Deploying OpenSSH on AIX 4.3

Sandor W. Sklar

$Id: openssh-aix.html,v 1.15 2001/11/19 14:42:33 ssklar Exp ssklar $


Introduction

Should I take this tutorial?

This tutorial is designed for administrators of IBM RS/6000 systems who wish to improve the security and integrity of their servers running AIX 4.3, by replacing standard insecure network services with those provided by the OpenSSH implementation of the Secure Shell protocol.

Neither general network security, nor the use of the ssh client software is discussed in-depth; the primary focus of this tutorial is to detail the necessary components, steps, and configuration required to compile OpenSSH and its prerequisites from source and to deploy it across AIX systems.


About the examples

The example system used in this tutorial is an RS/6000 running AIX 4.3.3 Maintenance Level 08. The source software was compiled with the IBM C for AIX version 5.0.1 compiler.

The latest stable version of each software package was used for this tutorial. As options and behavior of software may change across releases, always refer to the documentation included with the source distribution for the most recent information.


About the author

Sandor W. Sklar is a Unix Systems Administrator at Stanford University. He, his wife, and two children live in Northern California, and may be contacted at <ssklar@stanford.edu>.



What is OpenSSH?

What is wrong with the default services?

AIX provides, as does most UNIX implementations, a large number of services, enabling remote users to log in interactively, transfer files to and from the server, and issue commands to the server in a non-interactive fashion. Unfortunately, most of the "daemons" (programs running on the server that fulfill requests for particular services) were designed during a time when security of systems and network traffic was an afterthought, if thought of at all.

The protocols behind such services as "telnet", "rsh", and "ftp" contain no provision for the encryption of traffic passed over the network; the methods used for authentication of users is in some protocols, extremely weak and easily forged; even worse is the transmission of user IDs and passwords from the client to the server in clear-text. Further, there is no guarantee that the data transferred through the network has not been intercepted by a third-party and possibly altered.

The Secure Shell (SSH) protocol was developed to "fix" the problems caused by these inherently insecure services.


The development of the Secure Shell protocol

In 1995, the original SSH protocol was developed by Tatu Ylönen, a researcher at the Helsinki University of Technology, in Finland. Along with developing the protocol, Ylönen also wrote an implementation for UNIX systems, distributing the source as free software, for unlimited use. As the popularity of the SSH software grew worldwide, Ylönen formed a company, SSH Communications Security, Ltd, in order to further development of the product (now licensed commercially, but with source available) and provide support.

In time, limitations and flaws were discovered in the original definition of the protocol. These problems could not be fixed without breaking compatibility with older versions, so a new protocol was defined, fixing the issues with the original SSH protocol. . As the various implementations of the protocol 2 software mature and gain features, the use of the older protocol 1-based software will fade. For now, though, implementations of both protocol 1 and protocol 2 are in widespread use around the world, and to provide service to the widest audience of clients, it is important for servers to support connections via both protocols.


What does SSH do?

The Secure Shell protocol (both protocols, but in different ways) "fixes" the following problems, most of which are inherent in the design of the various protocols that SSH can replace:


The OpenSSH project

The creation of OpenSSH, a completely free implementation of both protocol 1 and 2, was undertaken by the OpenBSD project, in order to provide a Secure Shell implementation unencumbered by restrictive licensing. First included with the release of OpenBSD 2.6, the quality and security of the code produced was excellent, and ported to other UNIX operating systems soon after.

Currently, the development of OpenSSH is divided between into two teams. One team does strictly OpenBSD-based development, aiming to produce code that is as clean, simple, and secure as possible. The other team takes the clean version and makes it portable, so that it will build and run on many operating systems, including AIX. The portable releases can be identified by the "p" in the version number; source distributions without the "p" will compile only on OpenBSD.



Gathering the pieces

The ingredients used in the recipe

OpenSSH, like many other open source software applications, builds on the work and components of other applications to perform its tasks. This allows the developers of OpenSSH to focus on creating the stable and secure code that is at the core of the application, while relying on the expertise and ability of the developers of other applications to ensure that those components perform as designed.

Unfortunately, this model can make the deployment of OpenSSH a bit like a recipe: these numerous components need to be downloaded and compiled separately, and the various applications can use different systems for configuration, compilation, and installation of their code.


Obtain the prerequisites

The following open source software projects are required to compile and deploy OpenSSH. The version numbers for each package listed is the most current stable version at the time of this tutorial. Check the project's website to find out about updated releases.


Build and install gzip

GNU Zip (gzip) is an open source data compression program, similar to the standard UNIX compress/uncompress applications, but unencumbered by patents that might affect its status as free software.

Though gzip is not a prerequisite for building OpenSSH, its use is required in decompressing the source bundles that will be used later in this tutorial. The gzip format is the most often for the distribution of free software on the Internet, and so its presence on an AIX system is "almost" a requirement.

Fortunately, the source for gzip is available in an uncompressed tape archive (tar) format. After downloading the tarball and saving it into /usr/local/src, execute the following commands:

tar xvf gzip-1.2.4a.tar
cd gzip-1.2.4a
./configure && make check

When the auto-configuration and compilation is complete, the following lines will be output:

gzip test OK
   rm -f _gztest*

Now as root, run the command make install, and the following files will be installed into the subdirectories of /usr/local:

/usr/local/man/man1/gzip.1
/usr/local/man/man1/gzexe.1
/usr/local/man/man1/zdiff.1
/usr/local/man/man1/zgrep.1
/usr/local/man/man1/zmore.1
/usr/local/man/man1/znew.1
/usr/local/man/man1/zforce.1
/usr/local/man/man1/zcat.1
/usr/local/man/man1/zcmp.1
/usr/local/man/man1/gunzip.1
/usr/local/bin/gzip
/usr/local/bin/zdiff
/usr/local/bin/zgrep
/usr/local/bin/zmore
/usr/local/bin/znew
/usr/local/bin/zforce
/usr/local/bin/gzexe
/usr/local/bin/zcmp
/usr/local/bin/gunzip
/usr/local/bin/zcat
/usr/local/info/gzip.info

Build and install zlib

Zlib is a lossless, general-purpose compression library used by many open source software projects. The library uses the same compression algorithms used by the gzip program, which are more efficient than those used by UNIX compress.

After downloading the source for the latest version of zlib, and placing it into /usr/local/src, run the following commands:

gunzip -c zlib-1.1.3.tar.gz | tar xvf -
cd zlib-1.1.3
vi Makefile

Edit the file "Makefile", adding "-qmaxmem=-1" to the end of the CFLAGS line, so that it appears as such:

CFLAGS=-O -qmaxmem=-1

Run the command make test to compile and test the library. When that process is complete, the last line displayed on the screen will be:

*** zlib test OK ***

As root, run the command make install to install the following components into subdirectories of /usr/local/src:

/usr/local/lib/libz.a
/usr/local/include/zlib.h
/usr/local/include/zconf.h

Build and install prngd

The "Psudo Random Number Generator Daemon", prngd, provides a source of entropy on platforms that do not include a /dev/random special file for that purpose. Entropy, or "randomness", is an integral part of any encryption process. Generating a quantity of true random data is critical in securing password, secret phrases, and other encrypted data. Many UNIX platform provide a kernel-level source of random data, via the /dev/random special file.

Unfortunately, AIX 4.3 does not include this source of randomness. On AIX and other systems lacking /dev/random, the prngd application can provide the entropy required by OpenSSH and other cryptographic software.

After downloading the source for the latest version of prngd into /usr/local/src, run the following commands:

gunzip -c prngd-0.9.23.tar.gz | tar xvf -
cd prngd-0.9.23.tar.gz
vi Makefile

Find the AIX 4.3 w/cc section in the Makefile; uncomment and add the flag "-qmaxmem=-1" to the CFLAGS line, so that it appears as such:

# AIX 4.3 w/cc ("Joerg Petersen <j.petersen@msh.de>)
# Please also check out contrib/AIX-4.3/00README.aix-src
CFLAGS=-O -DAIX43 -qmaxmem=-1
# SYSLIBS=

The source can then be compiled by issuing the make command. The prngd Makefile does not include a rule for installing the daemon; it must be installed manually, by running the command:

mkdir /usr/local/sbin ; cp prngd /usr/local/sbin/
cp contrib/prngd.conf.aix43 /etc/prngd.conf

The longer the prngd daemon process is running, the better the quality of randomness it can provide to other applications that use entropy. Thus, this daemon should be run at startup and should never exit. There are numerous methods of running daemons at startup; this tutorial will present one using the AIX System Resource Controller (SRC). By using SRC, a consistent interface for starting, stopping, and querying the status of the "subsystem" will be made available.

To create a subsystem for controlling the prngd daemon, issue the command:

/usr/bin/mkssys -s prngd -p /usr/local/sbin/prngd -a '-f -c /etc/prngd.conf -s /var/tmp/egd-seed /dev/egd-pool' -u 0 -S -n 15 -f 9 -R -G local

The prngd subsystem can now be started via the command startsrc -s prngd. To have the prngd subsystem start at system boot, run the following command, which will add an entry to /etc/inittab:

/usr/sbin/mkitab "prngd:2:wait:startsrc -s prngd > /dev/console 2>&1"


Build and install OpenSSL

OpenSSL is an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. The general-purpose cryptology libraries provided with OpenSSL are used by a number of encryption-related applications, including OpenSSH.

After downloading the latest source release of OpenSSL into /usr/local/src, run the following commands:

gunzip -c openssl-0.9.6b.tar.gz | tar xvf -
cd openssl-0.9.6b
./config && make && make test

Note: OpenSSL is a large and complicated package; the compilation and testing can take a very long time, especially on slower systems. When the test suite has completed, text similar to the following will be printed to the screen:

OpenSSL 0.9.6b 9 Jul 2001
built on: Sat Nov 17 17:41:15 PST 2001
platform: aix43-cc
options: bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,4,long) idea(int) blowfish(idx)    
compiler: cc -DDSO_DLFCN -DHAVE_DLFCN_H -O -DAIX -DB_ENDIAN -qmaxmem=16384
Target "test" is up to date.

As root, run the command make install to install the following files:

/usr/local/ssl/man/man1/CA.pl.1
/usr/local/ssl/man/man1/asn1parse.1
/usr/local/ssl/man/man1/ca.1
/usr/local/ssl/man/man1/ciphers.1
/usr/local/ssl/man/man1/crl.1
/usr/local/ssl/man/man1/crl2pkcs7.1
/usr/local/ssl/man/man1/dgst.1
/usr/local/ssl/man/man1/dhparam.1
/usr/local/ssl/man/man1/dsa.1
/usr/local/ssl/man/man1/dsaparam.1
/usr/local/ssl/man/man1/enc.1
/usr/local/ssl/man/man1/gendsa.1
/usr/local/ssl/man/man1/genrsa.1
/usr/local/ssl/man/man1/nseq.1
/usr/local/ssl/man/man1/openssl.1
/usr/local/ssl/man/man1/passwd.1
/usr/local/ssl/man/man1/pkcs12.1
/usr/local/ssl/man/man1/pkcs7.1
/usr/local/ssl/man/man1/pkcs8.1
/usr/local/ssl/man/man1/rand.1
/usr/local/ssl/man/man1/req.1
/usr/local/ssl/man/man1/rsa.1
/usr/local/ssl/man/man1/rsautl.1
/usr/local/ssl/man/man1/s_client.1
/usr/local/ssl/man/man1/s_server.1
/usr/local/ssl/man/man1/sess_id.1
/usr/local/ssl/man/man1/smime.1
/usr/local/ssl/man/man1/speed.1
/usr/local/ssl/man/man1/spkac.1
/usr/local/ssl/man/man1/verify.1
/usr/local/ssl/man/man1/version.1
/usr/local/ssl/man/man1/x509.1
/usr/local/ssl/man/man3/BIO_ctrl.3
/usr/local/ssl/man/man3/BIO_f_base64.3
/usr/local/ssl/man/man3/BIO_f_buffer.3
/usr/local/ssl/man/man3/BIO_f_cipher.3
/usr/local/ssl/man/man3/BIO_f_md.3
/usr/local/ssl/man/man3/BIO_f_null.3
/usr/local/ssl/man/man3/BIO_f_ssl.3
/usr/local/ssl/man/man3/BIO_find_type.3
/usr/local/ssl/man/man3/BIO_new.3
/usr/local/ssl/man/man3/BIO_new_bio_pair.3
/usr/local/ssl/man/man3/BIO_push.3
/usr/local/ssl/man/man3/BIO_read.3
/usr/local/ssl/man/man3/BIO_s_accept.3
/usr/local/ssl/man/man3/BIO_s_bio.3
/usr/local/ssl/man/man3/BIO_s_connect.3
/usr/local/ssl/man/man3/BIO_s_fd.3
/usr/local/ssl/man/man3/BIO_s_file.3
/usr/local/ssl/man/man3/BIO_s_mem.3
/usr/local/ssl/man/man3/BIO_s_null.3
/usr/local/ssl/man/man3/BIO_s_socket.3
/usr/local/ssl/man/man3/BIO_set_callback.3
/usr/local/ssl/man/man3/BIO_should_retry.3
/usr/local/ssl/man/man3/BN_CTX_new.3
/usr/local/ssl/man/man3/BN_CTX_start.3
/usr/local/ssl/man/man3/BN_add.3
/usr/local/ssl/man/man3/BN_add_word.3
/usr/local/ssl/man/man3/BN_bn2bin.3
/usr/local/ssl/man/man3/BN_cmp.3
/usr/local/ssl/man/man3/BN_copy.3
/usr/local/ssl/man/man3/BN_generate_prime.3
/usr/local/ssl/man/man3/BN_mod_inverse.3
/usr/local/ssl/man/man3/BN_mod_mul_montgomery.3
/usr/local/ssl/man/man3/BN_mod_mul_reciprocal.3
/usr/local/ssl/man/man3/BN_new.3
/usr/local/ssl/man/man3/BN_num_bytes.3
/usr/local/ssl/man/man3/BN_rand.3
/usr/local/ssl/man/man3/BN_set_bit.3
/usr/local/ssl/man/man3/BN_zero.3
/usr/local/ssl/man/man3/CRYPTO_set_ex_data.3
/usr/local/ssl/man/man3/DH_generate_key.3
/usr/local/ssl/man/man3/DH_generate_parameters.3
/usr/local/ssl/man/man3/DH_get_ex_new_index.3
/usr/local/ssl/man/man3/DH_new.3
/usr/local/ssl/man/man3/DH_set_method.3
/usr/local/ssl/man/man3/DH_size.3
/usr/local/ssl/man/man3/DSA_SIG_new.3
/usr/local/ssl/man/man3/DSA_do_sign.3
/usr/local/ssl/man/man3/DSA_dup_DH.3
/usr/local/ssl/man/man3/DSA_generate_key.3
/usr/local/ssl/man/man3/DSA_generate_parameters.3
/usr/local/ssl/man/man3/DSA_get_ex_new_index.3
/usr/local/ssl/man/man3/DSA_new.3
/usr/local/ssl/man/man3/DSA_set_method.3
/usr/local/ssl/man/man3/DSA_sign.3
/usr/local/ssl/man/man3/DSA_size.3
/usr/local/ssl/man/man3/ERR_GET_LIB.3
/usr/local/ssl/man/man3/ERR_clear_error.3
/usr/local/ssl/man/man3/ERR_error_string.3
/usr/local/ssl/man/man3/ERR_get_error.3
/usr/local/ssl/man/man3/ERR_load_crypto_strings.3
/usr/local/ssl/man/man3/RAND_add.3
/usr/local/ssl/man/man3/ERR_load_strings.3
/usr/local/ssl/man/man3/ERR_print_errors.3
/usr/local/ssl/man/man3/ERR_put_error.3
/usr/local/ssl/man/man3/ERR_remove_state.3
/usr/local/ssl/man/man3/EVP_DigestInit.3
/usr/local/ssl/man/man3/EVP_EncryptInit.3
/usr/local/ssl/man/man3/EVP_OpenInit.3
/usr/local/ssl/man/man3/EVP_SealInit.3
/usr/local/ssl/man/man3/EVP_SignInit.3
/usr/local/ssl/man/man3/EVP_VerifyInit.3
/usr/local/ssl/man/man3/OPENSSL_VERSION_NUMBER.3
/usr/local/ssl/man/man3/OpenSSL_add_all_algorithms.3
/usr/local/ssl/man/man3/RAND_bytes.3
/usr/local/ssl/man/man3/RAND_cleanup.3
/usr/local/ssl/man/man3/RAND_egd.3
/usr/local/ssl/man/man3/RAND_load_file.3
/usr/local/ssl/man/man3/RAND_set_rand_method.3
/usr/local/ssl/man/man3/RSA_blinding_on.3
/usr/local/ssl/man/man3/bio.3
/usr/local/ssl/man/man3/RSA_check_key.3
/usr/local/ssl/man/man3/RSA_generate_key.3
/usr/local/ssl/man/man3/RSA_get_ex_new_index.3
/usr/local/ssl/man/man3/RSA_new.3
/usr/local/ssl/man/man3/RSA_padding_add_PKCS1_type_1.3
/usr/local/ssl/man/man3/RSA_print.3
/usr/local/ssl/man/man3/RSA_private_encrypt.3
/usr/local/ssl/man/man3/RSA_public_encrypt.3
/usr/local/ssl/man/man3/RSA_set_method.3
/usr/local/ssl/man/man3/RSA_sign.3
/usr/local/ssl/man/man3/RSA_sign_ASN1_OCTET_STRING.3
/usr/local/ssl/man/man3/RSA_size.3
/usr/local/ssl/man/man3/blowfish.3
/usr/local/ssl/man/man3/bn.3
/usr/local/ssl/man/man3/bn_internal.3
/usr/local/ssl/man/man3/buffer.3
/usr/local/ssl/man/man3/crypto.3
/usr/local/ssl/man/man3/d2i_DHparams.3
/usr/local/ssl/man/man3/d2i_RSAPublicKey.3
/usr/local/ssl/man/man3/des.3
/usr/local/ssl/man/man3/dh.3
/usr/local/ssl/man/man3/dsa.3
/usr/local/ssl/man/man3/err.3
/usr/local/ssl/man/man3/evp.3
/usr/local/ssl/man/man3/hmac.3
/usr/local/ssl/man/man3/lh_stats.3
/usr/local/ssl/man/man3/lhash.3
/usr/local/ssl/man/man3/md5.3
/usr/local/ssl/man/man3/mdc2.3
/usr/local/ssl/man/man3/rand.3
/usr/local/ssl/man/man3/rc4.3
/usr/local/ssl/man/man3/ripemd.3
/usr/local/ssl/man/man3/rsa.3
/usr/local/ssl/man/man3/sha.3
/usr/local/ssl/man/man3/threads.3
/usr/local/ssl/man/man3/SSL_CIPHER_get_name.3
/usr/local/ssl/man/man3/SSL_CTX_add_extra_chain_cert.3
/usr/local/ssl/man/man3/SSL_CTX_add_session.3
/usr/local/ssl/man/man3/SSL_CTX_flush_sessions.3
/usr/local/ssl/man/man3/SSL_CTX_free.3
/usr/local/ssl/man/man3/SSL_CTX_get_ex_new_index.3
/usr/local/ssl/man/man3/SSL_CTX_get_verify_mode.3
/usr/local/ssl/man/man3/SSL_CTX_new.3
/usr/local/ssl/man/man3/SSL_CTX_load_verify_locations.3
/usr/local/ssl/man/man3/SSL_CTX_sess_number.3
/usr/local/ssl/man/man3/SSL_CTX_sess_set_cache_size.3
/usr/local/ssl/man/man3/SSL_CTX_sess_set_get_cb.3
/usr/local/ssl/man/man3/SSL_CTX_sessions.3
/usr/local/ssl/man/man3/SSL_CTX_set_cipher_list.3
/usr/local/ssl/man/man3/SSL_CTX_set_client_CA_list.3
/usr/local/ssl/man/man3/SSL_CTX_set_default_passwd_cb.3
/usr/local/ssl/man/man3/SSL_CTX_set_mode.3
/usr/local/ssl/man/man3/SSL_CTX_set_options.3
/usr/local/ssl/man/man3/SSL_CTX_set_session_cache_mode.3
/usr/local/ssl/man/man3/SSL_CTX_set_session_id_context.3
/usr/local/ssl/man/man3/SSL_CTX_set_ssl_version.3
/usr/local/ssl/man/man3/SSL_CTX_set_timeout.3
/usr/local/ssl/man/man3/SSL_CTX_set_verify.3
/usr/local/ssl/man/man3/SSL_CTX_use_certificate.3
/usr/local/ssl/man/man3/SSL_SESSION_free.3
/usr/local/ssl/man/man3/SSL_SESSION_get_ex_new_index.3
/usr/local/ssl/man/man3/SSL_SESSION_get_time.3
/usr/local/ssl/man/man3/SSL_accept.3
/usr/local/ssl/man/man3/SSL_clear.3
/usr/local/ssl/man/man3/SSL_connect.3
/usr/local/ssl/man/man3/SSL_free.3
/usr/local/ssl/man/man3/SSL_get_ciphers.3
/usr/local/ssl/man/man3/SSL_get_client_CA_list.3
/usr/local/ssl/man/man3/SSL_get_current_cipher.3
/usr/local/ssl/man/man3/SSL_get_error.3
/usr/local/ssl/man/man3/SSL_get_ex_data_X509_STORE_CTX_idx.3
/usr/local/ssl/man/man3/SSL_get_ex_new_index.3
/usr/local/ssl/man/man3/SSL_get_fd.3
/usr/local/ssl/man/man3/SSL_get_rbio.3
/usr/local/ssl/man/man3/SSL_get_peer_cert_chain.3
/usr/local/ssl/man/man3/SSL_get_peer_certificate.3
/usr/local/ssl/man/man3/SSL_get_session.3
/usr/local/ssl/man/man3/SSL_get_verify_result.3
/usr/local/ssl/man/man3/SSL_get_version.3
/usr/local/ssl/man/man3/SSL_library_init.3
/usr/local/ssl/man/man3/SSL_load_client_CA_file.3
/usr/local/ssl/man/man3/SSL_new.3
/usr/local/ssl/man/man3/SSL_pending.3
/usr/local/ssl/man/man3/SSL_read.3
/usr/local/ssl/man/man3/SSL_set_bio.3
/usr/local/ssl/man/man3/SSL_set_connect_state.3
/usr/local/ssl/man/man3/SSL_set_fd.3
/usr/local/ssl/man/man3/SSL_set_session.3
/usr/local/ssl/man/man3/SSL_set_shutdown.3
/usr/local/ssl/man/man3/SSL_set_verify_result.3
/usr/local/ssl/man/man3/SSL_shutdown.3
/usr/local/ssl/man/man3/SSL_write.3
/usr/local/ssl/man/man3/d2i_SSL_SESSION.3
/usr/local/ssl/man/man3/ssl.3
/usr/local/ssl/man/man5/config.5
/usr/local/ssl/man/man7/des_modes.7
/usr/local/ssl/bin/openssl
/usr/local/ssl/bin/c_rehash
/usr/local/ssl/lib/libcrypto.a
/usr/local/ssl/lib/libssl.a
/usr/local/ssl/include/openssl/e_os.h
/usr/local/ssl/include/openssl/e_os2.h
/usr/local/ssl/include/openssl/crypto.h
/usr/local/ssl/include/openssl/tmdiff.h
/usr/local/ssl/include/openssl/opensslv.h
/usr/local/ssl/include/openssl/opensslconf.h
/usr/local/ssl/include/openssl/ebcdic.h
/usr/local/ssl/include/openssl/symhacks.h
/usr/local/ssl/include/openssl/md2.h
/usr/local/ssl/include/openssl/md4.h
/usr/local/ssl/include/openssl/md5.h
/usr/local/ssl/include/openssl/sha.h
/usr/local/ssl/include/openssl/mdc2.h
/usr/local/ssl/include/openssl/hmac.h
/usr/local/ssl/include/openssl/ripemd.h
/usr/local/ssl/include/openssl/des.h
/usr/local/ssl/include/openssl/rc2.h
/usr/local/ssl/include/openssl/rc4.h
/usr/local/ssl/include/openssl/rc5.h
/usr/local/ssl/include/openssl/idea.h
/usr/local/ssl/include/openssl/blowfish.h
/usr/local/ssl/include/openssl/cast.h
/usr/local/ssl/include/openssl/bn.h
/usr/local/ssl/include/openssl/rsa.h
/usr/local/ssl/include/openssl/dsa.h
/usr/local/ssl/include/openssl/dh.h
/usr/local/ssl/include/openssl/dso.h
/usr/local/ssl/include/openssl/buffer.h
/usr/local/ssl/include/openssl/bio.h
/usr/local/ssl/include/openssl/stack.h
/usr/local/ssl/include/openssl/safestack.h
/usr/local/ssl/include/openssl/lhash.h
/usr/local/ssl/include/openssl/rand.h
/usr/local/ssl/include/openssl/err.h
/usr/local/ssl/include/openssl/objects.h
/usr/local/ssl/include/openssl/obj_mac.h
/usr/local/ssl/include/openssl/evp.h
/usr/local/ssl/include/openssl/asn1.h
/usr/local/ssl/include/openssl/asn1_mac.h
/usr/local/ssl/include/openssl/pem.h
/usr/local/ssl/include/openssl/pem2.h
/usr/local/ssl/include/openssl/x509.h
/usr/local/ssl/include/openssl/x509_vfy.h
/usr/local/ssl/include/openssl/x509v3.h
/usr/local/ssl/include/openssl/conf.h
/usr/local/ssl/include/openssl/conf_api.h
/usr/local/ssl/include/openssl/txt_db.h
/usr/local/ssl/include/openssl/pkcs7.h
/usr/local/ssl/include/openssl/pkcs12.h
/usr/local/ssl/include/openssl/comp.h
/usr/local/ssl/include/openssl/ssl.h
/usr/local/ssl/include/openssl/ssl2.h
/usr/local/ssl/include/openssl/ssl3.h
/usr/local/ssl/include/openssl/ssl23.h
/usr/local/ssl/include/openssl/tls1.h
/usr/local/ssl/misc/CA.sh
/usr/local/ssl/misc/CA.pl
/usr/local/ssl/misc/der_chop
/usr/local/ssl/misc/c_hash
/usr/local/ssl/misc/c_info
/usr/local/ssl/misc/c_issuer
/usr/local/ssl/misc/c_name
/usr/local/ssl/openssl.cnf

