Import a SSH format public key into a z/OS certificate

Discussion of Co:Z sftp, a port of OpenSSH sftp for z/OS
dovetail
Joined: Thu Jul 29, 2004 12:12 pm


Post by dovetail »

Normally, if a remote user wants to log into z/OS SSH, you would just take the OpenSSH-format public key and add it to the user's ~/.ssh/authorized_keys file.

But some folks would like to put the public key into a z/OS key ring. Here are the steps:

1) Use the OpenSSH private key file "id_rsa" to build a PKCS#10 self-signed x509 cert

Note: This requires a Unix/Linux or Windows box with the OpenSSL package installed.
Note: This particular OpenSSH private key does not have a passphrase; otherwise you would be prompted for the passphrase here.
Note: The output file doesn't actually include the private key, only the public key, so you don't have to protect the file's contents.
Actually, it is a cert request that contains the public key but is "self-signed" by the private key.

(in the command below, use your own distinguished name fields)

Code:

# id_rsa must be a PEM-format RSA private key ("-----BEGIN RSA PRIVATE KEY-----").
# Newer ssh-keygen writes the OpenSSH-native format by default, which openssl cannot
# read; "ssh-keygen -p -m PEM -f id_rsa" rewrites the file in PEM form.
# The answers to the subject (DN) prompts follow, one per line: C, ST, L, O, OU, CN, email.
# The output name test.pkcs10 is the file transferred in step 2.
openssl req -new -x509 -key id_rsa -out test.pkcs10 -outform PEM -days 3650 <<EOF
US
Missouri
St. Charles
Dovetailed Technologies
HQ
Kirk Wolf
kirk@dovetail.com
EOF

2) Transfer the pkcs10 file in text mode to a RECFM=VB,LRECL=1028 dataset

Code:

> sftp kirk@zosdtl
sftp> ls /+mode=text,lrecl=1028,recfm=vb
sftp> put test.pkcs10 //kirk.test.pkcs10

3) (On z/OS) Create a RACF cert using the PKCS#10 package

Code:

racdcert add('kirk.test.pkcs10') id(kirk) withlabel('MYLABEL') TRUST

4) Now you can refer to this public key in your ~/.ssh/authorized_keys file

Code:

zos-key-ring-label="* MYLABEL"

Note: The authorized_keys file must have the normal protections: it must be owned by the userid with permissions "600".
The .ssh directory must be owned by the userid, with permissions "700".
The home directory, and any directories above it, must be owned either by the userid or by root, and may only be writeable by the owner.

Now, you should be able to log in to z/OS ssh from a remote system using this public/private key pair.
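An added check (example code, not from the original post): before step 3, confirm that the file produced in step 1 carries the same RSA public key as the user's id_rsa.pub, so the label trusted in authorized_keys really belongs to the key the remote user signs in with. The script compares an OpenSSH public-key line with the SubjectPublicKeyInfo PEM printed by `openssl x509 -in test.pkcs10 -noout -pubkey`, parsing both formats with the standard library only; the key values in the sample are constructed toys, not a real key.

```python
import base64
import struct

def parse_openssh_rsa(line):
    """Decode one 'ssh-rsa <base64> [comment]' line into (e, n).
    Wire format: string "ssh-rsa", mpint e, mpint n, each with a 4-byte length prefix."""
    blob = base64.b64decode(line.split()[1])
    fields, off = [], 0
    while off < len(blob):
        (ln,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + ln])
        off += 4 + ln
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")

def der_read(buf, off=0):
    """Read one DER TLV at buf[off:]; return (tag, value bytes, offset past it)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                      # long-form length, used by real 2048-bit keys
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + ln], off + ln

def parse_spki_pem(pem):
    """Decode a 'BEGIN PUBLIC KEY' block (SubjectPublicKeyInfo) into (e, n).
    SEQUENCE { AlgorithmIdentifier, BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }"""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, spki, _ = der_read(base64.b64decode(b64))
    _, _alg, off = der_read(spki)      # rsaEncryption AlgorithmIdentifier, not needed
    _, bits, _ = der_read(spki, off)
    _, rsapub, _ = der_read(bits[1:])  # bits[0] is the unused-bits count (0)
    _, n, off = der_read(rsapub)
    _, e, _ = der_read(rsapub, off)
    return int.from_bytes(e, "big"), int.from_bytes(n, "big")

def keys_match(openssh_line, spki_pem):
    """True when the authorized_keys entry and the certificate carry the same RSA key."""
    return parse_openssh_rsa(openssh_line) == parse_spki_pem(spki_pem)

# Constructed sample input: a toy 64-bit modulus with e=65537, hand-encoded in both
# formats (far too small for real use; the parsers handle 2048-bit keys the same way).
SAMPLE_SSH_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAACHpcOxni1PYH kirk@toy"
SAMPLE_SPKI_PEM = """-----BEGIN PUBLIC KEY-----
MCMwDQYJKoZIhvcNAQEBBQADEgAwDwIIelw7GeLU9gcCAwEAAQ==
-----END PUBLIC KEY-----"""
# Same toy key with the last modulus byte changed: keys_match() must return False.
OTHER_SSH_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAACHpcOxni1PYI kirk@other"
```

On a real system, feed it the user's id_rsa.pub line and the output of `openssl x509 -in test.pkcs10 -noout -pubkey`; a False result means the wrong key was used in step 1.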