IBM Support

Remote Command Execution from IBM i to Microsoft Windows Open SSHD

How To


Summary

This document describes an alternative to RUNRMTCMD: OpenSSH on IBM i and OpenSSHD on Windows.

This information is provided as is, there is no implied support. SSH is an open standard.

Steps

Note:  When I created this document, I used our internal system and my user. Make sure you replace my user profile with your own and your system name.

Windows SSHD Setup

This section covers enabling the SSHD (Secure Shell Daemon) on Windows 10 and later.

Note the Microsoft supplied SSHD does not work when you have biometrics or a PIN as the authentication method associated with your profile. Perhaps in the future they might add that support. If your Windows account uses a PIN or biometrics, you must create a local Windows account and password for this setup to work. I recommend adding that account to the administrators group; however, that is not a requirement.  

In this walk through, I am using my account that is part of the Administrators group. I'm also in a Windows domain environment. The domain environment doesn't seem to impact this setup.

All the steps to complete the tasks are run from an Elevated Windows PowerShell. 

In my environment, the latest Windows updates are installed. This maintenance is important as you might encounter problems when your PC or server is not up to date.

Step 1.

Check to see what is installed relating to SSH on your PC or server:

Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'

If either the client or server is not installed run one or both of these commands to install the missing component:

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

Run the command Get-WindowsCapability -Online | ? Name -like 'OpenSSH*' again to check the status to ensure they both show as installed.

You see output like this confirming the features are installed:

image-20220312133638-1

Step 2.

Set the Windows firewall to allow incoming SSH connections:

New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound -Action Allow -DisplayName SSH

Step 3.

Start the SSHD service:

Start-Service sshd

Step 4.

Make the SSHD service start when Windows is rebooted:

Set-Service -Name sshd -StartupType 'Automatic'

Step 5.

Test the connection by using the loopback interface of the PC or server:

ssh jmckee@loopback

The first screen you see is a question asking whether you want to accept the key fingerprint. Type yes and press enter.

image-20220312134708-2

After the fingerprint is accepted, you are prompted for your password.

Finally, you are at a prompt connected over loopback to your PC or server.

This connection is only useful for testing, type exit to disconnect the SSH session.

The basic SSHD setup on Windows is complete.

IBM i SSH client setup

Follow up to step 6 in the following document:

https://www.ibm.com/support/pages/configuring-ibm-i-sshd-server-use-public-key-authentication

If at any time you get stuck on the steps in the document, open a support case with the IBM iGSC Communications mission team.

IBM i key Generation

All these steps are done as the user that is going to initiate the SSH connection to Windows.

Step 1.

Start a PASE session with the command: call qp2term

Step 2.

Change directory to the .ssh folder in the users home path:

cd /home/jmckee/.ssh

Step 3.

Generate the public and private key pair by running the following command:

ssh-keygen

The command prompts for a name.  Press enter to accept the default names, id_rsa, and id_rsa.pub.

It also asks for a passphrase. Press enter, do not enter a passphrase.

In this example, I took all the defaults.

If you want to specify different key lengths or types, you can do so.  You might want to open a case with our IBM iGSC Communications mission team for help.

I have a id_rsa private key and a id_rsa.pub key after I took the defaults.

Windows side key based authentication setup

Don't forget to run all the following from an elevated PowerShell command prompt.

Regarding locations:

If your Windows profile is a member of Administrators, the path for authorized keys is: C:\ProgramData\ssh

If your Windows profile is not a member of Administrators, the path is C:\Users\<profile>\.ssh

The public key is stored in a file that doesn't exist yet.  We will address this issue in the next steps.

In my re-create, my Windows profile is a member of the Administrators group.

Step 1.

Download the public key from the IBM i to the Windows PC.

First, decide where you going to store it and change directory to that location.  I'm using C:\ProgramData\ssh so that's where I'm changing my directory to before I download the key.

cd C:\ProgramData\ssh

It really doesn't matter where you store the key, where you copy it to matters in the next steps.

To get the key I'm using scp (secure copy); it is better than FTP since it's encrypted.

scp jmckee@rch740:/home/jmckee/.ssh/id_rsa.pub C:/ProgramData/ssh

You are prompted for your IBM i profile password.

SCP completes and you have the file.

Step 2.

Copy the downloaded public key into the appropriate authorized keys file.

A user who is a member of the Administrators group copies the public key to C:\ProgramData\ssh\administrators_authorized_keys

A user who is not a member of the Administrators group uses one of two files, pick one: 

C:\Users\<profile>\.ssh\authorized_keys or C:\Users\<profile>\.ssh\authorized_keys2

The command I use with my profile being a member of the Administrators group is:

copy c:\ProgramData\ssh\id_rsa.pub c:\ProgramData\ssh\administrators_authorized_keys

Step 2.

Set the ACL (Access Control List) for the authorized keys file.

The next commands are necessary to enable the use of the file administrators_authorized_keys.

Sets variable $acl to name of file:
$acl = Get-Acl C:\ProgramData\ssh\administrators_authorized_keys
Protects file from inheritance and removes inherited rules:
$acl.SetAccessRuleProtection($true, $false)
Creates variable that sets Administrators full control and allowed access:
$administratorsRule = New-Object system.security.accesscontrol.filesystemaccessrule("Administrators","FullControl","Allow")
Creates variable that sets System full control and allowed access:
$systemRule = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","Allow")
Sets the administrators rule to file:
$acl.SetAccessRule($administratorsRule)
Sets the System rule to file:
$acl.SetAccessRule($systemRule)
Finalizes settings, essentially a save of settings:
$acl | Set-Acl

If your using a profile not a member of administrators group, run the following against the authorized keys file:

Repair-AuthorizedKeyPermission -FilePath C:\Users\<profile>\.ssh\authorized_keys or Repair-AuthorizedKeyPermission -FilePath C:\Users\<profile>\.ssh\authorized_keys2

Step 3.

Test your setup.

On the IBM i login as your ssh user.

Go into PASE by using the command call qp2term.

ssh -T <user>@<WindowsServer>

Example:

ssh -T jmckee@9.5.65.69

If it works, you were not prompted for a password and were presented with the ssh prompt.

Note: You have to answer yes to accept the key fingerprint on the first connection.

Windows side debug

To debug issues with connecting and authentication to the Windows SSHD server, you must modify the file c:\proramData\ssh\sshd_config

The sshd_config file is protected and can't be opened from notepad.exe or other editors unless those editors are run elevated.  The easiest way to edit the sshd_config file is to first run notepad.exe elevated.  Browse to the path c:\ProgramData\ssh Then set the filter from 'text files' to 'all files'.

Find the #LogLevel INFO and uncomment that statement by removing the #.  Then, change the INFO to DEBUG3.

The line looks like this: LogLevel DEBUG3

Save the changes and exit.

Restart sshd from an elevated Windows PowerShell:
Stop-Service sshd
Start-Service sshd
 
All the logging is in the Windows Event Logs.
To open the Windows Event Viewer, use Windows search and search for "Windows Event Viewer" or run the following command:
eventvwr.msc /s

In the Windows event viewer, browse to "Applications and Service Logs" and expand it.
At first it appears to be empty under the "Applications and Service Logs", give it some time and it populates.
Browse to OpenSSH => Operational. 
You see all the connections or errors in this logging interface.

Automation Example

I created a directory on my PC to store the dtfx file, bat file, and Excel spreadsheet.

The directory is c:\DT_Request
Windows run sshd as a service, which normally prevents it from accessing many parts of the Windows file system. Avoid use of the desktop or c:\ drive to store things, Windows usually blocks those locations from a remote request.
I saved my data transfer to a file called auto_transfer.dtfx
The transfer was modified to run automatically and to not show a completion message.
In this test case, it downloads the qiws/qcustcdt contents to a file named qiws.xlsx.
I made sure it ran and cleaned up the resulting Excel file.

I created a bat file in the same location as the dtfx.
The contents look like this:

@echo off
C:\Users\Public\IBM\ClientSolutions\Start_Programs\Windows_x86-64\acslaunch_win-64.exe /plugin=logon /system=rch740 /userid=jmckee /password=mypassword
echo authenticating...
echo Transferring...
C:\Users\Public\IBM\ClientSolutions\Start_Programs\Windows_x86-64\acslaunch_win-64.exe /plugin=download /userid=jmckee c:\DT_Request\auto_transfer.dtfx

The first line authenticates with the IBM i to prevent password prompting for the data transfer request.
Having your password stored in a text file is not ideal. There are third-party products to convert a bat file to an EXE to help hide details like that. You could also set authorities in a multiuser environment so nobody except the owner can view that file. These details are beyond the scope of this document.
The next step is to create a shell script on the IBM i and call it from a CL program.

My Shell script looks like this:
 ************Beginning of data**************              
#! /QOpenSys/usr/bin/bsh                                                                                ssh -T jmckee@9.5.67.69 "C:\DT_Request\auto_transfer.bat"

 ************End of Data********************
The fist line says to use Bash for the shell. I am able to use Bash because I deployed Open Source software by using IBM i Access Client Solutions. Your code can use the default sh shell. I also used the VI editor provided by IBM i Access Client Solutions Open Source to create and edit the script through an SSH terminal connection to the IBM i.

Once that was done, I called the shell script to make sure it worked from PASE. Then, I cleaned up the excel file on the target PC.
I then created a simple CL program to call the shell script that looks like this:
        *************** Beginning of data *************************************
0001.00              QSH        CMD('/home/jmckee/dt.sh>/dev/null 2>/dev/null')
0002.00
        ****************** End of data ****************************************
Now that I have a CL program, I can call that in batch by using the profile that I set up SSH with.
The >/dev/null 2>/dev/null prevents the terminal windows from opening and keeps the program quiet.

Additional Information

This is a companion video that goes along with this document.

Document Location

Worldwide

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CTVAA2","label":"IBM i Access"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)","Line of Business":{"code":"LOB57","label":"Power"}}]

Document Information

Modified date:
23 March 2022

UID

ibm10888107

Page Feedback