Getting Started with SSH for IBM i
Secure Shell (SSH) provides the best environment for installing, managing, and running open source software on IBM i. Among SSH’s advantages over QSHELL and QP2TERM: IBM i’s SSH command line works just like SSH on Linux or Windows, helping the IBM i platform appeal to younger developers and admins. Supporting a wide range of Unix programs and open source software, such as git, SSH is our go-to terminal interface for open source and PASE. This article covers how to set up SSH and use it to connect to IBM i servers.
SSH Setup
Ensure you have the SSH server running
Where to get the SSH server: SSH, SFTP, and related programs are provided by the 5733-SC1 Licensed Program Product. SC1 is usually installed as part of the operating system, but it doesn’t hurt to check.
Starting and ending SSH server: If NETSTAT *CNN does not show activity on port 22, you can start SSH with the command STRTCPSVR *SSHD. Typing WRKACTJOB should now show jobs running function “PGM-sshd.” To end SSH, type ENDTCPSVR *SSHD.
Choosing an SSH client program
We recommend the ssh program from the popular OpenSSH package.
- macOS and Linux: OpenSSH’s ssh program is included in the built-in terminal.
- Windows: Since fall 2018, Windows 10 has included OpenSSH, available as ssh via the command prompt. If you don’t have OpenSSH or prefer not to use it, we recommend PuTTY; however, we cover only OpenSSH in this blog post.
- IBM i as SSH client (useful when copying files from one IBM i to another): SC1 provides the OpenSSH client. Run ssh from any PASE-enabled terminal, such as QP2TERM, QSH, or another open SSH session.
Connecting to your IBM i system
The easiest way to start an SSH session is with the Access Client Solutions (ACS) “SSH Terminal” option, which will launch a properly configured SSH client. If the ACS “SSH Terminal” link does not work for you, you can open an SSH session manually. From a terminal/command prompt, enter the following command:
ssh user@ibmihostname
For example, if your system were called ibmi.contoso.com (or an IPv4/v6 address), and your user were alans, you would enter:
ssh alans@ibmi.contoso.com
If you didn’t enter a username, OpenSSH would default to the same username you used on your own computer. Enter your password, and you’ll be logged in.
Trusting on first login
When connecting to a host through SSH for the first time, you might get a message like this:
$ ssh 10.12.0.1
The authenticity of host '10.12.0.1 (10.12.0.1)' can't be established.
ECDSA key fingerprint is SHA256:3GeQFLWbHYoyG2t9RkwicsN1ywoWmg5l+MCWL+We+6I.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
SSH employs a “trust on first use” model. When you enter “yes” here, SSH will remember the host’s fingerprint and keep trusting it. If the host’s fingerprint changes, SSH will warn you and refuse to connect, in case the server is an impostor.
TIP: If you are not sure whether to trust the address you were given, you can run ssh localhost (since SC1 uses OpenSSH) on the IBM i from QP2TERM or QSH and make sure the fingerprint matches. Alternatively, if you’re using OpenSSH from another system, you can use the -v flag and look for the “Server host key” line.
You’re in!
If you logged in successfully, you can now use PASE commands (ls, cd, cat, etc.), yum (if installed), and the full range of open source software available on your IBM i.
Advanced: Setting up private keys
SSH key files provide a secure way to log in without passwords.
The key is in two parts:
- the private key, kept in a file on your PC that you want to log in from. Keep this key secret.
- the public key, copied to server systems you want to log in to. It’s okay to share the public key.
If you don’t have keys yet, generate them by running ssh-keygen on your PC. This program will place keys in the .ssh directory in your home folder (for example: C:\Users\Alan on Windows, /Users/alan on macOS, /home/alan on Linux); the .pub file is the public key that should be put on your IBM i. The private key gets used automatically.
Placing the public key on your IBM i
Ask your system administrator to put your public key in the .ssh/authorized_keys file, stored as UTF-8 text, in your home directory. This file doesn’t exist by default, so it must be created. Each public key gets its own line, so you can use multiple keys. Any text editor can be used to insert them. If you used ssh-keygen to generate the keys, the contents of the .pub file can be copied and pasted as a line in the authorized_keys file.
Alternatively, if you have OpenSSH on your PC, then you can run ssh-copy-id to copy the public keys from your computer to the IBM i.
Security of the public key: The key, the .ssh folder, and your home directory must be exclusively under your control to prevent snooping/tampering; this means that your home directory and .ssh under it must be chmod 700 / *RWX and authorized_keys chmod 600 / *RW for yourself, with no other users having permission.
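As an added example (not from the article), a small POSIX shell audit of those permissions that reports anything not private to you and then applies the chmod values above; it assumes GNU or BSD stat, as on a Linux or macOS workstation, and uses a constructed temporary directory in place of a real home directory.

```shell
#!/bin/sh
# Added example, not from the article: audit and repair the permissions the
# article requires for key login (home and .ssh at 700, authorized_keys at 600,
# all owned by you). Assumes GNU or BSD `stat` (Linux/macOS); on IBM i PASE
# the same chmod values apply, run from QP2TERM or an SSH session.

mode_of()  { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }
owner_of() { stat -c %U "$1" 2>/dev/null || stat -f %Su "$1"; }

# check_ssh_perms HOME_DIR -> 0 if every path is private to its owner,
# 1 otherwise, printing one line per problem.
check_ssh_perms() {
  home=$1; me=$(id -un); bad=0
  for entry in "$home:700" "$home/.ssh:700" "$home/.ssh/authorized_keys:600"; do
    path=${entry%:*}; want=${entry##*:}
    if [ ! -e "$path" ]; then
      echo "MISSING $path"; bad=1; continue
    fi
    have=$(mode_of "$path")
    # The property that matters is "nobody but the owner": group and other
    # bits must be zero (?00), which the article's 700/600 values give.
    case $have in
      ?00) ;;
      *) echo "MODE    $path is $have, want $want"; bad=1 ;;
    esac
    if [ "$(owner_of "$path")" != "$me" ]; then
      echo "OWNER   $path belongs to $(owner_of "$path"), not $me"; bad=1
    fi
  done
  return $bad
}

# fix_ssh_perms HOME_DIR -> apply exactly the modes the article prescribes.
fix_ssh_perms() {
  chmod 700 "$1" "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys"
}

# Demonstration on a constructed throw-away directory standing in for a home
# directory; no real account is touched.
demo=$(mktemp -d)
mkdir -m 755 "$demo/.ssh"
: > "$demo/.ssh/authorized_keys"; chmod 644 "$demo/.ssh/authorized_keys"
if check_ssh_perms "$demo"; then echo "unexpectedly clean"; else echo "-- fixing"; fi
fix_ssh_perms "$demo"
check_ssh_perms "$demo" && echo "ok: $demo is now private to $(id -un)"
rm -rf "$demo"
```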
Automatically restart the SSH server
You can make the SSH server start on IPL with the following CL command:
CHGTCPSVR *SSHD AUTOSTART(*YES)
Advanced: Configuring the SSH server using sshd_config
The SSH server is configured using a file called sshd_config; this is usually at /QOpenSys/QIBM/ProdData/SC1/OpenSSH/etc/sshd_config. (If you aren’t certain, running sshd -ddt will show you its location.) This is a standard OpenSSH server configuration file, so advice for other operating systems generally applies.
For IBM i older than 7.4: If your user profile is more than 8 characters long, you will need to edit sshd_config. In that case, add this line:
ibmpaseforienv PASE_USRGRP_LIMITED=N
Other reasons to edit sshd_config: disabling QSECOFR login over SSH, disabling password authentication (to mandate keys), changing the port number SSH listens on (be sure to change your PuTTY/OpenSSH command settings to match), etc.
To disable password authentication, so that public key files must be used, set the PasswordAuthentication setting in sshd_config like so:
PasswordAuthentication no
To apply your changes, end and then start the SSH server:
ENDTCPSVR SERVER(*SSHD)
STRTCPSVR SERVER(*SSHD)
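An added example, not from the article or from IBM, for checking these settings before restarting: a POSIX shell audit that reads the globally effective value of each directive the way sshd does (the first uncommented occurrence wins, and anything after a Match line is conditional), which is why simply appending a new PasswordAuthentication line at the end of the file can silently do nothing. It assumes the Keyword value form, that DenyUsers with the lowercase PASE spelling of QSECOFR is how that login is blocked, and that awk and tr are available; both sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the article or IBM: audit an sshd_config for the two
# hardening settings the article discusses (password logins off, QSECOFR
# blocked) and report the port, honouring OpenSSH's rule that the FIRST
# uncommented occurrence of a keyword wins and that lines after a "Match"
# line are conditional. The "Keyword value" form is assumed.
# sshd_setting FILE KEYWORD -> prints the globally effective value, or nothing
# if the keyword is not set before the first Match block.
sshd_setting() {
  awk -v key="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || NF == 0  { next }   # comment or blank line
    tolower($1) == "match" { exit }   # rest of file is conditional
    tolower($1) == key     { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
  ' "$1"
}

# audit_sshd_config FILE -> 0 if hardened as the article suggests, 1 otherwise,
# printing one line per finding.
audit_sshd_config() {
  cfg=$1; bad=0
  pa=$(sshd_setting "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')
  if [ "${pa:-yes}" != no ]; then            # OpenSSH default is yes if absent
    echo "PasswordAuthentication is '${pa:-yes}': put 'PasswordAuthentication no' ABOVE any earlier occurrence"; bad=1
  fi
  # Assumption: the lowercase PASE spelling is what sshd compares against on
  # IBM i; confirm with a test login after editing.
  deny=$(sshd_setting "$cfg" DenyUsers | tr 'A-Z' 'a-z')
  case " $deny " in
    *" qsecofr "*) ;;
    *) echo "QSECOFR not in DenyUsers: add 'DenyUsers qsecofr' to block it over SSH"; bad=1 ;;
  esac
  port=$(sshd_setting "$cfg" Port)
  echo "listening port: ${port:-22 (default)}; clients need -p/-P if changed"
  return $bad
}

# Constructed samples: "weak" shows the usual mistake of appending the new line
# at the end, after an earlier "yes" that still wins (and inside a Match block).
weak=$(mktemp); hard=$(mktemp)
cat > "$weak" <<'EOF'
Port 22
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication no
PasswordAuthentication no
EOF
printf 'Port 1234\nPasswordAuthentication no\nDenyUsers qsecofr\n' > "$hard"
echo "== weak";     audit_sshd_config "$weak" || echo "-> needs changes"
echo "== hardened"; audit_sshd_config "$hard" && echo "-> ok; restart with ENDTCPSVR/STRTCPSVR *SSHD"
rm -f "$weak" "$hard"
```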
If you change the SSH port
If you changed the port that the SSH server runs on, you need to update clients to be aware of this.
If using ACS, go to “System Configurations” and edit the connection you’re using. On the “Connection” tab, change the port being used.
If using OpenSSH, use the “-p” flag for “ssh” and “-P” for SCP/SFTP. For example, if you changed the SSH server to listen on port 1234:
ssh -p 1234 user@host
sftp -P 1234 user@host
scp -P 1234 file1 user@host:file1
SSH is your portal to innovation
Once you switch to SSH, you’ll find new possibilities for innovation on your IBM i, as well as attracting and retaining talent in your organization and on the platform. Use modern tools for modern applications. Get in touch if you would like to discuss training or other assistance.
For additional topics related to SSH on IBM i, see How to Configure and Use SSH on IBM i.
Edited: Thanks to Kevin Adler for pointing out some additional tricks.
Hi Calvin. We use SSHD from within IBMi to external, however we tightly control incoming requests to SSHD. We therefore typically have the “listener” job that resides in subsystem QUSRWRK default to NOT startup after an IPL and keep it turned OFF, unless specifically required. However – we notice that several times a day that “listener” job keeps getting started. Unfortunately the jobs show little to no joblog information, so very difficult to track down the culprit.
Any ideas/clues on how we can track and hone in on what keeps starting this “listener” job for SSHD? Something like this shows:
Job . . : QP0ZSPWP User . . : QSECOFR
sshd[14889]: Server listening on 0.0.0.0 port 22.
sshd[14889]: Server listening on :: port 22.
Hi, very good article. I have a question. I am trying to generate a private key with openssl and the command I am using is: openssl genrsa -rand ~/.ssh/prng_seed -des3 -out mydomain.com.secure 2048, but I do not have prng_seed. Is that part of ssh? Where can I find that file? Thanks in advance.
Great sharing. I have a question on configuring the environment. I’ve set TERM like this:
export TERM=xterm
Connecting from Linux, I use tmux to multiplex remote sessions, but its windows and panels crash when control characters are present; a simple npm install with its colored output does it. Do you know a fix for this?
Thanks
Hi Calvin, would you know how to check that the SSHD server started on IBM i 7.4? It doesn’t show up on NETSTAT or QUSRWRK (QP0ZSPWP – PGM-sshd) like it used to before 7.4.
NETSTAT should show SSHD on port 22 unless you changed the port.
Thanks Calvin! This is a great article and is very helpful for people that want to start using SSH.
Excellent article! Aptly encourages the use of SSH over QSH/QP2TERM.
If you change your default shell to bash, you have many advantages of retrieving/searching your commands and using keyboard shortcuts.
Endless possibilities.
Great work! Thanks for sharing.
Excellent article, easy to digest and to follow.
I’ve emailed this to a number of colleagues and customers.
Good Job!