How To
Summary
In some situations, there can be a need to run two separate sshd servers on z/OS.
At a minimum, this requires two separate TCP/IP ports, but for completeness, two distinct environments should be created (config files, pid files, etc.).
Steps
There are several methods to accomplish this. The simplest is to invoke sshd a second time with -p <port>; it reuses the primary sshd's configuration for all the remaining keywords (note: it will also overwrite the pid file).
The preferred method (creating a completely independent second sshd) can be configured by using the following steps performed as a UID 0 user:
1) Create a new directory (for our purposes: /etc/ssh2):
mkdir -m 755 /etc/ssh2
2) Copy the existing sshd configuration files into /etc/ssh2:
cp /etc/ssh/*sshd* /etc/ssh2
(This should copy over files sshd.sh, sshd_config, zos_sshd_config)
3) Update the sshd configuration in /etc/ssh2 to reflect the configuration needed for the second server.
3a) At a minimum you should update the following keywords in sshd_config:
Port
PidFile
For example:
Port 1022
PidFile /var/run/sshd2.pid
3b) It is recommended that the second server have its own server authentication keys. The preferred key types can be created using commands like:
ssh-keygen -t rsa -f /etc/ssh2/ssh_host_rsa_key -N ""
Then update the HostKey keyword(s) in /etc/ssh2/sshd_config to refer to the new keys. In this example:
HostKey /etc/ssh2/ssh_host_rsa_key
4) Update the startup script (/etc/ssh2/sshd.sh) with the following changes:
4a) Before the invocation of sshd add the following to point to the updated zos_sshd_config file:
export _ZOS_SSHD_CONFIG=/etc/ssh2/zos_sshd_config
4b) Update the sshd invocation -f flag to reflect the updated path to the sshd_config file:
nohup /usr/sbin/sshd -f /etc/ssh2/sshd_config &
5) Running /etc/ssh2/sshd.sh as the same user starting the original sshd will start a second sshd server with the altered configuration on the additional port.
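Before starting the second server, the separation set up in steps 3a and 3b can be checked with a script such as the following. It is an added example, not part of the original document or IBM-supplied code: the names sshd_kw and check_independent are hypothetical, and the fallback values Port 22 and PidFile /var/run/sshd.pid are the upstream OpenSSH defaults, assumed to apply to the primary instance.

```shell
#!/bin/sh
# Added example (not IBM-supplied): confirm a second sshd_config shares no
# Port, PidFile or HostKey with the primary instance's sshd_config.

# Print each value set for keyword $2 in sshd_config $1. Keywords are
# case-insensitive and may be written "Keyword value" or "Keyword=value".
sshd_kw() {
    awk -v kw="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        { sub(/[ \t]*=[ \t]*|[ \t]+/, " ")       # normalise first separator
          n = index($0, " ")
          if (n && tolower(substr($0, 1, n - 1)) == tolower(kw))
              print substr($0, n + 1) }' "$1"
}

# check_independent PRIMARY SECONDARY: print one line per finding and
# return non-zero if the second instance is not fully separated.
check_independent() {
    rc=0
    for kw in Port PidFile HostKey; do
        pri=$(sshd_kw "$1" "$kw")
        # Assumed upstream OpenSSH defaults when the primary sets nothing.
        [ -n "$pri" ] || case $kw in
            Port) pri=22 ;;
            PidFile) pri=/var/run/sshd.pid ;;
        esac
        sec=$(sshd_kw "$2" "$kw")
        if [ -z "$sec" ]; then
            echo "$kw: not set in $2, built-in default applies"; rc=1
            continue
        fi
        for v in $sec; do                  # values assumed free of whitespace
            if printf '%s\n' "$pri" | grep -Fxq -- "$v"; then
                echo "$kw: $v is also used by $1"; rc=1
            fi
        done
    done
    return $rc
}

# With two paths, check them; with none, run on constructed sample configs.
if [ $# -eq 2 ]; then check_independent "$1" "$2"; else
    d=${TMPDIR:-/tmp}/sshd2chk.$$; mkdir "$d"
    printf 'Port 22\n' > "$d/pri"                                # constructed primary
    printf 'Port 1022\nPidFile /var/run/sshd2.pid\n' > "$d/sec"  # HostKey omitted
    check_independent "$d/pri" "$d/sec"; rm -rf "$d"
fi
```

Run it as `sh script /etc/ssh/sshd_config /etc/ssh2/sshd_config`; a second config that leaves HostKey unset is reported because sshd would then fall back to the same built-in key locations as the primary.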
Additional Information
Notes:
The client configuration (for utilities like ssh, scp, sftp) will remain in /etc/ssh (ssh_config, zos_ssh_config, etc).
You may need to update (or duplicate) your shutdown procedure to terminate this additional instance of sshd.
Applying maintenance to the z/OS OpenSSH product will impact both instances of sshd and both will need to be restarted to pick up the maintenance.
When migrating, if there are configuration actions needed, be sure to update both configuration instances.
If automation tools are involved in starting /etc/ssh/sshd.sh, you may need to update them to start /etc/ssh2/sshd.sh as well.
Document Location
Worldwide
Document Information
Modified date:
16 December 2022
UID
ibm16848567