saf-ssh-agent — Co:Z utility to enable ssh client authetication via SAF/RACF Digital Certificates
keyring[:label] command [command_args...]
This z/OS Co:Z utility is similar in function to the OpenSSH ssh-agent, but rather than automatically authenticating the ssh client with ssh keys, it provides for authentication with SAF/RACF Digital Certificates.
keyring[:label] is the keyring (and optional certifcate label) to use.
extract the public key from a SAF/RACF Digital Certificate in OpenSSH format.
The file to export the OpenSSH format key. If this option is omitted, the key will be written to
extract the public key (in binary ASN1 format) to a file. This option is used for diagnostic purposes.
commandas a child process after initializing saf-ssh-agent. This enables
commandto authenticate with the supplied
keyring[:label]. Generally, this option is used to run ssh as a child process, allowing it to take advantage of SAF RACDCERT authentication.
This example shows how to extract an OpenSSH public key from a SAF/RACF Digital Certificate. In this case, the key is written to
/dovetail/coz/bin: > saf-ssh-agent -x MY-RING ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDVoW8HzKQYIfVqOZpEHgPLLfUkqg68fyBc XTDUpFyQiIoKWRh1rHHa4DlQxa80lMPzr+VvyzvJrgzXI0OVp9A09yLgr4XxtrkrfTY3nojT 35y3bZqZXTefCX5atN8yaORfkXZeYl4H+ojdQK3ywHdDlqOMTSl1Cj4/9w67JNTXXw== CN= Stephen Goetze,OU=Development,O=Dovetailed Technologies,C=US
This example shows how to run ssh as a child process to execute the who command on the remote system linux.com. The ssh client will authenticate via the SAF RACDCERT contained in
/dovetail/coz/bin: > saf-ssh-agent -c MY-RING ssh email@example.com who myid tty7 2009-12-29 06:15 (:0) myid pts/0 2009-12-29 11:23 (:0.0) myid pts/1 2010-01-08 11:43 (:0.0)