SSH Tunnels
SSH tunnels allow you to route various kinds of traffic (e.g. telnet, JDBC) through an encrypted connection to your remote IBM i. They are similar in purpose to a VPN connection yet fairly different in implementation. SSH tunnels do not require any additional software on the IBM i side.
This tutorial will guide you through creating an SSH tunnel for ACS (IBM i Access Client Solutions).
First, configure your Litmis Spaces firewall to allow traffic from any IP on port 22 (the SSH port), as shown below. You should have received a URL to the browser-based firewall when you first became a customer.
Start the *SSHD server from a 5250 command line using the following command.
STRTCPSVR *SSHD
Next, download the Bitvise client (free) and install it on your Windows desktop. Bitvise will be used to configure and route ACS traffic.
The video below shows how to configure Bitvise to route all traffic for 127.0.0.1 to the public IP address of your IBM i. Once Bitvise is configured, set up a new connection in ACS. Notice that the IP address used in ACS is 127.0.0.1. This tells ACS to route the telnet traffic (and other traffic, like Run SQL Scripts) to the local laptop, where Bitvise is waiting to receive it and forward it to the public IBM i IP address. When the SSH server on the IBM i receives the traffic it routes it to the correct port (e.g. port 23 for telnet).
If you have any questions feel free to email team@litmis.com.
Password-less Authentication (optional)
To add an extra layer of security you can turn off password authentication and instead rely entirely on SSH keys. This means only users who have copied their public SSH key to the IBM i can log in (a big security benefit). Doing this eliminates the ability for an attacker to brute-force access through repeated login attempts with guessed user names and passwords.
Edit the file /QOpenSys/QIBM/ProdData/SC1/OpenSSH/etc/sshd_config so that the following settings are present.
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
You'll need to restart SSH for the changes to take effect.
ENDTCPSVR *SSHD
STRTCPSVR *SSHD
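A shell check for the sshd_config settings above, added here as an example (it is not part of the tutorial, Bitvise or IBM documentation). It prints the value OpenSSH will actually apply for each of the three directives and flags any that are not set to no, handling the two things that most often make such an edit silently ineffective: commented-out default lines, and a duplicate directive earlier in the file, since OpenSSH uses the first occurrence of a keyword. It assumes a POSIX shell with awk and a configuration without Match blocks.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit an sshd_config for the three
# directives the tutorial sets. Two gotchas it handles: lines starting with '#'
# are comments, not settings, and OpenSSH applies the FIRST occurrence of a
# keyword, so a "PasswordAuthentication no" appended at the end loses to an
# earlier "PasswordAuthentication yes". Assumption: no Match blocks are used
# (reading stops at the first Match line).

# effective_value FILE KEYWORD: print the value OpenSSH would use, or nothing if unset.
effective_value() {
    awk -F '[ \t=]+' -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, ""); $0 = $0 }          # drop leading blanks, re-split fields
        /^#/ || /^$/ { next }                      # comment or blank line
        tolower($1) == "match" { exit }            # conditional block: stop here
        tolower($1) == key { print $2; exit }      # first occurrence wins
    ' "$1"
}

# check_sshd_config FILE: report each directive not set as the tutorial requires;
# returns 0 only when all three are hardened.
check_sshd_config() {
    rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no PermitEmptyPasswords=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "$key: effective value '${got:-(not set)}', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files for demonstration.
WEAK=$(mktemp); HARDENED=$(mktemp)
cat > "$WEAK" <<'EOF'
#PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
EOF
cat > "$HARDENED" <<'EOF'
PermitRootLogin no
PasswordAuthentication=no
PermitEmptyPasswords no
EOF
check_sshd_config "$WEAK" || echo "weak config: NOT hardened"
check_sshd_config "$HARDENED" && echo "hardened config: OK"
rm -f "$WEAK" "$HARDENED"
```

Run it against the real file after editing and again after the ENDTCPSVR/STRTCPSVR restart; a clean result plus a failed password login attempt from a client without a key confirms the change took effect.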
Next you need to create an SSH key on your laptop that can be copied to your ~/.ssh/authorized_keys file on the IBM i. Select the Client key manager on the Login tab.
Select Generate New and Generate, as shown below. It's your choice whether you specify a passphrase for this file.
Export the SSH key to a file named id_rsa.pub, as shown below.
Go back to the main Bitvise window, select the Login tab, and select the Initial method and the Client key that was created in the previous step.
The contents of id_rsa.pub will look like the below (significantly shortened for the sake of brevity).
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCoV2Qo6RIdIqp7ehNeBxxxxxx/pUIBbMLu/VnQkvm15ilAybpE= Generated by aaron@DESKTOP-J5NQFT6.
You'll need to paste (n1) the contents of id_rsa.pub into /home/<your_ibmi_profile>/.ssh/authorized_keys on the IBM i. Before doing that, make sure all of the directories exist and have the correct permissions. Run the following commands from a CALL QP2TERM session.
mkdir -p /home/<your_ibmi_profile>/.ssh
chmod 755 /home/<your_ibmi_profile>
chmod 700 /home/<your_ibmi_profile>/.ssh
chmod 600 /home/<your_ibmi_profile>/.ssh/authorized_keys
n1 - A simple way to do this is to compose the following echo statement in notepad.exe and then paste it into a CALL QP2TERM session. The reason for notepad.exe is that copying and pasting is much easier in that app than on a green screen, particularly where text wrapping is concerned.
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCoV2Qo6RIdIqp7ehNeBxxxxxx/pUIBbMLu/VnQkvm15ilAybpE= Generated by aaron@DESKTOP-J5NQFT6." > /home/<your_ibmi_profile>/.ssh/authorized_keys
At this point the server-side configuration is complete.