Difference between revisions of "SSH"

From MidrangeWiki
Latest revision as of 16:07, 28 December 2017

SSH, an acronym for Secure SHell, is a method to securely connect to servers where all data, even the userid and password, is encrypted. SSH on iSeries can be used in several scenarios:

  • As a server to enable encrypted file transfer and secure remote commands
  • As a client to use with other secure servers
  • As a secure tunnel to encrypt your regular 5250 telnet sessions

Using the iSeries SSH client

These are instructions on how to use the IBM i ssh client for automatic, secure file transfer. Your business partner has assigned you a remote user account called yourRemoteUser.

Your local system i process will run as user RUSER.

System Requirements

Full instructions can be found in Tech note N1012710 - Configuring the IBM i SSH, SFTP, and SCP Clients to Use Public-Key Authentication (http://www-01.ibm.com/support/docview.wss?uid=nas8N1012710).

  • IBM i 5.4 or higher.
  • Portable App Solutions Environment also known as PASE must be installed on the iSeries server to use ssh. Check the existence of licensed program 57xx-SS1 option 33.
  • Portable Utilities for i 5733-SC1 must be installed.
  • A user profile name that is 8 characters or less in length.
  • See also External links below for the IBM Redbook.

Creating the public/private key pair

  1. Sign on as RUSER
  2. CALL QP2TERM to enter the PASE environment
  3. mkdir /home/ruser to create a HOME directory for the user
  4. chmod 755 /home/ruser to set permissions
  5. ssh-keygen -t rsa -N "" for RSA keys
  6. F3 to exit back to the command line
  7. CHGUSRPRF USRPRF(ruser) HOMEDIR('/home/ruser') to set the home directory in the user profile
  8. Sign off and back on
  • The key pair will be in /home/ruser/.ssh
  • The public key will have a .pub extension
  • The private key will not have an extension
    • It is very important to secure the private key! Use IFS authorities to limit access to the private key only to RUSER.

Getting and storing the remote server public key

  1. Sign on as user RUSER
  2. Send the public key (.pub file) to the remote site
    1. (The public key is added by the server admin to the "~/.ssh/authorized_keys" file on the SSH server.)

To test:

  1. CALL QP2TERM - Start the PASE shell
  2. ssh -T yourRemoteUser@somehost

Using a key issued by someone else

Your business partner may have issued you a key, and now you should use it and not create your own. In this case, copy the key file that you received into the .ssh folder.

Transferring Files

  • A critical difference between most implementations of SCP/SFTP and the PASE environment version is that the commands do _not_ support the -T (tty terminal) switch. This means that authentication by password is _not_ supported.

Instead, you must place your public key on the remote server you intend to connect with.

Copying files with SCP

To copy all xml files from the IN directory on the remote server to the /b2b/incoming IFS folder:

scp -o IdentityFile=~/.ssh/id_rsa yourRemoteUser@your.customer.com:IN/*.xml /b2b/incoming 

Replace "id_rsa" with the actual name of the private key that you are to use. The /b2b/incoming folder must exist before the copy is run.

To run batch file transfer via scp, create a script file like this (called examplescp.sh)

#!/QOpenSys/bin/sh
scp -o IdentityFile=~/.ssh/id_rsa yourRemoteUser@your.customer.com:IN/*.xml /b2b/incoming
exit

Execute it in batch via command

SBMJOB CMD(CALL PGM(QP2SHELL) PARM('/folderpath/examplescp.sh')) JOB(SSHJOB) USER(RUSER) 

Copying files with SFTP

  • Note: the SFTP is not equivalent to the OS/400 FTP client: implicit data conversion is not done (all transfers are binary), nor is there any integration with system security.

We want to copy all xml files from the IN directory (inside our homedir) on the remote server to the /b2b/incoming folder and delete them from the remote server.

Create a text file called ssh-input.txt that contains:

get IN/*.xml /b2b/incoming 
rm IN/*.xml 
exit 

To run batch file transfer via sftp, create a script file like this (called examplesftp.sh)

#!/QOpenSys/bin/sh
sftp -b ssh-input.txt -o IdentityFile=~/.ssh/id_rsa yourRemoteUser@your.customer.com
exit

Execute it in batch via command

SBMJOB CMD(CALL PGM(QP2SHELL) PARM('/folderpath/examplesftp.sh')) JOB(SSHJOB) USER(RUSER)
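The scp and sftp batch jobs above fail silently when the key, the known_hosts entry or the destination folder is not in place. The following pre-flight check is an added example, not code from the wiki; it bundles the checks this page lists (8-character profile limit, 700 on ~/.ssh, 600 on the private key, a stored host key, an existing /b2b/incoming) into one function the submitted script can call before the transfer. The argument names and the return codes are assumptions; it assumes a POSIX sh and the 'ls -l' mode string, which PASE provides.

```shell
#!/bin/sh
# On IBM i use #!/QOpenSys/bin/sh as the page's scripts do.
# Pre-flight checks for an unattended scp/sftp job (added example, not
# from the wiki). Call preflight from the script that SBMJOB submits,
# before the scp/sftp line.

# mode_of PATH -> the 10-character mode string, e.g. drwx------
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# preflight KEYFILE HOST DESTDIR BATCHFILE USER
# Returns 0 when every check passes; otherwise prints the first problem
# and returns a distinct code so the job log says what to fix.
preflight() {
    key=$1; host=$2; dest=$3; batch=$4; user=$5
    sshdir=$(dirname "$key")

    # 1. ssh/sshd in PASE inherit AIX's 8-character user name limit.
    if [ ${#user} -gt 8 ]; then
        echo "user '$user' is longer than 8 characters"; return 1
    fi
    # 2. ~/.ssh should be private (700), as the Public Key Permissions
    #    section of this page requires.
    if [ "$(mode_of "$sshdir")" != "drwx------" ]; then
        echo "$sshdir must exist with mode 700"; return 2
    fi
    # 3. ssh refuses a private key that other users can read (600 only).
    if [ "$(mode_of "$key")" != "-rw-------" ]; then
        echo "$key must exist with mode 600"; return 3
    fi
    # 4. A batch job cannot answer the host-key prompt, so the remote host
    #    key must already be in known_hosts (unhashed, as ssh-keyscan writes it).
    if ! grep -q "^$host[ ,]" "$sshdir/known_hosts" 2>/dev/null; then
        echo "no known_hosts entry for $host"; return 4
    fi
    # 5. The sftp batch file and the local destination folder must exist.
    if [ ! -r "$batch" ]; then echo "batch file $batch missing"; return 5; fi
    if [ ! -d "$dest" ]; then echo "destination $dest does not exist"; return 6; fi
    return 0
}

# In examplesftp.sh (names as on the page; BatchMode=yes stops any prompt):
#   preflight ~/.ssh/id_rsa your.customer.com /b2b/incoming ssh-input.txt RUSER || exit $?
#   sftp -b ssh-input.txt -o BatchMode=yes -o IdentityFile=~/.ssh/id_rsa yourRemoteUser@your.customer.com
```

The non-zero return code is what the SBMJOB job log will show, so each failure mode is distinguishable without reading sftp output.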

Placing your own public key on the remote server

  • These instructions will not work: if your public key is not on the remote server there is no way to log on to that server. It may be possible to do this using a windows or linux based client, that permits password entry.

Sometimes you work with a clueless operator who does not or will not help you to place your public key on the remote server. There is a workaround that requires you to have a valid password for your account (you do have a password, don't you?). You also need write permission to your home directory, and hopefully it does not have any public authority.

Start the PASE shell

CALL QP2TERM 

Connect to the remote server using your password.

sftp yourRemoteUser@your.customer.com 

Check to see if there is a .ssh folder in your home directory.

dir .ssh 

If it does not exist, create it now, and switch to it.

mkdir .ssh 
cd .ssh 

If the authorized_keys file already exists, then you will have to get it to your system and append your public key to it, and then send it back. If it does not exist, then the following will suffice:

put ~/.ssh/id_rsa.pub authorized_keys

Setting up an IBM i SSHD server

http://www-03.ibm.com/servers/enable/site/porting/tools/openssh.html

To run the sshd daemon on i5/OS:

  • The userid that starts the daemon must have *ALLOBJ special authority
  • The userid that starts the daemon must be 8 or fewer characters long
  • Before starting sshd for the first time, you will need to generate host keys:

ssh-keygen -t rsa1 -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_key -N ""
ssh-keygen -t dsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_dsa_key -N ""
ssh-keygen -t rsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_rsa_key -N ""

  • You can start the sshd daemon with either one of these CL commands:

QSH CMD('/QOpenSys/usr/sbin/sshd')
CALL PGM(QP2SHELL) PARM('/QOpenSys/usr/sbin/sshd')

With IBM i 6.1 you can also use STRTCPSVR *SSHD.
  • You can stop the sshd daemon at V5R4 by starting the PASE command shell:

CALL PGM(QP2SHELL)

then issue the command to show active processes:

ps ax

Find the PID number of the sshd process and issue the kill command; if the PID is 1234:

kill 1234


The SSHD configuration file should be reviewed for fitness to your security policy. In particular, the following items should be decided upon:

  • The AllowUsers directive by default allows ALL active users to connect and execute PASE and system commands, even if they are limited users. Check the AllowUsers, AllowGroups, DenyUsers and DenyGroups directives to see what is good for you.
  • The PermitRootLogin directive allows QSECOFR to log in via SSH
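A read-only audit of sshd_config for the two review points just listed, as an added example that is not code from the wiki or from IBM. It assumes a POSIX sh and awk; FILE is normally the sshd_config under /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.8.1p1/etc/, and the sample files used to exercise it are constructed.

```shell
#!/bin/sh
# Audit an sshd_config for the review points on this page (added example,
# not from the wiki): can QSECOFR log in, and is the set of allowed users
# restricted at all? It reads the file and changes nothing.

# directive FILE KEYWORD -> value of the first uncommented KEYWORD line
# (sshd honours the first occurrence; keywords are case-insensitive)
directive() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) {
        $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# audit_sshd_config FILE: prints one finding per line and returns the
# number of findings (0 means both review points are settled).
audit_sshd_config() {
    f=$1; n=0
    # On IBM i "root" is QSECOFR; this OpenSSH generation defaults to yes.
    prl=$(directive "$f" PermitRootLogin)
    if [ "${prl:-yes}" != "no" ]; then
        echo "PermitRootLogin=${prl:-yes (default)}: QSECOFR can log in over SSH"
        n=$((n + 1))
    fi
    # With neither AllowUsers nor AllowGroups, every enabled profile,
    # limited users included, gets a PASE shell and can run system commands.
    if [ -z "$(directive "$f" AllowUsers)" ] && [ -z "$(directive "$f" AllowGroups)" ]; then
        echo "no AllowUsers/AllowGroups: all active profiles may connect"
        n=$((n + 1))
    fi
    # Informational: Deny* lists and the 8-character-limit override from the
    # Diagnosing Unknown User section, so the reviewer sees the whole picture.
    for k in DenyUsers DenyGroups ibmpaseforienv; do
        v=$(directive "$f" "$k")
        [ -n "$v" ] && echo "note: $k $v"
    done
    return $n
}

# Example: audit_sshd_config /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.8.1p1/etc/sshd_config
```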

Diagnosing Problems

General Debugging

You can invoke the sshd server manually to help diagnose problems.

  • Shut down the SSHD server if it's already running ( ENDTCPSVR SERVER(*SSHD) )
  • Open a QP2TERM command line shell (call QP2TERM)
  • Invoke the sshd server with the '-d' parameter: /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.8.1p1/sbin/sshd -d
  • Try to connect from your ssh client.
  • The sshd server will generate copious diagnostic information to the console.

NOTE: The sshd server will terminate as soon as this connection attempt is completed.

Public Key Permissions

  • The permissions on the ~/.ssh directory should be 700 or shown as 'drwx------' when you do 'ls -ld ~/.ssh'.
  • The permissions on the authorized_keys or authorized_keys2 file, in ~/.ssh, should be 600 or shown as '-rw-------' when you do 'ls -l .ssh'

Diagnosing Unknown User

If, while debugging the SSHD server, you get a message indicating the user profile is unknown, similar to this:

debug1: userauth-request for user MYUSERID0 service ssh-connection method none
debug1: attempt 0 failures 0
Invalid user from 10.199.19.213
debug1: audit event euid 112 user (unknown user) event 9 (SSH_invldusr)
input_userauth_request: invalid user MYUSERID0

Check the length of the user profile.

Due to the AIX origins of the SSH server, user profiles have to be 8 characters or less. A profile that is 9 characters or longer will result in an unknown user error.

This limitation can be eliminated.

IBM i 6.1 requires PTF SI43594.

IBM i 7.1 requires PTF SI43709.

Add the following to your sshd_config file...

ibmpaseforienv PASE_USRGRP_LIMITED=N

See http://www-01.ibm.com/support/docview.wss?uid=nas8N1011847 for more details.
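To tell the 8-character symptom apart from a profile that really is missing, disabled or excluded by AllowUsers, the 'sshd -d' output can be checked mechanically. The script below is an added example, not from the wiki; it assumes a POSIX sh and sed, and its sample input is constructed from the debug lines shown above plus one accepted login for contrast.

```shell
#!/bin/sh
# Diagnose "invalid user" lines in sshd -d output (added example, not from
# the wiki): report each rejected name, its length, the source address,
# and whether the PASE 8-character limit explains the rejection.

# Constructed sample: the page's debug lines plus one accepted request.
SAMPLE_LOG='debug1: userauth-request for user MYUSERID0 service ssh-connection method none
debug1: attempt 0 failures 0
Invalid user from 10.199.19.213
debug1: audit event euid 112 user (unknown user) event 9 (SSH_invldusr)
input_userauth_request: invalid user MYUSERID0
debug1: userauth-request for user RUSER service ssh-connection method publickey'

# diagnose_unknown_user: reads sshd -d output on stdin and prints one line
# per rejected user: NAME LENGTH SOURCE VERDICT. Returns 0 if nobody was
# rejected, 1 if a rejected name is longer than 8 characters (apply the
# PTF and ibmpaseforienv PASE_USRGRP_LIMITED=N), 2 if the rejected names
# are within the limit (check the profile itself and the AllowUsers list).
diagnose_unknown_user() {
    log=$(cat)
    src=$(printf '%s\n' "$log" | sed -n 's/^Invalid user from \([^ ]*\).*/\1/p' | head -n 1)
    rc=0
    for u in $(printf '%s\n' "$log" |
               sed -n 's/^input_userauth_request: invalid user \([^ ]*\).*/\1/p' | sort -u); do
        if [ ${#u} -gt 8 ]; then
            echo "$u ${#u} ${src:-?} too-long: exceeds the 8-character PASE limit"
            rc=1
        else
            echo "$u ${#u} ${src:-?} length-ok: check the profile and AllowUsers"
            [ "$rc" -eq 0 ] && rc=2
        fi
    done
    return $rc
}

# Example run against the sample:
#   printf '%s\n' "$SAMPLE_LOG" | diagnose_unknown_user
```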

Non-English Environments

If you are unable to start the SSH server in a non-English environment using STRTCPSVR *SSHD, try adding the following to the sshd_config file (usually located in /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.8.1p1/etc/):

ibmPASEforilangid ENU

Security implications of using SSH on iSeries

http://archive.midrange.com/security400/200609/msg00048.html

External links

  • LPO 5733-SC1 -- IBM Portable Utilities for i: https://www-304.ibm.com/partnerworld/wps/servlet/ContentHandler/pw_com_porting_tools_openssh
  • How to set up SSH client on iSeries for password-less connections, from midrange-l: http://archive.midrange.com/midrange-l/200609/msg01523.html
  • SSHSetup at YiPs Wiki: http://www.youngiprofessionals.com/wiki/index.php/PASE/SSHSetup
  • DeveloperWorks OpenSSH and OpenSSL page: https://www.ibm.com/developerworks/community/groups/service/html/communityview?communityUuid=38f2c9b4-5ddb-485f-b3e9-37e520a3fd82
  • IBM Redbook, publication number redp4163

Categories

  • Definitions