
Monday, 9 January 2012

Installing OpenSSH on AIX

The OpenSSH software is shipped on the AIX 5.3 Expansion Pack. This version of OpenSSH is compiled and packaged as installp packages using the openssh-3.8.p1 level of source code. The installp packages include the man pages and the translated message filesets. The OpenSSH program contained in the Expansion Pack CD-ROM media is licensed under the terms and conditions of the IBM® International Program License Agreement (IPLA) for Non-Warranted Programs.
Before installing the OpenSSH installp format packages, you must install the Open Secure Sockets Layer (OpenSSL) software, which provides the cryptographic library that OpenSSH links against. OpenSSL is available in RPM packages on the AIX Toolbox for Linux® Applications CD, or you can download the packages from the following AIX Toolbox for Linux Applications Web site:

http://www-1.ibm.com/servers/aix/pro.../download.html

Because the OpenSSL package contains cryptographic content, you must register on the Web site to download the packages. You can download the packages by completing the following steps:

1. Click the AIX Toolbox Cryptographic Content link on the right side of the AIX Toolbox for Linux Applications Web site.
2. Click I have not registered before.
3. Fill in the required fields in the form.
4. Read the license and then click Accept License. The browser automatically redirects to the download page.
5. Scroll down the list of cryptographic content packages until you see openssl-0.9.6m-1.aix4.3.ppc.rpm under OpenSSL — SSL Cryptographic Libraries.
6. Click the Download Now! button for the openssl-0.9.6m-1.aix4.3.ppc.rpm.

After you download the OpenSSL package, you can install OpenSSL and OpenSSH.

1. Install the OpenSSL RPM package using the geninstall command:

# geninstall -d/dev/cd0 R:openssl-0.9.6m

Output similar to the following displays:

SUCCESSES
---------
openssl-0.9.6m-3

2. Install the OpenSSH installp packages using the geninstall command:

# geninstall -I"Y" -d/dev/cd0 I:openssh.base

The R: and I: prefixes tell geninstall whether a name refers to an RPM package or an installp fileset. The -I"Y" option passes installp's Y flag, which accepts the OpenSSH license agreement; review the license before you use it.
Output similar to the following displays:

Installation Summary
--------------------
Name                   Level        Part   Event   Result
-------------------------------------------------------------------------------
openssh.base.client    3.8.0.5200   USR    APPLY   SUCCESS
openssh.base.server    3.8.0.5200   USR    APPLY   SUCCESS
openssh.base.client    3.8.0.5200   ROOT   APPLY   SUCCESS
openssh.base.server    3.8.0.5200   ROOT   APPLY   SUCCESS

You can also use the SMIT install_software fast path to install OpenSSL and OpenSSH.

The following OpenSSH binary files are installed as a result of the preceding procedure:

scp
File copy program similar to rcp
sftp
Program similar to FTP that works over SSH1 and SSH2 protocol
sftp-server
SFTP server subsystem (started automatically by sshd daemon)
ssh
Similar to the rlogin and rsh client programs
ssh-add
Tool that adds keys to ssh-agent
ssh-agent
An agent that can store private keys
ssh-keygen
Key generation tool
ssh-keyscan
Utility for gathering public host keys from a number of hosts
ssh-keysign
Utility for host-based authentication
ssh-rand-helper
A program used by OpenSSH to gather random numbers. It is used only on AIX 5.1 installations.
sshd
Daemon that permits you to log in

The following general information covers OpenSSH:

* The /etc/ssh directory contains the configuration files for the sshd daemon (sshd_config) and for the ssh client command (ssh_config), together with the server's host keys. The daemon itself is installed as /usr/sbin/sshd.
* The /usr/openssh directory contains the readme file and the original OpenSSH open-source license text file. This directory also contains the ssh protocol and Kerberos license text.
* The sshd daemon is under AIX SRC control. You can start, stop, and view the status of the daemon by issuing the following commands:

startsrc -s sshd   OR   startsrc -g ssh (group)
stopsrc -s sshd    OR   stopsrc -g ssh
lssrc -s sshd      OR   lssrc -g ssh

You can also start and stop the daemon through the run-level scripts; both scripts accept start and stop:

/etc/rc.d/rc2.d/Ssshd start    OR    /etc/rc.d/rc2.d/Ksshd start
/etc/rc.d/rc2.d/Ssshd stop     OR    /etc/rc.d/rc2.d/Ksshd stop

* When the OpenSSH server fileset is installed, an entry is added to the /etc/rc.d/rc2.d directory. An entry is in inittab to start run-level 2 processes (l2:2:wait:/etc/rc.d/rc 2), so the sshd daemon will start automatically at boot time. To prevent the daemon from starting at boot time, remove the /etc/rc.d/rc2.d/Ksshd and /etc/rc.d/rc2.d/Ssshd files.
* OpenSSH logs through syslog, to the AUTH facility unless SyslogFacility is changed in sshd_config (LogLevel controls the detail). The /etc/syslog.conf shipped with AIX has no active entries and AIX syslogd does not create log files on its own, so add a line for auth messages and create the target file before relying on sshd's login records.
* The IBM Redbook Managing AIX Server Farms provides information about configuring OpenSSH in AIX and is available from the IBM Redbooks Web site.

* OpenSSH supports long user names (256 bytes), the same as the AIX base operating system. For more information on long user names, see the mkuser command.
* AllowUsers, DenyUsers, AllowGroups, and DenyGroups are sshd_config keywords (they have no meaning in the client's ssh_config) and are not present in the shipped sshd_config. Add them to /etc/ssh/sshd_config to restrict which accounts sshd lets in, and restart sshd afterwards.

Related topics in the AIX documentation:

* OpenSSH images: the steps to install the OpenSSH images.
* Configuration of OpenSSH compilation: how the OpenSSH code is compiled for AIX.
* OpenSSH and Kerberos Version 5 support: Kerberos is an authentication mechanism that provides a secure means of authentication for network users. It prevents transmission of clear text passwords over the network by encrypting authentication messages between clients and servers. In addition, Kerberos provides a system for authorization in the form of administering tokens, or credentials.


Installing OpenSSH on AIX 4.3.3

At 4.3.3, OpenSSH is installed from RPM format packages, not from the installp format that is available at 5.1, 5.2, and 5.3. The procedure has three steps:

1. Installing the prerequisite filesets.

2. Downloading the rpm packages.

3. Installing the prerequisite rpm packages.

Examples

1. Installing the prerequisite filesets. The filesets rpm.rte and perl.rte must be installed before the rpm packages. The rpm.rte fileset can be found at the following:

Linux Toolbox CD or Linux Toolbox Website http://www.ibm.com/servers/aix/produ.../download.html

The filesets can be installed using smitty installp.

2.Downloading the rpm packages.

The rpm packages can be downloaded from the following website: http://www.ibm.com/servers/aix/produ.../download.html

Once on that page, download the prngd (Pseudo Random Number Generator Daemon) daemon and the zlib compression and decompression library. prngd supplies the entropy OpenSSL and OpenSSH need on releases that have no /dev/random, such as 4.3.3 and 5.1. These are the prerequisites for installing the openssl rpm package:

prngd-0.9.23-3.aix4.3.ppc.rpm
zlib-1.1.4-3.aix4.3.ppc.rpm

Next click AIX Toolbox Cryptographic Content in the sorted content download area at the upper right and register, if you are not already a registered user. Then click the Accept License button at the bottom of the panel that appears, and you are ready to download the openssl and openssh rpm packages:

openssl-0.9.6m-1.aix4.3.ppc.rpm
openssl-devel-0.9.6m-1.aix4.3.ppc.rpm
openssl-doc-0.9.6m-1.aix4.3.ppc.rpm
openssh-3.6.1p2-1.aix4.3.ppc.rpm
openssh-clients-3.6.1p2-1.aix4.3.ppc.rpm
openssh-server-3.6.1p2-1.aix4.3.ppc.rpm

3.Installing the prerequisite rpm packages. Once you have all the rpm files in the current directory, run the following commands to install them.

1. rpm -i zlib-1.1.4-3.aix4.3.ppc.rpm
2. rpm -i prngd-0.9.23-3.aix4.3.ppc.rpm
3. rpm -i openssl-0.9.6m-1.aix4.3.ppc.rpm
4. rpm -i openssl-devel-0.9.6m-1.aix4.3.ppc.rpm
5. rpm -i openssl-doc-0.9.6m-1.aix4.3.ppc.rpm
6. rpm -i openssh-3.6.1p2-1.aix4.3.ppc.rpm
7. rpm -i openssh-server-3.6.1p2-1.aix4.3.ppc.rpm
8. rpm -i openssh-clients-3.6.1p2-1.aix4.3.ppc.rpm

Sometimes you get a "failed dependencies" error while installing the openssl packages. That usually happens because rpm's record of what the base operating system provides (the virtual AIX-rpm package) is stale. Refresh it first:

# /usr/sbin/updtvpkg

Only if the dependency error persists after that, install with the dependency check disabled:

# rpm -i --nodeps openssl-0.9.6m-1.aix4.3.ppc.rpm

--nodeps skips the check rather than satisfying it, so confirm afterwards that the packages openssl depends on (zlib in particular) really are installed.

prngd needs to be installed before openssl and openssh, and openssl is the prerequisite for installing the openssh rpm packages. openssl-devel-0.9.6m-1.aix4.3.ppc.rpm and openssl-doc-0.9.6m-1.aix4.3.ppc.rpm are not required for installing OpenSSH. To verify that the packages are installed, run the following command:

# rpm -qa | egrep '(openssl|openssh|prng)'

prngd-0.9.23-3
openssl-0.9.6m-1
openssl-devel-0.9.6m-1
openssl-doc-0.9.6m-1
openssh-3.6.1p2-1
openssh-server-3.6.1p2-1
openssh-clients-3.6.1p2-1

These packages are installed under the /opt/freeware directory, and several symbolic links are created in /usr/bin or /usr/sbin, as shown in the following example:

# ls -l /usr/bin/ssh

lrwxrwxrwx 1 root system 26 Dec 29 16:13 /usr/bin/ssh -> ../../opt/freeware/bin/ssh

# ls -l /usr/sbin/sshd

lrwxrwxrwx 1 root system 28 Dec 29 16:12 /usr/sbin/sshd -> ../../opt/freeware/sbin/sshd

Installing OpenSSH on 5.1, 5.2, and 5.3

At 5.1, 5.2, and 5.3, OpenSSH itself is installed in installp format, but all the prerequisites (including openssl) can be installed with the same rpm -i commands, using the same rpm packages as for 4.3.3. The installp format package can be downloaded from SourceForge.net: OpenSSH on AIX. After installing the prerequisites using the following commands,

1. rpm -i zlib-1.1.4-3.aix4.3.ppc.rpm
2. rpm -i prngd-0.9.23-3.aix4.3.ppc.rpm
3. rpm -i openssl-0.9.7d-1.aix5.1.ppc.rpm
4. rpm -i openssl-devel-0.9.7d-1.aix5.1.ppc.rpm

use smitty installp to install the openssh filesets extracted from the tar file openssh-3.8.1p1_51.tar (for 5.1), openssh-3.8.1p1_52.tar (for 5.2), or openssh-3.8.1p1_53.tar (for 5.3). Follow these steps to install openssh:

1. In the directory where the images are, run the command inutoc.
2. Run smitty install.
3. Select "Install and Update Software".
4. While in smitty, do the following:
   a. Select "Install Software".
   b. Enter a dot (".") in the field for "INPUT device / directory for software" and press ENTER.
   c. Enter openssh in the "SOFTWARE to install" field.
   d. Scroll down to "Preview new LICENSE agreements?" and press the Tab key to change the field to yes. Read the license agreement.
   e. Scroll down to "ACCEPT new license agreements?" and press Tab to change the field to yes. Press ENTER to begin the software installation.
5. Run the following command to see the openssh filesets installed:

# lslpp -l | grep ssh

In this case, the ssh commands are in the /usr/bin directory. For example:

# ls -al /usr/bin/ssh

-r-xr-xr-x 1 root system 309127 Jun 12 2003 /usr/bin/ssh

# ls -al /usr/bin/scp

-r-xr-xr-x 1 root system 38582 Jun 12 2003 /usr/bin/scp

Initial configuration at 4.3, 5.1, 5.2, and 5.3

The following entry in /etc/inittab invokes all the scripts whose names start with S under the /etc/rc.d/rc2.d directory upon system startup:

l2:2:wait:/etc/rc.d/rc 2

In the /etc/rc.d/rc2.d directory, the following examples show the entries that start sshd. At 4.3.3:

# ls -l /etc/rc.d/rc2.d | grep ssh

lrwxrwxrwx 1 root system 14 Dec 29 16:12 K55sshd -> ../init.d/sshd
lrwxrwxrwx 1 root system 14 Dec 29 16:12 S55sshd -> ../init.d/sshd

At 5.1, 5.2, and 5.3:

# ls -l /etc/rc.d/rc2.d | grep ssh

-r-xr-xr-x 1 root system 307 Dec 29 16:39 Ksshd
-r-xr-xr-x 1 root system 308 Dec 29 16:39 Ssshd

The prngd daemon is started from the following entry in /etc/inittab:

prng:2:wait:/usr/bin/startsrc -s prngd

To restrict OpenSSH to the SSH2 protocol, set the following line in the /etc/ssh/sshd_config file:

Protocol 2

sshd uses the first value it finds for each keyword, so if the file already contains an active Protocol line (the default, shown commented out in the shipped file, is 2,1, which still accepts the weaker SSH1 protocol), change that line rather than appending a second one at the end. To verify the SSH protocol version, you can use the telnet command:

# telnet localhost 22

Trying...
Connected to localhost.austin.ibm.com.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.6.1p2

The SSH-2.0 banner shows that the server speaks only protocol 2. A server that still accepts both protocols announces itself as SSH-1.99, so seeing SSH-1.99 here means the Protocol 2 setting has not taken effect. If you see the following:

# telnet localhost 22

Trying...
telnet: connect: A remote host refused an attempted connect operation.

then the sshd daemon is not running. To leave a connected telnet session, press the escape character (Ctrl-]) and type q at the telnet> prompt. To start the daemon, run:

# startsrc -s sshd

Whenever the /etc/ssh/sshd_config file is modified, sshd needs to be stopped and restarted as follows:

# stopsrc -s sshd
# startsrc -s sshd

The prngd daemon can also be stopped and started in the same way.

Once the installation and configuration are complete: before you connect to a server for the first time, you should receive that server's host key fingerprint from the administrator of the server through some other channel. On the first attempt to connect to the remote server using OpenSSH, the client shows you the fingerprint of the key the remote server presented. Verify that it matches the one the administrator sent you; only then type yes. Accepting an unverified fingerprint means trusting whatever host answered on port 22, which is exactly what a man-in-the-middle attack relies on.
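Two checks for the Protocol 2 advice and the telnet banner test above, as an added example that is not part of the original page or of IBM's OpenSSH packaging. It is Python rather than a shell one-liner so it runs without an sshd to talk to; the sshd_config text and the banners it examines are constructed samples. parse_sshd_config applies the rule that matters here: sshd takes the first value it finds for a keyword, so a Protocol 2 line appended below an existing Protocol 2,1 changes nothing. classify_ssh_banner interprets the identification string a server sends on port 22, where SSH-1.99 means both protocols are still enabled.

```python
import re

# Constructed sample: what an admin can end up with after appending
# "Protocol 2" without checking for an existing Protocol line.
SAMPLE_BAD = """\
# sshd_config on a freshly installed box (constructed sample)
Protocol 2,1
PermitRootLogin yes
# appended later, believing it disables SSH-1:
Protocol 2
"""

SAMPLE_GOOD = """\
Protocol 2
PermitRootLogin no
AllowGroups sshadmins
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} using sshd's first-match rule.
    Blank lines and comments are skipped; 'Match' blocks are not modelled
    (OpenSSH 3.x, the version on this page, has none)."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        config.setdefault(parts[0].lower(), parts[1].strip())  # first wins
    return config


def audit_sshd_config(text):
    """Flag the settings this page discusses. Assumed defaults are those of
    the OpenSSH 3.x sshd: Protocol 2,1 and PermitRootLogin yes."""
    cfg = parse_sshd_config(text)
    findings = []
    protocol = cfg.get("protocol", "2,1")
    if "1" in {p.strip() for p in protocol.split(",")}:
        findings.append("Protocol effectively '%s': SSH-1 still accepted "
                        "(sshd honours the first Protocol line)" % protocol)
    if cfg.get("permitrootlogin", "yes").lower() == "yes":
        findings.append("PermitRootLogin yes: root can log in directly")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: any account may try to log in")
    return findings


# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
_BANNER = re.compile(r"^SSH-(\d+\.\d+)-\S+(?: .*)?$")


def classify_ssh_banner(banner):
    """Interpret the banner read from port 22 (as with the telnet test above).
    SSH-2.0 = protocol 2 only; SSH-1.99 = protocols 1 and 2 both enabled;
    SSH-1.x = protocol 1 only; anything else is not an SSH server."""
    m = _BANNER.match(banner.rstrip("\r\n"))
    if not m:
        return "invalid"
    version = m.group(1)
    if version == "2.0":
        return "v2-only"
    if version == "1.99":
        return "v1+v2"
    if version.startswith("1."):
        return "v1-only"
    return "unknown"


if __name__ == "__main__":
    for name, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, audit_sshd_config(sample) or "OK")
    print(classify_ssh_banner("SSH-2.0-OpenSSH_3.6.1p2\r\n"))
```

To audit a live file, read /etc/ssh/sshd_config into a string and pass it to audit_sshd_config; to classify a real banner, pass the first line returned by the telnet test.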



Here are the steps involved for configuring OpenSSH for AIX.

After installation, start the sshd daemon by running:

# startsrc -s sshd

Verify that sshd is active by running this command:

# lssrc -s sshd

Once sshd is active, test it by attempting to connect to it using an OpenSSH client. If you installed the OpenSSH client package, issue the ssh client command:

# ssh localhost

You should receive a message like this:

The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 1c:bc:d4:a0:87:f8:0e:25:61:27:75:18:99:a2:5a:7d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
root@localhost's password:

This message indicates that this is the first time you've connected to this server. Compare the fingerprint with the one obtained from the server's administrator (or, on the server itself, from ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub) and respond with yes only if they match. This adds the server's host key to your client's known_hosts file, so you won't receive the question on future connections to the same server. If a later connection to the same host reports that the host key has changed, the client refuses by design; find out why the key changed (server rebuilt, key regenerated) before touching known_hosts, because the other explanation is that something else is answering in that server's place.

If you're connecting from a Windows* client, several SSH clients can be downloaded. One of the more popular is PuTTY, a free Win32 Telnet/SSH client.

Once you verify OpenSSH is working, you can further safeguard your SSH logins by using RSA or DSA public-key authentication. The private key stays on the client, protected by a passphrase of the user's choosing, and the server holds only the public key; once PasswordAuthentication no is also set in sshd_config, a captured or guessed account password is no longer enough for someone else to log in as username@hostname.

Public-key authentication also lets users connect to the OpenSSH server without being prompted for a password, either by using an empty passphrase (at the time of key generation) or, preferably, with the assistance of an SSH agent, which keeps the decrypted key in memory so the passphrase is typed once per session. An empty passphrase means anyone who can read the id_rsa file can use the key.

For details on OpenSSH, read the Redbook, "Managing AIX Server Farms." Chapter 4 focuses on secure network connections on AIX and is almost entirely devoted to OpenSSH.

For details on OpenSSH for AIX, contact the IBM Support Center at 1-800-237-5511, Option 3.




Old News

System Administration Toolkit Set up remote access in UNIX through OpenSSH
Enabling automatic login using public keys

When you log in to a remote system with ssh, sftp, or scp, you still need to enter your password to complete the login process. Once you have created a public/private key pair and placed the public half in the ~/.ssh/authorized_keys file on the remote site, you can eliminate this requirement and allow automatic logins.

To create the key pair, use ssh-keygen, specifying the key type. The rsa key type is used in the demonstration, but other key types are also valid. See Listing 11 to create the key.

Listing 11. Creating the key


$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):




You should enter the location of the file where you want to save the key (both the public and private components). Using the default (within the .ssh directory in your home directory) is usually fine (see Listing 12).

Listing 12. Prompt to enter a passphrase


Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):




If you enter a passphrase at this stage, the private key is stored encrypted under that passphrase, and you have to enter it each time you use the key (or once per session if you load the key into ssh-agent). Pressing Return leaves the private key unencrypted on disk, so no passphrase is required, but anyone who can read the file can use the key (see Listing 13).

Listing 13. Bypassing the password requirement by pressing the Return key


Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
98:da:8d:48:a8:09:44:b1:b3:62:51:2d:a9:6b:61:ba root@remotehost




A public key (id_rsa.pub) and the corresponding private key (id_rsa) have been created.

To enable automatic login, you must copy the contents of the public key into the authorized_keys file within the ~/.ssh directory of the remote host. You can do this over SSH itself (see Listing 14). The remote ~/.ssh directory must already exist, and because sshd's default StrictModes setting ignores an authorized_keys file that is group- or world-writable (or that sits in such a directory), make sure the directory is mode 700 and the file mode 600 when you are done.

Listing 14. Enabling automatic login


$ cat ./.ssh/id_rsa.pub | ssh mc@remotehost 'cat >> .ssh/authorized_keys';




Better still, if this is something that you do regularly across a range of hosts, you can use a small script or shell function that performs all of the necessary steps for you, as shown here in Listing 15.

Listing 15. Using a shell script to enable automatic login


#!/bin/sh
# setremotekey user@host: install this account's RSA public key in the
# remote user's authorized_keys, generating the key pair first if needed.
OLDDIR=`pwd`
if [ -z "$1" ]; then
  echo "Need user@host info" >&2
  exit 1
fi
cd "$HOME" || exit 1
if [ ! -e "./.ssh/id_rsa.pub" ]; then
  ssh-keygen -t rsa
fi
# Create the remote .ssh directory if it is missing and keep the modes
# sshd's StrictModes check requires (700 on .ssh, 600 on authorized_keys).
cat ./.ssh/id_rsa.pub | ssh "$1" 'umask 077; mkdir -p .ssh; cat >> .ssh/authorized_keys'
cd "$OLDDIR"




Using the setremotekey script, you can copy an existing key or, if it doesn't already exist, create one before copying:

$ setremotekey mc@remotehost




Now, whenever you need to log in to a remote host with your public key, you can use the script to add your personal key to the list of accepted keys for the user on the remote host.



OpenSSH is now bundled with AIX

IBM Wikis - AIX 5L Wiki - How to setup SSH in AIX to communicate with HMC
1. Download and install SSL and OpenSSH on the AIX client

* rpm -ivh <the openssl rpm package>
* smitty install to install openssh (base, manpage, msg)
Note: After SSL and OpenSSH have been installed, a directory called /.ssh will be created.

2. Generate the private/public keys on the AIX client

* cd ~/.ssh/
* Type ssh-keygen -t rsa
Note: This will create id_rsa and id_rsa.pub

3. From the AIX client, add the public key to the HMC

* scp hscroot@hmc_name:.ssh/authorized_keys2 temp_hmc
* cat id_rsa.pub >> temp_hmc
* scp temp_hmc hscroot@hmc_name:.ssh/authorized_keys2
* Test it. Ex: ssh hscroot@hmc_name date

The copy-down, append, copy-up sequence replaces the whole file on the HMC, so run it from one client at a time. If the HMC has no authorized_keys2 yet, the first scp fails; start from an empty temp_hmc in that case.
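The remote-side half of the "cat id_rsa.pub | ssh user@host 'cat >> .ssh/authorized_keys'" pattern from Listing 14, and of the HMC copy-down, append, copy-up steps above, as an added Python example that is neither the page's code nor IBM's. The plain append has three failure modes a practitioner runs into: the remote ~/.ssh may not exist yet, re-running the step duplicates the key, and with sshd's default StrictModes the file is silently ignored when ~/.ssh or authorized_keys is group- or world-writable, so logins keep asking for a password. The key line below is constructed (a genuine ssh-rsa wire header followed by a truncated modulus, useless as a credential) and the scratch home directory is a temporary directory; on a real system you would pass the user's home directory instead.

```python
import base64
import os
import stat
import tempfile

# Constructed sample: valid "ssh-rsa" header, truncated modulus (not a real key).
SAMPLE_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7 mc@remotehost"


def parse_pubkey_line(line):
    """Return (keytype, blob_b64, comment) for a well-formed OpenSSH public
    key line, else None. The blob must decode and its leading length-prefixed
    string must repeat the key type; truncated or corrupted copies fail this."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return None
    keytype, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except (ValueError, TypeError):  # binascii.Error is a ValueError
        return None
    if len(blob) < 4:
        return None
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode():
        return None
    return keytype, blob_b64, comment


def install_authorized_key(home, pubkey_line):
    """Append the key to home/.ssh/authorized_keys exactly once, creating the
    directory if needed, and leave modes that sshd accepts under StrictModes.
    Returns 'added' or 'present'."""
    key = parse_pubkey_line(pubkey_line)
    if key is None:
        raise ValueError("not an OpenSSH public key line: %r" % pubkey_line)
    ssh_dir = os.path.join(home, ".ssh")
    ak_path = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    present = False
    if os.path.exists(ak_path):
        with open(ak_path) as fh:
            for existing in map(parse_pubkey_line, fh):
                # compare type and blob only; comments differ between copies
                if existing and existing[:2] == key[:2]:
                    present = True
    if not present:
        with open(ak_path, "a") as fh:
            fh.write(" ".join(p for p in key if p) + "\n")
    os.chmod(ak_path, 0o600)
    return "present" if present else "added"


def strict_modes_problems(home):
    """List the paths sshd's StrictModes check would reject: the home
    directory, ~/.ssh and authorized_keys must not be group/world-writable."""
    problems = []
    for path in (home, os.path.join(home, ".ssh"),
                 os.path.join(home, ".ssh", "authorized_keys")):
        if os.path.exists(path):
            if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append(path)
    return problems


def demo():
    """Run the scenario in a scratch home directory and return the outcomes."""
    home = tempfile.mkdtemp()
    first = install_authorized_key(home, SAMPLE_KEY)
    # the same key copied from a second client carries a different comment
    second = install_authorized_key(home, SAMPLE_KEY.replace("mc@remotehost", "mc@aix53"))
    with open(os.path.join(home, ".ssh", "authorized_keys")) as fh:
        line_count = len(fh.read().splitlines())
    os.chmod(os.path.join(home, ".ssh"), 0o775)  # simulate a botched chmod
    return first, second, line_count, strict_modes_problems(home)


if __name__ == "__main__":
    print(demo())
```

On the HMC side the same logic applies to .ssh/authorized_keys2; parse_pubkey_line would also have caught a key line mangled in transit before it was uploaded.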

Configuring OpenSSH on AIX
You should configure SSH to encrypt all communications between the server and client on your AIX operating system.
You must first install the OpenSSH file set on AIX and then configure it.
Installing OpenSSH on AIX
To install the openssh file set:

1. Install the OpenSSL package, which you can find at:

SourceForge.net: OpenSSH on AIX

2. Click OpenSSL at the top of the Web page. Registration is required. After registering, you are redirected to a Web page where you can download OpenSSL.
3. Install the following file sets from the AIX Base installation media:
* openssh.base
* openssh.license
* openssh.msg.en_US
* openssh.man.en_US
4. If the file sets were not found on the AIX Base installation media, they can be downloaded from developerWorks: IBM's resource for developers and IT professionals. In the left navigation frame, click Open Source Projects and then click OpenSSH for AIX Images. Select OpenSSH 3.6 or higher.
5. Start the sshd daemon by running the command: /usr/bin/startsrc -s sshd
Note: If the AIX machine on which OpenSSH is installed also has GSA installed, the SSH daemon will not start. This is a known problem. Check whether the sshd user (the unprivileged account sshd uses for privilege separation) exists on the system, for example with lsuser sshd. If not, create it with the following commands:

mkgroup sshd

mkuser -a pgrp=sshd login=false home=/var/empty gecos="OpenSSH privilege separation" account_locked=true sshd

6. As user tioadmin, configure SSH so that the server can communicate with relevant users on other systems and components of the data center.
Attention: Ensure that you are logged on to user ID tioadmin directly. Do not use su - to tioadmin, or the following steps will fail to run correctly.

OpenSSH is installed on AIX.
Configuring OpenSSH on AIX
To configure SSH:

1. Log on as tioadmin.
2. Run the following commands:

ssh-keygen -t rsa -N "" -f $HOME/.ssh/id_rsa
cat $HOME/.ssh/id_rsa.pub >> $HOME/.ssh/authorized_keys

3. You can test this by running: ssh -v tioadmin@localhost, where localhost is your host name. If SSH is properly configured, you will not be prompted for a password.
4. Copy the public key for user tioadmin to the servers that Tivoli® Provisioning Manager will be managing in your data center.
5. The product requires SSH to accept connections from new hosts without prompting for confirmation. Create a file called config in /home/thinkcontrol/.ssh (that is the path the documentation gives, although the account used elsewhere in this procedure is tioadmin; use the .ssh directory of the account that actually initiates the connections). The file should contain the following line:

StrictHostKeyChecking no

Be aware of what this trades away: with StrictHostKeyChecking no, the client accepts whatever host key a new host presents and records it in known_hosts without any verification, so the first connection to each managed server can be intercepted. Where you can, keep the default instead and pre-populate known_hosts with each managed server's public host key before the first automated connection (ssh-keyscan collects the keys; verify their fingerprints against what the servers' administrators report).

6. Copy the id_rsa.pub file, which contains the public keys, into the authorized keys file of the administrative account of any server in the data center that the Tivoli Provisioning Manager server must communicate with or manage. Include any servers in the data center that Tivoli Provisioning Manager is managing.
1. Ensure that the managed server has an administrative account for which the SSH RSA keys (id_rsa, id_rsa.pub, and authorized_keys) have already been generated and should be contained into the .ssh directory of the respective administrative account home directory.
2. Append the content (a single line of text) of the id_rsa.pub file which contains the public key from the server that will initiate the SSH session to the authorized_keys file of the administrative account of any target server in the data center that the Tivoli Provisioning Manager server must communicate with or manage. Include any servers in the data center that Tivoli Provisioning Manager will be managing.
3. To verify, on the Tivoli Provisioning Manager server, type:

ssh <tioadmin/other_administrative_account_on_the_target_server>@<target_server_IP_or_hostname>

There should be no password prompt, just the shell prompt on the remote machine. After a successful logon, an entry for the communication partner is created in the known_hosts file. As a troubleshooting step: this file may contain an old entry for the managed server's IP address or name, for example after the server was rebuilt with new host keys, and the client then refuses to connect. Confirm with the server's administrator that the host key really changed before deleting that entry; a mismatch can also mean that another machine is answering on that address.

SSH is now configured on AIX.
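The fingerprint check this page asks for (compare against what the administrator sent before typing yes) and the alternative to StrictHostKeyChecking no, as one added Python example that is not part of the page, of IBM's documentation or of Tivoli Provisioning Manager. It computes the two fingerprint forms ssh-keygen -l prints (the MD5 colon form quoted in the first-connection prompt above, and the SHA256 form of OpenSSH 6.8 and later) from a host key in ssh-keyscan output format, and emits the known_hosts line only when the fingerprint matches. The host name and key blob are constructed sample data (a truncated ssh-rsa key, not a real host key); the expected fingerprint would come from the server's administrator out of band.

```python
import base64
import hashlib

# Constructed: what "ssh-keyscan -t rsa aix53.example.com" would print
# (known_hosts format), using a truncated sample blob for illustration.
SAMPLE_KEYSCAN = "aix53.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7"


def fingerprint_md5(blob):
    """Hex-pair form printed by ssh-keygen -l up to OpenSSH 6.7, and in the
    'RSA key fingerprint is 1c:bc:...' prompt shown earlier on this page."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def fingerprint_sha256(blob):
    """Form printed by ssh-keygen -l from OpenSSH 6.8 on: unpadded base64."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan_line(line):
    """Split an ssh-keyscan / known_hosts line into (host, keytype, blob)."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected 'host keytype base64blob': %r" % line)
    return parts[0], parts[1], base64.b64decode(parts[2])


def normalize_fpr(fpr):
    """Accept 'SHA256:...', 'MD5:aa:bb:...' or bare 'aa:bb:...' as typed or
    mailed by an administrator, and return the canonical comparison form."""
    f = fpr.strip()
    if f.startswith("SHA256:"):
        return f.rstrip("=")
    if f.upper().startswith("MD5:"):
        f = f[4:]
    return f.lower()


def known_hosts_line_if_trusted(keyscan_line, expected_fpr):
    """Return the known_hosts line to install when the key's fingerprint
    matches the one supplied out of band; None means do not trust it."""
    host, keytype, blob = parse_keyscan_line(keyscan_line)
    expected = normalize_fpr(expected_fpr)
    if expected not in (fingerprint_md5(blob), fingerprint_sha256(blob)):
        return None
    return "%s %s %s" % (host, keytype, keyscan_line.split()[2])


if __name__ == "__main__":
    _, _, blob = parse_keyscan_line(SAMPLE_KEYSCAN)
    print(fingerprint_md5(blob))
    print(fingerprint_sha256(blob))
    print(known_hosts_line_if_trusted(SAMPLE_KEYSCAN, fingerprint_md5(blob)))
```

Run ssh-keyscan from the client, feed each output line and the administrator-supplied fingerprint to known_hosts_line_if_trusted, and append only the returned lines to ~/.ssh/known_hosts; StrictHostKeyChecking can then stay at its default and an unexpected key on any managed server becomes a hard failure rather than a silent acceptance.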




Recommended links

YouTube - passwordless ssh trust

* The OpenSSH web site


* Chapter 4 in the redbook Managing AIX Server Farms contains details about using OpenSSH with AIX.


* Download OpenSSH on AIX.


* AIX 5L Expansion Pack and Web Download Pack


* AIX Toolbox for Linux Applications


* Get up-to-date information about OpenSSH 3.4p1
