SSH on AIX

The OpenSSH software is shipped on the AIX 5.3 Expansion Pack. This version of OpenSSH is compiled and packaged as installp packages using the openssh-3.8.p1 level of source code. The installp packages include the man pages and the translated message filesets. The OpenSSH program contained in the Expansion Pack CD-ROM media is licensed under the terms and conditions of the IBM^® International Program License Agreement (IPLA) for Non-Warranted Programs.

Before installing the OpenSSH installp format packages, you must install the Open Secure Sockets Layer (OpenSSL) software that contains the encrypted library. OpenSSL is available in RPM packages on the AIX Toolbox for Linux^® Applications CD, or you can also download the packages from the following AIX Toolbox for Linux Applications Web site:

http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html

Because the OpenSSL package contains cryptographic content, you must register on the Web site to download the packages. You can download the packages by completing the following steps:

1. Click the AIX Toolbox Cryptographic Content link on the right side of the AIX Toolbox for Linux Applications Web site.
2. Click I have not registered before.
3. Fill in the required fields in the form.
4. Read the license and then click Accept License. The browser automatically redirects to the download page.
5. Scroll down the list of cryptographic content packages until you see openssl-0.9.6m-1.aix4.3.ppc.rpm under OpenSSL — SSL Cryptographic Libraries.
6. Click the Download Now! button for the openssl-0.9.6m-1.aix4.3.ppc.rpm.

After you download the OpenSSL package, you can install OpenSSL and OpenSSH.

1. Install the OpenSSL RPM package using the geninstall command:

   # geninstall -d/dev/cd0 R:openssl-0.9.6m

   Output similar to the following displays:

   SUCCESSES
   ---------
   openssl-0.9.6m-3

2. Install the OpenSSH installp packages using the geninstall command:

   # geninstall -I"Y" -d/dev/cd0 I:openssh.base

   Use the Y flag to accept the OpenSSH license agreement after you have reviewed the license agreement.

   Output similar to the following displays:

   Installation Summary                                                           
   --------------------                                                           
   Name                        Level           Part        Event       Result     
   -------------------------------------------------------------------------------
   openssh.base.client         3.8.0.5200      USR         APPLY       SUCCESS    
   openssh.base.server         3.8.0.5200      USR         APPLY       SUCCESS    
   openssh.base.client         3.8.0.5200      ROOT        APPLY       SUCCESS    
   openssh.base.server         3.8.0.5200      ROOT        APPLY       SUCCESS     

You can also use the SMIT install_software fast path to install OpenSSL and OpenSSH.

The following OpenSSH binary files are installed as a result of the preceding procedure:

scp

File copy program similar to rcp

sftp

Program similar to FTP that works over SSH1 and SSH2 protocol

sftp-server

SFTP server subsystem (started automatically by sshd daemon)

ssh

Similar to the rlogin and rsh client programs

ssh-add

Tool that adds keys to ssh-agent

ssh-agent

An agent that can store private keys

ssh-keygen

Key generation tool

ssh-keyscan

Utility for gathering public host keys from a number of hosts

ssh-keysign

Utility for host-based authentication

ssh-rand-helper

A program used by OpenSSH to gather random numbers. It is used only on AIX 5.1 installations.

sshd

Daemon that permits you to log in

• The /etc/ssh directory contains the sshd daemon and the configuration files for the ssh client command.
• The /usr/openssh directory contains the readme file and the original OpenSSH open-source license text file. This directory also contains the ssh protocol and Kerberos license text.
• The sshd daemon is under AIX SRC control. You can start, stop, and view the status of the daemon by issuing the following commands:

  startsrc -s sshd   OR startsrc -g ssh  (group)
  stopsrc -s sshd    OR stopsrc -g ssh
  lssrc -s sshd      OR lssrc -s ssh

  You can also start and stop the daemon by issuing the following commands:

