
Deploying OpenSSH on AIX

Sandor W. Sklar (ssklar@stanford.edu), Systems Administrator, Freelance Developer
Sandor W. Sklar is a Unix systems administrator at Stanford University, in beautiful Northern California. When not poking through his systems for real or imagined security holes, he enjoys spending time with his wife and two children.

Summary:  This tutorial is designed for administrators of IBM RS/6000 systems who wish to improve the security and integrity of their servers running AIX by replacing standard insecure network services with those provided by the OpenSSH implementation of the Secure Shell protocol.

Date:  01 Jun 2001
Level:  Intermediate
PDF:  A4 and Letter (343 KB | 20 pages)


What is OpenSSH?

What is wrong with the default network services?

Like most UNIX implementations, AIX provides a large number of network services enabling remote users to log in interactively, transfer files to and from the server, and issue commands to the server in a non-interactive fashion. Unfortunately, most of the daemons (programs running on the server that fulfill requests for particular services) were designed during a time when the security of systems and network traffic was an afterthought -- if it was thought of at all.

The protocols behind such services as telnet, rsh, and ftp contain no provision for the encryption of traffic passed over the network. Most network protocols contain methods for user authentication, but the methods are extremely weak and easily forged. Protocols that transmit user IDs and passwords from the client to the server in clear text are commonplace. In addition, there is no guarantee that the data transferred through the network has not been intercepted by a third party and possibly altered.

The Secure Shell (SSH) protocol was developed to address the aforementioned problems caused by these inherently insecure services.


The development of the Secure Shell protocol

In 1995, the original SSH protocol was developed by Tatu Ylönen, a researcher at the Helsinki University of Technology, in Finland. Along with developing the protocol, Ylönen also wrote an implementation for UNIX systems, distributing the source as free software for unlimited use. As the popularity of the SSH software grew worldwide, Ylönen formed a company, SSH Communications Security, Ltd., in order to further development of the product (now licensed commercially, but with source available) and provide support.

In time, limitations and flaws were discovered in the original definition of the protocol. These problems could not be fixed without breaking compatibility with older versions, so a new protocol was defined fixing the issues with the original SSH protocol. As the various implementations of the protocol 2-based software mature and gain features, the use of the older protocol 1-based software will fade. For now, though, implementations of both protocol 1 and protocol 2 are in widespread use around the world; to provide service to the widest audience of clients, it is important for servers to support client connections via both protocols.


What does SSH do?

The Secure Shell protocol protects against the following problems, most of which are inherent in the design of the various protocols that SSH can replace:

  • User and host authentication

    SSH uses several strong cryptographic methods to ensure that both the client and the server are who they say they are. Unless both the server and the client agree that the user and host identities are valid, the connection is denied.

  • Encryption of network traffic

    All data transmitted over the network between an SSH client and an SSH server is encrypted with algorithms of varying strength. This ensures that if the network traffic is sniffed (intercepted and read by an unauthorized party), the contents of the packets will be unreadable.

  • Integrity of data transmission

    The SSH protocol assures the integrity of all data transmitted to and from a server. If a third party attempts to alter the data packets, SSH detects this and alerts the user.
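As an added illustration of the first point above (host authentication), not part of the original tutorial: the script below parses a known_hosts entry of the kind an OpenSSH client records, computes the key's SHA256 fingerprint in the same form that `ssh-keygen -l -E sha256` prints, and checks it against a fingerprint the administrator published out of band. This is the comparison a user performs by hand when the client shows a host key for the first time. The hostname and the 32 key bytes are constructed for the example, and the hashed `|1|` host entries (the HashKnownHosts format) are handled as well, which goes a little beyond what this section describes.

```python
import base64
import hashlib
import hmac

# Constructed sample data for this example: the key bytes are made up and the
# hostname is a placeholder, not a real AIX host.
SAMPLE_KEY_BYTES = bytes(range(32))
SAMPLE_HOST = "aixhost.example.com"


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length, then data."""
    return len(data).to_bytes(4, "big") + data


def build_ed25519_blob(key_bytes: bytes) -> bytes:
    """Assemble the wire-format public key blob for ssh-ed25519 (RFC 8709)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(key_bytes)


def known_hosts_line(host_field: str, key_bytes: bytes) -> str:
    """Render a known_hosts line: host field, key type, base64 key blob."""
    blob_b64 = base64.b64encode(build_ed25519_blob(key_bytes)).decode()
    return f"{host_field} ssh-ed25519 {blob_b64}"


def sha256_fingerprint(blob: bytes) -> str:
    """Fingerprint as `ssh-keygen -l -E sha256` prints it:
    'SHA256:' plus base64 of the SHA-256 digest with '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_entry(hostname: str, salt: bytes) -> str:
    """Build a HashKnownHosts entry: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_entry_matches(entry: str, hostname: str) -> bool:
    """True if one host field (plain name or |1| hashed form) names `hostname`."""
    if entry.startswith("|1|"):
        _, _, salt_b64, mac_b64 = entry.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return entry == hostname


def parse_known_hosts_line(line: str):
    """Split a known_hosts line into (host entries, key type, raw key blob).
    Comment and blank lines are rejected with ValueError."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("#"):
        raise ValueError("not a known_hosts key line")
    hosts, key_type = fields[0].split(","), fields[1]
    blob = base64.b64decode(fields[2])
    # The first wire string inside the blob must repeat the declared key type;
    # if it does not, the line is malformed or was edited inconsistently.
    type_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key blob type does not match declared key type")
    return hosts, key_type, blob


def host_key_matches(line: str, hostname: str, expected_fingerprint: str) -> bool:
    """Does this known_hosts line vouch for `hostname` with the published fingerprint?"""
    hosts, _, blob = parse_known_hosts_line(line)
    if not any(host_entry_matches(h, hostname) for h in hosts):
        return False
    return hmac.compare_digest(sha256_fingerprint(blob), expected_fingerprint)


SAMPLE_LINE = known_hosts_line(SAMPLE_HOST, SAMPLE_KEY_BYTES)
SAMPLE_FINGERPRINT = sha256_fingerprint(build_ed25519_blob(SAMPLE_KEY_BYTES))

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("published fingerprint:", SAMPLE_FINGERPRINT)
    print("match:", host_key_matches(SAMPLE_LINE, SAMPLE_HOST, SAMPLE_FINGERPRINT))
    # A key differing in a single bit yields a different fingerprint, so a
    # substituted host key fails the comparison.
    tampered = bytes([SAMPLE_KEY_BYTES[0] ^ 1]) + SAMPLE_KEY_BYTES[1:]
    print("tampered match:", host_key_matches(
        known_hosts_line(SAMPLE_HOST, tampered), SAMPLE_HOST, SAMPLE_FINGERPRINT))
```

The fingerprint is computed over the whole wire-format blob (type string plus key material), which is why a known_hosts line whose declared type disagrees with the blob is rejected before any comparison is made; `hmac.compare_digest` is used for the final comparisons so that the check does not leak how many leading characters matched.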


The OpenSSH project

The creation of OpenSSH, a free implementation of both SSH protocol 1 and 2, was undertaken by the OpenBSD project in order to provide a Secure Shell implementation unencumbered by restrictive licensing. OpenSSH was first included with the release of OpenBSD 2.6. The quality and security of the code produced was excellent and it was quickly ported to other UNIX operating systems.

Currently, the development of OpenSSH is divided into two teams. One team does strictly OpenBSD-based development, aiming to produce code that is as clean, simple, and secure as possible. The other team takes the clean version and makes it portable so it builds and runs on many different operating systems, including AIX. The portable releases can be identified by the "p" in the version number (e.g., OpenSSH 3.0.1p1); source distributions without the "p" compile only on OpenBSD.
