IBM Support

Changing the Default Shell for Inbound Secure Shell (SSH) Connections to the IBM i

Technote (troubleshooting)


Problem (Abstract)

This document describes how the default shell for inbound SSH connections to the IBM i can be changed.

Resolving the problem


Shell is a UNIX term for the interactive command interface to an operating system. The shell interprets and executes the commands a user enters. The Bourne shell '/QOpenSys/usr/bin/bsh' is the default shell used for inbound SSH connections to the IBM i. The default shell for inbound SSH connections can be changed to either the Korn shell or the C shell.

A new sshd_config option specific to the IBM i 4.7p1 implementation of OpenSSH named ibmpaseforishell can be added to specify a different shell to be used for incoming SSH connections. The 4.7p1 implementation of OpenSSH is available on V7R1 machines that have version 7 of the IBM Portable Utilities 5733SC1 installed. To use this option, add the ibmpaseforishell option to the sshd_config file. The sshd_config file is stored in the IFS directory below:

/QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-4.7p1/etc

The value for the ibmpaseforishell option is the pathname to the shell to be used. Listed below is an example of how the default shell can be changed to the C Shell by adding the ibmpaseforishell option to the sshd_config file:

#PidFile /var/tmp/sshd.pid
#MaxStartups 10

#no default banner path
#Banner /some/path

#ibm pase for IBM i shell
ibmpaseforishell /QOpenSys/usr/bin/csh

#override default of no subsystems
Subsystem sftp /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-4.7p1/libexec/sftp-server

Note: The ibmpaseforishell keyword can also be used to restrict SSH access to the IBM i. In the example below, changing the value of the ibmpaseforishell keyword to the sftp-server file restricts SSH access to the IBM i:

Example
#restrict access to the ibm pase for IBM i shell
ibmpaseforishell /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-4.7p1/libexec/sftp-server

Considerations to Make

  • The SSH daemon (sshd) must be restarted for the changes to take effect.
  • The specified shell will be used for every inbound SSH session to the IBM i. There is no way to specify a shell for individual user profiles in the sshd_config file. If different shells are required for certain users, a login script ~/.profile can be created for these users. The desired shell can be inserted into the user's login script.
  • The OpenSSH implementation 4.7p1 code can be installed on earlier releases of the operating system by installing PTF SI39652 (V5R4) and SI40092 (V6R1).
  • The installation of the PTFs will not change the location of sshd_config file. For V5R4 machines, the sshd_config will remain in the openssh-3.5p1 path. For V6R1 machines, the sshd_config file will remain in the openssh-3.8.1p1 path.
  • On V7R2 machines, the sshd_config file resides in the IFS directory /QOpenSys/QIBM/UserData/SC1/OpenSSH/etc.
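
Because the ibmpaseforishell setting applies to every inbound session, it is worth checking which value is actually active in a given sshd_config. The script below is an added example, not part of the IBM technote: the function names are hypothetical, the sample file is constructed, and it assumes the keyword is matched case-insensitively with the first uncommented occurrence taking effect, as for standard sshd_config keywords.

```sh
#!/bin/sh
# Added example: audit the ibmpaseforishell setting in an sshd_config file.
# Assumptions (not from the technote): keyword is case-insensitive, the first
# active occurrence wins, and the path contains no whitespace.

# Print the value of the first active ibmpaseforishell line (empty if none).
pase_shell_setting() {
    awk 'tolower($1) == "ibmpaseforishell" { print $2; exit }' "$1"
}

# Count active ibmpaseforishell lines; more than one means later lines are
# probably ignored and the file should be cleaned up.
count_pase_shell_lines() {
    awk 'tolower($1) == "ibmpaseforishell" { n++ } END { print n + 0 }' "$1"
}

# Classify the effective setting:
#   default            keyword absent or commented out (Bourne shell is used)
#   restricted:<path>  value is an sftp-server binary (no interactive shell)
#   shell:<path>       any other program, used for every inbound session
classify_pase_shell() {
    value=$(pase_shell_setting "$1")
    case "$value" in
        "")            echo "default" ;;
        */sftp-server) echo "restricted:$value" ;;
        *)             echo "shell:$value" ;;
    esac
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#MaxStartups 10
#ibmpaseforishell /QOpenSys/usr/bin/csh
ibmpaseforishell /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-4.7p1/libexec/sftp-server
Subsystem sftp /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-4.7p1/libexec/sftp-server
EOF
echo "setting: $(classify_pase_shell "$sample")"
echo "active lines: $(count_pase_shell_lines "$sample")"
rm -f "$sample"
```

To check a real system, pass the sshd_config path for the installed release (see the locations listed above) to classify_pase_shell.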

Cross reference information
Segment Product Component Platform Version Edition
Operating System IBM i 7.2
Operating System IBM i 7.1
Operating System IBM i 6.1

Historical Number

598442206

Document information

More support for: IBM i
Communications-TCP

Software version: 5.4.0, 5.4.5, 6.1, 6.1.0, 6.1.1, 7.1, 7.1.0, 7.2, 7.2.0

Operating system(s): IBM i

Reference #: N1011555

Modified date: 13 September 2012