OpenSSH on IBM i (AS400) – some hints


Preface

I was asked to repost this article from our old wiki, so here it is, with the content back from 2011. If I find some time I'll post how to restrict ssh access to users with a predefined group profile. Or better, let me know if you are interested in it :)

Prerequisites

Install the Portable Application Solutions Environment (i5/OS PASE), which is shipped as i5/OS option 33.

RSTLICPGM LICPGM(5733SC1) DEV(OPTxx) OPTION(33) RSTOBJ(*PGM)

Installation

Install IBM Portable Utilities for i5/OS (*BASE) and OpenSSH, OpenSSL, zlib Libs (Option 1) from your i5/OS installation media in drive OPTxx.

RSTLICPGM LICPGM(5733SC1) DEV(OPTxx) OPTION(*BASE) RSTOBJ(*ALL) LNG(2924)
RSTLICPGM LICPGM(5733SC1) DEV(OPTxx) OPTION(1) RSTOBJ(*PGM)

Setup

For setup, use CL (Command Language) commands or the built-in terminal to change the configuration files:

STRQSH or
CALL QP2TERM

Config file location

For V5.4: WRKLNK OBJ('/QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/*') DETAIL(*EXTENDED) DSPOPT(*ALL)
For V6.1: WRKLNK OBJ('/QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.8.1p1/etc/*')
For V7.1: WRKLNK OBJ('/QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-4.7p1/etc/*')

After the first call of WRKLNK the DETAIL and DSPOPT parameters don't have to be specified anymore. If you are more familiar with vi, use these commands…

EDTF '/QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/*' or
CALL QP2TERM <Enter> and vi

(Auto)start ssh daemon

From V6.1 onwards, the daemon is started with an integrated CL command. The system-wide host key files are generated at the first start! Autostart can be d

STRTCPSVR SERVER(*SSHD)

At V5.4 there is some more work to be done, with QSECOFR or a user that meets the following prerequisites…

  • The userid that starts the daemon must have *ALLOBJ special authority
  • The userid that starts the daemon must be 8 or fewer characters long
  • Before starting sshd for the first time, you will need to generate host keys starting a PASE shell (STRQSH or CALL QP2TERM)

ssh-keygen -t rsa1 -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_key -N ""
ssh-keygen -t dsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_dsa_key -N ""
ssh-keygen -t rsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_rsa_key -N ""

Start the sshd daemon within the same job…

QSH CMD('/QOpenSys/usr/sbin/sshd')

or in a new job using the PASE shell

/usr/sbin/sshd &

or in a new job using CL

SBMJOB CMD(CALL PGM(QP2SHELL) PARM('/QOpenSys/usr/sbin/sshd'))

For autostart, contact your AS400 SysAdmin to plan a job scheduler entry (WRKJOBSCDE) under the QSECOFR profile, so that everything is sure to run.

Stopping sshd

From V6.1 and following use…

ENDTCPSVR SERVER(*SSHD)

In V5.4 you may find the running job and 'kill' it…

WRKUSRJOB USER(QSECOFR) STATUS(*ACTIVE)

and end the job using option 4 (End) on the job whose function is PGM-sshd. If more than one such job is listed, there are active connections to your system.

Enable public key authentication

Uncomment the following lines in the sshd_config file.

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Generate keys and exchange them per user as on any other Linux/Unix based system. Be aware that public key authentication will not work if public (write) authority is set on certain directories or files … just read on.

Nice hints

Check this before connecting to ssh on AS400

  • The userid's home directory must not have public write authority ( chmod go-w /home/myuserid )
  • The userid's /home/myuserid/.ssh directory and /home/myuserid/.ssh/authorized_keys file must not have any public authorities ( chmod go-rwx /home/myuserid/.ssh and chmod go-rwx /home/myuserid/.ssh/authorized_keys )

Once connected, you will be at a PASE for i command line.
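As an added example that is not part of the original post: a small POSIX shell function (the name check_ssh_perms is mine) that checks the three permission rules above for a given home directory. It reads the mode string from `ls -ld`, so it runs in the PASE shell, where GNU stat is not available, as well as on Linux.

```shell
#!/bin/sh
# check_ssh_perms HOME_DIR   (hypothetical helper, not from the original post)
# Verifies the rules sshd's StrictModes enforces, as listed above:
#   1. HOME_DIR is not group/other writable                       (chmod go-w)
#   2. HOME_DIR/.ssh has no group/other permissions               (chmod go-rwx)
#   3. HOME_DIR/.ssh/authorized_keys has no group/other permissions (chmod go-rwx)
# Returns 0 when all rules hold, 1 otherwise, printing one line per violation.

mode_of() {
    # Print the 10-character mode field of `ls -ld`, e.g. "drwx------",
    # or nothing if the path does not exist.
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

no_public_bits() {
    # Characters 5-10 of the mode string are the group and other triplets.
    [ "$(printf '%s' "$1" | cut -c5-10)" = "------" ]
}

check_ssh_perms() {
    home="$1"
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ -z "$(mode_of "$p")" ]; then
            echo "missing: $p"
            return 1
        fi
    done

    m=$(mode_of "$home")
    # Character 6 is the group write bit, character 9 the other write bit.
    if [ "$(printf '%s' "$m" | cut -c6)" = "w" ] || \
       [ "$(printf '%s' "$m" | cut -c9)" = "w" ]; then
        echo "group/other writable: $home ($m)"
        rc=1
    fi

    for p in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        m=$(mode_of "$p")
        if ! no_public_bits "$m"; then
            echo "has group/other permissions: $p ($m)"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_ssh_perms.sh /home/myuserid
if [ "$#" -gt 0 ]; then
    check_ssh_perms "$1"
fi
```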

Restrictions on ssh, sftp or scp in PASE shell

The PASE shell (STRQSH or CALL QP2TERM) is not a true TTY device. This can cause problems when trying to use ssh, sftp or scp within one of these sessions. Try this as a workaround:


Posted on: Fri, 21 Apr 2017 22:02:12 +0200 by Markus Neuhold
