What is Open Secure Shell?
Open Secure Shell (OpenSSH) is an open source version of the SSH protocol suite of network connectivity tools. The tools provide shell functions that are authenticated and encrypted. A shell is a command language interpreter that reads input from a command line string, stdin or a file. Why use OpenSSH? When you are running over insecure public networks like the Internet, you can use the SSH command suite instead of the insecure commands telnet, ftp, and the r-commands.
OpenSSH delivers code that communicates using the SSH1 and SSH2 protocols. What's the difference? The SSH2 protocol is a rewrite of SSH1. SSH2 is made up of separate, layered protocols, whereas SSH1 is one large body of code. SSH2 supports both RSA and DSA keys, but SSH1 supports only RSA, and SSH2 uses a strong cryptographic integrity check where SSH1 uses a CRC-32 check. The Internet Engineering Task Force (IETF) maintains the secure shell standards.
OpenSSH has been updated to the 3.4p1 version of the open source code from openssh.org. You can get the binaries for this version from the AIX 5L Expansion Pack and Web Download Pack, or you can download them from OpenSSH on AIX.
The primary new feature is user privilege separation, a security enhancement that prevents super user escalation risks by reducing the amount of code that runs with special privileges. User privilege separation is enabled by default in the OpenSSH server configuration file. The way it works is that a separate server process is created for each connection, and when a request comes from a client, the monitor process forks an unprivileged child process that handles all of the requests from the client. If the client's request requires super user privileges, the request is sent to the privileged monitor process. When you view the SSH processes started, you will see the for the monitor process and an unprivileged process owned by the client. For further detailed information about privilege separation, see the August 2002 article by Niels Provos, Preventing Privilege Escalation.
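The following script is an added example, not code from the article or from the AIX packaging. It shows how an administrator can confirm that privilege separation is both configured and visible in the process list: one root-owned monitor per connection, each paired with an unprivileged child owned by the client. It assumes things the page does not state: that the server configuration file is sshd_config, that its directive is UsePrivilegeSeparation (which OpenSSH 3.4p1 defaults to yes), and that the process listing has ps -ef column order (UID PID PPID ...) with per-connection processes titled "sshd: user ...". The listing embedded below is constructed, not captured output.

```shell
#!/bin/sh
# Added example (not from the article or the AIX packaging): a defender's
# check that privilege separation is configured and visible in the process
# list. Assumptions not stated on the page: the server configuration file is
# sshd_config, its directive is "UsePrivilegeSeparation" (OpenSSH 3.4p1
# defaults it to yes), and the process listing has "ps -ef" column order
# (UID PID PPID ...), with per-connection processes titled "sshd: user ...".

# privsep_setting [FILE]: print the effective UsePrivilegeSeparation value
# ("yes" when the directive is absent). Reads FILE, or stdin when omitted;
# commented lines never match because "#" is glued to the keyword.
privsep_setting() {
    val=$(awk 'tolower($1) == "useprivilegeseparation" { v = tolower($2) }
               END { print v }' ${1+"$1"})
    if [ -n "$val" ]; then echo "$val"; else echo "yes"; fi
}

# classify_sshd [FILE]: one line per sshd process from a "ps -ef" listing:
#   listener <pid>        the master daemon (command line has no "sshd: " title)
#   monitor  <pid>        root-owned per-connection monitor
#   child    <pid> <uid>  unprivileged per-connection child (owned by the client)
# Any other process whose command line mentions sshd (a grep, say) is
# reported as a listener; filter the listing before piping it in if needed.
classify_sshd() {
    awk '/sshd/ {
        if ($0 !~ /sshd: /) { print "listener", $2; next }
        if ($1 == "root")   { print "monitor", $2; next }
        print "child", $2, $1
    }' ${1+"$1"}
}

# privsep_verdict: summarise classify_sshd output. With privilege separation
# active every monitor should have an unprivileged child, so a listing with
# monitors but fewer children is flagged "warn"; no connections is "idle".
privsep_verdict() {
    awk '$1 == "monitor" { m++ } $1 == "child" { c++ }
         END { printf "monitors=%d children=%d %s\n", m, c,
                      (m == 0 && c == 0) ? "idle" : ((m > 0 && c >= m) ? "ok" : "warn") }'
}

# Constructed sample listing (not real output): one listener, one connection
# from user alice with its root-owned monitor and alice-owned child.
SAMPLE_PS='UID PID PPID C STIME TTY TIME CMD
root 204 1 0 Oct01 - 0:00 /usr/sbin/sshd
root 318 204 0 Oct01 - 0:00 sshd: alice [priv]
alice 320 318 0 Oct01 - 0:00 sshd: alice@pts/0'

printf '%s\n' "$SAMPLE_PS" | classify_sshd
printf '%s\n' "$SAMPLE_PS" | classify_sshd | privsep_verdict
printf 'Port 22\n' | privsep_setting
```

On a live server the same functions take real input: `privsep_setting /path/to/sshd_config` and `ps -ef | classify_sshd | privsep_verdict`. A listing that shows root-owned monitors with no unprivileged children is the sign to look for, since it means sessions are being served entirely from privileged code.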
Since AIX 5.2 is a new release of the AIX operating system, a separate compilation of the OpenSSH source code was completed on that level of the operating system. The VRMF of the 5.2 level of code is 22.214.171.12400, to distinguish the install images from the 5.1 version. The new VRMF will also help when migrating from AIX 5.1 to AIX 5.2. OpenSSH is compiled using the C for AIX (cc) version 5.0 compiler. The VRMF of the installation images will closely match the open source code level, except for the "F" (fix level). The fix level will be incremented each time a release is made that contains fixes between major open source releases. For example, if we change the 3.4p1 level of code to contain a patch from the 3.5 level of the open source code, the "F" will be incremented (for
The OpenSSH source code has been enhanced with National Language Support (NLS) enablement since the initial 2.9.9 release in April 2002. In the October 2002 release, the message catalog file openssh.cat has been translated into 35 languages. The message catalog files are packaged in installp format with a name like openssh.msg.<LANGUAGE_ABBREVIATION>, where LANGUAGE_ABBREVIATION is the 4-character locale code for the country (for example, DE_DE is UTF German). The message catalog filesets are available from the AIX 5L Expansion Pack and Web Download Pack and come bundled in the .tar.Z file. When installing OpenSSH filesets in different locales, the installation software installp determines the correct version of the message catalog fileset to install, and the translated message catalog file is copied into /usr/lib/nls/msg/<LANGUAGE_ABBREVIATION>.
Additional fixes in this release
In the latest OpenSSH version 3.4p1 binaries, we included several patches specific to AIX from the openssh.org site. The patches provide the following fixes:
- password expiration enforced
- updated files /etc/security/login and failedlogin
- updated the unsuccessful login count
- LOGIN environment variable set
- streaming large amounts of data no longer hangs the session
AIX 5.2 enhancements
Since AIX 5.2 fully supports Pluggable Authentication Modules (PAM), OpenSSH 126.96.36.19900 has been compiled with PAM support. PAM is a framework in which a system administrator can add or stack multiple different authentication modules by writing customized modules and configuring the system to use them. On AIX 5.2, the PAM framework consists of a library, pluggable modules and a configuration file. Because OpenSSH is compiled with PAM, the configuration file /etc/pam.conf will be created on the server at installation time. (In the future, /etc/pam.conf will be created at openssh.base.server installation time.)
The default PAM module, pam_aix, is provided by the base AIX operating system (automatically installed on AIX 5.2). The pam_aix module allows access to the AIX security services by providing access to AIX builtin functions such as the AIX pam_aix authentication() call. The /etc/pam.conf entries for OpenSSH will look like this:
sshd auth required /usr/lib/security/pam_aix
OTHER auth required /usr/lib/security/pam_aix
sshd account required /usr/lib/security/pam_aix
OTHER account required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix
OTHER password required /usr/lib/security/pam_aix
sshd session required /usr/lib/security/pam_aix
OTHER session required /usr/lib/security/pam_aix
The permissions on /etc/pam.conf will be 644.
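As an added example (not part of the article and not IBM's or OpenSSH's own tooling), the script below checks a pam.conf against what the section above describes: that the sshd service has an enforcing entry for each of the four module types (auth, account, password, session) in the "service type control-flag module-path" layout shown, and that the file is not writable by group or other, as a 644 mode guarantees. It treats the "required" flag shown on the page, plus "requisite", as enforcing, and it honours an OTHER entry only when sshd has no entry of that type at all, which is how PAM falls back to OTHER. The two configurations embedded in it are constructed samples.

```shell
#!/bin/sh
# Added example (not from the article): validate that a pam.conf covers
# the sshd service for all four PAM module types, following the entry
# layout shown in the article (service type control-flag module-path).
# Only "required" (the flag used on the page) and "requisite" count as
# enforcing; an OTHER entry is honoured only when sshd has no entry of that
# type at all, which is how PAM falls back to OTHER.

# pam_sshd_check [FILE]: print "ok" or "missing: <types>" for the sshd
# service. Reads FILE, or stdin when omitted; comments and short lines skip.
pam_sshd_check() {
    awk '
    /^[ \t]*#/ || NF < 4 { next }
    {
        enforcing = ($3 == "required" || $3 == "requisite")
        if ($1 == "sshd") {
            has_sshd[$2] = 1
            if (enforcing) req_sshd[$2] = 1
        } else if ($1 == "OTHER" && enforcing) {
            req_other[$2] = 1
        }
    }
    END {
        n = split("auth account password session", types, " ")
        missing = ""
        for (i = 1; i <= n; i++) {
            t = types[i]
            covered = (t in req_sshd) || (!(t in has_sshd) && (t in req_other))
            if (!covered) missing = missing " " t
        }
        if (missing == "")
            print "ok"
        else
            print "missing:" missing
    }' ${1+"$1"}
}

# pam_conf_mode_check FILE: the article states /etc/pam.conf is installed
# with mode 644; report "ok" when neither group nor other can write it,
# otherwise "writable". Parses the mode column of "ls -ld".
pam_conf_mode_check() {
    mode=$(ls -ld "$1" | awk '{ print $1 }')
    case "$mode" in
        ?????w*|????????w*) echo "writable" ;;
        *) echo "ok" ;;
    esac
}

# Constructed sample matching the entries shown in the article.
PAM_FULL='sshd auth required /usr/lib/security/pam_aix
OTHER auth required /usr/lib/security/pam_aix
sshd account required /usr/lib/security/pam_aix
OTHER account required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix
OTHER password required /usr/lib/security/pam_aix
sshd session required /usr/lib/security/pam_aix
OTHER session required /usr/lib/security/pam_aix'

# Constructed weak sample: sshd has only an optional auth entry, so the
# OTHER auth fallback no longer applies, and session is absent altogether.
PAM_WEAK='sshd auth optional /usr/lib/security/pam_aix
OTHER auth required /usr/lib/security/pam_aix
sshd account required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix'

printf '%s\n' "$PAM_FULL" | pam_sshd_check
printf '%s\n' "$PAM_WEAK" | pam_sshd_check
```

On a server, run `pam_sshd_check /etc/pam.conf` and `pam_conf_mode_check /etc/pam.conf`. The weak sample illustrates the subtle case: adding a single non-enforcing sshd entry for a type silently disables the OTHER fallback for that type, so the check must look at sshd and OTHER together rather than at either alone.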
Cryptographic applications depend on random numbers. If the random numbers are not sufficiently random, or are not protected during generation, the security of the encryption may be weakened.
OpenSSH on AIX 5.1 is compiled using the entropy gathering mechanism (random numbers) provided with the OpenSSH source code (ssh-rand-helper), as opposed to AIX 4.3.3 (AIX Linux Toolbox), which uses the PRNGD open source daemon. The AIX 5.2 base security provides a new pseudo random number generator pseudo-device driver and configuration routines that select various hardware device interrupts to provide entropy. OpenSSH in AIX 5.2 is compiled to take advantage of the new device
You will also need the latest OpenSSL version, openssl-0.9.6e-2.aix4.3.ppc.rpm (AIX Linux Toolbox), for OpenSSH to use the
Where to get documentation
- The OpenSSH fileset includes man pages with
- On the web, OpenBSD provides very good man pages.
- For installation instructions on the different levels of AIX (AIX 4.3.3, AIX 5.1 and AIX 5.2), see the IBM redbook Managing AIX Server Farms. Chapter 4.2 provides details about software prerequisites and about how to manage the OpenSSH server and use the client commands.
- The AIX 5.2 Security Guide has information about AIX and PAM.
Four installation packages contain the installp format of the
| Fileset | Contents |
| openssh.base | Contains the binary executable files for the client and server pieces of secure shell. There are two separate filesets, |
| openssh.license | The IPLA non-warranted with Limited Program Services license text. This is the fileset that ensures that you read and accept the software license before installation. |
| openssh.man.en_US | Man pages as shipped with the openssh.org source code. The man pages install into |
| openssh.msg.<LANGUAGE_ABBREVIATION> | message catalog file. The only |
The installation packaging contains the scripts necessary to install the executables into the correct directories.
The following files are in the openssh.base.client fileset and are installed in
- ssh
- scp
- sftp
- ssh-add
- ssh-keygen
- ssh-keyscan
- ssh-agent
- ssh-keysign
- ssh-rand-helper
The following files are in the openssh.base.server fileset and are installed in
The following configuration files are installed in
The packaging creates the sshd user, group, and /var/empty directory needed for server execution on the 3.4p1 level of code. The packaging also enables SRC control of the daemon, generates host keys and checks for the prerequisite of OpenSSL before
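The following post-install checks are an added example, not part of the article or of the AIX packaging scripts. They verify the things the packaging is described as setting up: the sshd user, the /var/empty directory, and the host keys. Two assumptions go beyond the page: that sshd 3.4p1 refuses to start unless the privilege separation directory is root-owned and not group- or world-writable (the reason the packaging creates /var/empty), and that the host keys live in /etc/ssh as ssh_host_key, ssh_host_rsa_key and ssh_host_dsa_key; the page's own list of configuration file locations is cut off, so adjust the directory if your installation differs.

```shell
#!/bin/sh
# Added example (not from the article or the AIX packaging): post-install
# checks for what the packaging is described as setting up: the sshd user,
# the /var/empty directory, and the host keys. Assumptions not on the page:
# sshd 3.4p1 refuses to start unless the privilege separation directory is
# root-owned and not group- or world-writable, and host keys live in
# /etc/ssh as ssh_host_key, ssh_host_rsa_key and ssh_host_dsa_key.

# privsep_dir_check DIR [OWNER]: "ok", "missing", or the reasons sshd would
# reject DIR ("bad-owner", "writable", or both). OWNER defaults to root and
# is a parameter only so the check can be tried on a scratch directory.
privsep_dir_check() {
    dir=$1; owner=${2:-root}
    if [ ! -d "$dir" ]; then echo "missing"; return 0; fi
    set -- $(ls -ld "$dir")          # mode is field 1, owner is field 3
    mode=$1; own=$3
    reasons=""
    [ "$own" = "$owner" ] || reasons="$reasons bad-owner"
    case "$mode" in
        ?????w*|????????w*) reasons="$reasons writable" ;;
    esac
    if [ -z "$reasons" ]; then echo "ok"; else echo "${reasons# }"; fi
}

# privsep_account_check [USER]: "ok" if the sshd user (default) exists,
# otherwise "missing". Uses id(1), which reports both user and group.
privsep_account_check() {
    if id "${1:-sshd}" >/dev/null 2>&1; then echo "ok"; else echo "missing"; fi
}

# hostkeys_check [DIR]: "ok", or "missing: <names>" for expected host keys
# absent from DIR (default /etc/ssh, an assumption).
hostkeys_check() {
    dir=${1:-/etc/ssh}
    missing=""
    for k in ssh_host_key ssh_host_rsa_key ssh_host_dsa_key; do
        [ -f "$dir/$k" ] || missing="$missing $k"
    done
    if [ -z "$missing" ]; then echo "ok"; else echo "missing:$missing"; fi
}

echo "privsep dir:  $(privsep_dir_check /var/empty)"
echo "sshd account: $(privsep_account_check)"
echo "host keys:    $(hostkeys_check)"
```

A "writable" result on /var/empty is worth acting on before the daemon is started: the directory is where the unprivileged child is confined, and sshd will refuse to run with a group- or world-writable one rather than serve connections from it.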
- Download the openssh-aix package from OpenSSH on AIX.
- Get information about the AIX 5L Expansion Pack and Web Download Pack.
- See the OpenBSD man pages.
- See Preventing Privilege Escalation, article by Niels Provos, August 2002.