Your browser does not allow this site to store cookies and other data. Some functionality on this site may not work without them. See Privacy Policy for details on how we would use cookies.
This site uses cookies and collects data about visitor interaction for improving user experience, identifying returning visitors, and providing personalized offers. Your continued use of this site indicates your consent to this. See Privacy Policy for details or if you wish to disable cookies.

SSH Tectia 
PreviousNextUp[Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server for IBM z/OS >>
    Getting Started with SSH Tectia Server for IBM z/OS >>
    Setting up Non-Interactive Server and User Authentication >>
        Key Distribution Tool
        Authenticating Remote Server Hosts
            Fetching Remote Server Keys
        Using Password for User Authentication
        Using Public Key for User Authentication >>
    Setting up Non-Interactive Secure File Transfer >>

Authenticating Remote Server Hosts

Remote Secure Shell servers are authenticated by a public-key procedure. The user checks the fingerprint of the remote server's public key. When the user has approved the public key, it is stored in the user's $HOME/.ssh2/hostkeys directory and will be used automatically thereafter.

The verification step normally requires user interaction, so even for users that are set up to run client programs unattended, the first connection must be done by a person who logs in as the user, accesses the remote server, and goes through the fingerprint check dialog. The same steps must be repeated if the remote host's key is changed.

Caution: When ssh-keydist2 is run with the -a or -N options, it accepts the received host keys automatically without prompting the user. You should verify the validity of keys after receiving them or you risk being subject to a man-in-the-middle attack. To be able to verify the keys, you should use the plain host key storage format. See below.

When the host key is received during the first connection to a remote host (or when the host key has changed) and you choose to save the key, its filename is by default stored in hashed format, keys_hhh..., where hhh is a hash of the host port and name. The saved file contains a hash of the host's public key. A salt is included in the hash calculations. The value of the salt is stored in the file salt in the same directory as the host keys ($HOME/.ssh2/hostkeys). The hashed host key format is a security feature to make address harvesting on the hosts difficult.

In the plain (traditional) format, the name of a host key file includes the hosts's name and port, as in key_22_host.example.com.pub, and the file contains the host's public key in plaintext format.

The storage format can be controlled with the HostKeyFormat option of the ssh2_config configuration file. The argument must be plain or hashed (default). 

HostKeyFormat              plain

When keys are obtained using the ssh-keydist2 tool, the -F option can be used on the command line to specify the key storage format. The command-line option takes precedence over the setting in the configuration file.

You can display the fingerprint of a received host key by running the following command: 

> ssh-keygen2 -F $HOME/.ssh2/hostkeys/key_<port>_<host>.pub

Fetching Remote Server Keys

PreviousNextUp[Contents] [Index]

[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2007 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice

===AUTO_SCHEMA_MARKUP===