SSH.COM is one of the most trusted brands in cyber security. We help enterprises and agencies solve the security challenges of digital transformation with innovative access management solutions.
If Tectia Server for IBM z/OS is used for file transfer only, it is advisable to disable tunneling and terminal access to the server.
To allow the users to connect with SFTP to Tectia Server for IBM z/OS, the secure file
transfer subsystem has to be defined in the
To restrict the users' access with SFTP, the
--attribute=zos-access option can be specified with
subsystem-sftp /opt/tectia/libexec/sft-server-g3 --attribute=zos-access:value
The values for the
zos-access attribute are:
mvs: User is allowed access only to the MVS
side of the server.
usercatalog: User is allowed access only to the MVS
side of the server and only to his/her own catalog.
hfs: User is allowed access only to the HFS side of
all: User is allowed access to both MVS and HFS sides of
the server. No access restrictions are active.
User is allowed access to the HFS side of the server and to the MVS side of
the server but only to his/her own catalog.
The values are case-insensitive. You can use both
MVS" or "
mvs". The values cannot include
white spaces. Value "
mvs,hfs" works, but "
hfs" does not.
sft-server-g3 so that user can only access
his/her own MVS catalog:
Tectia Server for IBM z/OS can control who is permitted to request offline datasets to be
mounted. Tape datasets are typically offline and a DASD dataset is offline
if the volume it resides on is not mounted. To control mounting, the System
Authorization Facility (RACF, ACF2, or TSS) facility
SSZ.MOUNT must be defined. When it is defined Tectia requires
that the user has at least
READ access before it requests a
dataset to be mounted. If
SSZ.MOUNT is not defined there is
no restriction on mounting.
The restriction is enforced both by the server and by the
scpg3 client programs.
In addition to having permission to request mounts, the user must also
specify the file transfer attribute
automount=yes for Tectia
to allocate a dataset with mounts allowed.
Tectia first attempts to allocate a dataset without allowing the system
to do a mount. If this fails because the dataset is offline, and the user
has the required permission, Tectia repeats the allocation and allows the
system to mount the dataset. The user can instruct Tectia to omit the first
allocation by specifying
Note that a user who can open a shell or issue remote commands with Tectia has other ways of causing tape mount requests. To control tape mounts effectively, do the following steps:
SSZ.MOUNT with universal permission
RDEFINE FACILITY (SSZ.MOUNT) UACC(NONE)
Set up the users who are to be allowed to mount tapes as file-transfer only users as instructed above (Restricting Access to User's MVS User Catalog ).
Give these users
READ access to
PERMIT SSZ.MOUNT CLASS(FACILITY) ID(SRVACC1) ACCESS(READ)
After each command refresh the
SETROPTS RACLIST(FACILITY) REFRESH
If you are sure you or your users do not need to create tunnels
(possibly going around firewall restrictions or such), you can disable
tunneling (port forwarding) altogether by adding the following to your
Note that this disables also transparent FTP tunneling through the server.