APAR status
Closed as documentation error.
Error description
Problem description:

Book Title - z/OS OpenSSH User's Guide
Book Number - SC27-6806-xx
Chapter - OpenSSH files
Section - OpenSSH daemon configuration files
Topic - sshd_config - OpenSSH daemon configuration file
Initials - CTW/WQY

Clarification is required for users who are attempting to configure keywords ClientAliveInterval and ClientAliveCountMax with the intention of detecting and disconnecting "idle" sessions.

Documentation change: The ClientAliveInterval and ClientAliveCountMax keyword descriptions should be updated and a usage note should be added. The updated content should read:

------
ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received from the client, sshd sends a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client.

ClientAliveCountMax
Sets the number of client alive messages that can be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd disconnects the client, thus terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. Because the client alive messages are sent through the encrypted channel, they will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. If ClientAliveInterval is set to 15 and ClientAliveCountMax is left at the default value of 3, unresponsive SSH clients are disconnected after approximately 45 seconds.

ClientAlive Keyword Usage Note:
The client alive mechanism is designed to periodically send SSH protocol messages over the connection to validate network connectivity; enabling these keywords will also keep the client session alive. If the server hasn't received data from the client within the given amount of time, the server will send a client-alive message to the client. It will continue sending these messages at the given interval until it receives a response or gives up after ClientAliveCountMax attempts and cleans up the dropped session.

If the intention is to have idle client shell sessions terminate, the recommended method is using the TMOUT environment variable, which can be set for the system in /etc/profile. The user's shell will detect when the session is idle and close the session despite the ClientAlive settings keeping the session alive.

More information on TMOUT can be found here: https://www.ibm.com/docs/en/zos/2.4.0?topic=sys1parmlib-smfprmxx
------
Local fix
Problem summary
****************************************************************
* USERS AFFECTED:
*   z/OS users of IBM z/OS V2R4 OpenSSH.
****************************************************************
* PROBLEM DESCRIPTION:
*   Clarification is required for users who are attempting to
*   configure keywords ClientAliveInterval and
*   ClientAliveCountMax with the intention of detecting and
*   disconnecting "idle" sessions.
****************************************************************
* RECOMMENDATION:
****************************************************************
Documentation updates are required to the z/OS OpenSSH User's Guide.
Problem conclusion
Documentation updates are required to the z/OS OpenSSH User's Guide.

Book Title - z/OS OpenSSH User's Guide
Book Number - SC27-6806-xx
Chapter - OpenSSH files
Section - OpenSSH daemon configuration files
Topic - sshd_config - OpenSSH daemon configuration file
Initials - CTW/WQY

The ClientAliveCountMax keyword descriptions should be updated and a usage note should be added. The updated content should read:

ClientAliveCountMax
Sets the number of client alive messages that can be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd disconnects the client, thus terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. Because the client alive messages are sent through the encrypted channel, they will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. If ClientAliveInterval is set to 15 and ClientAliveCountMax is left at the default value of 3, unresponsive SSH clients are disconnected after approximately 45 seconds.

ClientAlive Keyword Usage Note:
The client alive mechanism is designed to periodically send SSH protocol messages over the connection to validate network connectivity; enabling these keywords will also keep the client session alive. If the server hasn't received data from the client within the given amount of time, the server will send a client-alive message to the client. It will continue sending these messages at the given interval until it receives a response or gives up after ClientAliveCountMax attempts and cleans up the dropped session.

If the intention is to have idle client shell sessions terminate, the recommended method is using the TMOUT environment variable, which can be set for the system in /etc/profile. The user's shell will detect when the session is idle and close the session despite the ClientAlive settings keeping the session alive.

More information on TMOUT can be found here: https://www.ibm.com/docs/en/zos/2.4.0?topic=sys1parmlib-smfprmxx
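
An added example (not from the IBM documentation): a shell audit that reads the global section of an sshd_config and a profile file and reports the two separate behaviours described above, the unresponsive-client cutoff (ClientAliveInterval times ClientAliveCountMax) and the TMOUT idle-shell timeout. The function names and the sample files are constructed for illustration; it assumes integer second values and ignores settings inside Match blocks.

```sh
#!/bin/sh
# Added example, not IBM code. Assumes integer second values; Match blocks are ignored.

# Print the global value of an sshd_config keyword (case-insensitive, first
# occurrence wins, "Keyword value" or "Keyword=value"), else the default.
sshd_keyword() {  # usage: sshd_keyword FILE KEYWORD DEFAULT
    awk -v want="$2" -v def="$3" '
        BEGIN { FS = "[ \t=]+" }
        { sub(/^[ \t]+/, "") }
        /^#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Seconds until an unresponsive client is disconnected; 0 means no probes are sent.
unresponsive_timeout() {  # usage: unresponsive_timeout SSHD_CONFIG
    interval=$(sshd_keyword "$1" ClientAliveInterval 0)
    count=$(sshd_keyword "$1" ClientAliveCountMax 3)
    echo $((interval * count))
}

# Succeeds if the profile assigns a non-zero TMOUT (idle-shell timeout).
profile_sets_tmout() {  # usage: profile_sets_tmout PROFILE
    grep -Eq '^[[:space:]]*((export|readonly)[[:space:]]+)?TMOUT=[1-9][0-9]*' "$1"
}

# Report both behaviours: dead-peer detection and idle-shell termination.
audit_idle_policy() {  # usage: audit_idle_policy SSHD_CONFIG PROFILE
    t=$(unresponsive_timeout "$1")
    if [ "$t" -gt 0 ]; then echo "unresponsive clients dropped after ~${t}s"
    else echo "client alive messages disabled"; fi
    if profile_sets_tmout "$2"; then echo "idle shells closed by TMOUT"
    else echo "no TMOUT: client alive probes alone will not close idle shells"; fi
}

# Constructed sample inputs (not from a real system).
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
ClientAliveInterval 15
#ClientAliveCountMax 5
Match User batch
    ClientAliveInterval 0
EOF
printf 'export TMOUT=600\n' > "$demo/profile"
audit_idle_policy "$demo/sshd_config" "$demo/profile"
```

On a real host, pass the daemon's actual configuration file and /etc/profile to audit_idle_policy in place of the sample files.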
Temporary fix
Comments
APAR Information
APAR number
OA62121
Reported component name
OPENSSH FOR Z/O
Reported component ID
5655M2301
Reported release
240
Status
CLOSED DOC
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-09-15
Closed date
2021-10-20
Last modified date
2021-12-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
SC276806XX
Fix information
Applicable component levels
Document Information
Modified date:
09 December 2021