A fix is available
APAR status
Closed as program error.
Error description
Attempts to connect to the server fail when the sshd_config file specifies a ChrootDirectory and the ChrootDirectory. Message FOTS0841 Connection closed will be issued.
ANALYSIS: This problem only occurs if PTF UJ92768 is applied and the customer is using ChrootDirectory and the internal-sftp subsystem. If UJ92768 has not been accepted, do not accept it. When a client tries to connect, the server validates the ChrootDirectory files and should then proceed with sftp processing, but the connection terminates instead.
KNOWN IMPACT: The sftp connection attempt will fail.
VERIFICATION STEPS: The problem will occur if the sshd_config file specifies ChrootDirectory and the directory includes ForceCommand internal-sftp.
ADDITIONAL SYMPTOMS: The server trace will show the safely_chroot messages issued during chroot validation, and then the client trace will show the FOTS0841 Connection closed message.
debug3: safely_chroot: checking
PE INFORMATION:
USERS AFFECTED: APAR OA64483 added the ability to terminate idle sftp connections by adding the -t option to sftp-server. With PTF UJ92768 accepted, if the server is using ChrootDirectory and it includes the internal sftp subsystem, the connection will terminate prematurely if the -t option is not specified.
USER IMPACT: APAR OA64483 fixed the problem it reported but introduced a new problem.
Local fix
BYPASS/CIRCUMVENTION: Either do not accept the PTF, or add the '-t 0' parameter to the sftp-server invocation as a bypass.
RECOVERY ACTION: If the problem is encountered, the '-t 0' parameter can be added to the sftp-server invocation.
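A check for the configuration described above, as an added example that is not IBM's code: it reads sshd_config text and reports each scope where ChrootDirectory is in effect and internal-sftp is invoked without -t. The sample config, its paths and user names are constructed, and passing the option as "internal-sftp -t 0" in sshd_config is an assumption about where the sftp-server invocation is defined.

```python
import shlex

# Constructed sample sshd_config (not from the APAR); paths and names are made up.
SAMPLE = """\
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /u/sftp/%u
    ForceCommand internal-sftp
Match User batch1
    ChrootDirectory /u/batch
    ForceCommand internal-sftp -t 0
Match User admin
    ForceCommand internal-sftp
"""

def parse_scopes(text):
    """Return [(scope name, {keyword: args})]; each Match line opens a new scope."""
    scopes = [("global", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        key, args = words[0].lower(), words[1:]
        if key == "match":
            scopes.append((" ".join(words), {}))
        elif key == "subsystem" and args and args[0].lower() == "sftp":
            scopes[-1][1].setdefault("sftp", args[1:])
        elif key != "subsystem":
            scopes[-1][1].setdefault(key, args)  # first value wins, as in sshd
    return scopes

def affected_scopes(text):
    """Scopes with a chroot in effect and internal-sftp invoked without -t."""
    scopes = parse_scopes(text)
    hits = []
    for name, opts in scopes:
        eff = {**scopes[0][1], **opts}  # Match settings override global ones
        chroot = eff.get("chrootdirectory") or ["none"]
        fc = eff.get("forcecommand") or ["none"]
        cmd = fc if fc[0].lower() != "none" else eff.get("sftp") or []
        if chroot[0].lower() == "none" or not cmd:
            continue
        # Assumption: the bypass is written as an argument, e.g. "internal-sftp -t 0".
        if cmd[0] == "internal-sftp" and not any(a.startswith("-t") for a in cmd[1:]):
            hits.append(name)
    return hits

if __name__ == "__main__":
    print(affected_scopes(SAMPLE))
```

A reported scope is only relevant on a system where PTF UJ92768 is applied and the corrective PTF is not.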
Problem summary
USERS AFFECTED: Users of z/OS OpenSSH V2R4, V2R5 and 3.1
PROBLEM DESCRIPTION: APAR OA64483 introduced the -t option to terminate idle SFTP connections. However, the connection will terminate prematurely if the -t option is not specified.
When the -t option was introduced, the default behavior was mistakenly changed, causing an error in SFTP connections made without -t.
Problem conclusion
Corrected the logic for the -t option. When the -t option is not specified, the previous default behavior is restored.
Temporary fix
Comments
APAR Information
APAR number
OA65807
Reported component name
OPENSSH FOR Z/O
Reported component ID
5655M2301
Reported release
240
Status
CLOSED PER
PE
YesPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-11-15
Closed date
2024-01-03
Last modified date
2024-03-06
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UJ94375 UJ94376
Modules/Macros
FOTSXFSV FOTSXSHD
Fix information
Fixed component name
OPENSSH FOR Z/O
Fixed component ID
5655M2301
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
04 April 2024