Your browser does not allow storing cookies. We recommend enabling them.

SSH Tectia 
PreviousNextUp[Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server for IBM z/OS >>
    Using SSH Tectia Server for IBM z/OS >>
    Configuring the Server >>
    Configuring the Client >>
    Authentication >>
        Using the z/OS System Authorization Facility
        Server Authentication with Public Keys in File >>
        Server Authentication with Certificates >>
        User Authentication with Passwords
        User Authentication with Public Keys in File >>
            Using Public-Key Authentication from z/OS Client
            Using Public-Key Authentication from Windows Client to z/OS Server
            Using Public-Key Authentication from Unix Client to z/OS Server
            z/OS Server Configuration
            Optional Configuration Settings
        User Authentication with Certificates >>
        Host-Based User Authentication >>
        User Authentication with Keyboard-Interactive >>
    Troubleshooting SSH Tectia Server for IBM z/OS >>
    Examples of Use >>
    Man Pages >>
    Log Messages >>

Using Public-Key Authentication from z/OS Client

All commands in this section are shown using the SSH Tectia z/OS client. Server-side configuration can also be done by logging in to the remote server and entering the commands locally.

To set up user public-key authentication from a z/OS Client, do the following steps:

  1. Create a key pair by executing ssh-keygen2 on the z/OS client host.

    By default, ssh-keygen2 creates a 2048-bit DSA key pair. RSA keys can be generated by specifying the -t rsa option. Key length can be specified with the -b option. For non-interactive use, the key can be generated without a passphrase with the -P option.

    > /usr/lpp/ssh2/bin/ssh-keygen2 -t rsa -b 1024 -P $HOME/.ssh2/mf_key
    Generating 1024-bit rsa key pair
       2 oOo.oOo.oOo.
    Key generated.
    1024-bit rsa, TESTUSER@ZOS, Tue Jul 11 2006 01:45:06 -0600
    Private key saved to /u/TESTUSER/.ssh2/mf_key
    Public key saved to /u/TESTUSER/.ssh2/

    If the -P option is not used, ssh-keygen2 asks for a passphrase for the new key.

    ssh-keygen2 stores your new authentication key pair in two separate files. One of the keys is your private key which must never be made available to anyone but yourself.

    In the example above, the private key file is mf_key. The other file is your public key, which can be distributed to other computers.

    For more information on the ssh-keygen2 options, see the ssh-keygen2 man page (Appendix ssh-keygen2).

  2. Create an identification file in your $HOME/.ssh2 directory on the z/OS Client, for example:
    > cd $HOME/.ssh2
    > echo "IdKey mf_key" >> identification
    > cat identification 
    IdKey mf_key
    You now have an identification file that consists of one line that denotes the file containing your identification (your private key). For special applications, you can create multiple identifications by executing ssh-keygen2 again. However, this is not usually needed.
  3. Create a .ssh2 or .ssh directory on Server (if it does not exist already).
    • If the remote host is running SSH Tectia Server on Unix or z/OS :
      $ ssh2 testuser@tectia_server mkdir .ssh2
    • If the remote host is running SSH Tectia Server on Windows:
      $ ssh2 testuser@tectia_win_server "cmd /c mkdir .ssh2"
    • If the remote host is running OpenSSH on Unix or z/OS:
      $ ssh2 testuser@openssh_server mkdir .ssh
  4. Copy your public key to Server.
    • Keys created with z/OS ssh-keygen2 are stored in the EBCDIC format. When the public key is transferred to a Unix or Windows server, it must be converted to the ASCII format.
      $ scp2 /ftadv:C=ISO8859-1,D=IBM-1047,X=TEXT/ \
      $ scp2 /ftadv:C=ISO8859-1,D=IBM-1047,X=TEXT/ \ 
    • If public-key authentication is configured between mainframe servers, conversion is not needed. To ensure that key stays in EBCDIC format, binary file transfer should be used.
      $ scp2 /ftadv:X=BIN/ 
      $ scp2 /ftadv:X=BIN/ testuser@openssh_server:.ssh
  5. Create an authorization or authorized_keys file on Server.
    • If the remote host is running SSH Tectia Server, the key entry needs to be added to authorization file.
      $ ssh2 testuser@tectia_unix_server "echo Key >> \
      $ ssh2 testuser@tectia_win_server "cmd /c echo Key >> \
    • If the remote host is running OpenSSH, the key has to be converted to the OpenSSH key format and concatenated to the authorized_keys file.
      $ ssh2 testuser@open_server "ssh-keygen -I -f .ssh/ >> \
  6. Make sure the AllowedAuthentications keyword in the /etc/ssh2/ssh2_config (or $HOME/.ssh2/ssh2_config) file on the z/OS client contains the argument publickey:

    AllowedAuthentications   publickey 

    Other authentication methods can be listed in the configuration file as well.

PreviousNextUp[Contents] [Index]

[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2006 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice


Highlights from the SSH.COM blog:

  • Cryptomining with the SSH protocol: what big enterprises need to know about it

    Cryptomining malware is primarily thought of as targeting desktops and laptops and is used to hijack system resources to mine cryptocurrency.
    Read more
  • SLAM the door shut on traditional privileged access management

    Did you know that something as trivial-sounding as granting access for your developers or third parties to a product development environment can throw a gorilla-sized monkey wrench into your operations and productivity?
    Read more
  • We broke the IT security perimeter

    Everyone understands the concept of a security perimeter. You only gain access if you are identified and authorized to do so.
    Read more