SSH Tectia  

ssh-externalkeys

SSH-EXTERNALKEYS(5)            SSH2           SSH-EXTERNALKEYS(5)


DESCRIPTION
       This  document  contains  general  information about using
       external keys with SSH Tectia Server for IBM z/OS.


USING EXTERNAL KEYS
       For applications  capable  of  using  external  keys,  two
       strings  need  to  be specified: the provider name and the
       initialization string for the provider. These strings  can
       be  given  on the command line or in a configuration file,
       depending  on  the  application.  The  following   section
       describes   the  different  providers  available  in  more
       detail.

       The provider name and/or the initialization string may  be
       defined in the following configuration keywords:

       In ssh2_config:

              EkInitString="initstring"
              EkProvider="provider"
              HostCAEkProvider="provider:initstring"
              HostCAEkProviderNoCRLs="provider:initstring"
              HostKeysEkProvider="provider:initstring"


       In sshd2_config:

              AuthorizationEkProvider="provider:initstring"
              HostKeyEkInitString="initstring"
              HostKeyEkProvider="provider"
              KnownHostsEkProvider="provider:initstring"


       In ssh_certd_config:

              HostCAEkProvider="provider:initstring"
              HostCAEkProviderNoCRLs="provider:initstring"
              PkiEkProvider="provider:initstring"


EXTERNAL KEY PROVIDERS
       zos-saf

              The zos-saf provider is used for accessing keys
              stored in the IBM z/OS System Authorization
              Facility (SAF).

              The initialization string for the zos-saf provider
              specifies the key(s) to be used and it has the
              following components:

              {KEYS([ID(xxx)]RING(xxx) [LABEL(xxx)|DEFAULT])}...

              KEYS(..) may repeat. The subattributes are:

              ID - A SAF user id signifying the owner of the  key
              ring. If missing, the current user's id is used.

              RING - Key ring name. Mandatory.

              LABEL  - The SAF key label. If missing, and DEFAULT
              is missing, use all the keys in the key ring.

              DEFAULT  - Use  the  key  that  is  marked  as  the
              default  key  on  the  key  ring.  Do  not  specify
              together with LABEL.

              The initialization string specified with the
              HostKeyEkInitString keyword of sshd2_config must
              point to a single private key. If the key ring
              contains several keys, LABEL must be used to
              distinguish between the keys.

              When using a trusted key provider and the SSH
              Tectia Certificate Validator, specify KEYS variables
              that include all the CA certificates needed, for
              example:

              PkiEkProvider="zos-saf"
              PkiEkInitString="KEYS(RING(Trusted.CAs) LABEL('Primary CA'))
                               KEYS(ID(SSHTEST) RING(Internal.CAs))"

              The EkInitString keyword of ssh2_config and the
              AuthorizationEkProvider keyword of sshd2_config can
              contain special strings in the key specification
              that are mapped according to the following list:

              %U = user name

              %IU = user ID

              %IG = user group ID


AUTHORS
       SSH Communications Security Corp.

       For more information, see http://www.ssh.com.


SEE ALSO
       ssh-certd(8),  ssh2(1),   sshd2(8),   ssh_certd_config(5),
       ssh2_config(5), sshd2_config(5).


Copyright © 2006 SSH Communications Security Corp.