Build and install TCP Wrappers (optional)

TCP Wrappers provides a simple application, tcpd, that can be used to limit access to various network services based on the IP address of the client. It is often used, and in fact, was designed for "wrapping" services spawned by inetd. The package also provides a library, libwrap.a, that applications, including OpenSSH, can link to and gain the access controls that TCP Wrappers provides. While it is not necessary for deploying OpenSSH, TCP Wrappers adds another level of access control and logging capability that an administrator might appreciate.

To build TCP Wrappers, issue the following commands after downloading the source distribution into /usr/local/src:

gunzip -c tcp_wrappers_7.6.tar.gz | tar xvf -
cd tcp_wrappers_7.6
vi Makefile

Before compiling the source, several changes will need to be made to the file "Makefile":

After saving the above changes to the Makefile, run the command make aix to compile the source.

The Makefile for TCP Wrappers does not include an install target. To place the files in the proper locations, enter the following commands as root:

cp tcpdchk safe_finger try-from tcpdmatch tcpd /usr/local/sbin/
cp libwrap.a /usr/local/lib/
cp hosts_access.3 /usr/local/man/man3/
cp hosts_access.5 hosts_options.5 /usr/local/man/man5/
cp tcpd.8 tcpdchk.8 tcpdmatch.8 /usr/local/man/man8/
mkdir -p /usr/local/share/tcpd/
cp Banners.Makefile /usr/local/share/tcpd/
mkdir /usr/local/include/
cp tcpd.h /usr/local/include/
touch /etc/tcpd.conf

Configuration of TCP Wrappers will not be detailed in this tutorial. See the included README and man pages for instructions on usage and configuration settings.



Building OpenSSH

The configuration options

Now that all of the prerequisites are in place, the OpenSSH source can be compiled. After downloading the latest version the OpenSSH source into /usr/local/src, extract the contents with the commands:

gunzip -c openssh-3.0.1p1.tar.gz | tar xvf -
cd openssh-3.0.1p1

There are a number of options that must be defined at compile-time, and other options that can have their default values set during compilation. For a list and description of all of the compile-time configuration options, type the command ./configure --help in the source directory. For this tutorial, the following options will be specified:

./configure --sysconfdir=/etc/ssh --with-cflags="-qmaxmem=-1" --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-prngd-socket=/dev/egd-pool --with-ipv4-default --with-pid-dir=/var/tmp

When configuration completes, a summary of the options will be printed to the screen, similar to:

OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /etc/ssh
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /var/tmp
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Random number collection: PRNGD/EGD (socket /dev/egd-pool)
Manpage format: man
PAM support: no
KerberosIV support: no
Smartcard support: no
AFS support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: yes
Translate v4 in v6 hack: no
Host: powerpc-ibm-aix4.3.3.0
Compiler: cc
Compiler flags: -g -qmaxmem=-1
Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/include
Linker flags: -L/usr/local/ssl/lib -L/usr/local/lib -blibpath:/usr/lib:/lib:/usr/local/lib
Libraries: -lwrap -lz -lcrypto

Compile and install the components

Issue the command make to compile the source. When the build is complete, run the command make install as root, to install the various files in their proper places.

The following files will be installed into /usr/local:

/usr/local/man/man1/ssh.1
/usr/local/man/man1/scp.1
/usr/local/man/man1/ssh-add.1
/usr/local/man/man1/ssh-agent.1
/usr/local/man/man1/ssh-keygen.1
/usr/local/man/man1/ssh-keyscan.1
/usr/local/man/man1/sftp.1
/usr/local/man/man8/sshd.8
/usr/local/man/man8/sftp-server.8
/usr/local/bin/ssh
/usr/local/bin/scp
/usr/local/bin/ssh-add
/usr/local/bin/ssh-agent
/usr/local/bin/ssh-keygen
/usr/local/bin/ssh-keyscan
/usr/local/bin/sftp
/usr/local/sbin/sshd
/usr/local/share/Ssh.bin
/usr/local/libexec/sftp-server

The directory /etc/ssh will also be created, with the contents:

/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/ssh/ssh_prng_cmds
/etc/ssh/moduli
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub


Configuration and usage

The host keys

As part of the install process, host keys will be generated and placed in /etc/ssh. There are three types of host keys, each comprised of two files (a "key pair"): a "secret" portion, whose contents should not be accessable by any user other then root, and a "public" portion, whose contents are transferred to the client system each time a connection is initiated.

At the start of each new connection to a server, client compares the public portion of the server's host key to one from a previous connection, saved in a file in the user's home directory. If the current version and previous versions are not identical, the client will be issued a warning that the server they have connected to may have been spoofed or compromised, and should not be trusted. For this reason, it is important to back up the server keys, and ensure that those files are not replaced during an upgrade of the OpenSSH software.

The three types of key pairs are:

If the file containing the public half of a key pair is damaged, it can easily be regenerated from the secret half, with the ssh-keygen utility. If the private half is damaged or compromised by a security breach, the entire key pair is useless, and must be regenerated. If this occurs, all users of the system must be told that there is a new host key, and they will have to delete the public portion of the old server key from their ~/.ssh/known_hosts or known_hosts2 file. If they don't, they will receive a warning message each time they connect to the server, or, depending on their local configuration, they will not be able to connect at all.


Setting configuration options

Secure Shell server (sshd) options are defined in the file /etc/ssh/sshd_config. A default file is placed into that location during the install process. For a list and description of all the possible options, see the sshd(8) man page. A few of the more common options, and their recommended settings are:

It is useful to set options even if the setting is to the default value, as defaults can change between version releases. Using the above options, the /etc/ssh/sshd_config configuration file would be:

#############################################################
#
# /etc/ssh/sshd_config
#
# configuration file for the OpenSSH ssh daemon
#
############################################################


# deny connections from members of these groups:


DenyGroups uucp, mail, nobody, nogroup


# deny connections from these users:


DenyUsers daemon, bin, sys, adm, uucp, guest, nobody, lpd


# allow host-based authentication (.rhosts and /etc/hosts.equiv)
# if the host key exchange was successful.  I realize that this
# is reducing the security of my server.  [  protocol 2 only]


HostbasedAuthentication yes


# permit the use of user .rhosts and .shosts files.  Again, I 
# release that I am reducing the security of my server in favor
# of functionality for clients:


