For those of you who follow either my articles on PowerWire or my videos at learning.formaserve.co.uk you will know my inclination over the past few years is in Open-sourceon the IBM i, and one of the easiest ways of obtaining packages is via the Access for Client Solutions (ACS) application from IBM, unless you are in favour of the CLI (Command Line Interface) method of using YUM.
By taking the option of Open-source Package Management off the ACS Tools menu, the first step we have to take is to make a SSH (Secure Shell) connection to your designated IBM i. After selecting the server to connect to, and the user ID for the connection, we are then asked to provide either a password or a SSH private key.
Ah, as I always use private/public key authentication when using a PASE SSH sesssion for all my BASH work, why not use this key combination to stop me having to input my password each time.
Using the browse button next to the SSH key input, I selected the same private key I used for my PASE SSH session and low and behold, it failed as can be seen in the figure below.
What was I missing here? I knew the key combination worked as I had been using them for many months. The keys I used had been generated by the OpenSSL package on Windows 10.
Time to open a PMR with IBM.
On the first communication with IBM (you can see where this is going!), they stated that the private/public key pair must be generated by the PuTTY package and not the OpenSSL version.
The PuTTY version stores the private key as a .PPK file and this is the file we have to specify on the ACS Open-source Package Management connection screen. So I installed the latest PuTTY package from https://www.chiark.greenend.org.uk/~sgtatham/putty/ (version 0.75) and used the PuTTYgen program to generate my PPK file.
The PuTTYgen program gave me the option to save both the private and public key.
The public key was added to my authorized_keys file in the .SSH directory of my home directory on the IBM i.
Time to try ACS package management again, and guess what? Yes, failed again!
Back to IBM to report my findings.
They next suggested I copy the key directly from the Key Generator and paste into my authorized_keys (omitting the save public key option)
Tried again, and still failed.
IBM then kindly provided one of their key pairs for me to try (for testing purposes only!) and it worked first time!
After a few toing and froing with IBM, it was found that they were using version 0.73 of the PuTTY key generator, where I was using version 0.75 and that was where the problem laid.
After finding version 0.73, I re-generated the keys and it worked straight away. Result!
For those interested, the version of PuTTY that is compatible with ACS can be found at https://www.chiark.greenend.org.uk/~sgtatham/putty/releases/0.73.html
As the page stated, please be aware there are known security vulnerablilities within this program, so install at your own risk!
By the way, the user profile specified in the ACS open-source package management connection must have QSECOFR authority, as authorities/owernship are checked and set during the maintenance of the open-source packages.
By following this article, we can now get at all the available open-source packages that have been made available to us, very easily, no need to remember passwords. One less, they all count!
If you have any questions, either on this article, or anything else open source, use the comments below, or send me a message on twitter @AndyYouens
Andy Youens is an IBM i consultant/instructor at Milton Keynes, UK-based FormaServe Systems with over 40 years IBM midrange experience.
IBM Champion 2021
Leave a Reply