SSH

User Authentication with Public Keys

The user's public keys are located in the user's $HOME/.ssh2 directory on the server.

The batch user accesses the remote machine using an account on the remote machine. The remote user name may either be the same as or different from the batch user's RACF user ID.

Each batch user's public key must be distributed to all the remote accounts. The way the public key is set up differs between Tectia and OpenSSH-based products.

ssh-keydist-g3 uses password authentication for this initial access to the remote server. You can store the password for the remote account in a data set as follows:

  1. Allocate a data set or a data set member. For example:

    //'USERID.PASSWD'

  2. Make sure the data set is accessible only to the user executing the JCL.

  3. Put the user's password in the data set. For example:

    secret

Use the sample JCL KEYDIST (shown below) from /opt/tectia/doc/zOS/SAMPLIB to distribute user keys. Edit the JCL to suit your needs. The example assumes that the server host key has already been fetched and verified. You can consult the Tectia Server for IBM z/OS User Manual for an explanation of all the available options for the ssh-keydist-g3 command.

Note that KEYDIST must be run under the batch user's user ID in order for the file permissions to be set properly.

KEYDIST (the numbers in parentheses are callouts explained below, not part of the JCL):

    //KEYDIST EXEC PGM=BPXBATSL,REGION=0M,TIME=NOLIMIT
    //STDPARM  DD  *
    PGM /opt/tectia/bin/ssh-keydist-g3
    -t rsa -b 1024 (1) -P (2)
    -u userid (3) -p //'USERID.PASSWD' (4)
    -U /tmp/my_log_file (5)
    -O host1.example.com (6)
    //STDENV   DD  DSN=&SYSUID..SSZ.SRVR648.PARMLIB(SSHENV),DISP=SHR
    //STDOUT   DD  SYSOUT=*
    //STDERR   DD  SYSOUT=*
    //STDIN    DD  DUMMY
    //

(1) Create a new 1024-bit RSA keypair.

(2) Use an empty passphrase.

(3) The user name specified here will be used for the remote account.

(4) Use a password stored in a data set. Replace //'USERID.PASSWD' with the name of your password data set.

(5) A log file will be written to the (non-default) location specified here.

(6) Connect to a Unix host running OpenSSH. Replace host1.example.com with your host.
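Once KEYDIST has run against an OpenSSH-based host, it is worth confirming on that host that the key actually landed where sshd will read it and with permissions sshd will accept. The following POSIX shell check is an added example, not code from the Tectia manual; it assumes the OpenSSH layout $HOME/.ssh/authorized_keys on the target (the Tectia $HOME/.ssh2 layout differs and is not covered), and the fixture helper and key text in it are constructed test data.

```sh
#!/bin/sh
# Added example, not from the Tectia manual: post-distribution check for an
# OpenSSH-based target. The $HOME/.ssh/authorized_keys layout is an assumption
# about the target; Tectia's $HOME/.ssh2 layout differs and is not covered.

# check_key_installed HOME_DIR PUBKEY_FILE
# Returns 0 when the key in PUBKEY_FILE is present in HOME_DIR/.ssh/authorized_keys
# and neither the directory nor the file is group- or world-writable (sshd with
# StrictModes silently ignores the key otherwise).
check_key_installed() {
    sshdir="$1/.ssh"
    pubkey="$2"
    authkeys="$sshdir/authorized_keys"
    [ -d "$sshdir" ] || { echo "missing $sshdir"; return 1; }
    [ -f "$authkeys" ] || { echo "missing $authkeys"; return 1; }
    for p in "$sshdir" "$authkeys"; do
        # columns 6 and 9 of "ls -ld" output are the group and other write bits
        case "$(ls -ld "$p" | cut -c6,9)" in
            *w*) echo "$p is group/world writable"; return 1 ;;
        esac
    done
    # Compare key type and key material only; the trailing comment may differ.
    key=$(awk 'NR == 1 { print $1, $2 }' "$pubkey")
    grep -qF -e "$key" "$authkeys" || { echo "key not found in $authkeys"; return 1; }
    echo "key installed in $authkeys with safe permissions"
}

# make_fixture: build a constructed home directory with a fake key (test data,
# not real key material) and print its path; the caller removes it afterwards.
make_fixture() {
    fix=$(mktemp -d)
    mkdir -m 700 "$fix/.ssh"
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedExampleKey== batchuser@zos" > "$fix/batch.pub"
    cp "$fix/batch.pub" "$fix/.ssh/authorized_keys"
    chmod 600 "$fix/.ssh/authorized_keys"
    printf '%s\n' "$fix"
}

# Usage: sh check_key.sh HOME_DIR PUBKEY_FILE
if [ $# -eq 2 ]; then
    check_key_installed "$1" "$2"
fi
```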

In KEYDIST above, the -O option is used to connect to an OpenSSH server running on a Unix host. Use the following ssh-keydist-g3 options when connecting to Tectia Server on different platforms: