I run CA Top Secret as my ESM, and need to know how to implement SSHD. I looked into the manuals supplied for CA Top Secret, including the Cookbook, But was not
The following 3 sets of commands sequences has been confirmed by several customers that had to implement SSHD under Top Secret:
Creating the SSHD privilege separation user.
- Create the SSHD privilege separation user.
TSS CRE(SSHDG) NAME(SSHDG) TYPE(GROUP) GID(xxx) TSS CRE(SSHD) TYPE(USER) NAME(SSHD) PASS(NOPW,0) - FAC(STC) DFLTGRP(SSHDG) GROUP(SSHDG) UID(yy) - HOME('/var/empty') PROGRAM('/bin/false')
Choosing an acid to start the daemon.
- The acid used to start the daemon
- Needs UID(0)
- Must not be the SSHD acid.
- Needs read access to IBMFAC(BPX.POE)
- Needs read access to IBMFAC(BPX.DAEMON)
Assuming the acid you choose is OMVSKERN
TSS ADD(OMVSKERN) UID(0) TSS PER(OMVSKERN) IBMFAC(BPX.POE) ACC(READ) TSS PER(OMVSKERN) IBMFAC(BPX.DAEMON) ACC(READ)
Program control and noshareas extended attributes.
- The SSHD daemon requires program control and noshareas extended attributes.
Program control in CA-TOP SECRET means that FETCH or READ authorities for the library are needed to execute the programs in the library.
TSS ADD(owning-acid) DSN(CEE.SCEERUN) TSS ADD(owning-acid) DSN(SYS1.LINKLIB) TSS PER(acid) DSN(CEE.SCEERUN) ACC(READ) TSS PER(acid) DSN(SYS1.LINKLIB) ACC(READ) SHAREAS or NOSHAREAS is not related to security. It has something to do with the OMVS command and the shell running in the same (shared) TSO/E address space saving one address space per user and simplifying transaction accounting, as managed by the operating system.