Does password authentication require to have authorized_keys

Discussion of the free COZBATCH utility for z/OS
Post Reply
igortr
Posts: 8
Joined: Tue Aug 25, 2015 2:50 pm

Does password authentication require to have authorized_keys

Post by igortr » Wed Aug 26, 2015 1:05 pm

Another mainframe to mainframe sftp question: we use batch job/password for sftp/authentication and we were told that we still need to have file authorized_keys in u/HOME/.ssh. Is that correct?
Please advice.
thank you.

dovetail
Site Admin
Posts: 1850
Joined: Thu Jul 29, 2004 12:12 pm

Re: Does password authentication require to have authorized_keys

Post by dovetail » Wed Aug 26, 2015 3:23 pm

No, you do not need a $HOME/.ssh/authorized_keys file if you are using password auth.

This file is a server-side file where public keys are registered, which must match a private key used by the SSH client. It is not used for password authentication of the user.

No matter what kind of user authentication you use (password, key, etc), you will normally still need to have the client authenticate the server (host) identity. This is typically done with a "known_hosts" file on the client machine.

igortr
Posts: 8
Joined: Tue Aug 25, 2015 2:50 pm

Re: Does password authentication require to have authorized_keys

Post by igortr » Thu Aug 27, 2015 8:51 am

Thank you so much for your help. Just to clarify: when I do mainframe to mainframe sftp the ACF2 password created for the sftp ID is enough for the authentication. Is this correct?
thank you
Igor

dovetail
Site Admin
Posts: 1850
Joined: Thu Jul 29, 2004 12:12 pm

Re: Does password authentication require to have authorized_keys

Post by dovetail » Thu Aug 27, 2015 9:05 am

Right: the mainframe server (IBM Ported Tools OpenSSH SSHD) canl authenticate the userid using only the ACF2 password.

But don't forget: with SSH, the client will also authenticate the server using the server's SSH Host key.

igortr
Posts: 8
Joined: Tue Aug 25, 2015 2:50 pm

Re: Does password authentication require to have authorized_keys

Post by igortr » Thu Sep 03, 2015 9:37 am

Does this means that I still need to have a public key on my site even though I use password option for authentication?
thank you.

dovetail
Site Admin
Posts: 1850
Joined: Thu Jul 29, 2004 12:12 pm

Re: Does password authentication require to have authorized_keys

Post by dovetail » Thu Sep 03, 2015 10:02 am

You will need to have the server's host public key on your client (in .ssh/known_hosts or /etc/ssh/ssh_known_hosts) or accept the key the first time you connect.

For more information on how this works, I would suggest that you take a look at the presentation:

"IBM Ported Tools for z/OS: OpenSSH - Key Authentication"
at: http://dovetail.com/webinars.html

igortr
Posts: 8
Joined: Tue Aug 25, 2015 2:50 pm

Re: Does password authentication require to have authorized_keys

Post by igortr » Thu Sep 03, 2015 10:42 am

thanks a lot, will look into documentation

Post Reply