IBM Support

SSH Key Authentication for IBM i ACS Open Source Package Management

How To


Summary

Covers configuring Secure Shell (SSH) key authentication for the IBM i Access Client Solutions (IBM i ACS) Open Source Package Management (OSPM) tool.

Steps

IBM i ACS Open Source Package Management supports SSH password or key authentication.

If key authentication is desired, IBM i ACS supports the following SSH key formats:
  • PuTTY PPK version 0.74 or lower.
  • OpenSSH PEM.
Because PuTTY version 0.74 is no longer readily available, this document does not cover the PuTTY key generator process.
 

Here is how to create an SSH key pair by using OpenSSH on the IBM i for use with the IBM i ACS OSPM.

The variable <profile> is used throughout this document.
<profile> is the IBM i profile of the user who is setting up IBM i ACS OSPM for their session.

Log in to the IBM i with the user profile that is configuring IBM i ACS OSPM SSH key authentication.

Ensure that the user account home directory exists and is defined in the IBM i user profile.

To check the profile for a home directory, enter the following command:

DSPUSRPRF USRPRF(<profile>)

Page Down until you see a field called "Home directory".
If that field has no entry, the home directory is not defined.

Review the /home directory for a folder with your user profile as the name:
WRKLNK OBJ('/home/<profile>')

If a folder name matches your IBM i user profile name, your profile path exists.

If you get an error "Object not found", then you must create a home directory.

To create the home directory, use the following command:
MKDIR DIR('/home/<profile>')

After the user home directory path is created, the home directory path must be defined in your IBM i user profile.

Change the user profile and add the home directory path:
CHGUSRPRF USRPRF(<profile>) HOMEDIR('/home/<profile>')

Note:
Once the user profile is modified with the home directory, you must sign off from the 5250 session and then sign back in for the changes to take effect.

Start a PASE shell by using the following command:
CALL QP2TERM

Note:
PASE commands are case-sensitive.

By default your PASE session should start with your current working directory as your home directory.
To confirm that it is the current working directory, use the following command:
pwd

The pwd command shows your current working directory, which should be your home directory's path if one was correctly defined.
For example:  /home/<profile>

If it does not, your home directory is not defined correctly. See the previous steps for defining a home directory.
Contact support if those steps do not work.

Once you have confirmed that the current working directory is the user's home directory, enter the following command to generate the SSH keys:
 
ssh-keygen -m pem 

The first prompt is "Enter file in which to save the key (/home/<profile>/.ssh/id_rsa):"
Press enter and take the default, unless you want or need a different name.
Next, you are prompted for a passphrase.  Just press enter.
You will be asked to confirm the passphrase.  Press enter.
Note: IBM i ACS OSPM doesn't currently provide passphrase support with its use of SSH key authentication.
When the random art image is shown, the process is complete.

Run the following command to ensure the keys are in your .ssh directory:
ls -l /home/<profile>/.ssh
You should see an id_rsa and an id_rsa.pub key. 
The id_rsa is the private key and the id_rsa.pub is the public key.

Next, we are going to make sure the home directory has the correct authorities.
Run the following command:
chmod 755 /home/<profile>

Once that is complete, you can press F3 to exit PASE.
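
The result of the PASE steps above can be checked from a PASE shell (CALL QP2TERM) before the keys are downloaded. The following script is an added example, not part of the original IBM document; the function names are hypothetical, and it assumes the default key name id_rsa and that sshd enforces its default StrictModes check on the home and .ssh directories.

```shell
#!/bin/sh
# Added example (not IBM's code). Usage: check_ssh_setup /home/<profile>

# Classify a private key by its first line: pem, openssh, or unknown.
key_format() {
    case "$(head -n 1 "$1" 2>/dev/null)" in
        "-----BEGIN RSA PRIVATE KEY-----") echo pem ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        *) echo unknown ;;
    esac
}

# Succeed when the 10-character ls mode string of $1 matches glob pattern $2.
mode_matches() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        $2) return 0 ;;
    esac
    return 1
}

check_ssh_setup() {
    home=$1
    key=$home/.ssh/id_rsa
    rc=0
    # Home and .ssh must not be writable by group or others (chmod 755 satisfies this).
    for dir in "$home" "$home/.ssh"; do
        mode_matches "$dir" 'd????[!w]??[!w]?' ||
            { echo "FAIL: $dir is missing or group/world-writable"; rc=1; }
    done
    # The private key must be accessible to its owner only.
    mode_matches "$key" '-???------' ||
        { echo "FAIL: $key is missing or accessible to group/others"; rc=1; }
    # ACS needs PEM; ssh-keygen from OpenSSH 7.8 on writes the OpenSSH
    # format unless -m pem is given.
    [ "$(key_format "$key")" = pem ] ||
        { echo "FAIL: $key is not a PEM RSA key"; rc=1; }
    # A passphrase-protected PEM key carries this header; OSPM cannot use it.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$key" 2>/dev/null; then
        echo "FAIL: $key has a passphrase"; rc=1
    fi
    [ -f "$key.pub" ] || { echo "FAIL: $key.pub not found"; rc=1; }
    return $rc
}
```

Because the key has no passphrase, the copy of id_rsa downloaded to c:\acs_ssh_keys needs the same owner-only protection on the PC.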

On the PC where ACS is installed, open a Windows command prompt.
Create a directory on the C-drive of the computer called acs_ssh_keys.
Run the following commands:
cd /
mkdir acs_ssh_keys
cd acs_ssh_keys

Next, download the two generated keys.
Run the following commands:
ftp your_system

Log in with your IBM i user profile and password.

Enter the following command to change to name format 1. This allows you to work with the root file system:
quote site namefmt 1

Change directory to where the two ssh keys were just generated:
cd /home/<profile>/.ssh

Change to ASCII mode by entering this command:
asc

Disable prompt mode by entering this command:
prompt

Enter this command to download both keys:
mget id_rsa.*

Once done downloading the two keys, enter this command to exit FTP:
quit

Exit the Windows command prompt.

Open IBM i Access Client Solutions from the desktop.

In IBM i ACS under Management, select "System Configurations".

Locate your IBM i system and select it. Then, click the Edit button at the bottom.
Click the last tab on the upper right of Edit Selected System labeled "SSH Key Setup".
Click the button "Copy SSH Key(s) to server".
Browse to the directory on your PC c:\acs_ssh_keys that you created earlier.
Select the id_rsa.pub key and press the Open button.
You will be prompted to proceed.  Answer "yes" by clicking the Yes button.
When that completes, the message "MSGGEN002 - The Function completed successfully" is shown. Press the OK button.
Press the OK button on the "Edit Selected System" screen.
Exit the "System Configurations" screen.

Finally, in IBM i ACS, select Tools => Open Source Package Management.
Enter your user name for the IBM i system.
Select the "SSH Key (optional)" checkbox.
Click the Browse button.
Browse to the directory on your PC c:\acs_ssh_keys that you created earlier.
Select the id_rsa key and press OK.

Click OK. ACS connects to OSPM by using SSH key authentication, without prompting for a password.

Document Location

Worldwide



Document Information

More support for:
IBM i Access Client Solutions

Software version:
All Versions

Document number:
6502005

Modified date:
29 November 2021

UID

ibm16502005
