IBM Support

Starting the SSH Daemon in a Dedicated Subsystem Environment

Technote (troubleshooting)


Problem (Abstract)

This document describes how to start SSH as an autostart job in a subsystem.

Resolving the problem

To better control the environment and resources that are used by SSH jobs, we recommend that you run SSH jobs in a dedicated subsystem. This becomes even more obvious when we discuss how the SSHD environment works. When you start the SSHD daemon in IBM i5/OS, a single job for the daemon is started. When a client establishes an SSH session to the daemon, the daemon spawns a new job for this particular client. When a user is authenticated for this client session, another job is spawned. In addition, if the user runs a command or job, another job is started; this means that you might end up with three jobs for a single client user. Therefore, we recommend that you run all SSH jobs in a separate subsystem.

To set up the required subsystem environment, you must have at least the following i5/OS objects:

o Subsystem description (SBSD) with routing and memory entries and an autostart job entry
o Job queue (JOBQ)
o Job description (JOBD)
o User profile (USRPRF)

Note: The user profile object is recommended so that sshd runs under a dedicated user profile.

The following steps show an example of starting the sshd daemon in a simple subsystem environment:
1. Create a library to store the SSHD-related objects. On the operating system command line, type the following:

CRTLIB LIB(SSHLIB) TEXT('SSH library')

Press the Enter key.
2. Create a subsystem description using the following CL command:

CRTSBSD SBSD(SSHLIB/SSHSBS) POOLS((1 *BASE)) TEXT('SSH jobs subsystem')

Press the Enter key. This command creates a subsystem description called SSHSBS in the SSHLIB library and assigns a single memory pool. You might want to create a dedicated memory pool in your environment rather than using the system base pool.
3. Create a job queue for submitting the job to the subsystem:

CRTJOBQ JOBQ(SSHLIB/SSHJOBQ) TEXT('SSH job queue')

Press the Enter key.
4. Create a user profile for the daemon job. This user profile is used to run the SSHD daemon; therefore, it should not be used to sign on to the system. To ensure that it cannot be used to sign on, create the profile without a password and specify *SIGNOFF for the Initial menu. In addition, set Limit capabilities for the user profile to *YES. Ensure the profile name is less than eight characters. Note that the example command also assigns *ALLOBJ special authority to the profile.

CRTUSRPRF USRPRF(SSHDUSR) PASSWORD(*NONE) INLMNU(*SIGNOFF) LMTCPB(*YES) SPCAUT(*ALLOBJ) +
          TEXT('SSHD Daemon user profile')

Press the Enter key.
5. Create a job description for the subsystem autostart job entry:

CRTJOBD JOBD(SSHLIB/SSHJOBD) JOBQ(SSHLIB/SSHJOBQ) TEXT('Job description for SSHD autostart') +
        USER(SSHDUSR) RQSDTA('QSH CMD(''/QOpenSys/usr/sbin/sshd'')')

Press the Enter key.
6. Create a class for the subsystem. The class defines the run priority of the SSH jobs and other resource-related parameters.

CRTCLS CLS(SSHLIB/SSHCLS) TEXT('SSH job class')

Press the Enter key.
7. Add a routing entry to the subsystem so that the autostart job entry can start the SSHD daemon job:

ADDRTGE SBSD(SSHLIB/SSHSBS) SEQNBR(1) CMPVAL(*ANY) PGM(QCMD) CLS(SSHLIB/SSHCLS)

Press the Enter key.
8. Add the job queue that you previously created to the subsystem description:

ADDJOBQE SBSD(SSHLIB/SSHSBS) JOBQ(SSHLIB/SSHJOBQ) MAXACT(*NOMAX) SEQNBR(10)

Press the Enter key.
9. Add the autostart job entry to the subsystem description:

ADDAJE SBSD(SSHLIB/SSHSBS) JOB(SSHD) JOBD(SSHLIB/SSHJOBD)

Press the Enter key.

Whenever the subsystem is started, the job specified in the autostart job entry (through the job description) is started. It runs with the priority defined in the class SSHCLS and under the SSHDUSR user profile. To fully automate the startup of the SSHD daemon at IPL time, you must change your startup program to include the STRSBS SSHLIB/SSHSBS command. When the subsystem is started with the previously created subsystem environment and no SSH connection is established, you should see one QP0ZSPWP job running (as shown below in Figure 1).


Figure 1. Screen shot of the SSHD job (QP0ZSPWP) running in the dedicated SSH subsystem.

Note: The primary function of the SSHD autostart job is to process the program call '/QOpenSys/usr/sbin/sshd' defined in the SSHD JOBD. When processing of the autostart job completes, the SSHD job is no longer active. SSHD processing is then handled by job QP0ZSPWP, which runs in the dedicated SSH subsystem.

Historical Number

428379042

Document information

More support for: IBM i
Communications-TCP

Software version: 5.4.0

Operating system(s): IBM i

Reference #: N1014744

Modified date: 11 November 2012