
Security Guide

OpenSSH Software Tools

OpenSSH software tools support the SSH1 and SSH2 protocols. The tools provide shell functions in which network traffic is encrypted and authenticated. OpenSSH is based on a client and server architecture. The sshd daemon process runs on the AIX host and waits for connections from clients. OpenSSH supports public-key and private-key pairs for authentication and encryption of channels to ensure secure network connections and host-based authentication. For more information about OpenSSH, see the following Web site:

http://www.openssh.org

The preceding Web site provides the man page information on the OpenSSH commands.

For more information about OpenSSH on AIX, see the following Web site, which has the latest installp format packages for AIX 5L:

http://oss.software.ibm.com/developerworks/projects/opensshi

This section explains how to install and configure OpenSSH on AIX. The OpenSSH software is shipped on the AIX 5.2 Bonus Pack. This version of OpenSSH is compiled and packaged as installp packages using the openssh-3.4p1 level of source code. The OpenSSH program contained in the Bonus Pack CD-ROM media is licensed under the terms and conditions of the IBM International Program License Agreement (IPLA) for Non-Warranted Programs. OpenSSH is also available for AIX 4.3.3 in several RPM format packages, provided by the AIX toolbox for Linux applications.

Before installing the OpenSSH installp format packages, you must install the Open Secure Sockets Layer (OpenSSL) software. The OpenSSL software package contains the encryption library. OpenSSL is provided in RPM packages in the AIX toolbox for Linux applications. The installation packages include the man pages and the translated message filesets.

  1. Install the OpenSSL RPM package using the geninstall command, as follows:
    # geninstall -d/dev/cd0 R:openssl-0.9.6e
    Output similar to the following displays:
    SUCCESSES
    ---------
    openssl-0.9.6e-1
  2. Next, install the OpenSSH installp packages using the geninstall command, as follows:
    # geninstall -I"Y" -d/dev/cd0 I:openssh.base
    Use the Y flag to accept the OpenSSH license agreement.

    Output similar to the following displays:

    Installation Summary                                                           
    --------------------                                                           
    Name                        Level           Part        Event       Result     
    -------------------------------------------------------------------------------
    openssh.base.client         3.4.0.5200      USR         APPLY       SUCCESS    
    openssh.base.server         3.4.0.5200      USR         APPLY       SUCCESS    
    openssh.base.client         3.4.0.5200      ROOT        APPLY       SUCCESS    
    openssh.base.server         3.4.0.5200      ROOT        APPLY       SUCCESS     

You can also use the SMIT install_software fast path to install OpenSSL and OpenSSH.

The following OpenSSH binary files are installed as a result of the preceding procedure:

ssh
    Similar to the rlogin and rsh client programs
ssh-agent
    An agent that can store private keys
ssh-add
    Tool that adds keys to ssh-agent
sftp
    Similar to the FTP program; works over the SSH1 and SSH2 protocols
scp
    File copy program similar to rcp
ssh-keygen
    Key generation tool
ssh-keyscan
    Utility for gathering public host keys from a number of hosts
ssh-keysign
    Utility for host-based authentication
sshd
    Daemon that permits you to log in
sftp-server
    SFTP server subsystem (started automatically by the sshd daemon)

The following general information covers OpenSSH:

Using OpenSSH with PAM

Beginning with AIX 5.2, OpenSSH is compiled with Pluggable Authentication Module (PAM) support. PAM is an alternate way of authenticating users. It provides an adaptable mechanism for authenticating AIX users by allowing a user-written module to be added to the login process. A user can write his own module or use the pam_aix module provided with AIX. The pam_aix module provides interfaces to AIX security services.

The following example of the /etc/pam.conf configuration file uses the pam_aix PAM module; other modules can be used if they are installed on the system. Create the /etc/pam.conf file with the following contents:

sshd    auth            required        /usr/lib/security/pam_aix
OTHER   auth            required        /usr/lib/security/pam_aix
sshd    account         required        /usr/lib/security/pam_aix
OTHER   account         required        /usr/lib/security/pam_aix
sshd    password        required        /usr/lib/security/pam_aix
OTHER   password        required        /usr/lib/security/pam_aix
sshd    session         required        /usr/lib/security/pam_aix
OTHER   session         required        /usr/lib/security/pam_aix
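
A check for the layout above, as an added example that is not part of the original guide: the shell function reports, for one service, whether each of the four module types is served by the service's own entry, by the OTHER fallback entry, or by no entry at all. The names pam_coverage and pam_sample and the sample file are constructed for illustration; the script assumes each line has the form service, module type, control flag, module path.

```shell
#!/bin/sh
# Added example: report which pam.conf entry serves each PAM module type
# for a service. Assumed line layout: service type control module [options].

# pam_coverage FILE SERVICE
# Prints "<type> <source> <control> <module>" for auth, account, password and
# session; <source> is the service name, OTHER (fallback entry) or MISSING.
# Returns 0 only when every type is covered by some entry.
pam_coverage() {
    awk -v svc="$2" '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        NF < 4 { next }                        # ignore malformed entries
        {
            s = (tolower($1) == "other") ? "OTHER" : $1
            t = tolower($2)
            if (!((s, t) in ctl)) {            # keep the first module of each stack
                ctl[s, t] = $3; mod[s, t] = $4
            }
        }
        END {
            n = split("auth account password session", types, " ")
            for (i = 1; i <= n; i++) {
                t = types[i]
                if ((svc, t) in ctl)          src = svc
                else if (("OTHER", t) in ctl) src = "OTHER"
                else { print t, "MISSING", "-", "-"; rc = 1; continue }
                print t, src, ctl[src, t], mod[src, t]
            }
            exit rc + 0
        }' "$1"
}

# Constructed sample: sshd has no password entry at all, and its session
# type is served only by the OTHER fallback.
pam_sample() {
    cat <<'EOF'
# service type      control   module
sshd    auth      required  /usr/lib/security/pam_aix
sshd    account   required  /usr/lib/security/pam_aix
OTHER   session   required  /usr/lib/security/pam_aix
EOF
}

tmp=$(mktemp)
pam_sample > "$tmp"
pam_coverage "$tmp" sshd || echo "sshd is not covered for every module type"
rm -f "$tmp"
```

Run against the eight-line file shown above, every type resolves to the sshd entry and the function returns 0.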
