IBM Support

AIX: Incorporating EFS into SSH public key authentication

How To


Summary

When EFS is enabled on a system and a user's login password is kept in sync with their EFS keystore password, the user's EFS keys are loaded automatically at login: the main AIX authentication routine passes the password given at login to the EFS login routine, which uses it to open the keystore.

With SSH public key authentication, however, no password is presented during login, so there is nothing to pass to the EFS login routine and the keystore stays closed. To have EFS keys loaded when public key authentication is in use, you must add the public keys from the target user's authorized_keys file to that user's EFS keystore.

Steps

In short, run 'efskeymgr -P ~/.ssh/authorized_keys' as the target user on the target system to push the contents of authorized_keys into that user's keystore.

The target system needs the following in its /etc/ssh/sshd_config file (restart sshd after the change):
AllowPKCS12keystoreAutoOpen yes
FingerprintHash md5
The source system needs the following in its /etc/ssh/ssh_config file:
AllowPKCS12keystoreAutoOpen yes
With that in place, EFS keys are loaded automatically during public key authentication. FingerprintHash only changes the hash algorithm OpenSSH uses when it displays and logs key fingerprints; it does not weaken the keys themselves, but sshd's log entries on the target will now show MD5 fingerprints, so use 'ssh-keygen -l -E md5' when you need to produce matching fingerprints for comparison.
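The following is an added example, not part of the IBM page: a small POSIX sh script that applies the configuration changes above idempotently and then validates and restarts sshd. It is written this way because OpenSSH uses the first occurrence of a keyword and treats everything after a Match line (or, in ssh_config, a Host or Match line) as conditional, so appending the lines to the end of an existing file can silently have no effect. The function names, the temp-file naming and the use of the AIX SRC commands stopsrc/startsrc for the restart are this script's own choices.

```shell
#!/bin/sh
# Added example (not from the IBM page): apply the sshd_config / ssh_config
# settings for the EFS/SSH integration idempotently, validate, restart sshd.
# Function names, temp-file naming and the SRC restart are this script's choices.

# get_option FILE KEYWORD
# Prints the effective global value: the first uncommented occurrence before any
# "Match" (sshd_config, ssh_config) or "Host" (ssh_config) line, since a keyword
# after one of those is conditional. Matching is case-insensitive, as in OpenSSH.
get_option() {
    awk -v key="$2" '
        tolower($1) == tolower(key)                     { print $2; exit }
        tolower($1) == "match" || tolower($1) == "host" { exit }
    ' "$1"
}

# set_option FILE KEYWORD VALUE
# Replaces the first global occurrence in place; otherwise inserts the line
# before the first block start; otherwise appends. The result is written back
# with "cat >" so the file keeps its owner and mode. Safe to run repeatedly.
set_option() {
    so_file=$1 so_key=$2 so_val=$3
    so_tmp="$so_file.$$"
    awk -v key="$so_key" -v val="$so_val" '
        BEGIN { done = 0 }
        !done && tolower($1) == tolower(key) { print key " " val; done = 1; next }
        !done && (tolower($1) == "match" || tolower($1) == "host") {
            print key " " val; done = 1
        }
        { print }
        END { if (!done) print key " " val }
    ' "$so_file" > "$so_tmp" && cat "$so_tmp" > "$so_file"
    so_rc=$?
    rm -f "$so_tmp"
    return $so_rc
}

# configure_target_sshd [CONFIG]
# Target-side part of the procedure: set both options, refuse to restart sshd if
# it rejects the resulting file (sshd -t), then restart the SRC subsystem.
configure_target_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    set_option "$cfg" AllowPKCS12keystoreAutoOpen yes || return 1
    set_option "$cfg" FingerprintHash md5 || return 1
    if /usr/sbin/sshd -t -f "$cfg"; then
        stopsrc -s sshd; startsrc -s sshd
    else
        echo "$cfg failed sshd -t; sshd not restarted" >&2
        return 1
    fi
}

# configure_source_ssh [CONFIG]
# Source-side part: the client option must sit above any Host/Match block.
configure_source_ssh() {
    set_option "${1:-/etc/ssh/ssh_config}" AllowPKCS12keystoreAutoOpen yes
}
```

Before touching the live file, run set_option against a copy and check it with 'sshd -t -f copy'; that validates the result without restarting anything.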

A more detailed example of how to get this working is given below.
First, on the target system, which already has EFS enabled with 'efsenable -a':
# hostname
testlab179
Using a file system called /efsfs for this test, make sure to enable EFS on it:
 
# chfs -a efs=yes /efsfs
# lsfs -q /efsfs
Name            Nodename   Mount Pt               VFS   Size    Options    Auto Accounting
/dev/fslv08     --         /efsfs                 jfs2  2097152 rw         yes  no
  (lv size: 2097152, fs size: 2097152, block size: 4096, sparse files: yes, inline log: no, inline log size: 0, EAformat: v2, Quota: no, DMAPI: no, VIX: yes, EFS: yes, ISNAPSHOT: no, MAXEXT: 0, MountGuard: no)

Set inheritance on this file system to automatically encrypt files:
# efsmgr -s -E /efsfs

Create a user and set its initial password:
# mkuser user2
# passwd user2
Changing password for "user2"
user2's New password:
Enter the new password again:
An EFS keystore is created at this point:
# ls -l /var/efs/users/user2
total 8
-rw-------    1 root     system            0 Feb 23 20:22 .lock
-rw-------    1 root     system         1914 Feb 23 20:22 keystore
Log in and change the user's initial password:
# ssh user2@testlab179
user2@testlab179's password:
[compat]: 3004-610 You are required to change your password.
        Please choose a new one.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for "user2"
user2's Old password:
user2's New password:
Enter the new password again:
Connection to testlab179 closed.
Log in again with the new password and verify the user's keys are loaded:
 
# ssh user2@testlab179
user2@testlab179's password:
$ efskeymgr -V
List of keys loaded in the current process:
 Key #0:
                           Kind ..................... User key
                           Id   (uid / gid) ......... 595
                           Type ..................... Private key
                           Algorithm ................ RSA_1024
                           Validity ................. Key is valid
                           Fingerprint .............. 54e38285:4296092d:94e73214:cb5b69dc:39bb2686

Create a test file, which will be automatically encrypted due to the file system inheritance option that was set earlier:
$ echo "test EFS file" > /efsfs/user2_test
$ cat /efsfs/user2_test
test EFS file
Test by using su to switch to another user, and verify that the encryption prevents that user from reading the file even though its read permissions are open:
# su - user3
$ ls -l /efsfs/user2_test
-rw-r--r--    1 user2    staff            14 Feb 23 20:37 /efsfs/user2_test
$ cat /efsfs/user2_test
cat: 0652-050 Cannot open /efsfs/user2_test.
Next, on the source system, create a user:
 
# hostname
testlab178

# mkuser user1
Set a password for this user, log in as the user, and create an SSH key pair:
$ ssh-keygen -b 2048 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user1/.ssh/id_rsa):
Created directory '/home/user1/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user1/.ssh/id_rsa.
Your public key has been saved in /home/user1/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:I3X0duVWzQgzoIzk7R7+YLkykNl66GZP8wdla16oaKI user1@testlab178
The key's randomart image is:
+---[RSA 2048]----+
|      .   o.+. o+|
|     o + o . o.o+|
|      o = . o . o|
|       o .o. . . |
|     +. So o     |
|    + .+.++ .    |
|     +o.*= .     |
|    *.*+.+o      |
|  E=.=.oo..      |
+----[SHA256]-----+
Transfer the /home/user1/.ssh/id_rsa.pub file to the target system and append its contents to user2's authorized_keys file.
Permissions and ownership of user2's .ssh directory and authorized_keys file need to be set like this (with the default StrictModes, sshd ignores authorized_keys if the directory or the file is writable by group or other):
$ ls -ld /home/user2/.ssh
drwx------    2 user2    staff           256 Feb 23 20:40 /home/user2/.ssh
$ ls -l /home/user2/.ssh/authorized_keys
-rw-r--r--    1 user2    staff           395 Feb 23 20:40 /home/user2/.ssh/authorized_keys
The authorized_keys file now contains the id_rsa.pub contents from user1 on the source system; other keys can be added as needed:
$ cat /home/user2/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ...etc...k5W5s3KUJ+j1rHiOMsjBoGR user1@testlab178
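As an added example that is not part of the IBM page, here is a shell check for the ownership and modes shown above. With StrictModes (OpenSSH's default), sshd ignores authorized_keys if the home directory, ~/.ssh or the file itself is writable by group or other, or is owned by someone other than the user or root, and the only symptom is that the client falls back to a password prompt. The function names are this script's own; it uses only ls, cut and awk so that it also runs under AIX ksh.

```shell
#!/bin/sh
# Added example (not from the IBM page): verify a target user's home, ~/.ssh and
# authorized_keys have the ownership and modes sshd requires under StrictModes.
# Function names are this script's; only ls, cut and awk are used.

# writable_by_others PATH -> 0 if the group or other "w" bit is set
writable_by_others() {
    wo_mode=$(ls -ld "$1" | cut -c1-10)   # e.g. drwxr-xr-x; drops a trailing ACL "+"
    case $wo_mode in
        ?????w????|????????w?) return 0 ;;
        *)                     return 1 ;;
    esac
}

# owner_of PATH -> prints the owner as shown by ls
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# check_ssh_perms HOME_DIR USER
# Applies sshd's StrictModes rules to the chain it inspects: the home directory,
# ~/.ssh and ~/.ssh/authorized_keys must each exist, be owned by USER (or root)
# and not be writable by group or other. Returns 0 if all pass; otherwise
# prints each problem to stderr and returns 1.
check_ssh_perms() {
    cp_home=$1 cp_user=$2 cp_rc=0
    for cp_p in "$cp_home" "$cp_home/.ssh" "$cp_home/.ssh/authorized_keys"; do
        if [ ! -e "$cp_p" ]; then
            echo "missing: $cp_p" >&2
            cp_rc=1
            continue
        fi
        cp_owner=$(owner_of "$cp_p")
        if [ "$cp_owner" != "$cp_user" ] && [ "$cp_owner" != root ]; then
            echo "bad owner on $cp_p: $cp_owner (expected $cp_user)" >&2
            cp_rc=1
        fi
        if writable_by_others "$cp_p"; then
            echo "group/world writable: $cp_p" >&2
            cp_rc=1
        fi
    done
    return $cp_rc
}

# usage on the target system from this page:
#   check_ssh_perms /home/user2 user2
```

Run it as the target user (or root) before the first public-key login attempt; a non-zero exit tells you sshd will fall back to a password prompt, and the messages on stderr say which path to fix.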
At this point, user1 on the source system can use public key authentication to log in as user2 on the target system without a password, but no EFS keys are loaded:
 
# hostname
testlab178
# su - user1
$ ssh user2@testlab179
<success>
$ id
uid=595(user2) gid=1(staff)
$ efskeymgr -V
There is no key loaded in the current process.

To continue, on the target system and logged in as user2, push the keys from authorized_keys into user2's EFS keystore (the command prompts for user2's EFS keystore password):
$ hostname
testlab179
$ id
uid=595(user2) gid=1(staff)
$ efskeymgr -P /home/user2/.ssh/authorized_keys
user2's EFS password:

Add these options to /etc/ssh/sshd_config on the target system and restart sshd (for example with stopsrc -s sshd followed by startsrc -s sshd):
AllowPKCS12keystoreAutoOpen yes
FingerprintHash md5
Back on the source system, add the following to /etc/ssh/ssh_config:
AllowPKCS12keystoreAutoOpen yes
Attempt a login again, and verify the keys are loaded and the encrypted file can be read:
 
$ ssh user2@testlab179
Last login: Wed Feb 23 20:52:45 CST 2022 on ssh from testlab178.aus.stglabs.ibm.com

$ efskeymgr -V
List of keys loaded in the current process:
 Key #0:
                           Kind ..................... User key
                           Id   (uid / gid) ......... 595
                           Type ..................... Private key
                           Algorithm ................ RSA_1024
                           Validity ................. Key is valid
                           Fingerprint .............. 54e38285:4296092d:94e73214:cb5b69dc:39bb2686
$ cat /efsfs/user2_test
test EFS file
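To verify the result non-interactively from the source host (for example after changing sshd_config on many targets), the following added example, which is not part of the IBM page, runs efskeymgr -V over the same public-key login and parses its output. The parsing relies only on the two efskeymgr -V output forms shown in this article; the function names and the use of BatchMode are this script's own choices.

```shell
#!/bin/sh
# Added example (not from the IBM page): probe whether EFS keys are loaded for a
# public-key login, from the source host, without an interactive session.
# Function names are this script's; the parser relies only on the two
# "efskeymgr -V" output forms shown in this article.

# efs_keys_loaded  (reads efskeymgr -V output on stdin)
# Prints a one-line summary and returns 0 if at least one key is loaded,
# 1 if none is loaded or the output is not recognised (e.g. an ssh error text).
efs_keys_loaded() {
    awk '
        /^There is no key loaded/ { none = 1; exit }
        /^ *Key #/                { n++ }
        /Fingerprint/             { fps = fps " " $NF }
        END {
            if (none)   { print "no EFS key loaded"; exit 1 }
            if (n == 0) { print "unrecognised efskeymgr output"; exit 1 }
            printf "loaded %d key(s):%s\n", n, fps
            exit 0
        }
    '
}

# check_efs_login USER@HOST
# Runs efskeymgr -V over the public-key login this page sets up. BatchMode makes
# ssh fail outright instead of falling back to a password prompt; a password
# login would load the keys through the password path and mask a missing push.
check_efs_login() {
    cel_target=$1
    cel_raw=$(ssh -o BatchMode=yes -o ConnectTimeout=10 "$cel_target" efskeymgr -V 2>&1)
    cel_rc=$?
    if [ "$cel_rc" -eq 255 ]; then        # 255 = ssh itself failed (auth, network)
        echo "$cel_target: ssh failed: $cel_raw" >&2
        return 1
    fi
    if cel_res=$(printf '%s\n' "$cel_raw" | efs_keys_loaded); then
        echo "$cel_target: OK, $cel_res"
    else
        echo "$cel_target: FAIL, $cel_res" >&2
        return 1
    fi
}

# usage with this page's hosts, run as user1 on testlab178:
#   check_efs_login user2@testlab179
```

A FAIL with "no EFS key loaded" after a successful public-key login points at the keystore side rather than at sshd: a key appended to authorized_keys after the last 'efskeymgr -P' run is not in the keystore until the push is repeated, and the two configuration options only take effect once sshd has been restarted.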


Document Information

Modified date:
04 September 2022

UID

ibm16559208