Hello Rob,

On 06.01.2020 at 21:50, Rob Berendt <rob@xxxxxxxxx> wrote:

I may end up using this ssh technique instead. I'm sure your steps sound easy to someone who has done this a few times before but I may need a little hand holding.

No problem. Just ask if you need clarification on a topic.

<snip>
What would I do? I'd ask the tech guys to install an ssh server on windows and log in to there with proper keys to call dnscmd directly over this session.
ssh Administrator@Servername "dnscmd record add blah"
</snip>

1 - Sometimes if I can give an example of a Windows ssh server that may help. And it may help me because then we'd both be using a known good combination.
2 - How to configure and consume "proper keys".

I need to ask a friend about these. As far as I can see, he used OpenSSH and made an install package with configuration settings and key stuff.

Do you know how this key-thing basically works?

3 - How to best initiate a session from IBM i.

call qp2something with the ssh command line as parameter.

As for #3 I played with
QSH CMD('ssh rob@gdl57 dir >/test.txt')
And got connection refused. Which makes sense because my laptop doesn't have a ssh server running on it.

Yes, you're right. I'm surprised that qsh can find ssh — I was expecting the binaries only available to PASE.

So some example uses to make sure that I
A - Pass the right connection stuff
B - Generate an acceptable return code and/or log file to check

You need to test return codes. First: I'm not sure if dnscmd properly sets return codes and second, if these will be passed on to cmd and finally the ssh-server for giving it to the client.

And whatever else you recommend for production use.
As a demonstration of my trying to figure this out on my own I have this link too
https://www.ibm.com/support/pages/configuring-ibm-i-ssh-sftp-and-scp-clients-use-public-key-authentication

LOL! "Once the SSH server administrator has placed the public key into the appropriate location on the remote side, you can test the connection to see if Public-key authentication works." — The most important part is left out. :-)

After running ssh-keygen -t rsa, you end up with id_rsa and id_rsa.pub in .ssh of the calling user. The id_rsa.pub content (one long line) must be appended to .ssh/authorized_keys, if it exists. If not, it's the first line in a new file, obviously.

The more I can tell the Windows admin "do this" the less internet searching they have to do and get exposed to all the FUD scaring them out of letting the Windows server serve up remote commands.

After a quick search, I found out that the destination user's home directory on the Windows side also must have a .ssh-subdirectory. From there, the above said stuff is the same.

If your windows-guys are afraid, then later (when it's clear that the solution works), they can restrict connections by source IP and commands allowed to be run. But that's for later.

Don't hesitate to ask if in doubt. ssh -v (and more v to be more verbose) is often helpful in diagnosing problems. I don't know if and where OpenSSH logs messages on Windows. Text file? Or to the Eventlog-Facility? Dunno.

:wq! PoC

PGP-Key: DDD3 4ABF 6413 38DE - https://www.pocnet.net/poc-key.asc
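
The key installation and return-code check discussed in the message above, as an added example that is not part of the original post. It assumes a POSIX shell and an OpenSSH client; the `SSH_BIN` override, the function names, and the sample address are hypothetical.

```shell
#!/bin/sh
# Added example. Host names, paths and SSH_BIN are assumptions, not from the post.

# Append a public key to authorized_keys exactly once.
# $1 = public key file, $2 = authorized_keys file,
# $3 = optional sshd key options such as 'from="192.0.2.10"'
add_authorized_key() {
    pub=$1; auth=$2; opts=${3:-}
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 2; }
    key=$(head -n 1 "$pub")               # a public key is one long line
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    case $key in
        ssh-*\ *|ecdsa-*\ *) [ -n "$blob" ] || return 2 ;;
        *) echo "$pub does not look like a public key" >&2; return 2 ;;
    esac
    # chmod applies to a Unix-like server; Windows uses ACLs on the file instead.
    mkdir -p "$(dirname "$auth")" && chmod 700 "$(dirname "$auth")"
    touch "$auth" && chmod 600 "$auth"
    # Compare the base64 blob so a changed comment does not add a duplicate.
    if grep -qF -- "$blob" "$auth"; then return 0; fi
    printf '%s\n' "${opts:+$opts }$key" >> "$auth"
}

# Run a remote command, keep its output in a log file, and classify the result.
# ssh exits with the remote command's status, or 255 if ssh itself failed
# (a remote command that exits 255 on its own is indistinguishable).
# $1 = user@host, $2 = log file, rest = remote command line
run_remote() {
    target=$1; log=$2; shift 2
    rc=0
    # BatchMode=yes: fail instead of prompting for a password in a batch job.
    "${SSH_BIN:-ssh}" -o BatchMode=yes -o ConnectTimeout=10 \
        "$target" "$@" >"$log" 2>&1 || rc=$?
    case $rc in
        0)   echo "OK" ;;
        255) echo "SSH_FAILED" ;;          # refused, timeout, key rejected
        *)   echo "REMOTE_FAILED rc=$rc" ;;
    esac
    return "$rc"
}
```

Whether the remote program sets a meaningful exit status is a separate question; `run_remote` only reports what ssh hands back.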

