OpenSSH on IBM i (AS400) – some hints

Estimated reading time: 4 mins

Table of contents

Preface

I was asked to repost this article from our old wiki. So here it is - with the content back from 2011. If I find some time I’ll post how to restrict ssh access to users with a predefined group profile. Or better let me know if you are interested in it :)

Prerequisites

Install Portable App Solutions Environment i5/OS PASE which is shipped as i5/OS option 33.

1

RSTLICPGM LICPGM(5733SC1) DEV(OPTxx) OPTION(33) RSTOBJ(*PGM)

Installation

Install IBM Portable Utilities for i5/OS (*BASE) and OpenSSH, OpenSSL, zlib Libs (Opt 1) from your i5/OS Installation Media in Drive OPTxx.

1
2

RSTLICPGM LICPGM(5733SC1) DEV(OPTxx) OPTION(*BASE) RSTOBJ(*ALL) LNG(2924)
RSTLICPGM LICPGM(5733SC1) DEV(OPTxx) OPTION(1) RSTOBJ(*PGM)

Setup

For setup use CL (Command Language) commands or the build terminal to change configuration files

1
2

STRQSH or 
CALL QP2TERM

Config file location

1
2
3

For V5.4: WRKLNK OBJ('/QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/*') DETAIL(*EXTENDED) DSPOPT(*ALL) 
For V6.1: WRKLNK OBJ('/QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.8.1p1/etc/*') 
For V7.1: WRKLNK OBJ('/QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-4.7p1/etc/*')

After the first call of WRKLNK the DETAIL and DSPOPT parameter doesn’t have to be specified anymore. If you are more familiar with vi use this commands…

1
2

EDTF '/QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/* or
CALL QP2TERM <Enter> and vi

(Auto)start ssh daemon

From V6.1 and following, the start is done with an integrated CL command. System wide key files ar generated at first start!!! Autostart can be d

1

STRTCPSVR SERVER(*SSHD)

At V5.4 there is some more work, with QSECOFR or a user with following prerequisites, is to be done…

  • The userid that starts the daemon must have *ALLOBJ special authority
  • The userid that starts the daemon must be 8 or fewer characters long
  • Before starting sshd for the first time, you will need to generate host keys starting a PASE shell (STRQSH or CALL QP2TERM)

1
2
3

ssh-keygen -t rsa1 -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_key -N ""
ssh-keygen -t dsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_dsa_key -N ""
ssh-keygen -t rsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_rsa_key -N ""

Start the sshd daemon within the same job…

1

QSH CMD ('/QOpenSys/usr/sbin/sshd')

or in a new job using PASE shell

1

/usr/sbin/sshd &
or in a new job useing CL

1

SBMJOB CMD(CALL PGM(QP2SHELL) PARM('/QOpenSys/usr/sbin/sshd'))

For Autostart contact you AS400 SysAdmin to plan a Scheduler Entry (WRKJOBSCDE) with QSECOFR Profile in order to be sure that all thinks will run.

Stopping sshd

From V6.1 and following use…

1

ENDTCPSVR SERVER(*SSHD)

In V5.4 you may find the running job and ‘kill’ it…

1

WRKUSRJOB USER(QSECOFR) STATUS(*ACTIVE)

and stop the job using selection 4 ending for the Job with the function PGM-sshd. If more than one job is listed, then there are active connections to you system.

Enable public key authentication

Unmask the following lines in the sshd_config file.

1
2
3

RSAAuthentication yes                   
PubkeyAuthentication yes                
AuthorizedKeysFile .ssh/authorized_keys

Generate keys and exchange them on user basis as on any other linux/unix based system. Be aware that public key authentication will not work if public (write) authority is set to some directories or files … just read on.

Nice hints

Check this before connect to ssh on AS400

  • The userid that is connecting must be 8 or fewer characters long
  • For public key authentication verify the permissions on the userid’s directories and files
  • The userid’s home directory must not have public write authority ( chmod go-w /home/myuserid )
  • The userid’s /home/myuserid/.ssh directory and /home/myuserid/.ssh/authorized_keys file must not have any public authorities (chmod go-rwx /home/userid/.ssh and chmod go-rwx /home/myuserid/.ssh/authorized_keys )
Once connected, you will be at a PASE for i command line.

Restrictions on ssh, sftp or scp in PASE shell

The PASE shell (STRQSH or CALL QP2TERM) is not a true TTY device. This can cause problems when trying to use ssh, sftp or scp within one of these sessions. Try this as work-a-round:
  • For ssh: use the -T option to not allocate a tty when connecting
  • For sftp and scp: use the ssh-agent utility and public key authentication to avoid sftp and scp prompting for passwords or passphrases

References and Links

IBM Redbooks on this topic Another straight forward guide Using chroot to restrict jail access to specific directories Some security considerations

Posted on: Fri, 21 Apr 2017 22:02:12 +0200 by Markus Neuhold
  • IBM
  • PASE
    • Markus Neuhold
    IBM i (AS/400) SysAdmin since 1997, Linux fanboy and loving open source, docker and all about tech and science.
    www.n0r1sk.com 2009 - 2023
    All content, if not otherwise mentioned is CC-BY 4.0Creative Commons Lizenzvertrag