Summary of changes for z/OS Version 2 Release 4 (V2R4) and its updates

The following changes are made for z/OS® Version 2 Release 4 (V2R4) and its updates.

The most recent updates are listed at the top of the section.

General changes

New information

The following updates contain new information.

Prior to August 2020 refresh
  • For APAR OA58183, additional information about privilege separation was added to Step for creating the sshd privilege separation user.
  • z/OS OpenSSH was updated to the openssh.com version 7.6p1 release. Previously, the product was based on release 6.4p1.

    Support for the following algorithms has been added:
      • New key exchange (KEX) algorithms:
        • diffie-hellman-group14-sha256
        • diffie-hellman-group16-sha512
        • diffie-hellman-group18-sha512
        • curve25519-sha256
      • New key algorithms:
        • ssh-ed25519
        • ssh-ed25519-cert-v01@openssh.com
      • New ciphers:
        • chacha20-poly1305@openssh.com
    Codes to support these algorithms have been added to OpenSSH SMF type 119 records.

    The SMF Type 119 subtype 94 and 95 (ssh / sshd connection started) records now include a section that identifies the IP addresses and ports for the connection. This section was previously included only in the subtype 98 (logon failure) record.

  • Elliptic-curve DSA keys are now supported in key rings.
  • Key ring keys now use System SSL for signature creation and verification, regardless of whether FIPS mode is in use. This change allows key ring private keys to be stored in ICSF, which was not previously supported.
  • Root login using a password is no longer enabled by default.
  • A new command ssh-proxyc is added, which can be used by the ssh client to connect through SOCKS5 proxy servers.
  • For APAR OA57432, the following was added:
    • New option -T added to the scp command. For more information, see scp Format and Options.

Changed information

The following updates contain changed information.

August 2020 refresh
The descriptions for the ClientSMF and ServerSMF keywords were updated. For more information, refer to File format for the updated ClientSMF description, and File format for the updated ServerSMF description.

Deleted information

The following updates contain deleted information.

Prior to August 2020 refresh
  • As previously announced in the z/OS V2R3 Statement of Direction: ENYS217-536 (and consistent with the open source version of OpenSSH 7.6), the following features are no longer available:
    • SSH Version 1 protocol (also referred to as SSH-1).
    • Running without privilege separation for sshd (SSH Daemon).
    • Support for the legacy v00 OpenSSH certificate format.
    • Support for pre-authentication compression by sshd (SSH Daemon). SSH clients will either need to support delayed compression mode or otherwise compression will not be negotiated.
    • Support for Blowfish and RC4 ciphers and the RIPE-MD160 HMAC (Hash Message Authentication Code), specifically: blowfish-cbc, cast128-cbc, arcfour, arcfour128, arcfour256, hmac-ripemd160, and hmac-ripemd160@openssh.com.
    • Accepting RSA keys smaller than 1024 bits.
  • Also as previously announced, the following features will no longer be enabled by default:
    • Support for the 1024-bit Diffie Hellman key exchange, specifically diffie-hellman-group1-sha1.
    • Support for DSA (ssh-dss, ssh-dss-cert-*) host and user keys.
    • Support for MD5-based and truncated MD5 and SHA1 HMAC algorithms, specifically: hmac-md5, hmac-md5-96@openssh.com, hmac-sha1-96@openssh.com, hmac-md5-etm@openssh.com, hmac-md5-96-etm@openssh.com, hmac-sha1-96-etm@openssh.com.
    • Support for the Triple DES cipher, specifically 3des-cbc, in the SSH client's default algorithm proposal.
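Before migrating, existing ssh_config and sshd_config files can be checked for algorithm names from the two lists above. The following is an added example, not IBM or OpenSSH code: the function name audit, the status labels, and the sample configuration are constructed for illustration, and the keyword set assumes the OpenSSH 7.6 option names.

```python
import fnmatch

# Names copied from the "Deleted information" lists above.
REMOVED = ["blowfish-cbc", "cast128-cbc", "arcfour", "arcfour128", "arcfour256",
           "hmac-ripemd160", "hmac-ripemd160@openssh.com"]
NOT_DEFAULT = ["diffie-hellman-group1-sha1", "ssh-dss", "ssh-dss-cert-*",
               "hmac-md5", "hmac-md5-96@openssh.com", "hmac-sha1-96@openssh.com",
               "hmac-md5-etm@openssh.com", "hmac-md5-96-etm@openssh.com",
               "hmac-sha1-96-etm@openssh.com", "3des-cbc"]
# Keywords whose value is a comma-separated algorithm list (assumed: 7.6 names).
LIST_KEYWORDS = {"ciphers", "macs", "kexalgorithms", "hostkeyalgorithms",
                 "pubkeyacceptedkeytypes"}

def _matches(name, patterns):
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)

def audit(config_text):
    """Return (line_no, keyword, algorithm, status) for each flagged name."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        # Both "Keyword value" and "Keyword=value" are accepted forms.
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in LIST_KEYWORDS:
            continue
        keyword, value = parts[0], parts[1].strip().strip('"')
        if value.startswith("-"):   # "-list" only removes names from the defaults
            continue
        for name in value.lstrip("+").split(","):   # "+list" appends to defaults
            name = name.strip()
            if _matches(name, REMOVED):
                findings.append((line_no, keyword, name, "removed"))
            elif _matches(name, NOT_DEFAULT):
                findings.append((line_no, keyword, name, "explicitly-enabled"))
    return findings

# Constructed sample, not taken from a real system.
SAMPLE = """\
Ciphers aes128-ctr,arcfour256,3des-cbc
MACs=hmac-sha2-256,hmac-ripemd160
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms -ssh-dss
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A "removed" finding names an algorithm that this release no longer provides, so the entry must be taken out of the configuration; an "explicitly-enabled" finding names one that is no longer on by default and is being turned back on by the configuration, which is worth a deliberate review.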

Message changes

The following lists indicate the messages that are new, changed, or no longer issued in z/OS V2R4 and its updates. Messages that have been added, updated, or that are no longer issued in an updated edition of V2R4 are identified by the quarter and year that the message was updated, in parentheses. For example, (4Q2019) indicates that a message was updated in the fourth quarter of 2019.

New

The following messages are new.
  • FOTS1794 (APAR OA57432)

Changed

The following messages are changed.
  • None.

Deleted

The following messages were deleted.
  • None.