Open SSH for OS/390
Open SSH is well documented at www.openssh.org and open ssl is equally well documented at
The Ports presented here are somewhat back level, but are very stable.
scp only works with ascii files binary files will be corrupted, you can use
uuencode to pre-code binary files so that scp can copy them and then uudecode to get them back. The problem is that
the built in translation table is NOT one to one , if anyone knows how to specify a user translation table please let me know
You can email me if you have questions at firstname.lastname@example.org
If you want to thank someone then write to Mike McIsaac and the members of the red book team
for putting together the red book that made this possible
Please read carefuly and follow these instructions ;-)
The gzips contain the binaries compiled under 2.9 should your site not have a C compiler license
- Collect zlib, unpack it and make it
- Install and start your random number generator as documented below
- Collect openssl unpack it make and make install it
- Now create a symbolic link in the openssl directory like this:
ln -s blah blah
- Collect openssh unpack it NB: IF YOU USE THE CONFIGURE SCRIPT
YOU WILL HAVE TO MANUALLY EDIT THE Makefile so that the compiler options are in the right order. I have already run
configure and the Makefile should work for you as it is so just use make and make install. Copy the zlib headers
to the directory where you unpacked openssh if your compiler cant find them !
- Now mark the sshd as apf authorized in the HFS
su;extattr +ap /usr/local/sbin/sshd
- Now make your hostkey
/usr/local/bin/ssh-keygen -f /etc/ssh/ssh_host_key if you get the message:
ssh-keygen: no RSA support in libssl and libcrypto. See ssl(8).
you havent started randy !!
- Now start the ssh server
- Use the freeware program putty if you are using windows as a client, sensible operating systems
have their own client ;-)
- Place the command
setty sanein your .profile or the system shell profile ..
- Enjoy - write IBM and tell them how important freeware is and ask them to support ssh in future z/390 releases.
Here is some JCL to start your ssh server, you should define the RACF user for this task
as protected and with uid 0 /tmp as home and /bin/sh as program
and the pseudo random number generator as we dont have /dev/urandom support, define the
userid as protected with any old UID that fits in your environment home as /tmp and /bin/sh
//INET EXEC PGM=BPXBATCH,REGION=4096K,TIME=NOLIMIT,ACCT=&IPACCNT,
// PARM='SH /usr/local/sbin/sshd -h /etc/ssh/ssh_host_key'
//CEEDUMP DD SYSOUT=*
//SYSERR DD PATH='/tmp/sshd.syserr',
//STDOUT DD PATH='/tmp/sshd.stdout',
//STDERR DD PATH='/tmp/sshd.stderr',
//SYSOUT DD PATH='/tmp/sshd.sysout',
Here is some example code for your very own pseudo random number generator:
You should make this code your own to reflect your own random space.
//RAND EXEC PGM=BPXBATCH,REGION=0M,TIME=NOLIMIT,ACCT=&IPACCNT,
// PARM='SH /usr/local/bin/randy'
//SYSOUT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//CEEDUMP DD SYSOUT=*
//SYSERR DD PATH='/tmp/randy.syserr',
//STDOUT DD PATH='/tmp/randy.stdout',
//STDERR DD PATH='/tmp/randy.stderr',
//SYSOUT DD PATH='/tmp/randy.sysout',
You need randy zlib perl and openssl to be installed for openssh to compile and
fname = '/dev/urandom'
"/usr/sbin/mknod " fname " p"
address syscall 'open' fname O_wronly 644
if retval=-1 then do ; say 'file not opened' errno errnojr; exit; end
fd = retval
do i=1 to 80
randomish_number=randomish_number || esc_n
address syscall 'write ' fd ' randomish_number ' length(randomish_number)
if retval=-1 then say 'error code ' errno errnojr
address syscall 'close' fd
address syscall 'sleep 1'