Open Secure Shell (OpenSSH) is an open source implementation of the SSH protocol suite of network connectivity tools. The tools provide remote shell access, command execution and file transfer that are authenticated and encrypted. (A shell is a command language interpreter that reads input from a command line string, stdin or a file.) Why use OpenSSH? When you're running over insecure public networks like the Internet, you can use the SSH command suite in place of the insecure telnet, ftp and r-commands (rlogin, rsh, rcp), which send passwords and session data in the clear.
OpenSSH delivers code that speaks both the SSH1 and SSH2 protocols. What's the difference? SSH2 is a rewrite of SSH1. SSH2 is built from separate, layered protocols (transport, user authentication and connection), whereas SSH1 is one monolithic protocol. SSH2 supports both RSA and DSA keys, but SSH1 supports only RSA, and SSH2 protects message integrity with a cryptographic message authentication code, where SSH1 relies on a CRC-32 checksum, which is not a cryptographic integrity check. The Internet Engineering Task Force (IETF) maintains the Secure Shell standards.
OpenSSH source code is compiled on AIX 5L and shipped on the AIX 5L Expansion Pack and Web Download Pack. You can also get the installation images from OpenSSH on AIX.
When you install the AIX OpenSSH image from the Bonus Pack CD or from the website, you can get support from IBM Program Services. The code base for the binaries is OpenSSH version 3.4.0 which was retrieved from www.openssh.org. The package includes these binaries:
ssh           rlogin/rsh-like client program
ssh-agent     agent that can store private keys
ssh-add       tool that adds keys to ssh-agent
sftp          FTP-like program that works over the SSH1 and SSH2 protocols
scp           file copy program that acts like rcp
ssh-keygen    key generation tool
ssh-keyscan   utility for gathering public host keys from a number of hosts
ssh-keysign   utility for host-based authentication
sshd          the daemon that permits you to log in
sftp-server   SFTP server subsystem (started automatically by sshd)
All security patches announced to date, such as those covered by CERT advisories, are already incorporated into the 3.4.0 level of code. As new security patches become available, we'll incorporate them as soon as possible and make them available from the developerWorks download site.
Authentication mechanisms in OpenSSH include UNIX password, user public key, and host-based authentication (the client host's key combined with .rhosts/.shosts or hosts.equiv files). Encryption algorithms supported are DES, 3DES, Blowfish and AES (the shipped client configuration below also lists CAST-128 and arcfour).
Two configuration files shipped with the binaries are unchanged from the open source delivery and contain the default settings. They are the client file /etc/ssh/ssh_config and the server file /etc/ssh/sshd_config. You will need to modify these files based on your security needs; in particular, every setting in the shipped files is commented out, so the daemon runs with the compiled-in defaults until you uncomment and change a line.
Here's an example of the client configuration file:
#	$OpenBSD: ssh_config,v 1.15 2002/06/20 20:03:34 stevesk Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsAuthentication no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   BatchMode no
#   CheckHostIP yes
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
For its random number generator, the AIX OpenSSH code uses the built-in entropy-gathering code delivered with OpenSSH. The file ssh_prng_cmds, which lists the system commands that gatherer runs to collect entropy, was changed so that it contains only commands that produce output on AIX.
OpenSSH is dynamically linked with OpenSSL for use of the encryption library libcrypto.a. You can get the OpenSSL library from the AIX Toolbox for Linux Applications CD or from this website: ibm.com/servers/aix/products/aixos/linux/index.html.
OpenSSL is delivered in RPM format (instead of installp format). To install OpenSSL, use the rpm -i command. Install OpenSSL first: if you install OpenSSH before OpenSSL, you will get this installation error message:
A prerequisite package has not been installed. OpenSSH requires Open SSL (Secure Sockets Layer). Please install Open SSL from the AIX Toolbox for Linux CD or Toolbox website: https://www6.software.ibm.com/dl/aixtbx/aixtbx-i?S_PKG=dlaixww...
The code is also dynamically linked with zlib, the data compression function. The zlib library is automatically installed for you on AIX 5.1.
International Language Support. The base OpenSSH 3.4.0 code was modified to add International Language Support. In the initial shipment of code, user messages are displayed in U.S. English. In the future, translated message catalogs will be shipped. Languages supported will be Catalan, Spanish, Korean, Japanese, Polish, German, Hungarian, Slovak, Russian, Italian, Chinese, Czech, and Taiwanese.
Message catalog. All user-visible messages (not system debug messages) were placed into a message catalog, and XPG4 catgets() calls were added to the source code to retrieve the correct language version of each message.
Binaries and configuration files. The binaries and configuration files have been packaged in AIX installp format, which can be installed with the Web-based System Manager or the SMIT tool. The filesets include
openssh.man.en_US   man page documentation
openssh.msg.en_US   English message catalog file
VRMF. The Version, Release, Modification, and Fix (VRMF) level of the latest release is 3.4.0. The AIX VRMF will closely match the open source code level.
License files. Two license files are shipped with the binaries. The license file shipped with the open source code is distributed in the /usr/openssh directory. The second license file is the IPLA non-warranted with Limited Program Services license. The packaging uses the AIX electronic license scheme, which requires that you view the IBM license text and accept the license prior to installation. Viewing and accepting the license can be done through the Web-based System Manager or the SMIT tool. A README file in /usr/openssh contains a list of updates to the code (security patches).
Host keys. At installation time, the post-installation processing runs the key generation command, ssh-keygen, to generate the server's host keys, so the daemon can be started as soon as the install completes.
System Resource Controller (SRC). The sshd daemon has been enabled for the System Resource Controller (SRC). SRC makes it easier for you to create and control subsystems by providing a common way to start, stop, and collect status information on processes.
startsrc -g ssh   start the sshd daemon if it is not currently active
stopsrc -g ssh    stop the sshd daemon; this requests that sshd complete all current processing and release its resources
lssrc -g ssh      obtain the status of sshd
At openssh.server package install time, entries are added to the run level 2 directory /etc/rc.d/rc2.d to automatically start sshd at boot time, and an entry in /etc/inittab executes the run level 2 processes:
If you don't want sshd to start at boot time, remove or rename the two sshd entries in /etc/rc.d/rc2.d:
One benefit of OpenSSH is that it fully encrypts the session when UNIX password authentication is used, so the password itself never crosses the network in the clear, as it does with telnet and ftp. This is the simplest method of authentication: you have to do no additional configuration.
OpenSSH also provides public key authentication, and it's very easy to configure. A user doesn't have to use a UNIX password if public key cryptography is used, and the method eases system administration when there are a large number of users on a machine. Users create a key pair and give the public key to the system administrator to gain access to the machine. A user account is still needed, but password validation isn't. For example, for guest-level access, one common UNIX account can be created and securely shared by placing each user's public key in that account's authorized_keys file on the server; each user still authenticates with a private key only he holds.
The X11 forwarding feature of OpenSSH is very useful. Machines behind firewalls usually don't have the X11 ports (6000 and up) open, but firewalls usually leave the SSH port (22) open. When using SSH with X11 forwarding enabled, a user can tunnel X sessions through that one port, encrypted and authenticated.
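The following script ties together the two points made above: the shipped sshd_config, whose settings are all commented-out defaults, and a shared guest account that admits users by public key only. It is an added example, not code from this article or from the OpenSSH project. The scratch paths, the host pattern in from= and the key strings are constructed placeholders; the sshd_config keywords and the authorized_keys options are those documented for OpenSSH 3.4.

```shell
#!/bin/sh
# Added example (not from the article or the OpenSSH project): harden the
# shipped sshd_config for key-only logins and build a shared guest account's
# authorized_keys with per-key restrictions. Paths, hosts and key strings
# below are constructed placeholders, not real key material.

# set_sshd_option FILE KEYWORD VALUE
# The shipped default file lists every keyword commented out. Replace that
# line (or an active one) with "KEYWORD VALUE", or append if absent, so the
# file never ends up with two conflicting lines for one keyword.
set_sshd_option() {
    file=$1 key=$2 val=$3
    if grep -q "^[# ]*$key[[:space:]]" "$file"; then
        sed "s|^[# ]*$key[[:space:]].*|$key $val|" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$val" >> "$file"
    fi
}

# harden_sshd_config FILE
# Protocol 2 drops SSH1 (and its CRC-32 integrity check); the rest turns
# off every password and rhosts path so only public keys are accepted.
harden_sshd_config() {
    f=$1
    set_sshd_option "$f" Protocol 2
    set_sshd_option "$f" PubkeyAuthentication yes
    set_sshd_option "$f" PasswordAuthentication no
    set_sshd_option "$f" PermitEmptyPasswords no
    set_sshd_option "$f" ChallengeResponseAuthentication no
    set_sshd_option "$f" RhostsAuthentication no
    set_sshd_option "$f" RhostsRSAAuthentication no
    set_sshd_option "$f" HostbasedAuthentication no
    set_sshd_option "$f" PermitRootLogin no
    set_sshd_option "$f" StrictModes yes
}

# add_guest_key AUTHKEYS FROM_PATTERN PUBKEY_LINE
# One line per user of the shared account. from= pins the key to the
# client hosts it may arrive from; the no-* options keep a guest from
# turning the shared account into a tunnel endpoint.
add_guest_key() {
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$2" "$3" >> "$1"
}

# count_unrestricted AUTHKEYS
# Audit helper: number of active key lines that carry no from= option.
count_unrestricted() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
         !/from="/ { n++ }
         END { print n + 0 }' "$1"
}

# Stand-alone demo on scratch files. On the server the files are
# /etc/ssh/sshd_config and the guest account's ~/.ssh/authorized_keys;
# with StrictModes, ~guest, ~guest/.ssh and the file must not be writable
# by anyone but guest (modes 700 and 600 are the usual choice).
demo() {
    d=${TMPDIR:-/tmp}/sshdemo.$$
    mkdir -p "$d"
    printf '#Protocol 2,1\n#PasswordAuthentication yes\n#PermitRootLogin yes\n' \
        > "$d/sshd_config"
    harden_sshd_config "$d/sshd_config"
    : > "$d/authorized_keys"
    # constructed placeholder keys, not real key material
    add_guest_key "$d/authorized_keys" '10.1.2.*' \
        'ssh-rsa AAAAB3NzaC1yc2E...PLACEHOLDER alice@client1'
    add_guest_key "$d/authorized_keys" 'build.example.com' \
        'ssh-dss AAAAB3NzaC1kc3M...PLACEHOLDER bob@build'
    cat "$d/sshd_config" "$d/authorized_keys"
    echo "keys without from= restriction: $(count_unrestricted "$d/authorized_keys")"
    rm -r "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as sh guest-keys.sh demo to see the result on scratch files. On the server, apply harden_sshd_config to /etc/ssh/sshd_config and restart the daemon with stopsrc -g ssh followed by startsrc -g ssh, since sshd reads its configuration at start. Before closing the session you are editing from, open a second session and confirm that a key-based login succeeds: once PasswordAuthentication is no, anyone without a registered public key, including you, is locked out.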
- The OpenSSH web site
- Chapter 4 in the redbook Managing AIX Server Farms contains details about using OpenSSH with AIX.
- Download OpenSSH on AIX.
- AIX 5L Expansion Pack and Web Download Pack
- AIX Toolbox for Linux Applications
- Get up-to-date information about OpenSSH 3.4p1
Denise Genty is a developer and team lead on the IBM AIX Network Security team in the AIX Communications area and has worked in AIX development for twelve years. Current projects include RADIUS, IP Security, and Open Secure Shell. Denise has a BS in Computer Science from Texas A&M University. You can contact her at email@example.com.