Porting Central

5733-SC1 -- IBM Portable Utilities for i5/OS

LPO 5733-SC1 -- IBM Portable Utilities for i5/OS -- is available for i5/OS users. The 5733-SC1 LPO contains the OpenSSH, OpenSSL and zlib open source packages ported to i5/OS using the i5/OS PASE runtime environment. The 5733-SC1 LPO requires i5/OS V5R3 or later and also requires that i5/OS Option 33 (i5/OS PASE - Portable Solutions Application Environment) be installed.

TCP/IP connectivity applications such as telnet and ftp transmit data and passwords over the network in plain text. This means that the data and passwords can be intercepted and read by other users on the network. The SSH (Secure SHell) protocol suite is a software solution that provides secure alternatives for telnet and ftp. SSH verifies the authenticity of both the client and server and all of the data (including userids and passwords) is encrypted as it travels on the network. This encryption is done transparently to the end user.

OpenSSH is the open source implementation of the SSH protocol suite. OpenSSH is widely available for use on many other platforms including Linux, AIX and z/OS. The OpenSSH development team maintains web pages here: http://www.openssh.org/

The OpenSSH portion of 5733-SC1 consists of these utilities:

  • ssh - a secure telnet replacement that allows an i5/OS user to connect as a client to a server running the sshd daemon. An ssh client can also be used to connect to the Hardware Management Console (HMC) on the eServer 5xx iSeries models.
  • sftp - a secure ftp replacement. As with all implementations of sftp on other platforms, sftp can only transfer data in binary format. Note that sftp also does not provide the enhanced functions available in the i5/OS ftp utility when transferring files in the QSYS.LIB file system nor does it provide the CCSID data conversion options available in the i5/OS ftp utility.
  • scp - a secure file copy program -- basically an alternative to sftp for copying a single file in the integrated file system (IFS).
  • ssh-keygen - a public/private key generation and management tool. SSH allows users to authenticate using these public and private keys as an alternative to using their OS signon password.
  • ssh-agent - an authentication agent that can store private keys. ssh-agent allows a user to load their public/private key passphrase into memory to avoid needing to retype the passphrase each time an SSH connection is started.
  • sshd - the daemon that handles incoming ssh connections. The sshd daemon utility allows users to connect to i5/OS via an ssh client. In contrast to connecting to i5/OS via telnet and being presented with a 5250 screen interface, users that connect via ssh to an i5/OS system running the sshd daemon will be presented with a character interface and an i5/OS PASE command line.

During installation, symlinks to these commands are created in the default $PATH. For specifics on the OpenSSH utilities see the reference manual pages here: http://www.openssh.org/manual.html

Hints and tips for using OpenSSH:

  • Installation:
    • RSTLICPGM LICPGM(5733SC1) DEV(OPTxx) OPTION(*BASE) RSTOBJ(*ALL) LNG(2924)
    • RSTLICPGM LICPGM(5733SC1) DEV(OPTxx) OPTION(1) RSTOBJ(*PGM)
  • For V5R3 and V5R4, the OpenSSH configuration files (for example, ssh_config and sshd_config) are located in the directory: /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/

  • For V6R1 the OpenSSH configuration files are located in the directory: /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.8.1p1/etc/
    Any changes that have been made in the V5R3 or V5R4 configuration files will need to be manually migrated to the V6R1 configuration files.

  • The "green screen" 5250 terminal sessions started by using the STRQSH or CALL QP2TERM CL commands are not true TTY devices. This can cause problems when trying to use ssh, sftp or scp within one of these sessions. Possible workarounds:
    • For ssh: use the -T option to not allocate a tty when connecting
    • For sftp and scp: use the ssh-agent utility and public key authentication to avoid sftp and scp prompting for passwords or passphrases
    • Use the utilities from a true tty session (such as xterm)

  • To run the sshd daemon on i5/OS:
    • For V6R1 the sshd daemon can be started with CL command STRTCPSVR SERVER(*SSHD) and ended with ENDTCPSVR SERVER(*SSHD). If they do not exist, the host key files will be generated when the sshd daemon is started.
    • For V5R3 and V5R4:
      • The userid that starts the daemon must have *ALLOBJ special authority
      • The userid that starts the daemon must be 8 or fewer characters long
      • Before starting sshd for the first time, you will need to generate host keys:
        • ssh-keygen -t rsa1 -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_key -N ""
        • ssh-keygen -t dsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_dsa_key -N ""
        • ssh-keygen -t rsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_rsa_key -N ""
      • You can start the sshd daemon with this CL command: QSH CMD ('/QOpenSys/usr/sbin/sshd')


  • To connect to i5/OS using ssh:
    • The userid that is connecting must be 8 or fewer characters long
    • If you use public-key authentication to connect, verify the permissions on the userid's directories and files:
      • The userid's home directory must not have public write authority (chmod go-w /home/myuserid)
      • The userid's /home/myuserid/.ssh directory and /home/myuserid/.ssh/authorized_keys file must not have any public authorities (chmod go-rwx /home/myuserid/.ssh and chmod go-rwx /home/myuserid/.ssh/authorized_keys)
    • Once connected, you will be at an i5/OS PASE command line. See the i5/OS PASE utilities information in InfoCenter for information on the i5/OS PASE utilities that are available.
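An added example, not part of the 5733-SC1 product, that audits the three permission requirements above from an i5/OS PASE shell before a public-key login is attempted. It assumes POSIX "ls -ld" output and takes the userid's home directory as its argument (the test below creates its own temporary directory rather than a real /home/myuserid):

```shell
#!/bin/sh
# Audit the permissions sshd requires for public-key authentication
# (added example): the home directory must not be group/other writable,
# and .ssh and authorized_keys must carry no group/other permissions.
# Usage: check_pubkey_perms /home/myuserid

# mode_of PATH -> the 10-character mode string, e.g. drwxr-x---
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# group_other_bits PATH -> the six group/other permission characters
group_other_bits() {
    mode_of "$1" | cut -c5-10
}

# check_pubkey_perms HOME_DIR -> 0 if all three paths are acceptable,
# 1 otherwise; each problem is printed with the chmod that fixes it.
check_pubkey_perms() {
    home="$1"
    rc=0
    # Home directory: group write is character 2, other write is character 5.
    case "$(group_other_bits "$home")" in
        ?w*|????w?) echo "$home is group/other writable (chmod go-w $home)"; rc=1 ;;
    esac
    for p in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "$p is missing"; rc=1; continue
        fi
        # .ssh and authorized_keys: all six group/other bits must be '-'.
        if [ "$(group_other_bits "$p")" != "------" ]; then
            echo "$p has group/other permissions (chmod go-rwx $p)"; rc=1
        fi
    done
    return $rc
}
```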

  • You can use ssh to encrypt the 5250 telnet datastream:
    • On the server, start the telnet server and the sshd server
    • On the client, start an ssh session to the server (named servername in this example) that will route the traffic on an unused port on the client (2001 in this example) to the telnet port (23) on the server:
      CALL QP2TERM
      then
      ssh -T -L2001:localhost:23 servername
      This ssh session will need to be left active while the telnet sessions are in use.
    • Other sessions on the client can now start telnet sessions:
      TELNET RMTSYS(*INTNETADR) INTNETADR(LOCALHOST) PORT(2001)

  • The sshd daemon uses the i5/OS Set Profile API ( QsySetToProfileHandle ) to switch from the userid that started sshd to the userid that is connecting.

OpenSSL and zlib:

OpenSSH requires the OpenSSL and zlib open source libraries in order to function. A user can write i5/OS PASE applications that call OpenSSL or zlib APIs.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL). Refer to the OpenSSL web pages here for more information: http://www.openssl.org/

zlib is a set of data compression APIs. Refer to the zlib web pages here: http://www.zlib.org/ for more information.

Miscellaneous Information:

Version and directory information:

  • For V5R3 and V5R4 the OpenSSH version is 3.5p1 and is located in directory /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.5p1/
  • For V6R1 the OpenSSH version is 3.8.1p1 and is located in directory /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.8.1p1/
  • The OpenSSL version is 0.9.7d and is located in directory /QOpenSys/QIBM/ProdData/SC1/OpenSSL/openssl-0.9.7d/
  • The zlib version is 1.1.4 and is located in directory /QOpenSys/QIBM/ProdData/SC1/zlib/zlib-1.1.4/

NLS information:

  • There is only a single English build available; however, this single build does include the following translations of the OpenSSH messages, which are selected based on the LANG and NLSPATH environment variable settings:
    • CA_ES and ca_ES (Catalan)
    • CS_CZ and cs_CZ (Czech)
    • DE_DE and de_DE (German)
    • EN_US and en_US (English)
    • ES_ES and es_ES (Spanish)
    • FR_FR and fr_FR (French)
    • HU_HU and hu_HU (Hungarian)
    • IT_IT and it_IT (Italian)
    • JA_JP and ja_JP and Ja_JP (Japanese)
    • KO_KR and ko_KR (Korean)
    • PL_PL and pl_PL (Polish)
    • PT_BR and pt_BR (Portuguese)
    • RU_RU and ru_RU (Russian)
    • SK_SK and sk_SK (Slovak)
    • ZH_CN and Zh_CN and zh_CN (Simplified Chinese)
    • ZH_TW and Zh_TW and zh_TW (Traditional Chinese)

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)
