SSH Setup

Brief

Set up the SSH daemon on your i5/OS system.

Dependencies

Configuration

RSTLICPGM LICPGM(5733SC1) DEV(OPTxx) OPTION(*BASE) RSTOBJ(*ALL) LNG(2924)
RSTLICPGM LICPGM(5733SC1) DEV(OPTxx) OPTION(1) RSTOBJ(*PGM)

Enable X Windows forwarding by editing the sshd_config file to set X11Forwarding yes:
 on V5R3 or V5R4:
   /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/sshd_config 
 on V6R1:
   /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.8.1p1/etc/sshd_config

Create server host keys:
 on V5R3 or V5R4:
  (you only need to do this once after 5733-SC1 SSH install):
   CALL QP2TERM
   >ssh-keygen -t rsa1 -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_key -N ""
   >ssh-keygen -t dsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_dsa_key -N ""
   >ssh-keygen -t rsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_rsa_key -N ""
 on V6R1
   the server host keys will be created if necessary during STRTCPSVR *SSHD

No-password ssh, scp, etc.

On 400
> strTCPSVR SERVER(*SSHD)

On PC
$ ssh-keygen -t rsa -N ""
-- or --
$ ssh-keygen -t dsa -N ""

-- copy public key to /home/me/.ssh/authorized_keys --
$ ssh-copy-id me@myibmi

-- no password sign-on --
$ ssh me@myibmi 

Enable graphics

======
client
======
> xhost + myibmi
> ssh -X me@myibmi
if your client ssh is newer and -X fails with security errors, use trusted X11 forwarding (-Y) ...
> ssh -Y me@myibmi

====
IBM i
====
endTCPSVR *SSHD
/QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-4.7p1/etc/sshd_config    (version varies by release, PTF, etc.)
X11Forwarding yes
strTCPSVR *SSHD

=====
if you see connection rejected ...
=====
> ssh -X me@myibmi
X11 connection rejected because of wrong authentication.
X connection to localhost:10.0 broken (explicit kill or server shutdown).

On client side (laptop) ...
> xhost + myibmi


======
If you see this error (especially non-English systems) ...
======
$ ssh -X me@myibmi
me@myibmi's password: 
/QOpenSys/usr/bin/X11/xauth: (stdin):1:  1356-373 unknown command "Usage:"
/QOpenSys/usr/bin/X11/xauth: (stdin):2:  1356-373 unknown command "-n"

you will also see this error on client
even after you xhost + myibmi
> ssh -X me@myibmi
X11 connection rejected because of wrong authentication.
X connection to localhost:10.0 broken (explicit kill or server shutdown).


Newer versions of sshd (SC1):
edtf '/QOpenSys/QIBM/ProdData/SC1/OpenSSH/etc/sshd_config'
    # ibmpaseforilangid ESP
    # ibmpaseforicntryid ES
un-comment and set ibmpaseforilangid/ibmpaseforicntryid to a valid combination:
    ibmpaseforilangid ENU
    ibmpaseforicntryid ES
this will force LANG=C and CCSID=819 (works for most graphics)

Note (older versions SC1):
If your sshd version is too old, you will not see the ibmpasefori* keywords
and sshd will not start, so start it manually:
    # $ call qp2term
    # $ export CCSID=819
    # $ export LANG=C
    # $ /usr/sbin/sshd

==========
if you see this error ...
==========
$ /usr/sbin/sshd
error: Could not load host key: /QOpenSys/../ssh_host_ed25519_key
$ ssh-keygen -A

=========
older versions sshd
=========
... start from PASE (especially non-English systems) ...
call qp2term
export CCSID=819
export LANG=C
/usr/sbin/sshd&

Profile names longer than 8 characters

Take two PTFs and call me in the morning … standard IBM i answer.

  • V6 SI43594 - SC1-SSH-UNPRED SPECIFY PASE_USRGRP_LIMITED FOR SSHD
  • V7 SI43709 - SC1-SSH-UNPRED SPECIFY PASE_USRGRP_LIMITED FOR SSHD

The trick is to edit the sshd_config of whatever OpenSSH release you are running and add ibmpaseforienv PASE_USRGRP_LIMITED=N

/QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.8.1p1/etc/sshd_config
ibmpaseforienv PASE_USRGRP_LIMITED=N

My v6 machine test ...
adc@cairns:~$ ssh -X long567890@lp0264d
long567890@lp0264d's password: 
Welcome to LP0264D
% tcsh 
> grep -i PASE_USRGRP_LIMITED /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.8.1p1/etc/sshd_config
ibmpaseforienv PASE_USRGRP_LIMITED=N
> 
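
A check for the sshd_config settings used above (X11Forwarding, ibmpaseforilangid/ibmpaseforicntryid, ibmpaseforienv), as an added example that is not part of the original page or IBM's code. It relies on OpenSSH using the first uncommented occurrence of a keyword, which a plain grep does not distinguish from a commented-out line. Assumptions: the ibmpasefori* keywords follow the same rule, and the function names and sample file are made up for illustration.

```shell
#!/bin/sh
# Added example, not IBM's code. sshd acts on the first uncommented occurrence
# of a keyword (case-insensitive). Only "keyword value" lines are handled.

# sshd_directive FILE KEYWORD: print the effective global value, if any.
sshd_directive() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        tolower($1) == "match" { exit }        # Match blocks are not global
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# sshd_paseenv FILE NAME: value from the first uncommented
# "ibmpaseforienv NAME=value" line that sets NAME (assumed syntax, as on the page).
sshd_paseenv() {
    awk -v name="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "ibmpaseforienv" {
            for (i = 2; i <= NF; i++)
                if (index($i, name "=") == 1) { print substr($i, length(name) + 2); exit }
        }
    ' "$1"
}

# check_x11_ready FILE: status 0 when the X11 settings above are in effect.
check_x11_ready() {
    [ "$(sshd_directive "$1" X11Forwarding)" = "yes" ] || { echo "X11Forwarding is not yes"; return 1; }
    for kw in ibmpaseforilangid ibmpaseforicntryid; do
        [ -n "$(sshd_directive "$1" "$kw")" ] || { echo "$kw is not set"; return 1; }
    done
    echo "X11 settings in effect"
}

# Constructed sample config (not from a real system); langid left commented.
make_sample() {
    f="${TMPDIR:-/tmp}/sshd_config.sample.$$"
    printf '%s\n' '#X11Forwarding no' 'x11forwarding yes' '# ibmpaseforilangid ESP' \
        'ibmpaseforicntryid ES' 'ibmpaseforienv PASE_USRGRP_LIMITED=N' 'X11Forwarding no' > "$f"
    echo "$f"
}

cfg=$(make_sample)
check_x11_ready "$cfg" || true
echo "PASE_USRGRP_LIMITED=$(sshd_paseenv "$cfg" PASE_USRGRP_LIMITED)"
rm -f "$cfg"
```

On the sample, the check reports ibmpaseforilangid as not set even though grep would find the keyword in the file; point the functions at the sshd_config path for your release to run the same check on a real system.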

Example

Start sshd server side (i5/OS):
 on V5R3 or V5R4:
   CALL QP2TERM
   >/usr/sbin/sshd &
 on V6R1:
   STRTCPSVR *SSHD

Initiate ssh connection from client side (linux works very well):
 >ssh -X myi5
-- or --
 >ssh -X myuserid@myi5.xxx.org (if your PC is not same user name)


Tip: auto-start server-side sshd
 on V5R3 or V5R4, change system value QSTRUPPGM to call a CL program that starts sshd
   PGM
   SBMJOB CMD(QSH CMD('/QOpenSys/usr/bin/sh -c +
      /QOpenSys/usr/sbin/sshd > /tmp/sshdlog.txt 2>&1')) JOB(SSHD) JOBQ(QUSRNOMAX) USER(SSHD)
   ENDPGM
 on V6R1:
   CHGTCPSVR SVRSPCVAL(*SSHD) AUTOSTART(*YES)

Performance

NA

Reference Links