SSH Tectia  
Previous Next Up [Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server for IBM z/OS >>
    Getting Started with SSH Tectia Server for IBM z/OS >>
    Configuring the Server >>
    Configuring the Client >>
    Authentication >>
        Using the z/OS System Authorization Facility
        Server Authentication with Public Keys in File >>
        Server Authentication with Certificates >>
        User Authentication with Passwords
        User Authentication with Public Keys in File >>
        User Authentication with Certificates >>
        Host-Based User Authentication >>
        User Authentication with Keyboard-Interactive >>
        Distributing Public Keys Using the Key Distribution Tool
            Distributing Mainframe Server Keys
            Distributing Remote Server Keys
            Distributing Mainframe User Keys
            Distributing Remote User Keys
    Transferring Files >>
    Tunneling >>
    Troubleshooting SSH Tectia Server for IBM z/OS >>
    Advanced Information >>
    Man Pages >>
    Log Messages >>

Distributing Public Keys Using the Key Distribution Tool

File transfer processing on mainframes is usually non-interactive. This means that the host keys of the remote servers must be stored in a way that user interaction is not needed during the batch process, and that both users and processes use non-interactive authentication methods for user authentication.

The key distribution tool, /usr/lpp/ssh2/bin/ssh-keydist2, can be used for storing multiple remote host keys to a common key store and setting up public-key authentication to multiple hosts.

The tool uses a sub-script /usr/lpp/ssh2/bin/ssh-1st-connect2 for receiving remote host keys.

The syntax of ssh-keydist2 is as follows:

Usage: ssh-keydist2 [options] host [[options] [host]] ...

Options:
-u, --remote-user remote_user         The default is the local username.

-W, --ssh2-windows                    The remote host is running Windows and 
                                      its Secure Shell server is SSH Tectia.

-S, --ssh2-unix                       The remote host is running Unix and 
                                      its Secure Shell server is SSH Tectia.

-O, --openssh-unix                    The remote host is running Unix and 
                                      its Secure Shell server is OpenSSH.

-Z, --ssh2-zos                        The remote host is running z/OS and 
                                      its Secure Shell server is SSH Tectia.

-H, --hostlist-file hostlist_file     File contains hostnames or 
                                      username/hostname pairs.

-p, --password-file pass_file         File or dataset containing the password 
                                      for authenticating to remote server(s)
                                      during public key setup. Use with care!

-P, --empty-passphrase                Generate the key pair with an empty 
                                      passphrase.

-d, --allow-keygen-overwrite          Allow ssh-keygen2 to overwrite 
                                      an existing key pair.

-t, --key-type dsa|rsa                Type of the generated key

-b, --key-bits bits                   Length of the generated key

-f, --pubkey-file public_key_file     Disable key pair generation, 
                                      distribute this key instead.

-a, --accept-new-host-keys            Automatically accept new hostkeys. 
                                      Use with care!

-N, --only-accept-new-host-keys       Only accept the hostkeys. Do not 
                                      generate or distribute user keys.

-A, --accepted-host-key-log log_file  Log file of accepted new hostkeys

-n, --do-not-execute                  Print the commands but do not 
                                      execute them.

-v, --verbose                         Use verbose mode.

Caution: When ssh-keydist2 is run with the -a or -N options, it accepts the received host keys automatically without prompting the user. You should verify the validity of keys after receiving them or you risk being subject to a man-in-the-middle attack. To be able to verify the keys, you should use the plain host key storage format. See Section Authenticating Remote Server Hosts for more information.

Most of the examples in this section are executed from Unix shell (for example, OMVS shell), but the same commands can also be run in JCL using BPXBATCH.

Distributing Mainframe Server Keys

Distributing Remote Server Keys

Distributing Mainframe User Keys

Distributing Remote User Keys

Previous Next Up [Contents] [Index]


[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2007 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice