1.  Home
  2. MIDRANGE-L
  3. February 2019

RE: Calling a program on the i via OpenSSH

Yea the document I used was created about 10 years ago and I use it as my reminder on the necessary steps for creating a local key. Guess I should update the doc. But basically the steps are:
Client Side:
1. Create a public / private key pair to identify yourself using the tools that come with your SSH client.
2. Get your public key over to the server you are attempting to connect to. If you do not have password access, you will need to get the local admin to post the key to your directory, or a global sever directory.
3. Put the remote server host key into your local Known_Host file.

Server side:
1. Create a user directory and set permission so the SSHD user account can read/write to it.
2. Put the remote user public key into the home directory for the user, under a subdirectory ".ssh' in a file called authorized_keys, and set the permissions correctly

With an iSeries being the SSHD, you have to grant the user profile Read/Write access to the user directory and .ssh sub-directory.

How all this is done depends on the SSH client and SSH demon.

--
Chris Bipes
Director of Information Services
CrossCheck, Inc.

707.665.2100, ext. 1102 - 707.793.5700 FAX
chris.bipes@xxxxxxxxxxxxxxx
www.cross-check.com
Notice of Confidentiality: This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information.  If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited.  If you have received this e-mail in error, please immediately notify me by e-mail (by replying to this message) or telephone (noted above) and permanently delete the original and any copy of any e-mail and any printout thereof.  Thank you for your cooperation with respect to this matter.


-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Kevin Adler
Sent: Monday, February 4, 2019 8:36 AM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Subject: RE: Calling a program on the i via OpenSSH

There's a lot of good info in there Chris, but a couple things I'd like to
mention:
 
- NOBODY should be using DSA keys in this day and age. IMHO, ed25519 keys
are the way to go, but you do need to have a (relatively) recent version
of OpenSSH to use (6.5 from 2014). RSA 2048 (or 4096) keys are the most
commonly used and supported though and are still a good choice.
 
- Your whole "Server side configuration" section can be replaced with a
single call to ssh-copy-id. If ssh-copy-id is not available, it can still
be simplified to:
 
ssh myuser@myserver "cat >> .ssh/authorized_keys" < .ssh/id_rsa.pub
 
The above command assumes you have a .ssh directory set up on the server
already and generated an RSA keypair with ssh-keygen.
 
 
 
Of course, this assumes a Unix-like command line, but the poster was
asking for help with Windows. On Windows there are a few ways to use SSH.
If using Cygwin or WSL (Bash for Windows), then the steps are all the
same, since those environments mimic a Unix command line. If using Putty,
things are different - definitely read the manual:
[1]https://the.earth.li/~sgtatham/putty/0.70/htmldoc/Chapter8.html#pubkey
 
 
Another issue you may run in to is permissions. OpenSSH requires that your
home directory, .ssh directory, and authorized_keys have correct
permissions to prevent others from adding their own public keys to your
authorized_keys file and then being able to log in as you. See this
article for more information:
[2]https://club.alanseiden.com/learninghall/article/locking-down-ssh-on-the-ibm-i-with-public-keys/
 

----- Original message -----
From: Christopher Bipes <chris.bipes@xxxxxxxxxxxxxxx>
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxxxxxxxx>
To: Midrange Systems Technical Discussion
<midrange-l@xxxxxxxxxxxxxxxxxx>
Cc:
Subject: RE: Calling a program on the i via OpenSSH
Date: Mon, Feb 4, 2019 10:14 AM
 
Client Steps
You can use the standard user ID and password authentication where you
are prompted for a password.  However if you want to automate your SSH
session and not hardcode a password, you can opt to use RSA or DSA
authentication.  To configure RSA/DSA you need to generate a key pair to
identify yourself.  It is best to generate the key pair at the client
opposed to having the server generate one for you.  This will enable you
to use your key pair at multiple hosts.
Generate client key pair
This is done from a UNIX, Linux, or PASE command line.  The command line
is ssh-keygen.  See the following example to create a RSA key pair.
> ssh-keygen  -t rsa
  Generating public/private rsa key pair.
  Enter file in which to save the key (/home/chrisb/.ssh/id_rsa):
> (hit enter to use the default file name)
 Enter passphrase (empty for no passphrase): (enter a passphrase)
Enter same passphrase again: (enter it again)
Your identification has been saved in /home/chrisb/.ssh/id_rsa.
Your public key has been saved in /home/chrisb/.ssh/id_rsa.pub.
The key fingerprint is:
Whole bunch of hex: chrisb@xxxxxxxxxxxxxxx
Now you need to take the id_rsa.pub file and send it to any servers you
wish to connect to.
 
Server side Configuration
This is the part that is usually out of our control.  On the server that
we wish to connect to they must put our public key on their server.
 When we logon we are assigned a root directory.  Within this root
directory they need to create a directory called .ssh   It must have the
leading period in the name.  Within that directory they must create a
file called authorized_keys.  Here is where they will add our public key
file that we sent to them.
Now if you can log on with a user id and password and have access to
create a directory in your initial logon directory, you can do this
yourself.  An easy command line way to copy the file over is SCP
command:
> scp ~/.ssh/id_rsa.pub userid@xxxxxxxxxxx
This will put the public key generated with the ssh_keygen command on to
the remote host.  You should be prompted for a password.  It the server
was setup correctly you will have a file called authorized_keys located
in a directory call .ssh
To copy your public key into this file you can run the following
commands:
> ssh userid@xxxxxxxxxxx  
You will be prompted to enter your password.
> cat id_rsa.pub >> ~/.ssh/authorized_keys
This command appends the is_rsa.pub to the end of the authorized_keys
file located in your root /.ssh folder.
> exit
At this time you should be able to connect to the remote host via ssh
without being prompt for a password.

--
Chris Bipes
Director of Information Services
CrossCheck, Inc.
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of
smith5646midrange@xxxxxxxxx
Sent: Monday, February 4, 2019 8:02 AM
To: 'Midrange Systems Technical Discussion'
<midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: RE: Calling a program on the i via OpenSSH

Can someone post a link that shows how to set up OpenSSH public /
private
keys with the iSeries being the server and a Windows machine being the
client?  I don't understand how to configure keys (I'm definitely out of
my
league on this) and the only examples that I can find are iSeries to
iSeries
or the iSeries as a client and that's not helping me with the Windows
part.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: [3]https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at [4]https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: [5]https://amazon.midrange.com
 

 

References

Visible links
1. https://the.earth.li/~sgtatham/putty/0.70/htmldoc/Chapter8.html#pubkey
2. https://club.alanseiden.com/learninghall/article/locking-down-ssh-on-the-ibm-i-with-public-keys/
3. https://lists.midrange.com/mailman/listinfo/midrange-l
4. https://archive.midrange.com/midrange-l
5. https://amazon.midrange.com/

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.