SSH - Run Remote Commands on iSeries

Matthew Roessner
Does anyone know if it is possible to submit a remote command on an iSeries server using SSH (sftp) using a different user than what is configured for SSH?

For example, if I wanted to make a change to a user profile, I would run this command:

CHGUSRPRF USRPRF(USERPROFILE) LMTCPB(*YES)

If I wanted to run that command as another user (called SUPERUSER) - I would run:

SBMJOB CMD(CHGUSRPRF USRPRF(USERPROFILE) LMTCPB(*YES)) JOB(SFTPCMD) USER(SUPERUSER)

Wondering if there is a way to submit the above command (using the SUPERUSER user profile) via SSH (with the caveat that the SUPERUSER user profile is not the user configured for SFTP). The following code "should" work - but when it does it tells me I don't have access to the CHGUSRPRF command (which the SFTPUSER doesn't - but the SUPERUSER does).

SBMJOB CMD(QSH CMD('ssh -T sftpuser@servername ''system "SBMJOB CMD(CHGUSRPRF USRPRF(USERPROFILE) LMTCPB(*YES)) JOB(SFTPCMD) USER(SUPERUSER)" ''')) JOB(SFTPJOB) USER(SFTPUSER)

Hopefully that makes sense

I was just hoping to get around having to configure SFTP for the SUPERUSER if I didn't have to...

Any help would be appreciated.
Gary Patterson, VP Technology / Senior Consultant

Commented:
Basic process:

1) Create a CL program containing the command(s) you want to execute with alternate authority.
2) Compile to run under *OWNER authority. CRTCLPGM USER(*OWNER) or use CHGCLPGM USER(*OWNER) with existing program.
3) Change program owner (CHGOBJOWN) to a user with adequate authority to run the commands.

Then CALL or SBMJOB the CL through SSH. Command should run under authority of program owner, not current user.
Gary Patterson, VP Technology / Senior Consultant

Commented:
Also, note that for the mechanism that you demonstrated above to work, USER must have *USE rights to SUPERUSER's profile.  Which means that they can indirectly run anything that SUPERUSER can run.

Using adopted authority is safer, since the user can only run specific programs, and not any random command.
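
The adopted-authority approach from the two comments above, as an added CL example (not code posted in this thread). MYLIB, QCLSRC and SETLMTCPB are hypothetical names; on CRTCLPGM the adopt setting is the USRPRF(*OWNER) parameter. The profile deny check and the library-qualified command go beyond what the thread describes and are there so the wrapper cannot be pointed at the owner profile or redirected through the caller's library list.

```cl
/* Added example. MYLIB, QCLSRC and SETLMTCPB are hypothetical names.    */
/* One-time setup, run by a security administrator:                      */
/*   CRTCLPGM PGM(MYLIB/SETLMTCPB) SRCFILE(MYLIB/QCLSRC) USRPRF(*OWNER)  */
/*   CHGOBJOWN OBJ(MYLIB/SETLMTCPB) OBJTYPE(*PGM) NEWOWN(SUPERUSER)      */
/*   RVKOBJAUT OBJ(MYLIB/SETLMTCPB) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*ALL) */
/*   GRTOBJAUT OBJ(MYLIB/SETLMTCPB) OBJTYPE(*PGM) USER(SFTPUSER) AUT(*USE) */
/* Call through SSH as the low-authority user:                           */
/*   ssh -T sftpuser@servername                                          */
/*       'system "CALL PGM(MYLIB/SETLMTCPB) PARM(USERPROFILE)"'          */

             PGM        PARM(&USRPRF)
             DCL        VAR(&USRPRF) TYPE(*CHAR) LEN(10)

             /* Refuse targets this wrapper must never touch: the owner  */
             /* profile itself and IBM-supplied Q* profiles.             */
             IF         COND((&USRPRF *EQ 'SUPERUSER') *OR +
                             (%SST(&USRPRF 1 1) *EQ 'Q')) THEN(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QSYS/QCPFMSG) +
                             MSGDTA('Profile not allowed:' *BCAT &USRPRF) +
                             MSGTYPE(*ESCAPE)
             ENDDO

             /* Library-qualify the command so the adopted authority     */
             /* cannot be redirected through the caller's library list.  */
             QSYS/CHGUSRPRF USRPRF(&USRPRF) LMTCPB(*YES)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QSYS/QCPFMSG) +
                             MSGDTA('CHGUSRPRF failed for' *BCAT &USRPRF) +
                             MSGTYPE(*ESCAPE)
             ENDDO
             ENDPGM
```

Only the one fixed operation is exposed to SFTPUSER, and the program object, not the SSH-configured profile, carries SUPERUSER's authority.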
Matthew Roessner, Senior Systems Programmer

Author

Commented:
Yeah Gary - that would definitely work.  I was hoping to create a more dynamic process where I didn't have to create a CL. I was hoping to be able to create a script that I could call and just be able to change the command out - without needing to create and compile a program...
Senior Systems Programmer
Commented:
I will likely have to do some sort of solution like Gary Patterson recommended...but ultimately isn't what I wanted to do. I was hoping to just run something like

SBMJOB CMD(QSH CMD('ssh -T sftpuser@servername ''system "SBMJOB CMD(CHGUSRPRF USRPRF(MYUSER) LMTCPB(*YES)) JOB(SFTPCMD) USER(SUPERUSER)" ''')) JOB(SFTPJOB) USER(SFTPUSER)

SFTPUSER is the user who has ssh keys assigned to it.
But SFTPUSER doesn't have access to the CHGUSRPRF command - so I was hoping to submit a job (as SUPERUSER) using an elevated authority...

Not ideal but wasn't sure how else to do it.
