Troubleshooting
Problem
This document describes a remote SFTP user who fails to connect to the IBM i after the OS upgrade to R610.
Resolving The Problem
Remote users connect to the IBM i SFTP server to transfer files securely. After the operating system was upgraded to R610, SFTP access for one user was denied, although the same user could still log in to the system through SSH. The system SSHD was started in debug mode to provide more information about the failed SFTP connection. The following CL command was used to start SSHD in debug mode:
QSH CMD('/QOpenSys/usr/sbin/sshd -d -d -d')
A portion of the SSHD debug output for the failed SFTP connection follows:
debug1: subsystem: exec() /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.8.1p1/libexec/sftp-server
debug1: calling function do_exec
debug1: audit run command euid 515 user ouc command '/QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.8.1p1/libexec/sftp-server'
debug2: fd 3 setting TCP_NODELAY
debug2: fd 7 setting O_NONBLOCK
debug3: fd 7 is O_NONBLOCK
debug1: Received SIGCHLD.
To resolve the problem, you should do the following:
| 1. | Sign onto the System i with the failing user profile. |
| 2. | On the System i command line, type CALL QP2TERM and press the Enter key. |
| 3. | From within the PASE environment, type cd /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.8.1p1/libexec and press the Enter key. |
| 4. | Once in the libexec directory, type sftp-server and press the Enter key. A message similar to the one below will be returned: Couldn't open /dev/null: Permission denied |
| 5. | Press the F3 function key to exit the PASE environment. |
| 6. | Open a second session to System i. Log in with a user profile that has enough authority to make object changes; in other words, QSECOFR. |
| 7. | On the System i command line, type WRKLNK '/dev' and press the Enter key. |
| 8. | On the dev object, select Option 9 to display its authorities. |
| 9. | In the user column, you should see that the failing user profile was denied access to the object through the *EXCLUDE authority. |
| 10. | Select Option 4 to remove the failed user from the object's list of authorized users. The /dev object's default *PUBLIC authority (*RW) is enough authority for SFTP access to the System i. |
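The check in steps 3 and 4 can also be scripted. The following is an added example, not part of the original IBM document: a POSIX shell function (the name check_device_access is hypothetical) to run from QP2TERM as the failing user. It tries to open /dev/null for reading and writing and, if an open fails, reports which parent directory the user cannot search.

```sh
#!/bin/sh
# Added example, not IBM-supplied code. check_device_access is a hypothetical
# helper name. Run it as the failing user, for example from CALL QP2TERM.
# Prints one line per check; returns 0 only if both opens succeed.
check_device_access() {
    dev=${1:-/dev/null}
    rc=0

    # Try real opens in a subshell so a failed redirection cannot end this
    # shell. stderr is closed with 2>&- rather than sent to /dev/null,
    # because that redirect is the very thing that may be failing.
    if ( : < "$dev" ) 2>&-; then
        echo "ok    read   $dev"
    else
        echo "FAIL  read   $dev"
        rc=1
    fi
    if ( : >> "$dev" ) 2>&-; then
        echo "ok    write  $dev"
    else
        echo "FAIL  write  $dev"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        return 0
    fi

    # An open failed: walk up the parent directories to show where access is
    # blocked. In the case described here that is /dev, where the user
    # profile has a private *EXCLUDE authority.
    dir=$(dirname "$dev")
    while :; do
        if [ -d "$dir" ] && [ -x "$dir" ]; then
            echo "ok    search $dir"
        else
            echo "FAIL  search $dir"
        fi
        case $dir in /|.) break ;; esac
        dir=$(dirname "$dir")
    done
    return 1
}

check_device_access "${1:-/dev/null}"
```

A "FAIL  search /dev" line corresponds to the *EXCLUDE entry found in step 9; rerun the function after step 10 to confirm the fix.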
Historical Number
625609247
Document Information
Modified date:
18 December 2019
UID
nas8N1011122