If you want to make the SSH server on your IBM i more secure, you can try this procedure.
You may have heard about the Terrapin attack or the Cipher Block Chaining (CBC) encryption vulnerability.
With the ssh -Q cipher command you can list the ciphers that the installed OpenSSH supports, and which the SSHD server can therefore be configured to use:
bash-5.2$> ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
With this command you can find out whether a remote SSH server allows a specific cipher:
ssh -c 'chacha20-poly1305@openssh.com' servername/address
If the server does not allow this cipher, the connection fails and you get the list of ciphers it does allow:
Unable to negotiate with servername/address port 22: no matching cipher found. Their offer: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
By editing the configuration file /QOpenSys/QIBM/ProdData/SC1/OpenSSH/etc/sshd_config you can tell SSHD which ciphers can be used. The ciphers option is designed for this purpose. sshd uses the first value it reads for a keyword, so keep only one of the forms below.
#to remove specific ciphers from the offer
ciphers -chacha20-poly1305@openssh.com,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
#to add specific ciphers to the offer
ciphers +chacha20-poly1305@openssh.com,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
#to use only specific ciphers
ciphers chacha20-poly1305@openssh.com,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
The SSHD server must be restarted after configuration changes:
ENDTCPSVR SERVER(*SSHD)
STRTCPSVR SERVER(*SSHD)
With the NETSTAT command and option 3 (Work with IPv4 connection status) you can check that the SSH server is up and running:
                    Work with IPv4 Connection Status
                                                      System:   SERVER
Type options, press Enter.
  3=Enable debug   4=End   5=Display details   6=Disable debug
  8=Display jobs

     Remote     Remote     Local
Opt  Address    Port       Port        Idle Time  State
     *          *          ftp-con >   000:58:14  Listen
     *          *          ssh         000:03:35  Listen
     *          *          telnet      000:58:12  Listen
     *          *          smtp        000:58:14  Listen
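To confirm after the restart that none of the ciphers removed above are still offered, the "Their offer" message (or a line such as `ciphers a,b,c`, for example from `sshd -T`) can be checked automatically. This is an added example, not part of the original procedure; the function names are hypothetical and the second sample line is constructed.

```shell
#!/bin/sh
# Added example: flag ciphers from this page's removal list in a cipher offer.

# True for the ciphers the page removes: every CBC cipher and chacha20-poly1305.
is_weak_cipher() {
    case "$1" in
        *-cbc|*-cbc@*|chacha20-poly1305@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Reduce ssh's "... Their offer: a,b,c" message, a "ciphers a,b,c" line,
# or a bare "a,b,c" list to the comma-separated cipher list.
extract_offer() {
    printf '%s\n' "$1" | sed -e 's/^.*Their offer: *//' -e 's/^[Cc]iphers  *//'
}

# Print the weak ciphers found in the offer, comma-separated (empty if none).
weak_in_offer() {
    list=$(extract_offer "$1")
    found=""
    old_ifs=$IFS; IFS=,
    for c in $list; do
        if is_weak_cipher "$c"; then
            found="${found:+$found,}$c"
        fi
    done
    IFS=$old_ifs
    printf '%s\n' "$found"
}

# Print a verdict; return 1 if a weak cipher is still offered.
audit_offer() {
    weak=$(weak_in_offer "$1")
    if [ -n "$weak" ]; then
        echo "FAIL: still offered: $weak"
        return 1
    fi
    echo "OK: no CBC or chacha20-poly1305 cipher in offer"
}

# Message as shown on this page (hardened server).
SAMPLE_MSG='Unable to negotiate with servername/address port 22: no matching cipher found. Their offer: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'
# Constructed sample: an effective cipher line that still contains weak entries.
SAMPLE_CFG='ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se'

audit_offer "$SAMPLE_MSG" || true
audit_offer "$SAMPLE_CFG" || true
```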