SSH: Example of Distributing Keys

[Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server for IBM z/OS >>
    Using SSH Tectia Server for IBM z/OS >>
    Configuring the Server >>
    Configuring the Client >>
    Authentication >>
    Troubleshooting SSH Tectia Server for IBM z/OS >>
    Examples of Use >>
        Secure File Transfers Using the z/OS Client>>
        Secure File Transfers Using Windows and Unix Clients>>
        Submitting JCL Jobs over Secure Shell
        Debugging SSH Tectia Server for IBM z/OS>>
        Example of Distributing Keys
            Mainframe Server Keys
            Remote Server Keys
            Mainframe User Keys
            Remote User Keys
    Man Pages >>
    Log Messages >>

Example of Distributing Keys

File transfer processing on mainframes is usually non-interactive. This means that the host keys of the remote servers must be stored in a way that user interaction is not needed during the batch process, and that users and processes use non-interactive authentication methods for user authentication.

This section contains some examples on storing multiple remote host keys to a common key store and setting up public-key authentication to multiple hosts using the key distribution tool included in the installation package. These examples are executed from Unix shell (for example, OMVS shell), but the same commands can also be run in JCL using BPXBATCH.

The example tool consists of two scripts, ssh-userkeygendist2.sh and ssh-1st-connect2.sh. Both scripts are installed to /usr/lpp/ssh2/doc/zOS/samples/. ssh-userkeygendist2.sh is the main script that is used on all examples. ssh-1st-connect.sh is a sub-script that is used by ssh-userkeygendist2.sh.

Before using the scripts, you need to add the /usr/lpp/ssh2/doc/zOS/samples to your PATH environment variable. On OMVS or other Unix shell, use the following commands:

> PATH=$PATH:/usr/lpp/ssh2/doc/zOS/samples
> export PATH

Or copy the scripts to a directory that is already in PATH, for example:

> cp /usr/lpp/ssh2/doc/zOS/samples/ssh*.sh /usr/lpp/ssh2/bin/

Your current PATH can be seen with command:

> echo $PATH

The usage of ssh-userkeygendist2.sh is the following:

Usage: ssh-userkeygendist2.sh [options] host [[options] [host]] ... Options: -u, --remote-user remote_user The default is local username. -W, --ssh2-windows The remote host is running Windows and its ssh client is SSH Tectia. -S, --ssh2-unix The remote host is running Unix and its ssh client is SSH Tectia. -O, --openssh-unix The remote host is running Unix and its ssh client is OpenSSH. -Z, --ssh2-zos The remote host is running z/OS and its ssh client is SSH Tectia. -H, --hostlist-file hostlist_file File contains hostnames or username/hostname pairs. -p, --password-file File contains password used for authentication. -P, --empty-passphrase Assume empty passphrase when generating key pair. -d, --allow-keygen-overwrite Allow ssh-keygen2 to overwrite an existing key pair. -t, --key-type dsa|rsa Type of the generated key -b, --key-bits bits Length of the generated key -f, --pubkey-file public_key_file Disable key pair generation, distribute this key instead. -a, --accept-new-host-keys Automatically accept new hostkeys. Use with care. -N, --only-accept-new-host-keys Only accept the hostkeys. Do not generate or distribute user keys. -A, --accepted-host-key-log log_file Log file of accepted new hostkeys -n, --do-not-execute Print the commands but do not execute them. -v, --verbose Use verbose mode.