Your browser does not allow storing cookies. We recommend enabling them.

SSH Tectia 
PreviousNextUp[Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server for IBM z/OS >>
    Getting Started with SSH Tectia Server for IBM z/OS >>
    Configuring the Server >>
        Server Configuration Files >>
        Subconfigurations >>
        Ciphers and MACs >>
        Configuring Root Logins
        Restricting User Logins
        Auditing >>
        Securing the Server >>
            System Administration
            File Transfer
        Default sshd2_config Configuration File
        Default ssh_certd_config Configuration File
    Configuring the Client >>
    Authentication >>
    Transferring Files >>
    Tunneling >>
    Troubleshooting SSH Tectia Server for IBM z/OS >>
    Advanced Information >>
    Man Pages >>
    Log Messages >>


SSH Tectia Connector can be used to securely tunnel TN3270 connections from a Windows workstation to the mainframe.

The following examples show how to restrict tunneling services for certain groups and how to deny terminal and file transfer services.

Please see Section Subconfigurations for information on user-specific configurations if more fine-grained control is needed over the services.

Restricting Tunneling

SSH Tectia Connector will use only local tunnels (port forwarding). The tunnels are established based on the configuration of the application being tunneled. Please see SSH Tectia Connector Administrator Manual for details on the tunneling principles.

The following configuration options of SSH Tectia Server for IBM z/OS will deny remote port forwarding and allow local port forwarding for all users for example to or

AllowTcpForwarding       yes
ForwardACL               deny remote .* .*
ForwardACL               allow local .* .*\.example\.com%(80|443)

The format for the value of the ForwardACL option is the following:

(allow|deny) (local|remote) user-pat forward-pat [originator-pat]

user-pat is used to match the client user, in the same way as in the UserSpecificConfig option.

With local port forwarding, forward-pat is a pattern of format host-id[%port]. host-id will match with the target host of the forwarding, in the same way as in the AllowHosts option. port will match the target port. If the client attempts to open the forwarding using a DNS name, the IP is looked up from the DNS, which will be used to match the pattern.

Note that the ForwardACL forward pattern defined with a DNS name does not match if the tunneled application uses IP addresses instead of DNS names for connections. The forward pattern defined with an IP address will match to both.

With local port forwarding, originator-pat will match the originator address that the client has reported. However, restrictions based on the source address of local port forwarding are normally not reliable because the client can forge the source address. originator-pat should be used only if the client can be trusted (for example, if it is administered by yourself).

If you specify any allow directives, all forwardings in that class (local or remote) not specifically allowed will be denied. If a forwarding matches both allow and deny directives, the forwarding will be denied.

Also, if you have specified any of the options {Allow,Deny}TcpForwardingFor{Users,Groups} or AllowTcpForwarding, and the forwarding for the user is disabled with those options, an allow directive will not re-enable the forwarding for the user.

The following example denies all forwarding for the sftpusers group. Other users are denied remote forwarding. User root is allowed all local forwarding. User tunnelu is allowed local forwarding only to the Telnet port (23) of addresses *, and the forwarding must originate from the client machine local address (, it cannot be forwarded from a third host (this assumes that the client machines are trusted).

AllowTcpForwarding            yes
DenyTcpForwardingForGroups    sftpusers
ForwardACL               deny remote .* .*
ForwardACL               allow local root .*
ForwardACL               allow local tunnelu .*\.example\.com%23

Please see Section Restricting User Logins for more information on the egrep regular expression syntax used in configurations.

Note that the users with terminal (shell) access are restricted only in the SSH Tectia Server configuration and can, for example, set up their own port forwardings. Please see Section System Administration for more information.

Disabling Terminal Access

The following configuration option of SSH Tectia Server for IBM z/OS will deny the user tunnelu terminal access.

Terminal.DenyUsers       tunnelu

File Transfers

To deny all users the access to the SFTP server, change the default SFTP subsystem configuration option of SSH Tectia Server for IBM z/OS to:


PreviousNextUp[Contents] [Index]

[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2007 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice




What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.

    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now
  • ISACA Practitioner Guide for SSH

    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now