by CPACF: aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, 3des-cbc.
- Specifies whether to collect client SMF records. The argument must be set to "TYPE119_U83", "TYPE119_U84" or "none". The default is "none". If set to "TYPE119_U83" or "TYPE119_U84", SMF Type 119 client connection started records (subtype 94) are collected for the ssh client, and SMF Type 119 client transfer completion records (subtype 97) are collected for the sftp and scp commands. SMF record exit IEFU83 receives control for "TYPE119_U83". SMF record exit IEFU84 receives control for "TYPE119_U84".
Restriction: Because this keyword can only be set in the z/OS-specific system-wide configuration file (/etc/ssh/zos_ssh_config), it cannot be specified using the -o option of scp, sftp or ssh. The IEFU83 and IEFU84 exits are documented in z/OS MVS Installation Exits.
- FIPSMODE
- Specifies whether or not OpenSSH is running in FIPS mode. Valid arguments are no or yes. The default value is no, which means OpenSSH is not running in any FIPS mode. Specifying yes means that OpenSSH is running in FIPS 140-2 mode. If this option is set to yes, it requires that CiphersSource, MACsSource and KexAlgorithmsSource are set to ICSF or any (a source of CPACF or OpenSSL is not permitted in FIPS mode).
Restriction: This option only applies to protocol version 2.
- Host
- Restricts the following declarations (up to the next Host keyword)
to be only for those hosts that match one of the patterns given after
the keyword. A single * as a pattern can be used to provide global
defaults for all hosts. The host is the hostname argument given on
the command line (the name is not converted to a canonical host name
before matching).
See Patterns in ssh_config for more information about patterns.
- KexAlgorithmsSource
- Specifies the source used to implement the Key Exchange algorithms specified by the ssh_config keyword KexAlgorithms. Valid arguments are any, OpenSSL or ICSF. The default is OpenSSL. Specifying OpenSSL requests all Key Exchange algorithms to be implemented using the statically linked OpenSSL cryptographic library. Specifying ICSF requests all applicable Key Exchange algorithms to be implemented using Integrated Cryptographic Service Facility (ICSF). Key Exchange algorithms that are not supported by ICSF will fail if used. Specifying any requests all applicable Key Exchange algorithms to be implemented using ICSF if available. Key Exchange algorithms not supported by ICSF are implemented using OpenSSL. If ICSF is not available, all Key Exchange algorithms are implemented using OpenSSL. For more information about the ICSF-supported Key Exchange algorithms and the setup required to use ICSF, see Setting up OpenSSH to use ICSF cryptographic operations.
If FIPSMODE is set to yes and KexAlgorithmsSource is set to any, the KexAlgorithmsSource option will be set to ICSF automatically.
Note: Specifying ICSF for Kex algorithms does not force source=ICSF for the MAC algorithms that are used as part of Key Exchange; MACsSource controls those separately.
- MACsSource
- Specifies the source used to implement the MAC algorithms specified by the ssh_config keyword MACs. Valid arguments are "any", "CPACF", "OpenSSL" or "ICSF". The default is "CPACF". Specifying "OpenSSL" requests all MAC algorithms to be implemented using the statically linked OpenSSL cryptographic library. Specifying "CPACF" requests that supported MAC algorithms be implemented using z/Architecture CPACF instructions, or otherwise by OpenSSL. Specifying "ICSF" requests all applicable MAC algorithms to be implemented using Integrated Cryptographic Service Facility (ICSF). MAC algorithms that are not supported by ICSF will fail if used. Specifying "any" requests all applicable MAC algorithms to be implemented using CPACF if available. MAC algorithms that are not supported by CPACF are implemented using ICSF if available, or otherwise using OpenSSL. For more information about the ICSF-supported MAC algorithms and the setup required to use ICSF, see Setting up OpenSSH to use ICSF cryptographic operations.
If FIPSMODE is set to yes and MACsSource is set to any, the MACsSource option will be set to ICSF automatically. If FIPSMODE is not set to yes (the default), then MACsSource=CPACF (the default) will generally result in the lowest CPU usage by OpenSSH.
MAC algorithms supported by CPACF: hmac-sha1, hmac-sha2-256, hmac-sha2-512, as well as the encrypt-then-mac variants of these: hmac-sha1-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com.
- zEDCCompression
- Specifies whether zEnterprise Data Compression hardware will be allowed for ssh packet compression. The argument must be set to yes or no. The default is no. When set to yes, the zEDC zlib inflate/deflate threshold is lowered so that the initial ssh packets will allow hardware-enabled compression for the connection. This option should not be enabled for interactive connections or others that primarily use small packets, as this could result in reduced performance compared to the default software-based compression. Performance benefits are more likely to be realized with sftp or scp file transfer connections. This option has no effect unless the OpenSSH Compression option is enabled. See ssh_config - OpenSSH client configuration files for more information on enabling ssh compression. For more information, see zlib for zEnterprise Data Compression in z/OS MVS Programming: Callable Services for High-Level Languages.
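The keyword parsing rules at the top of this page, the Host-block scoping, the ChannelConvert notes and the FIPSMODE interaction with the three *Source keywords can be exercised together in a small checker. The following Python is an added example written for this page; it is not IBM's code and not part of OpenSSH on z/OS. The function names (parse_line, parse_zos_ssh_config, effective_sources, check_channel_convert, check_config), the sample file and its host names are assumptions, and the first-value-wins rule within a block is borrowed from ssh_config rather than stated on this page. It reads a file in the format described above, resolves the effective cipher, MAC and key exchange sources under FIPSMODE=yes, and flags ChannelConvert settings that the notes above say will break sftp or scp or that are applied globally.

```python
"""zos_ssh_config parser and checker (added example, not IBM code)."""
import re

# keyword (lower-cased) -> (valid arguments, default); arguments are case sensitive
SOURCE_KEYWORDS = {
    "cipherssource": ({"any", "CPACF", "OpenSSL", "ICSF"}, "CPACF"),
    "macssource": ({"any", "CPACF", "OpenSSL", "ICSF"}, "CPACF"),
    "kexalgorithmssource": ({"any", "OpenSSL", "ICSF"}, "OpenSSL"),
}
CHANNEL_TYPES = {"shell", "exec", "subsystem", "direct-tcpip",
                 "forwarded-tcpip", "stdio-forward"}
# 'Keyword argument' or 'Keyword = argument' (exactly one '=')
_LINE = re.compile(r"^([A-Za-z0-9_]+)(?:\s*=\s*|\s+)(.+)$")


def parse_line(line):
    """Return (keyword, argument), or None for an empty line or '#' comment.
    Keywords are folded to lower case; arguments keep their case; a double-quoted
    argument has the quotes removed."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = _LINE.match(stripped)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    keyword, argument = m.group(1).lower(), m.group(2).strip()
    if len(argument) >= 2 and argument[0] == argument[-1] == '"':
        argument = argument[1:-1]
    return keyword, argument


def parse_zos_ssh_config(text):
    """Split the file into a leading global block plus one block per Host line."""
    blocks = [{"host": None, "options": {}}]
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        keyword, argument = parsed
        if keyword == "host":
            blocks.append({"host": argument.split(), "options": {}})
        else:
            # first value wins within a block (ssh_config rule, assumed here)
            blocks[-1]["options"].setdefault(keyword, argument)
    return blocks


def effective_sources(options):
    """Resolve the *Source keywords under FIPSMODE: with FIPSMODE=yes, 'any'
    becomes ICSF and CPACF/OpenSSL are rejected. Returns (effective, problems)."""
    problems, effective = [], {}
    fips = options.get("fipsmode", "no")
    if fips not in ("yes", "no"):
        problems.append(f"FIPSMODE must be yes or no, got {fips!r}")
    for kw, (valid, default) in SOURCE_KEYWORDS.items():
        value = options.get(kw, default)
        if value not in valid:  # case sensitive: 'icsf' is not 'ICSF'
            problems.append(f"{kw}: invalid argument {value!r}")
            continue
        if fips == "yes":
            if value == "any":
                value = "ICSF"
            elif value != "ICSF":
                problems.append(f"{kw}={value} is not allowed with FIPSMODE=yes")
        effective[kw] = value
    return effective, problems


def check_channel_convert(block):
    """Warnings for one block's ChannelConvert setting, per the notes on this page."""
    warnings = []
    value = block["options"].get("channelconvert")
    if value is None:
        return warnings
    if block["host"] is None or block["host"] == ["*"]:
        warnings.append("ChannelConvert set globally; restrict it to a Host block")
    requested = {t.strip() for t in value.split(",")}
    unknown = requested - CHANNEL_TYPES
    if unknown:
        warnings.append(f"unknown channel types: {sorted(unknown)}")
    enabled = (requested & CHANNEL_TYPES) | {"shell"}  # shell is always converted
    if "subsystem" in enabled:
        warnings.append("subsystem conversion will break sftp (binary connection)")
    if "exec" not in enabled:
        warnings.append("exec conversion off: binary exec output, but scp will fail")
    return warnings


def check_config(text):
    """Parse and check a whole file; sources are resolved from the global block."""
    blocks = parse_zos_ssh_config(text)
    sources, problems = effective_sources(blocks[0]["options"])
    warnings = {}
    for block in blocks:
        key = "global" if block["host"] is None else " ".join(block["host"])
        found = check_channel_convert(block)
        if found:
            warnings[key] = found
    return {"sources": sources, "problems": problems, "warnings": warnings}


# Constructed sample file; the host names are made up for illustration.
SAMPLE = """\
# system-wide settings
FIPSMODE = yes
CiphersSource any
MACsSource=ICSF
KexAlgorithmsSource "any"

Host binhost.example
    ChannelConvert shell
Host legacy.example
    ChannelConvert = "shell,exec,subsystem"
"""
```

Running check_config(SAMPLE) reports all three sources resolved to ICSF (the two any values were promoted because FIPSMODE is yes), no FIPS problems, and two warnings: the binhost block disables exec conversion (what Example 1 under ChannelConvert relies on, but scp to that host would then fail) and the legacy block enables subsystem conversion, which breaks sftp. Change MACsSource=ICSF to MACsSource=CPACF in the sample to see the FIPSMODE=yes rejection.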