Name
saf-ssh-agent — enable ssh client authentication via SAF/RACF Digital Certificates
Synopsis
saf-ssh-agent -x [-f export_file] keyring[:label]
saf-ssh-agent -b asn1_file keyring[:label]
saf-ssh-agent -c keyring[:label] command [command_args...]
Description
This z/OS Co:Z utility is similar in function to the OpenSSH ssh-agent, but rather than automatically authenticating the ssh client with ssh keys, it provides for authentication with SAF/RACF Digital Certificates.
keyring[:label] is the keyring (and optional certificate label) to use.
Options
-x
    extract the public key from a SAF/RACF Digital Certificate in OpenSSH format.
-f export_file
    The file to export the OpenSSH format key. If this option is omitted, the key will be written to stdout.
-b asn1-file
    extract the public key (in binary ASN1 format) to a file. This option is used for diagnostic purposes.
-c
    run command as a child process after initializing saf-ssh-agent. This enables command to authenticate with the supplied keyring[:label]. Generally, this option is used to run ssh as a child process, allowing it to take advantage of SAF RACDCERT authentication.
Examples
This example shows how to extract an OpenSSH public key from a SAF/RACF Digital Certificate. In this case, the key is written to stdout.

    /dovetail/coz/bin: > saf-ssh-agent -x MY-RING
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDVoW8HzKQYIfVqOZpEHgPLLfUkqg68fyBc
    XTDUpFyQiIoKWRh1rHHa4DlQxa80lMPzr+VvyzvJrgzXI0OVp9A09yLgr4XxtrkrfTY3nojT
    35y3bZqZXTefCX5atN8yaORfkXZeYl4H+ojdQK3ywHdDlqOMTSl1Cj4/9w67JNTXXw== CN=
    Stephen Goetze,OU=Development,O=Dovetailed Technologies,C=US
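Added example, not part of the Co:Z documentation: a Python check that can be run on the key line printed by -x before it is installed on a remote host. It parses the OpenSSH wire-format blob, confirms the key type inside the blob matches the label outside it, and reports the SHA256 fingerprint and RSA modulus size. The function names and the 2048-bit MIN_RSA_BITS threshold are assumptions (a site policy), not behaviour of saf-ssh-agent.

```python
import base64
import hashlib
import struct

# Key line from the -x example above, with the display line wraps joined.
SAMPLE = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDVoW8HzKQYIfVqOZpEHgPLLfUkqg68fyBc"
    "XTDUpFyQiIoKWRh1rHHa4DlQxa80lMPzr+VvyzvJrgzXI0OVp9A09yLgr4XxtrkrfTY3nojT"
    "35y3bZqZXTefCX5atN8yaORfkXZeYl4H+ojdQK3ywHdDlqOMTSl1Cj4/9w67JNTXXw== "
    "CN= Stephen Goetze,OU=Development,O=Dovetailed Technologies,C=US"
)
MIN_RSA_BITS = 2048  # assumed site policy, not enforced by the utility


def _fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("field runs past end of blob")
        out.append(blob[pos:pos + n])
        pos += n
    return out


def inspect_pubkey(line):
    """Parse one OpenSSH public key line and return facts worth reviewing."""
    key_type, b64, *comment = line.split(None, 2)
    blob = base64.b64decode(b64, validate=True)
    fields = _fields(blob)
    if not fields or fields[0] != key_type.encode():
        raise ValueError("key type outside and inside the blob differ")
    digest = hashlib.sha256(blob).digest()
    info = {
        "type": key_type,
        "comment": comment[0] if comment else "",  # certificate DN for -x output
        "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
    }
    if key_type == "ssh-rsa":
        if len(fields) != 3:
            raise ValueError("ssh-rsa blob must hold type, exponent, modulus")
        e, n = (int.from_bytes(f, "big") for f in fields[1:])
        info.update(exponent=e, bits=n.bit_length(),
                    weak=n.bit_length() < MIN_RSA_BITS)
    return info
```

Calling inspect_pubkey(SAMPLE) reports the documentation's sample key as a 1024-bit RSA key, which falls below the assumed threshold.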
This example shows how to run ssh as a child process to execute the who command on the remote system linux.com. The ssh client will authenticate via the SAF RACDCERT contained in MY-RING.

    /dovetail/coz/bin: > saf-ssh-agent -c MY-RING ssh myid@linux.com who
    myid tty7 2009-12-29 06:15 (:0)
    myid pts/0 2009-12-29 11:23 (:0.0)
    myid pts/1 2010-01-08 11:43 (:0.0)