Introduction
What is Open Secure Shell?
What's new?
Additional fixes in this release
AIX 5.2 enhancements
Where to get documentation
Packaging
Downloadable resources
Related topics
Comments

Get the latest version of OpenSSH for AIX

Get OpenSSH v3.4p1 -- download it or get it in the latest AIX 5L Expansion Pack and Web Download Pack

Denise Genty
Published on January 30, 2003/Updated: February 10, 2006

What is Open Secure Shell?

Open Secure Shell (OpenSSH) is an open source version of the SSH protocol suite of network connectivity tools. The tools provide shell functions that are authenticated and encrypted. A shell is a command language interpreter that reads input from a command line string, stdin or a file. Why use OpenSSH? When you're running over unsecure public networks like the Internet, you can use the SSH command suite instead of the unsecure commands telnet, ftp, and r-commands.

OpenSSH delivers code that communicates using SSH1 and SSH2 protocols. What's the difference? The SSH2 protocol is a rewrite of SSH1. SSH2 contains separate, layered protocols, but SSH1 is one large set of code. SSH2 supports both RSA & DSA keys, but SSH1 supports only RSA, and SSH2 uses a strong crypto integrity check, where SSH1 uses a CRC-32 check. The Internet Engineering Task Force (IETF) maintains the secure shell standards.

What's new?

OpenSSH has been updated to the 3.4p1 version of the open source code from openssh.org. You can download it from OpenSSH on AIX.

The primary new feature is user privilege separation, a security enhancement that prevents super user escalation risks by reducing the amount of code that runs with special privileges. User privilege separation is enabled by default in the OpenSSH server configuration file /etc/ssh/sshd_config:

#UsePrivilegeSeparation yes

The way it works is that a separate server process is created for each connection and when a request comes from a client, the ssh monitor process forks an unpriviledged child process that handles all of the requests from the client. If the client's request requires super user privileges the request is sent to the privileged monitor process. When you view the SSH processes started, you will see the sshd daemon for the monitor process and an unprivileged process owned by the client. For further detailed information about privilege separation, see the August 2002 article by Niels Provos, Preventing Privilege Escalation.

Since AIX 5.2 is a new release of the AIX operating system, a separate compilation of the OpenSSH source code was completed on this level of the operating system. The VRMF of the 5.2 level of code is 3.4.0.5200, to distinguish the install images from the 5.1 version. The new VRMF will also help if migrating from AIX 5.1 to AIX 5.2. OpenSSH is compiled using the C for AIX (cc) version 5.0 compiler. The VRMF of the installation images will closely match the open source code level, except for the "F" (Fix level). The fix level will be increased each time a release is made that contains fixes between major open source releases. For example, if we change the 3.4p1 level of code to contain a patch from the 3.5 level of the open source code, the "F" will be incremented (for example, 3.4.0.5201).

The OpenSSH source code has been enhanced with National Language Support (NLS) enablement since the initial 2.9.9 release in April 2002. In the October 2002 release, the message catalog file openssh.cat has been translated into 35 languages. The message catalog files are packaged in installp format with a name like openssh.msg.<LANGUAGE_ABBREVIATION> where LANGUAGE_ABBREVIATION is the 4-character locale code for the country (for example, DE_DE is UTF German). The message catalog filesets are available from the AIX 5L Expansion Pack and Web Download Pack and come bundled in the .tar.Z file. When installing OpenSSH filesets on different locales, the installation software installp determines the correct version of the message catalog fileset to install and the translated message catalog file gets copied into /usr/lib/nls/msg/<LANGUAGE_ABBREVIATION>.

Additional fixes in this release

In the latest OpenSSH version 3.4p1 binaries, we included several patches specific for AIX from the openssh.org site. The patches are for the following fixes:

password expiration enforced
updated files /etc/security/login and failedlogin
updated the unsuccessful login count
LOGIN environment variable set
streaming large amounts of data no longer hangs the session

AIX 5.2 enhancements

Since AIX 5.2 fully supports Pluggable Authentication Modules (PAM), OpenSSH 3.4.0.5200 has been compiled with PAM support. PAM is a framework where a system administrator can add or stack multiple different authentication modules by writing customized modules and configuring the system to use them. On AIX 5.2, the PAM framework consists of a library, pluggable modules and a configuration file. Because OpenSSH is compiled with PAM, the configuration file /etc/pam.conf will be created on the server at openssh.base.server package installation time. (In the future, /etc/pam.conf will be created at openssh.base.server installation time).

