Tectia client tools for z/OS must have the remote server public keys or public key hash values available in order to authenticate the remote server they are connecting to. The keys or key hash values can be stored in the mainframe user's
$HOME/.ssh2/hostkeys directory or in the
/opt/tectia/etc/hostkeys directory which is common for all the users. The key distribution tool can be used to retrieve multiple remote host keys and store the keys or key hash values to the user's host key directory or to the system-wide key store that is available for all the users.
For more information about hashed host key format, see Host Key Storage Formats.
The following examples illustrate using ssh-keydist-g3 for fetching remote server host keys.
When ssh-keydist-g3 is run with the
This example is run under the USS shell. Multiple host keys are fetched in verbose mode and saved in plain format under the user's
$HOME/.ssh2/hostkeys directory. The host keys are also saved using the IP addresses of the hosts. The log is stored under
/tmp. The log will list the accepted keys and their fingerprints. You should verify them after running the command.
$ ssh-keydist-g3 --verbose --accept-host-keys --accept-host-keys-also-by-ip \ --accepted-host-key-filename-format plain \ --accepted-host-key-log /tmp/newhosts.log \ host1 host2 host3
/opt/tectia/doc/zOS/SAMPLIB presents a JCL script that does the same steps as the USS command in Example 1 above (the options are given in short format):
//HOSTSAV EXEC PGM=BPXBATSL,REGION=0M,TIME=NOLIMIT //STDPARM DD * PGM /opt/tectia/bin/ssh-keydist-g3 -v -N -F plain -i -A /tmp/newhosts.log host1 host2 host3 //STDENV DD DSN=&SYSUID..SSZ.SRVR648.PARMLIB(SSHENV),DISP=SHR //STDOUT DD SYSOUT=* //STDERR DD SYSOUT=* //STDIN DD DUMMY //*
If the fetching of host keys fails, make sure you have the environment variable