Archive for 2月 2011
Security implications of using SSH on iSeries
Security implications of using SSH on iSeries
http://archive.midrange.com/security400/200609/msg00048.html
External links
* PDF of Securing Communications with OpenSSH on IBM i5/OS (redp4163) at IBM Redpapers
* LPO 5733-SC1 -- IBM Portable Utilities for i
* How to set up SSH client on iSeries for password-less connections from midrange-l
* SSHSetup at YiPs Wiki
Using the iSeries SSH clientThese are instructions on how to use the system i ssh client for automatic, secure file transfer. Your business partner has assigned you a remote user account called yourRemoteUser.
Your local system i process will run as user RUSER.
System RequirementsFull instructions can be found here http://www.ibm.com/servers/enable/site/porting/tools/.
* Portable App Solutions Environment also known as PASE must be installed on the iSeries server to use ssh. Check the existence of licensed program 5722SS1 option 33.
* See also #External links for the IBM Redbook.
Setting up the user profileAssuming that the user profile to be used is RUSER, you need to set up some folders with the correct permissions.
CHGUSRPRF USRPRF(RUSER) HOMEDIR('/home/RUSER')
MKDIR DIR('/home') DTAAUT(*EXCLUDE) OBJAUT(*NONE)
MKDIR DIR('/home/RUSER') DTAAUT(*INDIR) OBJAUT(*INDIR)
If the home directory already exists, please run
CHGAUT OBJ('/home/RUSER') USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE) SUBTREE(*ALL)
Create the .ssh subdirectory:
MKDIR DIR('/home/RUSER/.ssh') DTAAUT(*INDIR) OBJAUT(*INDIR)
Getting and storing the remote server public keyLog in as user RUSER. You can use a security officer account instead, but then you will have to reset the permissions and file ownership back to RUSER.
Start the PASE shell
CALL QP2TERM
Execute this shell command
ssh-keyscan -t rsa your.customer.com >> ~/.ssh/known_hosts
Now you need to set up your own key pair.
Setting up your public and private key pairLog in as user RUSER. You can use a security officer account instead, but then you will have to reset the permissions and file ownership back to RUSER.
Self Creation of keysStart the PASE shell
CALL QP2TERM
Create the appropriate private/public keys with the ssh-keygen tool using an EMPTY passphrase, and place it in the default location in file "~/.ssh/id_rsa".
ssh-keygen -b 1024 -f ~/.ssh/id_rsa -t rsa
Send the public key from file "~/.ssh/id_rsa.pub" to your customer. ( The public key is added by the sever admin to "~/.ssh/authorized_keys" file on the SSH server.)
Using a key issued by someone elseYour business partner may have issued you a key, and now you should use it and not create your own. In this case, copy the key file that you received into the .ssh folder.
Copying files with SCPTo copy all xml files from the IN directory on the remote server to the /b2b/incoming IFS folder:
scp -o IdentityFile=~/.ssh/id_rsa yourRemoteUser@your.customer.com:IN/*.xml /b2b/incoming
(replace "id_rsa" with the actual name of the private key that you are to use) (The /b2b/incoming folder must exist prior to the copying.)
To run batch file transfer via scp, create a script file like this (called examplescp.sh)
#! /QopenSys/bin/sh
scp -o IdentityFile=~/.ssh/id_rsa yourRemoteUser@your.customer.com:IN/*.xml /b2b/incoming
exit
Execute it in batch via command
SBMJOB CMD(CALL PGM(QP2SHELL) PARM('/folderpath/examplescp.sh')) JOB(SSHJOB) USER(RUSER)
Copying files with SFTPWe want to copy all xml files from the IN directory (inside our homedir) on the remote server to the /b2b/incoming folder and delete them from the remote server.
Create a text file called ssh-input.txt that contains:
get IN/*.xml /b2b/incoming
rm IN/*.xml
exit
To run batch file transfer via sftp, create a script file like this (called examplesftp.sh)
#! /QopenSys/bin/sh
sftp –b ssh-input.txt -o IdentityFile=~/.ssh/id_rsa yourRemoteUser@your.customer.com
exit
Execute it in batch via command
SBMJOB CMD(CALL PGM(QP2SHELL) PARM('/folderpath/examplesftp.sh')) JOB(SSHJOB) USER(RUSER)
Placing your own public key on the remote serverSometimes you work with a clueless operator who does not or will not help you to place your public key on the remote server. There is a workaround that requires you to have a valid password for your account (you do have a password, don't you?). You also need write permissions you your home directory, and hopefully it does not have any public authority.
Start the PASE shell
CALL QP2TERM
Connect to the remote server using your password.
sftp yourRemoteUser@your.customer.com
Check to see if there is a .ssh folder in your home directory.
dir .ssh
If it does not exist , create it now, and switch to it.
mkdir .ssh
cd .ssh
If the authorized_keys file already exists, then you will have to get it to your system and append your public key to it, and then send it back. If it does not exist, then the following will suffice:
put ~/.ssh/id_rsa.pub authorized_keys
Setting up an iSeries SSHD serverhttp://www-03.ibm.com/servers/enable/site/porting/tools/openssh.html
To run the sshd daemon on i5/OS:
* The userid that starts the daemon must have *ALLOBJ special authority
* The userid that starts the daemon must be 8 or fewer characters long
* Before starting sshd for the first time, you will need to generate host keys:
ssh-keygen -t rsa1 -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_key -N ""
ssh-keygen -t dsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_dsa_key -N ""
ssh-keygen -t rsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_rsa_key -N ""
* You can start the sshd daemon with either one of these CL commands:
QSH CMD ('/QOpenSys/usr/sbin/sshd')
CALL PGM(QP2SHELL) PARM('/QopenSys/usr/sbin/sshd')
With IBM i 6.1 you can also use STRTCPSVR *SSHD
javascript:void(0)
* You can stop the sshd daemon at V5R4 by starting the PASE command shell:
CALL PGM(QP2SHELL)
(then issue the command to show active processes)
ps ax
(Find the PID number of the process for ssh and issue the kill command, if the PID is 1234...)
kill 1234
The SSHD configuration file should be reviewed for fitness to your security policy. In particular, the following items should be decided upon:
* The AllowUsers directive by default allows ALL active users to connect and execute PASE and system commands, even if they are limited users. Check theAllowUsers, AllowGroups, DenyUsers and DenyGroups directives to see what is good for you.
* The PermitRootLogin directive allows QSECOFR to login via SSH
http://archive.midrange.com/security400/200609/msg00048.html
External links
* PDF of Securing Communications with OpenSSH on IBM i5/OS (redp4163) at IBM Redpapers
* LPO 5733-SC1 -- IBM Portable Utilities for i
* How to set up SSH client on iSeries for password-less connections from midrange-l
* SSHSetup at YiPs Wiki
Using the iSeries SSH clientThese are instructions on how to use the system i ssh client for automatic, secure file transfer. Your business partner has assigned you a remote user account called yourRemoteUser.
Your local system i process will run as user RUSER.
System RequirementsFull instructions can be found here http://www.ibm.com/servers/enable/site/porting/tools/.
* Portable App Solutions Environment also known as PASE must be installed on the iSeries server to use ssh. Check the existence of licensed program 5722SS1 option 33.
* See also #External links for the IBM Redbook.
Setting up the user profileAssuming that the user profile to be used is RUSER, you need to set up some folders with the correct permissions.
CHGUSRPRF USRPRF(RUSER) HOMEDIR('/home/RUSER')
MKDIR DIR('/home') DTAAUT(*EXCLUDE) OBJAUT(*NONE)
MKDIR DIR('/home/RUSER') DTAAUT(*INDIR) OBJAUT(*INDIR)
If the home directory already exists, please run
CHGAUT OBJ('/home/RUSER') USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE) SUBTREE(*ALL)
Create the .ssh subdirectory:
MKDIR DIR('/home/RUSER/.ssh') DTAAUT(*INDIR) OBJAUT(*INDIR)
Getting and storing the remote server public keyLog in as user RUSER. You can use a security officer account instead, but then you will have to reset the permissions and file ownership back to RUSER.
Start the PASE shell
CALL QP2TERM
Execute this shell command
ssh-keyscan -t rsa your.customer.com >> ~/.ssh/known_hosts
Now you need to set up your own key pair.
Setting up your public and private key pairLog in as user RUSER. You can use a security officer account instead, but then you will have to reset the permissions and file ownership back to RUSER.
