SSH Tectia  
Previous Next Up [Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server for IBM z/OS >>
    Getting Started with SSH Tectia Server for IBM z/OS >>
    Configuring the Server >>
    Authentication >>
        Using the z/OS System Authorization Facility
        Server Authentication with Public Keys in File >>
        Server Authentication with Certificates >>
        User Authentication with Passwords
        User Authentication with Public Keys in File >>
        User Authentication with Certificates >>
        Host-Based User Authentication >>
            Client Configuration
            Server Configuration
            Optional Configuration Settings
        User Authentication with Keyboard-Interactive
    System Administration >>
    File Transfer Using SFTP >>
    Secure File Transfer Using Transparent FTP Security >>
    Tunneling >>
    Troubleshooting SSH Tectia Server for IBM z/OS >>
    Man Pages and Default Configuration Files >>
    Log Messages >>

Client Configuration

When a user connects to a server using host-based authentication, it must prove that it has proper client host credentials (host private key, host public key, and/or host certificate). As the client itself (sshg3) cannot access host private key there is separate binary (ssh-signer2) that has sufficient permissions for private key operations. ssh-signer2 reads default server configuration file, /opt/tectia/etc/sshd2_config.

Host-based authentication can be enabled either by using traditional public keys or by using certificates. In SSH Tectia Server for IBM z/OS, the host public key and/or certificate must be stored in software (ssh-signer2 cannot access it from SAF).

Traditional Public Keys Stored in File

To enable host-based authentication with traditional public keys on SSH Tectia client tools for z/OS, do the following steps as ClientUser:

  1. Generate a host key. By default, /opt/tectia/etc/hostkey and /opt/tectia/etc/hostkey.pub are generated during installation, so you can skip this step. Otherwise, give the following command as a UID 0 user:
    # /opt/tectia/bin/ssh-keygen-g3 -P /opt/tectia/etc/hostkey
    
  2. Add the following line in the ssh-broker-config.xml file:
    <authentication-methods>
      <authentication-method name="hostbased" />
      ...
    </authentication-methods>
    
    Also other authentication methods can be listed. Place the least interactive method first (this means usually the host-based method).
  3. Change the DefaultDomain element in the ssh2_config file to reflect your fully qualified domain:
    DefaultDomain   .example.com
    
    Note: On SSH Tectia Server 6.1 for IBM z/OS, the ssh2_config file is used solely for host-based authentication and it does not exist by default. You have to create it in /opt/tectia/etc/ssh2_config or $HOME/.ssh2/ssh2_config. Setting this is mandatory if the HostbasedAuthForceClientHostnameDNSMatch keyword in the sshd2_config file on Server has been set to yes. But even if HostbasedAuthForceClientHostnameDNSMatch is not used, the DefaultDomain keyword is useful on systems that report only the short hostname by default.

Certificates Stored in File

It is possible to use a certificate instead of the traditional public-key pair to authenticate the client host. In SSH Tectia Server for IBM z/OS, the host certificate must be stored in software (ssh-signer2 cannot access it from SAF).

To enable host-based authentication with certificates on SSH Tectia client tools for z/OS, do the following steps as ClientUser:

  1. Add the following line in the ssh-broker-config.xml file:
    <authentication-methods>
      <authentication-method name="hostbased" />
      ...
    </authentication-methods>
    
  2. Enroll a certificate for Client. See User Authentication with Certificates for more information. The certificate must contain a dns extension which contains the fully qualified domain name (FQDN) of Client. Note that the private key associated with the certificate needs to be stored with an empty passphrase.
  3. Define the private key and certificate in sshd2_config on Client:
    HostKeyFile              <private key>
    HostCertificateFile      <server-certificate>
    
  4. Change the DefaultDomain element in the ssh2_config file to reflect your fully qualified domain:
    DefaultDomain   .example.com
    
    Note: On SSH Tectia Server 6.1 for IBM z/OS, the ssh2_config file is used solely for host-based authentication and it does not exist by default. You have to create it in /opt/tectia/etc/ssh2_config or $HOME/.ssh2/ssh2_config.

Previous Next Up [Contents] [Index]


[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2011 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice