![Close [x]](http://dw1.s81c.com/i/c.gif){kind=small}
Open Secure Shell (OpenSSH) is an open source version of the SSH protocol suite of network connectivity tools. The tools provide shell functions that are authenticated and encrypted. A shell is a command language interpreter that reads input from a command line string, stdin or a file. Why use OpenSSH? When you're running over unsecure public networks like the Internet, you can use the SSH command suite instead of the unsecure commands telnet, ftp, and r-commands.
OpenSSH delivers code that communicates using SSH1 and SSH2 protocols. What's the difference? The SSH2 protocol is a rewrite of SSH1. SSH2 contains separate, layered protocols, but SSH1 is one large set of code. SSH2 supports both RSA & DSA keys, but SSH1 supports only RSA, and SSH2 uses a strong crypto integrity check, where SSH1 uses a CRC-32 check. The Internet Engineering Task Force (IETF) maintains the secure shell standards.
OpenSSH has been updated to the 3.4p1 version of the open source code from openssh.org. You can get this version of binaries from the AIX 5L Expansion Pack and Web Download Pack. Or, you can download it from OpenSSH on AIX. Need to know more about the previous release, OpenSSH version 2.9.9, see OpenSSH is now bundled with AIX.
The primary new feature is user privilege separation, a
security enhancement that prevents super user escalation risks by reducing
the amount of code that runs with special privileges.
User privilege separation is enabled by default in the OpenSSH server
configuration file /etc/ssh/sshd_config:
#UsePrivilegeSeparation yes |
The way it works is that a separate server process is created for each
connection and when a request comes from a client, the ssh monitor process
forks an unpriviledged child process that handles all of the requests
from the client. If the client's request requires super user privileges
the request is sent to the privileged monitor process. When you view the
SSH processes started, you will see the sshd daemon for the monitor
process and an unprivileged process owned by the client. For further
detailed information about privilege separation, see the August 2002 article by Niels
Provos, Preventing Privilege Escalation.
Since AIX 5.2 is a new release of the AIX operating system, a separate
compilation of the OpenSSH source code was completed on this level of the
operating system. The VRMF of the 5.2 level of code is 3.4.0.5200, to
distinguish the install images from the 5.1 version. The
new VRMF will also help if migrating from AIX 5.1 to AIX 5.2. OpenSSH is
compiled using the C for AIX (cc) version 5.0 compiler.
The VRMF of the installation images will closely match the open source
code level, except for the "F" (Fix level). The fix level will be
increased each time a release is made that contains fixes between
major open source releases. For example, if we change the 3.4p1 level
of code to contain a patch from the 3.5 level of the open source code,
the "F" will be incremented (for example, 3.4.0.5201).
The OpenSSH source code has been enhanced with National Language Support (NLS) enablement since the initial 2.9.9 release in April 2002. In the October 2002 release, the message catalog file openssh.cat has been translated into 35 languages. The message catalog files are packaged in installp format with a name like openssh.msg.<LANGUAGE_ABBREVIATION> where LANGUAGE_ABBREVIATION is the 4-character locale code for the country (for example, DE_DE is UTF German). The message catalog filesets are available from the AIX 5L Expansion Pack and Web Download Pack and come bundled in the .tar.Z file. When installing OpenSSH filesets on different locales, the installation software installp determines the correct version of the message catalog fileset to install and the translated message catalog file gets copied into /usr/lib/nls/msg/<LANGUAGE_ABBREVIATION>.
Additional fixes in this release
In the latest OpenSSH version 3.4p1 binaries, we included several patches specific for AIX from the openssh.org site. The patches are for the following fixes:
- password expiration enforced
- updated files /etc/security/login and failedlogin
- updated the unsuccessful login count
- LOGIN environment variable set
- streaming large amounts of data no longer hangs the session
Since AIX 5.2 fully supports Pluggable Authentication Modules (PAM), OpenSSH
3.4.0.5200 has been compiled with PAM support. PAM is a framework where a
system administrator can add or stack multiple different authentication
modules by writing customized modules and configuring the system to use them.
On AIX 5.2, the PAM framework consists of a library, pluggable modules and a
configuration file. Because OpenSSH is compiled with PAM, the configuration file /etc/pam.conf
will be created on the server at openssh.base.server package installation time.
