

User Authentication with Public Keys

The user's public keys are located in the user's $HOME/.ssh2 directory on the server.

The batch user accesses the remote machine using an account on the remote machine. The remote user name may either be the same as or different from the batch user's RACF user ID.

Each batch user's public key must be distributed to all the remote accounts. The way the public key is set up differs between Tectia and OpenSSH-based products.

ssh-keydist-g3 uses password authentication for this initial access to the remote server. You can store the password for the remote account in a data set as follows:

  1. Allocate a data set or a data set member. For example:

  2. The data set must be accessible only to the user executing the JCL.

  3. Put the user password in the data set. For example:


Use the sample JCL KEYDIST (shown below) from <HLQ>.V650.SAMPLIB to distribute user keys. Edit the JCL to suit your needs. The example assumes that the server host key has already been fetched and verified. You can consult the Tectia Server for IBM z/OS User Manual for an explanation of all the available options for the ssh-keydist-g3 command.

Note that KEYDIST must be run under the batch user's user ID in order for the file permissions to be set properly.


PGM /opt/tectia/bin/ssh-keydist-g3
-t rsa -b 1024 -P
-u userid -p //'USERID.PASSWD'
-U /tmp/my_log_file
-O

The options used in the sample are:

  • -t rsa -b 1024: Create a new 1024-bit RSA keypair.

  • -P: Use an empty passphrase.

  • -u userid: The user name specified here will be used.

  • -p //'USERID.PASSWD': Use a password stored in a data set. Replace //'USERID.PASSWD' with the name of your password data set.

  • -U /tmp/my_log_file: A log file will be written to the (non-default) location specified here.

  • -O: Connect to a Unix host running OpenSSH. Replace with your host.

In KEYDIST above, the -O option is used to connect to an OpenSSH server running on a Unix host. Use the following ssh-keydist-g3 options when connecting to Tectia Server on different platforms:

  • z/OS: -Z

  • Unix: -S

  • Windows: -W
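
The note above says KEYDIST must run under the batch user's user ID so that file permissions are set properly. The following check is an added example, not part of the Tectia sample library, that verifies this afterwards. It assumes the key files are in the $HOME/.ssh2 directory and that any file not ending in .pub is private material; the function names and finding labels are hypothetical.

```sh
#!/bin/sh
# Added example (not vendor code): audit a .ssh2 key directory after key distribution.
# Assumption: every regular file not ending in .pub is treated as private key material.

# Print "<mode string> <numeric owner uid>" for a path, e.g. "-rw------- 1001".
mode_and_uid() {
    ls -ldn "$1" | awk '{ print substr($1, 1, 10), $3 }'
}

# audit_ssh2_dir DIR [UID]: print one finding per line; return 0 only if clean.
audit_ssh2_dir() {
    dir=$1
    want_uid=${2:-$(id -u)}
    rc=0
    [ -d "$dir" ] || { echo "MISSING_DIR $dir"; return 1; }
    for f in "$dir" "$dir"/*; do
        # Check the directory itself and the regular files directly inside it.
        [ "$f" = "$dir" ] || [ -f "$f" ] || continue
        set -- $(mode_and_uid "$f")
        mode=$1 uid=$2
        # Files owned by another ID are what a run under the wrong user ID leaves behind.
        [ "$uid" = "$want_uid" ] || { echo "WRONG_OWNER $f (uid $uid)"; rc=1; }
        # Nobody but the owner may modify the directory or any key file.
        case $mode in
            ?????w*|????????w*) echo "GROUP_OR_WORLD_WRITABLE $f ($mode)"; rc=1 ;;
        esac
        # Private material must carry no group or other permission bits at all.
        case $f in
            "$dir"|*.pub) ;;
            *) case $mode in
                   ????------) ;;
                   *) echo "PRIVATE_FILE_EXPOSED $f ($mode)"; rc=1 ;;
               esac ;;
        esac
    done
    return $rc
}
```

Run audit_ssh2_dir "$HOME/.ssh2" as the batch user once KEYDIST has completed; a non-zero return code means at least one finding was printed.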



