
IBM Software Technical Document

_______________________________________________________________
Document Information

Document Number: 408105066
Functional Area: Communications-TCP
Subfunctional Area: Security
Sub-Subfunctional Area: OpenSSH
OS/400 Release: V5R3M0; V5R4M0
Product: PORTABLE UTILITIES FOR I5/OS (5733SC101)
Product Release: N/A


_______________________________________________________________

Document Title
OpenSSH: Configuring Server / Client

Document Description
Server Configuration

To configure the OpenSSH service on the operating system, do the following:

Note: The following are known to cause problems:
o Using user IDs that are greater than 8 characters long. If your user name is longer than 8 characters, you must type WRKUSRPRF and copy your existing profile to an eight-character profile.
o Running sshd under a user ID without *ALLOBJ authority.
o Using public/private key authentication with incorrect directory permissions on /home/userid and /home/userid/.ssh. The permissions must be correct.
o Receiving messages about not enough entropy – 5733SC1. For additional information, refer to the following Rochester Support Center knowledgebase document:

371780606, OpenSSH PTF List for V5R3
o Creating a job log every time a UNIX® process forks. For additional information, refer to the following Rochester Support Center knowledgebase document:

384898047, OpenSSH: How to Stop SSH from Creating Thousands of Job Logs

Step 1: Sign on the operating system.

Step 2: On the operating system command line, type DSPSFWRSC to verify that 5722SS1 Option 30 (Qshell), Option 33 (Portable App Solutions Environment), and 5733SC1 (IBM® Portable Utilities for i5/OS®) *BASE + Option 1, are installed.

Step 3: On the operating system command line, type the following commands, and press the Enter key after each command:

CALL QCMD
CALL PGM(QP2TERM)

You will now have a screen similar to the following:

Print current working directory within PASE environment.

Step 4: Generate host keys.

Before starting sshd for the first time, you must generate host keys by typing the following commands:

ssh-keygen -t rsa1 -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_key -N ""
ssh-keygen -t dsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_dsa_key -N ""
ssh-keygen -t rsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_rsa_key -N ""

Note: Once the host keys reside on the system, you do not need to regenerate them.

mkdir /home/myuserid
chmod go-w /home/myuserid
mkdir /home/myuserid/.ssh
chmod go-rwx /home/myuserid/.ssh

where myuserid is the client's user profile on the operating system. If you receive a message indicating there is not enough entropy for product 5733SC1, apply PTF SI18056 or refer to the following Rochester Support Center knowledgebase document:

371780606, OpenSSH PTF List for V5R3
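
The directory permissions set by the chmod commands above, together with the 8-character user ID limit from the known-problems list, can be checked with a short script. This is an added example, not part of the original IBM document; the function names mode_of and check_ssh_dirs and the optional base-directory argument are assumptions introduced here, and it assumes a POSIX shell with ls and cut, such as the PASE shell.

```shell
#!/bin/sh
# Added example: audit the directories created in Step 4.
# mode_of prints the 9 permission characters from `ls -ld` (e.g. rwxr-xr-x).
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c2-10
}

# check_ssh_dirs USER [HOME_BASE]   (HOME_BASE defaults to /home)
# Returns 0 when USER's directories match the chmod commands in Step 4,
# non-zero otherwise. One line per finding is written to stdout.
check_ssh_dirs() {
    user=$1
    base=${2:-/home}
    home=$base/$user
    rc=0

    # User IDs longer than 8 characters are listed as a known problem.
    if [ "${#user}" -gt 8 ]; then
        echo "FAIL: user ID '$user' is longer than 8 characters"; rc=1
    fi

    for dir in "$home" "$home/.ssh"; do
        if [ ! -d "$dir" ]; then
            echo "FAIL: $dir does not exist"; rc=1; continue
        fi
        mode=$(mode_of "$dir")
        group=$(printf '%s' "$mode" | cut -c4-6)
        other=$(printf '%s' "$mode" | cut -c7-9)
        case $dir in
            */.ssh)  # chmod go-rwx: no group or other access at all
                if [ "$group$other" != "------" ]; then
                    echo "FAIL: $dir is $mode; run chmod go-rwx $dir"; rc=1
                fi ;;
            *)       # chmod go-w: group and other must not have write
                case $group$other in
                    *w*) echo "FAIL: $dir is $mode; run chmod go-w $dir"; rc=1 ;;
                esac ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: $home and $home/.ssh match Step 4"
    return "$rc"
}

# When run as a script: sh check_ssh_dirs.sh myuserid
if [ "$#" -gt 0 ]; then check_ssh_dirs "$@"; fi
```
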


This screen shows the output of the ssh-keygen command.
A continuation of the output for the ssh-keygen command.

Step 5: Run the sshd daemon on the operating system.

Notes:
1. The user ID that starts the daemon must have *ALLOBJ special authority.
2. The user ID that starts the daemon must be 8 or fewer characters long.
3. If you are using QSH, you must type cd /QOpenSys/usr/bin/ for the commands to run. QP2TERM defaults to this path, so no directory change is needed. The example screen shots are taken from the QP2TERM environment.
4. Refer to the following Web site for additional information:

http://www.ibm.com/servers/enable/site/porting/tools/openssh.html

To run the sshd daemon on the operating system, type the following:

QSH CMD('/QOpenSys/usr/sbin/sshd')

Press the Enter key.

CL command used to start the ssh daemon.

Step 6: Start the server.

To start the SSH server in debug mode, from the command line type:

QSH CMD('/QOpenSys/usr/sbin/sshd -d -d -d')

Press the Enter key.

SSH utilities have a flag to dump out debug information:

ssh: ssh -v -v -v
sftp: sftp -v -v -v
scp: scp -v -v -v
sshd: sshd -d -d -d
ssh-agent: ssh-agent -d

Step 7: Use NETSTAT *CNN to verify that the port is active.

This screen shows that the ssh daemon is in a listening state on TCP port 22.

Notes:
1. Our Clients can use QP2SHELL, QSH, and QP2TERM commands; however, SC1 commands (like ssh-keygen) are in the default $PATH for a PASE shell, not QShell.
2. Commands will work if you issue them from the screen that starts with "CALL QP2TERM."
3. If the end user wishes to issue SSH commands from QShell, add the directory with those commands to the QShell $PATH or fully qualify the path to the commands.
4. The end user can also use the setenv command to modify environmental settings.

Note To Programmers: At the $ prompt, type env to view what the default $PATH is for your system; for example:

         $
       > env
         QYPS_DNS=1
         QIBM_SQJAVA_PROPERTIES=java.compiler=NONE
         DBU_DEBUG_LEVEL=1
         QIBM_SJ_TRACE=1
         QZLC_SERVERLIST=1
         LANG=/QSYS.LIB/en_US.LOCALE
         QIBM_USE_DESCRIPTOR_STDIO=I
         TRACEOPT=UNLINK
         QIBM_DESCRIPTOR_STDERR=CRLN=N
         QIBM_DESCRIPTOR_STDOUT=CRLN=N
         QIBM_DESCRIPTOR_STDIN=CRLN=Y
         LOGNAME=AARONSSH
         SHLVL=1
         HOSTTYPE=powerpc
         HOSTID=192.168.5.128
         HOSTNAME=IBM.COM
         OSTYPE=os400
         MACHTYPE=powerpc-ibm-os400
         TERMINAL_TYPE=5250
         HOME=/home/aaronssh/
         PATH=/usr/bin:/QOpenSys/usr/bin:/QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.5p1/bin
       $          

Client Configuration

To configure the client, do the following:

Step 1: Type NETSTAT *CNN to verify that port 22 is active. If it is not active, follow the steps in the Server Configuration section. The SSH server must be active for the client to work on the system or for any remote client to communicate with the system.

Step 2: Select one of the OpenSSH clients from the following Web site:

www.openssh.org/windows.html

This example uses PuTTY, which was downloaded from the following Web site:

the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Note: UNIX distributions usually have the ssh binaries, so a download is not usually required.

Step 3: Click on PuTTY. Fill in the Host name, and click Open.

PuTTY is a free ssh client that can be used to connect to ssh servers.

Once connected to the ssh server, you will be prompted for a user id and password.

Step 4: You will get a pop-up window that asks you to accept the key. After accepting, the commands are all UNIX.

After logging into the server, you will be able to execute UNIX based commands.

Not all IBM® AIX® libraries are included with the base PASE installation, so not all features of AIX are available until the administrator copies libraries from an AIX system.



__________________________________________________________________

IBM disclaims all warranties, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright © 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult the Terms of use link for trademark information.