AuthenticationMethods

A discussion of Co:Z sftp, a port of OpenSSH sftp for z/OS
Post Reply
keer1gl
Posts: 2
Joined: Thu Jun 21, 2018 11:17 am

AuthenticationMethods

Post by keer1gl » Mon Jul 08, 2019 2:03 pm

z/OS OpenSSH 2.3 User's Guide mentions AuthenticationMethods as a way to require multiple authentication methods. I am trying to set up a transfer with a client that is requiring public key and then password authentication. I only want to require the multiple authentication for this client and want to run the job in batch. Has anyone been able to set this up successfully? Could you provide sample JCL?

dovetail
Site Admin
Posts: 1899
Joined: Thu Jul 29, 2004 12:12 pm

Re: AuthenticationMethods

Post by dovetail » Thu Jul 11, 2019 4:33 pm

Which side is the z/OS ssh client and which is the server? (The client starts the connection to the server)
Are you using the word "client" to mean something else?

FYI: AuthenticationMethods is a sshd server configuration option.

Bernhard
Posts: 7
Joined: Thu Jun 14, 2018 6:32 am

Re: AuthenticationMethods

Post by Bernhard » Tue Jul 23, 2019 8:15 am

I think I have a similar question - in my case regarding only the sFTP client (on z/OS):

...
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /.ssh/id_rsa
...

I want to enforce the client to only try a login by publickey. Is there any option to suppress all other authentication method trials?

And: is there any debugging feature which can show me in detail what did (not) work after "we sent a publickey packet, wait for reply"?

Thanks in advance
Bernhard

dovetail
Site Admin
Posts: 1899
Joined: Thu Jul 29, 2004 12:12 pm

Re: AuthenticationMethods

Post by dovetail » Fri Jul 26, 2019 9:14 am

You can disable specific authentication methods for the ssh client by setting options in /etc/ssh/ssh_config.

For example:

Code: Select all

PasswordAuthentication no
GSSAPIAuthentication no
GSSAPIKeyExchange no
ChallengeResponseAuthentication no

Post Reply