AIX Tip of the Week

Installing OpenSSH on AIX - Update

Date: August 22, 2005

OpenSSH is a freeware tool that provides a secure, industry accepted alternative to the "r-commands", telnet and ftp. The download location and installation procedure have changed numerous times. The current procedure requires two steps:

First install the prereq OpenSSL libraries. The "rpm" install file can be found on the "Linux Toolbox for AIX" CD or downloaded from the web at

https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixtbx&S_PKG=dlaixww

I recommend downloading from the website to ensure you get the most current version and one that is compatible with the current OpenSSH version. You'll need to register to do the download. It's painless.

Second, install OpenSSH. The install file can be downloaded from

http://sourceforge.net/projects/openssh-aix

For more information see

http://www-128.ibm.com/developerworks/eserver/articles/openssh_aix.html
http://www.openssh.org

Finally if you want to use "ssh" with your PC, you'll need the client code. I use "putty", which can be found at

http://www.chiark.greenend.org.uk/~sgtatham/putty/


Archive

Date: September 9, 2003

Security concerns are common to all operating systems (not just Windows). Two common exposures are the telnet and ftp commands. Both commands transmit the password over the network in clear text, making it trivial for a hacker to capture and use the password to gain entry.

One alternative is the public domain openSSH tool (secure shell). It provides secure remote login and file transfer. You should consider installing it (or equivalent) on all servers, especially those connected to a public network. The attached file describes how to obtain and install SSH on AIX.

Documentation for SSH can be found at the website:

http://www.openssh.org

Update May 2005: Download OpenSSH

Finally, I use PuTTY on my Windows PC. PuTTY is a freeware implementation of SSH for Win32 platforms. It can be downloaded from:

http://www.chiark.greenend.org.uk/~sgtatham/putty


Installing openSSH on AIX

This document describes the procedure for installing openSSH on AIX 4.3.3 and 5.1.

Installing OpenSSH on AIX 4.3.3

At 4.3.3, openSSH is installed from RPM format packages, not from the installp format that is available at 5.1 and 5.2. The procedure has three steps:

  1. Installing the prerequisite filesets.
  2. Downloading the rpm packages.
  3. Installing the prerequisite rpm packages and the openSSH rpm packages.

  1. Installing the prerequisite filesets.

    The filesets rpm.rte and perl.rte must be installed before the rpm packages. The rpm.rte fileset can be found at the following:

    Linux Toolbox CD or Linux Toolbox Website
    http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
    

    The filesets can be installed using smitty installp.

  2. Downloading the rpm packages.

    The rpm packages can be downloaded from the following website:
    http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html

    Once on that page, the prngd (Pseudo Random Number Generator Daemon) daemon and the zlib compression and decompression library can be downloaded. These are the prerequisites for installing the openssl rpm package. They are prngd-0.9.23-2.aix4.3.ppc.rpm and zlib-1.1.4-1.aix4.3.ppc.rpm respectively.

    Then click AIX Toolbox Cryptographic Content in the sorted content download area at the upper right and register, if you are not already a registered user. Click the Accept License button at the bottom of the panel that appears; you are then ready to download the openssl and openssh rpm packages, which are:

         openssl-0.9.6e-2.aix4.3.ppc.rpm
         openssl-devel-0.9.6e-2.aix4.3.ppc.rpm
         openssl-doc-0.9.6e-2.aix4.3.ppc.rpm
         openssh-3.4p1-4.aix4.3.ppc.rpm
         openssh-server-3.4p1-4.aix4.3.ppc.rpm
         openssh-clients-3.4p1-4.aix4.3.ppc.rpm
    

  3. Installing the prerequisite rpm packages.

    Once you have all the rpm files in the current directory, run the following commands to install them:

    # rpm -i zlib-1.1.4-1.aix4.3.ppc.rpm
    # rpm -i prngd-0.9.23-2.aix4.3.ppc.rpm
    # rpm -i openssl-0.9.6e-2.aix4.3.ppc.rpm
    # rpm -i openssl-devel-0.9.6e-2.aix4.3.ppc.rpm
    # rpm -i openssl-doc-0.9.6e-2.aix4.3.ppc.rpm
    # rpm -i openssh-3.4p1-4.aix4.3.ppc.rpm
    # rpm -i openssh-server-3.4p1-4.aix4.3.ppc.rpm
    # rpm -i openssh-clients-3.4p1-4.aix4.3.ppc.rpm
    

    Sometimes you may get a "failed dependencies" error when installing the openssl packages. In that case, run the following command:

    # rpm -i --nodeps openssl-0.9.6e-2.aix4.3.ppc.rpm
    

    The following command can be run to update the AIX-rpm:

    # /usr/sbin/updtvpkg
    

    The prngd must be installed before openssl and openssh, and openssl is the prerequisite for installing the openssh rpm packages. The openssl-devel-0.9.6e-2.aix4.3.ppc.rpm and openssl-doc-0.9.6e-2.aix4.3.ppc.rpm packages are not required for installing openSSH.

    To verify that these packages are installed, run the following command:

    # rpm -qa | egrep '(zlib|openssl|openssh|prng)'
    -->
    zlib-1.1.4-1
    prngd-0.9.23-2
    openssl-0.9.6e-2
    openssl-devel-0.9.6e-2
    openssl-doc-0.9.6e-2
    openssh-3.4p1-4
    openssh-server-3.4p1-4
    openssh-clients-3.4p1-4
    
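The listing above is meant to be read by eye. As an added example (not part of the original tip), the following POSIX shell function does the same comparison mechanically: it reads rpm -qa output on stdin and prints every package the 4.3.3 procedure requires that has no matching entry. The sample rpm -qa output embedded below is constructed to show one package (openssh-server) missing; on the AIX host you would pipe the real command into the function.

```sh
#!/bin/sh
# Added example, not from the original tip: check that every package the
# 4.3.3 procedure installs is present in "rpm -qa" output and list any that
# are missing. Reading stdin lets the check run offline against saved output.

# Packages required by the procedure. The -devel and -doc openssl packages
# are deliberately left out: the tip says they are not needed for openSSH.
REQUIRED_PKGS="zlib prngd openssl openssh openssh-server openssh-clients"

# missing_packages: read "rpm -qa" lines on stdin and print each required
# package name that has no matching entry. Returns 0 if nothing is missing,
# 1 otherwise. The version suffix (everything from the first "-<digit>") is
# stripped before matching, so "openssl-0.9.6e-2" matches "openssl" while
# "openssl-devel-0.9.6e-2" does not.
missing_packages() {
    installed=$(sed 's/-[0-9].*$//')
    rc=0
    for pkg in $REQUIRED_PKGS; do
        if ! printf '%s\n' "$installed" | grep -qx "$pkg"; then
            echo "$pkg"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: rpm -qa output with openssh-server not yet installed.
SAMPLE_QA='zlib-1.1.4-1
prngd-0.9.23-2
openssl-0.9.6e-2
openssl-devel-0.9.6e-2
openssh-3.4p1-4
openssh-clients-3.4p1-4'

# Demo on the constructed sample. On the host:  rpm -qa | missing_packages
printf '%s\n' "$SAMPLE_QA" | missing_packages || echo "(packages listed above are missing)"
```

The exact-line match (grep -x) matters: a loose match on "openssl" would be satisfied by openssl-devel alone, which is not enough to run sshd.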

    These packages are installed under the /opt/freeware directory, and several symbolic links are created in /usr/bin or /usr/sbin, as shown in the following example:

    # ls -l /usr/bin/ssh
    lrwxrwxrwx   1 root     system        26 Oct 17 08:07 /usr/bin/ssh -> ../../opt/freeware/bin/ssh
    # ls -l /usr/sbin/sshd
    lrwxrwxrwx   1 root     system        28 Oct 17 08:06 /usr/sbin/sshd -> ../../opt/freeware/sbin/sshd
    

Installing openSSH on 5.1

At 5.1, openssh itself is installed in installp format, but all the prerequisites (including openssl) are installed with the same rpm -i commands, using the same 4.3.3 rpm packages.

The installp format package can be downloaded from the following site: http://oss.software.ibm.com/developerworks/projects/opensshi.

First install the prerequisites using the following commands:

# rpm -i zlib-1.1.4-1.aix4.3.ppc.rpm
# rpm -i prngd-0.9.23-2.aix4.3.ppc.rpm
# rpm -i openssl-0.9.6e-2.aix4.3.ppc.rpm
# rpm -i openssl-devel-0.9.6e-2.aix4.3.ppc.rpm
# rpm -i openssl-doc-0.9.6e-2.aix4.3.ppc.rpm

Then use smitty installp to install the openssh filesets extracted from the tar file openssh34p1_51.tar. The following filesets need to be extracted from the tar file to install openSSH:

openssh.base.client
openssh.base.server
openssh.license
openssh.man.en_US
openssh.msg.en_US

You also need to set the field "Accept new License agreement" to yes in the smit panel, or the installation will fail.

# lslpp -l | grep ssh <-- you can see that the filesets are installed.

  openssh.base.client        3.4.0.0  COMMITTED  Open Secure Shell Commands
  openssh.base.server        3.4.0.0  COMMITTED  Open Secure Shell Server
  openssh.license            3.4.0.0  COMMITTED  Open Secure Shell License
  openssh.man.en_US          3.4.0.0  COMMITTED  Open Secure Shell
  openssh.msg.en_US          3.4.0.0  COMMITTED  Open Secure Shell Messages -

In this case, notice that the ssh commands are installed directly in the /usr/bin directory:

# ls -al /usr/bin/ssh
-r-xr-xr-x   1 root     system       503240 Sep 06 13:11 /usr/bin/ssh
# ls -al /usr/bin/scp
-r-xr-xr-x   1 root     system        64654 Sep 06 13:11 /usr/bin/scp
and so on.

Initial configuration at 4.3 and 5.1:

The following entry in /etc/inittab runs, at system startup, every script whose name starts with S in the /etc/rc.d/rc2.d directory:

l2:2:wait:/etc/rc.d/rc 2

In the /etc/rc.d/rc2.d directory, the following example shows the symbolic link required to start sshd:

At 4.3.3:

# ls -l /etc/rc.d/rc2.d | grep ssh
lrwxrwxrwx   1 root     system        14 Oct 17 08:06 K55sshd -> ../init.d/sshd
lrwxrwxrwx   1 root     system        14 Oct 17 08:06 S55sshd -> ../init.d/sshd

At 5.1:

# ls -l /etc/rc.d/rc2.d | grep ssh
-r-xr-xr-x   1 root     system          307 Oct 21 16:11 Ksshd
-r-xr-xr-x   1 root     system          308 Oct 21 16:11 Ssshd

The prngd is started from the following entry in /etc/inittab:

prng:2:wait:/usr/bin/startsrc -s prngd

To restrict OpenSSH to the SSH2 protocol, add the following line to the /etc/ssh/sshd_config file:

Protocol 2

To verify the SSH protocol version, you can use the telnet command:

# telnet localhost 22
Trying...
Connected to localhost.austin.ibm.com.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.4p1
--> the above shows that you are using ssh2

If you see the following:

# telnet localhost 22
Trying...
telnet: connect: A remote host refused an attempted connect operation.

then the sshd daemon is not running. To terminate the telnet session, type Ctrl-c and q. If sshd is not running, start it with:

# startsrc -s sshd

Whenever the /etc/ssh/sshd_config file is modified, sshd needs to be stopped and restarted in the following way:

# stopsrc -s sshd
# startsrc -s sshd

The prngd can be stopped and started in the same way.
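Two things above are worth checking mechanically rather than by eye: whether the Protocol directive actually in effect in sshd_config excludes protocol 1, and what the version string returned on port 22 means. The following POSIX shell functions are an added example, not code from the original tip or from OpenSSH. They assume the OpenSSH 3.x default of "Protocol 2,1" when the directive is absent (so a config with no Protocol line still accepts protocol 1), and they read the banner the way the SSH specification defines it: "SSH-2.0-" means protocol 2 only, "SSH-1.99-" means the server accepts both 1 and 2, and "SSH-1.5-" means protocol 1 only. The sshd_config excerpt is constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original tip: check that sshd is "SSH2 only"
# both in its configuration and in what it announces on the wire.

# sshd_protocol: read sshd_config on stdin and print the Protocol value in
# effect. Commented-out lines are ignored and the last directive wins.
# Assumption: when no Protocol line is present, OpenSSH 3.x uses "2,1".
sshd_protocol() {
    value=$(sed -n 's/^[[:space:]]*Protocol[[:space:]]\{1,\}\([0-9,]*\).*/\1/p' | tail -1)
    [ -n "$value" ] || value="2,1"
    echo "$value"
}

# allows_protocol1: return 0 if a Protocol value such as "2,1" includes 1.
allows_protocol1() {
    case ",$1," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# banner_protocol: classify the server version string that the telnet test
# shows. Prints "2", "1+2", "1", or "unknown" if the line is not an SSH banner.
banner_protocol() {
    case "$1" in
        SSH-2.0-*)  echo "2" ;;
        SSH-1.99-*) echo "1+2" ;;   # compatibility banner: protocol 1 still accepted
        SSH-1.*)    echo "1" ;;
        *)          echo "unknown" ;;
    esac
}

# Constructed sshd_config excerpt: the commented default is overridden below it.
SAMPLE_CONFIG='# constructed sshd_config excerpt
Port 22
#Protocol 2,1
Protocol 2'

# Demo on the constructed sample. On the host:
#   sshd_protocol < /etc/ssh/sshd_config
p=$(printf '%s\n' "$SAMPLE_CONFIG" | sshd_protocol)
if allows_protocol1 "$p"; then
    echo "Protocol $p: protocol 1 still accepted"
else
    echo "Protocol $p: protocol 2 only"
fi
echo "banner SSH-2.0-OpenSSH_3.4p1 -> protocol $(banner_protocol 'SSH-2.0-OpenSSH_3.4p1')"
```

The config check and the banner check answer different questions: the first tells you what sshd will do after the next restart, the second what the running daemon is doing now. After editing sshd_config, the banner only changes once sshd has been stopped and started as described above.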

Once the installation and configuration are complete:

Before you connect to a server for the first time, you should receive the server's host key fingerprint from the administrator of that server. On the first attempt to connect to that remote server using OpenSSH, you will see the fingerprint of the remote server. Verify that it matches the one sent to you by the administrator. Only then should you type yes.


Bruce Spencer,
baspence@us.ibm.com