Self Creation of keysStart the PASE shell
CALL QP2TERM
Create the appropriate private/public keys with the ssh-keygen tool using an EMPTY passphrase, and place it in the default location in file "~/.ssh/id_rsa".
ssh-keygen -b 1024 -f ~/.ssh/id_rsa -t rsa
Send the public key from file "~/.ssh/id_rsa.pub" to your customer. ( The public key is added by the sever admin to "~/.ssh/authorized_keys" file on the SSH server.)
Using a key issued by someone elseYour business partner may have issued you a key, and now you should use it and not create your own. In this case, copy the key file that you received into the .ssh folder.
Copying files with SCPTo copy all xml files from the IN directory on the remote server to the /b2b/incoming IFS folder:
scp -o IdentityFile=~/.ssh/id_rsa yourRemoteUser@your.customer.com:IN/*.xml /b2b/incoming
(replace "id_rsa" with the actual name of the private key that you are to use) (The /b2b/incoming folder must exist prior to the copying.)
To run batch file transfer via scp, create a script file like this (called examplescp.sh)
#! /QopenSys/bin/sh
scp -o IdentityFile=~/.ssh/id_rsa yourRemoteUser@your.customer.com:IN/*.xml /b2b/incoming
exit
Execute it in batch via command
SBMJOB CMD(CALL PGM(QP2SHELL) PARM('/folderpath/examplescp.sh')) JOB(SSHJOB) USER(RUSER)
Copying files with SFTPWe want to copy all xml files from the IN directory (inside our homedir) on the remote server to the /b2b/incoming folder and delete them from the remote server.
Create a text file called ssh-input.txt that contains:
get IN/*.xml /b2b/incoming
rm IN/*.xml
exit
To run batch file transfer via sftp, create a script file like this (called examplesftp.sh)
#! /QopenSys/bin/sh
sftp –b ssh-input.txt -o IdentityFile=~/.ssh/id_rsa yourRemoteUser@your.customer.com
exit
Execute it in batch via command
SBMJOB CMD(CALL PGM(QP2SHELL) PARM('/folderpath/examplesftp.sh')) JOB(SSHJOB) USER(RUSER)
Placing your own public key on the remote serverSometimes you work with a clueless operator who does not or will not help you to place your public key on the remote server. There is a workaround that requires you to have a valid password for your account (you do have a password, don't you?). You also need write permissions you your home directory, and hopefully it does not have any public authority.
Start the PASE shell
CALL QP2TERM
Connect to the remote server using your password.
sftp yourRemoteUser@your.customer.com
Check to see if there is a .ssh folder in your home directory.
dir .ssh
If it does not exist , create it now, and switch to it.
mkdir .ssh
cd .ssh
If the authorized_keys file already exists, then you will have to get it to your system and append your public key to it, and then send it back. If it does not exist, then the following will suffice:
put ~/.ssh/id_rsa.pub authorized_keys
Setting up an iSeries SSHD serverhttp://www-03.ibm.com/servers/enable/site/porting/tools/openssh.html
To run the sshd daemon on i5/OS:
* The userid that starts the daemon must have *ALLOBJ special authority
* The userid that starts the daemon must be 8 or fewer characters long
* Before starting sshd for the first time, you will need to generate host keys:
ssh-keygen -t rsa1 -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_key -N ""
ssh-keygen -t dsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_dsa_key -N ""
ssh-keygen -t rsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_rsa_key -N ""
* You can start the sshd daemon with either one of these CL commands:
QSH CMD ('/QOpenSys/usr/sbin/sshd')
CALL PGM(QP2SHELL) PARM('/QopenSys/usr/sbin/sshd')
With IBM i 6.1 you can also use STRTCPSVR *SSHD
javascript:void(0)
* You can stop the sshd daemon at V5R4 by starting the PASE command shell:
CALL PGM(QP2SHELL)
(then issue the command to show active processes)
ps ax
(Find the PID number of the process for ssh and issue the kill command, if the PID is 1234...)
kill 1234
The SSHD configuration file should be reviewed for fitness to your security policy. In particular, the following items should be decided upon:
* The AllowUsers directive by default allows ALL active users to connect and execute PASE and system commands, even if they are limited users. Check theAllowUsers, AllowGroups, DenyUsers and DenyGroups directives to see what is good for you.
* The PermitRootLogin directive allows QSECOFR to login via SSH
