SAF support also available for SSH-Server

Post by Ulrich Schmidt »

Hello,

Thank you for this SAF-support. I think it's a great idea. I tried to get familiar with it. COZLNCH is running fine.
But I don't see how to associate the keyring to the sftp-client.
And I couldn't figure out whether you also support the ssh-server with this new feature.

brgds,
Ulrich Schmidt

Post by dovetail »

Ulrich,

Thanks for your encouragement.

To use a keyring with the Co:Z SFTP client, you use the "-k" command line switch. The argument to this switch is either "ringname" or "ringname:label". If you only supply the ring name, we use the default certificate in the ring.

Here's an example:
http://dovetail.com/docs/sftp/client.ht ... batch_cert

We are only able to provide this support for the Co:Z SFTP client and the Co:Z launcher, since we are able to use the OpenSSH client's "ssh agent" protocol, which does not require modifications to IBM's ssh client. Adding SAF certificate support to the sftp-server would require modifications to IBM's sshd server.

Kirk Wolf
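
Added example, not part of the original posts and not Dovetail's code: a minimal sketch of the generic ssh-agent wire exchange the reply above refers to, showing that the ssh client only needs to send a sign request and never handles the private key. The message numbers are those of the ssh-agent protocol; the key blob, the `MYRING:mylabel` comment and the signer are constructed placeholders standing in for a keystore.

```python
import hashlib, struct

# Message numbers defined by the ssh-agent protocol.
SSH_AGENT_FAILURE, SSH_AGENTC_REQUEST_IDENTITIES, SSH_AGENT_IDENTITIES_ANSWER = 5, 11, 12
SSH_AGENTC_SIGN_REQUEST, SSH_AGENT_SIGN_RESPONSE = 13, 14

def ssh_string(b):
    return struct.pack(">I", len(b)) + b  # uint32 length prefix, then the bytes

def read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def frame(msg_type, payload=b""):
    body = bytes([msg_type]) + payload
    return struct.pack(">I", len(body)) + body

def unframe(packet):
    if len(packet) < 5 or struct.unpack_from(">I", packet)[0] != len(packet) - 4:
        raise ValueError("bad frame length")
    return packet[4], packet[5:]

def handle(packet, keys):
    """Agent side. keys maps public-key blob -> (comment, sign_fn)."""
    try:
        msg_type, payload = unframe(packet)
        if msg_type == SSH_AGENTC_REQUEST_IDENTITIES:
            out = struct.pack(">I", len(keys))
            for blob, (comment, _) in keys.items():
                out += ssh_string(blob) + ssh_string(comment)
            return frame(SSH_AGENT_IDENTITIES_ANSWER, out)
        if msg_type == SSH_AGENTC_SIGN_REQUEST:
            blob, off = read_string(payload, 0)
            data, off = read_string(payload, off)  # uint32 flags follow; ignored here
            if blob in keys:
                # The private key never crosses the socket, only the signature does.
                return frame(SSH_AGENT_SIGN_RESPONSE, ssh_string(keys[blob][1](data)))
    except (ValueError, struct.error):
        pass  # malformed or truncated request
    return frame(SSH_AGENT_FAILURE)

# Constructed sample: placeholder blob and a stand-in signer (NOT a real signature).
KEYS = {b"constructed-pubkey-blob": (b"MYRING:mylabel", lambda d: b"SIG:" + hashlib.sha256(d).digest())}

def client_sign(data, blob=b"constructed-pubkey-blob"):
    req = frame(SSH_AGENTC_SIGN_REQUEST, ssh_string(blob) + ssh_string(data) + struct.pack(">I", 0))
    return unframe(handle(req, KEYS))
```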

Post by Ulrich Schmidt »

Hello Kirk,

sftp works fine, thank you. In the forum for Co:Z SFTP the new version 1.5 wasn't mentioned, so I did not think of trying the brochure.

brgds,
Ulrich

Post by dovetail »

Ulrich,

Just curious - are you using existing SAF certificates that you previously used with FTP or did you define new ones?

Also, are you using ICSF with RACF? Are you storing your private key in RACF or ICSF?

Thanks for your feedback.

Post by Ulrich Schmidt »

For testing, I used new certificates. I'm considering whether to use the same ones I have for ftps, but I have not made a decision about this yet. But it should work with those as well.

We are running ICSF for several reasons. One of those reasons is that RACF cannot store keys larger than 1024 bits, and we already have keys 2 Kbits in size. But if we can, we store them in the RACFDS. I personally feel uncomfortable with those CKDS and PKDS datasets; they are too loosely coupled to the security system - you can too easily switch to another dataset, and you might lose vital data by doing so.

brgds,
Ulrich Schmidt