SSH Tunnels

SSH tunnels allow you to route various kinds of traffic (i.e. telnet, JDBC) through an encrypted connection to your remote IBM i. It is similar in purpose to a VPN connection yet fairly different in implementation. SSH tunnels do not require any additional software on the IBM i side.

This tutorial will guide you through creating an SSH tunnel for ACS (IBM i Access Client Solutions).

First, configure your Litmis Spaces firewall to allow traffic from any IP on port 22 (the SSH port), as shown below. You should have received a URL to the browser-based firewall when you first became a customer.

SSH Firewall Configuration

Start the *SSHD server from a 5250 command line using the following command.


Next, download the Bitvise client (free) and install it on your Windows desktop. Bitvise will be used to configure and route ACS traffic.

The below video shows how to configure Bitvise to route all traffic for to the public IP address of your IBM i. Once Bitvise is configured then you will setup a new connection in ACS. Notice how the IP address used in ACS is This is telling ACS to route the telnet (and other traffic like Run SQL Scripts) to the local laptop where Bitvise is waiting to receive the traffic and forward it to the public IBM i IP address. When the SSH server on IBM i receives the traffic it will route it to the correct port (i.e. port 23 for telnet).

If you have any questions feel free to email

Password-less Authentication (optional)

To add an extra layer of security you can turn off password authentication and instead rely entirely on SSH keys. This means only those that have copied their public SSH key to the IBM i can log in (big security benefit). By doing this you eliminate the ability for a hacker to do a brute force attack through repeated login attempts with user and password.

Edit file /QOpenSys/QIBM/ProdData/SC1/OpenSSH/etc/sshd_config to have the following configurations set.

PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no

You'll need to restart SSH for the changes to take effect.


Next you need to create an SSH key on your laptop that can be copied to your ~/.ssh/authorized_keys file on the IBM i. Select the Client key manager on the Login tab.

Select Generate New and Generate, as shown below. It's your choice whether you specify a passphrase for this file.

Export the SSH key to a file named, as shown below.

Go back to the main Bitvise window, select the Login tab, and select the Initial method and the Client key that was created in the previous step.

The contents of will look like the below (significantly shortened for the sake of brevity).

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCoV2Qo6RIdIqp7ehNeBxxxxxx/pUIBbMLu/VnQkvm15ilAybpE= Generated by aaron@DESKTOP-J5NQFT6.

You'll need to paste(n1) the contents of into /home/<your_ibmi_profile>/.ssh/authorized_keys on the IBM i. Before doing that make sure all of the directories exist and have correct permissions. Run the following commands from a CALL QP2TERM session.

mkdir -p /home/<your_ibmi_profile>/.ssh
chmod 755 /home/<your_ibmi_profile>
chmod 700 /home/<your_ibmi_profile>/.ssh
chmod 600 /home/<your_ibmi_profile>/.ssh/authorized_keys

n1 - A simple way to do this is to compose the following echo statement in notepad.exe and then paste it into a CALL QP2TERM session. The reason for notepad.exe is it's much easier to copy and paste in that app vs. a green screen, as it concerns text wrapping.

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCoV2Qo6RIdIqp7ehNeBxxxxxx/pUIBbMLu/VnQkvm15ilAybpE= Generated by aaron@DESKTOP-J5NQFT6." > /home/<your_ibmi_profile>/.ssh/authorized_keys

At this point the server-side configuration is complete.

results matching ""

    No results matching ""