Setting up an SSH client

Secure Shell (SSH) is a client/server network application. It is used as a communication vehicle between the host system (for example, a laptop computer) and the system command-line interface (CLI).

Overview

The system acts as the SSH server in this relationship. If you require command-line access without entering a password, authentication uses the principles of public and private keys.

Authenticating SSH logins

Generate a Secure Shell (SSH) key pair to use the command-line interface (CLI). Additionally, when you use SSH to log in to the system, you must use RSA-based private key authentication.

When you are using AIX® hosts, SSH logins are authenticated on the system by using the RSA-based authentication that is supported in the OpenSSH client that is available for AIX. This scheme is based on the supplied password or, if you require command-line access without entering a password, on public-key cryptography that uses an algorithm commonly known as RSA.
Note: The authentication process for host systems that are not AIX is similar.

With this scheme (as in similar OpenSSH systems on other host types), encryption and decryption are done by using separate keys. This scheme means that it is not possible to derive the decryption key from the encryption key.

Because physical possession of the private key allows access to the system, the private key must be kept in a protected place, such as the .ssh directory on the AIX host, with restricted access permissions.
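The permission requirement above can be checked mechanically. The following shell functions are an added example, not part of the original documentation; they assume that keys are stored in the directory passed as the argument (default ~/.ssh) and treat any file whose first line is a PEM or OpenSSH private-key header as a private key.

```shell
#!/bin/sh
# Added example: audit an SSH client directory for private keys that
# group or other users can access. Directory layout is an assumption.

# Succeeds when group and other have no permission bits on $1.
is_owner_only() {
    # ls -ld prints e.g. "-rw-------"; characters 5-10 are the group/other bits.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Succeeds when the first line of $1 is a private-key header.
is_private_key() {
    head -n 1 "$1" 2>/dev/null | grep -q 'BEGIN .*PRIVATE KEY-----'
}

# Audits directory $1 (default ~/.ssh). Prints one line per finding and
# returns the number of findings (0 means clean).
audit_ssh_dir() {
    dir=${1:-"$HOME/.ssh"}
    findings=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 1
    fi
    if ! is_owner_only "$dir"; then
        echo "LOOSE-DIR $dir (fix: chmod 700)"
        findings=$((findings + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip subdirectories and empty globs
        is_private_key "$f" || continue  # public keys, config, known_hosts
        if ! is_owner_only "$f"; then
            echo "LOOSE-KEY $f (fix: chmod 600)"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage: audit_ssh_dir "$HOME/.ssh"
```

Public key files are deliberately ignored, because only the private half grants access.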

When SSH client (A) attempts to connect to SSH server (B), the SSH password (or, if you require command-line access without entering a password, the key pair) authenticates the connection. The key pair consists of two halves: the public key and the private key. The SSH client public key is put onto SSH server (B) by some means outside of the SSH session. When SSH client (A) tries to connect, the private key on SSH client (A) is able to authenticate with its public half on SSH server (B).

The system supports up to 32 interactive SSH sessions on the management IP address simultaneously.
Note: After an SSH interactive session times out, the session is closed automatically. The session timeout limit is set to 15 minutes by default. The limit value can be changed by using the CLI command. See chsecurity.

To connect to the system, the SSH client requires a user login name and an SSH password (or if you require command-line access without entering a password, the key pair). Authenticate to the system by using a management username and password. When you use an SSH client to access a system, you must use your username and password. The system uses the password (and if not a password, the SSH key pair) to authorize the user who is accessing the system.

For multifactor authentication, IBM Security Verify communicates with the system and uses a PAM module to handle second-factor authentication for SSH logins. For more information about multifactor authentication, refer to Multifactor authentication.