SSH Tectia 

SMF Auditing

System Management Facilities (SMF) collect data for auditing. sshd2 collects SMF records for failed login attempts. The sft-server-g3 subsystem collects SMF records for the following events:

  • Download a file (retrieve)
  • Upload a file (store)
  • Append data to a file
  • Rename a file
  • Delete a file

scp2 and sftp2 clients collect SMF records for the following events:

  • Download to local file (store)
  • Upload local file (retrieve)

The SMF record type for the sshd2 server and the sft-server-g3 subsystem can be defined with the SftpSmfType option in the server's configuration file (/etc/ssh2/sshd2_config):

SftpSmfType    TYPE119

For scp2 and sftp2 clients the SMF record type can be defined in the SSH_SFTP_SMF_TYPE environment variable. The following SMF record types are available:

  • TYPE119

Note that it is also possible to route syslog daemon messages to be stored in SMF record type 109. For details, see the "Syslog daemon" chapter in the IBM document z/OS V1R6.0 CS: IP Configuration Reference, SC31-8776-07.

Required Permissions for SMF Records

The caller of the SMF service must be permitted to the BPX.SMF facility class profile:

  • The SSHD2 user must be permitted to the BPX.SMF facility class profile so that sshd2 can create SMF records for users logging in and out.
  • Each user that can transfer files must be permitted to the BPX.SMF facility class profile so that sft-server-g3, scp2, and sftp2 can create SMF records for file transfers.

Give these commands to set up the permissions:


Changes in SMF TYPE119 Messages

All SMF records produced by sshd2, sft-server-g3, scp2, and sftp2 are based on the SMF type 119 record format described in the IBM document z/OS V1R6.0 CS: IP Configuration Reference, SC31-8776-07. Only subtypes 70 (FTP server transfer completion record), 72 (FTP server logon failure record), and 3 (FTP client transfer completion record) are used.

New values are used for SMF119FT_FSLoginMech in the FTP server security section and for SMF119FT_FFLoginMech in the FTP server login failure security section:

  • K (0xD2) - public-key authentication
  • H (0xC8) - host-based authentication

In the common TCP/IP identification section, new TCP/IP subcomponent values are used to distinguish the SFTP server and client from the FTP server and client. The value SSHS is used in sshd2, SFTPS is used in sft-server-g3, and SFTPC is used in the file transfer clients scp2 and sftp2.
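
The subtype, subcomponent, and login mechanism values described above are enough to pick SSH Tectia records out of a mixed SMF type 119 stream during an audit review. The following Python code is an added example, not part of the SSH Tectia documentation: it assumes the three fields have already been extracted from each record by an SMF dump tool, and the function names, the cp037 code page, the 8-byte blank-padded subcomponent field, and the sample values (including the non-Tectia subcomponent FTPS) are assumptions made for illustration.

```python
EBCDIC = "cp037"  # assumed code page; A-Z encode identically in IBM-1047

# Subcomponent -> (program, subtype it is expected to write), paired from the
# descriptions in this section.
TECTIA_COMPONENTS = {
    "SSHS": ("sshd2", 72),
    "SFTPS": ("sft-server-g3", 70),
    "SFTPC": ("scp2/sftp2", 3),
}
SUBTYPES = {
    70: "FTP server transfer completion",
    72: "FTP server logon failure",
    3: "FTP client transfer completion",
}
# Login mechanism values added by SSH Tectia (EBCDIC 'K' and 'H').
TECTIA_LOGIN_MECH = {0xD2: "public-key", 0xC8: "host-based"}


def classify(subtype, comp_raw, login_mech=None):
    """Describe one record, or return None if it is not from SSH Tectia.

    comp_raw   -- raw bytes of the TCP/IP subcomponent field (padded)
    login_mech -- LoginMech byte for subtypes 70 and 72, None otherwise
    """
    comp = comp_raw.decode(EBCDIC).strip(" \x00")
    if comp not in TECTIA_COMPONENTS:
        return None  # written by some other TCP/IP subcomponent
    program, expected = TECTIA_COMPONENTS[comp]
    auth = None
    if login_mech is not None:
        auth = TECTIA_LOGIN_MECH.get(login_mech, "other (0x%02X)" % login_mech)
    return {
        "program": program,
        "event": SUBTYPES.get(subtype, "unexpected subtype"),
        "consistent": subtype == expected,  # False is worth a closer look
        "auth": auth,
    }


def pad(name, width=8):
    """Build a constructed, blank-padded EBCDIC field for the samples."""
    return name.encode(EBCDIC).ljust(width, b"\x40")


if __name__ == "__main__":
    # Constructed sample fields, not real SMF data.
    for sample in [(72, pad("SSHS"), 0xD2), (70, pad("SFTPS"), 0xC8),
                   (3, pad("SFTPC"), None), (70, pad("FTPS"), 0xD7)]:
        print(sample[0], classify(*sample))
```

A record whose `consistent` flag is False carries a Tectia subcomponent name with a subtype this section does not associate with that program.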


Copyright © 2007 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.