The user's public keys are located in the user's $HOME/.ssh2
directory on the server.
The batch user accesses the remote machine using an account on the remote machine. The remote user name may either be the same as or different from the batch user's RACF user ID.
Each batch user's public key must be distributed to all the remote accounts. The way the public key is set up differs between Tectia and OpenSSH-based products.
ssh-keydist-g3 uses password authentication for this initial access to the remote server. You can store the password for the remote account in a data set as follows:
Allocate a data set or a data set member. For example:
//'USERID.PASSWD'
The data set must only be accessible to the user executing the JCL.
Put the user password in the data set. For example:
secret
Use the sample JCL KEYDIST
(shown below) from
/opt/tectia/doc/zOS/SAMPLIB
to distribute user keys. Edit the JCL to
suit your needs. The example assumes that the server host key has already been fetched and
verified. You can consult the Tectia Server for IBM z/OS User Manual for an
explanation of all the available options for the ssh-keydist-g3 command.
Note that KEYDIST
must be run under the batch user's user ID in order
for the file permissions to be set properly.
KEYDIST:
//KEYDIST EXEC PGM=BPXBATSL,REGION=0M,TIME=NOLIMIT //STDPARM DD * PGM /opt/tectia/bin/ssh-keydist-g3 -t rsa -b 1024 -P -u userid -p //'USERID.PASSWD' -U /tmp/my_log_file -O host1.example.com //STDENV DD DSN=&SYSUID..SSZ.SRVR648.PARMLIB(SSHENV),DISP=SHR //STDOUT DD SYSOUT=* //STDERR DD SYSOUT=* //STDIN DD DUMMY //
In KEYDIST
above the -O
option is used to connect to
an OpenSSH server running on a Unix host. Use the following ssh-keydist-g3
options when connecting to Tectia Server on different platforms:
z/OS: -Z
Unix: -S
Windows: -W