5733-SC1 -- IBM Portable Utilities for i
LPO 5733-SC1 -- IBM Portable Utilities for i -- is available for IBM i users. The 5733-SC1 LPO contains the OpenSSH, OpenSSL and zlib open source packages ported to IBM i using the PASE for i runtime environment.
Why Use the OpenSSH Secure Shell?
TCP/IP connectivity applications such as telnet and ftp transmit data and passwords over the network in plain text. This means that the data and passwords can be intercepted and read by other users on the network. The SSH (Secure SHell) protocol suite is a software solution that provides secure alternatives for telnet and ftp. SSH verifies the authenticity of both the client and the server, and all of the data (including userids and passwords) is encrypted as it travels over the network. This encryption is done transparently to the end user.
OpenSSH is the open source implementation of the SSH protocol suite. OpenSSH is widely available for use on many other platforms including Linux, AIX and z/OS. The OpenSSH development team maintains web pages here: http://www.openssh.org/ (link resides outside of ibm.com)
- ssh - a secure telnet replacement that allows an IBM i user to connect as a client to a server running the sshd daemon. An ssh client can also be used to connect to the Hardware Management Console (HMC) on System i and System p models.
- sftp - a secure ftp replacement. As with all implementations of sftp on other platforms, sftp can only transfer data in binary format. Note that sftp also does not provide the enhanced functions available in the IBM i ftp utility when transferring files in the QSYS.LIB file system nor does it provide the CCSID data conversion options available in the IBM i ftp utility.
- scp - a secure file copy program - essentially an alternative to sftp for copying a single file in the integrated file system (IFS).
- ssh-keygen - a public/private key generation and management tool. SSH allows users to authenticate using these public and private keys as an alternative to using their OS signon password.
- ssh-agent - an authentication agent that can store private keys. ssh-agent allows a user to load their public/private key passphrase into memory to avoid needing to retype the passphrase each time an SSH connection is started.
- sshd - The daemon that handles incoming ssh connections. The sshd daemon allows users to connect to IBM i via an ssh client. In contrast to connecting to IBM i via telnet and being presented with a 5250 screen interface, users who connect to IBM i via ssh through the sshd daemon are presented with a character interface and a PASE for i command line.
Hints and tips for using OpenSSH
- Installation
- RSTLICPGM LICPGM(5733SC1) DEV(OPTxx) OPTION(*BASE) RSTOBJ(*ALL) LNG(2924)
- RSTLICPGM LICPGM(5733SC1) DEV(OPTxx) OPTION(1) RSTOBJ(*PGM)
- For IBM i V5R4 the OpenSSH configuration files (for example, ssh_config and sshd_config) are located in the directory: /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/
- For IBM i 6.1 the OpenSSH configuration files are located in the directory: /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.8.1p1/etc/
- For IBM i 7.1 the OpenSSH configuration files are located in the directory: /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-4.7p1/etc/
- Note that any changes that have been made in the configuration files of an earlier release will need to be manually migrated to the configuration files of the later release.
- The "green screen" 5250 terminal sessions started by using the STRQSH or CALL QP2TERM CL commands are not true TTY devices. This can cause problems when trying to use ssh, sftp or scp within one of these sessions. Possible workarounds:
- For ssh: use the -T option so that no tty is allocated when connecting
- For sftp and scp: use the ssh-agent utility and public key authentication to avoid sftp and scp prompting for passwords or passphrases
- Use the utilities from a true tty session (such as xterm)
- To run the sshd daemon on IBM i:
- For 6.1 the sshd daemon can be started with CL command STRTCPSVR SERVER(*SSHD) and ended with ENDTCPSVR SERVER(*SSHD). If they do not exist, the host key files will be generated when the sshd daemon is started.
- For V5R4:
- The userid that starts the daemon must have *ALLOBJ special authority
- The userid that starts the daemon must be 8 or fewer characters long
- Before starting sshd for the first time, you will need to generate host keys:
- ssh-keygen -t rsa1 -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_key -N ""
- ssh-keygen -t dsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_dsa_key -N ""
- ssh-keygen -t rsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_rsa_key -N ""
- You can start the sshd daemon with this CL command: QSH CMD ('/QOpenSys/usr/sbin/sshd')
- To connect to IBM i using ssh:
- The userid that is connecting must be 8 or fewer characters long
- If you use public-key authentication to connect, verify the permissions on the userid's directories and files
- The userid's home directory must not have public write authority (chmod go-w /home/myuserid)
- The userid's /home/myuserid/.ssh directory and /home/myuserid/.ssh/authorized_keys file must not have any group or public authorities (chmod go-rwx /home/myuserid/.ssh and chmod go-rwx /home/myuserid/.ssh/authorized_keys)
- Once connected, you will be at a PASE for i command line.
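The following script is an added example, not part of the IBM page: it audits the conditions listed above for a connecting userid (8 or fewer characters, home directory not group/public writable, .ssh and authorized_keys with no group or public authorities) using only POSIX tools, so it can also run from a PASE for i shell. The /home/myuserid layout and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the IBM page): check the public-key authentication
# prerequisites for an IBM i userid before it tries to connect through sshd.
# Assumes the home directory layout /home/<userid>/.ssh/authorized_keys.

# The 9-character rwx string of a path, taken from ls -ld (columns 2-10).
mode_bits() {
    ls -ld "$1" 2>/dev/null | cut -c2-10
}

# Userids that start sshd or connect to it must be 8 or fewer characters.
check_userid_len() {
    [ "${#1}" -le 8 ]
}

# Home directory: neither group (position 5) nor other (position 8) may write.
check_no_go_write() {
    bits=$(mode_bits "$1")
    [ -n "$bits" ] || return 1            # path missing or unreadable
    case "$bits" in
        ????w*|???????w*) return 1 ;;     # group or public write bit set
    esac
    return 0
}

# .ssh directory and authorized_keys: group and other bits must all be '-'.
check_no_go_any() {
    bits=$(mode_bits "$1")
    [ -n "$bits" ] || return 1
    case "$bits" in
        ???------) return 0 ;;
        *) return 1 ;;
    esac
}

# Run every check for one userid; report each failure, return 0 only if all pass.
audit_ssh_user() {
    user=$1; home=$2; rc=0
    check_userid_len "$user" || { echo "userid $user is longer than 8 characters"; rc=1; }
    check_no_go_write "$home" || { echo "$home has group or public write authority"; rc=1; }
    check_no_go_any "$home/.ssh" || { echo "$home/.ssh has group or public authorities"; rc=1; }
    check_no_go_any "$home/.ssh/authorized_keys" \
        || { echo "$home/.ssh/authorized_keys has group or public authorities"; rc=1; }
    return $rc
}

# Usage: audit_ssh_user myuserid /home/myuserid
```

A non-zero return lists every condition that would make sshd refuse the key, so the fix is the chmod commands given in the list above.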
- You can use ssh to encrypt the 5250 telnet datastream:
- On the server, start the telnet server and the sshd server
- On the client, start an ssh session to the server (named servername in this example) that will route the traffic on an unused port on the client (2001 in this example) to the telnet port (23) on the server:
CALL QP2TERM
then
ssh -T -L2001:localhost:23 servername
This ssh session will need to be left active while the telnet sessions are in use.
- Other sessions on the client can now start telnet sessions:
TELNET RMTSYS(*INTNETADR) INTNETADR(LOCALHOST) PORT(2001)
- The sshd daemon uses the IBM i Set Profile API ( QsySetToProfileHandle ) to switch from the userid that started sshd to the userid that is connecting.
OpenSSL and zlib
OpenSSH requires the OpenSSL and zlib open source libraries in order to function. A user can write PASE for i applications that call OpenSSL or zlib APIs.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL). Refer to the OpenSSL web pages for more information: http://www.openssl.org/
zlib is a set of data compression APIs. Refer to the zlib web pages here for more information.
Miscellaneous information
NLS information:
There is only a single English build available; however, this build does include the following translations of the OpenSSH messages, which are selected based on the LANG and NLSPATH environment variable settings:
- CA_ES and ca_ES (Catalan)
- CS_CZ and cs_CZ (Czech)
- DE_DE and de_DE (German)
- EN_US and en_US (English)
- ES_ES and es_ES (Spanish)
- FR_FR and fr_FR (French)
- HU_HU and hu_HU (Hungarian)
- IT_IT and it_IT (Italian)
- JA_JP and ja_JP and Ja_JP (Japanese)
- KO_KR and ko_KR (Korean)
- PL_PL and pl_PL (Polish)
- PT_BR and pt_BR (Portuguese)
- RU_RU and ru_RU (Russian)
- SK_SK and sk_SK (Slovak)
- ZH_CN and Zh_CN and zh_CN (Simplified Chinese)
- ZH_TW and Zh_TW and zh_TW (Traditional Chinese)
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/ (link resides outside of ibm.com))
