SSH Tectia

Chapter 4 Authentication

Table of Contents

Server Authentication with Public Keys in File
Host Key Storage Formats
Using the System-Wide Host Key Storage
Using the OpenSSH known_hosts File
Server Authentication with Certificates
CA Certificates Stored in File
CA Certificates Stored in SAF
Server Certificates Stored in SAF
User Authentication with Passwords
Password in File or Dataset
User Authentication with Public Keys in File
Creating Keys with ssh-keygen-g3 on z/OS
Uploading Public Keys from z/OS to Remote Host
Using Keys Generated with OpenSSH
Special Considerations with Windows Servers
User Authentication with Certificates
Certificates Stored in File
Certificates Stored in SAF
Host-Based User Authentication
User Authentication with Keyboard-Interactive
Distributing Public Keys Using the Key Distribution Tool
Fetching Remote Server Keys
Distributing Mainframe User Keys

The Secure Shell protocol used by the SSH Tectia client/server solution provides mutual authentication – the client authenticates the server and the server authenticates the client user. Both parties are assured of the identity of the other party.

The remote Secure Shell server host can authenticate itself using either traditional public-key authentication or certificate authentication.

Different methods can be used to authenticate Secure Shell client users. These authentication methods can be combined or used separately, depending on the level of functionality and security you want.

User authentication methods

Figure 4.1. User authentication methods

User authentication methods used by the SSH Tectia client on z/OS by default are: public-key, keyboard-interactive, and password authentication. In addition, the client supports host-based authentication.