[Contents] [Index]

About This Document >>     Installing SSH Tectia Server for IBM z/OS >>     Getting Started with SSH Tectia Server for IBM z/OS >>     Configuring the Server >>     Configuring the Client >>     Authentication >>         Using the z/OS System Authorization Facility         Server Authentication with Public Keys in File >>         Server Authentication with Certificates >>         User Authentication with Passwords         User Authentication with Public Keys in File >>         User Authentication with Certificates >>         Host-Based User Authentication >>         User Authentication with Keyboard-Interactive >>         Distributing Public Keys Using the Key Distribution Tool >>             Distributing Mainframe Server Keys             Fetching Remote Server Keys             Distributing Mainframe User Keys             Distributing Remote User Keys     File Transfer Using SFTP >>     File Transfer Using Transparent FTP Tunneling >>     Tunneling on the Command Line >>     Troubleshooting SSH Tectia Server for IBM z/OS >>     Advanced Information >>     Man Pages >>     Log Messages >>

Fetching Remote Server Keys

The SSH Tectia clients on the mainframe must have the remote server public keys or public key hash values available in order to authenticate the remote server they are connecting to. The keys or key hash values can be stored in the mainframe user's $HOME/.ssh2/hostkeys directory or in the /etc/ssh2/hostkeys directory which is common for all the users. The key distribution tool can be used to retrieve multiple remote host keys and store the keys or key hash values to the user's host key directory or to the system-wide key store that is available for all the users.

For more information about hashed host key format, see Section Authenticating Remote Server Hosts.

Examples of Fetching Remote Server Keys

The following examples illustrate using ssh-keydist2 for fetching remote server host keys.

Caution: When ssh-keydist2 is run with the -N option, it accepts the received host keys automatically without prompting the user. You should verify the validity of keys after receiving them or you risk being subject to a man-in-the-middle attack. To be able to verify the keys, you should use the plain host key storage format. See Section Authenticating Remote Server Hosts for more information.

Example 1: Using USS

This example is run under USS shell. Multiple host keys are fetched in verbose mode and saved in plain format under the user's $HOME/.ssh2/hostkeys directory. The host keys are also saved using the IP addresses of the hosts. The log is stored under /tmp.

> ssh-keydist2 -v -N -F plain -i -A /tmp/newhosts.log host1 host2 host3

Example 2: Using JCL

This example HOSTSAVE from SAMPLIB presents a JCL script that does the same steps as the USS command in Example 1 above:

//HOSTSAVE EXEC PGM=IKJEFT1A, // REGION=0M //SYSTSPRT DD SYSOUT=* //STDOUT DD PATH='/tmp/&SYSUID.-HOSTSAVE.out', // PATHOPTS=(OWRONLY,OCREAT,OTRUNC), // PATHMODE=(SIRUSR,SIWUSR) //STDERR DD PATH='/tmp/&SYSUID.-HOSTSAVE.err', // PATHOPTS=(OWRONLY,OCREAT,OTRUNC), // PATHMODE=(SIRUSR,SIWUSR) //STDENV DD DSN=&SYSUID..SSZ.SRVR551.PARMLIB(SSHENV), // DISP=SHR //SYSTSIN DD * BPXBATCH SH /usr/lpp/ssh2/bin/ssh-keydist2 + -v -N -F plain -i -A /tmp/newhosts.log + host1 host2 host3 /* //* //PROUT EXEC PGM=IKJEFT1A, // PARM='OCOPY INDD(STDOUT) OUTDD(STDOUTPR) TEXT' //SYSTSPRT DD SYSOUT=* //SYSTSIN DD DUMMY //STDOUT DD PATH='/tmp/&SYSUID.-HOSTSAVE.out', // PATHOPTS=(ORDONLY), // PATHDISP=(DELETE,KEEP), // PATHMODE=(SIRUSR,SIWUSR) //STDOUTPR DD SYSOUT=*, // DCB=(LRECL=4000,RECFM=VB) //* //PRERR EXEC PGM=IKJEFT1A, // PARM='OCOPY INDD(STDERR) OUTDD(STDERRPR) TEXT' //SYSTSPRT DD SYSOUT=* //SYSTSIN DD DUMMY //STDERR DD PATH='/tmp/&SYSUID.-HOSTSAVE.err', // PATHOPTS=(ORDONLY), // PATHDISP=(DELETE,KEEP), // PATHMODE=(SIRUSR,SIWUSR) //STDERRPR DD SYSOUT=*, // DCB=(LRECL=4000,RECFM=VB) //*