No, what I'm looking to do is to perform a staged migration from OpenSSH-generated keypairs into RACF certificates. Our current situation is as follows: we have many (several hundred) sftp processes, each running under their own unique RACF userid with public/private keys already generated and being used for production file transfer activities.

Thanks to your assistance on the Dovetail bulletin board, I was able to successfully convert an OpenSSH-generated private key and import it into a keyring associated with my personal userid.

My goal is to convert and import every user's private key into a userid-specific key ring, and have that certificate used for authentication purposes to the target server. I'm looking for a method to generically tell OpenSSH to use the keyring/certificate that's defined for that RACF userid without having to have a zos_user_ssh_config file for each user.

Mark Jacobs

On 11/06/12 14:03, Kirk Wolf wrote:
Mark,

IBM Ported Tools OpenSSH doesn't allow you to specify IdentityKeyRingLabel
in the global /etc/ssh/zos_ssh_config file.

You can also specify this option as a command line switch or environment
variable, if that helps.

Do you want to share the actual SAF (RACF/ACF2/TSS) key ring and private key
between users? This can be done, but the required SAF permissions are a
little tricky and not documented very well.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com
+1 636.300.0901

On Tue, Nov 6, 2012 at 12:32 PM, Mark Jacobs <mark.jac...@custserv.com> wrote:

Before I dig even further into the manuals, does anyone know if there's a
way to specify in a globally accessible ssh configuration file to use a
certificate attached to a key ring for the private key?

I know I can use the user specific zos_user_ssh_config file, but I'd like
to utilize a single controlling configuration file, rather than a plethora
of user files.

--
Mark Jacobs
Time Customer Service
Tampa, FL
----

The quiet ones are the ones that change the universe...
The loud ones only take the credit.

Londo Mollari - Babylon 5

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
