Your browser does not allow this site to store cookies and other data. Some functionality on this site may not work without them. See Privacy Policy for details on how we would use cookies.

SSH Tectia 
PreviousNextUp[Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server for IBM z/OS >>
    Getting Started with SSH Tectia Server for IBM z/OS >>
    Setting up Non-Interactive Server and User Authentication >>
        Key Distribution Tool
        Authenticating Remote Server Hosts
            Distributing Remote Server Keys
        Using Password for User Authentication
        Using Public Key for User Authentication >>
    Setting up Non-Interactive File Transfer >>

Distributing Remote Server Keys

The SSH Tectia clients on the mainframe must have the remote server public keys or public key hash values available in order to authenticate the remote server they are connecting to. The keys or key hash values can be stored in the mainframe user's $HOME/.ssh2/hostkeys directory or in the /etc/ssh2/hostkeys directory which is common for all the users. The key distribution tool can be used to retrieve multiple remote host keys and store the keys or key hash values to user's host key directory. Separate steps are needed if the administrator wants to store these key hash values also to system-wide key store that is available for all the users.

For more information about using the system-wide key store, see SSH Tectia Server for IBM z/OS Administrator Manual.

Examples of Fetching Remote Server Keys

The following examples illustrate using ssh-keydist2 for fetching remote server host keys.

Caution: When ssh-keydist2 is run with the -N option, it accepts the received host keys automatically without prompting the user. You should verify the validity of keys after receiving them or you risk being subject to a man-in-the-middle attack. To be able to verify the keys, you should use the plain host key storage format. See Section Authenticating Remote Server Hosts for more information.

Example 1: Using USS

This example is run under USS shell. Multiple host keys are fetched in verbose mode and saved under $HOME/.ssh2/hostkeys and the log is stored under /tmp:

> ssh-keydist2 -v -N -A /tmp/newhosts.log host1 host2 host3 host4

Example 2: Using JCL

This example HOSTSAVE from SAMPLIB presents a JCL script that does the same steps as the USS command in Example 1 above:

//HOSTSAVE EXEC PGM=IKJEFT1A,
//             REGION=0M
//SYSTSPRT DD  SYSOUT=*
//STDOUT   DD  PATH='/tmp/&SYSUID.-KEYDIST.out',
//             PATHOPTS=(OWRONLY,OCREAT,OTRUNC),
//             PATHMODE=(SIRUSR,SIWUSR)
//STDERR   DD  PATH='/tmp/&SYSUID.-KEYDIST.err',
//             PATHOPTS=(OWRONLY,OCREAT,OTRUNC),
//             PATHMODE=(SIRUSR,SIWUSR)
//STDENV   DD  DSN=&SYSUID..SSZ.SRVR542.PARMLIB(SSHENV),
//             DISP=SHR
//SYSTSIN  DD  *
  BPXBATCH SH  /usr/lpp/ssh2/bin/ssh-keydist2 +
               -v -N -A /tmp/newhosts.log +
               host1 host2 host3 host4
/*
//*
//PROUT   EXEC PGM=IKJEFT1A,
//             PARM='OCOPY INDD(STDOUT) OUTDD(STDOUTPR) TEXT'
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  DUMMY
//STDOUT   DD  PATH='/tmp/&SYSUID.-HOSTSAVE.out',
//             PATHOPTS=(ORDONLY),
//             PATHDISP=(DELETE,KEEP),
//             PATHMODE=(SIRUSR,SIWUSR)
//STDOUTPR DD  SYSOUT=*,
//             DCB=(LRECL=4000,RECFM=VB)
//*
//PRERR   EXEC PGM=IKJEFT1A,
//             PARM='OCOPY INDD(STDERR) OUTDD(STDERRPR) TEXT'
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  DUMMY
//STDERR   DD  PATH='/tmp/&SYSUID.-HOSTSAVE.err',
//             PATHOPTS=(ORDONLY),
//             PATHDISP=(DELETE,KEEP),
//             PATHMODE=(SIRUSR,SIWUSR)
//STDERRPR DD  SYSOUT=*,
//             DCB=(LRECL=4000,RECFM=VB)
//*

Example 3: Using Host List under USS

In this example, host keys are fetched using a host list file.

The format of the host list file is as follows:

userid1/host1.example.com
userid2/host2.example.com
userid3/host3.example.com

The command is as follows:

> ssh-keydist2 -N -A /tmp/newhosts.log -H /home/userid/hostlist.txt

PreviousNextUp[Contents] [Index]


[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2007 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice

===AUTO_SCHEMA_MARKUP===