But some folks would like to put the public key into a z/OS Key Ring... here are the steps:
1) Use the OpenSSH private key file "id_rsa" to build a PKCS#10 self-signed X.509 cert
Note: This requires a Unix/Linux or Windows box with the OpenSSL package installed
Note: this particular OpenSSH private key does not have a passphrase, otherwise
you would be prompted for the passphrase here.
Note: the output file doesn't actually include the private key; only the public key,
so you don't have to protect the file's contents.
Actually, it is a cert request that contains the public key but is "self-signed" by the private key.
(in the command below, use your own distinguished name fields)
Code:
openssl req -new -x509 -key id_rsa -out myid.ssh.pkcs10 -outform PEM -days 3650 <<EOF
US
Missouri
St. Charles
Dovetailed Technologies
HQ
Kirk Wolf
kirk@dovetail.com
EOF
Code:
> sftp kirk@zosdtl
sftp> ls /+mode=text,lrecl=1028,recfm=vb
sftp> put myid.ssh.pkcs10 //kirk.test.pkcs10
Code:
racdcert add('kirk.test.pkcs10') id(kirk) withlabel('MYLABEL') TRUST
Code:
zos-key-ring-label="* MYLABEL"
The .ssh directory must be owned by the userid, with permissions "700".
The home directory, and any directories above it must be owned either by the userid or by root, and may only be writeable by the owner.
Now, you should be able to log in to z/OS ssh from a remote system using this public/private key pair.
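
The ownership and permission rules for .ssh and the home directory stated above can be checked before the first login attempt. The script below is an added example, not part of the original post; the function names and the optional third argument (the directory where the upward walk stops) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the optional
# third argument (where the upward walk stops) are assumptions of this sketch.
# Usage: check_ssh_perms "$HOME" "$(id -u)"

# Print "<mode string> <numeric owner uid>" for one directory (POSIX ls only).
dir_info() {
    ls -ldn "$1" | awk '{ print $1, $3 }'
}

# check_ssh_perms HOME_DIR USER_UID [TOP]
# Returns 0 if all rules hold, 1 otherwise; reports each violation on stderr.
check_ssh_perms() {
    home=$1; uid=$2; top=${3:-/}; rc=0

    # Rule 1: .ssh is owned by the userid, with permissions exactly 700.
    if [ ! -d "$home/.ssh" ]; then
        echo "missing: $home/.ssh" >&2; return 1
    fi
    set -- $(dir_info "$home/.ssh")
    case $1 in
        drwx------*) ;;
        *) echo "$home/.ssh: mode $1, expected 700" >&2; rc=1 ;;
    esac
    [ "$2" = "$uid" ] || { echo "$home/.ssh: owner uid $2, expected $uid" >&2; rc=1; }

    # Rule 2: the home directory and every directory above it is owned by
    # the userid or root (uid 0) and is writable only by its owner.
    d=$home
    while :; do
        set -- $(dir_info "$d")
        case $1 in
            ?????-??-?*) ;;   # group-write and other-write bits both clear
            *) echo "$d: mode $1 is group- or world-writable" >&2; rc=1 ;;
        esac
        [ "$2" = "$uid" ] || [ "$2" = 0 ] || { echo "$d: owner uid $2" >&2; rc=1; }
        if [ "$d" = "$top" ] || [ "$d" = / ]; then break; fi
        d=$(dirname "$d")
    done
    return $rc
}
```

Each violation is reported on its own line, so a failed key login can be matched to the directory that caused it.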