When a user connects to a server using host-based authentication,
it must prove that it has proper client host credentials (host private
key, host public key, and/or host certificate). As the client itself
(sshg3) cannot access the host private key, there is a separate
binary (ssh-signer2) that has sufficient permissions for
private key operations. ssh-signer2 reads the default server
configuration file, /opt/tectia/etc/sshd2_config
.
Host-based authentication can be enabled either by using traditional public keys or by using certificates. In Tectia Server for IBM z/OS, the host public key and/or certificate must be stored in software (ssh-signer2 cannot access it from SAF).
To enable host-based authentication with traditional public keys on
Tectia client tools for z/OS, perform the following steps as
ClientUser
:
Generate a host key. By default, /opt/tectia/etc/hostkey
and
/opt/tectia/etc/hostkey.pub
are generated during installation,
so you can skip this step. Otherwise, give the following command as
a UID 0 user:
# /opt/tectia/bin/ssh-keygen-g3 -P /opt/tectia/etc/hostkey
Add the following line in the
ssh-broker-config.xml
file:
<authentication-methods> <auth-hostbased /> ... </authentication-methods>
Also other authentication methods can be listed. Place the least interactive method first (this usually means the host-based method).
Change the DefaultDomain
element
in the ssh2_config
file to reflect your fully qualified domain:
DefaultDomain .example.com
It is possible to use a certificate instead of the traditional public-key pair to authenticate the client host. In Tectia Server for IBM z/OS, the host certificate must be stored in software (ssh-signer2 cannot access it from SAF).
To enable host-based authentication with certificates on Tectia client
tools for z/OS, do the following steps as ClientUser
:
Add the following line in the ssh-broker-config.xml
file:
<authentication-methods> <auth-hostbased /> ... </authentication-methods>
Enroll a certificate for Client
. See
User Authentication with Certificates for more information. The certificate must
contain a dns
extension which contains the fully qualified
domain name (FQDN) of Client
. Note that the private key
associated with the certificate needs to be stored with an empty
passphrase.
Define the private key and certificate in
sshd2_config
on Client
:
HostKeyFile <private key> HostCertificateFile <server-certificate>
Change the DefaultDomain
element in the
ssh2_config
file to reflect your fully qualified domain:
DefaultDomain .example.com
Note | |
---|---|
On Tectia Server 6.3 for IBM z/OS, the |