Overcome ‘Permission denied’ for long user profiles in IBM i SSH
[UPDATED May 2023]
In IBM i releases before 7.4, IBM i’s Secure Shell (SSH) rejected connection attempts with user profile names longer than eight (8) characters. The error message can vary, but may be similar to “Permission denied, please try again” or “Failed to connect sshd.”
For those older releases (7.3 and earlier), you can allow user profiles longer than 8 characters by editing the file:
/QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/sshd_config
and adding a new line containing the string:
ibmpaseforienv PASE_USRGRP_LIMITED=N
To apply your changes, end and then start the SSH server, like so:
1 2 |
ENDTCPSVR SERVER(*SSHD) STRTCPSVR SERVER(*SSHD) |
An alternative is to set the variable system-wide, to allow other PASE processes to use the improvement:
1 |
ADDENVVAR ENVVAR(PASE_USRGRP_LIMITED) VALUE('N') LEVEL(*SYS) |
For more details about configuring SSH, see How to Configure and Use SSH on IBM i.
Hello Alan
I also did a test and it didn’t work, finally add an environment variable and this worked.
Glad you eventually got it working.
Hi Alan I am trying to test this configuration on my box with IBM i 7.3 and it is not working, does this new line have to go in a specific place in the configuration file?
Hi, Leonardo, there’s no specfic place, but the new line can be added to the end of the file. I did this successfully just last week. Did you remember to end and restart the *SSHD server afterward?