Get the latest version of OpenSSH for AIX

Get OpenSSH v3.4p1 -- download it or get it in the latest AIX 5L Expansion Pack and Web Download Pack

OpenSSH is a free software tool that supports SSH1 and SSH2 protocols. It's reliable and secure and is widely accepted in the IT industry to replace the r-commands, telnet, and ftp services, providing secure encrypted sessions between two hosts over the network. Get information in this article about OpenSSH version 3.4p1.

Denise Genty (genty@us.ibm.com), AIX Network Security Developer Team Lead, IBM

Denise Genty is a developer and team lead on the IBM AIX Network Security team in the AIX Communications area and has worked in AIX development for twelve years. Current projects include RADIUS, IP Security, and Open Secure Shell. Denise has a BS in Computer Science from Texas A&M University. You can contact her at genty@us.ibm.com.



10 February 2006 (First published 30 January 2003)

Also available in

What is Open Secure Shell?

Open Secure Shell (OpenSSH) is an open source version of the SSH protocol suite of network connectivity tools. The tools provide shell functions that are authenticated and encrypted. A shell is a command language interpreter that reads input from a command line string, stdin or a file. Why use OpenSSH? When you're running over unsecure public networks like the Internet, you can use the SSH command suite instead of the unsecure commands telnet, ftp, and r-commands.

OpenSSH delivers code that communicates using SSH1 and SSH2 protocols. What's the difference? The SSH2 protocol is a rewrite of SSH1. SSH2 contains separate, layered protocols, but SSH1 is one large set of code. SSH2 supports both RSA & DSA keys, but SSH1 supports only RSA, and SSH2 uses a strong crypto integrity check, where SSH1 uses a CRC-32 check. The Internet Engineering Task Force (IETF) maintains the secure shell standards.


What's new?

OpenSSH has been updated to the 3.4p1 version of the open source code from openssh.org. You can get this version of binaries from the AIX 5L Expansion Pack and Web Download Pack. Or, you can download it from OpenSSH on AIX. Need to know more about the previous release, OpenSSH version 2.9.9, see OpenSSH is now bundled with AIX.

The primary new feature is user privilege separation, a security enhancement that prevents super user escalation risks by reducing the amount of code that runs with special privileges. User privilege separation is enabled by default in the OpenSSH server configuration file /etc/ssh/sshd_config:

#UsePrivilegeSeparation yes

The way it works is that a separate server process is created for each connection and when a request comes from a client, the ssh monitor process forks an unpriviledged child process that handles all of the requests from the client. If the client's request requires super user privileges the request is sent to the privileged monitor process. When you view the SSH processes started, you will see the sshd daemon for the monitor process and an unprivileged process owned by the client. For further detailed information about privilege separation, see the August 2002 article by Niels Provos, Preventing Privilege Escalation.

Since AIX 5.2 is a new release of the AIX operating system, a separate compilation of the OpenSSH source code was completed on this level of the operating system. The VRMF of the 5.2 level of code is 3.4.0.5200, to distinguish the install images from the 5.1 version. The new VRMF will also help if migrating from AIX 5.1 to AIX 5.2. OpenSSH is compiled using the C for AIX (cc) version 5.0 compiler. The VRMF of the installation images will closely match the open source code level, except for the "F" (Fix level). The fix level will be increased each time a release is made that contains fixes between major open source releases. For example, if we change the 3.4p1 level of code to contain a patch from the 3.5 level of the open source code, the "F" will be incremented (for example, 3.4.0.5201).

The OpenSSH source code has been enhanced with National Language Support (NLS) enablement since the initial 2.9.9 release in April 2002. In the October 2002 release, the message catalog file openssh.cat has been translated into 35 languages. The message catalog files are packaged in installp format with a name like openssh.msg.<LANGUAGE_ABBREVIATION> where LANGUAGE_ABBREVIATION is the 4-character locale code for the country (for example, DE_DE is UTF German). The message catalog filesets are available from the AIX 5L Expansion Pack and Web Download Pack and come bundled in the .tar.Z file. When installing OpenSSH filesets on different locales, the installation software installp determines the correct version of the message catalog fileset to install and the translated message catalog file gets copied into /usr/lib/nls/msg/<LANGUAGE_ABBREVIATION>.


