SSH-EXTERNALKEYS(5)            SSH2           SSH-EXTERNALKEYS(5)



DESCRIPTION

       This  document  contains  general  information about using
       external keys with SSH Tectia Server for IBM z/OS.



USING EXTERNAL KEYS

       For applications  capable  of  using  external  keys,  two
       strings  need  to  be specified: the provider name and the
       initialization string for the provider. These strings  can
       be  given  on the command line or in a configuration file,
       depending  on  the  application.  The  following   section
       describes   the  different  providers  available  in  more
       detail.

       The provider name and/or the initialization string may  be
       defined in the following configuration keywords:

       In ssh2_config:

              EkInitString="initstring"
              EkProvider="provider"
              HostCAEkProvider="provider:initstring"
              HostCAEkProviderNoCRLs="provider:initstring"
              HostKeysEkProvider="provider:initstring"


       In sshd2_config:

              AuthorizationEkProvider="provider:initstring"
              HostKeyEkInitString="initstring"
              HostKeyEkProvider="provider"
              KnownHostsEkProvider="provider:initstring"


       In ssh_certd_config:

              HostCAEkProvider="provider:initstring"
              HostCAEkProviderNoCRLs="provider:initstring"
              PkiEkProvider="provider:initstring"




EXTERNAL KEY PROVIDERS

       zos-saf

              The zos-saf provider is used for accessing keys stored
              in the IBM z/OS System Authorization Facility (SAF).

              The initialization string for the zos-saf provider
              specifies the key(s) to be used and it has the
              following components:

              {KEYS([ID(xxx)]RING(xxx)[LABEL(xxx)|DEFAULT])}...



SSH2                    December 14, 2006                       1

              KEYS(..) may repeat. The subattributes are:

              ID  - A SAF user id signifying the owner of the key
              ring. If missing, the current user's id is used.

              RING - Key ring name. Mandatory.

              LABEL - The SAF key label. If missing, and  DEFAULT
              is missing, use all the keys in the key ring.

              DEFAULT   -  Use  the  key  that  is  marked as the
              default  key  on  the  key  ring.  Do  not  specify
              together with LABEL.

              Values must be written in single quotation marks if
              they contain single quotation marks or parentheses.

              The initialization string specified with the
              HostKeyEkInitString keyword of sshd2_config must
              point to a single private key. If the key ring
              contains several keys, LABEL must be used to
              distinguish between the keys.

              When using a trusted key provider and the SSH Tectia
              Certificate Validator, specify KEYS variables that
              include all the CA certificates needed, for example:

              PkiEkProvider="zos-saf"
              PkiEkInitString="KEYS(RING(Trusted.CAs) LABEL('Primary CA'))
                               KEYS(ID(SSHTEST) RING(Internal.CAs))"

              The EkInitString keyword of ssh2_config and the
              AuthorizationEkProvider keyword of sshd2_config can
              contain special strings in the key specification
              that are mapped according to the following list:

              %U = user name

              %IU = user ID

              %IG = user group ID
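              As an added example that is not part of this manual
              page or of SSH Tectia, the following Python parser
              reads a zos-saf initialization string as described
              above (KEYS(...) groups, mandatory RING, LABEL/DEFAULT
              exclusion, quoted values, %U/%IU/%IG expansion) and
              adds a conservative check for HostKeyEkInitString. It
              assumes that a single quote inside a quoted value is
              written doubled, which the page does not specify.

```python
import re
# A KEYS(...) attribute: keyword plus optional parenthesised value; a value is
# single-quoted (required if it holds quotes or parentheses; embedded quotes are
# assumed doubled, unspecified by the page) or bare with no parens/whitespace.
_KEYS_OPEN = re.compile(r"\s*KEYS\(")
_ATTR = re.compile(r"\s*(ID|RING|LABEL|DEFAULT)(?:\(('(?:[^']|'')*'|[^()\s]+)\))?")
_CLOSE = re.compile(r"\s*\)")
def _unquote(raw):
    return raw[1:-1].replace("''", "'") if raw.startswith("'") else raw

def parse_keys_spec(init_string, user=None, uid=None, gid=None):
    """Parse a zos-saf init string into one dict per KEYS(...) group (ID None
    = current user). %U, %IU and %IG are expanded first when values are given."""
    s = init_string.strip()
    for marker, value in (("%IU", uid), ("%IG", gid), ("%U", user)):
        if value is not None:
            s = s.replace(marker, str(value))
    selectors, pos = [], 0
    while pos < len(s):
        m = _KEYS_OPEN.match(s, pos)
        if not m:
            raise ValueError(f"expected KEYS(...) at offset {pos}")
        pos, sel = m.end(), {"ID": None, "RING": None, "LABEL": None, "DEFAULT": False}
        while (a := _ATTR.match(s, pos)):
            name, raw = a.group(1), a.group(2)
            if name == "DEFAULT":
                if raw is not None:
                    raise ValueError("DEFAULT takes no value")
                sel["DEFAULT"] = True
            elif raw is None:
                raise ValueError(f"{name} requires a value")
            else:
                sel[name] = _unquote(raw)
            pos = a.end()
        m = _CLOSE.match(s, pos)
        if not m:
            raise ValueError(f"unterminated KEYS(...) at offset {pos}")
        pos = m.end()
        if sel["RING"] is None:
            raise ValueError("RING is mandatory in every KEYS(...)")
        if sel["LABEL"] is not None and sel["DEFAULT"]:
            raise ValueError("LABEL and DEFAULT must not be combined")
        selectors.append(sel)
    return selectors

def selects_single_key(init_string):
    """Conservative HostKeyEkInitString check: exactly one KEYS(...) that names
    one key via LABEL or DEFAULT (a one-key ring without LABEL also works but
    cannot be verified from the string alone)."""
    sels = parse_keys_spec(init_string)
    return len(sels) == 1 and (sels[0]["LABEL"] is not None or sels[0]["DEFAULT"])
```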



AUTHORS

       SSH Communications Security Corp.

       For more information, see http://www.ssh.com.



SEE ALSO

       ssh-certd(8),   ssh2(1),   sshd2(8),  ssh_certd_config(5),
       ssh2_config(5), sshd2_config(5).
