IBM Support

Starting the SSH Daemon in a Dedicated Subsystem Environment

Troubleshooting


Problem

This document describes how to start SSH as an autostart job in a subsystem.

Resolving The Problem

To better control the environment and resources that are used by SSH jobs, we recommend that you run SSH jobs in a dedicated subsystem. This becomes even more obvious when we discuss how the SSHD environment works. When you start the SSHD daemon on the IBM i, a single job for the daemon is started. When a client establishes an SSH session to the daemon, the daemon spawns a new job for this particular client. When a user is authenticated for this client session, another job is spawned. In addition, if the user runs a command or job, another job is started; this means that you might end up with three jobs for a single client user. Therefore, we recommend that you run all SSH jobs in a separate subsystem.

To set up the required subsystem environment, you must have at least the following IBM i objects:
o Subsystem description (SBSD) with routing and memory entries and an autostart job entry
o Job queue (JOBQ)
o Job description (JOBD)
o User profile (USRPRF)

Note: This object is recommended to run sshd under a dedicated user profile.

The following steps show an example of starting the sshd daemon in a simple subsystem environment:
1.
Create a library to store the SSDH-related objects. On the operating system command line, type the following:

CRTLIB LIB(SSHLIB) TEXT('SSH library')

Press the Enter key.
2.
Create a subsystem description using the following CL command:

CRTSBSD SBSD(SSHLIB/SSHSBS) POOLS((1 *BASE)) TEXT('SSH jobs subsystem')

Press the Enter key. This command creates a subsystem description called SSHSBS in the SSHLIB library and assigns a single memory pool. You might want to create a dedicated memory pool in your environment rather than using the system base pool.
3.
Create a job queue for submitting the job to the subsystem:

CRTJOBQ JOBQ(SSHLIB/SSHJOBQ) TEXT('SSH job queue')

Press the Enter key.
4.
Create a user profile for the daemon job. This user profile is used to run the SSHD daemon; therefore, it should not be used to sign on the system. To ensure it will not be used to sign on the system, create the profile without a password and specify *SIGNOFF for the Initial menu. In addition, set Limit capabilities for the user profile to *YES. Ensure the profile is less than eight characters.

CRTUSRPRF USRPRF(SSHDUSR) PASSWORD(*NONE) INLMNU(*SIGNOFF) LMTCPB(*YES) SPCAUT(*ALLOBJ) + TEXT('SSHD Daemon user profile')

Press the Enter key.
5.
Create a job description for the subsystem autostart job entry:

CRTJOBD JOBD(SSHLIB/SSHJOBD) JOBQ(SSHLIB/SSHJOBQ) TEXT('Job description for SSHD autostart') USER(SSHDUSR) RQSDTA('QSH CMD(''/QOpenSys/usr/sbin/sshd'')') ALWMLTTHD(*YES)   

Press the Enter key.
Please make sure the job description parameter ALWMLTTHD is set to *YES !! 
The default is *N, but having this parameter set to NO can cause multi thread issues.
 
6.
Create a class for the subsystem. The class defines the run priority of the SSH jobs and other resource related parameters.

CRTCLS CLS(SSHLIB/SSHCLS) TEXT('SSH job class')

Press the Enter key.
7.
Add a routing entry to the subsystem so that the autostart job entry can start the SSHD daemon job:

ADDRTGE SBSD(SSHLIB/SSHSBS) SEQNBR(1) CMPVAL(*ANY) PGM(QCMD) CLS(SSHLIB/SSHCLS)

Press the Enter key.
8.
Add the job queue that you previously created to the subsystem description:

ADDJOBQE SBSD(SSHLIB/SSHSBS) JOBQ(SSHLIB/SSHJOBQ) MAXACT(*NOMAX) SEQNBR(10)

Press the Enter key.
9. Add the autostart job entry to the subsystem description:

ADDAJE SBSD(SSHLIB/SSHSBS) JOB(SSHD) JOBD(SSHLIB/SSHJOBD)

Press the Enter key.

Whenever the subsystem is started, the job (as specified in the autostart job entry through the job description) is started. It runs with the priority defined in the class SSHCLS. It also runs under the SSHDUSR user profile. To fully automate the startup of the SSHD daemon at IPL time, you must change your startup program to include the STRSBS SSHLIB/SSHSBS command. When the subsystem is started with the previously created subsystem environment and no SSH connection is established, you should see one QP0ZSPWP running (as shown below in Figure 1).


Screen shot of the SSHD job (QP0ZSPWP) running in the dedicated SSH SBS.

Note: The primary function of the SSHD autostart job is to process the program call '/OpenSys/usr/sbin/sshd' defined in the SSHD JOBD. When processing of the autostart job completes, the SSHD job is no longer active. SSHD processing will be handled by job QP0ZSPWP. The QP0ZSPWP job will run in the dedicated SSH subsystem.

[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSTS2D","label":"IBM i 7.3"},"Component":"Communications-TCP","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"","label":""}}]

Historical Number

428379042

Document Information

Modified date:
19 November 2019

UID

nas8N1014744