Avoiding problems with SSH in a collective
Learn to avoid problems with SSH in a collective. Security problems usually relate to a user not having access to a resource because security is too restrictive. The SSH configuration option StrictModes protects public and private key files against the opposite problem, when security is too permissive. SSH provides secure communications between systems without password authentication, but SSH does not work if the permissions on certain directories and files are not strict enough.
About this task
The collective controller uses SSH to start and stop collective members. The Admin Center also uses SSH when you view and edit configuration files. Both of these functions fail if certain SSH directory and file permissions are too permissive.
For SSH support on z/OS®, see IBM® Ported Tools for z/OS: OpenSSHUser's Guide in the OpenSSH documentation.
- What is SSH?
- The collective scripts create the files that the controller uses to log in to member services
that use public and private key authentication, which is the most secure authentication SSH method.
To protect public and private key authentication keys, access to the files that contain the keys
need to be restricted to the user who owns the keys.
Permissions on the directories or files that hold SSH keys must not allow write access to the UNIX group or other permission bits. For example, SSH does not work correctly if the permissions are 770, 775 or 777.
- StrictModes
- OpenSSH enables the StrictModes option by default. StrictModes disable the use of public and private key authentication if the required files are not properly protected to protect public key files when security is too relaxed.
- Troubleshoot SSH
- When you troubleshoot collective security problems where the controller cannot start or stop a member, or you cannot view or edit configuration files by using the Admin Center, if you disable StrictModes and the problem is solved, then the ownership, group, or world access to ssh directories or files that are related to public and private key authentication are incorrect. Correct the access and reenable StrictModes.