What is OpenSSH?

OpenSSH provides secure encryption for both remote login and file transfer. Some of the utilities that it includes are:
  • ssh, a z/OS® client program for logging into a z/OS shell. It can also be used to log into other platforms' UNIX shells. It is an alternative to rlogin.
  • scp for copying files between networks. It is an alternative to rcp.
  • sftp for file transfers over an encrypted ssh transport. It is an interactive file transfer program similar to ftp.
  • sshd, a daemon program for ssh that listens for connections from clients. The z/OS OpenSSH implementation of sshd supports both SSH protocol versions 1 and 2 simultaneously.

    The default sshd configuration only runs protocol version 2.
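
Because sshd can serve protocol versions 1 and 2 at once, it is worth confirming that a given configuration file has not turned version 1 back on. The script below is an added example, not part of the IBM documentation. It assumes the sshd_config `Protocol` keyword, that sshd uses the first value it finds for a keyword, and that an unset keyword means version 2 only, as stated above. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether an sshd_config enables SSH protocol version 1.

# Print the effective Protocol value from the sshd_config file given as $1.
# Keywords are case-insensitive and the first value found is the one used.
# If the keyword is absent, print "2" (assumed default, per the text above).
effective_protocol() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)          # ignore leading whitespace
            if (line ~ /^#/) next             # skip comment lines
            n = split(line, f, /[ \t=]+/)     # "Keyword value" or "Keyword=value"
            if (n >= 2 && tolower(f[1]) == "protocol") {
                print f[2]; found = 1; exit
            }
        }
        END { if (!found) print "2" }
    ' "$1"
}

# Return 0 (true) if the effective Protocol list contains version 1.
protocol1_enabled() {
    case ",$(effective_protocol "$1")," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample configuration (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sshd_config (constructed sample)
Port 22
#Protocol 2
protocol 2,1
Protocol 2
EOF

if protocol1_enabled "$sample"; then
    echo "FAIL: protocol 1 is enabled (Protocol $(effective_protocol "$sample"))"
else
    echo "OK: protocol 2 only"
fi
rm -f "$sample"
```

The later `Protocol 2` line in the sample does not help, because the earlier `protocol 2,1` line is the one that takes effect.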

Other basic utilities such as ssh-add, ssh-agent, ssh-keysign, ssh-keyscan, ssh-keygen and sftp-server are also included.

To ensure secure encrypted communications, OpenSSH uses ciphers such as AES, Blowfish and 3DES.

z/OS OpenSSH provides the following z/OS extensions:
  • System Authorization Facility (SAF) key ring. OpenSSH can be configured to allow OpenSSH keys to be stored in SAF key rings. See Choosing between UNIX files and key rings for more information.
  • Multilevel security. It is a security policy that allows the classification of data and users based on a system of hierarchical security levels combined with a system of non-hierarchical security categories. See Running the sshd daemon in a multilevel-secure environment.
  • System Management Facility (SMF). OpenSSH can be configured to collect SMF Type 119 records for both the client and the server. See Setting up OpenSSH to collect SMF records for more information.
  • ICSF ciphers and MAC algorithms. OpenSSH can be set up to use Integrated Cryptographic Service Facility (ICSF) to implement certain ciphers and MAC (message authentication code) algorithms. This extension enables OpenSSH to use hardware support when applicable. See Setting up OpenSSH to use ICSF cryptographic operations for more information.
  • FIPS 140-2 mode. OpenSSH can be set up to direct all cryptographic operations to ICSF and System SSL interfaces running in FIPS mode. This extension enables OpenSSH to meet the FIPS 140-2 specifications. See Setting up OpenSSH to run in FIPS mode for more information.

The Internet Engineering Task Force (http://www.ietf.org/) has a Secure Shell (SECSH) working group whose goal is to update and standardize the popular SSH protocol. For information about OpenSSH compliance with SECSH RFCs and Internet drafts, see RFCs and Internet drafts.