The user's public keys are located in the user's $HOME/.ssh2 directory on the server.
The batch user accesses the remote machine using an account on the remote machine. The remote user name may either be the same as or different from the batch user's RACF user ID.
Each batch user's public key must be distributed to all the remote accounts. The way the public key is set up differs between Tectia and OpenSSH-based products.
ssh-keydist-g3 uses password authentication for this initial access to the remote server. You can store the password for the remote account in a data set as follows:
Allocate a data set or a data set member. For example:
The data set must only be accessible to the user executing the JCL.
Put the user password in the data set. For example:
Use the sample JCL KEYDIST (shown below) from /opt/tectia/doc/zOS/SAMPLIB to distribute user keys. Edit the JCL to suit your needs. The example assumes that the server host key has already been fetched and verified. You can consult the Tectia Server for IBM z/OS User Manual for an explanation of all the available options for the ssh-keydist-g3 command.
KEYDIST must be run under the batch user's user ID in order for the file permissions to be set properly.
//KEYDIST EXEC PGM=BPXBATSL,REGION=0M,TIME=NOLIMIT
//STDPARM DD *
PGM /opt/tectia/bin/ssh-keydist-g3
 -t rsa -b 1024 -P
 -u userid -p //'USERID.PASSWD'
 -U /tmp/my_log_file
 -O host1.example.com
//STDENV DD DSN=&SYSUID..SSZ.SRVR648.PARMLIB(SSHENV),DISP=SHR
//STDOUT DD SYSOUT=*
//STDERR DD SYSOUT=*
//STDIN DD DUMMY
//
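The sample JCL passes -t rsa -b 1024 and targets an OpenSSH host with -O. As an added example (not Tectia code and not part of the original page), the following Python check parses the text of an OpenSSH authorized_keys file from the remote account and reports RSA keys whose modulus is below a minimum size. It assumes the distributed key ends up as a standard authorized_keys line; the 2048-bit threshold, the function names and the sample keys are constructed for the example.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # assumed policy threshold; the page's sample JCL uses -b 1024

def read_string(blob, off):
    """Read one SSH wire-format string: uint32 length, then that many bytes."""
    (length,) = struct.unpack_from(">I", blob, off)  # struct.error if truncated
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[off + 4:end], end

def rsa_bits(b64_blob):
    """Modulus size in bits of an ssh-rsa blob, or None for another key type."""
    blob = base64.b64decode(b64_blob, validate=True)
    key_type, off = read_string(blob, 0)
    if key_type != b"ssh-rsa":
        return None
    _exponent, off = read_string(blob, off)
    modulus, _ = read_string(blob, off)
    return int.from_bytes(modulus, "big").bit_length()

def audit_authorized_keys(text, min_bits=MIN_RSA_BITS):
    """Return (line_no, comment, bits) per RSA key below min_bits (0 = unparseable)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#") or "ssh-rsa" not in fields[:-1]:
            continue  # blank line, comment, or not an RSA key
        idx = fields.index("ssh-rsa")  # key options may precede the key type
        try:
            bits = rsa_bits(fields[idx + 1])
        except (ValueError, struct.error):  # bad base64 or truncated blob
            bits = 0
        if bits is not None and bits < min_bits:
            findings.append((line_no, " ".join(fields[idx + 2:]), bits))
    return findings

def make_blob(bits):  # constructed, non-functional ssh-rsa blob for the sample
    pack = lambda b: struct.pack(">I", len(b)) + b
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")  # mpint
    return base64.b64encode(pack(b"ssh-rsa") + pack(b"\x01\x00\x01") + pack(n)).decode()

SAMPLE = "\n".join([  # constructed authorized_keys content, not real keys
    f"ssh-rsa {make_blob(1024)} batchuser@zos",
    f'from="192.0.2.10" ssh-rsa {make_blob(2048)} admin@host1',
    "ssh-ed25519 CONSTRUCTED-PLACEHOLDER other@host1",
])
```

Calling audit_authorized_keys(SAMPLE) flags only the first line, the 1024-bit key; on a real host, pass it the contents of the remote account's authorized_keys file.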
In KEYDIST above, the -O option is used to connect to an OpenSSH server running on a Unix host. Use the following ssh-keydist-g3 options when connecting to Tectia Server on different platforms: