SSH Tectia

Uploading the Public Key Manually

To enable public-key authentication with your key pair:

  1. (Optional) Create an identification file.

    Create a file called identification, on Unix in your $HOME/.ssh2 directory, or on Windows in your "%USERPROFILE%\Application Data\SSH" directory.

    Edit it with your favorite text editor to include the following line (replace id_dsa_2048_a with the filename of the private key):

    IdKey       id_dsa_2048_a
    

    The keys are assumed to be in the same directory with the identification file, but also an absolute or a relative path can be given. For example, on Windows:

    IdKey       UserKeys\id_dsa_2048_a
    

    For more information on the syntax of the identification file, see $HOME/.ssh2/identification.

  2. Place your keys in a directory where the Connection Broker can locate them.

    With SSH Tectia Client 5.x, using the identification file is not necessary if all your keys are stored in the default directory and you allow all of them to be used for public-key and/or certificate authentication. If the identification file does not exist, the Connection Broker attempts to use each key found in the $HOME/.ssh2 directory on Unix, or in the "%USERPROFILE%\Application Data\SSH\UserKeys" and "%USERPROFILE%\Application Data\SSH\UserCertificates" directories on Windows. If the identification file exists, the keys listed in it are attempted first.

    On Windows, you can also add other directory locations for keys on the Keys and Certificates page of the SSH Tectia Configuration tool. See Managing Keys and Certificates. On Unix, you can use the key-store element in the ssh-broker-config.xml file. See the section called “Key Store Configuration Examples”.

  3. Connect to Server using some other authentication method and upload the public key.

    Depending on the server version, do the following:

    • With SSH Tectia Server 5.x on Unix and Windows, use SCP to upload your public key to the server, to your authorized_keys directory (by default $HOME/.ssh2/authorized_keys on Unix servers, or %USERPROFILE%\.ssh2\authorized_keys on Windows servers):

      $ scpg3 id_dsa_2048_a.pub ServerUser@5xServer:.ssh2/authorized_keys/
      
      An authorization file may be optionally used with SSH Tectia Server 5.x on Unix and Windows. See instructions for creating the file below in the SSH Tectia Server 4.x information.
    • SSH Tectia Server 4.x (or older) requires an authorization file stored in your .ssh2 directory. The authorization file specifies the public keys that are authorized for login.

      Use SCP to upload your public key to the server (by default to the $HOME/.ssh2 directory on Unix and to the %USERPROFILE%\.ssh2 directory on Windows servers) and edit the authorization file:

      $ scpg3 id_dsa_2048_a.pub ServerUser@4xServer:.ssh2/
      

      An example authorization file is shown below (by default $HOME/.ssh2/authorization on Unix and %USERPROFILE%\.ssh2\authorization on Windows servers):

      Key     id_dsa_2048_a.pub
      

      This directs SSH Tectia Server to use id_dsa_2048_a.pub as a valid public key when authorizing your login.

    • With SSH Tectia Server for IBM z/OS 5.x, use SCP to upload your public key to the server (by default to the $HOME/.ssh2 directory) and edit the authorization file. SSH Tectia Server for IBM z/OS 5.x requires an authorization file stored in your .ssh2 directory; the authorization file specifies the public keys that are authorized for login.

      With SSH Tectia Server for IBM z/OS, the public key must be converted to the EBCDIC format. This can be done by using an advisor string in the file transfer command, for example:

      $ scpg3 id_dsa_2048_a.pub ServerUser@zOSServer:/ftadv:C=ISO8859-1,D=IBM-1047,X=TEXT/.ssh2/
      

      An example authorization file is shown below (by default $HOME/.ssh2/authorization on SSH Tectia Server for IBM z/OS servers):

      Key     id_dsa_2048_a.pub
      
    • With OpenSSH server, use SCP to upload your public key to the server, to your $HOME/.ssh directory:

      $ scpg3 id_dsa_2048_a.pub ServerUser@OpenServer:.ssh/
      

      The OpenSSH server requires that the public key be converted to the OpenSSH public-key file format. Convert the key on the server and append the result to your ~/.ssh/authorized_keys file, for example with the following command:

      $ sshg3 ServerUser@OpenServer "ssh-keygen -i -f id_dsa_2048_a.pub >> .ssh/authorized_keys"
      
  4. Make sure that public-key authentication is allowed in the ssh-broker-config.xml file (it is allowed by default). The configuration file should contain an authentication-method element line like the following:

    <authentication-methods>
      <authentication-method name="publickey" />
    ...
    </authentication-methods>
    

    Other authentication methods can be listed in the configuration file as well. Place the least interactive method first.
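
The OpenSSH bullet in step 3 relies on ssh-keygen -i to turn the SSH2 (RFC 4716) .pub file written by SSH Tectia into an authorized_keys line. The following is an added example, not code from SSH Tectia or OpenSSH, showing what that conversion involves: parsing the BEGIN/END markers, folded header lines and base64 body, reading the key type from the wire-format blob, and appending the result to authorized_keys with 0700/0600 permissions and without duplicating an entry. The sample key is constructed inline with toy RSA values and is not a usable key; carrying the Comment header over as the OpenSSH comment field and the list of accepted key types are this example's own choices.

```python
# RFC 4716 (SSH2) public key file -> one OpenSSH authorized_keys line, the job that
# "ssh-keygen -i -f" does on the server.  Added example; not Tectia or OpenSSH code.
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path

SSH2_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
SSH2_END = "---- END SSH2 PUBLIC KEY ----"
# Key types OpenSSH accepts in authorized_keys; a sanity check on the decoded blob.
KNOWN_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def parse_ssh2_public_key(text):
    """Return (headers, blob). Headers are 'Tag: value' lines, continued on the next
    line when they end with a backslash; everything else between the markers is base64."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != SSH2_BEGIN or lines[-1] != SSH2_END:
        raise ValueError("not an RFC 4716 public key file")
    headers, body, i = {}, [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line and not body:                      # ':' never occurs in base64 text
            tag, _, value = line.partition(":")
            value = value.strip()
            while value.endswith("\\") and i < len(lines) - 2:   # folded header line
                i += 1
                value = value[:-1] + lines[i].strip()
            headers[tag.strip().lower()] = value.strip('"')
        else:
            body.append(line.strip())
        i += 1
    try:
        blob = base64.b64decode("".join(body), validate=True)
    except ValueError as exc:                              # binascii.Error is a ValueError
        raise ValueError(f"bad base64 body: {exc}") from None
    return headers, blob

def key_type_from_blob(blob):
    """The wire-format blob starts with a length-prefixed string naming the key type."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or n > len(blob) - 4:
        raise ValueError("corrupt key type field")
    return blob[4:4 + n].decode("ascii")

def to_openssh_line(ssh2_text):
    """RFC 4716 text -> 'type base64 [comment]'; the Comment header is carried over
    as the trailing comment field (this example's choice)."""
    headers, blob = parse_ssh2_public_key(ssh2_text)
    ktype = key_type_from_blob(blob)
    if ktype not in KNOWN_TYPES:
        raise ValueError(f"unsupported key type {ktype!r}")
    line = f"{ktype} {base64.b64encode(blob).decode('ascii')}"
    return line + (" " + headers["comment"] if headers.get("comment") else "")

def append_authorized_key(auth_path, line):
    """Append to authorized_keys, creating the directory (0700) and the file (0600)
    as needed and skipping an entry whose type+blob is already present."""
    auth_path = Path(auth_path)
    auth_path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    new_id = tuple(line.split()[:2])
    existing = auth_path.read_text().splitlines() if auth_path.exists() else []
    if any(tuple(e.split()[:2]) == new_id for e in existing if e.strip() and not e.startswith("#")):
        return False                                       # already authorized
    with open(auth_path, "a") as fh:
        fh.write(line + "\n")
    os.chmod(auth_path, 0o600)
    return True

def _string(b):
    return struct.pack(">I", len(b)) + b

def _mpint(n):                                             # SSH mpint: leading 0x00 keeps it positive
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

# Constructed sample: an ssh-rsa blob with toy e and n (NOT a usable key), wrapped in
# RFC 4716 with a folded Comment header, the shape of a Tectia-generated .pub file.
CONSTRUCTED_BLOB = _string(b"ssh-rsa") + _mpint(65537) + _mpint(int.from_bytes(b"\x9f" * 64, "big"))
CONSTRUCTED_B64 = base64.b64encode(CONSTRUCTED_BLOB).decode("ascii")
CONSTRUCTED_SSH2_TEXT = "\n".join(
    [SSH2_BEGIN, 'Comment: "toy rsa, created by \\', 'ServerUser@example.invalid"']
    + [CONSTRUCTED_B64[i:i + 70] for i in range(0, len(CONSTRUCTED_B64), 70)]
    + [SSH2_END]) + "\n"

def demo_append_twice():
    """Convert the sample and append it twice to a temporary authorized_keys file;
    returns (added_first, added_second, line_count, file_mode)."""
    with tempfile.TemporaryDirectory() as tmp:
        auth = Path(tmp) / ".ssh" / "authorized_keys"
        line = to_openssh_line(CONSTRUCTED_SSH2_TEXT)
        first, second = append_authorized_key(auth, line), append_authorized_key(auth, line)
        return first, second, len(auth.read_text().splitlines()), stat.S_IMODE(auth.stat().st_mode)
```

Running to_openssh_line on a real Tectia .pub file gives the same line ssh-keygen -i prints, plus the comment; the type check on the decoded blob catches a file whose body was mangled in transfer (for example one that went through an EBCDIC conversion it should not have) before it is appended to authorized_keys.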

Assuming Server is configured to allow public-key authentication to your account, you should now be able to log in from Client to Server using public-key authentication.

Try to log in:

Client$ sshg3 Server

You should be prompted for the passphrase of the private key. After you have entered the passphrase, a Secure Shell connection will be established.
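
Which private key the passphrase prompt refers to follows from the lookup rules in steps 1 and 2: IdKey entries are resolved relative to the identification file's directory unless an absolute path is given, and without an identification file every key in the default directory is tried, with listed keys attempted first. The following added example (not SSH Tectia code) implements that resolution against a constructed $HOME/.ssh2 layout and flags listed keys that are missing or readable by other users. Two points are assumptions, not statements from the page: that keys absent from the identification file are still tried after the listed ones, and that a private key is recognised by the .pub file beside it.

```python
# Which private keys the Connection Broker will try, following the lookup rules in
# steps 1 and 2.  Added example for this page; not SSH Tectia code.  Assumptions:
# keys not named in the identification file are tried after the listed ones, and a
# private key is recognised by the ".pub" file next to it.
import os
import stat
import tempfile
from pathlib import Path

def parse_identification(path):
    """IdKey values in file order; other keywords and blank lines are left alone."""
    keys = []
    for raw in Path(path).read_text().splitlines():
        parts = raw.split()
        if len(parts) >= 2 and parts[0] == "IdKey":
            keys.append(parts[1])
    return keys

def candidate_private_keys(ssh2_dir):
    """Ordered list of private-key paths: identification-file entries first (relative
    names resolve against the identification file's directory), then the rest."""
    ssh2_dir = Path(ssh2_dir)
    ident = ssh2_dir / "identification"
    ordered = []
    if ident.is_file():
        for entry in parse_identification(ident):
            p = Path(entry)
            ordered.append(p if p.is_absolute() else ident.parent / p)
    for pub in sorted(ssh2_dir.glob("*.pub")):      # assumption: private key beside its .pub
        priv = pub.with_suffix("")
        if priv.is_file() and priv not in ordered:
            ordered.append(priv)
    return ordered

def key_problems(paths):
    """Flag listed keys that are missing or, on Unix, readable by group/others."""
    problems = []
    for p in paths:
        if not p.is_file():
            problems.append(f"{p.name}: listed in identification but not found")
        elif os.name != "nt":
            mode = stat.S_IMODE(p.stat().st_mode)
            if mode & 0o077:
                problems.append(f"{p.name}: mode {mode:04o} is readable by others")
    return problems

def demo():
    """Constructed .ssh2 layout in a temp dir: two listed keys (one too permissive),
    one listed but missing, one unlisted.  Returns (order, problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "sub").mkdir()
        (d / "identification").write_text(
            "IdKey       id_dsa_2048_a\nIdKey       sub/id_other\nIdKey       id_missing\n")
        for name, mode in (("id_dsa_2048_a", 0o600), ("sub/id_other", 0o644), ("id_extra", 0o600)):
            (d / name).write_text("constructed private key placeholder\n")
            os.chmod(d / name, mode)
            (d / (name + ".pub")).write_text("constructed public key placeholder\n")
        order = candidate_private_keys(d)
        return [p.relative_to(d).as_posix() for p in order], key_problems(order)
```

Pointing candidate_private_keys at the real $HOME/.ssh2 shows the order in which keys would be offered; a key that the server never accepts is often one that is simply not in this list, or one listed under a name that does not resolve.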