Deploying OpenSSH on AIX

Sandor W. Sklar (ssklar@stanford.edu), Systems Administrator, Freelance Developer
Sandor W. Sklar is a Unix systems administrator at Stanford University, in beautiful Northern California. When not poking through his systems for real or imagined security holes, he enjoys spending time with his wife and two children.

Summary:  This tutorial is designed for administrators of IBM RS/6000 systems who wish to improve the security and integrity of their servers running AIX by replacing standard insecure network services with those provided by the OpenSSH implementation of the Secure Shell protocol.

Date:  01 Jun 2001
Level:  Intermediate
PDF:  A4 and Letter (343 KB | 20 pages)

Replacing insecure network services

Replacing the telnet service

Replacing the insecure telnet protocol with the much more secure ssh protocol is simple: users substitute an ssh client for their telnet client. When connecting via telnet, the user enters:

$ telnet earth

They are then prompted to enter their user name and password:

Trying 123.456.789.012 ...
Connected to earth.galaxy.com
Escape character is '^]'.

AIX Version 4
(C) Copyrights by IBM and by others 1982, 1996.
login: user
user's Password: ******

If the user account and password are correct, the user is authenticated and provided access to the system. To perform the same action using ssh, the user types:

$ ssh earth
user@earth's password: ******

As with telnet, the user will then be logged in if the user account and password specified are valid. The difference, though, is that all network traffic between the client and the server, including the user name and password, is encrypted, making them immune to packet sniffing attacks. SSH clients usually use the name of the user that is logged in on the client system when connecting to the remote system. If the end user wishes to use a different user account, they will need to add that account name before the host name, joined with an "@" sign. For example:

$ ssh user@earth

The telnet service should be disabled on the server by either deleting or commenting out the telnet entry in /etc/inetd.conf.


Replacing the 'r' services

The r services are those that use only the /etc/hosts.equiv file and the ~/.rhosts files within users' home directories to perform authentication. These services include rsh, rlogin, and rcp. All of these services can be replaced by OpenSSH, greatly increasing the overall security of the server. Several "layers" of security may be imposed on the use of these services, depending on the options set in the /etc/ssh/sshd_config file by the server's administrator.

The OpenSSH distribution includes both the client and server programs necessary to replace the insecure r commands. For the examples presented in the following table, it is assumed that:

  • The fully qualified domain name of the client system is listed in either the /etc/hosts.equiv file on the server named earth, or in the .rhosts file within the user's home directory
  • If the client is a UNIX system, the ssh program is set-UID root, and has the UsePrivilegedPort yes option in the /etc/ssh_config configuration file
  • The /etc/sshd_config file on the server earth contains the options: HostbasedAuthentication yes, IgnoreRhosts no, and RhostsRSAAuthentication yes
  • The public key for the client system is in either the server's global known hosts file, or the user's known hosts file.
Insecure command: rsh earth / rlogin earth
Secure equivalent: ssh earth / slogin earth
Action performed: provides the user with an interactive login session on the server named earth, without having to enter a password.

Insecure command: rsh earth uptime
Secure equivalent: ssh earth uptime
Action performed: executes the uptime command on the server named earth, without having to enter a password.

Insecure command: rcp earth:/etc/passwd /tmp/earth-passwd
Secure equivalent: scp earth:/etc/passwd /tmp/earth-passwd
Action performed: copies the /etc/passwd file from the server named earth and saves it on the local system as /tmp/earth-passwd, without the user needing to enter a password.

Security advantage (all three): The host key of the client system is checked against the server's known hosts file. If they do not match, the connection is refused. All communications between the server and the client are encrypted.

The rexec command, though similarly named, uses a different but also insecure method of authorizing a remote user to run a command on a server without entering her password. Instead of the .rhosts file, a .netrc file in the user's home directory on the client system contains the user name and password. This data, and all other data transferred over the network, is sent in clear text. By using the ssh client's ability to execute commands, use of the rexec service can be avoided, and the daemon that provides this service can be disabled on the server.

In order to take advantage of the increased security provided by the OpenSSH replacements, the login, shell, and exec services should be commented out or deleted from the server's /etc/inetd.conf.
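The host-based setup above only works if sshd actually sees the three options listed in the assumptions. The following audit script is an added example, not part of the tutorial; the sshd_config samples it reads are constructed here, and the checker reproduces two rules of sshd's parser: keywords are case-insensitive, and the first occurrence of a keyword wins, so a later duplicate is silently ignored.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit an sshd_config for the three
# options the host-based r-service replacement depends on (HostbasedAuthentication
# yes, IgnoreRhosts no, RhostsRSAAuthentication yes). sshd keeps the FIRST
# occurrence of a keyword and compares keywords case-insensitively; so does this.

# sshd_option FILE KEYWORD: print the effective value of KEYWORD (first
# uncommented match), or nothing if unset. "Key value" and "Key=value" both work.
sshd_option() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]*=[ \t]*/, " ", line)
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == key) { print f[2]; exit }
        }' "$1"
}

# check_hostbased FILE: return 0 when every required option has the required
# value; otherwise print each mismatch and return 1.
check_hostbased() {
    rc=0
    for want in HostbasedAuthentication=yes IgnoreRhosts=no RhostsRSAAuthentication=yes; do
        key=${want%%=*}
        got=$(sshd_option "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "${want#*=}" ]; then
            echo "$key is '${got:-unset}', expected '${want#*=}'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the second IgnoreRhosts line is the one the admin meant,
# but sshd keeps the first, so .rhosts stays ignored and password-less logins fail.
BAD=$(mktemp)
cat > "$BAD" <<'EOF'
Port 22
hostbasedauthentication yes
IgnoreRhosts yes
IgnoreRhosts no
RhostsRSAAuthentication = yes
EOF
GOOD=$(mktemp)
grep -v '^IgnoreRhosts yes' "$BAD" > "$GOOD"    # drop the stray first line

check_hostbased "$BAD" || echo "$BAD: not ready for host-based logins"
check_hostbased "$GOOD" && echo "$GOOD: host-based options set as required"
```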


Replacing the ftp service

For those systems that are required to provide an interactive file transfer service, the sftp-server is included with the OpenSSH distribution. Using the same authentication and encryption methods as ssh, users can use the sftp client program to connect to and transfer files to and from remote servers. Operation of the sftp program is similar to standard FTP clients, though the sftp-server program lacks some of the "bells and whistles" of the ftpd daemon.

If the features provided by the sftp-server program meet the requirements for your FTP service, the standard ftpd daemon should be disabled by commenting out or deleting the ftp entry in /etc/inetd.conf.
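The three sections above all end with the same step: disable the telnet, login, shell, exec and ftp entries in /etc/inetd.conf. The script below is an added example, not from the tutorial; it works on a constructed copy of inetd.conf so it runs anywhere, and on a real AIX server you would point it at /etc/inetd.conf and then run "refresh -s inetd" so that inetd rereads the file.

```shell
#!/bin/sh
# Added example, not from the tutorial: comment out the inetd services that
# OpenSSH replaces (telnet -> ssh, shell/login -> ssh/slogin, exec -> ssh with a
# command, ftp -> sftp). Runs on a constructed copy of inetd.conf; on a real AIX
# server use /etc/inetd.conf and then "refresh -s inetd" to make inetd reread it.
INSECURE_SERVICES="telnet shell login exec ftp"

# disable_inetd_services FILE: prefix "#" to every active line whose service
# name (first field) is in INSECURE_SERVICES. Comments, blank lines and other
# services are copied through unchanged.
disable_inetd_services() {
    tmp="$1.tmp.$$"
    awk -v services="$INSECURE_SERVICES" '
        BEGIN { n = split(services, s, " "); for (i = 1; i <= n; i++) off[s[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        ($1 in off)              { print "#" $0; next }
                                 { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# active_services FILE: print the service names still enabled on one line,
# space-separated (an empty line if none are left).
active_services() {
    awk '!/^[ \t]*#/ && NF { names = names (names == "" ? "" : " ") $1 }
         END { print names }' "$1"
}

# Constructed sample in inetd.conf layout:
# service socket-type protocol wait/nowait user server-program arguments
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
## constructed sample, not a real AIX inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/ftpd    ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/telnetd telnetd -a
shell   stream  tcp  nowait  root    /usr/sbin/rshd    rshd
login   stream  tcp  nowait  root    /usr/sbin/rlogind rlogind
exec    stream  tcp  nowait  root    /usr/sbin/rexecd  rexecd
#tftp   dgram   udp  wait    nobody  /usr/sbin/tftpd   tftpd -n
ntalk   dgram   udp  wait    root    /usr/sbin/talkd   talkd
EOF

echo "before: $(active_services "$SAMPLE")"
disable_inetd_services "$SAMPLE"
echo "after:  $(active_services "$SAMPLE")"
```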
