
Deploying OpenSSH on AIX

Sandor W. Sklar (ssklar@stanford.edu), Systems Administrator, Freelance Developer
Sandor W. Sklar is a Unix systems administrator at Stanford University, in beautiful Northern California. When not poking through his systems for real or imagined security holes, he enjoys spending time with his wife and two children.

Summary:  This tutorial is designed for administrators of IBM RS/6000 systems who wish to improve the security and integrity of their servers running AIX by replacing standard insecure network services with those provided by the OpenSSH implementation of the Secure Shell protocol.

Date:  01 Jun 2001
Level:  Intermediate

Gathering the pieces

Recipe Ingredients

OpenSSH, like many other open source software projects, builds on the work and components of other applications to perform its tasks. This allows the developers of OpenSSH to focus on creating the stable and secure code that is at the core of the application, while relying on the expertise and ability of the developers of other applications to ensure that those components perform as designed.

Unfortunately, this model can make the deployment of OpenSSH a bit like a recipe: numerous components need to be downloaded and compiled separately, and the various applications often use different systems for configuration, compilation, and installation of their code.


Obtain the prerequisites

The following open source packages are required to compile and deploy OpenSSH. The version numbers given for each package are the most current stable releases at the time this tutorial was written; check each project's Web site for updated releases. The versions built on this page are gzip 1.2.4a, zlib 1.1.3, prngd 0.9.23, OpenSSL 0.9.6b and, optionally, TCP Wrappers 7.6.
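Every one of these packages arrives as a tarball fetched over the network, so compare it with the digest (or, better, the signature) the project publishes before unpacking it. The script below is an added example, not part of the original tutorial or of any of these projects: it refuses to extract an archive whose digest differs from the expected value. The digest command is a parameter; cksum is the portable default (POSIX, present on AIX) but it is a CRC and only catches corruption, so once OpenSSL is installed pass "openssl dgst -sha1" or a stronger digest the project publishes. The digest value in the usage comment is a placeholder.

```shell
#!/bin/sh
# verify_extract: unpack a source tarball only if its digest matches the
# value recorded from the project's download page.
#
#   verify_extract TARBALL EXPECTED_DIGEST [DIGEST_CMD]
#
# DIGEST_CMD reads the archive on stdin and prints the digest. The default,
# cksum, is a CRC: it detects download corruption, not tampering. Use
# "openssl dgst -sha1" (or stronger) once OpenSSL has been built.
verify_extract() {
    tarball=$1
    expected=$2
    digest_cmd=${3:-cksum}

    if [ ! -f "$tarball" ]; then
        echo "verify_extract: no such file: $tarball" >&2
        return 2
    fi

    # Normalise the digest tool's output: drop any "name= " prefix that
    # openssl prints, then keep the first field (cksum prints "CRC size").
    # $digest_cmd is deliberately unquoted so it may contain arguments.
    actual=$($digest_cmd < "$tarball" | sed 's/^.*= *//' | awk '{print $1}')

    if [ "$actual" != "$expected" ]; then
        echo "verify_extract: digest mismatch for $tarball" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi

    # Only after the digest matches is the archive unpacked. Compressed
    # archives go through gunzip -c, which is why gzip is built first.
    case $tarball in
        *.tar.gz|*.tgz) gunzip -c "$tarball" | tar xf - ;;
        *.tar)          tar xf "$tarball" ;;
        *) echo "verify_extract: unknown archive type: $tarball" >&2; return 2 ;;
    esac
}

# Example invocation (the digest is a placeholder; substitute the value the
# project publishes):
#   cd /usr/local/src && verify_extract zlib-1.1.3.tar.gz 0123456789 cksum
if [ $# -ge 2 ]; then
    verify_extract "$@"
fi
```

Run it from /usr/local/src so the sources land where the rest of this tutorial expects them; a non-zero exit means nothing was extracted.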


Build and install gzip

GNU Zip (gzip) is an open source data compression program similar to the standard UNIX compress/uncompress applications, but unencumbered by patents that might affect its status as free software.

Although gzip is not a prerequisite for building OpenSSH, its use is required in decompressing the source bundles used later in this tutorial. The gzip format is used most often for the distribution of free software on the Internet, and so its presence on an AIX system is almost a requirement.

Fortunately, the source for gzip is available in an uncompressed tape archive (tar) format. After downloading the tarball and saving it into /usr/local/src, execute the following commands:

tar xvf gzip-1.2.4a.tar
cd gzip-1.2.4a
./configure && make check

When the auto-configuration and compilation are complete, the self-test prints the following lines:

gzip test OK
rm -f _gztest*

Now, run the make install command (as root); the following files will be installed in the appropriate subdirectories of /usr/local:

/usr/local/man/man1/gzip.1
/usr/local/man/man1/gzexe.1
/usr/local/man/man1/zdiff.1
/usr/local/man/man1/zgrep.1
/usr/local/man/man1/zmore.1
/usr/local/man/man1/znew.1
/usr/local/man/man1/zforce.1
/usr/local/man/man1/zcat.1
/usr/local/man/man1/zcmp.1
/usr/local/man/man1/gunzip.1
/usr/local/bin/gzip
/usr/local/bin/zdiff
/usr/local/bin/zgrep
/usr/local/bin/zmore
/usr/local/bin/znew
/usr/local/bin/zforce
/usr/local/bin/gzexe
/usr/local/bin/zcmp
/usr/local/bin/gunzip
/usr/local/bin/zcat
/usr/local/info/gzip.info


Build and install zlib

Zlib is a lossless, general-purpose compression library used by many open source software projects. The library uses the same compression algorithms used by the gzip program, which are more efficient than those used by UNIX compress.

After downloading the source for the latest version of zlib, place it in /usr/local/src, and run the following commands:

gunzip -c zlib-1.1.3.tar.gz | tar xvf -
cd zlib-1.1.3
vi Makefile

Edit Makefile, adding -qmaxmem=-1 to the end of the CFLAGS line:

CFLAGS=-O -qmaxmem=-1
                

Run the make test command to compile and test the library. When that process is complete, the last line displayed on the screen will be:

*** zlib test OK ***

As root run make install to install the following header files and library to their correct location:

/usr/local/lib/libz.a
/usr/local/include/zlib.h
/usr/local/include/zconf.h

Note: -qmaxmem=-1 is an option specific to IBM's C for AIX compiler; it removes the optimizer's memory limit so that no function is skipped for optimization because it would need more memory than the default allows.


Build and install prngd

The Pseudo Random Number Generator Daemon, prngd, provides a source of entropy on platforms that do not have a /dev/random device for that purpose. Unpredictable random data is fundamental to cryptography: host keys, user keys, and the session keys negotiated for every connection are only as strong as the randomness used to generate them, so a poor entropy source undermines everything else in this tutorial. Many UNIX platforms provide a kernel-level source of random data via /dev/random.

Unfortunately, AIX 4.3 and 5.1 do not include such a device. On AIX and other systems lacking /dev/random, the prngd daemon can supply the entropy required by OpenSSH and other cryptographic software through an EGD-compatible UNIX-domain socket.

After downloading the source for the latest version of prngd into /usr/local/src, run the following commands:

gunzip -c prngd-0.9.23.tar.gz | tar xvf -
cd prngd-0.9.23
vi Makefile

Find the "AIX 4.3 w/cc" section in Makefile; uncomment the CFLAGS line and add the -qmaxmem=-1 flag so that the section appears as follows:

# AIX 4.3 w/cc ("Joerg Petersen <j.petersen@msh.de>)
# Please also check out contrib/AIX-4.3/00README.aix-src
CFLAGS=-O -DAIX43 -qmaxmem=-1
# SYSLIBS=

The source can then be compiled by issuing the make command. The prngd Makefile does not include an install rule, so install the daemon and its AIX configuration file manually by running the following commands (as root):

mkdir -p /usr/local/sbin ; cp prngd /usr/local/sbin/
cp contrib/prngd.conf.aix43 /etc/prngd.conf

The longer the prngd daemon process is running, the better the quality of randomness it can provide to other applications that use entropy. Thus, this daemon should be run at startup and should never exit. There are numerous methods of running daemons at startup; this tutorial will present one using the AIX System Resource Controller (SRC). By using SRC, a consistent interface for starting, stopping, and querying the status of the subsystem will be made available.

To create a subsystem for controlling the prngd daemon, issue the following command:

/usr/bin/mkssys -s prngd -p /usr/local/sbin/prngd \
    -a '-f -c /etc/prngd.conf -s /var/tmp/egd-seed /dev/egd-pool' \
    -u 0 -S -n 15 -f 9 -R -G local

The arguments passed to prngd keep it in the foreground (-f), which SRC requires in order to track the process, name its configuration file (-c) and its seed file (-s), and end with the path of the EGD socket that OpenSSH will read from. The mkssys options run the daemon as root (-u 0), tell SRC to control it with signals (-S), using SIGTERM for a normal stop (-n 15) and SIGKILL for a forced stop (-f 9), restart it automatically if it dies (-R), and place it in the subsystem group local (-G local).

The prngd subsystem can now be started with startsrc -s prngd and inspected with lssrc -s prngd. To have the prngd subsystem start at system boot, enter the following command, which adds an entry to /etc/inittab:

/usr/sbin/mkitab "prngd:2:wait:startsrc -s prngd > /dev/console 2>&1"

mkitab appends the entry to the end of /etc/inittab. Any entry that later starts sshd must come after it, since sshd needs the entropy socket at startup; mkitab's -i option places a new entry after a named existing one if the order needs adjusting.
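After startsrc -s prngd, confirm that the daemon is actually serving entropy before OpenSSH is built against it. The checks below are an added example, not part of the tutorial or of prngd: they verify that /dev/egd-pool is a UNIX-domain socket, that the seed file (saved pool state) is private to root, and, on AIX, that SRC reports the subsystem active. The socket and seed paths default to those in the mkssys command above and can be overridden; the owner argument of seed_file_private exists only so the check can be exercised on a host that is not AIX.

```shell
#!/bin/sh
# Post-install checks for the prngd subsystem. Each function returns 0 on
# success so the checks can be combined in other scripts.

# The EGD pool must be a UNIX-domain socket; sshd connects to it by path.
is_unix_socket() {
    [ -S "$1" ]
}

# The seed file carries pool state across restarts and must not be readable
# by other users: expected mode is exactly rw------- and the owner root.
# A second argument overrides the expected owner (for testing elsewhere).
seed_file_private() {
    file=$1
    owner=${2:-root}
    [ -f "$file" ] || return 1
    # ls -ld prints: -rw------- 1 root system 1024 Jun  1 12:00 /var/tmp/egd-seed
    set -- $(ls -ld "$file")
    mode=$(printf '%s\n' "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] && [ "$3" = "$owner" ]
}

# On AIX, ask the System Resource Controller whether the subsystem is active.
# Returns 2 where lssrc is absent (not an AIX host).
prngd_subsystem_active() {
    type lssrc >/dev/null 2>&1 || return 2
    lssrc -s prngd 2>/dev/null |
        awk '$1 == "prngd" && $NF == "active" { found = 1 } END { exit !found }'
}

# Run all checks and report. Usage: check_prngd [SOCKET] [SEED]
check_prngd() {
    sock=${1:-/dev/egd-pool}
    seed=${2:-/var/tmp/egd-seed}
    rc=0
    if is_unix_socket "$sock"; then
        echo "ok:   $sock is a UNIX-domain socket"
    else
        echo "FAIL: $sock missing or not a socket (is prngd running?)"; rc=1
    fi
    if seed_file_private "$seed"; then
        echo "ok:   $seed is owned by root with mode 0600"
    else
        echo "FAIL: $seed missing, not owned by root, or readable by others"; rc=1
    fi
    prngd_subsystem_active && st=0 || st=$?
    case $st in
        0) echo "ok:   SRC reports subsystem prngd active" ;;
        2) echo "skip: lssrc not found (not an AIX host)" ;;
        *) echo "FAIL: SRC reports subsystem prngd inoperative"; rc=1 ;;
    esac
    return $rc
}

# Typical use on the AIX host, after startsrc -s prngd:
#   check_prngd || echo "fix prngd before building OpenSSH"
```

A FAIL on the socket check usually means prngd exited at startup; lssrc -s prngd and the daemon's syslog output show why.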


Build and install OpenSSL

OpenSSL is an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. The general-purpose cryptographic libraries provided with OpenSSL are used by a number of encryption-related applications, including OpenSSH.

After downloading the latest source release of OpenSSL into /usr/local/src, run the following commands:

gunzip -c openssl-0.9.6b.tar.gz | tar xvf -
cd openssl-0.9.6b
./config && make && make test

Note: OpenSSL is a large and complicated package. The compilation and testing can take a very long time, especially on slower systems. When the test suite has completed, text similar to the following will be printed to the screen:

OpenSSL 0.9.6b 9 Jul 2001
built on: Sat Nov 17 17:41:15 PST 2001
platform: aix43-cc
options: bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,4,long) idea(int) blowfish(idx)    
compiler: cc -DDSO_DLFCN -DHAVE_DLFCN_H -O -DAIX -DB_ENDIAN -qmaxmem=16384
Target "test" is up to date.

Now as root run make install to install the requisite program files:

/usr/local/ssl/man/man1/CA.pl.1
/usr/local/ssl/man/man1/asn1parse.1
/usr/local/ssl/man/man1/ca.1
/usr/local/ssl/man/man1/ciphers.1
/usr/local/ssl/man/man1/crl.1
/usr/local/ssl/man/man1/crl2pkcs7.1
/usr/local/ssl/man/man1/dgst.1
/usr/local/ssl/man/man1/dhparam.1

---[snip]---
many, many similar lines...
/usr/local/ssl/include/openssl/ssl3.h
/usr/local/ssl/include/openssl/ssl23.h
/usr/local/ssl/include/openssl/tls1.h
/usr/local/ssl/misc/CA.sh
/usr/local/ssl/misc/CA.pl
/usr/local/ssl/misc/der_chop
/usr/local/ssl/misc/c_hash
/usr/local/ssl/misc/c_info
/usr/local/ssl/misc/c_issuer
/usr/local/ssl/misc/c_name
/usr/local/ssl/openssl.cnf


Build and install TCP Wrappers (optional)

TCP Wrappers provides a small program, tcpd, that limits access to network services based on the address or host name of the client. It was designed for, and is most often used for, "wrapping" services spawned by inetd. The package also provides a library, libwrap.a, that applications such as OpenSSH can link against to gain the same access controls and logging for the connections they accept themselves. It is not required for deploying OpenSSH, but it adds another layer of access control and logging that an administrator may appreciate; address-based rules are only as trustworthy as the network they see, so they complement, rather than replace, authentication in sshd.

To build TCP Wrappers, issue the following commands after downloading the source distribution into /usr/local/src:

gunzip -c tcp_wrappers_7.6.tar.gz | tar xvf -
cd tcp_wrappers_7.6
vi Makefile

Before compiling the source, several changes need to be made to the Makefile:

  • Uncomment the REAL_DAEMON_DIR line for AIX, so that it appears:
    # SysV.4 Solaris 2.x OSF AIX
    REAL_DAEMON_DIR=/usr/sbin
    

  • Uncomment the following line:
    #STYLE = -DPROCESS_OPTIONS # Enable language extensions.
    

  • Change the line:
    FACILITY= LOG_MAIL # LOG_MAIL is what most sendmail daemons use
    

    to

    FACILITY= LOG_LOCAL7 # tcpd messages will be logged to facility local7
    

  • Change the line:
     TABLES = -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\"

    to

     TABLES = -DHOSTS_DENY=\"/etc/tcpd.conf\" -DHOSTS_ALLOW=\"/etc/tcpd.conf\"


  • Add -qmaxmem=-1 to the CFLAGS block:
    CFLAGS  = -O -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
            $(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \
            -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \
            -DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \
            $(UCHAR) $(TABLES) $(STRINGS) $(TLI) $(EXTRA_CFLAGS) $(DOT) \
            $(VSYSLOG) $(HOSTNAME) -qmaxmem=-1
      

After saving the above changes to the Makefile, run the make aix command to compile the source.

The Makefile for TCP Wrappers does not include an install target. To place the files in the proper locations, enter the following commands as root (the mkdir -p creates the man page and library directories, some of which do not exist yet on a fresh system, and is harmless where they do):

mkdir -p /usr/local/sbin /usr/local/lib /usr/local/include \
    /usr/local/man/man3 /usr/local/man/man5 /usr/local/man/man8
cp tcpdchk safe_finger try-from tcpdmatch tcpd /usr/local/sbin/
cp libwrap.a /usr/local/lib/
cp hosts_access.3 /usr/local/man/man3/
cp hosts_access.5 hosts_options.5 /usr/local/man/man5/
cp tcpd.8 tcpdchk.8 tcpdmatch.8 /usr/local/man/man8/
mkdir -p /usr/local/share/tcpd/
cp Banners.Makefile /usr/local/share/tcpd/
cp tcpd.h /usr/local/include/
touch /etc/tcpd.conf

The final touch creates the (initially empty) access table that tcpd and libwrap were compiled to read. An empty table matches no client, and tcpd permits a connection that matches no rule, so the file provides no protection until it is populated.
  

Configuration of TCP Wrappers is not detailed in this tutorial. See the included README and the hosts_access(5) and hosts_options(5) man pages for usage and configuration settings.
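One caveat follows directly from the Makefile changes above and deserves a worked example before moving on: with HOSTS_ALLOW and HOSTS_DENY both compiled to /etc/tcpd.conf and PROCESS_OPTIONS enabled, every rule should state its own allow or deny verdict, the first matching rule wins, and a client that matches no rule is permitted. The script below is an added example, not from the tutorial or the TCP Wrappers package: it writes a minimal tcpd.conf that admits sshd from one management network, logs and refuses everyone else, and closes the default, then checks such a file for the two properties that make it safe (an explicit verdict on every rule and a final deny-all). The network 10.1.0.0/255.255.0.0 is a constructed placeholder in hosts_access(5) syntax, the sshd rules only take effect once sshd is linked against libwrap, and tcpdchk -a (where the package is installed) reports any rule that permits access without an explicit allow.

```shell
#!/bin/sh
# Generate and sanity-check /etc/tcpd.conf for the single-table layout built
# above (allow and deny tables are the same file; PROCESS_OPTIONS enabled).
#
#   write_tcpd_conf OUTFILE ALLOWED_NET
#   ALLOWED_NET uses hosts_access(5) syntax, e.g. 10.1.0.0/255.255.0.0
write_tcpd_conf() {
    out=$1
    net=$2
    # The file holds no secrets; root-owned and world-readable is fine.
    cat > "$out" <<EOF
# /etc/tcpd.conf -- both the allow and deny tables read this file, so every
# rule carries an explicit verdict. First match wins.
# sshd: accept the management network, log and refuse everyone else.
sshd : $net : allow
sshd : ALL : severity local7.warning : deny
# Nothing else is wrapped here, but keep the default closed: a client that
# matches no rule at all would otherwise be allowed.
ALL : ALL : deny
EOF
}

# Returns 0 when every rule line ends in an explicit allow/deny verdict and
# the last rule is "ALL : ALL : deny". Comments and blank lines are ignored.
tcpd_conf_closed_by_default() {
    [ -f "$1" ] || return 1
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blanks
        { n++; last = $0 }
        !/:[ \t]*(allow|deny)[ \t]*$/ { bad++ }    # rule without a verdict
        END {
            gsub(/[ \t]/, "", last)
            exit !(n > 0 && bad == 0 && last == "ALL:ALL:deny")
        }' "$1"
}

# Run the package's own checker when it is installed (the AIX target host).
# tcpdchk -a flags rules that grant access without an explicit allow.
check_with_tcpdchk() {
    [ -x /usr/local/sbin/tcpdchk ] || return 2
    /usr/local/sbin/tcpdchk -a
}

# Typical use on the AIX host (as root):
#   write_tcpd_conf /etc/tcpd.conf 10.1.0.0/255.255.0.0 &&
#       tcpd_conf_closed_by_default /etc/tcpd.conf && check_with_tcpdchk
```

Test a candidate rule set with tcpdmatch (for example, tcpdmatch sshd 10.2.3.4) before relying on it; the check above only guards against the two structural mistakes, not against an overly broad client pattern.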

3 of 9
