Remote Server Keys
The remote Secure Shell servers generate their own host key pairs when the
server software is installed.
The SSH Tectia clients on the mainframe must have the public host keys of the
remote servers available in order to authenticate the server they are
connecting to; without a stored key the client has no way to tell the genuine
server from an impostor. The keys can be stored in the mainframe user's
$HOME/.ssh2/hostkeys directory or in the /etc/ssh2/hostkeys directory, which
is common to all users.
Here it is assumed that the common directory is used. The directory is then
copied to all the mainframe systems that need the keys.
A remote server's public key can be downloaded manually with an initial
interactive connection with Secure Shell. The SSH Tectia client programs on
the mainframe do not allow entering remote passwords in the OMVS shell, so this
connection is most easily made from a Telnet or a Secure Shell session. The
SSH Tectia client program stores the key in the user's $HOME/.ssh2/hostkeys
directory, from where it can be copied to /etc/ssh2/hostkeys. Note that a key
obtained this way is only as trustworthy as that first connection: it is not
verified until its fingerprint has been checked as described below.
An automated method is available for downloading the server keys of a large
number of remote servers. The ssh-hostkey-probe program connects to the remote
machines (their Secure Shell servers must be running) and downloads the keys.
The program reads a file containing the hostnames of the remote machines, one
per line. Note that if a server will be accessed under different names, for
example sometimes by its DNS hostname and sometimes by its IP address, each
name must be entered in the file on its own line, because the client looks up
the stored key by the name it connects to.
The downloaded remote server public keys must be checked before they are
trusted: the download itself authenticates nothing, so a key substituted in
transit would be accepted just like a genuine one. Print their fingerprints
with ssh-keygen2 and compare them with the fingerprints published by the
remote sites; a key whose fingerprint does not match must not be installed in
/etc/ssh2/hostkeys. For more information, see Client Configuration.
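The fingerprint check for a whole list of probed servers, scripted as an added example (not code from the Tectia documentation). It assumes that the hostkeys directory names each key key_<port>_<hostname>.pub, that "ssh-keygen2 -F file" prints the key's fingerprint on its last output line, and that the fingerprints received from the remote sites have been put in a text file with one "hostname fingerprint" line per name; FP_CMD, PORT, verify_hostkeys and the quarantine directory are this example's own names. Keys whose fingerprint is missing or wrong are moved out of the key directory so they cannot be copied to the other mainframes by mistake.

```shell
#!/bin/sh
# Verify downloaded Tectia host keys against fingerprints received out of band.
# Assumptions made by this example (check them against your installation):
#   - keys are stored as <keydir>/key_<PORT>_<hostname>.pub
#   - "ssh-keygen2 -F <file>" prints the fingerprint as its last output line
#   - the expected-fingerprints file has lines "<hostname> <fingerprint>",
#     copied exactly as the remote sites reported them

FP_CMD="${FP_CMD:-ssh-keygen2}"   # fingerprint tool; overridable for testing
PORT="${PORT:-22}"

# Print the fingerprint of one public key file (last non-empty output line).
fingerprint_of() {
    "$FP_CMD" -F "$1" 2>/dev/null | sed '/^[[:space:]]*$/d' | tail -n 1
}

# Print the fingerprint the remote site reported for a name, or nothing.
expected_fp() {
    awk -v h="$1" '$1 == h { print $2; exit }' "$2"
}

# verify_hostkeys <hostsfile> <keydir> <expectedfile> <quarantinedir>
# Every name in hostsfile (one per line, the same list fed to ssh-hostkey-probe)
# must have a key file whose fingerprint equals the one received out of band.
# Unverifiable or mismatching keys are moved to quarantinedir. Returns 0 only
# if every name was verified.
verify_hostkeys() {
    hosts=$1; keydir=$2; expected=$3; quarantine=$4
    mkdir -p "$quarantine"
    bad=0
    while IFS= read -r host; do
        [ -z "$host" ] && continue
        case $host in \#*) continue ;; esac
        key="$keydir/key_${PORT}_${host}.pub"
        if [ ! -f "$key" ]; then
            # A name that is connected to but missing here is exactly the
            # "same server, different name" case: the probe never saw it.
            echo "MISSING    $host: no key file $key" >&2
            bad=$((bad + 1)); continue
        fi
        want=$(expected_fp "$host" "$expected")
        got=$(fingerprint_of "$key")
        if [ -z "$want" ]; then
            echo "UNVERIFIED $host: no fingerprint received from the site" >&2
            mv "$key" "$quarantine/"; bad=$((bad + 1))
        elif [ "$want" != "$got" ]; then
            echo "MISMATCH   $host: site says $want, downloaded key is $got" >&2
            mv "$key" "$quarantine/"; bad=$((bad + 1))
        else
            echo "OK         $host: $got"
        fi
    done < "$hosts"
    [ "$bad" -eq 0 ]
}
```

Run it against the probe's host list and a scratch copy of the probed keys, for example verify_hostkeys hosts.txt /tmp/probed /tmp/fingerprints-from-sites /tmp/quarantine, and copy /tmp/probed to /etc/ssh2/hostkeys only when it exits 0. Keeping the verification on a scratch directory rather than on /etc/ssh2/hostkeys itself means an unverified key is never, even briefly, in the place all users trust.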