IBM eserver iseries ITSO Technical Forum 2005
1 Open Source Security with Portable Utilities for i5/OS
Thomas Barlen, Consulting IT Specialist, IBM Germany
IBM eServer iSeries ITSO Technical Forum 2005

2 Acknowledgements
This presentation was developed by Thomas Barlen, IBM Germany, for the ITSO Technical Forum. The support and help of IBM Rochester development, especially Walt Madden, is very much appreciated.

3 Agenda
- Introduction
- Open source software: OpenSSH, OpenSSL, zlib
- Portable Utilities for i5/OS
- Setting up and using Secure Shell

4 Introduction
5 Introduction
- Several technologies are available in the market to secure data traffic across a network
- Data protection is required to prevent sensitive data from being read by attackers
- By default, IP network services such as Telnet or FTP transmit user and password information in the clear
[Communications trace excerpt: Ethernet frame type 0800 (IP), protocol TCP, source port 53358, destination port 23 (Telnet), code bits ACK PSH, window 7496. The EBCDIC payload decodes to the strings BARLEN2 and BAN5NA, the user name and password typed at the Telnet sign-on, readable by anyone who captures the traffic.]

6 Notes: Introduction
Many companies have implemented Internet Protocol (IP) networks. The reason for moving to IP networks was the desire to use open communications standards and to be able to communicate with products from different vendors. The IP protocol was developed in the 1970s, and neither then nor for a long time afterwards did anybody design or implement encryption of the data traffic into it. By default, all IP network services transmit their data in clear text, no matter whether it is invoice data or a user name and password. With the introduction of the Secure Sockets Layer (SSL) protocol, applications such as Telnet or FTP became able to protect data traffic by encrypting the data carried in IP datagrams.
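The trace on the previous chart is the whole argument for SSH in one packet. As an added illustration that is not part of the original presentation, the following Python takes a raw IPv4/TCP packet, strips the Telnet IAC control sequences, and decodes the remaining payload both as ASCII and as EBCDIC code page 037 (what a 5250 Telnet session carries), which is exactly what an attacker with a sniffer would do. The packet is constructed inline: ports, sequence numbers, code bits and window are the values shown in the trace, the credential strings BARLEN2 and BAN5NA are taken from its hex dump, and the IP addresses 172.17.1.5 and 172.17.1.10 are assumed.

```python
import re
import struct

IAC, SB, SE = 0xFF, 0xFA, 0xF0  # Telnet control bytes (RFC 854)


def parse_ipv4_tcp(frame: bytes) -> dict:
    """Split a raw IPv4+TCP packet (Ethernet header already removed) into
    addressing, flags and payload."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    total_len, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack_from(
        "!HHHBBH4s4s", frame, 2)
    if proto != 6:
        raise ValueError("not TCP")
    tcp = frame[ihl:total_len]
    sport, dport, _seq, _ack, off_flags, _win = struct.unpack_from("!HHIIHH", tcp)
    data_off = (off_flags >> 12) * 4
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "flags": off_flags & 0x1FF,
        "payload": tcp[data_off:],
    }


def strip_telnet_iac(data: bytes) -> bytes:
    """Remove Telnet option negotiation so only application data remains."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):          # truncated IAC at end of segment
            break
        cmd = data[i + 1]
        if cmd == IAC:                  # escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd == SB:                 # sub-negotiation: skip to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif 0xFB <= cmd <= 0xFE:       # WILL/WONT/DO/DONT <option>
            i += 3
        else:                           # two-byte command such as IAC EOR
            i += 2
    return bytes(out)


def visible_strings(data: bytes, min_len: int = 4) -> dict:
    """Decode the same bytes as ASCII and as EBCDIC (code page 037, used by
    5250 Telnet) and return the printable runs found in each."""
    pattern = r"[A-Za-z0-9@#$_.\-]{%d,}" % min_len
    return {name: re.findall(pattern, data.decode(codec, errors="replace"))
            for name, codec in (("ascii", "ascii"), ("ebcdic", "cp037"))}


def cleartext_from_telnet(frame: bytes) -> dict:
    """Return whatever readable application data a Telnet segment carries."""
    pkt = parse_ipv4_tcp(frame)
    if 23 not in (pkt["sport"], pkt["dport"]):
        return {"telnet": False}
    result = visible_strings(strip_telnet_iac(pkt["payload"]))
    result.update(telnet=True, src=pkt["src"], dst=pkt["dst"], dport=pkt["dport"])
    return result


def build_sample_frame() -> bytes:
    """Constructed packet: ports, sequence numbers, code bits and window are
    those shown in the slide's trace; addresses are assumed; the payload is the
    EBCDIC sign-on data followed by Telnet IAC EOR (0xFF 0xEF)."""
    payload = (bytes.fromhex("c2c1d9d3c5d5f2")      # "BARLEN2" in EBCDIC
               + b"\x00"
               + bytes.fromhex("c2c1d5f5d5c1")      # "BAN5NA" in EBCDIC
               + bytes([IAC, 0xEF]))
    tcp = struct.pack("!HHIIHHHH", 53358, 23, 0x6660DC7F, 0xB04EDAED,
                      (5 << 12) | 0x018, 7496, 0, 0)  # data offset 5, PSH+ACK
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x82C8, 0x4000, 63, 6, 0,
                     bytes([172, 17, 1, 5]), bytes([172, 17, 1, 10]))
    return ip + tcp + payload


SAMPLE_FRAME = build_sample_frame()

if __name__ == "__main__":
    print(cleartext_from_telnet(SAMPLE_FRAME))
```

The point of decoding twice is that a sniffer looking only for ASCII would miss the 5250 sign-on entirely; the EBCDIC view is where the user name and password appear.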
7 Introduction (cont'd)
Traditionally, the iSeries supported the following technologies:
- Secure Sockets Layer (SSL) / Transport Layer Security (TLS)
- Virtual Private Networking (VPN) complying with the IPSec protocol framework
[Figure: a corporate network connected over the Internet to a supplier using SSL, and to a branch office through VPN tunnels.]
Problems:
- To use SSL/TLS for data protection, applications need to be changed to support SSL sockets
- Different SSL sockets APIs are available, so it is difficult to write portable code
- VPN does not always work (for example with network address translation, or when clients or servers lack support)

8 Notes: Introduction (cont'd)
On the iSeries server, OS/400 and i5/OS provide data encryption support via SSL/TLS and VPN. Both technologies provide data encryption, ensure data integrity, and support authentication. The technologies are also based on open standards and therefore allow customers to establish secure communications between devices and products from different vendors. As SSL is implemented at the application layer, programmers have to write their applications to use SSL sockets APIs. For operating system services, such as the Telnet, FTP, or LDAP service, the operating system vendor typically enables these services to support SSL. However, the problem starts when independent software vendors want to write IP sockets applications that can be ported to different operating system platforms. Many times, different SSL sockets APIs exist on the different platforms, requiring the ISVs to change their application code to run on different platforms (note that IBM provides a common SSL interface via the Global Secure Toolkit, GSKit). Using VPN to protect network traffic is also an excellent choice, but it cannot be used in every environment. Sometimes the VPN gateways or endpoints do not support traversal through firewalls when network address translation (NAT) is used. In other cases, the endpoint system does not support VPN at all.
9 Requirements and alternative solutions
There was a demand for:
- Open source SSL implementations that can run on various platforms
- A solution to protect data traffic without changing an application or enabling VPN in an operating system
Open source solutions:
- OpenSSL provides the SSL and TLS protocols and tools
- OpenSSH provides a secure shell and a secure tunneling service to protect data traffic over an untrusted network

10 Notes: Requirements and alternative solutions
Even though SSL/TLS and VPN technologies are based on Internet standards, there are situations where users want more flexibility in protecting data traffic: without having to change applications or, in the case of VPN, without having to establish VPN tunnels in a network. The issues mentioned previously about SSL and VPN technologies raised a demand for alternative solutions based on open source software. Two open source technologies are available and widely used in the market:
- OpenSSL supports the SSL and TLS protocols as well as utilities and cryptographic libraries
- OpenSSH is a free implementation of the Secure Shell (SSH) protocol and connectivity tools
11 OpenSSL
OpenSSL refers to an Open Source project that provides a full-featured SSL implementation. It supports:
- Secure Sockets Layer v2 and v3
- Transport Layer Security v1
- A general purpose cryptographic library
It allows programmers to write SSL/TLS sockets applications that can run on any platform that supports OpenSSL.
[Figure: the network layer stack (physical, data link, network, transport, application), with SSL/TLS placed between the transport and application layers.]
The openssl command line tool can be used for:
- Creation of RSA, DH and DSA key parameters
- Creation of X.509 certificates, Certificate Signing Requests (CSRs) and Certificate Revocation Lists (CRLs)
- Calculation of message digests
- Encryption and decryption with ciphers
- SSL/TLS client and server tests
- Handling of S/MIME signed or encrypted mail
Information is available from the OpenSSL Web site.

12 Notes: OpenSSL
OpenSSL is an Open Source project that provides an SSL and TLS implementation. It supports the Secure Sockets Layer (SSL) version 2 and version 3 and Transport Layer Security (TLS) version 1 protocols. Note that SSL version 2 has known protocol weaknesses; SSL version 3 or TLS should be used wherever the peer supports it. OpenSSL also consists of a cryptographic library, libcrypto, that supports the following algorithms:
- Symmetric ciphers (blowfish, cast, des, idea, rc2, rc4, rc5)
- Public key and key agreement (dsa, dh, rsa)
- Message digests and message authentication codes (md2, md4, md5, mdc2, ripemd, sha, hmac)
The source code and documentation are available from the OpenSSL Web site. OpenSSL is available on many platforms. This is also one of the reasons why programmers who write applications that use SSL/TLS sockets use OpenSSL: they can use a single program source and run it on various platforms, as opposed to using vendor specific SSL implementations. OpenSSL also provides a command line utility under the same name. The openssl utility lets you create digital certificates, certificate revocation lists, certificate signing requests, certificate authorities, and much more. It can basically be used to create the environment that is needed to run SSL-enabled applications.
13 zlib
zlib is a publicly available compression library that:
- does not use patented material
- is used in many compression products
- can be freely downloaded and used for any purpose (personal or commercial)
- is, however, not the fastest algorithm available
Information is available from the zlib Web site.

14 Notes: zlib
Another publicly available product is the zlib compression library. It provides lossless data compression. The source code can be downloaded from the zlib Web site. You also find many binaries for various platforms, such as Linux, Windows, and Unix, on the Web. The license allows anybody to use zlib for personal use or in commercial products at no cost. zlib is also used in many products on the market. For example, the deflate content coding of HTTP 1.1 uses the zlib format for compression.
15 OpenSSH
Secure Shell (SSH) is a program to log into another computer over a network connection, to run commands on it, and to copy files between computers. The entire data traffic is encrypted, including user and password information. SSH is subject to licensing requirements; OpenSSH is the free version of the SSH protocol suite and does not use any patented components, such as the IDEA encryption algorithm.
Several utilities are available with OpenSSH:
- ssh - a secure command shell
- sftp - a secure ftp alternative
- scp - a secure file copy program
- ssh-keygen - a public/private key pair generation and management tool
- ssh-agent - an authentication agent that can store private keys
- ssh-add - used to add private keys to a running ssh-agent
- sshd - a daemon (server) program that handles incoming ssh connections
Two protocol versions are available: SSH1 and SSH2

16 Notes: OpenSSH
The Secure Shell (SSH) was originally designed to provide mainly a secure remote login to, and a file transfer utility between, remote computers. The communication protocol is the SSH protocol, which runs on top of TCP. Currently, two protocol versions are supported, SSH1 and SSH2. These two protocols are entirely different and therefore not compatible. Today, a company named SSH Communications Security, the company of the original SSH developer, maintains the commercial SSH products; the SSH2 protocol itself is being standardized in the IETF, and the SSH transport layer protocol is described in an IETF Internet draft. OpenSSH is the Open Source version of SSH and provides a set of tools that allow secure communications between two communication partners using the SSH protocol. The tools provided with OpenSSH are:
- ssh - the basic rlogin/rsh-like client program
- sshd - the daemon that permits you to log in
- ssh_config - the client configuration file
- sshd_config - the daemon configuration file
- ssh-agent - an authentication agent that can store private keys
- ssh-add - tool which adds keys to the above agent
- sftp - FTP-like program that works over the SSH1 and SSH2 protocols
- scp - file copy program that acts like rcp(1)
- ssh-keygen - key generation tool
- sftp-server - SFTP server subsystem (started automatically by sshd)
- ssh-keyscan - utility for gathering public host keys from a number of hosts
- ssh-keysign - helper program for host-based authentication
17 OpenSSH (cont'd)
OpenSSH also supports the following services and functions:
- X11 forwarding: allows the encryption of remote X Window traffic
- Port forwarding: allows forwarding of TCP/IP connections to a remote system over an encrypted channel
- Data compression: uses zlib for compression
- Kerberos and AFS ticket passing: passes tickets for Kerberos and AFS on to the remote machine
- Cryptographic functions: uses the OpenSSL cryptographic library
Information can be found on the OpenSSH Web site.
[Figure: port forwarding example. A Telnet client on the client system connects to localhost port 2200; the local ssh client forwards that port through the encrypted SSH channel to sshd on port 22 of the server, which delivers the connection to the Telnet server on port 23.]

18 Notes: OpenSSH (cont'd)
Besides the utilities, such as ssh, sftp, and so forth, OpenSSH also provides other functions. They include:
- X11 forwarding provides encryption of remote X Window network traffic.
- Port forwarding allows forwarding of TCP/IP connections to a remote system over an encrypted channel. This is particularly useful for applications that do not support SSL encryption, such as POP or SNMP. Note that the forwarded connection is protected only between the ssh client and sshd; the final hop from sshd to the destination port is in the clear unless the destination is on the same host as sshd.
- Data compression: OpenSSH compresses data with zlib before it encrypts it. This can improve overall performance.
- Kerberos and AFS ticket passing passes tickets for Kerberos and AFS on to the remote system. A user can access all her Kerberos and AFS services without having to enter a password again.
- Cryptographic functions use the OpenSSL cryptographic library.
19 OpenSSH utilities - ssh
ssh is the client utility used to connect to and run commands on a server running the SSH daemon (sshd). Basic syntax:
ssh [user@]hostname [command]
ssh can also be used to forward an arbitrary TCP/IP port over a secure channel between the client and the server.
The ssh client is also needed to programmatically connect to the Hardware Management Console (HMC) on the eServer iSeries i5 and pSeries p5 models.
A popular ssh client is PuTTY, available for Windows and Unix clients.

20 Notes: OpenSSH utilities - ssh
The ssh client utility is a program for logging into a remote system and for performing commands on a remote system. It is intended to replace the rsh and rlogin utilities, which do not provide a secure connection. It provides secure encrypted communications between two systems over an untrusted network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. In the Unix and Linux world it is the common utility to securely communicate with a remote system. ssh is also used as a client to establish a secure shell connection to the Hardware Management Console (HMC) of the POWER5-based iSeries and pSeries systems. The ssh connection with the HMC provides administrators with a command line interface. ssh connects and logs into the specified hostname (with optional user name). The user must prove his/her identity to the remote system using one of several authentication methods, depending on the protocol version used. A popular graphical ssh client is PuTTY. It can be freely downloaded from the Internet; one of the download pages is the PuTTY author's own page. This ssh client is published under the MIT license, which is compatible with the GNU GPL. It allows individuals as well as companies to use the client without restriction.
21 OpenSSH utilities - sftp and scp
sftp is the client utility used to connect with and transfer files to or from a server running the SSH daemon (sshd). Basic syntax:
sftp [user@]hostname[:file [localfile]]
It is a completely different protocol than normal FTP: you cannot use sftp to connect with an FTP server, or vice versa.
sftp is similar to i5/OS FTP with some important differences:
- sftp can only transfer data in binary format
- sftp does not provide the enhanced functions available when transferring files in the QSYS.LIB (database) file system
- sftp does not provide the CCSID data conversion options available with i5/OS FTP
- sftp supports compression (-C flag)
scp is the client utility used to connect with and transfer a single file to or from a server running the SSH daemon (sshd). Basic syntax:
scp [[user@]hostname:]file1 [[user@]hostname:]file2
scp is similar to the sftp utility for transferring a single file.

22 Notes: OpenSSH utilities - sftp and scp
sftp is a secure ftp replacement. As with all implementations of sftp on other platforms, sftp can only transfer data in binary format. Note that sftp also does not provide the enhanced functions available in the i5/OS ftp utility when transferring files in the QSYS.LIB file system, nor does it provide the CCSID data conversion options available in the i5/OS ftp utility. scp is a secure file copy program and is an alternative to sftp for copying a single file in the integrated file system (IFS). It is the OpenSSH version of rcp.
23 OpenSSH utilities - ssh-keygen
The ssh-keygen utility generates public/private key pairs. Basic syntax:
ssh-keygen -t type
One of the authentication mechanisms ssh supports is using a public/private key pair instead of passwords; ssh-keygen is used to generate these key pairs. A private key can be further protected with a pass phrase.
A key pair consists of two files:
- a public key file that you place on the servers you want to connect to, or, for the server keys, on the client systems
- a private key file that you closely guard on your client system or, in the case of the sshd daemon, on the server system

24 Notes: OpenSSH utilities - ssh-keygen
ssh-keygen is a public/private key generation and management tool. ssh allows users to authenticate using these public and private keys as an alternative to their OS sign-on password. As the key names suggest, public keys can be freely distributed while private keys must be protected.
Client side: the public key is distributed to the servers the client connects to. The corresponding private key stays on the client and is typically stored encrypted under a pass phrase. Whenever the client user wants to use the private key for authentication, the user has to enter the pass phrase to unlock the key.
Server side: the public host key can be distributed to any client that connects to this server. The private key is stored in a file on the server. This file must be protected via object authorities. Usually, private key files on the server side are not encrypted with a pass phrase; if they were, somebody would have to enter the pass phrase every time the server daemon starts. Under i5/OS, the keys are stored in files in the IFS.
25 OpenSSH utilities - ssh-agent and ssh-add
ssh-agent is a background utility that holds your decrypted private keys in memory so you do not need to retype the pass phrase each time an SSH connection is started. Basic syntax:
eval `ssh-agent`
ssh communicates with ssh-agent via environment variables; the eval syntax is necessary to set these environment variables in the current shell process.
After ssh-agent has been started, the ssh-add utility is used to add private keys to the agent's memory. Basic syntax:
ssh-add [keyfile]
If entered without a parameter, it adds the identity, id_rsa and id_dsa files from the ~/.ssh directory.

26 Notes: OpenSSH utilities - ssh-agent
ssh-agent is an authentication agent that can hold private keys. It allows a user to load their private key into memory once, to avoid retyping the pass phrase each time an SSH connection is started. It is typically started at the beginning of a session; subsequent program calls act as clients of the ssh-agent process. The ssh-add utility adds RSA and DSA identities to the agent.
27 OpenSSH sshd daemon
sshd is the SSH server daemon that handles incoming ssh connections. Basic syntax:
sshd
- Together with the ssh client application it provides a secure channel over an insecure connection
- Replaces rlogin and rsh
- Listens by default on port 22
- A separate daemon process is spawned for every new connection
- Can be started with the -d option (debug) for troubleshooting

28 Notes: OpenSSH sshd daemon
The ssh daemon (sshd) is the daemon (server) program for ssh. Together, these programs replace rlogin and rsh and provide a secure encrypted communications link between two untrusted hosts over an insecure connection. The sshd daemon listens on port 22 for connections from clients. It is normally started at IPL time. It spawns a new daemon process for each incoming connection. This implementation of the sshd daemon supports both SSH protocol versions 1 and 2 simultaneously.

29 Portable Utilities for i5/OS
30 Portable Utilities for i5/OS
- Portable Utilities for i5/OS is a licensed program option (LPO), number 5733-SC1
- Only available in US English (2924); messages are translated into more languages
- The LPO consists of two options, *BASE and 1; both need to be installed
- Contains the following:
  - OpenSSH connectivity tools (ssh, sftp, scp, ssh-keygen, ssh-agent, ssh-add, sshd), version 3.5p1
  - OpenSSL toolkit, version 0.9.7d
  - zlib compression library, version 1.1.4
- Requires i5/OS Portable Application Solutions Environment (PASE), 5722-SS1 Option 33
- Is a free of charge LPO, automatically configured with new configurations in e-config, and separately orderable at no additional charge for customers who previously ordered and obtained V5R3 i5/OS
Ordering details:
  5733-SC1  Portable Utilities for i5/OS   1  N/C
  2924      English U/L SBCS Primary       1  N/C
  5809      CD-ROM                         1  N/C
  V2V18G    BOTC Portable Utilities        1  N/C

31 Notes: Portable Utilities for i5/OS
A new LPO, 5733-SC1 IBM Portable Utilities for i5/OS, is now available for V5R3 i5/OS users. The 5733-SC1 LPO contains the OpenSSH, OpenSSL and zlib open source packages ported to i5/OS using the i5/OS PASE runtime environment. The LPO requires i5/OS V5R3 and also requires that i5/OS Option 33 (i5/OS PASE - Portable Application Solutions Environment) is installed. There is only a single English build available; however, this build includes the following translations of the OpenSSH messages, which are selected based on the LANG and NLSPATH environment variable settings:
- CA_ES and ca_es (Catalan)
- CS_CZ and cs_cz (Czech)
- DE_DE and de_de (German)
- EN_US and en_us (English)
- ES_ES and es_es (Spanish)
- FR_FR and fr_fr (French)
- HU_HU and hu_hu (Hungarian)
- IT_IT and it_it (Italian)
- JA_JP, ja_jp and Ja_JP (Japanese)
- KO_KR and ko_kr (Korean)
- PL_PL and pl_pl (Polish)
- PT_BR and pt_br (Portuguese)
- RU_RU and ru_ru (Russian)
- SK_SK and sk_sk (Slovak)
- ZH_CN, Zh_CN and zh_cn (Simplified Chinese)
- ZH_TW, Zh_TW and zh_tw (Traditional Chinese)

32 Notes: Portable Utilities for i5/OS
The versions and installation directories of the products are as follows:
- OpenSSH version 3.5p1, located in /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.5p1/
- OpenSSL version 0.9.7d, located in /QOpenSys/QIBM/ProdData/SC1/OpenSSL/openssl-0.9.7d/
- zlib version 1.1.4, located in /QOpenSys/QIBM/ProdData/SC1/zlib/zlib-1.1.4/
Since General Availability (GA) of the LPO, the LPO is automatically added to e-config configuration files. If a customer already has V5R3 installed or previously ordered it, the LPO can be ordered at no cost.
33 Portable Utilities for i5/OS - OpenSSH Implementation
Installation via Restore Licensed Program:
RSTLICPGM LICPGM(5733SC1) DEV(OPTxx) OPTION(*BASE) RSTOBJ(*ALL) LNG(2924)
RSTLICPGM LICPGM(5733SC1) DEV(OPTxx) OPTION(1) RSTOBJ(*PGM)
- The product is installed under /QOpenSys/QIBM/ProdData/SC1, with subdirectories for OpenSSL, OpenSSH, and zlib
- Each subdirectory contains a product/version specific directory, for example /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.5p1
- Configuration files for the sshd daemon are stored in /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc
- User-specific configuration files are stored in ~/.ssh (~ represents the user's home directory, for example /home/barlen/)
- No additional setup is required for OpenSSL and zlib

34 Notes: Portable Utilities for i5/OS - OpenSSH Implementation
Portable Utilities for i5/OS is installed via the RSTLICPGM CL command. To get the OpenSSH, OpenSSL, and zlib open source products installed, you need to restore option *BASE and option 1. If you install the licensed program option on a system whose primary language is US English, you do not need to specify the language parameter. For all other languages, you need to specify 2924 as the language parameter of the *BASE option. The installation process installs the products in the IFS directories:
/QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.5p1
/QOpenSys/QIBM/ProdData/SC1/OpenSSL/openssl-0.9.7d
/QOpenSys/QIBM/ProdData/SC1/zlib/zlib-1.1.4
When setting up the sshd daemon (covered later in this presentation), configuration and public/private key pair files are stored in the following directory:
/QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc
Each user that connects through ssh also needs key information. This information is stored in the .ssh directory in the user's home directory. When using OpenSSH, there is no additional setup required for OpenSSL and zlib.

35 Setting up sshd
- The sshd daemon is the server part of ssh
- It must run in i5/OS to be able to connect to the iSeries from a client via ssh
- It runs in the PASE environment
- Before sshd starts, some basic setup has to be performed
Configuration overview:
1. Set up public/private keys for SSH protocol 1
2. Set up public/private keys for SSH protocol 2
3. If changes are required, modify the sshd configuration file
4. Start sshd / schedule autostart of sshd

36 Notes: Setting up sshd
For a client to be able to establish an ssh connection to a server, such as the iSeries server, the sshd daemon must run on the server side. Before you can start the sshd daemon, you need to perform some initial setup tasks. The setup tasks are as follows:
1. Set up public/private keys for SSH protocol 1 (rsa1 key)
2. Set up public/private keys for SSH protocol 2 (rsa and dsa keys)
3. If changes are required, modify the sshd configuration file
4. Start sshd / schedule autostart of sshd
37 Setting up sshd (cont'd) - Setting up key pairs
1. Change the directory in the PASE shell:
cd /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc
2. Create the public/private key pair for SSH protocol 1:
ssh-keygen -t rsa1 -b 2048 -f ssh_host_key -N ''
3. Create the public/private key pair for SSH protocol 2, DSA:
ssh-keygen -t dsa -b <bits> -f ssh_host_dsa_key -N ''
4. Create the public/private key pair for SSH protocol 2, RSA:
ssh-keygen -t rsa -b <bits> -f ssh_host_rsa_key -N ''
Generating public/private rsa key pair.
Your identification has been saved in ssh_host_rsa_key.
Your public key has been saved in ssh_host_rsa_key.pub.
The key fingerprint is:
1f:cf:f6:c4:c4:7d:57:49:a4:3d:33:b5:a4:0e:3e:6c <user>@<host>

38 Setting up sshd (cont'd) - Customizing the configuration file
Only required when the default values do not meet your requirements. The syntax of the sshd configuration file is described in the sshd man page.
5. Edit the configuration file in the etc directory of OpenSSH (/QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc) using Edit File (EDTF):
edtf sshd_config
The commented values are the default values:
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_rsa_key
#HostKey /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

39 Setting up sshd (cont'd) - Starting the sshd daemon
Can be done manually or automatically.
6a. Manual start of the sshd daemon in PASE (CALL QP2TERM):
sshd
6b. Automatic start of the sshd daemon via batch job:
SBMJOB CMD(CALL PGM(QP2SHELL) PARM('/QOpenSys/usr/sbin/sshd'))
The daemon runs under the user profile that started the PASE shell or submitted the job.
Important: the user under which the sshd daemon runs must have *ALLOBJ special authority. It is recommended to create a separate user profile, such as SSHDUSR, and submit the job under that user:
SBMJOB CMD(CALL PGM(QP2SHELL) PARM('/QOpenSys/usr/sbin/sshd')) JOB(SSHD) JOBQ(your_queue) USER(SSHDUSR)
The user profile name must be 8 characters or less in length.
40 Notes: Setting up sshd
The steps on the previous charts described how to set up the environment for, and run, the sshd daemon. The following list provides a more detailed explanation of the setup tasks.
1. Start the PASE shell via CALL QP2TERM and change the current directory to the etc directory of OpenSSH:
cd /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc
2. Create the public/private key pair for use with the SSH 1 protocol. These keys are used for host authentication.
ssh-keygen -t rsa1 -b 2048 -f ssh_host_key -N ''
With this command, a key pair of type RSA1 with a key length of 2048 bits is generated. The command creates two files: ssh_host_key contains the private key and ssh_host_key.pub contains the public key. The private key file gets by default a public authority of exclude, and only the owner of the file gets read and write authority to it. It is important to protect the private key files. The -N parameter lets you define a pass phrase that is used to encrypt the key file while stored on disk. For a server job it is not necessarily a good idea to define a pass phrase, because there is probably nobody around to enter it when the daemon starts automatically. If no pass phrase is defined (-N ''), the private key file is not encrypted and the daemon can read the key when it starts. The consequence is that anyone who can read the file can impersonate the host, so the object authorities on these files are the only protection.
3. Create the public/private key pair for use with the SSH 2 protocol with key type DSA (Digital Signature Algorithm):
ssh-keygen -t dsa -b <bits> -f ssh_host_dsa_key -N ''
The command creates two files: ssh_host_dsa_key contains the private key and ssh_host_dsa_key.pub contains the public key.
4. Create the public/private key pair for use with the SSH 2 protocol with key type RSA:
ssh-keygen -t rsa -b <bits> -f ssh_host_rsa_key -N ''
The command creates two files: ssh_host_rsa_key contains the private key and ssh_host_rsa_key.pub contains the public key.

41 Notes: Setting up sshd (cont'd)
5. Customizing the sshd configuration file is optional. It is only required when the default values do not meet your requirements. The configuration file is in the IFS directory /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc and is named sshd_config (be careful when selecting the file: there are two files, one for the server named sshd_config and one for the client named ssh_config). By default, the configuration file lists all configuration directives as comments; the values shown represent the default settings. Note that the default Protocol 2,1 also accepts the older SSH protocol version 1; if all your clients support SSH2, set Protocol 2.
After you have finished the configuration, you can start the sshd daemon. You can either start the daemon manually or put it into the startup program to start it automatically when the system starts. The user under which the sshd daemon runs has to have *ALLOBJ special authority to be able to log in users via ssh. It is recommended to create a separate user profile just for running the sshd daemon; because that profile holds *ALLOBJ, it should not be used for anything else, and its password and the authority to submit jobs under it should be tightly controlled. The user profile name must be 8 characters or less. sshd uses the i5/OS Set Profile API (QsySetToProfileHandle) to switch from the user profile that started sshd to the user profile that is connecting.
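The "commented lines show the defaults" convention above is easy to misread when auditing: a line such as #Protocol 2,1 is not configuration, yet it tells you what sshd will do unless an uncommented line says otherwise, and when a keyword appears more than once sshd keeps the first occurrence. As an added example that is not part of the presentation, the following Python resolves the effective values of an sshd_config the way sshd does and reports the settings a hardened i5/OS sshd should not have. The two configuration excerpts are constructed; the default values are those of OpenSSH 3.5p1 for the handful of directives checked.

```python
import re

# Defaults of OpenSSH 3.5p1 for the directives checked here; the commented-out
# lines of the shipped sshd_config document the same values.
DEFAULTS = {
    "port": "22",
    "protocol": "2,1",
    "strictmodes": "yes",
    "permitemptypasswords": "no",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# keyword, then either '=' or whitespace, then the value (sshd accepts both forms)
_DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.*?)\s*$")


def effective_settings(config_text: str, defaults: dict = DEFAULTS) -> dict:
    """Resolve the values sshd will actually use: commented lines are ignored,
    and for a keyword that appears more than once sshd keeps the first one."""
    seen = {}
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            seen.setdefault(m.group(1).lower(), m.group(2))
    return {**defaults, **seen}


def audit_sshd_config(config_text: str) -> list:
    """Return human-readable findings for settings a hardened sshd should not have."""
    s = effective_settings(config_text)
    findings = []
    if "1" in [p.strip() for p in s["protocol"].split(",")]:
        findings.append("Protocol %s: SSH protocol 1 is still accepted; set 'Protocol 2'"
                        % s["protocol"])
    if s["strictmodes"].lower() != "yes":
        findings.append("StrictModes no: key files and .ssh directories with weak "
                        "authorities are accepted; set 'StrictModes yes'")
    if s["permitemptypasswords"].lower() == "yes":
        findings.append("PermitEmptyPasswords yes: profiles without a password can sign on")
    return findings


# Constructed excerpt in the style of the shipped file: everything commented
# out, so the defaults above (including Protocol 2,1) are in effect.
SHIPPED_CONFIG = """\
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#StrictModes yes
#PermitEmptyPasswords no
"""

# The same file after hardening: SSH1 disabled, the rest set explicitly.
HARDENED_CONFIG = """\
Port 22
Protocol 2
StrictModes yes
PermitEmptyPasswords no
"""

if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(text) or ["no findings"])
```

Run against a copy of the real sshd_config pulled from the etc directory with sftp; the first-occurrence rule is why an uncommented Protocol 2 added at the top of the file takes effect even if an old Protocol 2,1 line is left further down.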
42 Client considerations
Take the following considerations into account when running ssh, sftp, or scp:
1. The user profile you specify when connecting to the sshd daemon must be 8 characters or less in length, otherwise authentication fails. Example:
sshd[3699]: Failed password for illegal user barlen1111 from <address> port <port>
2. Every i5/OS user who uses ssh must have a home directory (for example /home/<userid>)
3. The default values for the ssh client environment in i5/OS can be customized in the system-wide ssh_config file in /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc. These settings are valid for all users.
4. ssh user settings can be overridden with user-specific configuration files in the user's home directory: /home/<userid>/.ssh/config
5. The following authorities should be used:
- The public authority of the user's home directory should not include write authority:
chmod go-w /home/<userid>
- The user's .ssh directory and authorized_keys file must not have any public authorities:
chmod go-rwx /home/<userid>/.ssh
chmod go-rwx /home/<userid>/.ssh/authorized_keys

43 Notes: Client considerations
When you use ssh, sftp, or scp, you need to adhere to a few rules:
1. Whether you connect from a PC client or from one iSeries to the sshd daemon of another iSeries system in i5/OS, the user name cannot be longer than 8 characters. That means user profiles that are 9 or 10 characters long cannot be used to authenticate with ssh. In the case of a longer user name, sshd issues a message as shown on the previous chart; on the client side it appears as if you entered a wrong password.
2. ssh stores information in a user's home directory. Therefore, a home directory needs to be created for every user that uses ssh.
3. Just as the sshd system-wide settings are configured in the sshd_config file, there is also a system-wide configuration file for ssh client settings. These settings are used for every ssh, sftp, and scp client request. The system-wide configuration file, named ssh_config, is stored in the directory /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc
4. The system-wide settings can be overridden on a per-user basis with a file named config. This file must be stored in the user's .ssh directory, for example /home/barlen/.ssh/config. The easiest way to create a user-specific file is to copy the system-wide file, rename it, and tailor it to your needs.
5. Similar to the need for protecting the sshd private key files, you also need to ensure protection of the user's home directory, the .ssh sub-directory, and the authorized_keys file. The recommended authority settings are shown on the previous chart. With the default StrictModes yes, sshd refuses public key authentication when these files or directories are writable by others, so weak authorities show up as unexplained key authentication failures and a fallback to the password prompt.
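The authority rules for the sshd host keys (the private key files under the etc directory, covered in the sshd setup notes) and for the user's home directory, .ssh directory and authorized_keys file (this chart) are the same check applied to different paths: nothing for group/other on private material, no group/other write on the home directory. As an added example that is not part of the presentation, the following Python audits a directory tree against those rules and applies the recommended chmod settings. It builds a throw-away fixture with one deliberate weakness on each side instead of touching real /QOpenSys paths; the fixture paths and the stricter-than-sshd-minimum rule for authorized_keys (go-rwx, as the chart recommends) are assumptions.

```python
import os
import stat
import tempfile

# Authority bits that must NOT be set, following the presentation's chmod rules:
# private keys, ~/.ssh and authorized_keys: nothing for group/other (go-rwx);
# the home directory itself: no group/other write (go-w).
NO_GROUP_OTHER = 0o077
NO_GROUP_OTHER_WRITE = 0o022
HOST_KEY_NAMES = ("ssh_host_key", "ssh_host_rsa_key", "ssh_host_dsa_key")


def check_mode(path: str, forbidden: int):
    """Return a finding string if any forbidden permission bit is set, else None."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    extra = mode & forbidden
    if extra:
        return "%s: mode %04o grants %04o to group/other" % (path, mode, extra)
    return None


def audit_host_keys(etc_dir: str) -> list:
    """The sshd private host keys are stored unencrypted (-N ''), so object
    authority is the only thing protecting them."""
    findings = []
    for name in HOST_KEY_NAMES:
        path = os.path.join(etc_dir, name)
        if not os.path.exists(path):
            findings.append("%s: host key missing" % path)
            continue
        finding = check_mode(path, NO_GROUP_OTHER)
        if finding:
            findings.append(finding)
    return findings


def audit_user_home(home: str) -> list:
    """Client-side rules: home must exist and not be group/other writable;
    .ssh and authorized_keys, when present, get no public authority."""
    if not os.path.isdir(home):
        return ["%s: home directory missing (required for ssh users)" % home]
    checks = [(home, NO_GROUP_OTHER_WRITE),
              (os.path.join(home, ".ssh"), NO_GROUP_OTHER),
              (os.path.join(home, ".ssh", "authorized_keys"), NO_GROUP_OTHER)]
    findings = []
    for path, forbidden in checks:
        if os.path.exists(path):
            finding = check_mode(path, forbidden)
            if finding:
                findings.append(finding)
    return findings


def harden(home: str, etc_dir: str) -> None:
    """Apply the recommended authorities (the chmod commands from the chart)."""
    for name in HOST_KEY_NAMES:
        path = os.path.join(etc_dir, name)
        if os.path.exists(path):
            os.chmod(path, 0o600)
    if os.path.isdir(home):
        os.chmod(home, stat.S_IMODE(os.stat(home).st_mode) & ~NO_GROUP_OTHER_WRITE)
        for rel in (".ssh", os.path.join(".ssh", "authorized_keys")):
            path = os.path.join(home, rel)
            if os.path.exists(path):
                os.chmod(path, stat.S_IMODE(os.stat(path).st_mode) & ~NO_GROUP_OTHER)


def build_demo_tree():
    """Constructed fixture (not real i5/OS paths): a user home and an sshd etc
    directory, each with one deliberately weak authority setting."""
    root = tempfile.mkdtemp(prefix="sshaudit-")
    home = os.path.join(root, "home", "barlen")
    os.makedirs(os.path.join(home, ".ssh"))
    authorized = os.path.join(home, ".ssh", "authorized_keys")
    open(authorized, "w").close()
    os.chmod(home, 0o755)
    os.chmod(os.path.join(home, ".ssh"), 0o700)
    os.chmod(authorized, 0o644)            # weak: *PUBLIC can read the key list
    etc_dir = os.path.join(root, "etc")
    os.makedirs(etc_dir)
    for name in HOST_KEY_NAMES:
        path = os.path.join(etc_dir, name)
        open(path, "w").close()
        os.chmod(path, 0o600)
    os.chmod(os.path.join(etc_dir, "ssh_host_dsa_key"), 0o640)  # weak: group can read a private key
    return home, etc_dir


if __name__ == "__main__":
    home, etc_dir = build_demo_tree()
    print(audit_user_home(home) + audit_host_keys(etc_dir))
    harden(home, etc_dir)
    print(audit_user_home(home) + audit_host_keys(etc_dir))
```

On a real system, point audit_host_keys at the UserData etc directory and audit_user_home at each /home/<userid> before enabling public key authentication; a reported finding is the same condition that makes sshd silently fall back to password prompts.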
44 Using ssh from i5/OS
- ssh can be used from QShell or the PASE shell (QP2TERM)
- To use it in QShell, you need to set the path to /QOpenSys/usr/bin
- An ssh session presents you with the PASE shell instead of a 5250 session
- To establish a secure tunnel for Telnet or other applications, you need to use port forwarding as described later in this presentation
- Sessions started with the CALL QP2TERM or QSH CL commands from an i5/OS job are not true TTY devices. This causes problems when using ssh within one of these sessions. Use the -T option with ssh to not allocate a TTY device when connecting:
  ssh -T [user@]hostname
More examples:
ssh -T -C sshtest@rchasm05
  Establishes an ssh session under user sshtest to system rchasm05. All data traffic is compressed (-C).
ssh -T -v rchasm05
  Establishes an ssh session to the remote system rchasm05 under the user that signed on to the local system. The session generates debug output (-v).
45 Notes: Using ssh from i5/OS
You can initiate ssh sessions from QShell or the PASE shell (CALL QP2TERM) to other systems running an sshd daemon. The PASE shell already has the correct path set up, so you just need to enter the ssh command to start a session. In QShell, you first need to add the correct path or call the ssh command directly from the directory /QOpenSys/usr/bin. This directory contains symbolic links to the product directory for all ssh-related commands except sshd.
When you establish an ssh session to another iSeries server, you get a shell rather than a 5250 session. If you want to run an ssh-encrypted Telnet session, you need to enable port forwarding as explained later in this presentation.
In a typical Unix or Linux environment, ssh uses TTY terminals. Since QShell and the PASE shell are not real TTY terminals, you need to specify the -T option to disable the allocation of a TTY terminal.
46 Using sftp and scp
- sftp and scp do not work in QShell or the PASE shell when password authentication is used, due to the issue with TTY terminal allocation
- Solution: use public/private key authentication with the ssh-agent support (more on the next chart)
- sftp and scp from other platforms to transfer files from/to the iSeries also work fine with passwords
scp and sftp examples:
scp /starttfr thomas@rchasm05:/home/thomas/starttfr2
  Uses scp to transfer the local file /starttfr to the IFS directory /home/thomas on the remote system rchasm05 under the name starttfr2. The user name for authentication is thomas.
sftp rchasm05
Connecting to rchasm05...
sftp> put /own55 /home/barlen/own55a
Uploading /own55 to /home/barlen/own55a
sftp> quit
  Uses sftp to transfer the file /own55 to the remote system rchasm05 into directory and file /home/barlen/own55a.
47 Using scp and sftp from i5/OS with ssh-agent support
The following steps provide an overview of setting up key authentication and its use with scp between two i5/OS systems. Steps 1 to 3 are one-time setup steps. Steps 4 and 5 need to be performed whenever a new session is initialized (not for each new scp or sftp command).
1. On the source system, create a key pair in the PASE shell:
   ssh-keygen -t rsa
2. FTP the public key file to the target server
3. Append the public key of the source system user to the target user's authorized_keys file on the target system. In QShell you can do this via:
   cat id_rsa.pub >> authorized_keys
   Use the append redirection (>>). The form cat authorized_keys id_rsa.pub > authorized_keys truncates authorized_keys before cat reads it and destroys the keys already in the file.
   The authorized_keys file is stored in ~/.ssh/authorized_keys
48 Using scp and sftp from i5/OS with ssh-agent support
4. Before starting scp or sftp, you need to start the authentication agent on the source system and add the private key to the agent:
   ssh-agent $SHELL
   ssh-add
   Enter passphrase for /home/barlen/.ssh/id_rsa:
   Identity added: /home/barlen/.ssh/id_rsa (/home/barlen/.ssh/id_rsa)
5. From the started agent shell, you can now run scp, sftp, or ssh with key authentication:
   scp /own55 rchasm05:/home/barlen/own55b
   Note that the shell does not return any messages when the command completes successfully.
49 Notes: Using sftp and scp
scp and sftp can be used to transfer files in binary mode between systems. When using these commands from the PASE shell, password authentication does not work. Unlike the ssh command, which provides the -T switch, the scp and sftp commands do not support suppressing the allocation of a TTY device. The scp and sftp commands do, however, work fine when initiated from other platforms that support TTY devices.
To be able to use scp and sftp from the PASE shell, you can use public/private key authentication instead of password authentication. For this scenario to work, you need to use the ssh authentication agent. This agent holds private keys and, when an application such as scp authenticates, signs the server's challenge with the key; the private key itself never leaves the agent. The use of the ssh authentication agent ssh-agent also requires the use of ssh-add. The latter utility adds the private key of the user that calls the utility to the ssh-agent. If the private key file is encrypted, ssh-add will ask for the passphrase to decrypt the file.
In the previous example, ssh-agent is started with a parameter of $SHELL. This parameter refers to an environment variable that contains the path and name of the current shell (/QOpenSys/usr/bin/sh). The agent then runs in a new shell.
You also need to install the public key of the source user on the target system. You need to transfer the public key file (for example id_rsa.pub) to the target system. Once the file is there, you have to append its content (just a single line) to the authorized_keys file. The authorized_keys file can contain one or more public keys. Each key needs to be on a separate line. If the authorized_keys file does not exist in the .ssh sub-directory of the target user, you can just copy the public key file to the authorized_keys file. Also note that the permissions of these files are critical.
sshd, with StrictModes enabled (the default), rejects key authentication when the home directory, the .ssh directory or the authorized_keys file is writable by group or others. The loosest permissions that sshd accepts for the .ssh directory and the authorized_keys file are therefore:
chmod 755 ~/.ssh
chmod 644 ~/.ssh/authorized_keys
The stricter settings from the client considerations chart (chmod go-rwx on both) are recommended, and the private key files in .ssh must never carry any group or public authority. After the key is loaded into the agent and the public key is installed on the target system, you can run scp, sftp, or ssh -T.
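The following shell script is an added example; it is not part of the original presentation or of the Portable Utilities product. It turns the client rules from charts 42 and 43 and the key installation from charts 47 to 49 into checks that run in the PASE shell or on any POSIX system: it classifies sshd log lines so that failures caused by the 8-character user name limit stand out from ordinary bad passwords, it verifies the authority settings on the home directory, .ssh and authorized_keys from the ls -ld mode string (no stat, which is not a POSIX utility), and it appends a public key with >> instead of the truncating > redirection, creating the directory and file with restrictive modes. The log line, the throwaway home directory under mktemp and the public key string are constructed sample data, not real keys or real log entries; the log format is the OpenSSH 3.x one shown on chart 42.

```shell
#!/bin/sh
# Added example, not part of the original presentation: checks for the ssh
# client rules (charts 42/43) and a safe authorized_keys install (charts 47-49).
# Only POSIX utilities are used (ls, cut, grep, printf, chmod, umask) so the
# script runs in the PASE shell as well as on Linux. All sample data is
# constructed; the key string below is not a real key.

# Rule 1: the i5/OS sshd only authenticates profiles of 8 characters or less.
check_user_len() {
    [ "${#1}" -le 8 ]
}

# Classify one sshd log line: "too-long" for a failed login whose user name
# exceeds 8 characters (the symptom on chart 42), "failed" for any other
# failed password, "other" for everything else.
classify_sshd_line() {
    case "$1" in
        *"Failed password for "*) ;;
        *) echo other; return 0 ;;
    esac
    _rest=${1#*"Failed password for "}
    _rest=${_rest#"illegal user "}      # OpenSSH 3.x wording for an unknown profile
    _rest=${_rest#"invalid user "}      # wording used by later releases
    _user=${_rest%%" from"*}
    if check_user_len "$_user"; then echo failed; else echo too-long; fi
}

# Mode string of a path as ls prints it (drwx------), first 10 characters only
# so an ACL marker in column 11 does not disturb the comparisons.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Rule 5: home directory not group/other writable; .ssh and authorized_keys with
# no group/other authority at all. Prints each violation, returns 1 if any.
check_ssh_perms() {
    _home=$1
    _bad=0
    _m=$(mode_of "$_home")
    case "$_m" in
        ?????w????|????????w?) echo "$_home: group or other may write ($_m)"; _bad=1 ;;
    esac
    for _p in "$_home/.ssh" "$_home/.ssh/authorized_keys"; do
        [ -e "$_p" ] || continue
        _m=$(mode_of "$_p")
        case "$_m" in
            ????------) ;;
            *) echo "$_p: group or other has authority ($_m)"; _bad=1 ;;
        esac
    done
    return $_bad
}

# Step 3 of chart 47 done safely. "cat authorized_keys id_rsa.pub > authorized_keys"
# truncates the file before cat reads it and loses the existing keys; appending
# with >> keeps them. Directory and file are created under umask 077 so they
# never exist with public authority, and a key already present is not added twice.
install_authorized_key() {
    _home=$1
    _pub=$2                                  # one public-key line (content of id_rsa.pub)
    _dir="$_home/.ssh"
    _ak="$_dir/authorized_keys"
    (umask 077 && mkdir -p "$_dir" && touch "$_ak") || return 1
    if grep -qxF "$_pub" "$_ak"; then
        echo "key already present in $_ak"
    else
        printf '%s\n' "$_pub" >> "$_ak"
    fi
    chmod go-w "$_home" && chmod 700 "$_dir" && chmod 600 "$_ak"
}

# Demonstration on a throwaway home directory (constructed data).
demo() {
    _tmp=$(mktemp -d) || return 1
    _key='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAconstructedNotARealKey barlen@systema'
    chmod 777 "$_tmp"                        # deliberately wrong, like a world-writable /home/<userid>
    check_ssh_perms "$_tmp" || echo "-> fix with: chmod go-w $_tmp"
    install_authorized_key "$_tmp" "$_key"
    install_authorized_key "$_tmp" "$_key"   # second run reports the duplicate, adds nothing
    check_ssh_perms "$_tmp" && echo "authorities OK, $(wc -l < "$_tmp/.ssh/authorized_keys") key(s) installed"
    classify_sshd_line 'sshd[3699]: Failed password for illegal user barlen1111 from 10.1.1.5 port 2049 ssh2'
    rm -rf "$_tmp"
}

demo
```

Run it in the PASE shell with the real home directory instead of the mktemp one to audit an existing user; the check functions return non-zero on a violation, so they can also gate an automated key roll-out.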
50 Tunneling Telnet traffic in a secure ssh channel
Tunneling or forwarding allows you to establish a secure connection for applications that would otherwise not protect data traffic (SMTP, POP, IMAP, SNMP, etc.)
Example: Setting up an ssh tunnel for Telnet between two iSeries servers
SystemA (manual tunnel setup)
1. ssh -T -L 5251:localhost:23 systemb (keep the session open)
2. TELNET RMTSYS(LOCALHOST) PORT(5251)
[Figure: the Telnet client on SystemA connects to the local forwarded port; ssh -L carries the traffic to sshd on SystemB, which hands it to the Telnet server]
SystemA (automatic tunnel setup)
1. The private key file is generated without passphrase
2. SBMJOB CMD(CALL PGM(QP2SHELL) PARM('/QOpenSys/usr/bin/ssh' '-T' '-N' '-L5251:localhost:23' 'systemb')) JOB(SSHTUN23) JOBQ(SSHTUNQ)
3. TELNET RMTSYS(LOCALHOST) PORT(5251)
51 Notes: Tunneling Telnet traffic in a secure ssh channel
A very powerful function of ssh is the capability of tunneling or forwarding IP traffic in a secure tunnel. This is very useful for applications that do not support SSL or TLS. As shown in the example on the previous chart, a user might do a Telnet from one i5/OS to another i5/OS. Even though the Telnet server in i5/OS supports SSL, the client does not. As an alternative to using VPN, you can also establish an SSH tunnel between the two systems and then tunnel the Telnet traffic through the secure connection.
The first set of commands is a manual tunnel setup and can certainly be used to test the connection. The commands perform the following: Via a shell session, enter the command ssh -T -L 5251:localhost:23 systemb. The command establishes an ssh connection from the local system (SystemA) to systemb. At the same time, the -L switch with its arguments starts a listener on SystemA's localhost address for port 5251. Whenever a connection request is received on localhost port 5251, ssh forwards that traffic through the encrypted connection, and sshd on systemb connects it to port 23 on systemb itself (the localhost in the -L argument is resolved on systemb). That way the Telnet traffic between the two systems is encrypted. To start a Telnet session over the secure tunnel, you just need to enter the Telnet command with a destination host of localhost and the port 5251, like this: TELNET RMTSYS(LOCALHOST) PORT(5251)
In this example, the user who starts the ssh tunnel has to enter a password for user/password authentication or a passphrase when using key authentication (provided that the private key file is protected by a passphrase). The shell session with the ssh tunnel must be kept active at all times to allow any user on SystemA to establish a Telnet session via the tunnel.
52 Notes: Tunneling Telnet traffic in a secure ssh channel
Even though the previous approach does everything we want, it is rather cumbersome to have somebody start a tunnel after each IPL and then keep the session with the tunnel up at all times. A method that allows you to automatically start ssh tunnels and keep them active at all times is shown in the second set of commands. In this case, the ssh tunnel session is established via a batch job. You could then submit this job in the system startup program or as a subsystem autostart job. It is a more complex call than just entering the ssh command in an interactive shell: each parameter to the ssh command needs to be specified separately in the program call. The -N parameter causes ssh not to request a remote command or shell from sshd; it only establishes the forwarding tunnel.
The user that submits the job, or the user that is specified for the USER parameter of the SBMJOB command, has to use key authentication. Password authentication does not work, because in a batch job there is nobody who could enter the password. The keys need to be generated with an empty passphrase so that the ssh client can open the private key file without prompting. A key without a passphrase is protected only by the authority on its file, so, as with the other key files, the private key file for the tunnel user must not carry any public authority at all: anyone who can copy that file can log on to systemb as the tunnel user.
53 Security considerations
Even though ssh is designed to improve security, it can also raise some security issues:
- ssh, scp, and sftp all use the same port
- Port forwarding (ssh tunnel) basically tunnels any kind of IP traffic (except applications such as FTP)
- ssh may require your firewall to open a new port
  - You may want to use a port other than 22 for ssh; this can be configured in the ssh_config and sshd_config files
- Firewalls or IP packet filtering in i5/OS cannot distinguish between different kinds of tunneled applications
  - Without ssh, a firewall can differentiate based on ports what kind of application is carried in a datagram (port 23 Telnet, port 25 SMTP, etc.)
  - With ssh, all tunneled traffic uses the same port (by default port 22)
  - Somebody could establish tunnels for applications that should not be accessible from outside
- For tunneling, try not to use the -g ssh option. It allows remote systems to use forwarded ports on a system that has a tunnel established
54 Notes: Security considerations
ssh provides additional security by encrypting data, performing stronger authentication than passwords, and ensuring the integrity of transferred data. However, ssh uses just one port to run applications such as ssh, scp, and sftp. With traditional IP-based applications, well-known ports are used to access applications such as Telnet, POP, or SMTP. If you wanted to allow only access to the Telnet server, you could allow only port 23 through a firewall or IP packet filtering in i5/OS. No client would then be able to connect to the SMTP server, because that one uses port 25. With ssh, port forwarding also uses the ssh port to tunnel any kind of application traffic through. That means a firewall that filters traffic based on ports can no longer tell whether the application data in an IP datagram belongs to a Telnet or a POP session.
Typically, when you initiate port forwarding, the forwarded port listens only on the localhost address of the system the ssh tunnel was established on, and sessions are initiated via localhost. If other clients connect from the outside to the forwarded port on the tunnel-initiating side, the connection is refused. However, there is one option you can specify when you start a port forwarding connection that also allows remote clients to use the tunnel for communications: -g. This can open backdoors in your network. Only use this option if it is absolutely necessary. On the sshd side, the AllowTcpForwarding and GatewayPorts directives in sshd_config control whether clients may forward ports at all and whether remote forwards may listen on non-loopback addresses.
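As an added example that is not part of the original presentation, the script below checks the two things charts 50 to 54 warn about, using only awk so it runs in the PASE shell: whether a forwarded port such as the 5251 listener from the Telnet tunnel is bound to the loopback address or, as -g would make it, to every interface, and which forwarding directives an sshd_config actually puts in effect (sshd takes the first occurrence of a directive and applies its own defaults when one is absent). The netstat -an lines and the sshd_config text are constructed samples; the listener check assumes the Linux/AIX netstat layout with the local address in the fourth column and the state in the last one, and i5/OS NETSTAT output would need a different parser.

```shell
#!/bin/sh
# Added example, not part of the original presentation: audits for the port
# forwarding risks discussed on charts 50 to 54. Only awk is used, so the checks
# run in the PASE shell. The netstat lines and sshd_config text are constructed
# samples; the netstat layout (local address in column 4, state in the last
# column, as Linux and AIX print it) is an assumption.

# Where does a forwarded port listen? "ssh -L 5251:localhost:23 systemb" binds
# 127.0.0.1 only; "ssh -g -L ..." (or GatewayPorts yes in the client's
# ssh_config) binds every interface, so other hosts can ride the tunnel.
# Reads netstat -an output on stdin and prints loopback, wildcard or absent.
listener_scope() {
    awk -v port="$1" '
        $NF == "LISTEN" {
            addr = $4                         # e.g. 127.0.0.1:5251, 0.0.0.0:22, *.5251
            n = split(addr, parts, "[:.]")
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1" || host == "localhost") {
                if (found == "") found = "loopback"
            } else {
                found = "wildcard"            # any non-loopback binding wins
            }
        }
        END { print (found == "" ? "absent" : found) }'
}

# Effective forwarding directives of an sshd_config read from stdin. Mirrors
# sshd: comments and blank lines are skipped, the first occurrence of a
# directive wins, and OpenSSH defaults apply when a directive is absent
# (AllowTcpForwarding yes, GatewayPorts no, X11Forwarding no). On the server,
# GatewayPorts governs remote (-R) forwards; AllowTcpForwarding no disables
# tunnels for every client of this sshd.
forwarding_settings() {
    awk '
        BEGIN {
            v["AllowTcpForwarding"] = "yes"; v["GatewayPorts"] = "no"; v["X11Forwarding"] = "no"
            name["allowtcpforwarding"] = "AllowTcpForwarding"
            name["gatewayports"]       = "GatewayPorts"
            name["x11forwarding"]      = "X11Forwarding"
        }
        $1 ~ /^#/ || NF < 2 { next }
        {
            key = tolower($1)
            if (key in name && !(name[key] in seen)) {
                v[name[key]] = tolower($2)
                seen[name[key]] = 1
            }
        }
        END {
            print "AllowTcpForwarding " v["AllowTcpForwarding"]
            print "GatewayPorts " v["GatewayPorts"]
            print "X11Forwarding " v["X11Forwarding"]
        }'
}

# Value of a single directive, e.g. forwarding_setting GatewayPorts < sshd_config
forwarding_setting() {
    forwarding_settings | awk -v want="$1" '$1 == want { print $2 }'
}

demo() {
    # Constructed netstat -an excerpt: the chart 50 tunnel started without -g,
    # plus sshd itself, which legitimately listens on all interfaces.
    _netstat='tcp        0      0 127.0.0.1:5251          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.1.1.10:53358         10.1.1.20:22            ESTABLISHED'
    echo "port 5251: $(printf '%s\n' "$_netstat" | listener_scope 5251)"   # loopback
    echo "port 22:   $(printf '%s\n' "$_netstat" | listener_scope 22)"     # wildcard
    # Constructed sshd_config: GatewayPorts appears twice, the first value wins.
    _sshd_config='Port 22
# forwarding
GatewayPorts yes
GatewayPorts no
AllowTcpForwarding yes'
    printf '%s\n' "$_sshd_config" | forwarding_settings
}

demo
```

On a live system feed the real output in: netstat -an | listener_scope 5251 after starting the tunnel, and forwarding_setting GatewayPorts < /path/to/sshd_config on the server; a "wildcard" result for a tunnel port means the -g caveat from the chart applies.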
55 Additional Information
- OpenSSH home page
- OpenSSL home page
- zlib home page
- Information on Portable Utilities for i5/OS
- Page with links to several SSH implementations for Windows (including Windows ports of OpenSSH)
- SSH, the Secure Shell: The Definitive Guide by Daniel J. Barrett & Richard Silverman; published by O'Reilly
56 Notices
This information was developed for products and services offered in the U.S.A.
Note to U.S. Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.
57 Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both: IBM, eServer, Redbooks (logo), iSeries, OS/400, IBM.COM
The following terms are trademarks of other companies:
- Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.
- Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
- Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
- UNIX is a registered trademark of The Open Group in the United States and other countries.
- SET, SET Secure Electronic Transaction, and the SET Logo are trademarks owned by SET Secure Electronic Transaction LLC.
- Other company, product, and service names may be trademarks or service marks of others.
58 iSeries Application Innovation Program
Join and receive: Solution Assessment, Education, Technical Assistance, Hardware Access, Technical Support and more, at no cost!
Enroll here:
A SHORT INTRODUCTION TO BITNAMI WITH CLOUD & HEAT. Version 1.12 2014-07-01
A SHORT INTRODUCTION TO BITNAMI WITH CLOUD & HEAT Version 1.12 2014-07-01 PAGE _ 2 TABLE OF CONTENTS 1. Introduction.... 3 2. Logging in to Cloud&Heat Dashboard... 4 2.1 Overview of Cloud&Heat Dashboard....
IBM Security SiteProtector System Two-Factor Authentication API Guide
IBM Security IBM Security SiteProtector System Two-Factor Authentication API Guide Version 2.9 Note Before using this information and the product it supports, read the information in Notices on page 13.
File transfer clients manual File Delivery Services
File transfer clients manual File Delivery Services Publisher Post CH Ltd Information Technology Webergutstrasse 12 CH-3030 Berne (Zollikofen) Contact Post CH Ltd Information Technology Webergutstrasse
F-Secure SSH. for Windows. User s Guide
F-Secure SSH for Windows User s Guide "F-Secure" and the triangle symbol are registered trademarks of F-Secure Corporation and F-Secure product names and symbols/logos are either trademarks or registered
Tivoli Endpoint Manager for Configuration Management. User s Guide
Tivoli Endpoint Manager for Configuration Management User s Guide User s Guide i Note: Before using this information and the product it supports, read the information in Notices. Copyright IBM Corporation
QLogic 4Gb Fibre Channel Expansion Card (CIOv) for IBM BladeCenter IBM BladeCenter at-a-glance guide
QLogic 4Gb Fibre Channel Expansion Card (CIOv) for IBM BladeCenter IBM BladeCenter at-a-glance guide The QLogic 4Gb Fibre Channel Expansion Card (CIOv) for BladeCenter enables you to quickly and simply
IBM XIV Management Tools Version 4.7. Release Notes IBM
IBM XIV Management Tools Version 4.7 Release Notes IBM First Edition (September 2015) This edition applies to IBM XIV Management Tools version 4.7 release, and to all subsequent releases and modifications
Getting Started With IBM Cúram Universal Access Entry Edition
IBM Cúram Social Program Management Getting Started With IBM Cúram Universal Access Entry Edition Version 6.0.5 IBM Cúram Social Program Management Getting Started With IBM Cúram Universal Access Entry
TELE 301 Network Management. Lecture 16: Remote Terminal Services
TELE 301 Network Management Lecture 16: Remote Terminal Services Haibo Zhang Computer Science, University of Otago TELE301 Lecture 16: Remote Terminal Services 1 Today s Focus Remote Terminal Services
Installing and using the webscurity webapp.secure client
Linux Utilities for IBM System z Installing and using the webscurity webapp.secure client SC33-8322-00 Linux Utilities for IBM System z Installing and using the webscurity webapp.secure client SC33-8322-00
Remote Control 5.1.2. Tivoli Endpoint Manager - TRC User's Guide
Tivoli Remote Control 5.1.2 Tivoli Endpoint Manager - TRC User's Guide Tivoli Remote Control 5.1.2 Tivoli Endpoint Manager - TRC User's Guide Note Before using this information and the product it supports,
IBM i Version 7.3. Security Digital Certificate Manager IBM
IBM i Version 7.3 Security Digital Certificate Manager IBM IBM i Version 7.3 Security Digital Certificate Manager IBM Note Before using this information and the product it supports, read the information
IBM Lotus Protector for Mail Encryption. User's Guide
IBM Lotus Protector for Mail Encryption User's Guide Version Information Lotus Protector for Mail Encryption User's Guide. Lotus Protector for Mail Encryption Version 2.1.0. Released December 2010. This
IBM TRIRIGA Version 10 Release 4.2. Inventory Management User Guide IBM
IBM TRIRIGA Version 10 Release 4.2 Inventory Management User Guide IBM Note Before using this information and the product it supports, read the information in Notices on page 19. This edition applies to
IBM Enterprise Marketing Management. Domain Name Options for Email
IBM Enterprise Marketing Management Domain Name Options for Email Note Before using this information and the products that it supports, read the information in Notices on page 3. This document applies
z/os V1R11 Communications Server System management and monitoring Network management interface enhancements
IBM Software Group Enterprise Networking Solutions z/os V1R11 Communications Server z/os V1R11 Communications Server System management and monitoring Network management interface enhancements z/os Communications
SolarWinds Technical Reference
SolarWinds Technical Reference Using SSL Certificates in Web Help Desk Introduction... 1 How WHD Uses SSL... 1 Setting WHD to use HTTPS... 1 Enabling HTTPS and Initializing the Java Keystore... 1 Keys
Tivoli IBM Tivoli Monitoring for Transaction Performance
Tivoli IBM Tivoli Monitoring for Transaction Performance Version 5.3.0 Evaluation Guide GC32-9190-00 Tivoli IBM Tivoli Monitoring for Transaction Performance Version 5.3.0 Evaluation Guide GC32-9190-00
Security Digital Certificate Manager
System i Security Digital Certificate Manager Version 5 Release 4 System i Security Digital Certificate Manager Version 5 Release 4 Note Before using this information and the product it supports, be sure
Networking File Transfer Protocol
System i Networking File Transfer Protocol Version 5 Release 4 System i Networking File Transfer Protocol Version 5 Release 4 Note Before using this information and the product it supports, read the information
F-Secure. Securing the Mobile Distributed Enterprise. F-Secure SSH User's and Administrator's Guide
F-Secure Securing the Mobile Distributed Enterprise F-Secure SSH User's and Administrator's Guide F-Secure SSH for Windows, Macintosh, and UNIX Secure Remote Login and System Administration User s & Administrator
How To Use A Pmsft On A Pc Or Mac Or Mac (For Mac) With A Pmf (For Pc) Or Mac Mac (Or Mac) On A Mac Or Pc (For Pmsf) On An Ipad
Capario Secure File Transfer User Guide Notices This user guide (the Guide ) is provided by Capario in order to facilitate your use of the Capario Secure File Transfer Software. This Guide is subject to
IBM Configuring Rational Insight 1.0.1.1 and later for Rational Asset Manager
IBM Configuring Rational Insight 1.0.1.1 and later for Rational Asset Manager Rational Insight and Rational Asset Manager...4 Prerequisites...5 Configuring the XML data configuration for Rational Asset
IBM DB2 Data Archive Expert for z/os:
Front cover IBM DB2 Data Archive Expert for z/os: Put Your Data in Its Place Reduce disk occupancy by removing unused data Streamline operations and improve performance Filter and associate data with DB2
IBM Endpoint Manager. Security and Compliance Analytics Setup Guide
IBM Endpoint Manager Security and Compliance Analytics Setup Guide Version 9.2 IBM Endpoint Manager Security and Compliance Analytics Setup Guide Version 9.2 Note Before using this information and the
Connectivity Security White Paper. Electronic Service Agent for AIX and Virtual I/O Server (VIOS)
Connectivity Security White Paper Electronic Service Agent for AIX and Virtual I/O Server (VIOS) December 2015 Table of Contents I.... Introduction 2 Useful Documentation... 2 Terms and Definitions...
Security Digital Certificate Manager
IBM i Security Digital Certificate Manager 7.1 IBM i Security Digital Certificate Manager 7.1 Note Before using this information and the product it supports, be sure to read the information in Notices,
Communications Server for Linux
Communications Server for Linux SNA connectivity ^business on demand software Multiple types of connectivity exist within the Communications Server for Linux. CSLinux_snaconn.ppt Page 1 of 10 SNA connectivity
IBM Systems Director Navigator for i5/os New Web console for i5, Fast, Easy, Ready
Agenda Key: Session Number: 35CA 540195 IBM Systems Director Navigator for i5/os New Web console for i5, Fast, Easy, Ready 8 Copyright IBM Corporation, 2008. All Rights Reserved. This publication may refer
System i and System p. Customer service, support, and troubleshooting
System i and System p Customer service, support, and troubleshooting System i and System p Customer service, support, and troubleshooting Note Before using this information and the product it supports,
Big Data Analytics with IBM Cognos BI Dynamic Query IBM Redbooks Solution Guide
Big Data Analytics with IBM Cognos BI Dynamic Query IBM Redbooks Solution Guide IBM Cognos Business Intelligence (BI) helps you make better and smarter business decisions faster. Advanced visualization
InfoPrint 4247 Serial Matrix Printers. Remote Printer Management Utility For InfoPrint Serial Matrix Printers
InfoPrint 4247 Serial Matrix Printers Remote Printer Management Utility For InfoPrint Serial Matrix Printers Note: Before using this information and the product it supports, read the information in Notices
Security Service tools user IDs and passwords
System i Security Service tools user IDs and passwords Version 5 Release 4 System i Security Service tools user IDs and passwords Version 5 Release 4 Note Before using this information and the product
WebSphere Application Server V6: Diagnostic Data. It includes information about the following: JVM logs (SystemOut and SystemErr)
Redbooks Paper WebSphere Application Server V6: Diagnostic Data Carla Sadtler David Titzler This paper contains information about the diagnostic data that is available in WebSphere Application Server V6.
IBM Network Advisor IBM Redbooks Product Guide
IBM Network Advisor IBM Redbooks Product Guide This IBM Redbooks Product Guide describes IBM Network Advisor Version 12.4. Although every network type has unique management requirements, most organizations
IBM Client Security Solutions. Password Manager Version 1.4 User s Guide
IBM Client Security Solutions Password Manager Version 1.4 User s Guide IBM Client Security Solutions Password Manager Version 1.4 User s Guide First Edition (October 2004) Copyright International Business
Astaro Security Gateway V8. Remote Access via SSL Configuring ASG and Client
Astaro Security Gateway V8 Remote Access via SSL Configuring ASG and Client 1. Introduction This guide contains complementary information on the Administration Guide and the Online Help. If you are not
If you prefer to use your own SSH client, configure NG Admin with the path to the executable:
How to Configure SSH Each Barracuda NG Firewall system is routinely equipped with an SSH daemon listening on TCP port 22 on all administrative IP addresses (the primary box IP address and all other IP
z/os Firewall Technology Overview
z/os Firewall Technology Overview Mary Sweat E - Mail: [email protected] Washington System Center OS/390 Firewall/VPN 1 Firewall Technologies Tools Included with the OS/390 Security Server Configuration
IBM WebSphere Message Broker - Integrating Tivoli Federated Identity Manager
IBM WebSphere Message Broker - Integrating Tivoli Federated Identity Manager Version 1.1 Property of IBM Page 1 of 18 Version 1.1, March 2008 This version applies to Version 6.0.0.3 of IBM WebSphere Message