  /etc/rc.d/rc2.d/Ksshd start

  OR

  /etc/rc.d/rc2.d/Ssshd start

  /etc/rc.d/rc2.d/Ksshd stop

  OR

  /etc/rc.d/rc2.d/Ssshd stop

• When the OpenSSH server fileset is installed, an entry is added to the /etc/rc.d/rc2.d directory. An entry is in inittab to start run-level 2 processes (l2:2:wait:/etc/rc.d/rc 2), so the sshd daemon will start automatically at boot time. To prevent the daemon from starting at boot time, remove the /etc/rc.d/rc2.d/Ksshd and /etc/rc.d/rc2.d/Ssshd files.
• OpenSSH software logs information to SYSLOG.
• The IBM Redbook, Managing AIX Server Farms, provides information about configuring OpenSSH in AIX and is available at the following Web site:

  http://www.redbooks.ibm.com

• OpenSSH supports long user names (256 bytes), the same as the AIX base operating system. For more information on long user names, see the mkuser command.
• Some keywords, such as AllowUsers, DenyUsers, AllowGroups, and DenyGroups are not available by default in the ssh_config file or the sshd_config file. You must add these keywords to the configuration files in order to use them.

• OpenSSH images
  Use the following steps to install the OpenSSH images:
• Configuration of OpenSSH compilation
  The following information discusses how the OpenSSH code is compiled for AIX.
• OpenSSH and Kerberos Version 5 support
  Kerberos is an authentication mechanism that provides a secure means of authentication for network users. It prevents transmission of clear text passwords over the network by encrypting authentication messages between clients and servers. In addition, Kerberos provides a system for authorization in the form of administering tokens, or credentials.

Here are the steps involved for configuring OpenSSH for AIX.

After installation, start the sshd daemon by running:

# startsrc -s sshd

Verify that sshd is active by running this command:

# lssrc -s sshd

Once sshd is active, test it by attempting to connect to it using an OpenSSH client. If you installed the OpenSSH client package, issue the ssh client command:

# ssh localhost

You should receive this message: "The authenticity of host localhost (127.0.0.1) can't be established. RSA key fingerprint is 1c:bc:d4:a0:87:f8:0e:25:61:27:75:18:99:a2:5a:7d. Are you certain you want to continue connecting (yes/no)? (Warning: Permanently added localhost(RSA) to the list of known hosts. root@localhosts password:)."

This message indicates that this is the first time you've connected to this server. Respond with yes. This adds the server's host key to your client's known_hosts file. (Note: You won't receive this question on future connections to the same server.)

If you're connecting from a Windows* client, several SSH clients can be downloaded. One of the more popular is PuTTY, a free Win32 Telnet/SSH client.

Once you verify OpenSSH is working, you may further safeguard your SSH connection by implementing symmetric RSA or DSA authentication keys. Authentication keys allow users to specify a passphrase for their SSH connection and prevent someone else from spoofing username@hostname.

It also gives users the capability to connect to their OpenSSH server without being prompted for a password, either by using an empty passphrase (at the time of key generation) or with the assistance of an SSH agent.

For details on OpenSSH, read the Redbook, "Managing AIX Server Farms." Chapter 4 focuses on secure network connections on AIX and is almost entirely devoted to OpenSSH.

For details on OpenSSH for AIX, contact the IBM Support Center at 1-800-237-5511, Option 3.

Old News

System Administration Toolkit Set up remote access in UNIX through OpenSSH

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):

Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):

Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
98:da:8d:48:a8:09:44:b1:b3:62:51:2d:a9:6b:61:ba root@remotehost

$ cat ./.ssh/id_rsa.pub | ssh mc@remotehost 'cat >> .ssh/authorized_keys';

OLDDIR='pwd';
if [ -z "$1" ]; then
    echo Need user@host info;
    exit;
fi;
cd $HOME;
if [ -e "./.ssh/id_rsa.pub" ]; then
    cat ./.ssh/id_rsa.pub | ssh $1 'cat >> .ssh/authorized_keys';
else
    ssh-keygen -t rsa;
    cat ./.ssh/id_rsa.pub | ssh $1 'cat >> .ssh/authorized_keys';
fi;
cd $OLDDIR

$ setremotekey mc@remotehost

OpenSSH is now bundled with AIX

IBM Wikis - AIX 5L Wiki - How to setup SSH in AIX to communicate with HMC

index

Configuring OpenSSH on AIX

You must first install the OpenSSH file set on AIX and then configure it.

