IBM Support

OpenSSH 8.0p1 Instructions

1. Compatibility
Check the "Potentially-incompatible changes" section of the release notes for each release after 6.9/6.9p1.
https://www.openssh.com/releasenotes.html
2. IBM i specific changes
This PTF creates a non-privileged user profile QSSHD. This profile must not be disabled.
 
This PTF creates the /QOpenSys/QIBM/ProdData/SC1/OpenSSH/empty directory if it does not exist. The directory must not contain any files, must be owned by QSECOFR, and must not be group- or world-writable.

In IBM i OpenSSH 6.9p1, UsePrivilegeSeparation is explicitly set to "no". As of 8.0p1, UsePrivilegeSeparation is deprecated, and a warning message is generated when the sshd server starts if the option exists in sshd_config. To disable the warning, comment out or remove the line containing UsePrivilegeSeparation from the sshd_config file. If you do so, you must uncomment the line or add it back if you wish to roll back the PTF to OpenSSH 6.9p1, as privilege separation is not supported on that release.

3. Upgrading tips
It is recommended that you replace the sshd_config file with the latest sshd_config template shipped in /QOpenSys/QIBM/ProdData/SC1/OpenSSH/etc_template and reapply any custom configuration options you made previously.
1) Back up /QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/sshd_config
2) Copy /QOpenSys/QIBM/ProdData/SC1/OpenSSH/etc_template/sshd_config to /QOpenSys/QIBM/UserData/SC1/OpenSSH/etc
3) Integrate your user-specific configuration.
If sshd does not start, use the following command to check for failure messages:
WRKSPLF SELECT(QSECOFR *ALL *ALL *ALL *ALL QPRINT)
Note: The product directory is different between IBM i 7.1 and IBM i 7.2.
    IBM i 7.1 /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-4.7p1/
    IBM i 7.2 /QOpenSys/QIBM/ProdData/SC1/OpenSSH/
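
For step 3), one way to find the options that need integrating is to list the active directives in the backed-up sshd_config that the new template does not already contain, and to flag an active UsePrivilegeSeparation line (see section 2). This is an added example, not IBM-supplied code; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM-supplied code.

# Print active directives in config $1 that the template $2 does not already
# contain. Keywords are lower-cased (sshd_config keywords are case-insensitive)
# and whitespace is collapsed, so formatting differences are not reported.
# Assumes "Keyword value" lines; directives under a Match block are listed
# without their context, so review those by hand.
custom_directives() {
    awk -v tmpl="$2" '
        function norm(s,   n, f, i, out) {
            gsub(/^[ \t]+|[ \t]+$/, "", s)
            if (s == "" || s ~ /^#/) return ""      # blank line or comment
            n = split(s, f, /[ \t]+/)
            out = tolower(f[1])
            for (i = 2; i <= n; i++) out = out " " f[i]
            return out
        }
        BEGIN { while ((getline l < tmpl) > 0) { k = norm(l); if (k != "") seen[k] = 1 } }
        { k = norm($0); if (k != "" && !(k in seen)) print k }
    ' "$1"
}

# Succeed if an active (uncommented) UsePrivilegeSeparation line is present.
has_privsep_option() {
    grep -Eiq '^[[:space:]]*UsePrivilegeSeparation([[:space:]=]|$)' "$1"
}

# Constructed sample files; on the system, pass the backup from step 1) and
# the template from step 2) instead.
demo="${TMPDIR:-/tmp}/sshd_demo.$$"
mkdir -p "$demo"
cat > "$demo/sshd_config.bak" <<'EOF'
# constructed 6.9p1-era configuration
Port 2222
UsePrivilegeSeparation no
permitrootlogin   no
Subsystem sftp internal-sftp
EOF
cat > "$demo/sshd_config.template" <<'EOF'
#Port 22
#PermitRootLogin yes
Subsystem sftp internal-sftp
EOF
custom_directives "$demo/sshd_config.bak" "$demo/sshd_config.template"
if has_privsep_option "$demo/sshd_config.bak"; then
    echo "UsePrivilegeSeparation is set: sshd 8.0p1 warns at start"
fi
rm -rf "$demo"
```

Each line printed by custom_directives is a candidate to carry over into the new sshd_config; a commented-out default in the template does not count as already present.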
4. Known issues you may encounter after upgrading
1) Public-key authentication no longer works
Support for ssh-dss and ssh-dss-cert-* host and user keys is disabled by default at run time as of OpenSSH 7.0/7.0p1. Check which key type you are using. If you still prefer DSA, refer to https://www.openssh.com/legacy.html to re-enable it.
As a quick solution to enable ssh-dss public-key authentication, add the following line to ssh_config (client side), sshd_config (server side), or both:
PubkeyAcceptedKeyTypes +ssh-dss


Document Information

Modified date:
05 February 2020

UID

ibm11136590