Additional fixes in this release

In the latest OpenSSH version 3.4p1 binaries, we included several patches specific for AIX from the openssh.org site. The patches are for the following fixes:

  • password expiration enforced
  • updated files /etc/security/login and failedlogin
  • updated the unsuccessful login count
  • LOGIN environment variable set
  • streaming large amounts of data no longer hangs the session

AIX 5.2 enhancements

Since AIX 5.2 fully supports Pluggable Authentication Modules (PAM), OpenSSH 3.4.0.5200 has been compiled with PAM support. PAM is a framework where a system administrator can add or stack multiple different authentication modules by writing customized modules and configuring the system to use them. On AIX 5.2, the PAM framework consists of a library, pluggable modules and a configuration file. Because OpenSSH is compiled with PAM, the configuration file /etc/pam.conf will be created on the server at openssh.base.server package installation time. (In the future, /etc/pam.conf will be created at openssh.base.server installation time).

The default PAM module can be pam_aix, where pam_aix is provided by the base AIX operating system (automatically installed on AIX 5.2 in /usr/lib/security). The pam_aix module allows access to the AIX security services by providing access to AIX builtin functions such as the AIX pam_aix authentication() call. The /etc/pam.conf for OpenSSH will look like this:

sshd    auth            required        /usr/lib/security/pam_aix
OTHER   auth            required        /usr/lib/security/pam_aix
sshd    account         required        /usr/lib/security/pam_aix
OTHER   account         required        /usr/lib/security/pam_aix
sshd    password        required        /usr/lib/security/pam_aix
OTHER   password        required        /usr/lib/security/pam_aix
sshd    session         required        /usr/lib/security/pam_aix
OTHER   session         required        /usr/lib/security/pam_aix

The permissions on /etc/pam.conf will be 644.

Cryptographic applications depend on random numbers. If the random numbers are not highly random and are not protected during generation, the security of the encryption may be weakened.

OpenSSH on AIX 5.1 is compiled using the entropy gathering mechanism (random numbers) provided with the OpenSSH source code (ssh-rand-helper), as opposed to AIX 4.3.3 (AIX Linux Toolbox) which uses the PRNGD open source daemon (prngd-0.9.23-3.aix4.3.ppc.rpm package).

The AIX 5.2 base security provides new pseudo random number generator devices, /dev/random and /dev/urandomM, pseudo-device driver and configuration routines that select various hardware device interrupts to provide entropy. OpenSSH in AIX 5.2 is compiled to take advantage of the new device /dev/urandom. You will also need the latest OpenSSL version, openssl-0.9.6e-2.aix4.3.ppc.rpm (AIX Linux Toolbox), for OpenSSH to use the /dev/urandom device.


Where to get documentation

  • The OpenSSH fileset includes man pages with openssh.man.en_US.
  • On the web, openBSD provides very good man pages.
  • For installation instructions on the different levels of AIX (AIX 4.3.3, AIX 5.1 and AIX 5.2), see the IBM redbook Managing AIX Server Farms. Chapter 4.2 provides details about software prerequisites and about how to manage the OpenSSH server and use the client commands.
  • The AIX 5.2 Security Guide has information about AIX and PAM.

Packaging

Four installation packages contain the installp format of the code:

Installation packageDescription
openssh.baseContains the binary executable files for the client and server pieces of secure shell. There are two separate filesets, openssh.base.client and openssh.base.server. You may install the client portion only, but if you install the server portion, the client pieces automatically get installed.
penssh.licenseThe IPLA non-warranted with Limited Program Services license text. This is the fileset that ensures that you read and accept the software license before installation.
openssh.man.en_USMan pages as shipped with the openssh.org source code. The man pages install into /usr/share/man directory and can be viewed using the man command. There are man pages for each command and the ssh_config and sshd_config configuration files.
openssh.msg.<LANGUAGE_ABBREVIATION>Translated message catalog file. The only .msg fileset that gets installed relates to the locale you have installed on the operating system.

The installation packaging contains the scripts necessary to install the executables into the correct directories.

The following files are in the openssh.base.client fileset and are installed in /usr/bin:

ssh
scp
sftp
ssh-add
ssh-keygen
ssh-keyscan
ssh-agent
ssh-keysign
ssh-rand-helper

The following files are in the openssh.base.server fileset and are installed in /usr/sbin:

sshd
sftp-server

The following configuration files are installed in /etc/ssh:

ssh_config
sshd_config

The packaging creates the sshd user, group, and /var/empty directory needed for server execution on 3.4p1 level of code. The packaging also enables the SRC control of the daemon, generates host keys and checks for the prerequisite of OpenSSL before installing.

Resources

Comments

developerWorks: Sign in

Required fields are indicated with an asterisk (*).


Need an IBM ID?
Forgot your IBM ID?


Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.

 


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name



The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.

 


All information submitted is secure.

Dig deeper into AIX and Unix on developerWorks


static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=AIX and UNIX
ArticleID=13031
ArticleTitle=Get the latest version of OpenSSH for AIX
publish-date=02102006