SSH Tectia  
Previous Next Up [Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server for IBM z/OS >>
    Getting Started with SSH Tectia Server for IBM z/OS >>
    Setting up Non-Interactive Server and User Authentication >>
        Key Distribution Tool
        Authenticating Remote Server Hosts
            Distributing Remote Server Keys
        Using Password for User Authentication
        Using Public Key for User Authentication >>
    Setting up Non-Interactive File Transfer >>

Authenticating Remote Server Hosts

Remote Secure Shell servers are authenticated by a public-key procedure. The user checks the fingerprint of the remote server's public key. When the user has approved the public key, it is stored in the user's $HOME/.ssh2/hostkeys directory and will be used automatically thereafter.

The verification step normally requires user interaction, so even for users that are set up to run client programs unattended, the first connection must be done by a person who logs in as the user, accesses the remote server, and goes through the fingerprint check dialog. The same steps must be repeated if the remote host's key is changed.

Caution: When ssh-keydist2 is run with the -a or -N options, it accepts the received host keys automatically without prompting the user. You should verify the validity of keys after receiving them or you risk being subject to a man-in-the-middle attack. To be able to verify the keys, you should use the plain host key storage format. See below.

When the host key is received during the first connection to a remote host (or when the host key has changed) and you choose to save the key, its filename is by default stored in hashed format, keys_hhh..., where hhh is a hash of the host port and name. The saved file contains a hash of the host's public key. A salt is included in the hash calculations. The value of the salt is stored in the file salt in the same directory as the host keys ($HOME/.ssh2/hostkeys). The hashed host key format is a security feature to make address harvesting on the hosts difficult.

In the plain (traditional) format, the name of a host key file includes the hosts's name and port, as in key_22_host.example.com.pub, and the file contains the host's public key in plaintext format.

The storage format can be controlled with the HostKeyFormat option of the ssh2_config configuration file. The argument must be plain or hashed (default). 

HostKeyFormat              plain

You can display the fingerprint of a received host key by running the following command: 

> ssh-keygen2 -F $HOME/.ssh2/hostkeys/key_<port>_<host>.pub

Distributing Remote Server Keys

Previous Next Up [Contents] [Index]

[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2007 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice