SSH Public Key Setup Using ACS
The world has a lot for us to disagree about, but if there’s one thing we can get the whole world to agree on, it’s that passwords are a major pain. Passwords are a necessary mechanism for securing many things, but wherever we can authenticate securely without one is where everyone would prefer to be.
IBM i has had the option of public key authentication for SSH users for a long time now. It allows you to establish SSH connections without having to provide a password. This is great for running automated jobs, and for developers who frequently need to access the system. There is a nice Redbook that details the steps for establishing this, and it is still a good read for establishing SSH connections from IBM i to another IBM i system, but a recent version of IBM i Access Client Solutions has made it significantly easier to establish public key authentication from your workstation to the IBM i server. I’m going to cover the steps you’ll need to accomplish this.
First off, go out and grab the latest version of IBM i Access Client Solutions (ACS), which is 18.104.22.168 at the time of this writing.
Make sure the SSH server daemon is started on your IBM i server. You can verify this by checking TCP/IP Servers in Navigator for i.
TCP/IP Server status in Navigator for i
If you do not have an SSH client installed on your computer, I highly recommend PuTTY, which is a free download as well.
Along with PuTTY comes the PuTTYgen program. This allows you to create a public/private key pair on your workstation. Launch the program and click Generate. Once the key pair is generated, save both the public and private keys. On Windows, navigate to C:\Users\<profile>\.ssh and save them there. Make sure you save the public key with a .pub extension.
Saving the private and public keys.
Launch PuTTY. Key in the host name or IP address of your IBM i server, click Save, and click Open. Key in that dreaded password to sign on to the system. If you sign on and you get the message – Could not chdir to home directory /home/<profile>: No such file or directory – you will need to create a home directory. Use mkdir /home/<profile> to create a home directory for yourself. The next step is very important. You must set the permissions on your home directory. Run the command chmod 755 /home/<profile> to set them.
Creating a home directory and setting its permissions.
Next, we need to tell the PuTTY application which private key we want to use. Start up the PuTTY program, and load the session that you just saved. Along the left side go to Connection > SSH > Auth. Click on the Browse button next to Private key file for authentication and select the private key you created. Go back to the Session category on the left and click Save so that it will remember the private key to use.
Setting the private key to use in PuTTY.
Fire up ACS and click on System Configurations. Either create a connection for the system you want to access, or choose the existing system. Click on the Edit button. Click on the SSH Key setup tab. Click on the Copy SSH key(s) to server button, choose the public key you generated, click Open, and click Yes to proceed. You will get a confirmation if the copy succeeded.
Selecting the public key to copy.
Okay! Now we’re ready to go back to PuTTY and test whether we can authenticate using the keys we generated. Choose the session you created for your IBM i server and click Open. If everything is configured correctly, you will only need to key in your user name; you will not be asked for your password.
Successful connection using the private/public key pair.
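If PuTTY still asks for a password after the key has been copied, a common cause is the permissions step above: with its default StrictModes setting, OpenSSH refuses a key when the home directory, .ssh, or authorized_keys is writable by group or others. The script below is an added example, not part of the original article or of ACS; it assumes the OpenSSH default key location ~/.ssh/authorized_keys, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: audit the paths sshd inspects before it accepts a public key.
# Assumes OpenSSH defaults (StrictModes on, keys in ~/.ssh/authorized_keys).
# Only the write bits are checked here; ownership is not.

# Returns 0 if the path is writable by group or others.
# Parses `ls -ld` output so it works without a stat(1) command.
loose_mode() {
    perms=$(ls -ld -- "$1" | cut -c1-10)
    [ "$(printf '%s' "$perms" | cut -c6)" = "w" ] ||
        [ "$(printf '%s' "$perms" | cut -c9)" = "w" ]
}

# Prints one line per path; returns the number of findings (0 = all good).
check_ssh_perms() {
    home=$1
    problems=0
    if [ ! -d "$home" ]; then
        echo "MISSING  $home (create it, then chmod 755)"
        return 1
    fi
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "ABSENT   $p (no key has been copied yet)"
            problems=$((problems + 1))
        elif loose_mode "$p"; then
            echo "LOOSE    $p (group/other writable; sshd refuses the key)"
            problems=$((problems + 1))
        else
            echo "OK       $p"
        fi
    done
    return "$problems"
}

# Usage on the IBM i side: sh check_ssh_perms.sh /home/<profile>
if [ "$#" -gt 0 ]; then
    check_ssh_perms "$1"
fi
```

A home directory left at 775 or 777 is reported as LOOSE; chmod 755, as in the step above, clears it.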
Once selected, right-click and choose General > SSH Terminal.