IBM Support

Remote Command Execution from IBM i to Microsoft Windows Open SSHD

How To


Summary

This document describes an alternative to the RUNRMTCMD command, using OpenSSH on the IBMi and the OpenSSH server (sshd) on Windows 10/Windows Server 2016.

This is provided as is; there is no implied support. SSH is an open standard.

Steps

Note:  When I created this document I used our internal system and my user profile.  Make sure you replace my user profile and system name with your own.

Open an elevated Windows PowerShell.

Run the following: 

Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'

Figure 1 shows what the output will look like.

Figure 1. [image not included]

If the State of OpenSSH.Server shows NotPresent, you must install it.

The following command is used to install the OpenSSH Server:

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

If the client is not installed run the following as well:

Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

Once completed, check the install status with the command:

Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'

The output should look like Figure 2.

Figure 2. [image not included]

Note:  If the state shows Install pending, the PC will need to be rebooted.

Install utilities for key generation and management.

Run the following:

Install-Module -Force OpenSSHUtils -Scope AllUsers

The next command is necessary to allow a script that is used later on (Repair-AuthorizedKeyPermission) to run:

set-executionpolicy remotesigned

You will be prompted whether you want to change the execution policy; answer A (Yes to All).

Open the Windows firewall to allow incoming SSH connections:

New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound -Action Allow -DisplayName SSH

At this point we can test credential-based authentication.

Start the SSHD with the following command:

Start-Service sshd

The service can also be set to start automatically at reboot with the following command:

Set-Service -Name sshd -StartupType 'Automatic'

To get the status of the SSHD service, run the following:

Get-Service sshd

Test locally by entering:

ssh localhost

You should be prompted to enter your password for the Windows PC.

You should also be able to use a utility like PuTTY to ssh into your Windows PC from another PC on the network.  The command exit is used to close the ssh session.

At this point password authentication should be working with SSH.

We can now start the process for key authentication.

Key authentication is used to log in using SSH without having to type a user name and password.

It’s important you have a basic understanding of key authentication.

The following is a quick overview of how it works. 

If you want to dive deeper there are plenty of resources on the web.

Key authentication starts with keys. 

Keys come in pairs: there is a public key and a private key.

The public key will have a .pub extension.

The private key will not have an extension.

The private key is essentially your password.

The server always keeps the public key.

The client keeps the private key.

In the SSH world, file authority (permissions and ownership) is very important, and incorrect authority causes most failures.

Files and folders in the configuration must have the correct authorities.

Always protect your private key: if anyone obtains it, they can log on to the server as you and have access to everything you have access to.

Keys are generated with a utility called ssh-keygen.

In this example we will generate the keys on the IBMi side, but you could just as easily generate them on the Windows side.

Please note that in all examples I’m using my own profile on the Windows side and on the IBMi side, obviously use your own profiles.

Before the keys are generated, we need to do some initial setup on the IBMi side.

Make sure you have a Home directory created.

wrklnk '/home/*'

Do you see your profile name in the home path?

If not create it:

mkdir '/home/jmckee'

Make sure you have the home directory set in your IBMi profile.

CHGUSRPRF USRPRF(JMCKEE) HOMEDIR('/home/jmckee')

Now a .ssh directory must be created within your home path.

mkdir '/home/jmckee/.ssh'

At this time, we can set permissions.

To do this we will go into the PASE environment.

Enter the following command to get into PASE:

call qp2term

Change directory to the home folder:

cd /home

The following lists file and folder attributes in the current directory:

ls -la

If you have a lot of users with home folders, you may have to page up to find your folder.

It will look like this:

drwxrwsrwx    3 jmckee   0              8192 Jan 29 15:06 jmckee

We need to update the permissions of your home directory:

chmod 755 jmckee

ls -la

Should show this now:

drwxr-sr-x    3 jmckee   0              8192 Jan 29 15:06 jmckee

Next, change directory to your home folder:

cd /home/jmckee

ls -la

The .ssh directory will have these default permissions:

drwxrwsrwx    2 jmckee   0              8192 Jan 29 15:04 .ssh

chmod 700 .ssh

ls -la

Should show this now:

drwx--S---    2 jmckee   0              8192 Jan 29 15:04 .ssh

Change directory into the .ssh directory:

cd .ssh

Let’s generate keys.

ssh-keygen

After entering that command you're prompted to enter a file in which to save the key; just press Enter.

It then prompts for a passphrase; just press Enter, then Enter again to confirm.

You’ll see an output like Figure 3 once done.

Figure 3. [image not included]

At this time list the contents of your .ssh directory.

ls -la

You will see two new files, id_rsa and id_rsa.pub.

These files are your public and private key pair.

The private key stays on the IBMi in the .ssh directory you created.  The permissions of that file must be 600.  ls -la will show the permissions of the id_rsa private key; make sure it looks like this:

-rw-------    1 jmckee   0              1675 Jan 29 15:32 id_rsa

If not, use the chmod command to update the permissions:

chmod 600 id_rsa

One more important thing to know: your home folder, .ssh folder and id_rsa file must all be owned by you.  If ls -la shows a different owner, use the chown command to change the owner.

chown jmckee /home/jmckee

chown jmckee /home/jmckee/.ssh

chown jmckee /home/jmckee/.ssh/id_rsa

At this time we can exit PASE with an F3.

Then sign off your session.

Sign back into it again, this updates the current session and makes all the changes take effect.
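The authorities set in the steps above (home directory 755, .ssh 700, id_rsa 600, all three owned by your profile) are the usual cause of key authentication failing, so it helps to have a way to check them in one go. The following is an added example, not part of the IBM document: a POSIX sh script that audits those authorities and, if needed, applies the same chown/chmod sequence. It uses only ls, awk, cut, tr, chmod and chown so it runs in PASE (call qp2term) as well as on Linux. The home path and user name are arguments; /home/jmckee and jmckee from the document appear only in the usage comment. It generalises slightly: any home mode that is not group- or world-writable passes, not only 755, and the setgid marker that IBMi shows (drwxr-sr-x, drwx--S---) is treated the same as a plain 755 or 700.

```shell
#!/bin/sh
# Audit and repair the ~/.ssh authorities that key authentication needs.
# Added example; not IBM's code. Works in PASE and on Linux.

# mode_of PATH  -> the 10-character mode string from ls -ld, e.g. drwxr-sr-x
mode_of() {
    ls -ld "$1" | awk '{print $1}' | cut -c1-10
}

# owner_of PATH -> the owner column from ls -ld
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# group_other_bits MODESTRING -> characters 5-10 (group and other bits) with
# the setgid marker S/s normalised to -/x, so drwxr-sr-x compares as r-xr-x
group_other_bits() {
    printf '%s' "$1" | cut -c5-10 | tr 'Ss' '-x'
}

# check_ssh_perms HOME_DIR USER -> 0 when every authority is correct;
# otherwise prints one line per problem and returns 1.
check_ssh_perms() {
    home=$1; user=$2; rc=0; missing=0
    for p in "$home" "$home/.ssh" "$home/.ssh/id_rsa"; do
        if [ ! -e "$p" ]; then
            echo "MISSING: $p"; missing=1
        elif [ "$(owner_of "$p")" != "$user" ]; then
            echo "WRONG OWNER: $p is owned by $(owner_of "$p"), expected $user"; rc=1
        fi
    done
    [ "$missing" -eq 0 ] || return 1
    # home: group/other may read and search, but must never write (755 in the document)
    case "$(group_other_bits "$(mode_of "$home")")" in
        *w*) echo "TOO OPEN: $home is group/world writable"; rc=1 ;;
    esac
    # .ssh: no group/other access at all (700)
    case "$(group_other_bits "$(mode_of "$home/.ssh")")" in
        ------) ;;
        *) echo "TOO OPEN: $home/.ssh must be 700"; rc=1 ;;
    esac
    # private key: owner read/write only (600); ssh refuses to use a wider key
    if [ "$(mode_of "$home/.ssh/id_rsa")" != "-rw-------" ]; then
        echo "TOO OPEN: $home/.ssh/id_rsa must be 600"; rc=1
    fi
    return "$rc"
}

# fix_ssh_perms HOME_DIR USER -> applies the document's chown/chmod sequence
fix_ssh_perms() {
    home=$1; user=$2
    for p in "$home" "$home/.ssh" "$home/.ssh/id_rsa"; do
        [ "$(owner_of "$p")" = "$user" ] || chown "$user" "$p"
    done
    chmod 755 "$home" && chmod 700 "$home/.ssh" && chmod 600 "$home/.ssh/id_rsa"
}

# Usage from PASE, e.g.:
#   check_ssh_perms /home/jmckee jmckee || fix_ssh_perms /home/jmckee jmckee
```

Only the id_rsa check is enforced by the ssh client itself (it refuses a private key readable by others); the home and .ssh checks mirror what sshd's StrictModes enforces on a server, which matters if the IBMi side is ever used as the server instead of the client.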

Continuing Windows setup.

Go back into an elevated PowerShell.

Change directory to your home path:

cd /users/jmckee

If you are not sure where your home path is located, you can use the command:

Get-Variable Home

If there is not already a .ssh folder in that path, one needs to be created.

md .ssh

Running dir should confirm it was created.

Once created change directory into the .ssh directory you just created.

cd .ssh

If you now enter the command pwd, it will show your current location, which should look like Figure 4.

Figure 4. [image not included]

Next, we download the public key to the Windows server into the .ssh directory.

Inside the same elevated PowerShell, where you are still in the .ssh directory, enter the following command.  I’m using FTP to download the public key.

ftp rch730a

rch730a is a system I used, obviously use your own.

Change directory to the .ssh directory you created on the IBMi.

cd /home/jmckee/.ssh

We will use binary mode; enter the FTP subcommand bin.

Then download the id_rsa.pub file.

get id_rsa.pub

Then quit the ftp session.

Figure 5 shows the ftp commands as I entered them.

Figure 5. [image not included]

Now we will copy the public key into a special file named authorized_keys on the Windows PC.

copy id_rsa.pub authorized_keys

After that is complete, we must set permissions correctly on the authorized_keys file.

The Repair-AuthorizedKeyPermission script from the OpenSSHUtils module will be used to do this.

Repair-AuthorizedKeyPermission -FilePath C:\Users\jmckee\.ssh\authorized_keys

When prompted take A for all on each question.

We are almost done.

Windows has updated the authorized_keys file, but it has added an access-control entry for the sshd service account (NT SERVICE\sshd) to the file.

This works fine for other Windows machines, but the IBMi client will fail.

We must remove the NT SERVICE\sshd entry from the authorized_keys file.

Run the following to remove that entry (the lines form one command and can also be entered on a single line separated by semicolons):

$acl = Get-Acl -Path authorized_keys
$user = 'NT SERVICE\sshd'
$acl.Access | Where-Object { $PSItem.IdentityReference.Value -eq $user } | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
Set-Acl -Path authorized_keys -AclObject $acl

Restart the SSHD on Windows:

Stop-Service sshd

Start-Service sshd

To connect from the IBMi to the Windows machine using SSH enter the following command:

ssh -T windows_profile@windows_server

You will receive a warning asking whether to add the server to the known hosts; answer yes.  This warning only occurs the first time.  See Figure 6.

Figure 6. [image not included]

At this time, you can use common Windows commands to navigate the command line.

When you are done, enter the command exit and you will be returned to PASE.

To send a single command to Windows without opening an interactive session, you can use something similar to this:

ssh -T jmckee@9.10.77.51 "dir"
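When this replaces RUNRMTCMD in a scheduled job, the call must never stop at a prompt and must report failure clearly. The following is an added example, not part of the IBM document: a POSIX sh wrapper around the "ssh -T user@host command" call above, for use from PASE. It assumes the one-time known-hosts acceptance described above has already been done interactively, because in batch mode an unknown host key is an error rather than a prompt. The user, host and command are arguments; jmckee and 9.10.77.51 from the document appear only in the usage comment.

```shell
#!/bin/sh
# Unattended remote command over ssh, in place of RUNRMTCMD.
# Added example; not IBM's code.
#
# Options used:
#   BatchMode=yes            never stop at a password/passphrase prompt; if the
#                            key is not accepted the call fails at once
#   StrictHostKeyChecking=yes the host must already be in known_hosts; an
#                            unknown or changed host key fails instead of asking
#   ConnectTimeout=N         bound how long an unreachable host blocks the job
#
# ssh exits 255 when it could not connect or authenticate; any other status
# is the exit code of the remote Windows command.

# run_remote_cmd USER HOST COMMAND [TIMEOUT_SECONDS]
# Prints the remote command's output and returns its exit status.
run_remote_cmd() {
    user=$1; host=$2; cmd=$3; timeout=${4:-10}
    ssh -T \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o ConnectTimeout="$timeout" \
        "$user@$host" "$cmd"
    rc=$?
    if [ "$rc" -eq 255 ]; then
        echo "run_remote_cmd: ssh could not connect to or authenticate with $host (check known_hosts, the key, and the authorities on both sides)" >&2
    fi
    return "$rc"
}

# Usage, with the names from the document (replace with your own):
#   run_remote_cmd jmckee 9.10.77.51 "dir" > dir.txt || echo "remote command failed with status $?"
```

Because the exit status is passed through, a CL program calling this through QSH or PASE can distinguish "could not reach or authenticate to the Windows host" (255) from "the Windows command itself failed" (any other non-zero status) and log each accordingly.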

Document Location

Worldwide


Document Information

Modified date:
20 August 2019

UID

ibm10888107