Setup IBMi to allow other systems to access it's IFS folder using SFTP
We are going to setup our laptop as SFTP client (which will request for files) and IBMi as the SFTP host (which will contain the files). So in this case, our laptop will be the one that makes a request to download files.
In a nutshell, SFTP means the ability to do FTP without password based authentication. Without password means weak security? No, That's where the 'S' in the SFTP kicks in. Instead of password we will use the public/private keys. We will give the public key to the host (IBMi) and private key to the client (our laptop).
In order to setup IBMi as the SFTP host, where we need to,
- Login to your IBMi with a profile that has authority to create and manage user profiles. Preferably QSECOFR.
- Enter the command below to enter the PASE Environment
Call QP2TERM
- Start by creating the keypairs by entering the command
ssh-keygen -t RSA
You will be asked for multiple questions for generating the keypairs. It's good to know what does these options mean.
| Prompt | Response |
|---|---|
| Enter file in which to save the key (we will save the file in the default .ssh directory itself. So just hit enter |
hit enter |
| Enter passphrase (empty for no passphrase) (That's the power of SFTP, to use FTP without password :) So just hit enter) |
hit enter |
| Enter the same passphrase again (again, hit enter) |
hit enter |
- Use VS Code, ACS, or WinSCP to download the file
id_rsato the laptop and place it inC:\Users\<username>\.sshfolder. If there is no .ssh folder in your laptop, then please create one! - Since I already have lot of keys in my .ssh folder, I am going to rename the file as
goldenkey
We will be creating a separate IBMi user profile with limited security access for the SFTP file transfer purpose. Whoever making an SFTP connection to the IBMi using the new user profile will have the same level of security and file system access. So we need to decide what type of access are we going to provide to the SFTP client.
Full Access |
Restricted Access |
|---|---|
| The newly created user profile will just act like any other user profile in the IBMi. By default it will have access to all the files in the IFS root folder including critical config files. If you're okay with that security vulnerability, then follow the Full Access Method | The newly created user profile will have access only to a particular folder that we allow. This method is preferred if you're going to allow some 3rd party vendor to access your IBMi's files. If you're okay with the folder restriction, then follow the Restricted Access Method |
- Login to your IBMi with a profile that has authority to create and manage user profiles (preferably QSECOFR).
- Enter the below command to enter the PASE Environment
Call QP2TERM
- We will create separate user profile for this SFTP access. Note that the IBMi login for the user SFTPUSR1 is disabled.
system "CRTUSRPRF USRPRF(SFTPUSR1) INLMNU(*SIGNOFF)"
- Create a HOME directory on the IBM i to store the user's SSH-related files. We will be sharing this folder to the client.
mkdir /home/sftpusr1
- Create a .SSH directory within the user's home directory
mkdir /home/sftpusr1/.ssh
- Set permissions on the user's home directory.
chmod 755 /home/sftpusr1
- Set permissions on the user's .ssh directory.
chmod 700 /home/sftpusr1/.ssh
- Change ownership of the home directory to the SSH user.
chown sftpusr1 /home/sftpusr1
- Change ownership of the .SSH directory to the SSH user.
chown sftpusr1 /home/sftpusr1/.ssh
- Change the Home directory of the sftpusr1. Note that only this folder will be accessible by the client system (our laptop)
system "CHGUSRPRF USRPRF(sftpusr1) HOMEDIR('/home/sftpusr1')"
- Rename the public key
id_rsa.pubtoauthorized_keysand place it in the home directory of SFTP1 user.mv /home/$USER/.ssh/id_rsa.pub /home/sftpusr1/.ssh/authorized_keys
- Change ownership of the authorized_keys file to the SSH user.
chown sftpusr1 /home/sftpusr1/.ssh/authorized_keys
- Set permissions on the authorized_keys file.
chmod 600 /home/sftpusr1/.ssh/authorized_keys
- We will create a dummy file for testing the transfer
touch /home/sftpusr1/new.file
- Login to your IBMi with a profile that has authority to create and manage user profiles.
- Enter command
Call QP2TERMto enter the PASE Environment
- We will create separate user profile for this SFTP access. Note that the login for the user SFTPUSR1 is disabled.
system "CRTUSRPRF USRPRF(SFTPUSR1) INLMNU(*SIGNOFF)"
- We will create a separate Root folder for the user SFTPUSR1. IBMi provides with an installation script to create a separate root folder for the specified user. Now depending upon your IBMi version, the script will be present on different location. Run the below command.
If you're running V7R2 & above,
Note:
/QOpenSys/QIBM/ProdData/SC1/OpenSSH/sbin/chroot_setup_script.sh sftpusr1
If you're running on V6R1, the chroot_setup_script.sh will be present in,
/QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.8.1p1/If you're running V7R1, the choot_setup_script.sh will be present in,/QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-4.7p1
- Change the LOCALE parameter in the user profile to *NONE
system "CHGUSRPRF USRPRF(SFTPUSR1) LOCALE(*NONE)"
- SSH Daemon need to be started using a QSECOFR user profile
-
/QOpenSys/usr/sbin/sshdNote: The SSH daemon must be started with the QSECOFR user profile to activate the chroot function. Starting the SSH daemon with a profile that has QSECOFR authority will not activate the chroot function. A user profile with a UID of (0) is required to activate the chroot function. The QSECOFR user profile on the IBM i is shipped with a UID of (0).
-
- Check whether a HOME directory is present for the SFTPUSR1 on the chroot. We will be sharing this folder to the client. If not then, create one.
test -d /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/home/sftpusr1 && echo dir_exists.- If you get the response dir_exists, then go to the next step. Else run the below command.
mkdir /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/home/sftpusr1
- Create a .SSH directory within the user's home directory
mkdir /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/home/sftpusr1/.ssh
- Set permissions on the user's home directory.
chmod 755 /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/home/sftpusr1
- Set permissions on the user's .ssh directory.
chmod 700 /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/home/sftpusr1/.ssh
- Change ownership of the home directory to the SSH user.
chown sftpusr1 /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/home/sftpusr1
- Change ownership of the .SSH directory to the SSH user.
chown sftpusr1 /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/home/sftpusr1/.ssh
- Rename the public key
id_rsa.pubtoauthorized_keysand place it in the home directory of SFTP1 user.mv /home/$USER/.ssh/id_rsa.pub /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/home/sftpusr1/.ssh/authorized_keys
- Change ownership of the authorized_keys file to the SSH user.
chown SFTPUSR1 /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/home/sftpusr1/.ssh/authorized_keys
- Set permissions on the authorized_keys file.
chmod 600 /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/home/sftpusr1/.ssh/authorized_keys
- We will create a dummy file for testing the transfer
touch /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/home/sftpusr1/new.file
That's it! We've successfully setup the IBMi as SFTP host. Now the only thing left is to,
- Go to the client machine (laptop) and open the terminal.
- Enter the below command to initiate an SFTP.
sftp -i "C:\Users\RavisankarPandian\.ssh\goldenkey" sftpusr1@129.40.94.17- Make sure to replace the user name with your username
- Make sure to replace your IBMi's IP address
- We will change the current directory of my local machine to the Downloads folder
lcd Downloads
- Let's download the
new.filethat we just created on our IBMi to our laptopget new.file
- Let's try uploading a file called
nick.jpgfrom my Downloads folder to the IBMi just for fun.put nick.jgp
- Once transfer is done, let's close the connection.
bye