On IBM i, the SSH service plays an important role in modernisation: it is what newer development tools such as VS Code for i connect through, and it is the transport used when software is released through pipelines. SSH (or rather SFTP) also plays a key role in securing data exchange flows, gradually replacing the plain-text FTP transfers that have long been popular on IBM i.

At the moment the SSHD server does not offer any exit point that we could use to restrict or manage connections to it... This does not mean that the server cannot be secured! In this article we will show how to restrict access to specific users (or groups of users) and how to log the access attempts that are made.

What do we need to know? The SSHD server on IBM i behaves the same way it does on other platforms and accepts the same directives, so if you are familiar with any other UNIX-like platform you will have no problem here. For logging we will use syslogd, a very convenient and widely used utility on UNIX systems.

How to configure and activate syslogd?

This daemon is installed together with the 5733-SC1 product (IBM Portable Utilities for i), so there is nothing to install. Starting it is simple: submit a job that runs it, as in this command: SBMJOB CMD(STRQSH CMD('/QOpenSys/usr/sbin/syslogd')) JOB(SYSLOGD) JOBQ(QSYSNOMAX). Note that the /QOpenSys file system is case-sensitive, so type the path exactly as shown. (P.S. put this command into your QSTRUP program so that the daemon is started at every IPL.)

To check that everything is OK, use NETSTAT option 3 (Work with IPv4 connection status) and look for an entry with local port 514 and protocol UDP. Bear in mind that this is a network listener: a syslogd bound to UDP 514 may also accept unauthenticated messages sent by other hosts, so unless you intend to collect remote logs on this system, block the port with your firewall or IBM i packet rules.

Now that the daemon is active, you only need to change the SSHD configuration file so that all its log entries are sent to the syslog server:

  1. Edit the server configuration file /QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/sshd_config (sshd_config, not ssh_config, which configures the client)
    • uncomment # SyslogFacility AUTH
    • uncomment # LogLevel INFO
    (both values are the OpenSSH defaults; uncommenting them makes the choice explicit and visible to whoever reads the file after you)
  2. Create the syslog configuration file /QOpenSys/etc/syslog.conf, with a tab between the selector and the file name on each line
    • add this line: *.info	/var/log/messages
    • add this line: auth.info	/var/log/auth
  3. Create the necessary folders and files
    • mkdir /var/log
    • touch /var/log/messages
    • touch /var/log/auth
    (the auth file records user names and source addresses of every attempt, so restrict its permissions so that only administrators, and the profile the SYSLOGD job runs under, can read it)
  4. Restart the sshd server (ENDTCPSVR SERVER(*SSHD) followed by STRTCPSVR SERVER(*SSHD)). syslogd reads syslog.conf only when it starts, so if you created the file after submitting the daemon, end and resubmit the SYSLOGD job as well. Then make a test connection and check that entries appear in /var/log/messages and /var/log/auth.
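The four steps above as one repeatable script for the PASE shell, added here as an example (it is not code from the original post). It assumes the file paths given in the steps; the ROOT prefix, which lets you rehearse against a scratch directory before touching the live files, and the function names set_directive, get_directive and configure_sshd_logging are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): the logging steps above as a
# script for the PASE shell on IBM i. Run as "sh setup_sshd_logging.sh apply";
# set ROOT to a scratch directory first to rehearse it. Empty ROOT = live files.

# set_directive FILE KEY VALUE
# sshd honours the FIRST occurrence of a directive, so any existing line for KEY
# (active or commented out, e.g. "#SyslogFacility AUTH") is removed and the new
# line is placed at the top, where it is also safe from any trailing Match block.
set_directive() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || { echo "set_directive: $file not found" >&2; return 1; }
    {
        printf '%s %s\n' "$key" "$value"
        grep -v -E "^[#[:space:]]*$key([[:space:]]|$)" "$file" || :
    } > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_directive FILE KEY  -> prints the value sshd will use (first active match)
get_directive() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# configure_sshd_logging [ROOT]  (ROOT is a rehearsal prefix, assumed by this example)
configure_sshd_logging() {
    root=${1:-}
    sshd_config="$root/QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/sshd_config"
    syslog_conf="$root/QOpenSys/etc/syslog.conf"
    logdir="$root/var/log"

    # Step 1: the server file sshd_config (not the client file ssh_config)
    set_directive "$sshd_config" SyslogFacility AUTH || return 1
    set_directive "$sshd_config" LogLevel INFO || return 1

    # Step 2: syslog.conf. Selector and action are separated by a TAB, which is
    # what the classic BSD/AIX syslogd syntax expects.
    mkdir -p "$(dirname "$syslog_conf")" "$logdir"
    printf '*.info\t%s\nauth.info\t%s\n' "$logdir/messages" "$logdir/auth" > "$syslog_conf"

    # Step 3: log files. auth lists user names and source addresses, so leave
    # it readable by owner and group only; the owner must be the profile the
    # SYSLOGD job runs under, otherwise the daemon cannot write to it.
    touch "$logdir/messages" "$logdir/auth"
    chmod 640 "$logdir/auth"

    echo "SyslogFacility=$(get_directive "$sshd_config" SyslogFacility) LogLevel=$(get_directive "$sshd_config" LogLevel)"
}

# Step 4 is done from a 5250 session: ENDTCPSVR SERVER(*SSHD), STRTCPSVR SERVER(*SSHD),
# then end and resubmit the SYSLOGD job so that it reads the new syslog.conf.
if [ "${1:-}" = "apply" ]; then
    configure_sshd_logging "${ROOT:-}"
fi
```

Rehearse with `ROOT=/tmp/rehearsal sh setup_sshd_logging.sh apply` after copying your real sshd_config into the matching path under the prefix, and diff the result before running it for real; the same set_directive function can later be used for any other sshd_config change.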

How to restrict access to ssh?

User restrictions in sshd can be expressed in either direction: a deny-list of users who are not authorised to connect (everyone else is), or an allow-list of users who are authorised (everyone else is not). The allow-list is the safer default, because a profile you forgot about is refused rather than admitted.
In my case the choice falls on the second option, granting access to this service to a restricted set of groups.

  1. Edit the server configuration file /QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/sshd_config (again sshd_config, not the client file ssh_config)
    • To authorise specific groups add the following line: AllowGroups group1 group2
    • To authorise specific users add the following line: AllowUsers user1 user2
    • To deny access to specific users add the following line: DenyUsers user1 user2
    (a DenyGroups directive exists as well; sshd evaluates the four in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and once an AllowUsers or AllowGroups line is present, anyone not matched by it is refused)
  2. Before restarting, check the file with sshd -t -f <path to sshd_config> (the sshd binary is under the 5733-SC1 ProdData tree, typically /QOpenSys/QIBM/ProdData/SC1/OpenSSH/sbin/sshd): a syntax error stops sshd from starting at all, and a typo in a group name locks everyone out, so keep a 5250 session open while you restart.
  3. Names are matched as sshd sees them, so test with a profile that should be refused and confirm that a "User ... not allowed because ..." line appears in /var/log/auth; that line also tells you which directive did the refusing.
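To see what these restrictions, and the logging set up earlier, actually produce, here is an added example (not code from the original post) that summarises the auth log from the PASE shell with nothing but awk and sort. It groups refusals by the directive that caused them, counts failed and accepted logins per user and source, and flags sources with many failures. The sample lines are constructed for this example, modelled on the message texts sshd emits; auth_report and sample_auth_log are names chosen here, and the threshold of 3 failures is arbitrary.

```shell
#!/bin/sh
# Added example (not from the original post): report over /var/log/auth.
# Usage:  sh auth_report.sh /var/log/auth [THRESHOLD]
# With no arguments it runs against the constructed sample below.

# auth_report FILE [THRESHOLD]
# Message texts are the ones OpenSSH's sshd writes: "User X from H not allowed
# because ... <Directive>", "Accepted <method> for X from H ...",
# "Failed <method> for [invalid user ]X from H ...". THRESHOLD (default 3) is
# the number of failures from one source address that gets it flagged NOISY.
auth_report() {
    awk '
    { sub(/^.*sshd\[[0-9]+\]: /, "") }      # drop "Mon DD hh:mm:ss host sshd[pid]: "
    /^User .* not allowed because/ {        # $NF is AllowUsers, DenyUsers, AllowGroups or DenyGroups
        refused[$2 " " $4 " " $NF]++; next
    }
    /^Accepted / { accepted[$4 " " $6]++; next }
    /^Failed / {                            # "... for invalid user NAME from SRC" shifts the fields by two
        if ($4 == "invalid") { u = $6; s = $8 } else { u = $4; s = $6 }
        failed[u " " s]++; persrc[s]++; next
    }
    END {
        for (k in refused)  { split(k, a, " "); printf "REFUSED  user=%s src=%s rule=%s count=%d\n", a[1], a[2], a[3], refused[k] }
        for (k in failed)   { split(k, a, " "); printf "FAILED   user=%s src=%s count=%d\n", a[1], a[2], failed[k] }
        for (k in accepted) { split(k, a, " "); printf "ACCEPTED user=%s src=%s count=%d\n", a[1], a[2], accepted[k] }
        for (s in persrc) if (persrc[s] >= thr) printf "NOISY    src=%s failures=%d\n", s, persrc[s]
    }' thr="${2:-3}" "${1:?usage: auth_report FILE [THRESHOLD]}" | sort
}

# Constructed sample in the layout syslogd writes; not a real capture.
sample_auth_log() {
    cat <<'EOF'
Jan 12 10:15:01 myibmi sshd[12345]: Accepted publickey for carol from 192.0.2.12 port 51234 ssh2: RSA SHA256:<fingerprint>
Jan 12 10:15:07 myibmi sshd[12346]: User alice from 192.0.2.10 not allowed because none of user's groups are listed in AllowGroups
Jan 12 10:15:07 myibmi sshd[12346]: Failed publickey for invalid user alice from 192.0.2.10 port 51240 ssh2
Jan 12 10:16:00 myibmi sshd[12350]: User bob from 192.0.2.11 not allowed because listed in DenyUsers
Jan 12 10:20:01 myibmi sshd[12360]: Invalid user admin from 198.51.100.7 port 40022
Jan 12 10:20:01 myibmi sshd[12360]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Jan 12 10:20:03 myibmi sshd[12361]: Failed password for invalid user root from 198.51.100.7 port 40023 ssh2
Jan 12 10:20:05 myibmi sshd[12362]: Failed password for invalid user qsecofr from 198.51.100.7 port 40024 ssh2
Jan 12 10:21:00 myibmi sshd[12370]: Failed password for carol from 192.0.2.12 port 51300 ssh2
EOF
}

if [ $# -gt 0 ]; then
    auth_report "$1" "${2:-3}"
else
    tmp=$(mktemp) && sample_auth_log > "$tmp" && auth_report "$tmp" 3
    rm -f "$tmp"
fi
```

In the sample, alice is refused by AllowGroups and bob by DenyUsers, which is exactly the evidence you want after changing the directives, while 198.51.100.7 shows the pattern of a password-guessing source (invalid users, three failures in a few seconds) that the NOISY line is meant to surface.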

And you, what kind of approach do you use to secure ssh?

Andrea

This article also applies to AIX or Linux; in that case only the path of the configuration files changes, i.e. /etc/ssh/sshd_config, and on most Linux systems the syslog side is already in place, so only the sshd part is needed.