SSH

Chapter 5 Authentication

Table of Contents

Supported User Authentication Methods
Using the z/OS System Authorization Facility
Server Authentication with Public Keys in File
Defining Server Host Key
Generating the Server Host Key Pair
Using an OpenSSH Server Host Key
Notifying the Users of the Host Key Change
Server Authentication with Certificates
Certificates Stored in File
Certificates Stored in SAF
User Authentication with Passwords
User Authentication with Public Keys in File
Enabling Public-Key Authentication
Using the Authorization File
Using Keys Generated with OpenSSH
User Authentication with Certificates
Certificates Stored in File
Certificate User Mapping File
Certificates Stored in SAF
Host-Based User Authentication
Client Configuration
Server Configuration
Optional Configuration Settings
User Authentication with Keyboard-Interactive

The Secure Shell protocol used by Tectia Server for IBM z/OS provides mutual authentication – the client authenticates the server and the server authenticates the client user. Both parties are assured of the identity of the other party.

The Secure Shell server host can authenticate itself using either traditional public-key authentication or certificate authentication.

Different methods can be used to authenticate Secure Shell client users. These authentication methods can be combined or used separately, depending on the level of functionality and security you want.

Secure Shell user authentication methods. Note that all of the methods are not available on z/OS.

Figure 5.1. Secure Shell user authentication methods. Note that all of the methods are not available on z/OS.

Tectia Server for IBM z/OS allows public-key and password authentication by default. It also supports keyboard-interactive and host-based authentication.