Restrictions to File Transfer
If SSH Tectia Server for IBM z/OS is used for file transfer only, it is advisable to disable tunneling and terminal access to the server.
Enabling the SFTP Subsystem
To allow the users to connect with SFTP to SSH Tectia Server for IBM z/OS, the secure file transfer subsystem has to be defined in the
Restricting Access to User's MVS User Catalog
To restrict the users' access with SFTP, the --attribute=zos-access option can be specified with
subsystem-sftp /opt/tectia/libexec/sft-server-g3 --attribute=zos-access:value
The values for the zos-access attribute are:
mvs: User is allowed access only to the MVS side of the server.
usercatalog: User is allowed access only to the MVS side of the server and only to his/her own catalog.
hfs: User is allowed access only to the HFS side of the server.
all: User is allowed access to both MVS and HFS sides of the server. No access restrictions are active.
hfs,usercatalog: User is allowed access to the HFS side of the server and to the MVS side of the server but only to his/her own catalog.
The values are case-insensitive. You can use either "MVS" or "mvs". The values cannot include white spaces. Value "mvs,hfs" works, but "mvs, hfs" does not.
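The value rules above can be checked before a configuration is deployed. The following linter is an added example, not code from the product or its documentation. The function names, the finding codes and the sample lines (including the unknown value "uss") are constructed for illustration, and treating "mvs,hfs" as equivalent to "all" is an assumption.

```python
# Added example: linter for subsystem-sftp lines using the zos-access attribute.
KNOWN = {"mvs", "usercatalog", "hfs", "all"}   # value names listed on this page
ATTR = "--attribute=zos-access:"

def audit_line(line):
    """Return finding codes for one configuration line ([] means nothing to report)."""
    words = line.split()
    # Assumption: the keyword is matched without regard to case.
    if not words or words[0].lower() != "subsystem-sftp":
        return []
    pos = next((i for i, w in enumerate(words) if w.startswith(ATTR)), None)
    if pos is None:
        return ["no-zos-access"]            # attribute absent, nothing restricted by it
    items = words[pos][len(ATTR):].lower().split(",")   # values are case-insensitive
    findings = []
    # "mvs, hfs" splits into "mvs," plus a stray word: the form the page says fails.
    stray = pos + 1 < len(words) and not words[pos + 1].startswith("-")
    if "" in items or stray:
        findings.append("whitespace-in-value")
    findings += ["unknown:" + i for i in items if i and i not in KNOWN]
    granted = KNOWN.intersection(items)
    # Assumption: "mvs,hfs" opens both sides just as "all" does.
    if "all" in granted or {"mvs", "hfs"} <= granted:
        findings.append("both-sides-open")
    return findings

def audit_config(text):
    """Map 1-based line numbers to findings, skipping clean lines."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        found = audit_line(line)
        if found:
            report[n] = found
    return report

# Constructed sample input, not taken from a real server.
SFT = "subsystem-sftp /opt/tectia/libexec/sft-server-g3 "
SAMPLE = "\n".join([
    SFT + "--attribute=zos-access:usercatalog",
    SFT + "--attribute=zos-access:HFS,UserCatalog",
    SFT + "--attribute=zos-access:mvs, hfs",
    SFT + "--attribute=zos-access:mvs,hfs",
    SFT + "--attribute=zos-access:uss",
    SFT.strip(),
])

if __name__ == "__main__":
    for lineno, found in audit_config(SAMPLE).items():
        print(lineno, ", ".join(found))
```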
sft-server-g3 so that user can only access his/her own MVS catalog:
sft-server-g3 so that only HFS can be accessed:
If you are sure you or your users do not need to create tunnels (possibly going around firewall restrictions or such), you can disable tunneling (port forwarding) altogether by adding the following to your
Note that this also disables transparent FTP tunneling through the server.
Disabling Terminal Access
The following configuration option of SSH Tectia Server for IBM z/OS will deny the group sftpusers terminal access.