SSH Tectia  

Certificate User Mapping File

The map file specifies which certificates authorize logging into which accounts. The format of the file is as follows:

<account-id> <keyword> <argument>

The keyword can be either Email, Subject, SerialAndIssuer, EmailRegex, or SubjectRegex. The argument depends on the keyword.

  • Email: The argument is the e-mail address which must be present in the certificate.
  • Subject: The argument is the required subject name in LDAP DN (distinguished name) string format.
  • SerialAndIssuer: The argument is the required serial number and issuer name in LDAP DN string format, separated by spaces or tabs.
  • EmailRegex: The argument is the regular expression which must match an e-mail address in the certificate. If account-id contains the string %subst%, it is substituted with the first parenthesized part of the regular expression. The patterns are matched using the egrep syntax.
  • SubjectRegex: The argument is the regular expression which must match a subject name in the certificate. If account-id contains the string %subst%, it is substituted with the first parenthesized part of the regular expression. The patterns are matched using the egrep syntax.

Examples

The following are examples of different map file definitions:

user1 email user1@ssh.com
user1 subject C=FI,O=SSH,CN=Secure Shell User 1
user1 serialandissuer 1234 C=FI,O=SSH,CN=Secure Shell User 1
%subst% subjectregex C=FI, O=SSH, CN=([a-z]+)         
%subst% emailregex ([a-z]+)@ssh\.com

The last line permits logging in with any e-mail address that has only letters in the user name. For more information on the regular expression syntax, see Appendix sshregex.
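To audit which accounts a map file grants to a given certificate, the rules can be evaluated offline. The following Python sketch is an added example, not SSH Tectia code: it parses the example lines above and resolves `%subst%`. It assumes that keywords are case-insensitive (as the examples suggest), that a regular expression must match the whole value, that Python's `re` stands in for the egrep syntax, and that DNs compare equal after trimming spaces around commas; the certificate dictionary layout and all function names are hypothetical.

```python
import re

KEYWORDS = {"email", "subject", "serialandissuer", "emailregex", "subjectregex"}

# The map lines from the examples on this page.
MAP = r"""user1 email user1@ssh.com
user1 subject C=FI,O=SSH,CN=Secure Shell User 1
user1 serialandissuer 1234 C=FI,O=SSH,CN=Secure Shell User 1
%subst% subjectregex C=FI, O=SSH, CN=([a-z]+)
%subst% emailregex ([a-z]+)@ssh\.com
"""

def parse_map(text):
    """Split each line into (account-id, keyword, argument); reject anything else."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[1].lower() not in KEYWORDS:
            raise ValueError(f"line {n}: expected <account-id> <keyword> <argument>")
        rules.append((parts[0], parts[1].lower(), parts[2].strip()))
    return rules

def norm_dn(dn):
    # Assumption: DNs compare equal once spaces around the commas are trimmed.
    return ",".join(part.strip() for part in dn.split(","))

def accounts_for(rules, cert):
    """Accounts a certificate maps to. cert is a constructed dict:
    {'emails': [...], 'subject': str, 'serial': str, 'issuer': str}."""
    found = []
    for account, kw, arg in rules:
        m = None
        if kw == "email":
            hit = arg in cert["emails"]
        elif kw == "subject":
            hit = norm_dn(arg) == norm_dn(cert["subject"])
        elif kw == "serialandissuer":
            serial, issuer = (arg.split(None, 1) + [""])[:2]
            hit = serial == cert["serial"] and norm_dn(issuer) == norm_dn(cert["issuer"])
        else:  # emailregex / subjectregex; assumption: the whole value must match
            values = cert["emails"] if kw == "emailregex" else [cert["subject"]]
            m = next((x for x in (re.fullmatch(arg, v) for v in values) if x), None)
            hit = m is not None
        if hit and "%subst%" in account:
            # %subst% needs the first parenthesized group; skip the rule without one
            hit = bool(m and m.lastindex and m.group(1))
            account = account.replace("%subst%", m.group(1)) if hit else account
        if hit and account not in found:
            found.append(account)
    return found
```

With the `emailregex` line in place, a certificate carrying `root@ssh.com` resolves to the account `root`, so a `%subst%` rule should be reviewed against every account name its pattern can produce.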

Copyright © 2011 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.