A fix is available
APAR status
Closed as program error.
Error description
PTFs UJ94988 and UJ94989 did not document in their HOLDDATA that they introduced stricter syntax checking for the OpenSSH client Username and HostName options supplied on the command line. This enhancement tightens security by restricting certain special characters (also referred to as metacharacters) in these options. If any of the newly restricted characters are present in either the Username or HostName option specified on the command line, the OpenSSH client command will fail with one of the following new messages:

  msgFOTS4291 hostname contains invalid characters
  msgFOTS4292 remote username contains invalid characters

The following metacharacters (in the IBM-1047 code page) are now restricted.

Username:
  '  Apostrophe (Single Quote)
  "  Double Quote
  $  Dollar Sign
  \  Backslash
  ;  Semicolon
  &  Ampersand
  <  Less Than
  >  Greater Than
  `  Grave Accent
  (  Left Parenthesis
  )  Right Parenthesis
  {  Left Brace (Curly Bracket)
  }  Right Brace (Curly Bracket)
  *  Asterisk
  whitespace immediately followed by a dash (-)
  username ends with a backslash (\)

Hostname:
  '  Apostrophe (Single Quote)
  "  Double Quote
  $  Dollar Sign
  \  Backslash
  ;  Semicolon
  &  Ampersand
  <  Less Than
  >  Greater Than
  `  Grave Accent
  (  Left Parenthesis
  )  Right Parenthesis
  {  Left Brace (Curly Bracket)
  }  Right Brace (Curly Bracket)
  *  Asterisk
  Whitespaces
  hostname string starts with a -
  Control characters (like newline, tab, etc.)

The new restrictions in these PTFs ensure that only alphanumeric characters and other non-metacharacter symbols are allowed in both the User and HostName options. Customers whose OpenSSH client jobs or scripts currently use any of the restricted metacharacters in these options must modify them to comply with the new requirements. Failure to do so will result in the OpenSSH client command failing with the new messages msgFOTS4291 or msgFOTS4292.

KNOWN IMPACT: Existing OpenSSH client jobs or scripts that include restricted special characters in either the command-line User option or HostName option will no longer function as expected and will fail with the new messages msgFOTS4291 or msgFOTS4292.

VERIFICATION STEPS:
1. When encountering the new messages msgFOTS4291 or msgFOTS4292, review the corresponding OpenSSH client job or script.
2. Check the command-line syntax for the User or HostName options to identify any restricted special characters.

ADDITIONAL SYMPTOMS: MSGFOTS4291 MSGFOTS4292

PE INFORMATION:

USERS AFFECTED: PTFs UJ94988 and UJ94989 introduced stricter syntax checking for the User and HostName options in OpenSSH to enhance security. This affects all OpenSSH client commands that specify these options on the command line when using restricted special characters (metacharacters) such as &, |, ;, <, >, etc. The PTFs failed to include critical information about the newly restricted special characters as HOLDDATA, leaving customers unaware that they could encounter errors such as msgFOTS4291 ("hostname contains invalid characters") or msgFOTS4292 ("remote username contains invalid characters").

USER IMPACT: PTFs UJ94988 and UJ94989 fixed the problem they reported but introduced a new problem: they did not include HOLDDATA to document the new restrictions.
Local fix
BYPASS/CIRCUMVENTION: The client User and HostName options containing metacharacters should be specified in the client ssh_config file instead of on the command line.
Problem summary
USERS AFFECTED: Users running OpenSSH for z/OS on V2R4 (HOT77C0), V2R5 (HOT77C0), 3.1 (HOT77E0), or 3.2 (HOT77E0).

PROBLEM DESCRIPTION: New character restrictions were not properly documented by PTFs UJ94988 and UJ94989 causing unexpected SSH job failures accompanied by MSGFOTS4291 and MSGFOTS4292.

RECOMMENDATION: Update any SSH jobs or scripts to remove the newly restricted characters from the remote username and install this PTF to improve z/OS OpenSSH security.
Problem conclusion
Documentation and associated ++HOLDs have been corrected.

PUBLICATION AFFECTED:
  o z/OS OpenSSH User's Guide
    SC27-6806

New information was added to "Chapter 17. OpenSSH messages" clarifying which characters may not appear in the remote username and hostname:

--------------------------------------------------------
FOTS4291 supplied hostname contains invalid characters

Explanation
-----------
| The supplied hostname contains invalid characters.
| The following metacharacters are restricted from
| appearing in the supplied hostname:
|   '  Apostrophe (Single Quotation Mark)
|   "  Double Quotation Mark
|   $  Dollar Sign
|   \  Backslash
|   ;  Semicolon
|   &  Ampersand
|   <  Less Than
|   >  Greater Than
|   `  Grave Accent
|   |  Vertical Bar
|   (  Opening Parenthesis
|   )  Closing Parenthesis
|   {  Opening Brace
|   }  Closing Brace
| Additionally the hostname must not begin with a dash (-) and
| it must not contain spaces or control characters (as defined
| by the locale of the user.)

System action
-------------
The program ends.

System programmer response
--------------------------
If unable to resolve, follow local procedures for reporting problems to IBM.

User Response
-------------
Verify the program and retry.

--------------------------------------------------------
FOTS4292 remote username contains invalid characters

Explanation
-----------
The remote username contains invalid characters.
| The following metacharacters are restricted from
| appearing in the remote username:
|   '  Apostrophe (Single Quotation Mark)
|   "  Double Quotation Mark
|   $  Dollar Sign
|   \  Backslash
|   ;  Semicolon
|   &  Ampersand
|   <  Less Than
|   >  Greater Than
|   `  Grave Accent
|   |  Vertical Bar
|   (  Opening Parenthesis
|   )  Closing Parenthesis
|   {  Opening Brace
|   }  Closing Brace
| Additionally the username must not contain a space followed by
| a dash (-) or end with a backslash (\).

System action
-------------
The program ends.

System programmer response
--------------------------
If unable to resolve, follow local procedures for reporting problems to IBM.

User Response
-------------
Verify the program and retry.
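A pre-flight check for the (username, hostname) pairs used by scripted ssh jobs, following the rules documented for FOTS4291 and FOTS4292 above. This is an added example, not IBM code, and it does not reproduce the client's actual validation. The function names, the sample values, the inclusion of the asterisk from the error description, and the ASCII approximation of control characters are assumptions.

```python
import re

# Metacharacters listed in the FOTS4291/FOTS4292 explanations, plus the
# asterisk, which the APAR error description also lists (assumption: a
# pre-flight lint should flag the union of both lists).
RESTRICTED = set("'\"$\\;&<>`|(){}*")


def username_problems(user):
    """Reasons the remote username would be rejected (FOTS4292)."""
    problems = [f"metacharacter {c!r}" for c in sorted(set(user) & RESTRICTED)]
    # A trailing backslash is already caught above: backslash is restricted.
    if re.search(r"\s-", user):
        problems.append("whitespace followed by a dash")
    return problems


def hostname_problems(host):
    """Reasons the hostname would be rejected (FOTS4291)."""
    problems = [f"metacharacter {c!r}" for c in sorted(set(host) & RESTRICTED)]
    if host.startswith("-"):
        problems.append("starts with a dash")
    # Assumption: ASCII control codes approximate "control characters as
    # defined by the locale of the user".
    if any(c.isspace() or ord(c) < 32 or ord(c) == 127 for c in host):
        problems.append("contains whitespace or control characters")
    return problems


def lint(user, host):
    """Map each failing option to the message ID documented for it."""
    findings = {}
    if (p := username_problems(user)):
        findings["FOTS4292"] = p
    if (p := hostname_problems(host)):
        findings["FOTS4291"] = p
    return findings


# Constructed sample values, not taken from any real job.
SAMPLES = [
    ("batchusr", "mvs1.example.com"),
    ("ops;id", "mvs1.example.com"),
    ("batchusr", "-mvs1.example.com"),
    ("svc -x", "host name"),
]

if __name__ == "__main__":
    for user, host in SAMPLES:
        print(f"{user!r:12} {host!r:22} {lint(user, host) or 'ok'}")
```

Values that fail this check on the command line are the ones the Local fix section says to move into the client ssh_config file.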
Temporary fix
Comments
APAR Information
APAR number
OA67486
Reported component name
OPENSSH FOR Z/O
Reported component ID
5655M2301
Reported release
240
Status
CLOSED PER
PE
YesPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2025-02-05
Closed date
2025-08-17
Last modified date
2025-10-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UJ97829 UJ97830
Modules/Macros
FOTSRCAT FOTSXADD FOTSXAGT FOTSXFSV FOTSXFTP FOTSXKGN FOTSXKSC FOTSXKSN FOTSXSCP FOTSXSHD FOTSXSSH
| SC276806XX |
Fix information
Fixed component name
OPENSSH FOR Z/O
Fixed component ID
5655M2301
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
02 October 2025