It's sometimes convenient to create your own z/OS SSHD server on an alternate port for testing purposes. You can do this without any special privileges, and the SSHD server will run fine, except that it will only allow logins for the userid that it is running under.
This is especially handy if your Systems Programmer doesn't understand immediately that adding an SSH user subsystem doesn't introduce any new security risks.
Procedure G.1. General outline for adding a test SSHD server
Create your own ssh directory, say ~/sshd, and copy the file
/etc/ssh/sshd_configinto it:.zos$ mkdir ~/sshd zos$ cp /etc/ssh/sshd_config ~/sshdIn this directory, generate your DSA and RSA host keys, as directed in the IBM Ported Tools for z/OS User's Guide.
If you can copy the keys in /etc/ssh directory, then you will avoid "host key" mismatch problems if you switch your SSH client from the production to the test server. If you do copy the production host keys, make sure that you change the file permissions to
600so that they can't be read by others.Edit your copy of sshd_config:
Find the line "Subsystem" which defines the sftp subsystem
Add a new line after this line:
Subsystem dspipes /usr/lpp/coz/bin/dspipes
(where /usr/lpp/coz is the directory where Co:Z Toolkit is installed).
Uncomment the
Portline and set it to an available portUncomment / add the following lines (to use the private keys generated in the previous step):
HostKey ./ssh_host_rsa_key HostKey ./ssh_host_dsa_key
(where /usr/lpp/coz is the directory where Co:Z Toolkit is installed).
From a z/OS shell, change to the directory that you created and start your copy of SSHD:
/usr/sbin/sshd -e -D -f ./sshd_config
Note: If you are unable to execute
/usr/sbin/sshd, you may be able to copy it to your local directory, add the execute bit (chmod +x ~/sshd/sshd) and run the above command using this local copy.To connect to your test SSHD server from a client, don't forget to use the
-ssh -p portSSH option on your ssh, fromdsn or todsn commands.