IBM Support

OA65807: CANNOT CONNECT TO THE SERVER WHEN USING CHROOTDIRECTORY AND THE INTERNAL SFTP SERVER WITH PTF UJ92768 APPL 23/11/15 PTF PECHANGE

A fix is available


APAR status

  • Closed as program error.

Error description

  • Attempts to connect to the server fail when the sshd_config file
    specifies a ChrootDirectory together with the internal-sftp
    subsystem.  Message FOTS0841 Connection closed will be issued.
    
    ANALYSIS:
         This problem only occurs if PTF UJ92768 is applied and the
    customer is using ChrootDirectory and the internal-sftp
    subsystem.  If UJ92768 has not yet been accepted, do not accept it.
    
         When a client tries to connect, the server validates the
    ChrootDirectory files and should then proceed with sftp
    processing, but the connection terminates instead.
    
    KNOWN IMPACT:
      The sftp connection attempt will fail.
    
    VERIFICATION STEPS:
    The problem will occur if the sshd_config file specifies
    ChrootDirectory and that same configuration also includes
    ForceCommand internal-sftp.
    
    ADDITIONAL SYMPTOMS:
    The server trace will show the safely_chroot messages issued
    during chroot validation, and then the client trace will show
    FOTS0841 Connection closed.
    
    debug3: safely_chroot: checking
    
    PE INFORMATION:
    USERS AFFECTED:
    APAR OA64483 added the ability to terminate idle sftp connections
    by adding the -t option to sftp-server.  With PTF UJ92768
    accepted, if the server is using ChrootDirectory and it includes
    the internal sftp subsystem, the connection will terminate
    prematurely if the -t option is not specified.
    
    USER IMPACT:
    APAR OA64483 fixed the problem it reported but introduced a new
    problem.
    

Local fix

  • BYPASS/CIRCUMVENTION:
    Either do not accept the PTF or add the '-t 0' parameter to the
    sftp-server invocation as a bypass.
    
    RECOVERY ACTION:
    If the problem is encountered the '-t 0' parameter can be added
    to the sftp-server invocation.
    
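As an added illustration (not part of the APAR text), the following POSIX shell check reads an sshd_config and lists every Match block, and the global section, that combines ChrootDirectory with a ForceCommand internal-sftp line lacking a -t option, i.e. the configurations this APAR says will fail once UJ92768 is accepted and the bypass has not been applied. The sample configuration is constructed, and the bypass form `ForceCommand internal-sftp -t 0` is an assumption derived from the APAR's advice to add '-t 0' to the sftp-server invocation; it is not a snippet from IBM.

```shell
#!/bin/sh
# Added example, not from the APAR. Finds sshd_config blocks that chroot
# and force internal-sftp without a -t option (the affected combination).

# Constructed sample: the first Match block is affected, the second already
# carries the assumed bypass form "internal-sftp -t 0".
SAMPLE_SSHD_CONFIG=$(cat <<'EOF'
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /sftp/%u
    ForceCommand internal-sftp
Match User batchxfer
    ChrootDirectory /sftp/batch
    ForceCommand internal-sftp -t 0
EOF
)

# check_sshd_config reads sshd_config text on stdin and prints, one per line,
# the criteria of each block (or "(global section)") that has ChrootDirectory
# plus ForceCommand internal-sftp with no -t. Exit status 1 if any was found.
check_sshd_config() {
    awk '
    BEGIN { crit = "(global section)" }
    # Flush the block being scanned: flag it if it chroots, forces
    # internal-sftp, and has no -t option on that ForceCommand.
    function report() {
        if (chroot && forced && !has_t) { print crit; found = 1 }
    }
    # Skip comments and blank lines (keywords are case-insensitive in sshd).
    /^[[:blank:]]*#/ || NF == 0 { next }
    tolower($1) == "match" {
        report()
        crit = $0
        sub(/^[[:blank:]]*[^[:blank:]]+[[:blank:]]+/, "", crit)
        chroot = 0; forced = 0; has_t = 0
        next
    }
    tolower($1) == "chrootdirectory" { chroot = 1 }
    tolower($1) == "forcecommand" && tolower($2) == "internal-sftp" {
        forced = 1
        for (i = 3; i <= NF; i++) if ($i == "-t") has_t = 1
    }
    END { report(); exit(found ? 1 : 0) }
    '
}

# Run over the constructed sample: prints "Group sftponly" and exits 1.
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | check_sshd_config \
    || echo "affected block(s) listed above: add -t 0 or hold the PTF"
```

To run it against a real server, replace the sample with `check_sshd_config < /etc/ssh/sshd_config` (the z/OS path may differ); a non-zero exit status means at least one block needs the '-t 0' bypass or the PTF should not be accepted yet.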

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of z/OS OpenSSH V2R4,V2R5 and 3.1      *
    ****************************************************************
    * PROBLEM DESCRIPTION: APAR OA64483 introduced -t option to    *
    *                      terminate idle SFTP connections. But    *
    *                      the connection will terminate           *
    *                      prematurely if the -t option is not     *
    *                      specified.                              *
    ****************************************************************
    When the -t option was introduced, the default behavior was
    mistakenly changed, causing the SFTP connection to fail when
    -t is not specified.
    

Problem conclusion

  • Corrected the logic for the -t option. When the -t option is not
    specified, the previous default behavior is restored.
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA65807

  • Reported component name

    OPENSSH FOR Z/O

  • Reported component ID

    5655M2301

  • Reported release

    240

  • Status

    CLOSED PER

  • PE

    Yes

  • HIPER

    No

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2023-11-15

  • Closed date

    2024-01-03

  • Last modified date

    2024-03-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UJ94375 UJ94376

Modules/Macros

  • FOTSXFSV FOTSXSHD
    

Fix information

  • Fixed component name

    OPENSSH FOR Z/O

  • Fixed component ID

    5655M2301

Applicable component levels

  • R240 PSY UJ94376

       UP24/01/24 P F401 {

  • R310 PSY UJ94375

       UP24/01/24 P F401 {

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
04 April 2024