Public-key authentication is based on the use of digital signatures. Each user creates a pair of key files. One of these key files is the user's public key, and the other is the user's private key. The server knows the user's public key, and only the user has the private key.
The key files must be stored in a location where the user has write rights (and read rights), but that is not accessible to others. These user-specific rights are required for the key.pub file, the authorized_keys directory, and for the authorization file, if used.
When the user tries to authenticate, the client sends a signature to the server, and the server checks for matching public keys. If the key is protected with a passphrase, the server requests the user to enter the passphrase.
Do not store your private keys in a location accessible to other users.
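The rights requirement above can be verified before enabling public-key authentication. The following shell check is an added example, not part of the Tectia documentation; it assumes the key directory is $HOME/.ssh2 (pass another path as the first argument) and flags any entry that is not owned by the current user or that grants group or other access.

```shell
#!/bin/sh
# Added example (not from the Tectia documentation): verify that the files
# public-key authentication relies on (key files, the authorized_keys
# directory, the optional authorization file) are private to the user.
# The $HOME/.ssh2 default is an assumption; pass a different directory.

# Print the 10-character permission string of a path, e.g. drwx------.
perm_string() {
  ls -ld "$1" | cut -c1-10
}

# Print the owner of a path as shown by ls (field 3).
owner_of() {
  ls -ld "$1" | awk '{ print $3 }'
}

# Return 0 if the path exists, is owned by the calling user and has no
# group or other permission bits set; print a reason and return 1 otherwise.
check_private() {
  path=$1
  if [ ! -e "$path" ]; then
    echo "MISSING   $path"; return 1
  fi
  if [ "$(owner_of "$path")" != "$(id -un)" ]; then
    echo "NOT-OWNER $path"; return 1
  fi
  perms=$(perm_string "$path")
  # Characters 5-10 are the group and other bits; all must be '-'.
  case "${perms#????}" in
    ------) echo "OK        $path ($perms)"; return 0 ;;
    *)      echo "EXPOSED   $path ($perms)"; return 1 ;;
  esac
}

# Check the key directory itself and every entry directly inside it.
# Returns non-zero if any entry fails.
check_ssh2_dir() {
  dir=${1:-$HOME/.ssh2}
  rc=0
  check_private "$dir" || rc=1
  for f in "$dir"/*; do
    [ -e "$f" ] || continue
    check_private "$f" || rc=1
  done
  return $rc
}
```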
To use public-key authentication with Tectia client tools for z/OS, do the following actions:
For instructions on using public-key authentication to connect from other hosts to Tectia Server for IBM z/OS, see Using Public-Key Authentication from Other Hosts to z/OS.
In the instructions in the following sections:
Server is the remote host running the Secure Shell server that you are trying to connect to.
ServerUser is the user name on Server that you are logging in as.
Client is the host running the Secure Shell client (Tectia client tools for z/OS).
ClientUser is the user name on Client that should be allowed to log in to
The instructions assume that ClientUser is allowed to log in to ServerUser using some other authentication method (usually password).