Your browser does not allow this site to store cookies and other data. Some functionality on this site may not work without them. See Privacy Policy for details on how we would use cookies.

SSH Tectia 
PreviousNextUp[Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server for IBM z/OS >>
    Getting Started with SSH Tectia Server for IBM z/OS >>
    Configuring the Server >>
    Configuring the Client >>
    Authentication >>
        Using the z/OS System Authorization Facility
        Server Authentication with Public Keys in File >>
        Server Authentication with Certificates >>
        User Authentication with Passwords
        User Authentication with Public Keys in File >>
            From SSH Tectia Client on z/OS
            From SSH Tectia Client on Windows to SSH Tectia Server on z/OS
            From SSH Tectia Client on Unix to SSH Tectia Server on z/OS
            From OpenSSH Client on Unix to SSH Tectia Server on z/OS
            Settings in SSH Tectia Server on z/OS
        User Authentication with Certificates >>
        Host-Based User Authentication >>
        User Authentication with Keyboard-Interactive >>
        Distributing Public Keys Using the Key Distribution Tool >>
    File Transfer Using SFTP >>
    File Transfer Using Transparent FTP Tunneling >>
    Tunneling on the Command Line >>
    Troubleshooting SSH Tectia Server for IBM z/OS >>
    Advanced Information >>
    Man Pages >>
    Log Messages >>

From SSH Tectia Client on z/OS

All commands in this section are shown using the SSH Tectia Client on z/OS. Server-side configuration can also be done by logging in to the remote server and entering the commands locally.

To set up user public-key authentication from a z/OS Client, do the following steps:

  1. Create a key pair by executing ssh-keygen2 on the z/OS client host.

    By default, ssh-keygen2 creates a 2048-bit DSA key pair. RSA keys can be generated by specifying the -t rsa option. Key length can be specified with the -b option. For non-interactive use, the key can be generated without a passphrase with the -P option.

    > /usr/lpp/ssh2/bin/ssh-keygen2 -t rsa -b 1536 -P $HOME/.ssh2/mf_key
    Generating 1536-bit rsa key pair
       5 oOo.oOo.oOo.
    Key generated.
    1536-bit rsa, USER1@ZOS, Tue Jul 11 2006 01:45:06 -0600
    Private key saved to /u/USER1/.ssh2/mf_key
    Public key saved to /u/USER1/.ssh2/mf_key.pub
    

    If the -P option is not used, ssh-keygen2 asks for a passphrase for the new key.

    ssh-keygen2 stores your new authentication key pair in two separate files. One of the keys is your private key which must never be made available to anyone but yourself.

    In the example above, the private key file is mf_key. The other file mf_key.pub is your public key, which can be distributed to other computers.

    For special applications, you can create multiple identifications by executing ssh-keygen2 again. However, this is not usually needed.

    For more information on the ssh-keygen2 options, see the ssh-keygen2 man page (Appendix ssh-keygen2).

  2. Create an identification file in your $HOME/.ssh2 directory on the z/OS Client, for example:
    > cd $HOME/.ssh2
    > echo "IdKey mf_key" >> identification
    
    You now have an identification file that consists of one line that denotes the file containing your identification (your private key).
    IdKey mf_key
    
    The identification file can contain several key IDs. For more information on the syntax of the identification file, see the ssh2 man page (Appendix ssh2).
  3. Connect to Server using some other authentication method and create a .ssh2 or .ssh directory (if it does not exist already). Depending on the server version, run the following command:
    • If the remote host is running SSH Tectia Server on Unix or z/OS:
      $ ssh2 user1@tectia_server mkdir .ssh2
      
    • If the remote host is running SSH Tectia Server on Windows:
      $ ssh2 user1@tectia_win "cmd /c mkdir .ssh2"
      
    • If the remote host is running OpenSSH on Unix or z/OS:
      $ ssh2 user1@openssh_server mkdir .ssh
      
