On IBM i systems, the SSH service plays an important role in modernisation: it can be used, for instance, to take advantage of new software development tools such as VS Code for i, or in an innovative software release context based on pipelines. SSH (or rather SFTP) also plays a key role in securing data exchange flows by gradually replacing the plain-text transfers that traditionally used the FTP protocol, which is popular in the IBM i context.
At the moment the SSHD server doesn’t have any kind of exit point that we can use to restrict or manage connections to this server… This doesn’t mean that it is not possible to make this server secure! In this article we will show how to restrict access to specific users (or groups of users) and how to log the access attempts that are made.
What do we need to know? Well, the SSHD server behaves the same way it does on other platforms and therefore accepts the same directives, so if you are familiar with some other UNIX-like platform you won’t have any problem. As far as logging is concerned, we will again use a very convenient and widely used utility on UNIX systems, namely syslogd.
How to configure and activate SysLogD?
This service is automatically installed with the 5733SC1 operating system product. Activating the daemon is quite simple: you only need to submit a job that starts it, with this command: SBMJOB CMD(STRQSH CMD('/QOPENSYS/USR/SBIN/SYSLOGD')) JOB(SYSLOGD) JOBQ(QSYSNOMAX) (P.S. you need to put this command into your QSTRUP program so that it runs at every IPL)
To check that everything is OK, look at NETSTAT option 3, where you should find UDP port 514 in listening status.
So, now that the daemon is active, you only need to change your SSHD configuration file so that all entries are sent to the syslog server:
Restart the sshd server and check the /var/log/messages or /var/log/auth files.
How to restrict access to ssh?
The logic behind configuring user restrictions in ssh can work in either direction: you can define a list of users who are not authorised to connect, so that all the others are, or you can define the list of users who are authorised, so that all the others are not. In my case, the choice falls on the second possibility, authorising access to this service only to restricted groups of users.
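As an added example (not part of the original article), the following Python script covers both the logging step and the restriction just described. It assumes a constructed sshd_config that uses the SyslogFacility and LogLevel directives for logging and AllowGroups/DenyUsers for the allow-list approach, evaluates whether a given user and group set would be admitted in the order sshd applies its allow/deny directives, and tallies accepted and failed logins from constructed /var/log/auth lines.

```python
import fnmatch
import re
# Constructed sample sshd_config (not the article's file): log to the AUTH
# syslog facility and only admit members of the SSHUSERS group.
SSHD_CONFIG = """\
SyslogFacility AUTH
LogLevel INFO
AllowGroups sshusers
DenyUsers qsecofr
"""
# Constructed syslog lines in the shape sshd writes to /var/log/auth.
SAMPLE_LOG = [
    "Mar  3 10:01:02 ibmi sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Mar  3 10:02:10 ibmi sshd[1240]: Failed password for invalid user bob from 10.0.0.9 port 40001 ssh2",
    "Mar  3 10:02:15 ibmi sshd[1240]: Failed password for invalid user bob from 10.0.0.9 port 40001 ssh2",
]

def parse_sshd_config(text):
    """Map each directive (lower-cased) to its values, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf.setdefault(key.lower(), []).extend(value.split())
    return conf

def is_allowed(conf, user, groups):
    """Apply sshd's order: DenyUsers, AllowUsers, DenyGroups, AllowGroups."""
    # Patterns use * and ?; user@host forms are not handled in this check.
    def match(patterns, names):
        return any(fnmatch.fnmatchcase(n, p) for p in patterns for n in names)
    if match(conf.get("denyusers", []), [user]):
        return False
    if "allowusers" in conf and not match(conf["allowusers"], [user]):
        return False
    if match(conf.get("denygroups", []), groups):
        return False
    if "allowgroups" in conf and not match(conf["allowgroups"], groups):
        return False
    return True
LOG_RE = re.compile(r"(Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+)")

def summarise_auth_log(lines):
    """Count accepted and failed logins per (user, source address)."""
    summary = {}
    for line in lines:
        if m := LOG_RE.search(line):
            outcome, user, addr = m.groups()
            summary.setdefault((user, addr), {"accepted": 0, "failed": 0})[outcome.lower()] += 1
    return summary
```

Repeated failures for the same (user, address) pair in the summary are the entries worth alerting on once the syslog forwarding is in place.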
Last week, I had the opportunity to deploy a new partition with Ubuntu on Power installed. This was not the first time I had ventured into such a situation; I had previously deployed some Linux machines, but they were not production machines. This time, however, is different: a real production partition, internal to my team but still production.
I think some of you are wondering why Ubuntu. Well, actually the choice was quite simple, as I already use it regularly on a different architecture; in fact I have the possibility to use it in the x86 world for some tools and services. So, building on these skills, I decided to venture out with the installation of a new instance on my favourite architecture, the Power world.
My setup…
My setup involves installing an Ubuntu 24.04 partition on an S1022 server. The disks were presented via fibre channel using one V7300 Storwize.
What I like…
The installation process is the classic one for all versions of Ubuntu and starts automatically once the image is loaded on the VIOS and the optical device is selected as the boot device for the system. The OS natively supports the network cards that are presented to it, but most importantly it has native support for multipath; no configuration on my part was necessary to define it. This, I must say, is a nice plus.
The only thing that needs to be taken into consideration is the need to update the /etc/fstab file when disks are changed, for example in storage migration cases or after cloning such a disk.
Another very interesting point from my point of view is related to performance: the system turns out to be very performant, taking advantage of all 8 threads made available by the processor.
What I’m still not sure about…
Here, my experience can be considered satisfactory. I am aware that Ubuntu is a free operating system, which can be installed on our Power servers without any problems but which clearly does not allow us to open a support call with the various vendors. One point on which I am noticing improvements is undoubtedly related to the packages available in the various APT repositories. What I am noticing is a continuous improvement in the number of packages made available, which means that there is a growing interest from developers in the platform, which for me is only a positive aspect. As I said, the number is continuously growing; however, it is perhaps still too low compared to the “little brother” x86 version. Unfortunately, there are still too many missing packages that are useful at best and, at worst, actually required to run certain software. Once this point is fixed, adoption can certainly improve.
Another point, perhaps the most serious from my point of view, is related to the lack of support for the RMC connection. The RMC connection is the connection established between the HMC console and the single partition; it is a prerequisite for modifying the resources of the partition (such as CPU and RAM) and for adding new adapters to the partition, and it is essential for the Live Partition Mobility mechanism. Without this type of connection it is not possible to perform these activities with the machine turned on, and this is a problem, because in a scenario in which you want the systems to be always available, having to turn off the system to add RAM is very limiting. I found some packages from IBM, but they are very (maybe too) old, so they are not compatible with new versions due to missing dependencies.
And you, what do you think about adopting Power systems with Linux OS for production workloads?
Of course, stability and resilience, that is, the ability to always rely on the availability of the system, its application services and, especially, its data.
Another focus is the simplicity of the tool and the management of the user experience. It would also be ideal to have rich documentation that can help the end user, but especially the platform manager.
One point that is often overlooked, however, is the user community and the possibility of contributing to the evolution of the platform. Here, in the context of IBM Power systems, there is ample room for the community and its members: just think of you reading this post, and of all the various more or less organised groups of people who share their information, their knowledge and sometimes their questions. Over the years, I have had the pleasure and opportunity to attend some events such as Common Europe or the Tech Exchange, and I was able to see how willing specialists in the field were to engage in discussion, offering different points of view to the various speakers.
However, the very interesting thing that I would like to focus on is the possibility of making suggestions or requests. Yes, because first of all a platform belongs to those who use it, those who fight with it and bang their heads on it every day. IBM in this case provides the Ideas portal, the place where any developer, systems engineer or end user can propose new features, changes to tools or system behaviours, etc. to IBM developers.
Giving feedback on the portal is very easy: just log in with an IBM id (everyone can create their own for free) and select the technology for which you are opening an implementation request. Among the most popular are requests related to IBM i systems, AIX and PowerVM. At this point you will need to enter a title for the idea, and the tool will check that there is not already an idea with content similar to that suggested by the title. Finally, once you have verified that it is okay, you will need to detail the request as much as possible; the more information the better. And that’s it!
The Ideas Portal also allows users to compare and evaluate the ideas of other users. In fact, from there it is possible to check the other proposed ideas and give your support by voting for them.
So, at this point, please take a look at the Ideas Portal and let me know what you think about it.