In addition to the standard IETF SecSh keys used by SSH Tectia, SSH Tectia Server for IBM z/OS accepts OpenSSH public keys for user authentication. For more information on OpenSSH configuration, see OpenSSH documentation.
To enable public-key authentication from OpenSSH client on Unix to SSH Tectia Server on z/OS:
Create a key pair using
ssh-keygen, for example:
$ ssh-keygen -t rsa -b 1536 Generating public/private rsa key pair. Enter file in which to save the key (/home/ClientUser/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/ClientUser/.ssh/id_rsa. Your public key has been saved in /home/ClientUser/.ssh/id_rsa.pub. The key fingerprint is: ca:3a:5d:a7:58:9c:45:e1:4d:e3:42:e4:bc:77 ClientUser@open.example.com
To create the key without a passphrase, hit enter when prompted to enter the passphrase.
When the is created with a default file name (
id_rsa), it is automatically used in public-key authentication attempts.
.ssh2directory on the z/OS Server (if it does not exist already):
$ ssh ServerUser@Server_zos mkdir .ssh2
Copy your public key to the remote z/OS Server using
$ sftp ServerUser@Server_zos sftp> put id_rsa.pub /ftadv:C=ISO8859-1,D=IBM-1047,X=TEXT/.ssh2/id_rsa.pub
authorizationfile on the remote z/OS Server.
$ ssh ServerUser@Server_zos "echo Key id_rsa.pub >> .ssh2/authorization"
Make sure that public-key authentication is allowed in the OpenSSH client configuration on
Client(it is allowed by default).