saf-ssh-agent — enable ssh client authentication via SAF/RACF Digital Certificates


saf-ssh-agent -x [-f export_file] keyring[:label]
saf-ssh-agent -b asn1_file keyring[:label]
saf-ssh-agent -c keyring[:label] command [command_args...]


This z/OS Co:Z utility is similar in function to the OpenSSH ssh-agent, but rather than automatically authenticating the ssh client with ssh keys, it provides for authentication with SAF/RACF Digital Certificates.

keyring[:label] is the keyring (and optional certificate label) to use.

-x

Extract the public key from a SAF/RACF Digital Certificate in OpenSSH format.

-f export_file

The file to export the OpenSSH format key. If this option is omitted, the key will be written to stdout.

-b asn1_file

Extract the public key (in binary ASN1 format) to a file. This option is used for diagnostic purposes.

-c

Run command as a child process after initializing saf-ssh-agent. This enables command to authenticate with the supplied keyring[:label]. Generally, this option is used to run ssh as a child process, allowing it to take advantage of SAF RACDCERT authentication.


  1. This example shows how to extract an OpenSSH public key from a SAF/RACF Digital Certificate. In this case, the key is written to stdout.

    /dovetail/coz/bin: > saf-ssh-agent -x MY-RING
    35y3bZqZXTefCX5atN8yaORfkXZeYl4H+ojdQK3ywHdDlqOMTSl1Cj4/9w67JNTXXw== CN=
    Stephen Goetze,OU=Development,O=Dovetailed Technologies,C=US      
  2. This example shows how to run ssh as a child process to execute the who command on the remote system. The ssh client will authenticate via the SAF RACDCERT contained in MY-RING.

    /dovetail/coz/bin: > saf-ssh-agent -c MY-RING ssh who
    myid   tty7         2009-12-29 06:15 (:0)
    myid   pts/0        2009-12-29 11:23 (:0.0)
    myid   pts/1        2010-01-08 11:43 (:0.0)
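
A check for the key line that -x exports (to stdout or to export_file), given here as an added example that is not part of the original page or of the Co:Z product: it confirms the line is a well-formed OpenSSH public key and returns its SHA256 fingerprint for comparison. The function names and the sample key are constructed for illustration, and it assumes a plain public key line of the form key-type, base64 data, optional comment.

```python
import base64
import hashlib
import struct


def _read_string(blob, offset):
    # RFC 4251 "string": 4-byte big-endian length, then that many bytes.
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("field runs past end of key blob")
    return blob[offset + 4:end], end


def check_exported_key(line):
    """Validate one OpenSSH public key line; return (type, fingerprint, comment)."""
    parts = line.strip().split(None, 2)  # comment may contain spaces (a subject DN)
    if len(parts) < 2:
        raise ValueError("expected '<key-type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError("key data is not valid base64") from exc
    inner_type, offset = _read_string(blob, 0)
    if inner_type != key_type.encode("ascii", "replace"):
        raise ValueError("key type inside blob does not match the line prefix")
    fields = 0
    while offset < len(blob):  # every remaining field must be length-consistent
        _, offset = _read_string(blob, offset)
        fields += 1
    if fields == 0:
        raise ValueError("blob carries no key material")
    digest = hashlib.sha256(blob).digest()
    return key_type, "SHA256:" + base64.b64encode(digest).decode().rstrip("="), comment


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


# Constructed sample, not a real key: ssh-rsa layout with a made-up exponent/modulus.
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(b"\x00" + bytes(range(1, 129))))
SAMPLE_LINE = ("ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()
               + " CN=Example User,OU=Test,O=Example Org,C=US")
```

Calling check_exported_key on the contents of export_file raises ValueError for a truncated or mismatched line; the returned fingerprint uses the same SHA256 form that ssh-keygen -l prints.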