Installing OpenSSH on AIX

Note: Some text may appear on separate lines for presentation purposes only.

1. Install the OpenSSL package, which you can find at:

    http://sourceforge.net/projects/openssh-aix

2. Click OpenSSL at the top of the Web page. Registration is required. After registering, you are redirected to a Web page where you can download OpenSSL.
3. Install the following file sets from the AIX Base installation media:
   • openssh.base
   • openssh.license
   • openssh.msg.en_US
   • openssh.man.en_US
4. If the file sets were not found on the AIX Base installation media, they can be downloaded from the URL: http://www.ibm.com/developerworks. In the left navigation frame, click Open Source Projectsand then click OpenSSH for AIX Images. Select OpenSSH 3.6 or higher.
5. Start the sshd daemon by running the command: /usr/bin/startsrc -s sshd

   Note: If the AIX machine on which OpenSSH is installed also has GSA installed, the SSH daemon will not start. This is a known problem. You will need to first check to see if the sshd user exists on the system. If not, it should be created with the following commands:

   mkgroup sshd   

   mkuser -a pgrp=sshd login=false home=/var/empty
   gecos="OpenSSH privilege separation" account_locked=true sshd

6. As user tioadmin, configure SSH so that the server can communicate with relevant users on other systems and components of the data center.

   Attention: Ensure that you are logged on to user ID tioadmin directly. Do not usesu - to tioadmin or the following steps will fail to run correctly.

Configuring OpenSSH on AIX

1. Log on as tioadmin.
2. Run the following commands:

   ssh-keygen -t rsa -N "" -f $HOME/.ssh/id_rsa 
   cat $HOME/.ssh/id_rsa.pub >> $HOME/.ssh/authorized_keys 

3. You can test this by running: ssh -v tioadmin@localhost, where localhost is your host name. If SSH is properly configured, you will not be prompted for a password.
4. Copy the public key for user tioadmin to the servers that Tivoli^® Provisioning Manager will be managing in your data center.
5. It is required to configure SSH to accept connections from new hosts without prompting for confirmation. Create a file in /home/thinkcontrol/.ssh called config. The file should contain the following line:

   StrictHostKeyChecking no

6. Copy the id_rsa.pub file, which contains the public keys, into the authorized keys file of the administrative account of any server in the data center that the Tivoli Provisioning Manager server must communicate with or manage. Include any servers in the data center that Tivoli Provisioning Manager is managing.
   1. Ensure that the managed server has an administrative account for which the SSH RSA keys (id_rsa, id_rsa.pub, and authorized_keys) have already been generated and should be contained into the .ssh directory of the respective administrative account home directory.
   2. Append the content (a single line of text) of the id_rsa.pub file which contains the public key from the server that will initiate the SSH session to the authorized_keys file of the administrative account of any target server in the data center that the Tivoli Provisioning Manager server must communicate with or manage. Include any servers in the data center that Tivoli Provisioning Manager will be managing.
   3. To verify, on the Tivoli Provisioning Manager server, type:

      ssh <tioadmin/other_administrative_account_on_the_target_server>@<target_server_IP_or_hostname>

      There should be no password prompt, followed by the prompt on the remote machine. After a successful logon, an entry for the communication partner will be created into a known_hosts file. As a troubleshooting step, sometimes this file may contain old or invalid entries associated with the managed server IP address or name. Deleting that entry should fix the connection problem.

Recommended links

YouTube - passwordless ssh trust

Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotes :  Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce :  Bernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS :  Programming Languages History : PL/1 : Simula 67 : C : History of GCC development :  Scripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month :  How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March 12, 2019