OpenSSH Software Tools

OpenSSH software tools support the SSH1 and SSH2 protocols. The tools provide shell functions where network traffic is encrypted and authenticated. OpenSSH is based on client and server architecture. OpenSSH runs the sshd daemon process on the AIX host and waits for the connection from clients. It supports public-key and private-key pairs for authentication and encryption of channels to ensure secure network connections and host-based authentication. For more information about OpenSSH, see the following Web site:

http://www.openssh.org

The preceding Web site provides the man page information on the OpenSSH commands.

For more information about OpenSSH on AIX, see the following Web site, which has the latest installp format packages for AIX 5L:

http://oss.software.ibm.com/developerworks/projects/opensshi

This section explains how to install and configure OpenSSH on AIX. The OpenSSH software is shipped on the AIX 5.2 Bonus Pack. This version of OpenSSH is compiled and packaged as installp packages using the openssh-3.4p1 level of source code. The OpenSSH program contained in the Bonus Pack CD-ROM media is licensed under the terms and conditions of the IBM International Program License Agreement (IPLA) for Non-Warranted Programs. OpenSSH is also available for AIX 4.3.3 in several RPM format packages, provided by the AIX toolbox for Linux applications.

Before installing the OpenSSH installp format packages, you must install the Open Secure Sockets Layer (OpenSSL) software. The OpenSSL software package contains the encrypted library. OpenSSL is provided in RPM packages in the AIX toolbox for Linux applications. The installation packages include the man pages and the translated message filesets.

1. Install the OpenSSL RPM package using the geninstall command, as follows:

   # geninstall -d/dev/cd0 R:openssl-0.9.6e

   Output similar to the following displays:

   SUCCESSES
   ---------
   openssl-0.9.6e-1

2. Next, install the OpenSSH installp packages using the geninstall comand as follows:

   # geninstall -I"Y" -d/dev/cd0 I:openssh.base

   Use the Y flag to accept the OpenSSH license agreement.

   Output similar to the following displays:

   Installation Summary                                                           
   --------------------                                                           
   Name                        Level           Part        Event       Result     
   -------------------------------------------------------------------------------
   openssh.base.client         3.4.0.5200      USR         APPLY       SUCCESS    
   openssh.base.server         3.4.0.5200      USR         APPLY       SUCCESS    
   openssh.base.client         3.4.0.5200      ROOT        APPLY       SUCCESS    
   openssh.base.server         3.4.0.5200      ROOT        APPLY       SUCCESS     

You can also use the SMIT install_software fast path to install OpenSSL and OpenSSH.

The following OpenSSH binary files are installed as a result of the preceding procedure:

ssh

Similar to the rlogin and rsh client programs

ssh-agent

An agent that can store private keys

ssh-add

Tool that adds keys to ssh-agent

sftp

Similar to the FTP program that works over SSH1 and SSH2 protocol

scp

File copy program similar to rcp

ssh-keygen

Key generation tool

ssh-keyscan

Utility for gathering public host keys from a number of hosts

ssh-keysign

Utility for host-based authentication

sshd

Daemon that permits you to log in

sftp-server

SFTP server subsystem (started automatically by sshd daemon)

The following general information covers OpenSSH:

• The /etc/ssh/ssh_config directory contains the sshd daemon and the configuration files for the ssh command.
• The /usr/openssh directory contains the readme file and the original OpenSSH open-source license text file.
• The sshd daemon is under AIX SRC control. You can start, stop, and view the status of the daemon by issuing the following commands:

  startsrc -s sshd   OR startsrc -g ssh  (group)
  stopsrc -s sshd    OR stopsrc -g ssh
  lssrc -s sshd      OR lssrc -s ssh

  You can also start and stop the daemon by issuing the following commands:

  /etc/rc
  .d/rc2.d/Ksshd start
  

  OR

  /etc/rc.d/rc2.d/Ssshd start

  /etc/rc.d/rc2.d/Ksshd stop
  

  OR

  /etc/rc.d/rc2.d/Ssshd stop

• When the OpenSSH server fileset is installed, an entry is added to the directory /etc/rc.d/rc2.d. An entry is in inittab to execute run level 2 processes (l2:2:wait:/etc/rc.d/rc 2), so the sshd daemon will start automatically at boot time. To prevent the daemon from starting at boot time, remove the /etc/rc.d/rc2.d/Ksshd and /etc/rc.d/rc2.d/Ssshd files.
• OpenSSH software logs information to SYSLOG.
• The IBM Redbook, Managing AIX Server Farms, provides information about configuring OpenSSH in AIX and is available at the following Web site:

  http://www.redbooks.ibm.com

Using OpenSSH with PAM

Beginning with AIX 5.2, OpenSSH is compiled with Pluggable Authentication Module (PAM) support. PAM is an alternate way of authenticating users. It provides an adaptable mechanism for authenticating AIX users by allowing a user-written module to be added to the login process. A user can write his own module or use the pam_aix module provided with AIX. The pam_aix module provides interfaces to AIX security services.

The following is an example of the /etc/pam.conf configuration file using the pam_aix PAM module, but other modules may be used if installed on the system. Create the /etc/pam.conf file with the following information in that file:

sshd	  auth            required        /usr/lib/security/pam_aix
OTHER   auth            required        /usr/lib/security/pam_aix
sshd    account         required        /usr/lib/security/pam_aix
OTHER   account         required        /usr/lib/security/pam_aix
sshd    password        required        /usr/lib/security/pam_aix
OTHER   password        required        /usr/lib/security/pam_aix
sshd    session         required        /usr/lib/security/pam_aix
OTHER   session         required        /usr/lib/security/pam_aix