[Contents] [Index]

About This Document >>     Installing SSH Tectia Server for IBM z/OS >>     Getting Started with SSH Tectia Server for IBM z/OS >>     Configuring the Server >>     Configuring the Client >>     Authentication >>     Transferring Files >>     Tunneling >>     Troubleshooting SSH Tectia Server for IBM z/OS >>     Advanced Information >>     Man Pages >>         scp2         sftp2         ssh-add2         ssh-agent2         ssh-certd         ssh_certd_config         ssh-certview >>         ssh-cmpclient >>         ssh-dummy-shell         ssh-ekview         ssh-externalkeys         ssh-keygen2         ssh-probe2         ssh-scepclient >>         ssh-sft-stage         ssh2         ssh2_config         sshd-check-conf         sshd2         sshd2_config         sshd2_subconfig         sshregex     Log Messages >>

ssh-externalkeys

SSH-EXTERNALKEYS(5) SSH2 SSH-EXTERNALKEYS(5) DESCRIPTION This document contains general information about using external keys with SSH Tectia Server for IBM z/OS. USING EXTERNAL KEYS For applications capable of using external keys, two strings need to be specified: the provider name and the initialization string for the provider. These strings can be given on the command line or in a configuration file, depending on the application. The following section describes the different providers available in more detail. The provider name and/or the initialization string may be defined in the following configuration keywords: In ssh2_config: EkInitString="initstring" EkProvider="provider" HostCAEkProvider="provider:initstring" HostCAEkProviderNoCRLs="provider:initstring" HostKeysEkProvider="provider:initstring" In sshd2_config: AuthorizationEkProvider="provider:initstring" HostKeyEkInitString="initstring" HostKeyEkProvider="provider" KnownHostsEkProvider="provider:initstring" In ssh_certd_config: HostCAEkProvider="provider:initstring" HostCAEkProviderNoCRLs="provider:initstring" PkiEkProvider="provider:initstring" EXTERNAL KEY PROVIDERS zos-saf The zos-saf provider is used for accessing keys stored in the IBM z/OS System Authorization Facil- ity (SAF). The initialization string for the zos-saf provider specifies the key(s) to be used and it has the fol- lowing components: {KEYS([ID(xxx)]RING(xxx) [LABEL(xxx)|DEFAULT])}... KEYS(..) may repeat. The subattributes are: ID - A SAF user id signifying the owner of the key ring. If missing, the current user's id is used. RING - Key ring name. Mandatory. LABEL - The SAF key label. If missing, and DEFAULT is missing, use all the keys in the key ring. DEFAULT - Use the key that is marked as the default key on the key ring. Do not specify together with LABEL. Values must be written in single quotation marks if they contain single quotation marks or parenthesis. The initialization string specified with the HostKeyEkInitString keyword of sshd2_config must point to a single private key. If the key ring con- tains several keys, LABEL must be used to distin- guish between the keys. When using a trusted key provider and the SSH Tec- tia Certificate Validator, specify KEYS variables that include all the CA certificates needed, for example: PkiEkProvider="zos-saf" PkiEkInitString="KEYS(RING(Trusted.CAs) LABEL('Primary CA')) KEYS(ID(SSHTEST) RING(Internal.CAs))" The EkInitString keyword of ssh2_config and the AuthorizationEkProvider keyword of sshd2_config can contain special strings in the key specification that are mapped according the following list: %U = user name %IU = user ID %IG = user group ID AUTHORS SSH Communications Security Corp. For more information, see http://www.ssh.com. SEE ALSO ssh-certd(8), ssh2(1), sshd2(8), ssh_certd_config(5), ssh2_config(5), sshd2_config(5).