SSH Tectia  
Previous Next Up [Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server for IBM z/OS >>
    Getting Started with SSH Tectia Server for IBM z/OS >>
    Configuring the Server >>
    Authentication >>
    System Administration >>
    File Transfer Using SFTP >>
    Secure File Transfer Using Transparent FTP Security >>
        Introduction to Transparent FTP Security
        Configuring SOCKS Proxy >>
            ssh-socks-proxy-config.xml
            Storing Remote Server Host Keys
        Creating the SSHSP User
        Running SOCKS Proxy >>
        Configuring FTP >>
        Examples of Transparent FTP Security>>
    Tunneling >>
    Troubleshooting SSH Tectia Server for IBM z/OS >>
    Man Pages and Default Configuration Files >>
    Log Messages >>

Storing Remote Server Host Keys

When opening the transparent tunnel or an SFTP session with FTP-SFTP conversion, accepting new or changed server host keys cannot be prompted from the user. In addition, transparent FTP tunneling and FTP-SFTP conversion always use the IP address of the Secure Shell server when opening the secure tunnel. This means that the host keys of the Secure Shell tunneling servers must be stored beforehand based on the IP addresses of the servers.

The keys can be stored by connecting to each host individually with the IP address of the host using an interactive shell and accepting the host keys one by one, or by using the ssh-keydist-g3 key distribution tool. More information and examples on storing remote server keys can be found in SSH Tectia Server for IBM z/OS User Manual.

Disabling Host-Key Check

As an alternative to storing the remote server host keys, it is possible to disable the host-key checking entirely. To do this, set the accept-unknown-host-keys element to yes in the ssh-socks-proxy-config.xml file. The element must be placed before the profiles element as shown below.

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE secsh-broker SYSTEM 
 "/opt/tectia/etc/ssh-tectia/auxdata/ssh-broker-ng/ssh-broker-ng-config-1.dtd" >
<secsh-broker version="6.0" >

  <general>
    <strict-host-key-checking enable="no" />
    <host-key-always-ask enable="no" />
    <accept-unknown-host-keys enable="yes" />
  </general>

  <profiles>
  ...

Caution: Consider carefully before enabling this option. Disabling the host-key checks makes you vulnerable to man-in-the-middle attacks.

Previous Next Up [Contents] [Index]


[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2011 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice