This document provides the steps necessary to configure Public-key authentication on the IBM i SSHD.
Resolving The Problem
Public-key authentication allows SSH, SFTP, and SCP clients to gain access to SSH servers without having to provide a password. Public-key authentication is a popular form of authentication because it eliminates the need to store user IDs and passwords in clear text files during batch processing.
5733SC1 IBM Portable Utilities for i5/OS *BASE & Option 1
57XXSS1 Option 33 (Portable Application Solutions Environment)
This document assumes the following:
- The IBM i is running at V5R4 or higher of the operating system.
- A user profile consisting of eight characters or less has been created to provide SSH access to the IBM i.
- The IBM i SSHD has been configured to accept and process inbound SSH connections.
|Important Note: The user someuser provided in the examples below is not the name of an actual IBM i profile. The commands that contain someuser as part of the syntax should be replaced with the profile name that has been created to provide users SSH access to the IBM i.|
Do the following to configure Public-key authentication on the IBM i:
|1.||Sign on a system that is running V5R4 or higher.|
|2.||On the operating system command line, run the CALL QP2TERM command to enter the PASE environment.|
|3.||From within the PASE or Qshell environment, type the following commands:|
Note: Licensed Program Product 57XXSS1 Option 30 (Qshell) is required to run the commands below in the Qshell environment.
a. Create a HOME directory on the IBM i to store the user's SSH-related objects.
b. Change ownership of the home directory to the SSH user.
c. Set permissions on the user's home directory.
d. Create a .SSH directory within the user's home directory.
e. Change ownership of the .SSH directory to the SSH user.
f. Set permissions on the user's .SSH directory.
|4.||Close the PASE terminal session. Use the F3 key to exit the terminal session.|
|5.||Change the home directory parameter in the SSH user's profile to point to the IFS path of the home directory created in Step 3a.|
CHGUSRPRF USRPRF(someuser) HOMEDIR('/home/someuser')
|6.||Once the appropriate directories and permissions have been set for the SSH user, now it is time to have the client generate a private/public DSA or RSA key pair. When the key pair has been generated, the client will need to send you the corresponding public key. The public key should be stored in the authorized_keys file within the user's .SSH folder. Use FTP in binary mode to move the public key into the user's .SSH directory.|
|7.||Rename the public key's filename to authorized_keys. |
a. Follow Step 2 in this document to enter the PASE environment.
b. Rename the public key's filename to authorized_keys.
Note: Replace public_key with the name of the file that contains the public key.
c. Change ownership of the authorized_keys file to the SSH user.
d. Set permissions on the authorized_keys file.
In some cases, you may need to append additional public keys into the authorized_keys file. For example, the client needs SSH access to the IBM i from more than one machine. In situations like these, the client has generated a separate private/public key on each machine. You should use the command below to append keys to the authorized_keys.
cat /some/tree/public_key >> /home/someuser/.ssh/authorized_keys
Note: In the example above, /some/tree/public_key is the IFS path were the public key is stored.
|8.||Close the PASE terminal session. Use the F3 key to exit the terminal session.|
|9.||Configuration of Public-key authentication on the IBM i is complete. Clients connecting to the IBM i should not be prompted for a password during the authentication phase. Note: You do not need to restart the SSHD to allow the Public-key authentication configuration changes to take effect. If configured properly on both sides, user's should not be prompted for a password when connecting to the IBM i SSHD.|
18 December 2019