IBM Support

Allowing or Denying Access to the IBM i Secure Shell Daemon (SSHD) Using Group Profiles



This document describes how group profiles can be used to allow or deny access to the IBM i SSHD.

Resolving The Problem

The ssh client provides command line access to systems running the SSHD. Controlling or limiting which users can access the system through the SSHD is very important to IBM i administrators. The AllowUsers, AllowGroups, DenyUsers, and DenyGroups directives in the sshd_config file is one way that administrators can control access to the IBM i through SSHD. The OpenSSH daemon configuration file (sshd_config) is located in the following IFS directories:

R540 - /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc
R610 - /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.8.1p1/etc
R710 - /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-4.7p1/etc
R720 - /QOpenSys/QIBM/UserData/SC1/OpenSSH /etc

Here is an example of the AllowGroups directive being used in the sshd_config file. Only the bottom portion of the sshd_confile is included in this document. Only members of the group sshgrp will be allowed access to the IBM i through the SSHD. If users that are not members of the sshgrp attempt to access the system, they will be rejected.

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation no
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/tmp/
#MaxStartups 10
AllowGroups sshgrp

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-4.7p1/libexec/sftp-server

# Example of overriding settings on a per-user basis
# Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server

Considerations to Make

oThe values specified for the AllowUsers, AllowGroups, DenyUsers, and DenyGroups directives are case sensitive.
oThe allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and AllowGroups.
oThe SSHD must be restarted for the changes to take effect.
oThere is an eight-character limitation on the user profiles that can access the IBM i through SSHD. The eight-character limitation is also placed on any group profile that the user might be a member of. If any of the other members in a group profile have more than eight characters in their user name, access to the system will be denied. In order to get around the eight-character limitation, you can either create system wide environment variable or add a specicial directive to the sshd_config file:


ibmpaseforienv PASE_USRGRP_LIMITED=N

A restart of SSHD is required when the # of characters in the user profile is increased for inbound ssh, sftp, or scp connections to the IBM i.
oYou can specify multiple values for any of the allow/deny directives. If multiple values are specified, each value must be separated by spaces.

[{"Type":"MASTER","Line of Business":{"code":"LOB57","label":"Power"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.1.0"}]

Historical Number


Document Information

Modified date:
18 December 2019