[Contents] [Index]

About This Document >>     Installing SSH Tectia Server for IBM z/OS >>     Getting Started with SSH Tectia Server for IBM z/OS >>     Configuring the Server >>     Configuring the Client >>     Authentication >>         Using the z/OS System Authorization Facility         Server Authentication with Public Keys in File >>         Server Authentication with Certificates >>         User Authentication with Passwords         User Authentication with Public Keys in File >>         User Authentication with Certificates >>         Host-Based User Authentication >>         User Authentication with Keyboard-Interactive >>         Distributing Public Keys Using the Key Distribution Tool             Distributing Mainframe Server Keys             Distributing Remote Server Keys             Distributing Mainframe User Keys             Distributing Remote User Keys     Transferring Files >>     Tunneling >>     Troubleshooting SSH Tectia Server for IBM z/OS >>     Advanced Information >>     Man Pages >>     Log Messages >>

Distributing Public Keys Using the Key Distribution Tool

File transfer processing on mainframes is usually non-interactive. This means that the host keys of the remote servers must be stored in a way that user interaction is not needed during the batch process, and that both users and processes use non-interactive authentication methods for user authentication.

The key distribution tool, /usr/lpp/ssh2/bin/ssh-keydist2, can be used for storing multiple remote host keys to a common key store and setting up public-key authentication to multiple hosts.

The tool uses a sub-script /usr/lpp/ssh2/bin/ssh-1st-connect2 for receiving remote host keys.

The syntax of ssh-keydist2 is as follows:

Usage: ssh-keydist2 [options] host [[options] [host]] ... Options: -u, --remote-user remote_user The default is the local username. -W, --ssh2-windows The remote host is running Windows and its Secure Shell server is SSH Tectia. -S, --ssh2-unix The remote host is running Unix and its Secure Shell server is SSH Tectia. -O, --openssh-unix The remote host is running Unix and its Secure Shell server is OpenSSH. -Z, --ssh2-zos The remote host is running z/OS and its Secure Shell server is SSH Tectia. -H, --hostlist-file hostlist_file File contains hostnames or username/hostname pairs. -p, --password-file pass_file File or dataset containing the password for authenticating to remote server(s) during public key setup. Use with care! -P, --empty-passphrase Generate the key pair with an empty passphrase. -d, --allow-keygen-overwrite Allow ssh-keygen2 to overwrite an existing key pair. -t, --key-type dsa|rsa Type of the generated key -b, --key-bits bits Length of the generated key -f, --pubkey-file public_key_file Disable key pair generation, distribute this key instead. -a, --accept-new-host-keys Automatically accept new hostkeys. Use with care! -N, --only-accept-new-host-keys Only accept the hostkeys. Do not generate or distribute user keys. -A, --accepted-host-key-log log_file Log file of accepted new hostkeys -n, --do-not-execute Print the commands but do not execute them. -v, --verbose Use verbose mode.

Caution: When ssh-keydist2 is run with the -a or -N options, it accepts the received host keys automatically without prompting the user. You should verify the validity of keys after receiving them or you risk being subject to a man-in-the-middle attack. To be able to verify the keys, you should use the plain host key storage format. See Section Authenticating Remote Server Hosts for more information.

Most of the examples in this section are executed from Unix shell (for example, OMVS shell), but the same commands can also be run in JCL using BPXBATCH.

Distributing Mainframe Server Keys

Distributing Remote Server Keys

Distributing Mainframe User Keys

Distributing Remote User Keys

[Contents] [Index]