Your browser does not support HTML5 local storage or you have disabled it. Some functionality on this site, including saving your privacy settings and offering you special discounts, uses local storage and may not work with local storage disabled. We recommend allowing the use of local storage in your browser. In some browsers, it is the same setting used for disabling cookies.
When a user connects to a server using host-based authentication, it must prove that it has proper client host credentials (host private key, host public key, and/or host certificate). As the client itself (ssh2) cannot access host private key there is separate binary (ssh-signer2) that has sufficient permissions for private key operations. ssh-signer2 reads default server configuration file, /etc/ssh2/sshd2_config.
Host-based authentication can be enabled either by using traditional public keys or by using certificates. In SSH Tectia Server for IBM z/OS, the host public key and/or certificate must be stored in software (ssh-signer2 cannot access it from SAF).
Traditional Public Keys Stored in File
To enable host-based authentication with traditional public keys on the client, do the following steps as ClientUser:
Generate a host key. By default, /etc/ssh2/hostkey and /etc/ssh2/hostkey.pub are generated during installation, so you can skip this step. Otherwise, give the following command:
Change the DefaultDomain keyword in the ssh2_config file to reflect your fully qualified domain:
Setting this is mandatory if the HostbasedAuthForceClientHostnameDNSMatch keyword in the /etc/ssh2/sshd2_config file on Server has been set to yes. But even if HostbasedAuthForceClientHostnameDNSMatch is not used, the DefaultDomain keyword is useful, for example, on AIX and Solaris, which report only the short hostname by default.
For more information on the configuration file options, see ssh2_config.
Certificates Stored in File
It is possible to use a certificate instead of the traditional public-key pair to authenticate the client host. In SSH Tectia Server for IBM z/OS, the host certificate must be stored in software (ssh-signer2 cannot access it from SAF).
To enable host-based authentication with certificates on the client, do the following steps as ClientUser:
Add the following line in the /etc/ssh2/ssh2_config (or $HOME/.ssh2/ssh2_config) file:
Enroll a certificate for client. See User Authentication with Certificates for more information. The certificate must contain a dns extension which contains the fully qualified domain name (FQDN) of client. Note that the private key associated with the certificate needs to be stored with an empty passphrase.
Define the private key and certificate in sshd2_config on client: