An SSH tunnel is an encrypted dynamic port forwarding mechanism that can also be used to secure connections to an IBM i server. However, the IBM i server exposes multiple services on multiple network ports, and some of these are also used by the JT400 library (which Green Screens Server relies on).
In general, Green Screens Server supports connecting to the IBM i server through an SSH tunnel using SOCKS5, but for this to work fully, JT400 must also support the SOCKS5 protocol. In a recent post we wrote about the SOCKS5 support we contributed to the IBM JT400 library. You can find it here...
This time we will show how to run an SSH tunnel as a Linux service and how to configure Green Screens Server to connect to the IBM i through it, so that all internal connections are encrypted.
Linux side
On the Linux side, we create a new SSH key and a service that runs the tunnel in the background. Later, inside the Green Screens Server Admin console, we will create a tunnel configuration and an IBM i server connection configured to use that tunnel.
NOTE: If you already installed Green Screens Server, you should have a greenscreens user already. If there is no user just yet, create it with the following commands...
sudo groupadd greenscreens
sudo useradd -m -s /bin/bash -g greenscreens greenscreens
Switch to the greenscreens user with a login shell, which also places you in its home folder
su - greenscreens
Create new SSH key for a tunnel
To create an SSH key, multiple algorithms are available. We recommend one of the last two from the list.
ssh-keygen -t rsa -b 4096
ssh-keygen -t dsa
ssh-keygen -t ecdsa -b 521
ssh-keygen -t ed25519
When the command is executed, it will prompt you for an output file name. Enter ~/.ssh/ibm_tunnel (create ~/.ssh first if it does not exist yet) so the key is written where the following commands expect it.
Once the files are created, make sure to apply proper permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/ibm_tunnel
chmod 644 ~/.ssh/ibm_tunnel.pub
chmod 600 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
chmod 755 ~ # ensure home is not writable by others
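The chmod list above is easy to get wrong on a shared host, and sshd (with the default StrictModes) silently ignores authorized_keys, while the ssh client refuses a private key, when these are too permissive. The following script is an added example, not part of Green Screens Server, that audits a key directory against the modes used above. It assumes GNU coreutils `stat -c '%a'` and treats public keys and known_hosts as 644 and everything else in the directory as 600.

```shell
#!/bin/sh
# Added example: audit the modes of an ~/.ssh-style directory against the
# values used in this post. Assumes GNU coreutils stat (-c '%a').
# Not part of Green Screens Server.

# check_mode PATH EXPECTED_OCTAL -> 0 if the mode matches, 1 (with a message) otherwise
check_mode() {
  actual=$(stat -c '%a' "$1" 2>/dev/null) || { echo "MISSING $1" >&2; return 1; }
  [ "$actual" = "$2" ] && return 0
  echo "WRONG   $1 is $actual, expected $2" >&2
  return 1
}

# audit_ssh_dir DIR -> 0 only if DIR, every file in it and its parent have an acceptable mode.
# Public keys and known_hosts may be world-readable (644); everything else
# (private keys, authorized_keys, config) must be private (600).
audit_ssh_dir() {
  dir=$1; bad=0
  check_mode "$dir" 700 || bad=1
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case "$f" in
      *.pub|*/known_hosts) want=644 ;;
      *) want=600 ;;
    esac
    check_mode "$f" "$want" || bad=1
  done
  # the home directory itself must not be group- or world-writable either
  parent=$(dirname "$dir")
  case "$(stat -c '%a' "$parent" 2>/dev/null)" in
    7[0-5][0-5]|5[0-5][0-5]) ;;
    *) echo "WRONG   $parent is group/world writable or missing" >&2; bad=1 ;;
  esac
  return $bad
}

# Usage: sh audit.sh /home/greenscreens/.ssh
if [ -n "${1:-}" ]; then audit_ssh_dir "$1"; fi
```

Run it after the chmod commands and again whenever keys are rotated; a non-zero exit with a WRONG or MISSING line on stderr tells you exactly which path needs fixing.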
Create Linux service to run the tunnel
Create a new service file
sudo nano /etc/systemd/system/ssh-socks.service
Paste the following into the file and save it (CTRL + X). Make sure to set the proper IBM i server IP address or domain name instead of demo.ibm.com as shown in the example.
[Unit]
Description=SSH SOCKS5 Tunnel
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=greenscreens
StandardOutput=journal
StandardError=journal
Restart=always
RestartSec=5
WorkingDirectory=/home/greenscreens
ExecStart=/usr/bin/ssh -NTq -i /home/greenscreens/.ssh/ibm_tunnel -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -D 1080 tunnel@demo.ibm.com
[Install]
WantedBy=multi-user.target
At the end, we need to enable and start the service. Before that, go to the next section to configure the IBM i user, then return here and use these commands to start the tunnel service.
sudo systemctl daemon-reload
sudo systemctl enable ssh-socks
sudo systemctl start ssh-socks
sudo systemctl status ssh-socks
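`ssh -D 1080` binds the SOCKS listener to loopback only unless a bind address or GatewayPorts is given, which is what keeps the proxy private to this host. The script below is an added example, not part of the post's service file or of Green Screens Server, that classifies the port 1080 listener from `ss -ltn` style output as loopback, exposed (reachable from other hosts, i.e. an open SOCKS proxy) or absent (the service is not up). The sample listings are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: verify the SOCKS listener from the ssh-socks service is bound
# to loopback only. Not part of Green Screens Server.

# socks_exposure SS_TEXT PORT -> prints loopback | exposed | absent;
# returns 0 only for loopback (any non-loopback LISTEN on PORT wins).
socks_exposure() {
  text=$1; port=$2; status=absent
  while read -r state _recvq _sendq local _rest; do
    [ "$state" = LISTEN ] || continue
    case "$local" in
      *:"$port") ;;         # only the port we care about
      *) continue ;;
    esac
    case "$local" in
      127.*:*|'[::1]':*) [ "$status" = exposed ] || status=loopback ;;
      *) status=exposed ;;  # 0.0.0.0, [::] or a specific interface address
    esac
  done <<EOF
$text
EOF
  echo "$status"
  [ "$status" = loopback ] && return 0
  return 1
}

# Live check against the running service (uses iproute2 ss; not exercised offline).
check_socks_service() {
  socks_exposure "$(ss -ltn 2>/dev/null)" "${1:-1080}"
}

# Constructed sample listings (not captured from a real host).
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:1080     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:1080       0.0.0.0:*
LISTEN 0      128    [::]:1080          [::]:*'

# Demonstration on the constructed samples; pass "live" to check this host instead.
if [ "${1:-}" = live ]; then
  check_socks_service 1080
else
  socks_exposure "$SAMPLE_OK" 1080
  socks_exposure "$SAMPLE_EXPOSED" 1080 || true
fi
```

If the live check prints absent, look at `journalctl -u ssh-socks` for the ssh error; if it prints exposed, someone has changed the bind address or enabled GatewayPorts and the proxy should be taken down until the unit file is corrected.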
IBM i side
On the IBM i side, we need to create a new limited user with the *SIGNOFF initial menu and install the SSH public key generated on the Linux side, so we can connect remotely. The password shown below is only a placeholder; choose your own.
NOTE: If you are using firewall or packet filtering rules, make sure to modify them to allow SSH connections from your Linux server.
CRTUSRPRF USRPRF(TUNNEL) PASSWORD('Secret123')
USRCLS(*USER)
INLMNU(*SIGNOFF)
LMTCPB(*YES)
HOMEDIR('/home/tunnel')
Then, from PASE or QSH, set up the user's home directory
mkdir -p /home/tunnel
mkdir -p /home/tunnel/.ssh
chown tunnel:tunnel /home/tunnel
chmod 700 /home/tunnel
cp -a /etc/skel/. /home/tunnel
chown -R tunnel:tunnel /home/tunnel
The last step is to copy the content of the Linux file /home/greenscreens/.ssh/ibm_tunnel.pub into /home/tunnel/.ssh/authorized_keys on the IBM i (keep /home/tunnel/.ssh at mode 700 and authorized_keys at 600, otherwise sshd ignores the key), then try to SSH from Linux to the IBM i server from the command line.
ssh -i /home/greenscreens/.ssh/ibm_tunnel tunnel@demo.ibm.com
If that works, you are ready to start the ssh-socks service on the Linux side with the systemctl commands shown earlier.
IMPORTANT
For security reasons, make sure your SSH server host keys are not the default ones from the installation.
When IBM i OpenSSH & OpenSSL (Licensed Program 5733-SC1) is installed, default SSH host keys are installed as well, and you do not want to keep using them. These keys identify the server during the initial SSH connection handshake and play an important role in MITM protection. For security reasons, one should regenerate these keys as soon as 5733-SC1 is installed. Here is how to do it...
# navigate to SSH config
cd /QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/
# remove default keys
rm ./ssh_host*
# regenerate all keys
ssh-keygen -A
# remove weak key
rm ssh_host_dsa_key*
# optionally enable stronger keys
# vi sshd_config
# then uncomment ecdsa and ed25519
# restart SSHD
ENDTCPSVR *SSHD
STRTCPSVR *SSHD
# Generate key hashes and output to the console
ssh-keygen -lf /QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/ssh_host_rsa_key.pub
ssh-keygen -lf /QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/ssh_host_ecdsa_key.pub
ssh-keygen -lf /QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/ssh_host_ed25519_key.pub
The hashes generated by the last 3 commands can be used to verify that the server-side response is coming from the real server, which is a MITM protection. The upcoming Green Screens Server update will support these hashes for increased security.
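Until that update ships, the fingerprints can still be checked from the Linux side. The script below is an added example, not part of Green Screens Server or IBM's tooling, that computes the same `SHA256:` fingerprint that `ssh-keygen -lf` prints, in plain POSIX shell, and compares whatever a host presents over the network (via `ssh-keyscan`) against a pinned list built from the three commands above. It assumes GNU coreutils (`base64`, `sha256sum`) and `awk`; the sample key line in the test is constructed and is not a real host key.

```shell
#!/bin/sh
# Added example: compute OpenSSH-style SHA256 host key fingerprints in plain shell
# and compare a server's presented keys against a pinned list. Assumes GNU
# coreutils (base64, sha256sum) and awk. Not part of Green Screens Server.

# hex_to_bin HEX -> raw bytes on stdout (printf octal escapes, POSIX sh)
hex_to_bin() {
  h=$1
  while [ -n "$h" ]; do
    rest=${h#??}
    pair=${h%"$rest"}
    oct=$(printf '%03o' "$((0x$pair))")
    printf "\\$oct"
    h=$rest
  done
}

# ssh_fingerprint "TYPE BASE64 [COMMENT]" -> SHA256:<base64 without padding>,
# the same form ssh-keygen -lf prints; returns 1 on a malformed line.
ssh_fingerprint() {
  blob=$(printf '%s\n' "$1" | awk '{print $2}')
  [ -n "$blob" ] || return 1
  n=$(printf '%s' "$blob" | base64 -d 2>/dev/null | wc -c)
  [ "$n" -gt 0 ] || return 1
  hex=$(printf '%s' "$blob" | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1)
  [ ${#hex} -eq 64 ] || return 1
  b64=$(hex_to_bin "$hex" | base64 | tr -d '=\n')
  printf 'SHA256:%s\n' "$b64"
}

# is_pinned FINGERPRINT PINFILE -> 0 if the fingerprint is listed
# (one fingerprint per line, lines starting with '#' are comments)
is_pinned() {
  grep -v '^#' "$2" | grep -qxF "$1"
}

# verify_host HOST PINFILE -> 0 only if every key the host presents is pinned.
# Uses ssh-keyscan, so it needs network access (not exercised offline).
verify_host() {
  host=$1; pinfile=$2; rc=0
  scan=$(ssh-keyscan -t ed25519,ecdsa,rsa "$host" 2>/dev/null) || return 2
  while read -r _h keytype key; do
    [ -n "$key" ] || continue
    fp=$(ssh_fingerprint "$keytype $key") || continue
    if is_pinned "$fp" "$pinfile"; then
      echo "OK       $keytype $fp"
    else
      echo "MISMATCH $keytype $fp" >&2; rc=1
    fi
  done <<EOF
$scan
EOF
  return $rc
}

# Usage: sh pin.sh demo.ibm.com /home/greenscreens/ibm_i_hostkeys.txt
# where the pin file holds the SHA256:... values printed by ssh-keygen -lf on the IBM i.
if [ $# -eq 2 ]; then verify_host "$1" "$2"; fi
```

Copy the `SHA256:...` fields from the `ssh-keygen -lf` output into the pin file over a channel you already trust (the green-screen console, not the SSH session being verified), and treat any MISMATCH after the 5733-SC1 keys were regenerated as a reason to stop and investigate before starting the tunnel.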
Green Screens Server
The last step is to use the Green Screens Admin console to configure the SSH tunnel. As shown in the image below, choose SOCK5 as the Type and enter a configuration name. The SOCK5 tunnel type always uses 127.0.0.1 as the interface to connect to, since the ssh-socks service listens on loopback.

Attach the newly created tunnel to the IBM i server configuration. Note that even though the configuration points at the IBM i server address, the actual connection is made locally to the SSH SOCKS service, which forwards it to the IBM i as defined in the Linux ssh-socks service. Because SOCKS5 connections are opened on the far end of the tunnel, the address 127.0.0.1 here is resolved by the SSH daemon running on the IBM i server and therefore refers to the IBM i itself.

And finally, check the connection... If it is working, a validation response is shown. The validation procedure also verifies that all other connection types pass through the tunnel.

Final note
If validation is successful but you are still not able to open a terminal session, make sure the IBM i internal firewall or packet filter does not block ports, especially port 23 for connections from localhost. The SSH tunnel endpoint on the IBM i side connects back to the IBM i itself at localhost.