All commands in this section are shown using sshg3 and scpg3 from the machine running SSH Tectia ConnectSecure. Server-side configuration can also be done by logging in to the remote server and entering the commands locally.
To enable public-key authentication with your key pair:
Place your keys in a directory where the Connection Broker can locate them.
By default, the Connection Broker attempts to use each key found in the $HOME/.ssh2
directory on Unix, or in the %APPDATA%\SSH\UserKeys
and
%APPDATA%\SSH\UserCertificates
directories on Windows.
On Windows, you can also add other directory locations for
keys on the Keys and Certificates page of the SSH Tectia
Configuration tool. See Managing Keys and Certificates. On Unix, you can use
the general/key-stores/key-store
element in the ssh-broker-config.xml
file. See the section called “Key Store Configuration Examples”.
(Optional) Create an identification file.
Using the identification
file is not necessary if all
your keys are stored in the default directory and you allow all of them to
be used for public-key and/or certificate authentication. If the
identification
file does not exist, the Connection Broker attempts to use
each key found in the default directory. If the identification
file exists, the keys listed in it are attempted first.
Create a file called identification
, on Unix in
your $HOME/.ssh2
directory, or on Windows in your
%APPDATA%\SSH
directory.
Edit it with your favorite text editor to include the following line
(replace id_dsa_2048_a
with the filename of the private key):
IdKey id_dsa_2048_a
The keys are assumed to be in the same directory with the
identification
file, but also an absolute or a relative path
can be given. for example, on Windows:
IdKey UserKeys\id_dsa_2048_a
The identification file can contain several key IDs. For more
information on the syntax of the identification file, see $HOME/.ssh2/identification
.
Connect to Server
using some other
authentication method and create a .ssh2
(and
.ssh2/authorized_keys
), or a .ssh
directory under
your home directory if it does not exist already.
Depending on the server version the remote host is running, run one of the following commands:
SSH Tectia Server on Unix or z/OS:
$ sshg3 ServerUser@tectia_server mkdir .ssh2
If you do not want to use an authorization file on SSH Tectia Server 5.x or
later on Unix, create also the authorized_keys
directory:
$ sshg3 ServerUser@tectia_unix mkdir .ssh2/authorized_keys
SSH Tectia Server on Windows:
$ sshg3 ServerUser@tectia_win "cmd /c mkdir .ssh2"
If you do not want to use an authorization file on SSH Tectia Server 5.x or
later on Windows, create also the authorized_keys
directory:
$ sshg3 ServerUser@tectia_win mkdir "cmd /c mkdir .ssh2/authorized_keys"
OpenSSH server on Unix or z/OS:
$ sshg3 ServerUser@open_server mkdir .ssh
Copy the public key to Server
.
Depending on the server version the remote host is running, do one of the following actions:
SSH Tectia Server 5.x or later on Unix and Windows:
Use SCP to upload your public key to the server, to your
authorized_keys
directory (by default
$HOME/.ssh2/authorized_keys
on Unix servers, or
%USERPROFILE%\.ssh2\authorized_keys
on Windows
servers):
$ scpg3 id_dsa_2048_a.pub ServerUser@tectia_server:.ssh2/authorized_keys/
SSH Tectia Server 4.x on Unix and Windows:
Use SCP to upload your public key to the server (by default to the
$HOME/.ssh2
directory on Unix and to the
%USERPROFILE%\.ssh2
directory on Windows servers):
$ scpg3 id_dsa_2048_a.pub ServerUser@tectia4x_server:.ssh2/
SSH Tectia Server for IBM z/OS:
The public key must be converted to the EBCDIC format.
This can be done by including
the dst-site
command-line options (when using scpg3
),
or the site
commands (when using sftpg3
)
in the file transfer command.
Use SCP to upload your public key to the server (by default to the
$HOME/.ssh2
directory):
$ scpg3 --dst-site="C=ISO8859-1,D=IBM-1047,X=TEXT" id_dsa_2048_a.pub \ ServerUser@tectia_zos:$HOME/.ssh2/
OpenSSH server on Unix:
Use SCP to upload your public key to the server, to your
$HOME/.ssh
directory:
$ scpg3 id_dsa_2048_a.pub ServerUser@open_unix:.ssh/
Create an authorization
or
authorized_keys
file on Server
.
Depending on the server version the remote host is running, do one of the following actions:
SSH Tectia Server 5.x or later on Unix and Windows do not require an
authorization file if the public keys are stored in the user's
authorized_keys
directory. However, an authorization file may
be optionally used. See instructions for creating the file below in the
SSH Tectia Server 4.x information.
SSH Tectia Server 4.x on Unix and Windows and SSH Tectia Server for IBM z/OS require an
authorization
file stored in the user's .ssh2
directory. The authorization file specifies the public keys that are
authorized for login.
Add the key entry to the authorization file. On a Unix or z/OS server:
$ sshg3 ServerUser@tectia_server "echo Key id_dsa_2048_a.pub >> \ .ssh2/authorization"
On a Windows server:
$ sshg3 ServerUser@tectia4x_win "cmd /c echo Key id_dsa_2048_a.pub >> \ .ssh2/authorization"
An example authorization file is shown below (by default
$HOME/.ssh2/authorization
on Unix and z/OS servers, and
%USERPROFILE%\.ssh2\authorization
on Windows servers):
Key id_dsa_2048_a.pub
This directs SSH Tectia Server to use id_dsa_2048_a.pub
as a valid
public key when authorizing your login.
OpenSSH server requires that the public key is
converted to the OpenSSH public-key file format and stored in the
authorized_keys
file in the user's .ssh
directory.
Convert the public key to the OpenSSH public key file format on
the server and append it to your $HOME/.ssh/authorized_keys
file. This can be done with the following command:
$ sshg3 ServerUser@open_server "ssh-keygen -i -f id_dsa_2048_a.pub >> \ .ssh/authorized_keys"
Make sure that public-key authentication is enabled in the
ssh-broker-config.xml
file (it is enabled by default).
<authentication-methods> <auth-publickey /> ... </authentication-methods>
Other authentication methods can be listed in the configuration file as well. Place the least interactive method first.
Assuming Server
is configured to allow public-key
authentication to your account, you should now be able to log in from
Client
to Server
using public-key
authentication.
Try to log in:
Client$ sshg3 Server
You should be prompted for the passphrase of the private key. After you have entered the passphrase, a Secure Shell connection will be established.