SSH on AIX | Unix Linux Forums | AIX

SSH on AIX

Tags
aix, unix

#1  04-01-2006  TheEngineer (Registered User, Iraq)
SSH on AIX

Dear All

please help,
when I am connected via telnet to an AIX system and I try to connect to another one via SSH, the message that appears is "command is not available", even when I am logged in with root privilege. Does AIX not support the use of SSH, or what is the problem??

thanks in advance.
TheEngineer
#2  04-03-2006  ginoe (Registered User)
Hi,

AIX supports SSH.
First you have to check whether the OpenSSH software is installed on your AIX server:
# lslpp -l | grep ssh
openssh.base.client 3.8.0.5300 COMMITTED Open Secure Shell Commands
openssh.base.server 3.8.0.5300 COMMITTED Open Secure Shell Server
openssh.license 3.8.0.5300 COMMITTED Open Secure Shell License
openssh.man.en_US 3.8.0.5300 COMMITTED Open Secure Shell
openssh.base.client 3.8.0.5300 COMMITTED Open Secure Shell Commands
openssh.base.server 3.8.0.5300 COMMITTED Open Secure Shell Server

You should have a binary /usr/bin/ssh.
If these are not present on the server, then you have to install the ssh software.
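As an added example (not code from the thread or from IBM), here is a shell check for what ginoe describes: it parses lslpp -l output for the OpenSSH filesets and confirms that /usr/bin/ssh exists. The two SAMPLE_LSLPP_* strings are constructed inputs modelled on the listing above, so the parsing part runs on any POSIX shell; only check_openssh_host needs a real AIX host with lslpp.

```shell
#!/bin/sh
# Added example (not from the forum post): check whether OpenSSH is installed
# on an AIX host by parsing `lslpp -l` output and looking for /usr/bin/ssh.
# SAMPLE_LSLPP_OK and SAMPLE_LSLPP_CLIENT_ONLY are constructed inputs modelled
# on the listing in the post, so the parser can be exercised off an AIX box.

REQUIRED_FILESETS="openssh.base.client openssh.base.server openssh.license"

SAMPLE_LSLPP_OK='  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  openssh.base.client     3.8.0.5300  COMMITTED  Open Secure Shell Commands
  openssh.base.server     3.8.0.5300  COMMITTED  Open Secure Shell Server
  openssh.license         3.8.0.5300  COMMITTED  Open Secure Shell License
  openssh.man.en_US       3.8.0.5300  COMMITTED  Open Secure Shell

Path: /etc/objrepos
  openssh.base.client     3.8.0.5300  COMMITTED  Open Secure Shell Commands
  openssh.base.server     3.8.0.5300  COMMITTED  Open Secure Shell Server'

SAMPLE_LSLPP_CLIENT_ONLY='Path: /usr/lib/objrepos
  openssh.base.client     3.8.0.5300  COMMITTED  Open Secure Shell Commands
  openssh.man.en_US       3.8.0.5300  COMMITTED  Open Secure Shell'

# fileset_installed LSLPP_TEXT NAME
#   True when NAME appears in column 1 of an lslpp -l line whose state column
#   is COMMITTED or APPLIED (a BROKEN or OBSOLETE fileset does not count).
fileset_installed() {
    printf '%s\n' "$1" | awk -v fs="$2" '
        $1 == fs && ($3 == "COMMITTED" || $3 == "APPLIED") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# missing_filesets LSLPP_TEXT
#   Prints the required filesets that are absent (space separated) and
#   returns 0 only when nothing is missing.
missing_filesets() {
    _missing=""
    for _fs in $REQUIRED_FILESETS; do
        fileset_installed "$1" "$_fs" || _missing="$_missing $_fs"
    done
    _missing=${_missing# }
    printf '%s\n' "$_missing"
    [ -z "$_missing" ]
}

# check_openssh_host
#   Live check on an AIX box: lslpp output plus the client binary the post
#   says should exist. Returns 0 when the host is ready to run ssh.
check_openssh_host() {
    _rc=0
    if ! command -v lslpp >/dev/null 2>&1; then
        echo "lslpp not found; this is not an AIX system" >&2
        return 2
    fi
    _missing=$(missing_filesets "$(lslpp -l 2>/dev/null)") || {
        echo "missing filesets: $_missing" >&2
        _rc=1
    }
    if [ ! -x /usr/bin/ssh ]; then
        echo "/usr/bin/ssh is not present or not executable" >&2
        _rc=1
    fi
    return $_rc
}

# Exercise the parser on the constructed samples when run directly.
missing_filesets "$SAMPLE_LSLPP_OK" >/dev/null && echo "sample 1: all required OpenSSH filesets present"
missing_filesets "$SAMPLE_LSLPP_CLIENT_ONLY" >/dev/null || echo "sample 2: missing $(missing_filesets "$SAMPLE_LSLPP_CLIENT_ONLY")"
```

On a real system, call check_openssh_host; its exit status is what a provisioning or audit script would act on, and the second sample shows the output you get when only the client fileset has been installed (the situation in which ssh runs but sshd never starts).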
#3  04-04-2006  TheEngineer (Registered User, Iraq)
Many thanks for your help, but from where can I install ssh or OpenSSH, and under which versions are they available??

thanks,
#4  04-04-2006  scotbuff (Registered User, Middletown, PA)
SSH on AIX

These instructions look rather good. They appear to be the steps I followed, and they contain instructions for AIX 4.3.3 through AIX 5.3, since you did not specify your version.

http://wiki.ittoolbox.com/index.php/...OpenSSH_in_AIX
#5  06-22-2009  filosophizer (Registered User)
Great Document to configure SSH on AIX

SSH on AIX

Quote:
The OpenSSH software is shipped on the AIX 5.3 Expansion Pack. This version of OpenSSH is compiled and packaged as installp packages using the openssh-3.8.p1 level of source code. The installp packages include the man pages and the translated message filesets. The OpenSSH program contained in the Expansion Pack CD-ROM media is licensed under the terms and conditions of the IBM® International Program License Agreement (IPLA) for Non-Warranted Programs.
Before installing the OpenSSH installp format packages, you must install the Open Secure Sockets Layer (OpenSSL) software that contains the encrypted library. OpenSSL is available in RPM packages on the AIX Toolbox for Linux® Applications CD, or you can also download the packages from the following AIX Toolbox for Linux Applications Web site:

http://www-1.ibm.com/servers/aix/pro.../download.html

Because the OpenSSL package contains cryptographic content, you must register on the Web site to download the packages. You can download the packages by completing the following steps:

1. Click the AIX Toolbox Cryptographic Content link on the right side of the AIX Toolbox for Linux Applications Web site.
2. Click I have not registered before.
3. Fill in the required fields in the form.
4. Read the license and then click Accept License. The browser automatically redirects to the download page.
5. Scroll down the list of cryptographic content packages until you see openssl-0.9.6m-1.aix4.3.ppc.rpm under OpenSSL — SSL Cryptographic Libraries.
6. Click the Download Now! button for the openssl-0.9.6m-1.aix4.3.ppc.rpm.

After you download the OpenSSL package, you can install OpenSSL and OpenSSH.

1. Install the OpenSSL RPM package using the geninstall command:

# geninstall -d/dev/cd0 R:openssl-0.9.6m

Output similar to the following displays:

SUCCESSES
---------
openssl-0.9.6m-3

2. Install the OpenSSH installp packages using the geninstall command:

# geninstall -I"Y" -d/dev/cd0 I:openssh.base

Use the Y flag to accept the OpenSSH license agreement after you have reviewed the license agreement.
Output similar to the following displays:

Installation Summary
--------------------
Name Level Part Event Result
-------------------------------------------------------------------------------
openssh.base.client 3.8.0.5200 USR APPLY SUCCESS
openssh.base.server 3.8.0.5200 USR APPLY SUCCESS
openssh.base.client 3.8.0.5200 ROOT APPLY SUCCESS
openssh.base.server 3.8.0.5200 ROOT APPLY SUCCESS

You can also use the SMIT install_software fast path to install OpenSSL and OpenSSH.

The following OpenSSH binary files are installed as a result of the preceding procedure:

scp
File copy program similar to rcp
sftp
Program similar to FTP that works over SSH1 and SSH2 protocol
sftp-server
SFTP server subsystem (started automatically by sshd daemon)
ssh
Similar to the rlogin and rsh client programs
ssh-add
Tool that adds keys to ssh-agent
ssh-agent
An agent that can store private keys
ssh-keygen
Key generation tool
ssh-keyscan
Utility for gathering public host keys from a number of hosts
ssh-keysign
Utility for host-based authentication
ssh-rand-helper
A program used by OpenSSH to gather random numbers. It is used only on AIX 5.1 installations.
sshd
Daemon that permits you to log in

The following general information covers OpenSSH:

* The /etc/ssh directory contains the sshd daemon and the configuration files for the ssh client command.
* The /usr/openssh directory contains the readme file and the original OpenSSH open-source license text file. This directory also contains the ssh protocol and Kerberos license text.
* The sshd daemon is under AIX SRC control. You can start, stop, and view the status of the daemon by issuing the following commands:

startsrc -s sshd OR startsrc -g ssh (group)
stopsrc -s sshd OR stopsrc -g ssh
lssrc -s sshd OR lssrc -g ssh

You can also start and stop the daemon by issuing the following commands:

/etc/rc.d/rc2.d/Ksshd start

OR

/etc/rc.d/rc2.d/Ssshd start

/etc/rc.d/rc2.d/Ksshd stop

OR

/etc/rc.d/rc2.d/Ssshd stop

* When the OpenSSH server fileset is installed, an entry is added to the /etc/rc.d/rc2.d directory. An entry is in inittab to start run-level 2 processes (l2:2:wait:/etc/rc.d/rc 2), so the sshd daemon will start automatically at boot time. To prevent the daemon from starting at boot time, remove the /etc/rc.d/rc2.d/Ksshd and /etc/rc.d/rc2.d/Ssshd files.
* OpenSSH software logs information to SYSLOG.
* The IBM Redbook, Managing AIX Server Farms, provides information about configuring OpenSSH in AIX and is available at the following Web site:

IBM Redbooks

* OpenSSH supports long user names (256 bytes), the same as the AIX base operating system. For more information on long user names, see the mkuser command.
* Some keywords, such as AllowUsers, DenyUsers, AllowGroups, and DenyGroups are not available by default in the ssh_config file or the sshd_config file. You must add these keywords to the configuration files in order to use them.

* OpenSSH images
Use the following steps to install the OpenSSH images:
* Configuration of OpenSSH compilation
The following information discusses how the OpenSSH code is compiled for AIX.
* OpenSSH and Kerberos Version 5 support
Kerberos is an authentication mechanism that provides a secure means of authentication for network users. It prevents transmission of clear text passwords over the network by encrypting authentication messages between clients and servers. In addition, Kerberos provides a system for authorization in the form of administering tokens, or credentials.


Installing OpenSSH on AIX 4.3.3

At 4.3.3, OpenSSH is installed using RPM format packages, not the installp format that is available at 5.1, 5.2, and 5.3. In this procedure, you need to follow these three steps:

1. Installing the prerequisite filesets.
2. Downloading the rpm packages.
3. Installing the prerequisite rpm packages.

Examples

1. Installing the prerequisite filesets. The filesets rpm.rte and perl.rte are required to be installed prior to installing the rpm packages. The rpm.rte fileset can be found at the following:

Linux Toolbox CD or Linux Toolbox Website http://www.ibm.com/servers/aix/produ.../download.html

The filesets can be installed using smitty installp.

2. Downloading the rpm packages.

The rpm packages can be downloaded from the following website: http://www.ibm.com/servers/aix/produ.../download.html

Once on that page, the prngd (Pseudo Random Number Generator Daemon) daemon and the zlib compression and decompression library can be downloaded. These are the prerequisites for installing the openssl rpm package:

prngd-0.9.23-3.aix4.3.ppc.rpm
zlib-1.1.4-3.aix4.3.ppc.rpm

Next click AIX Toolbox Cryptographic Content on the sorted content download in the upper right area and then register yourself, if you are not already a registered user. Then click on the Accept License button at the bottom of the panel that appears, and then you are ready to download the openssl and openssh rpm packages:

openssl-0.9.6m-1.aix4.3.ppc.rpm
openssl-devel-0.9.6m-1.aix4.3.ppc.rpm
openssl-doc-0.9.6m-1.aix4.3.ppc.rpm
openssh-3.6.1p2-1.aix4.3.ppc.rpm
openssh-clients-3.6.1p2-1.aix4.3.ppc.rpm
openssh-server-3.6.1p2-1.aix4.3.ppc.rpm

3. Installing the prerequisite rpm packages. Once you have all the rpm files in the current directory, run the following commands to install them.

1. rpm -i zlib-1.1.4-3.aix4.3.ppc.rpm
2. rpm -i prngd-0.9.23-3.aix4.3.ppc.rpm
3. rpm -i openssl-0.9.6m-1.aix4.3.ppc.rpm
4. rpm -i openssl-devel-0.9.6m-1.aix4.3.ppc.rpm
5. rpm -i openssl-doc-0.9.6m-1.aix4.3.ppc.rpm
6. rpm -i openssh-3.6.1p2-1.aix4.3.ppc.rpm
7. rpm -i openssh-server-3.6.1p2-1.aix4.3.ppc.rpm
8. rpm -i openssh-clients-3.6.1p2-1.aix4.3.ppc.rpm

Sometimes you may get a "failed dependencies" error while trying to install the openssl packages. In that case, run the following command:

# rpm -i --nodeps openssl-0.9.6m-1.aix4.3.ppc.rpm

The following command can be run to update the AIX-rpm:

# /usr/sbin/updtvpkg

The prngd needs to be installed before openssl and openssh, and openssl is the prerequisite for installing the openssh rpm packages. The openssl-devel-0.9.6m-1.aix4.3.ppc.rpm and openssl-doc-0.9.6m-1.aix4.3.ppc.rpm packages are not required for installing OpenSSH. To verify that these packages are installed, run the following command:

# rpm -qa | egrep '(openssl|openssh|prng)'

--> prngd-0.9.23-3
    openssl-0.9.6m-1
    openssl-devel-0.9.6m-1
    openssl-doc-0.9.6m-1
    openssh-3.6.1p2-1
    openssh-server-3.6.1p2-1
    openssh-clients-3.6.1p2-1

These packages are installed under the /opt/freeware directory, and several symbolic links are created in /usr/bin or /usr/sbin, as shown in the following example:

# ls -l /usr/bin/ssh

lrwxrwxrwx 1 root system 26 Dec 29 16:13 /usr/bin/ssh -> ../../opt/freeware/bin/ssh

# ls -l /usr/sbin/sshd

lrwxrwxrwx 1 root system 28 Dec 29 16:12 /usr/sbin/sshd -> ../../opt/freeware/sbin/sshd

Installing openSSH on 5.1, 5.2, and 5.3:

At 5.1, 5.2, and 5.3, the installation of openssh itself is in installp format, but all the prerequisites (including openssl) can be installed using the same rpm -i commands (using the same 4.3.3 rpm packages). The installp format package can be downloaded from the following site: SourceForge.net: OpenSSH on AIX. After installing the prerequisites using the following commands,

1. rpm -i zlib-1.1.4-3.aix4.3.ppc.rpm
2. rpm -i prngd-0.9.23-3.aix4.3.ppc.rpm
3. rpm -i openssl-0.9.7d-1.aix5.1.ppc.rpm
4. rpm -i openssl-devel-0.9.7d-1.aix5.1.ppc.rpm

use smitty installp to install the openssh filesets extracted from the tar file openssh-3.8.1p1_51.tar (for 5.1), openssh-3.8.1p1_52.tar (for 5.2), or openssh-3.8.1p1_53.tar (for 5.3). The following steps need to be followed to install openssh:

1. In the directory where the images are, run the command inutoc.
2. Run smitty install.
3. Select "Install and Update Software".
4. While in smitty, do the following:
   a. Select "Install Software".
   b. Enter a dot (".") in the field for "INPUT device / directory for software" and press ENTER.
   c. Enter openssh in the "SOFTWARE to install" field.
   d. Scroll down to "Preview new LICENSE agreements?" and press the Tab key to change the field to yes. Read the license agreement.
   e. Scroll down to "ACCEPT new license agreements?" and press Tab to change the field to yes. Press ENTER to begin the software installation.
5. Run the following command to see the openssh filesets installed:

# lslpp -l | grep ssh

In this case, you notice that the ssh commands are in the /usr/bin directory. For example:

# ls -al /usr/bin/ssh

-r-xr-xr-x 1 root system 309127 Jun 12 2003 /usr/bin/ssh

# ls -al /usr/bin/scp

-r-xr-xr-x 1 root system 38582 Jun 12 2003 /usr/bin/scp

Initial configuration at 4.3, 5.1, 5.2, and 5.3:

The following entry in /etc/inittab invokes all the scripts starting with S under the /etc/rc.d/rc2.d directory upon system startup:

l2:2:wait:/etc/rc.d/rc 2

In the /etc/rc.d/rc2.d directory, the following example shows the required symbolic link to start sshd. At 4.3.3:

# ls -l /etc/rc.d/rc2.d | grep ssh

lrwxrwxrwx 1 root system 14 Dec 29 16:12 K55sshd -> ../init.d/sshd
lrwxrwxrwx 1 root system 14 Dec 29 16:12 S55sshd -> ../init.d/sshd

At 5.1, 5.2, and 5.3:

# ls -l /etc/rc.d/rc2.d | grep ssh

-r-xr-xr-x 1 root system 307 Dec 29 16:39 Ksshd
-r-xr-xr-x 1 root system 308 Dec 29 16:39 Ssshd

The prngd daemon is started from the following entry in /etc/inittab:

prng:2:wait:/usr/bin/startsrc -s prngd

In order to specify the SSH2 protocol to be used for OpenSSH, add the following line to the /etc/ssh/sshd_config file:

Protocol 2

To verify the SSH protocol version, you can use the telnet command:

# telnet localhost 22

Trying...
Connected to localhost.austin.ibm.com.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.6.1p2

--> The above shows that you are using SSH2. If you see the following:

# telnet localhost 22

Trying...
telnet: connect: A remote host refused an attempted connect operation.

then the sshd daemon is not running. To terminate, type Ctrl-c and q. To start the daemon, run:

# startsrc -s sshd

Whenever the /etc/ssh/sshd_config file is modified, sshd needs to be stopped and restarted as follows:

1. stopsrc -s sshd
2. startsrc -s sshd

The prngd daemon can also be stopped and started in the same way.

Once the installation and configuration are complete: the first time you are going to connect to a server, you should receive a host key fingerprint from the administrator of that server. On the first attempt to connect to that remote server using OpenSSH, you will see the fingerprint of the remote server. You should verify that it matches the one sent to you by the administrator. Only then should you type yes.



Here are the steps involved for configuring OpenSSH for AIX.

After installation, start the sshd daemon by running:

# startsrc -s sshd

Verify that sshd is active by running this command:

# lssrc -s sshd

Once sshd is active, test it by attempting to connect to it using an OpenSSH client. If you installed the OpenSSH client package, issue the ssh client command:

# ssh localhost

You should receive this message: "The authenticity of host 'localhost (127.0.0.1)' can't be established. RSA key fingerprint is 1c:bc:d4:a0:87:f8:0e:25:61:27:75:18:99:a2:5a:7d. Are you certain you want to continue connecting (yes/no)? Warning: Permanently added 'localhost' (RSA) to the list of known hosts. root@localhost's password:"

This message indicates that this is the first time you've connected to this server. Respond with yes. This adds the server's host key to your client's known_hosts file. (Note: You won't receive this question on future connections to the same server.)

If you're connecting from a Windows* client, several SSH clients can be downloaded. One of the more popular is PuTTY, a free Win32 Telnet/SSH client.

Once you verify OpenSSH is working, you may further safeguard your SSH connection by implementing symmetric RSA or DSA authentication keys. Authentication keys allow users to specify a passphrase for their SSH connection and prevent someone else from spoofing username@hostname.

It also gives users the capability to connect to their OpenSSH server without being prompted for a password, either by using an empty passphrase (at the time of key generation) or with the assistance of an SSH agent.

For details on OpenSSH, read the Redbook, "Managing AIX Server Farms." Chapter 4 focuses on secure network connections on AIX and is almost entirely devoted to OpenSSH.

For details on OpenSSH for AIX, contact the IBM Support Center at 1-800-237-5511, Option 3.




Old News

System Administration Toolkit Set up remote access in UNIX through OpenSSH
Enabling automatic login using public keys

When you log in to a remote system with ssh, sftp, or scp, you still need to use your password to complete the login process. Once you have exchanged a valid key with a remote site by creating a public or private key and providing the public portion of the key into the ~/.ssh/authorized_keys file, you can eliminate this requirement and allow automatic logins.

To create the public or private key, you need to use ssh-keygen, specifying the type of key encryption. The rsa key type is used in the demonstration, but other key types are also valid. See Listing 11 to create the key.

Listing 11. Creating the key


$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):

You should enter the location of the file where you want to save the key (both the public and private components). Using the default (within the .ssh directory in your home directory) is usually fine (see Listing 12).

Listing 12. Prompt to enter a passphrase


Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):


If you enter a passphrase at this stage, you create a secure keyfile, but you also have to enter the passphrase each time you use the key. Pressing Return means that no password is required (see Listing 13).

Listing 13. Bypassing the password requirement by pressing the Return key


Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
98:da:8d:48:a8:09:44:b1:b3:62:51:2d:a9:6b:61:ba root@remotehost


A public key (id_rsa.pub) and the corresponding private key (id_rsa) have been created.

To enable automatic login, you must copy the contents of the public key into the authorized_keys file within the ~/.ssh directory of the remote host. You can do this automatically using SSH (see Listing 14).

Listing 14. Enabling automatic login


$ cat ./.ssh/id_rsa.pub | ssh mc@remotehost 'cat >> .ssh/authorized_keys'


Better still, if this is something that you do regularly across a range of hosts, you can use a small script or shell function that performs all of the necessary steps for you, as shown here in Listing 15.

Listing 15. Using a shell script to enable automatic login


OLDDIR=`pwd`
if [ -z "$1" ]; then
    echo "Need user@host info"
    exit 1
fi
cd "$HOME"
if [ -e "./.ssh/id_rsa.pub" ]; then
    # A key pair already exists: install its public half on the remote host
    cat ./.ssh/id_rsa.pub | ssh "$1" 'cat >> .ssh/authorized_keys'
else
    # No key pair yet: generate one, then install the public half
    ssh-keygen -t rsa
    cat ./.ssh/id_rsa.pub | ssh "$1" 'cat >> .ssh/authorized_keys'
fi
cd "$OLDDIR"


Using the setremotekey script, you can copy an existing key or, if it doesn't already exist, create one before copying:

$ setremotekey mc@remotehost


Now, whenever you need to log in to a remote host with your public key, you can use the script to register your personal key in the list of accepted keys for the user on the remote host.



OpenSSH is now bundled with AIX

IBM Wikis - AIX 5L Wiki - How to setup SSH in AIX to communicate with HMC
1. Download and install SSL and openSSH on AIX client

* rpm -ivh ssl
* smitty install to install openssh (base, manpage, msg)
Note: After the SSL and OpenSSH have been installed a directory called /.ssh will be created.

2. Generate the priv/pub keys on AIX client

* cd ~/.ssh/
* Type ssh-keygen -t rsa
Note: This will create id_rsa and id_rsa.pub

3. From AIX client add public key to HMC

* scp hscroot@hmc_name:.ssh/authorized_keys2 temp_hmc
* cat id_rsa.pub >> temp_hmc
* scp temp_hmc hscroot@hmc_name:.ssh/authorized_keys2
* Test it, e.g. ssh hscroot@hmc_name date

Configuring OpenSSH on AIX
You should configure SSH to encrypt all communications between the server and client on your AIX operating system.
You must first install the OpenSSH file set on AIX and then configure it.
Installing OpenSSH on AIX
To install the openssh file set:
Note: Some text may appear on separate lines for presentation purposes only.

1. Install the OpenSSL package, which you can find at:

SourceForge.net: OpenSSH on AIX

2. Click OpenSSL at the top of the Web page. Registration is required. After registering, you are redirected to a Web page where you can download OpenSSL.
3. Install the following file sets from the AIX Base installation media:
* openssh.base
* openssh.license
* openssh.msg.en_US
* openssh.man.en_US
4. If the file sets were not found on the AIX Base installation media, they can be downloaded from the URL: developerWorks : IBM's resource for developers and IT professionals. In the left navigation frame, click Open Source Projects and then click OpenSSH for AIX Images. Select OpenSSH 3.6 or higher.
5. Start the sshd daemon by running the command: /usr/bin/startsrc -s sshd
Note: If the AIX machine on which OpenSSH is installed also has GSA installed, the SSH daemon will not start. This is a known problem. You will need to first check to see if the sshd user exists on the system. If not, it should be created with the following commands:

mkgroup sshd

mkuser -a pgrp=sshd login=false home=/var/empty gecos="OpenSSH privilege separation" account_locked=true sshd

6. As user tioadmin, configure SSH so that the server can communicate with relevant users on other systems and components of the data center.
Attention: Ensure that you are logged on to user ID tioadmin directly. Do not use su - to tioadmin, or the following steps will fail to run correctly.

OpenSSH is installed on AIX.
Configuring OpenSSH on AIX
To configure SSH:

1. Log on as tioadmin.
2. Run the following commands:

ssh-keygen -t rsa -N "" -f $HOME/.ssh/id_rsa
cat $HOME/.ssh/id_rsa.pub >> $HOME/.ssh/authorized_keys

3. You can test this by running: ssh -v tioadmin@localhost, where localhost is your host name. If SSH is properly configured, you will not be prompted for a password.
4. Copy the public key for user tioadmin to the servers that Tivoli® Provisioning Manager will be managing in your data center.
5. It is required to configure SSH to accept connections from new hosts without prompting for confirmation. Create a file in /home/thinkcontrol/.ssh called config. The file should contain the following line:

StrictHostKeyChecking no

6. Copy the id_rsa.pub file, which contains the public keys, into the authorized keys file of the administrative account of any server in the data center that the Tivoli Provisioning Manager server must communicate with or manage. Include any servers in the data center that Tivoli Provisioning Manager is managing.
1. Ensure that the managed server has an administrative account for which the SSH RSA keys (id_rsa, id_rsa.pub, and authorized_keys) have already been generated and should be contained into the .ssh directory of the respective administrative account home directory.
2. Append the content (a single line of text) of the id_rsa.pub file which contains the public key from the server that will initiate the SSH session to the authorized_keys file of the administrative account of any target server in the data center that the Tivoli Provisioning Manager server must communicate with or manage. Include any servers in the data center that Tivoli Provisioning Manager will be managing.
3. To verify, on the Tivoli Provisioning Manager server, type:

ssh <tioadmin/other_administrative_account_on_the_target_server>@<target_server_IP_or_hostname>

There should be no password prompt, followed by the prompt on the remote machine. After a successful logon, an entry for the communication partner will be created into a known_hosts file. As a troubleshooting step, sometimes this file may contain old or invalid entries associated with the managed server IP address or name. Deleting that entry should fix the connection problem.

SSH is now configured on AIX.




Recommended links

YouTube - passwordless ssh trust

* The OpenSSH web site
* Chapter 4 in the redbook Managing AIX Server Farms contains details about using OpenSSH with AIX.
* Download OpenSSH on AIX.
* AIX 5L Expansion Pack and Web Download Pack
* AIX Toolbox for Linux Applications
* Get up-to-date information about OpenSSH 3.4pl


---------- Post updated at 09:50 AM ---------- Previous update was at 09:50 AM ----------

Great Document to configure SSH on AIX

SSH on AIX

Quote:
The OpenSSH software is shipped on the AIX 5.3 Expansion Pack. This version of OpenSSH is compiled and packaged as installp packages using the openssh-3.8.p1 level of source code. The installp packages include the man pages and the translated message filesets. The OpenSSH program contained in the Expansion Pack CD-ROM media is licensed under the terms and conditions of the IBM® International Program License Agreement (IPLA) for Non-Warranted Programs.
Before installing the OpenSSH installp format packages, you must install the Open Secure Sockets Layer (OpenSSL) software that contains the encrypted library. OpenSSL is available in RPM packages on the AIX Toolbox for Linux® Applications CD, or you can also download the packages from the following AIX Toolbox for Linux Applications Web site:

http://www-1.ibm.com/servers/aix/pro.../download.html

Because the OpenSSL package contains cryptographic content, you must register on the Web site to download the packages. You can download the packages by completing the following steps:

1. Click the AIX Toolbox Cryptographic Content link on the right side of the AIX Toolbox for Linux Applications Web site.
2. Click I have not registered before.
3. Fill in the required fields in the form.
4. Read the license and then click Accept License. The browser automatically redirects to the download page.
5. Scroll down the list of cryptographic content packages until you see openssl-0.9.6m-1.aix4.3.ppc.rpm under OpenSSL — SSL Cryptographic Libraries.
6. Click the Download Now! button for the openssl-0.9.6m-1.aix4.3.ppc.rpm.

After you download the OpenSSL package, you can install OpenSSL and OpenSSH.

1. Install the OpenSSL RPM package using the geninstall command:

# geninstall -d/dev/cd0 Rpenssl-0.9.6m

Output similar to the following displays:

SUCCESSES
---------
openssl-0.9.6m-3

2. Install the OpenSSH installp packages using the geninstall command:

# geninstall -I"Y" -d/dev/cd0 Ipenssh.base

Use the Y flag to accept the OpenSSH license agreement after you have reviewed the license agreement.
Output similar to the following displays:

Installation Summary
--------------------
Name Level Part Event Result
-------------------------------------------------------------------------------
openssh.base.client 3.8.0.5200 USR APPLY SUCCESS
openssh.base.server 3.8.0.5200 USR APPLY SUCCESS
openssh.base.client 3.8.0.5200 ROOT APPLY SUCCESS
openssh.base.server 3.8.0.5200 ROOT APPLY SUCCESS

You can also use the SMIT install_software fast path to install OpenSSL and OpenSSH.

The following OpenSSH binary files are installed as a result of the preceding procedure:

scp
File copy program similar to rcp
sftp
Program similar to FTP that works over SSH1 and SSH2 protocol
sftp-server
SFTP server subsystem (started automatically by sshd daemon)
ssh
Similar to the rlogin and rsh client programs
ssh-add
Tool that adds keys to ssh-agent
ssh-agent
An agent that can store private keys
ssh-keygen
Key generation tool
ssh-keyscan
Utility for gathering public host keys from a number of hosts
ssh-keysign
Utility for host-based authentication
ssh-rand-helper
A program used by OpenSSH to gather random numbers. It is used only on AIX 5.1 installations.
sshd
Daemon that permits you to log in

The following general information covers OpenSSH:

* The /etc/ssh directory contains the sshd daemon and the configuration files for the ssh client command.
* The /usr/openssh directory contains the readme file and the original OpenSSH open-source license text file. This directory also contains the ssh protocol and Kerberos license text.
* The sshd daemon is under AIX SRC control. You can start, stop, and view the status of the daemon by issuing the following commands:

startsrc -s sshd OR startsrc -g ssh (group)
stopsrc -s sshd OR stopsrc -g ssh
lssrc -s sshd OR lssrc -s ssh

You can also start and stop the daemon by issuing the following commands:

/etc/rc.d/rc2.d/Ksshd start

OR

/etc/rc.d/rc2.d/Ssshd start

/etc/rc.d/rc2.d/Ksshd stop

OR

/etc/rc.d/rc2.d/Ssshd stop

* When the OpenSSH server fileset is installed, an entry is added to the /etc/rc.d/rc2.d directory. An entry is in inittab to start run-level 2 processes (l2:2:wait:/etc/rc.d/rc 2), so the sshd daemon will start automatically at boot time. To prevent the daemon from starting at boot time, remove the /etc/rc.d/rc2.d/Ksshd and /etc/rc.d/rc2.d/Ssshd files.
* OpenSSH software logs information to SYSLOG.
* The IBM Redbook, Managing AIX Server Farms, provides information about configuring OpenSSH in AIX and is available at the following Web site:

IBM Redbooks

* OpenSSH supports long user names (256 bytes), the same as the AIX base operating system. For more information on long user names, see the mkuser command.
* Some keywords, such as AllowUsers, DenyUsers, AllowGroups, and DenyGroups are not available by default in the ssh_config file or the sshd_config file. You must add these keywords to the configuration files in order to use them.

* OpenSSH images
Use the following steps to install the OpenSSH images:
* Configuration of OpenSSH compilation
The following information discusses how the OpenSSH code is compiled for AIX.
* OpenSSH and Kerberos Version 5 support
Kerberos is an authentication mechanism that provides a secure means of authentication for network users. It prevents transmission of clear text passwords over the network by encrypting authentication messages between clients and servers. In addition, Kerberos provides a system for authorization in the form of administering tokens, or credentials.


Installing OpenSSH on AIX 4.3.3 At 4.3.3, the openSSH is installed using the RPM format packages, not by using installp format which is available at 5.1, 5.2, and 5.3. In this procedure, you need to follow these three steps:

1.Installing the prerequisite filesets.

2.Downloading the rpm packages.

3.Installing the prerequisite rpm packages.
ExamplesEdit section

1.Installing the prerequiste filesets. The filesets rpm.rte and perl.rte are required to be installed prior to installing the rpm packages. The rpm.rte fileset can be found at the following:

Linux Toolbox CD or Linux Toolbox Website http://www.ibm.com/servers/aix/produ.../download.html

The filesets can be installed using smitty installp.

2.Downloading the rpm packages.

The rpm packages can be downloaded from the following website: http://www.ibm.com/servers/aix/produ.../download.html

Once on that page, the prngd (Pseudo Random Number Generator Daemon) daemon and the zlib compression and decompression library can be downloaded. These are the prerequisites for installing the openssl rpm package:

prngd-0.9.23-3.aix4.3.ppc.rpm
zlib-1.1.4-3.aix4.3.ppc.rpm

Next click AIX Toolbox Cryptographic Content on the sorted content download in the upper right area and then register yourself, if you are not already a registered user. Then click on the Accept License button at the bottom of the panel that appears and you are ready to download the openssl and openssh rpm packages:

openssl-0.9.6m-1.aix4.3.ppc.rpm
openssl-devel-0.9.6m-1.aix4.3.ppc.rpm
openssl-doc-0.9.6m-1.aix4.3.ppc.rpm
openssh-3.6.1p2-1.aix4.3.ppc.rpm
openssh-clients-3.6.1p2-1.aix4.3.ppc.rpm
openssh-server-3.6.1p2-1.aix4.3.ppc.rpm

3. Installing the prerequisite rpm packages. Once you have all the rpm files in the current directory, run the following commands to install them.

# rpm -i zlib-1.1.4-3.aix4.3.ppc.rpm
# rpm -i prngd-0.9.23-3.aix4.3.ppc.rpm
# rpm -i openssl-0.9.6m-1.aix4.3.ppc.rpm
# rpm -i openssl-devel-0.9.6m-1.aix4.3.ppc.rpm
# rpm -i openssl-doc-0.9.6m-1.aix4.3.ppc.rpm
# rpm -i openssh-3.6.1p2-1.aix4.3.ppc.rpm
# rpm -i openssh-server-3.6.1p2-1.aix4.3.ppc.rpm
# rpm -i openssh-clients-3.6.1p2-1.aix4.3.ppc.rpm

Sometimes you may get the error: failed dependencies error while trying to install the openssl packages. In that case, run the following command:

# rpm -i --nodeps openssl-0.9.6m-1.aix4.3.ppc.rpm

The following command can be run to update the AIX-rpm:

# /usr/sbin/updtvpkg

The prngd needs to be installed before openssl and openssh, and openssl is the prerequisite for installing the openssh rpm packages. The openssl-devel-0.9.6m-1.aix4.3.ppc.rpm and openssl-doc-0.9.6m-1.aix4.3.ppc.rpm packages are not required for installing openSSH. To verify that these packages are installed, run the following command:

# rpm -qa | egrep '(openssl|openssh|prng)'

prngd-0.9.23-3
openssl-0.9.6m-1
openssl-devel-0.9.6m-1
openssl-doc-0.9.6m-1
openssh-3.6.1p2-1
openssh-server-3.6.1p2-1
openssh-clients-3.6.1p2-1

These packages are installed under the /opt/freeware directory, and several symbolic links are created in /usr/bin or /usr/sbin, as shown in the following example:

# ls -l /usr/bin/ssh

lrwxrwxrwx 1 root system 26 Dec 29 16:13 /usr/bin/ssh -> /opt/freeware/bin/ssh

# ls -l /usr/sbin/sshd

lrwxrwxrwx 1 root system 28 Dec 29 16:12 /usr/sbin/sshd -> /opt/freeware/sbin/sshd

Installing openSSH on 5.1, 5.2, and 5.3

At 5.1, 5.2, and 5.3, the installation of openssh itself is in installp format, but all the prerequisites (including openssl) can be installed using the same rpm -i commands (using the same 4.3.3 rpm packages). The installp format package can be downloaded from the following site: SourceForge.net: OpenSSH on AIX. After installing the prerequisites using the following commands,

# rpm -i zlib-1.1.4-3.aix4.3.ppc.rpm
# rpm -i prngd-0.9.23-3.aix4.3.ppc.rpm
# rpm -i openssl-0.9.7d-1.aix5.1.ppc.rpm
# rpm -i openssl-devel-0.9.7d-1.aix5.1.ppc.rpm

use smitty installp to install the openssh filesets extracted from the tar file openssh-3.8.1p1_51.tar (for 5.1), openssh-3.8.1p1_52.tar (for 5.2), and openssh-3.8.1p1_53.tar (for 5.3). The following steps need to be followed to install openssh.

1. In the directory where the images are, run the command inutoc.
2. Run smitty install.
3. Select "Install and Update Software".
4. While in smitty do the following:
   a. Select "Install Software".
   b. Enter a dot (".") in the field for "INPUT device / directory for software" and press ENTER.
   c. Enter openssh in the "SOFTWARE to install" field.
   d. Scroll down to "Preview new LICENSE agreements?" and press the tab key to change the field to yes. Read the license agreement.
   e. Scroll down to "ACCEPT new license agreements?" and press tab to change the field to yes. Press ENTER to begin the software installation.
5. Run the following command to see the openssh filesets installed:

# lslpp -l | grep ssh

In this case, you notice that the ssh commands are in the /usr/bin directory. For example:

# ls -al /usr/bin/ssh

-r-xr-xr-x 1 root system 309127 Jun 12 2003 /usr/bin/ssh

# ls -al /usr/bin/scp

-r-xr-xr-x 1 root system 38582 Jun 12 2003 /usr/bin/scp

Initial configuration at 4.3, 5.1, 5.2, and 5.3

The following entry in /etc/inittab invokes all the scripts starting with S under the /etc/rc.d/rc2.d directory upon system startup:

l2:2:wait:/etc/rc.d/rc 2

In the /etc/rc.d/rc2.d directory, the following example shows the required symbolic link to start sshd. At 4.3.3:

# ls -l /etc/rc.d/rc2.d | grep ssh

lrwxrwxrwx 1 root system 14 Dec 29 16:12 K55sshd -> ../init.d/sshd
lrwxrwxrwx 1 root system 14 Dec 29 16:12 S55sshd -> ../init.d/sshd

At 5.1, 5.2, and 5.3:

# ls -l /etc/rc.d/rc2.d | grep ssh

-r-xr-xr-x 1 root system 307 Dec 29 16:39 Ksshd
-r-xr-xr-x 1 root system 308 Dec 29 16:39 Ssshd

The prngd daemon is started from the following entry in /etc/inittab:

prng:2:wait:/usr/bin/startsrc -s prngd

In order to specify the SSH2 protocol to be used for OpenSSH, add the following line to the /etc/ssh/sshd_config file:

Protocol 2

To verify the SSH protocol version, you can use the telnet command:

# telnet localhost 22

Trying...
Connected to localhost.austin.ibm.com.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.6.1p2

--> the above shows that you are using ssh2

If you see the following:

# telnet localhost 22

Trying...
telnet: connect: A remote host refused an attempted connect operation.

then the sshd daemon is not running. To terminate, type Ctrl-c and q. To start the daemon, run:

# startsrc -s sshd

Whenever the /etc/ssh/sshd_config file is modified, sshd needs to be stopped and restarted as follows:

# stopsrc -s sshd
# startsrc -s sshd

The prngd daemon can also be stopped and started in the same way.

Once the installation and configuration is complete:

The first time you are going to connect to a server, you should receive a host key fingerprint from the administrator of that server. On the first attempt to connect to that remote server using OpenSSH, you will see the fingerprint of the remote server. You should verify that it matches the one sent to you by the administrator. Only then can you type yes.



Here are the steps involved for configuring OpenSSH for AIX.

After installation, start the sshd daemon by running:

# startsrc -s sshd

Verify that sshd is active by running this command:

# lssrc -s sshd

Once sshd is active, test it by attempting to connect to it using an OpenSSH client. If you installed the OpenSSH client package, issue the ssh client command:

# ssh localhost

You should receive this message: "The authenticity of host localhost (127.0.0.1) can't be established. RSA key fingerprint is 1c:bc:d4:a0:87:f8:0e:25:61:27:75:18:99:a2:5a:7d. Are you certain you want to continue connecting (yes/no)? (Warning: Permanently added localhost(RSA) to the list of known hosts. root@localhosts password."

This message indicates that this is the first time you've connected to this server. Respond with yes. This adds the server's host key to your client's known_hosts file. (Note: You won't receive this question on future connections to the same server.)

If you're connecting from a Windows* client, several SSH clients can be downloaded. One of the more popular is PuTTY, a free Win32 Telnet/SSH client.

Once you verify OpenSSH is working, you may further safeguard your SSH connection by implementing symmetric RSA or DSA authentication keys. Authentication keys allow users to specify a passphrase for their SSH connection and prevent someone else from spoofing username@hostname.

It also gives users the capability to connect to their OpenSSH server without being prompted for a password, either by using an empty passphrase (at the time of key generation) or with the assistance of an SSH agent.

For details on OpenSSH, read the Redbook, "Managing AIX Server Farms." Chapter 4 focuses on secure network connections on AIX and is almost entirely devoted to OpenSSH.

For details on OpenSSH for AIX, contact the IBM Support Center at 1-800-237-5511, Option 3.




Old News

System Administration Toolkit Set up remote access in UNIX through OpenSSH
Enabling automatic login using public keys

When you log in to a remote system with ssh, sftp, or scp, you still need to use your password to complete the login process. Once you have exchanged a valid key with a remote site by creating a public or private key and providing the public portion of the key into the ~/.ssh/authorized_keys file, you can eliminate this requirement and allow automatic logins.

To create the public or private key, you need to use ssh-keygen, specifying the type of key encryption. The rsa key type is used in the demonstration, but other key types are also valid. See Listing 11 to create the key.

Listing 11. Creating the key

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):

You should enter the location of the file where you want to save the key (both the public and private components). Using the default (within the .ssh directory in your home directory) is usually fine (see Listing 12).

Listing 12. Prompt to enter a passphrase

Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):

If you enter a passphrase at this stage, you create a secure keyfile, but you also have to enter the passphrase each time you use the key. Pressing Return means that no password is required (see Listing 13).

Listing 13. Bypassing the password requirement by pressing the Return key

Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
98:da:8d:48:a8:09:44:b1:b3:62:51:2d:a9:6b:61:ba root@remotehost

A public key (id_rsa.pub) and the corresponding private key (id_rsa) have been created.

To enable automatic login, you must copy the contents of the public key into the authorized_keys file within the ~/.ssh directory of the remote host. You can do this automatically using SSH (see Listing 14).

Listing 14. Enabling automatic login

$ cat ./.ssh/id_rsa.pub | ssh mc@remotehost 'cat >> .ssh/authorized_keys';

Better still, if this is something that you do regularly across a range of hosts, you can use a small script or shell function that performs all of the necessary steps for you, as shown here in Listing 15.

Listing 15. Using a shell script to enable automatic login

#!/bin/sh
# setremotekey: append the local RSA public key to the authorized_keys file
# of the user@host given as the first argument, generating a key pair first
# if none exists yet.
OLDDIR=`pwd`
if [ -z "$1" ]; then
    echo "Need user@host info"
    exit 1
fi
cd "$HOME"
if [ -e "./.ssh/id_rsa.pub" ]; then
    cat ./.ssh/id_rsa.pub | ssh "$1" 'cat >> .ssh/authorized_keys'
else
    ssh-keygen -t rsa
    cat ./.ssh/id_rsa.pub | ssh "$1" 'cat >> .ssh/authorized_keys'
fi
cd "$OLDDIR"

Using the setremotekey script, you can copy an existing key or, if it doesn't already exist, create one before copying:

$ setremotekey mc@remotehost

Now, whenever you need to log in to a remote host with your public key, you can use the script to register your personal key in the list of accepted keys for the user on the remote host.



OpenSSH is now bundled with AIX

IBM Wikis - AIX 5L Wiki - How to setup SSH in AIX to communicate with HMC
1. Download and install SSL and openSSH on AIX client

* rpm -ivh ssl
* smitty install to install openssh (base, manpage, msg)
Note: After the SSL and OpenSSH have been installed a directory called /.ssh will be created.

2. Generate the priv/pub keys on AIX client

* cd ~/.ssh/
* Type ssh-keygen -t rsa
Note: This will create id_rsa and id_rsa.pub

3. From AIX client add public key to HMC

* scp hscroot@hmc_name:.ssh/authorized_keys2 temp_hmc
* cat id_rsa.pub >> temp_hmc
* scp temp_hmc hscroot@hmc_name:.ssh/authorized_keys2
* Test it. Ex ssh hscroot@hmc_name date

Configuring OpenSSH on AIX
You should configure SSH to encrypt all communications between the server and client on your AIX operating system.
You must first install the OpenSSH file set on AIX and then configure it.
Installing OpenSSH on AIX
To install the openssh file set:
Note: Some text may appear on separate lines for presentation purposes only.

1. Install the OpenSSL package, which you can find at:

SourceForge.net: OpenSSH on AIX

2. Click OpenSSL at the top of the Web page. Registration is required. After registering, you are redirected to a Web page where you can download OpenSSL.
3. Install the following file sets from the AIX Base installation media:
* openssh.base
* openssh.license
* openssh.msg.en_US
* openssh.man.en_US
4. If the file sets were not found on the AIX Base installation media, they can be downloaded from the URL: developerWorks : IBM's resource for developers and IT professionals. In the left navigation frame, click Open Source Projects and then click OpenSSH for AIX Images. Select OpenSSH 3.6 or higher.
5. Start the sshd daemon by running the command: /usr/bin/startsrc -s sshd
Note: If the AIX machine on which OpenSSH is installed also has GSA installed, the SSH daemon will not start. This is a known problem. You will need to first check to see if the sshd user exists on the system. If not, it should be created with the following commands:

mkgroup sshd

mkuser -a pgrp=sshd login=false home=/var/empty gecos="OpenSSH privilege separation" account_locked=true sshd

6. As user tioadmin, configure SSH so that the server can communicate with relevant users on other systems and components of the data center.
Attention: Ensure that you are logged on to user ID tioadmin directly. Do not use su - to tioadmin or the following steps will fail to run correctly.

OpenSSH is installed on AIX.
Configuring OpenSSH on AIX
To configure SSH:

1. Log on as tioadmin.
2. Run the following commands:

ssh-keygen -t rsa -N "" -f $HOME/.ssh/id_rsa
cat $HOME/.ssh/id_rsa.pub >> $HOME/.ssh/authorized_keys

3. You can test this by running: ssh -v tioadmin@localhost, where localhost is your host name. If SSH is properly configured, you will not be prompted for a password.
4. Copy the public key for user tioadmin to the servers that Tivoli® Provisioning Manager will be managing in your data center.
5. It is required to configure SSH to accept connections from new hosts without prompting for confirmation. Create a file in /home/thinkcontrol/.ssh called config. The file should contain the following line:

StrictHostKeyChecking no

6. Copy the id_rsa.pub file, which contains the public keys, into the authorized keys file of the administrative account of any server in the data center that the Tivoli Provisioning Manager server must communicate with or manage. Include any servers in the data center that Tivoli Provisioning Manager is managing.
1. Ensure that the managed server has an administrative account for which the SSH RSA keys (id_rsa, id_rsa.pub, and authorized_keys) have already been generated and are contained in the .ssh directory of that administrative account's home directory.
2. Append the content (a single line of text) of the id_rsa.pub file which contains the public key from the server that will initiate the SSH session to the authorized_keys file of the administrative account of any target server in the data center that the Tivoli Provisioning Manager server must communicate with or manage. Include any servers in the data center that Tivoli Provisioning Manager will be managing.
3. To verify, on the Tivoli Provisioning Manager server, type:

ssh <tioadmin/other_administrative_account_on_the_target_server>@<target_server_IP_or_hostname>

There should be no password prompt, followed by the prompt on the remote machine. After a successful logon, an entry for the communication partner will be created in the known_hosts file. As a troubleshooting step, note that this file may sometimes contain old or invalid entries associated with the managed server IP address or name. Deleting that entry should fix the connection problem.

SSH is now configured on AIX.




Recommended links

YouTube - passwordless ssh trust

* The OpenSSH web site


* Chapter 4 in the redbook Managing AIX Server Farms contains details about using OpenSSH with AIX.


* Download OpenSSH on AIX.


* AIX 5L Expansion Pack and Web Download Pack


* AIX Toolbox for Linux Applications


* Get up-to-date information about OpenSSH 3.4pl


---------- Post updated at 09:52 AM ---------- Previous update was at 09:50 AM ----------

Get the latest version of OpenSSH for AIX
Quote:
Get the latest version of OpenSSH for AIX

Get OpenSSH v3.4p1 -- download it or get it in the latest AIX 5L Expansion Pack and Web Download Pack
developerWorks


Level: Introductory

Denise Genty (genty@us.ibm.com), AIX Network Security Developer Team Lead, IBM

30 Jan 2003
Updated 10 Feb 2006

OpenSSH is a free software tool that supports SSH1 and SSH2 protocols. It's reliable and secure and is widely accepted in the IT industry to replace the r-commands, telnet, and ftp services, providing secure encrypted sessions between two hosts over the network. Get information in this article about OpenSSH version 3.4p1.



What is Open Secure Shell?

Open Secure Shell (OpenSSH) is an open source version of the SSH protocol suite of network connectivity tools. The tools provide shell functions that are authenticated and encrypted. A shell is a command language interpreter that reads input from a command line string, stdin or a file. Why use OpenSSH? When you're running over unsecure public networks like the Internet, you can use the SSH command suite instead of the unsecure commands telnet, ftp, and r-commands.

OpenSSH delivers code that communicates using SSH1 and SSH2 protocols. What's the difference? The SSH2 protocol is a rewrite of SSH1. SSH2 contains separate, layered protocols, but SSH1 is one large set of code. SSH2 supports both RSA & DSA keys, but SSH1 supports only RSA, and SSH2 uses a strong crypto integrity check, where SSH1 uses a CRC-32 check. The Internet Engineering Task Force (IETF) maintains the secure shell standards.




What's new?

OpenSSH has been updated to the 3.4p1 version of the open source code from openssh.org. You can get this version of the binaries from the AIX 5L Expansion Pack and Web Download Pack. Or, you can download it from OpenSSH on AIX. If you need to know more about the previous release, OpenSSH version 2.9.9, see OpenSSH is now bundled with AIX.

The primary new feature is user privilege separation, a security enhancement that prevents super user escalation risks by reducing the amount of code that runs with special privileges. User privilege separation is enabled by default in the OpenSSH server configuration file /etc/ssh/sshd_config:

#UsePrivilegeSeparation yes


The way it works is that a separate server process is created for each connection and when a request comes from a client, the ssh monitor process forks an unprivileged child process that handles all of the requests from the client. If the client's request requires super user privileges, the request is sent to the privileged monitor process. When you view the SSH processes started, you will see the sshd daemon for the monitor process and an unprivileged process owned by the client. For further detailed information about privilege separation, see the August 2002 article by Niels Provos, Preventing Privilege Escalation.

Since AIX 5.2 is a new release of the AIX operating system, a separate compilation of the OpenSSH source code was completed on this level of the operating system. The VRMF of the 5.2 level of code is 3.4.0.5200, to distinguish the install images from the 5.1 version. The new VRMF will also help if migrating from AIX 5.1 to AIX 5.2. OpenSSH is compiled using the C for AIX (cc) version 5.0 compiler. The VRMF of the installation images will closely match the open source code level, except for the "F" (Fix level). The fix level will be increased each time a release is made that contains fixes between major open source releases. For example, if we change the 3.4p1 level of code to contain a patch from the 3.5 level of the open source code, the "F" will be incremented (for example, 3.4.0.5201).

The OpenSSH source code has been enhanced with National Language Support (NLS) enablement since the initial 2.9.9 release in April 2002. In the October 2002 release, the message catalog file openssh.cat has been translated into 35 languages. The message catalog files are packaged in installp format with a name like openssh.msg.<LANGUAGE_ABBREVIATION> where LANGUAGE_ABBREVIATION is the 4-character locale code for the country (for example, DE_DE is UTF German). The message catalog filesets are available from the AIX 5L Expansion Pack and Web Download Pack and come bundled in the .tar.Z file. When installing OpenSSH filesets on different locales, the installation software installp determines the correct version of the message catalog fileset to install and the translated message catalog file gets copied into /usr/lib/nls/msg/<LANGUAGE_ABBREVIATION>.




Additional fixes in this release

In the latest OpenSSH version 3.4p1 binaries, we included several patches specific for AIX from the openssh.org site. The patches are for the following fixes:

* password expiration enforced
* updated files /etc/security/login and failedlogin
* updated the unsuccessful login count
* LOGIN environment variable set
* streaming large amounts of data no longer hangs the session





AIX 5.2 enhancements

Since AIX 5.2 fully supports Pluggable Authentication Modules (PAM), OpenSSH 3.4.0.5200 has been compiled with PAM support. PAM is a framework where a system administrator can add or stack multiple different authentication modules by writing customized modules and configuring the system to use them. On AIX 5.2, the PAM framework consists of a library, pluggable modules and a configuration file. Because OpenSSH is compiled with PAM, the configuration file /etc/pam.conf will be created on the server at openssh.base.server package installation time. (In the future, /etc/pam.conf will be created at openssh.base.server installation time).

The default PAM module can be pam_aix, where pam_aix is provided by the base AIX operating system (automatically installed on AIX 5.2 in /usr/lib/security). The pam_aix module allows access to the AIX security services by providing access to AIX builtin functions such as the AIX pam_aix authentication() call. The /etc/pam.conf for OpenSSH will look like this:

sshd auth required /usr/lib/security/pam_aix
OTHER auth required /usr/lib/security/pam_aix
sshd account required /usr/lib/security/pam_aix
OTHER account required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix
OTHER password required /usr/lib/security/pam_aix
sshd session required /usr/lib/security/pam_aix
OTHER session required /usr/lib/security/pam_aix


The permissions on /etc/pam.conf will be 644.

Cryptographic applications depend on random numbers. If the random numbers are not highly random and are not protected during generation, the security of the encryption may be weakened.

OpenSSH on AIX 5.1 is compiled using the entropy gathering mechanism (random numbers) provided with the OpenSSH source code (ssh-rand-helper), as opposed to AIX 4.3.3 (AIX Linux Toolbox) which uses the PRNGD open source daemon (prngd-0.9.23-3.aix4.3.ppc.rpm package).

The AIX 5.2 base security provides new pseudo random number generator devices, /dev/random and /dev/urandom, a pseudo-device driver and configuration routines that select various hardware device interrupts to provide entropy. OpenSSH in AIX 5.2 is compiled to take advantage of the new device /dev/urandom. You will also need the latest OpenSSL version, openssl-0.9.6e-2.aix4.3.ppc.rpm (AIX Linux Toolbox), for OpenSSH to use the /dev/urandom device.




Where to get documentation

* The OpenSSH fileset includes man pages with openssh.man.en_US.
* On the web, openBSD provides very good man pages.
* For installation instructions on the different levels of AIX (AIX 4.3.3, AIX 5.1 and AIX 5.2), see the IBM redbook Managing AIX Server Farms. Chapter 4.2 provides details about software prerequisites and about how to manage the OpenSSH server and use the client commands.
* The AIX 5.2 Security Guide has information about AIX and PAM.





Packaging

Four installation packages contain the installp format of the code:

openssh.base: Contains the binary executable files for the client and server pieces of secure shell. There are two separate filesets, openssh.base.client and openssh.base.server. You may install the client portion only, but if you install the server portion, the client pieces automatically get installed.

openssh.license: The IPLA non-warranted with Limited Program Services license text. This is the fileset that ensures that you read and accept the software license before installation.

openssh.man.en_US: Man pages as shipped with the openssh.org source code. The man pages install into the /usr/share/man directory and can be viewed using the man command. There are man pages for each command and for the ssh_config and sshd_config configuration files.

openssh.msg.<LANGUAGE_ABBREVIATION>: Translated message catalog file. The only .msg fileset that gets installed relates to the locale you have installed on the operating system.

The installation packaging contains the scripts necessary to install the executables into the correct directories.

The following files are in the openssh.base.client fileset and are installed in /usr/bin:

ssh
scp
sftp
ssh-add
ssh-keygen
ssh-keyscan
ssh-agent
ssh-keysign
ssh-rand-helper


The following files are in the openssh.base.server fileset and are installed in /usr/sbin:

sshd
sftp-server


The following configuration files are installed in /etc/ssh:

ssh_config
sshd_config


The packaging creates the sshd user, group, and /var/empty directory needed for server execution on 3.4p1 level of code. The packaging also enables the SRC control of the daemon, generates host keys and checks for the prerequisite of OpenSSL before installing.


Resources

* Download the openssh-aix package from OpenSSH on AIX.

* Get information about the AIX 5L Expansion Pack and Web Download Pack.

* See the openBSD man pages.

* See Preventing Privilege Escalation, article by Niels Provos, August 2002.
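The post above tells you to add "Protocol 2" to sshd_config and shows the commented line "#UsePrivilegeSeparation yes" as evidence that privilege separation is on by default. The example below, added here and not IBM's or OpenSSH's code, makes the reading rules explicit: a "#" line sets nothing, and for a repeated keyword the first uncommented occurrence wins. The DEFAULTS table is an assumption about the compiled-in defaults of the OpenSSH 3.x-era server the thread covers (check sshd_config(5) of the installed version); the SAMPLE_CONFIG text is constructed, and Match blocks are assumed absent.

```python
"""Determine the values sshd will actually use from an sshd_config file."""

# Assumed compiled-in defaults (OpenSSH 3.x era). None means "not set".
DEFAULTS = {
    "protocol": "2,1",
    "useprivilegeseparation": "yes",
    "allowusers": None,
    "denyusers": None,
    "allowgroups": None,
    "denygroups": None,
}


def parse_sshd_config(text):
    """Return {keyword (lower-case): value} holding the first active setting of each keyword."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment: sets nothing
        # keyword and argument are separated by whitespace or an '=' sign
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                         # assumption: global section ends at the first Match block
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def effective_value(config, keyword):
    """Explicit setting if present, otherwise the assumed compiled-in default."""
    key = keyword.lower()
    return config.get(key, DEFAULTS.get(key))


def audit_sshd_config(text):
    """Return {keyword: (effective value, finding)} for the keywords discussed in the thread."""
    cfg = parse_sshd_config(text)
    report = {}

    proto = effective_value(cfg, "Protocol")
    versions = [p.strip() for p in proto.split(",")]
    report["Protocol"] = (proto, "SSH1 accepted; set 'Protocol 2'" if "1" in versions else "ok")

    privsep = effective_value(cfg, "UsePrivilegeSeparation")
    report["UsePrivilegeSeparation"] = (
        privsep, "ok" if privsep.lower() == "yes" else "privilege separation disabled")

    for kw in ("AllowUsers", "DenyUsers", "AllowGroups", "DenyGroups"):
        val = effective_value(cfg, kw)
        report[kw] = (val, "not set (keyword absent)" if val is None else "ok")
    return report


# Constructed sample in the style of the fragments quoted above; not a real file.
SAMPLE_CONFIG = """\
# sshd_config fragment (constructed sample)
#UsePrivilegeSeparation yes
Protocol 2
AllowUsers tioadmin hscroot
Protocol 2,1
"""

if __name__ == "__main__":
    for kw, (val, finding) in audit_sshd_config(SAMPLE_CONFIG).items():
        print(f"{kw:24s} {str(val):20s} {finding}")
```

Run against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`. Note that the second "Protocol 2,1" line in the sample is ignored because the earlier "Protocol 2" line already set the keyword, which is why appending a line at the bottom of an existing file does not always take effect.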
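The thread tells the reader to compare the fingerprint shown on first connection with the one the server administrator sent, and later notes that a stale known_hosts entry for a managed server breaks the connection. The following example, added here and not IBM's or OpenSSH's code, shows what sits behind both steps: it derives the MD5 colon fingerprint used in the thread (and the SHA256 form newer OpenSSH prints) from a public key blob, and classifies a presented host key against a known_hosts file as match, mismatch or unknown. The RSA keys are built from toy parameters for the demonstration, the host names and the 192.0.2.10 address are constructed, and none of it is a usable key.

```python
"""Fingerprint an SSH public key and check it against a known_hosts file."""
import base64
import hashlib
import struct


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value):
    """SSH wire-format mpint for a positive integer (leading 0x00 if the high bit is set)."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big")


def build_rsa_blob(e, n):
    """Public key blob as it appears base64-encoded in id_rsa.pub and known_hosts."""
    return ssh_string(b"ssh-rsa") + ssh_string(ssh_mpint(e)) + ssh_string(ssh_mpint(n))


def pubkey_line(blob, comment=""):
    """Render a blob as the one-line form found in id_rsa.pub."""
    keytype = blob[4:4 + struct.unpack(">I", blob[:4])[0]].decode()
    line = keytype + " " + base64.b64encode(blob).decode()
    return line + " " + comment if comment else line


def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint, the format shown in this thread (e.g. 1c:bc:d4:...)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob):
    """SHA256 fingerprint as newer OpenSSH releases print it (base64, no padding)."""
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return "SHA256:" + digest


def parse_pubkey_line(line):
    """Parse 'ssh-rsa AAAA... [comment]' into (key type, decoded blob)."""
    parts = line.split()
    keytype, blob = parts[0], base64.b64decode(parts[1])
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type on the line does not match the blob")
    return keytype, blob


def parse_known_hosts(text):
    """Return [(host names, key type, blob)] per entry; hashed (|1|...) host fields pass through untouched."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        entries.append((parts[0].split(","), parts[1], base64.b64decode(parts[2])))
    return entries


def check_host_key(known_hosts_text, host, keytype, blob):
    """'match', 'mismatch' (stale or changed key) or 'unknown' (first connection)."""
    for hosts, ktype, kblob in parse_known_hosts(known_hosts_text):
        if host in hosts and ktype == keytype:
            return "match" if kblob == blob else "mismatch"
    return "unknown"


# Constructed keys and known_hosts text for the demonstration (toy parameters).
KEY_A = build_rsa_blob(65537, 0xC0FFEE1234567891D)
KEY_B = build_rsa_blob(65537, 0xDEADBEEF0BADF00D5)
SAMPLE_KNOWN_HOSTS = (
    "# constructed sample known_hosts\n"
    "remotehost,192.0.2.10 " + pubkey_line(KEY_A) + "\n"
    "oldserver " + pubkey_line(KEY_B, "stale entry") + "\n"
)

if __name__ == "__main__":
    keytype, blob = parse_pubkey_line(pubkey_line(KEY_A, "root@remotehost"))
    print(keytype, md5_fingerprint(blob), sha256_fingerprint(blob))
    print(check_host_key(SAMPLE_KNOWN_HOSTS, "remotehost", "ssh-rsa", KEY_A))  # match
    print(check_host_key(SAMPLE_KNOWN_HOSTS, "oldserver", "ssh-rsa", KEY_A))   # mismatch
    print(check_host_key(SAMPLE_KNOWN_HOSTS, "newhost", "ssh-rsa", KEY_A))     # unknown
```

The "mismatch" case is the one the Tivoli section calls an old or invalid entry: the host is listed, but under a different key, so the client refuses rather than silently accepting a changed identity. Compare the MD5 value from md5_fingerprint() with what the administrator sent before answering yes; only the "unknown" case should ever lead to that prompt.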