• Add a Comment
  • Edit
  • More Actions v
  • Quarantine this Entry

Comments (6)

1 AnthonyEnglish commented Permalink

Chris, <div>&nbsp;</div> Maybe we should put together a developerWorks wiki on gotchas for migrations to AIX 7.1. So far, before the migration, check: <br /> ssh keys <br /> revert to default tuning parameters <br /> remove MPIO filesets <br /> save sendmail config <br /> aixpert save XML files <div>&nbsp;</div> After the migration: <br /> install MPIO filesets <br /> Replace Kerberos entry KRB5A in /usr/lib/security/methods.cfg with KRB5. <div>&nbsp;</div> Anthony

2 dxtans commented Permalink

Chris, <br /> And tcp wrappers gets over written, well the hosts.allow/deny files <br /> inetd.conf and snmpd.conf gets over written. <div>&nbsp;</div> Good call on work around for SSH, bit of a bummer with sshd_confif, as my config file is heavily populated with chroot directives and allowed groups, fortunately I took local backups of my config files, so quickly got back to normal. <div>&nbsp;</div> DT

3 cggibbo commented Permalink

Hi Anthony and Dave, thanks for the comments. The wiki sounds like a great idea. We've got a decent list of tips and tricks already.

4 cggibbo commented Permalink

Oh yeah, /etc/motd is also over written.

5 sk@ commented Permalink

Chris, <br /> whats your thought , this procedure may vary if use different vendor ssh production in 5.3 and moving to open ssh in 7.1 ? <br /> ta <div>&nbsp;</div>

6 ZlatkoAIX commented Permalink

Preserving the keys is good when it comes to prevent disruption, and the workaround will do. However it is also important to take into account why the key replacement was added in OpenSSH 5.8. The replacement was driven by two factors: a) weaknesses in the keys by using pseudo-random sources with unsufficient enthropy, and b) potential unauthorised access to host keys. Both vulnerabilities compromise the security of the encrypted connection, and key preservation will keep the servers exposed.

Add a Comment Add a Comment