File format

The zos_ssh_config configuration file treats empty lines and lines starting with # as comments. Configuration options can be specified using two different formats:
  • The first format is the keyword argument pair separated by white space.
  • The second format is the keyword argument pair separated with exactly one "=" and optional white space. Arguments can optionally be enclosed in double quotes (") in order to represent arguments containing spaces.
    For example:
    keyword argument
    keyword=argument
Keywords are not case sensitive while arguments are case sensitive. The possible keywords are:
ChannelConvert
Specifies one or more ssh channel types that will automatically be converted between ASCII and EBCDIC using the default code pages for the current locale. The argument must be a comma-separated list selected from the following channel types:
  • shell: Interactive session
  • exec: Remote program execution
  • subsystem: Remote subsystem program execution
  • direct-tcpip: TCP/IP forwarding
  • forwarded-tcpip: TCP/IP reverse forwarding
  • stdio-forward: ssh -W option (applies to client only)
The default is shell,exec, which is identical to the behavior of channel conversion in previous releases.
Note:
  • shell conversion is enabled whether it is specified or not.
  • This option only controls stdin/stdout conversion. stderr output (used with shell and exec channels) is always converted.
  • The sftp protocol requires a binary connection. Do not specify subsystem conversion when using the sftp command or subsystem.
  • The scp command requires a text (translated) connection. You must specify exec (which is enabled by default) when using the scp client or server.
  • This option should not be used globally in zos_ssh_config, since changing conversion options for channel types (for example, subsystem or exec) could cause sftp, scp, and other exec connections to fail. The option may be used in Host blocks for selected connections.
Example 1: Executing a remote program, without translating its output:
> ssh -oChannelConvert=shell user@host cat remote.bin > local.bin
Example 2: Sending data to a remote socket program, tunneled through an ssh connection, translating the input and output:
> echo "hi" | ssh -W localhost:5000 -oChannelConvert=stdio-forward user@host
CiphersSource
Specifies the source used to implement the ciphers specified by the ssh_config keyword Ciphers. Valid arguments are "any", "CPACF", "OpenSSL" or "ICSF". The default is "CPACF". Specifying "OpenSSL" requests all ciphers to be implemented using the statically linked OpenSSL cryptographic library. Specifying "CPACF" requests that supported ciphers be implemented using z/Architecture CPACF instructions, or otherwise by OpenSSL. Specifying "ICSF" requests all applicable ciphers to be implemented using Integrated Cryptographic Service Facility (ICSF). Ciphers that are not supported by ICSF will fail if used. Specifying "any" requests all applicable ciphers to be implemented using CPACF if available. Ciphers that are not supported by CPACF are implemented using ICSF if available, or otherwise using OpenSSL. For more information about the ICSF-supported ciphers and the setup required to use ICSF, see Setting up OpenSSH to use ICSF cryptographic operations. If FIPSMODE is set to yes and CiphersSource is set to any, the CiphersSource option will be set to ICSF automatically. If FIPSMODE is not set to yes (the default), then CiphersSource=CPACF (the default) will generally result in the lowest CPU usage by OpenSSH. Ciphers supported by CPACF: aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, 3des-cbc.
ClientSMF
Specifies whether to collect client SMF records. The argument must be set to "TYPE119_U83", "TYPE119_U84" or "none". The default is "none". If set to "TYPE119_U83" or "TYPE119_U84", SMF Type 119 client connection started records (subtype 94) are collected for the ssh client, and SMF Type 119 client transfer completion records (subtype 97) are collected for the sftp and scp commands. SMF record exit IEFU83 receives control for "TYPE119_U83". SMF record exit IEFU84 receives control for "TYPE119_U84".

Restriction: Because this keyword can only be set in the z/OS-specific system-wide configuration file (/etc/ssh/zos_ssh_config), it cannot be specified using the -o option of scp, sftp or ssh.

The IEFU83 and IEFU84 exits are documented in z/OS MVS Installation Exits.

FIPSMODE
Specifies whether or not OpenSSH is running in FIPS mode. Valid arguments are no or yes. The default value is no, which means OpenSSH is not running in any FIPS mode. Specifying yes means that OpenSSH is running in FIPS 140-2 mode. If this option is set to yes, it requires that CiphersSource, MACsSource and KexAlgorithmsSource are set to ICSF or any.

Restriction: This option only applies to protocol version 2.
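
The file format described at the top of this page, the ChannelConvert notes and the FIPSMODE requirement above can all be checked mechanically before a configuration is deployed. The following parser and checker is an added example written for this page; it is not IBM's code and does not reproduce the z/OS OpenSSH parser. It assumes the keyword set, allowed arguments and defaults exactly as documented on this page, and, since the page does not say which value wins when a keyword is repeated, it assumes the first value seen applies, as in ssh_config.

```python
import re

# Keywords from this page, mapped to their allowed arguments (None = free-form argument).
# Keywords are matched case-insensitively; arguments are compared case-sensitively.
KNOWN = {
    "channelconvert": None,
    "cipherssource": {"any", "CPACF", "OpenSSL", "ICSF"},
    "clientsmf": {"TYPE119_U83", "TYPE119_U84", "none"},
    "fipsmode": {"no", "yes"},
    "kexalgorithmssource": {"any", "OpenSSL", "ICSF"},
    "macssource": {"any", "CPACF", "OpenSSL", "ICSF"},
    "zedccompression": {"yes", "no"},
}
DEFAULT_SOURCE = {"cipherssource": "CPACF", "macssource": "CPACF", "kexalgorithmssource": "OpenSSL"}
CHANNEL_TYPES = {"shell", "exec", "subsystem", "direct-tcpip", "forwarded-tcpip", "stdio-forward"}
# "keyword argument" or "keyword=argument" (one '=' with optional white space around it)
LINE_RE = re.compile(r"^([A-Za-z0-9_]+)(?:\s*=\s*|\s+)(.*)$")


def parse_zos_ssh_config(text):
    """Parse zos_ssh_config text into (keyword, argument, host_patterns, lineno) tuples.

    keyword is lower-cased; argument keeps its case and loses one enclosing pair of
    double quotes; host_patterns is None in the global section and the tuple of
    patterns from the enclosing Host line inside a Host block.
    """
    entries, host = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # empty lines and lines starting with '#' are comments
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected 'keyword argument' or 'keyword=argument': {raw!r}")
        keyword, argument = m.group(1).lower(), m.group(2).strip()
        if len(argument) >= 2 and argument.startswith('"') and argument.endswith('"'):
            argument = argument[1:-1]  # quoted argument, may contain spaces
        if keyword == "host":
            host = tuple(argument.split())  # every following keyword belongs to this Host block
            continue
        entries.append((keyword, argument, host, lineno))
    return entries


def check_zos_ssh_config(text):
    """Return a list of findings (strings); an empty list means nothing to report."""
    findings = []
    # First global value per keyword; assumption: the first value seen wins, as in ssh_config.
    first_global = {}
    for keyword, argument, host, lineno in parse_zos_ssh_config(text):
        where = f"line {lineno}"
        if keyword not in KNOWN:
            findings.append(f"{where}: unknown keyword {keyword!r}")
            continue
        allowed = KNOWN[keyword]
        if allowed is not None and argument not in allowed:
            findings.append(f"{where}: {keyword} argument {argument!r} is not one of {sorted(allowed)}")
        if keyword == "channelconvert":
            types = argument.split(",")
            if host is None:
                findings.append(f"{where}: ChannelConvert set globally; use it only in Host blocks")
            for ctype in types:
                if ctype not in CHANNEL_TYPES:
                    findings.append(f"{where}: unknown channel type {ctype!r}")
            if "subsystem" in types:
                findings.append(f"{where}: subsystem conversion breaks the binary sftp subsystem")
        if host is None:
            first_global.setdefault(keyword, argument)
    # FIPSMODE yes requires the three *Source keywords to be ICSF or any (defaults included).
    if first_global.get("fipsmode") == "yes":
        for src, default in DEFAULT_SOURCE.items():
            value = first_global.get(src, default)
            if value not in ("ICSF", "any"):
                findings.append(f"FIPSMODE yes requires {src}=ICSF or any, but it resolves to {value!r}")
    return findings


# Constructed sample; not taken from any real system.
SAMPLE = """\
# constructed sample zos_ssh_config
FIPSMODE yes
CiphersSource = "any"
ChannelConvert shell,exec
Host build*.example.com
    ChannelConvert shell,exec,subystem
    zEDCCompression yes
"""

if __name__ == "__main__":
    for finding in check_zos_ssh_config(SAMPLE):
        print(finding)
```

Run against the sample, the checker reports the global ChannelConvert, the misspelled channel type in the Host block, and the two source keywords (MACsSource and KexAlgorithmsSource) that are left at defaults incompatible with FIPSMODE yes. The quoting rule is deliberately minimal: one enclosing pair of double quotes is removed, nothing inside the quotes is interpreted.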

Host
Restricts the following declarations (up to the next Host keyword) to be only for those hosts that match one of the patterns given after the keyword. A single * as a pattern can be used to provide global defaults for all hosts. The host is the hostname argument given on the command line (the name is not converted to a canonical host name before matching).

See Patterns in ssh_config for more information about patterns.

KexAlgorithmsSource
Specifies the source used to implement Key Exchange algorithms specified by the ssh_config keyword KexAlgorithms. Valid arguments are any, OpenSSL or ICSF. The default is OpenSSL. Specifying OpenSSL requests all Key Exchange algorithms to be implemented using the statically linked OpenSSL Cryptographic library. Specifying ICSF requests all applicable Key Exchange algorithms to be implemented using Integrated Cryptographic Service Facility (ICSF). Key Exchange algorithms that are not supported by ICSF will fail if used. Specifying any requests all applicable Key Exchange algorithms to be implemented using ICSF if available. Key Exchange algorithms not supported by ICSF are implemented using OpenSSL. If ICSF is not available, all Key Exchange algorithms are implemented using OpenSSL. For more information about the ICSF-supported Key Exchange algorithms and the setup required to use ICSF, see Setting up OpenSSH to use ICSF cryptographic operations. If FIPSMODE is set to yes and KexAlgorithmsSource is set to any, the KexAlgorithmsSource option will be set to ICSF automatically.
Note: Specifying ICSF for Kex algorithms does not force source=ICSF for MAC algorithms that are used as part of Key Exchange.
MACsSource
Specifies the source used to implement the MAC algorithms specified by the ssh_config keyword MACs. Valid arguments are "any", "CPACF", "OpenSSL" or "ICSF". The default is "CPACF". Specifying "OpenSSL" requests all MAC algorithms to be implemented using the statically linked OpenSSL cryptographic library. Specifying "CPACF" requests that supported MAC algorithms be implemented using z/Architecture CPACF instructions, or otherwise by OpenSSL. Specifying "ICSF" requests all applicable MAC algorithms to be implemented using Integrated Cryptographic Service Facility (ICSF). MAC algorithms that are not supported by ICSF will fail if used. Specifying "any" requests all applicable MAC algorithms to be implemented using CPACF if available. MAC algorithms that are not supported by CPACF are implemented using ICSF if available, or otherwise using OpenSSL. For more information about the ICSF-supported MAC algorithms and the setup required to use ICSF, see Setting up OpenSSH to use ICSF cryptographic operations. If FIPSMODE is set to yes and MACsSource is set to any, the MACsSource option will be set to ICSF automatically. If FIPSMODE is not set to yes (the default), then MACsSource=CPACF (the default) will generally result in the lowest CPU usage by OpenSSH. MAC algorithms supported by CPACF: hmac-sha1, hmac-sha2-256, hmac-sha2-512, as well as the encrypt-then-mac variants of these: hmac-sha1-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com.
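
The CiphersSource, KexAlgorithmsSource and MACsSource descriptions all follow the same resolution rule: OpenSSL always uses OpenSSL, CPACF falls back to OpenSSL for unsupported algorithms, ICSF makes unsupported algorithms fail, and any tries CPACF, then ICSF, then OpenSSL, with FIPSMODE yes turning any into ICSF. The model below is an added example written for this page, not IBM's implementation; it encodes that rule so an administrator can see in advance which entries of a Ciphers, MACs or KexAlgorithms list would fail under a given source setting. The CPACF algorithm sets come from this page; the page does not list what ICSF supports, so the ICSF set is passed in by the caller (assumption: taken from the ICSF setup documentation), and the sample set in the main block is constructed for illustration only. Passing an empty CPACF set covers KexAlgorithmsSource, which has no CPACF option.

```python
# Algorithms CPACF can implement, as listed on this page.
CPACF_CIPHERS = frozenset({"aes128-cbc", "aes192-cbc", "aes256-cbc",
                           "aes128-ctr", "aes192-ctr", "aes256-ctr", "3des-cbc"})
CPACF_MACS = frozenset({"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512",
                        "hmac-sha1-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
                        "hmac-sha2-512-etm@openssh.com"})
NO_CPACF = frozenset()  # KexAlgorithmsSource has no CPACF option: pass this as cpacf_supported


def effective_source(source, fipsmode="no"):
    """FIPSMODE yes turns 'any' into 'ICSF' automatically; other values pass through."""
    return "ICSF" if fipsmode == "yes" and source == "any" else source


def resolve(algorithm, source, fipsmode="no", cpacf_supported=NO_CPACF,
            icsf_supported=frozenset(), cpacf_available=True, icsf_available=True):
    """Return which implementation ('CPACF', 'ICSF' or 'OpenSSL') handles algorithm,
    or None when the algorithm fails under the given source setting."""
    src = effective_source(source, fipsmode)
    if src == "OpenSSL":
        return "OpenSSL"
    if src == "CPACF":
        # supported algorithms go to CPACF, everything else falls back to OpenSSL
        return "CPACF" if cpacf_available and algorithm in cpacf_supported else "OpenSSL"
    if src == "ICSF":
        # assumption: an unavailable ICSF is treated the same as an unsupported algorithm
        return "ICSF" if icsf_available and algorithm in icsf_supported else None
    if src == "any":
        if cpacf_available and algorithm in cpacf_supported:
            return "CPACF"
        if icsf_available and algorithm in icsf_supported:
            return "ICSF"
        return "OpenSSL"
    raise ValueError(f"unknown source {source!r}")


def resolve_all(algorithms, **kwargs):
    """Map every algorithm of a Ciphers/MACs/KexAlgorithms list to its implementation (None = fails)."""
    return {alg: resolve(alg, **kwargs) for alg in algorithms}


if __name__ == "__main__":
    # Constructed ICSF support set for illustration only; the real list is in the ICSF documentation.
    icsf_ciphers = frozenset({"aes128-ctr", "aes256-ctr", "3des-cbc"})
    ciphers = ["aes256-ctr", "chacha20-poly1305@openssh.com", "3des-cbc"]
    for source in ("CPACF", "ICSF", "any"):
        for fips in ("no", "yes"):
            print(source, fips, resolve_all(ciphers, source=source, fipsmode=fips,
                                            cpacf_supported=CPACF_CIPHERS,
                                            icsf_supported=icsf_ciphers))
```

The main block prints the same three-cipher list under every source and FIPSMODE combination; any entry that maps to None is one a client or server would fail to use with that setting, which is the case to look for before switching a system to ICSF or FIPSMODE yes.
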
zEDCCompression
Specifies whether zEnterprise Data Compression hardware will be allowed for ssh packet compression. The argument must be set to yes or no. The default is no. When set to yes, the zEDC zlib inflate/deflate threshold is lowered so that the initial ssh packets will allow hardware enabled compression for the connection. This option should not be enabled for interactive connections or others that primarily use small packets, as this could result in reduced performance as compared to the default software-based compression. Performance benefits are more likely to be realized with sftp or scp file transfer connections. This option has no effect unless the OpenSSH Compression option is enabled. See ssh_config - OpenSSH client configuration files for more information on enabling ssh compression. For more information, see zlib for zEnterprise Data Compression in z/OS MVS Programming: Callable Services for High-Level Languages.