The default PAM module can be pam_aix, where pam_aix is provided by the base AIX operating system (automatically installed on AIX 5.2 in /usr/lib/security). The pam_aix module allows access to the AIX security services by providing access to AIX builtin functions such as the AIX pam_aix authentication() call. The /etc/pam.conf for OpenSSH will look like this:

sshd    auth            required        /usr/lib/security/pam_aix
OTHER   auth            required        /usr/lib/security/pam_aix
sshd    account         required        /usr/lib/security/pam_aix
OTHER   account         required        /usr/lib/security/pam_aix
sshd    password        required        /usr/lib/security/pam_aix
OTHER   password        required        /usr/lib/security/pam_aix
sshd    session         required        /usr/lib/security/pam_aix
OTHER   session         required        /usr/lib/security/pam_aix

The permissions on /etc/pam.conf will be 644.

Cryptographic applications depend on random numbers. If the random numbers are not highly random and are not protected during generation, the security of the encryption may be weakened.

OpenSSH on AIX 5.1 is compiled using the entropy gathering mechanism (random numbers) provided with the OpenSSH source code (ssh-rand-helper), as opposed to AIX 4.3.3 (AIX Linux Toolbox) which uses the PRNGD open source daemon (prngd-0.9.23-3.aix4.3.ppc.rpm package).

The AIX 5.2 base security provides new pseudo random number generator devices, /dev/random and /dev/urandomM, pseudo-device driver and configuration routines that select various hardware device interrupts to provide entropy. OpenSSH in AIX 5.2 is compiled to take advantage of the new device /dev/urandom. You will also need the latest OpenSSL version, openssl-0.9.6e-2.aix4.3.ppc.rpm (AIX Linux Toolbox), for OpenSSH to use the /dev/urandom device.

Where to get documentation

The OpenSSH fileset includes man pages with openssh.man.en_US.
On the web, openBSD provides very good man pages.
For installation instructions on the different levels of AIX (AIX 4.3.3, AIX 5.1 and AIX 5.2), see the IBM redbook Managing AIX Server Farms. Chapter 4.2 provides details about software prerequisites and about how to manage the OpenSSH server and use the client commands.
The AIX 5.2 Security Guide has information about AIX and PAM.

Packaging

Four installation packages contain the installp format of the code:

Installation package	Description
openssh.base	Contains the binary executable files for the client and server pieces of secure shell. There are two separate filesets, `openssh.base.client` and `openssh.base.server`. You may install the client portion only, but if you install the server portion, the client pieces automatically get installed.
penssh.license	The IPLA non-warranted with Limited Program Services license text. This is the fileset that ensures that you read and accept the software license before installation.
openssh.man.en_US	Man pages as shipped with the openssh.org source code. The man pages install into `/usr/share/man` directory and can be viewed using the `man` command. There are man pages for each command and the `ssh_config` and `sshd_config` configuration files.
openssh.msg.<LANGUAGE_ABBREVIATION>	Translated message catalog file. The only `.msg` fileset that gets installed relates to the locale you have installed on the operating system.

The installation packaging contains the scripts necessary to install the executables into the correct directories.

The following files are in the openssh.base.client fileset and are installed in /usr/bin:

ssh
scp
sftp
ssh-add
ssh-keygen
ssh-keyscan
ssh-agent
ssh-keysign
ssh-rand-helper

The following files are in the openssh.base.server fileset and are installed in /usr/sbin:

sshd
sftp-server

The following configuration files are installed in /etc/ssh:

ssh_config
sshd_config

The packaging creates the sshd user, group, and /var/empty directory needed for server execution on 3.4p1 level of code. The packaging also enables the SRC control of the daemon, generates host keys and checks for the prerequisite of OpenSSL before installing.