(In the future, /etc/pam.conf
will be created at openssh.base.server installation time).
The default PAM module can be pam_aix, where pam_aix is provided by the base
AIX operating system (automatically installed on AIX 5.2 in /usr/lib/security).
The pam_aix module allows access to the AIX security services by providing
access to AIX builtin functions such as the AIX pam_aix authentication() call.
The /etc/pam.conf for OpenSSH will look like this:
sshd auth required /usr/lib/security/pam_aix OTHER auth required /usr/lib/security/pam_aix sshd account required /usr/lib/security/pam_aix OTHER account required /usr/lib/security/pam_aix sshd password required /usr/lib/security/pam_aix OTHER password required /usr/lib/security/pam_aix sshd session required /usr/lib/security/pam_aix OTHER session required /usr/lib/security/pam_aix |
The permissions on /etc/pam.conf will be 644.
Cryptographic applications depend on random numbers. If the random numbers are not highly random and are not protected during generation, the security of the encryption may be weakened.
OpenSSH on AIX 5.1 is compiled using the entropy gathering mechanism (random
numbers) provided with the OpenSSH source code (ssh-rand-helper), as opposed
to AIX 4.3.3 (AIX Linux Toolbox) which uses the PRNGD open source
daemon (prngd-0.9.23-3.aix4.3.ppc.rpm package).
The AIX 5.2 base security provides new pseudo random number generator devices,
/dev/random and /dev/urandomM, pseudo-device driver and configuration routines
that select various hardware device interrupts to provide entropy. OpenSSH in
AIX 5.2 is compiled to take advantage of the new device /dev/urandom. You will
also need the latest OpenSSL version, openssl-0.9.6e-2.aix4.3.ppc.rpm (AIX
Linux Toolbox), for OpenSSH to use the /dev/urandom device.
- The OpenSSH fileset includes man pages with
openssh.man.en_US. - On the web, openBSD provides very good man pages.
- For installation instructions on the different levels of AIX (AIX 4.3.3, AIX 5.1 and AIX 5.2), see the IBM redbook Managing AIX Server Farms. Chapter 4.2 provides details about software prerequisites and about how to manage the OpenSSH server and use the client commands.
- The AIX 5.2 Security Guide has information about AIX and PAM.
Four installation packages contain the installp format of the code:
| openssh.base | Contains the binary executable files for the client and server
pieces of secure shell. There are two separate filesets,
openssh.base.client and openssh.base.server. You may install
the client portion only, but if you install the server portion,
the client pieces automatically get installed. |
|---|---|
| penssh.license | The IPLA non-warranted with Limited Program Services license text. This is the fileset that ensures that you read and accept the software license before installation. |
| openssh.man.en_US | Man pages as shipped with the openssh.org source code.
The man pages install into /usr/share/man directory and
can be viewed using the man command. There are man
pages for each command and the ssh_config and
sshd_config configuration files. |
| openssh.msg.<LANGUAGE_ABBREVIATION> | Translated message catalog file. The only .msg
fileset that gets installed relates to the locale
you have installed on the operating system. |
The installation packaging contains the scripts necessary to install the executables into the correct directories.
The following files are in the openssh.base.client fileset and are installed in /usr/bin:
ssh scp sftp ssh-add ssh-keygen ssh-keyscan ssh-agent ssh-keysign ssh-rand-helper |
The following files are in the openssh.base.server fileset and are installed in /usr/sbin:
sshd sftp-server |
The following configuration files are installed in /etc/ssh:
ssh_config sshd_config |
The packaging creates the sshd user, group, and /var/empty directory
needed for server execution on 3.4p1 level of code. The packaging also
enables the SRC control of the daemon, generates host keys and checks
for the prerequisite of OpenSSL before installing.
- Download the opensshi-aix package from OpenSSH on AIX.
- Get information about the AIX 5L Expansion Pack and Web Download Pack.
- See the openBSD man pages.
- See Preventing Privilege Escalation, article by Niels Provos, August 2002.
Denise Genty is a developer and team lead on the IBM AIX Network Security team in the AIX Communications area and has worked in AIX development for twelve years. Current projects include RADIUS, IP Security, and Open Secure Shell. Denise has a BS in Computer Science from Texas A&M University. You can contact her at genty@us.ibm.com.
