SSH

From MidrangeWiki
Revision as of 13:14, 11 December 2007 by Shalomc (talk | contribs) (External links)

SSH, an acronym for Secure SHell, is a method of connecting securely to servers: all data, including the user ID and password, is encrypted in transit.

Setting up System i SSH client

These are instructions on how to use the System i SSH client for automatic, secure file transfer. The scenario: your business partner has assigned you a remote user account called yourRemoteUser.

Your local system i process will run as user RUSER.

System Requirements

Full instructions can be found at http://www.ibm.com/servers/enable/site/porting/tools/.

Setting up the user profile

Assuming that the user profile to be used is RUSER, you need to set up its home directory with permissions that exclude everyone else:

CHGUSRPRF USRPRF(RUSER) HOMEDIR('/home/RUSER')
MKDIR DIR('/home') DTAAUT(*EXCLUDE) OBJAUT(*NONE)
MKDIR DIR('/home/RUSER') DTAAUT(*INDIR) OBJAUT(*INDIR)

If the home directory already exists, run instead:

CHGAUT OBJ('/home/RUSER') USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE) SUBTREE(*ALL)

Create the .ssh subdirectory:

MKDIR DIR('/home/RUSER/.ssh') DTAAUT(*INDIR) OBJAUT(*INDIR)

Getting and storing the remote server public key

Log in as user RUSER. You can use a security officer account instead, but then you will have to reset the permissions and file ownership back to RUSER.

Start the PASE shell

CALL QP2TERM 

Execute this shell command to record the remote server's RSA host key in your known_hosts file. ssh-keyscan stores whatever key the host presents, so compare the recorded key with what your business partner's administrator tells you before relying on it.

ssh-keyscan -t rsa your.customer.com >> ~/.ssh/known_hosts

Now you need to set up your own key pair.

Setting up your public and private key pair

Log in as user RUSER. You can use a security officer account instead, but then you will have to reset the permissions and file ownership back to RUSER.

Self Creation of keys

Start the PASE shell

CALL QP2TERM 

Create the private/public key pair with the ssh-keygen tool using an EMPTY passphrase (so the batch job can use it without interaction), and place it in the default location, the file "~/.ssh/id_rsa". With no passphrase, the file permissions set up above are the only protection for the private key, so keep the home directory and .ssh excluded from *PUBLIC.

ssh-keygen -b 1024 -f ~/.ssh/id_rsa -t rsa

Send the public key from file "~/.ssh/id_rsa.pub" to your customer. (The server admin adds the public key to the "~/.ssh/authorized_keys" file of your account on the SSH server.)

Using a key issued by someone else

Your business partner may have issued you a key instead, in which case you should use it rather than create your own. Copy the key file that you received into the .ssh folder.

Copying files with SCP

To copy all xml files from the IN directory on the remote server to the /b2b/incoming IFS folder:

scp -o IdentityFile=~/.ssh/id_rsa yourRemoteUser@your.customer.com:IN/*.xml /b2b/incoming

(Replace "id_rsa" with the actual name of the private key that you are to use. The /b2b/incoming folder must exist before copying.)

To run the file transfer via scp in batch, create a script file like this (called examplescp.sh):

#!/QOpenSys/usr/bin/sh
scp -o IdentityFile=~/.ssh/id_rsa yourRemoteUser@your.customer.com:IN/*.xml /b2b/incoming
# a bare exit returns the status of the scp command, so a failed copy ends the job abnormally
exit

Execute it in batch with the command:

SBMJOB CMD(CALL PGM(QP2SHELL) PARM('/folderpath/examplescp.sh')) JOB(SSHJOB) USER(RUSER)

Copying files with SFTP

We want to copy all xml files from the IN directory (inside our home directory on the remote server) to the /b2b/incoming folder and then delete them from the remote server.

Create a text file called ssh-input.txt that contains the sftp commands to run:

get IN/*.xml /b2b/incoming
rm IN/*.xml
exit

To run the file transfer via sftp in batch, create a script file like this (called examplesftp.sh):

#!/QOpenSys/usr/bin/sh
# ssh-input.txt is resolved relative to the job's current directory; give a full path if in doubt
sftp -b ssh-input.txt -o IdentityFile=~/.ssh/id_rsa yourRemoteUser@your.customer.com
exit

Execute it in batch with the command:

SBMJOB CMD(CALL PGM(QP2SHELL) PARM('/folderpath/examplesftp.sh')) JOB(SSHJOB) USER(RUSER)
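The two batch scripts above (examplescp.sh and examplesftp.sh) connect immediately and exit with whatever status the transfer returned. A submitted job has no terminal, so any prompt from ssh (a password prompt because the key was rejected, or a host-key confirmation because known_hosts is incomplete) leaves the job hanging. The following is an added example, not code from the MidrangeWiki page: a wrapper for the sftp procedure that first checks the private key's permissions, the known_hosts entry and the local folder, writes the page's command file itself, and connects with OpenSSH's BatchMode and StrictHostKeyChecking options so every such prompt becomes a failure with a non-zero exit code. It uses the page's placeholder names (yourRemoteUser, your.customer.com, /b2b/incoming, RUSER); the helper function names and the `run` argument convention are this example's own.

```shell
#!/QOpenSys/usr/bin/sh
# Added example, not from the MidrangeWiki page: a batch sftp wrapper that
# checks its prerequisites before connecting. Names below are the page's
# placeholders (yourRemoteUser, your.customer.com, /b2b/incoming, RUSER).

REMOTE_USER="yourRemoteUser"
REMOTE_HOST="your.customer.com"
SSH_DIR="${HOME:-/home/RUSER}/.ssh"
KEY="$SSH_DIR/id_rsa"
KNOWN_HOSTS="$SSH_DIR/known_hosts"
LOCAL_DIR="/b2b/incoming"

# key_is_private: 0 when the file exists and grants nothing to group/other.
# OpenSSH ignores a private key with looser permissions, so a batch job
# would fall back to password authentication and hang on the prompt.
key_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    # columns 5-10 of 'ls -l' are the group and other permission bits
    mode=$(ls -ld "$f" | cut -c5-10)
    [ "$mode" = "------" ]
}

# known_host_present: 0 when known_hosts has a plain (unhashed) entry whose
# first field names the host, as written by the page's ssh-keyscan step.
known_host_present() {
    hosts_file="$1"
    host="$2"
    [ -f "$hosts_file" ] || return 1
    awk -v h="$host" '
        $1 !~ /^[|#]/ { n = split($1, names, ",")
                        for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
        END { exit (found ? 0 : 1) }' "$hosts_file"
}

# write_sftp_batch: write the page's command file to $1 and echo the path.
# sftp -b aborts on the first failing command, so the rm never runs
# unless the get before it succeeded.
write_sftp_batch() {
    out="$1"
    {
        echo "get IN/*.xml $LOCAL_DIR"
        echo "rm IN/*.xml"
        echo "exit"
    } > "$out"
    printf '%s\n' "$out"
}

# run_transfer: the job body. BatchMode=yes turns any prompt (password,
# unknown host) into a failure instead of a hung job; StrictHostKeyChecking=yes
# refuses a host key that is not already in known_hosts.
run_transfer() {
    key_is_private "$KEY" || { echo "key $KEY missing or too permissive" >&2; return 2; }
    known_host_present "$KNOWN_HOSTS" "$REMOTE_HOST" \
        || { echo "no known_hosts entry for $REMOTE_HOST (run ssh-keyscan first)" >&2; return 3; }
    [ -d "$LOCAL_DIR" ] || { echo "$LOCAL_DIR does not exist" >&2; return 4; }
    batch=$(write_sftp_batch "${TMPDIR:-/tmp}/sftp-batch.$$")
    sftp -b "$batch" -o BatchMode=yes -o StrictHostKeyChecking=yes \
        -o IdentityFile="$KEY" "$REMOTE_USER@$REMOTE_HOST"
    rc=$?
    rm -f "$batch"
    return "$rc"
}

# Connect only when called with the argument 'run'; running the file without
# it just defines the functions (this example's own convention).
if [ "${1:-}" = "run" ]; then
    run_transfer
    exit $?
fi
```

To submit it, pass the extra argument through QP2SHELL, which hands parameters after the script path to the script as its arguments: SBMJOB CMD(CALL PGM(QP2SHELL) PARM('/folderpath/examplesftp.sh' 'run')) JOB(SSHJOB) USER(RUSER). The distinct return codes (2, 3, 4) show up in the job log and tell you which prerequisite failed without opening the remote connection at all; the known_hosts check assumes the unhashed entries that ssh-keyscan writes and does not recognise hashed (|1|...) lines.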

Placing your own public key on the remote server

Sometimes you work with a clueless operator who does not or will not help you to place your public key on the remote server. There is a workaround that requires you to have a valid password for your account (you do have a password, don't you?). You also need write permission to your home directory, which hopefully does not grant any public authority.

Start the PASE shell

CALL QP2TERM

Connect to the remote server using your password.

sftp yourRemoteUser@your.customer.com

Check to see if there is a .ssh folder in your home directory.

dir .ssh

If it does not exist, create it now and switch to it:

mkdir .ssh
cd .ssh

If the authorized_keys file already exists, you will have to fetch it to your system, append your public key to it, and send it back. If it does not exist, the following suffices:

put ~/.ssh/id_rsa.pub authorized_keys

External links