  4. Copy your public key to Server. Keys created with z/OS ssh-keygen2 are stored in the EBCDIC format. When the public key is transferred to a Unix or Windows server, it must be converted to the ASCII format. If public-key authentication is configured between mainframe servers, conversion is not needed. To ensure that key stays in EBCDIC format, binary file transfer should be used. Depending on the server version, run the following command:
    • If the remote host is running SSH Tectia Server on Unix or Windows:
      $ scp2 /ftadv:C=ISO8859-1,D=IBM-1047,X=TEXT/mf_key.pub \
      user1@tectia_server:.ssh2/
      
    • If the remote host is running OpenSSH on Unix:
      $ scp2 /ftadv:C=ISO8859-1,D=IBM-1047,X=TEXT/mf_key.pub \ 
      user1@openssh_unix:.ssh/
      
    • If the remote host is running SSH Tectia Server on z/OS:
      $ scp2 /ftadv:X=BIN/mf_key.pub user1@tectia_zos:/ftadv:X=BIN/.ssh2/
      
    • If the remote host is running OpenSSH on z/OS:
      $ scp2 /ftadv:X=BIN/mf_key.pub user1@openssh_zos:.ssh
      
  5. Create an authorization or authorized_keys file on Server. Depending on the server version, do the following:
    • If the remote host is running SSH Tectia Server on Unix, add the key entry to an authorization file:
      $ ssh2 user1@tectia_unix "echo Key mf_key.pub >> \
      .ssh2/authorization"
      
    • If the remote host is running SSH Tectia Server on Windows, add the key entry to an authorization file:
      $ ssh2 user1@tectia_win "cmd /c echo Key mf_key.pub >> \
      .ssh2/authorization"
      
    • If the remote host is running OpenSSH on Unix or z/OS, convert the key to the OpenSSH key format and concatenate it to the authorized_keys file:
      $ ssh2 user1@openssh_server "ssh-keygen -i -f .ssh/mf_key.pub >> \
      .ssh/authorized_keys"
      
  6. Make sure the AllowedAuthentications keyword in the /etc/ssh2/ssh2_config (or $HOME/.ssh2/ssh2_config) file on the z/OS client contains the argument publickey:

    AllowedAuthentications   publickey 
    

    Other authentication methods can be listed in the configuration file as well.

Using Keys Generated with OpenSSH

SSH Tectia Client on z/OS can use keys generated with OpenSSH. The OpenSSH keys can be configured the same way as described above in steps 2-5 for keys generated with ssh-keygen2.

As an alternative to step 2, OpenSSH private keys can be specified using the IdentityKeyFile option in the ssh2_config file or with the -K option on the command line.

If the user has an existing OpenSSH authorized_keys file on the server, the ssh-keygen2 tool can be used to import the OpenSSH authorized_keys file and to configure the authorization file, for example:

SERVER> ssh-keygen2 --import-ssh1-authorized-key 
$HOME/.ssh/authorized_keys $HOME/.ssh2/authorization

Imported key /home/user/.ssh/authorized_keys:1 to 
/home/user/imported-437b1a07-1.pub and added to authorization file 
/home/user/.ssh2/authorization
Imported key /home/user/.ssh/authorized_keys:2 to 
/home/user/imported-437b1a07-2.pub and added to authorization file 
/home/user/.ssh2/authorization

For more information on the ssh-keygen2 options, see the ssh-keygen2 man page (Appendix ssh-keygen2).

Alternatively, the administrator of SSH Tectia Server may enable AuthorizedKeysFile in the server configuration file /etc/ssh2/sshd2_config, for example as follows:

AuthorizedKeysFile %D/.ssh/authorized_keys

SSH Tectia Server will check the defined AuthorizedKeysFile in addition to the user's AuthorizationFile (by default authorization). Note that the AuthorizationFile has precedence over AuthorizedKeysFile if the same key is defined in both.

PreviousNextUp[Contents] [Index]


[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2007 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice

===AUTO_SCHEMA_MARKUP===