IgnoreRhosts no


# messages logged to syslog from sshd will be at priority INFO:


LogLevel INFO


# root will not be permitted to log in interactively, but can
# run commands remotely ...


PermitRootLogin forced-commands-only


# accept protocol 2 connections first, then fall back to protocol 1


Protocol 2,1


# straight .rhosts authentication will not be permitted, as this is
# exactly the same as "rsh/rcp" ...

RhostsAuthentication no

# however, .rhosts authentication with successful RSA host 
# authentication will be permitted [protocol 1 only]:

RhostsRSAAuthentication yes

# ensure that the permissions on a user's ssh-related files are
# set properly; deny connections if they are not:

StrictModes yes

# define the subsystem "sftp" to enable the secure replacement for
# the ftp protocol:

Subsystem   sftp   /usr/local/libexec/sftp-server

# have syslogd dispatch sshd messages to the AUTH facility ...

SyslogFacility AUTH

# permit the forwarding of X11 connections.  This doesn't decrease
# security at all ...

X11Forwarding yes

############################################################

Running the daemon at system boot

As with most programs that are to be run upon system startup, there are a number of ways to accomplish this goal. This tutorial presents one possibility, again using the System Resource Controller (SRC) feature of AIX. Using the SRC provides a method of controlling the daemon consistent with other subsystems present on AIX systems.

To create a subsystem that will control the sshd daemon, issue the following command as root:

/usr/bin/mkssys -s sshd -p /usr/local/sbin/sshd -a '-D' -u 0 -S -n 15 -f 9 -R -G local

The above command will create a new subsystem named "sshd". The program that will be started by this subsystem is /usr/local/sbin/sshd, with the "-D" argument. The program will be run as root, and will use signals for communication with the SRC. When requested to stop, the daemon will be sent the TERM signal, and if that fails, the KILL signal. The subsystem will be restarted if it stops abnormally, and it will be included in the SRC group named "local".

To have the subsystem started at system boot, run the following command to add an entry to /etc/inittab, after the "prngd" entry:

/usr/sbin/mkitab -i prngd "sshd:2:wait:startsrc -s sshd > /dev/console 2>&1"


Replacing insecure services

Replacing the telnet service

Replacing the use of the insecure telnet protocol with the much more secure ssh protocol is simple. Users will have to substitute the use of an ssh client for their telnet client. When connecting via telnet, the user will enter:

$ telnet earth

They will then be prompted to enter their user name and password:

Trying 123.456.789.012 ...
Connected to earth.galaxy.com
Escape character is '^]
AIX Version 4
(C) Copyrights by IBM and by others 1982, 1996.
login: user
user's Password: ******

If the user account specified and the password is correct, the user will then be logged in. To perform the same action using ssh, the user will type:

$ ssh earth
user@earth's password: ******

As with telnet, the user will then be logged in if the user account and password specified are valid. The difference, though, is that all network traffic between the client and the server, including the user name and password, will be encrypted, and thus, immune from packet sniffing attacks. SSH clients usually use the name of the user that is logged in on the client system when connecting to the remote system. If the end user wishes to use a different user account, they will need to add that account name before the host name, connected with an "@" sign:

$ ssh user@earth

The telnet service should be disabled on the server, by either deleting or commenting out the telnet entry in /etc/inetd.conf.


Replacing the "r" services

The "r" services are those that use only the file /etc/hosts.equiv and the "~/.rhosts" files within users home directories to perform authentication. These services include rsh, rlogin, and rcp. All of these services can be replaced by OpenSSH, exponentially increasing the overall security of the server. Several "layers" of security may be imposed on the use of these services, depending on the options set in the /etc/ssh/sshd_config file by the server's administrator.

The OpenSSH distribution includes both the client and server programs necessary to replace the insecure "r" commands. For the examples presented in the following table, it is assumed that:

Insecure command Secure equivalent Action performed Security advantage
rsh earth
rlogin earth
ssh earth
slogin earth
provides the user with an interactive login session on the server named earth, without having to enter a password. The host key of the client system is checked against the server's known hosts file. If they do not match, the connection is refused. All communications between the server and the client are encrypted.
rsh earth uptime
ssh earth uptime
executes the uptime command on the server named earth, without having to enter a password.
rcp earth:/etc/passwd /tmp/earth-passwd
scp earth:/etc/passwd /tmp/earth-passwd
copies the file /etc/passwd from the server named earth and saves it on the local system as /tmp/earth-passwd, without the user needing to enter a password.

The "rexec" command, though similarly named, uses a different but also insecure method of authorizing a remote user to run a command on a server without entering her password. Instead of the .rhosts file, a .netrc file in the user's home directory on the client system contains the user name and password. This data, and all other data transferred over the network is sent in clear-text. By using the ssh client's ability to execute commands, use of the rexec service can be avoided, and the daemon that provides this service can be disabled on the server.

In order to take advantage of the increased security provided by the OpenSSH replacements, the "login", "shell", and "exec" services should be commented out or deleted from the server's /etc/inetd.conf.


Replacing the ftp service

For those systems that are required to provide an interactive file transfer service, the sftp-server is included with the OpenSSH distribution. Using the same authentication and encryption methods as ssh, users can use the sftp client program to connect to and transfer files to and from remote servers. Operation of the sftp program is similar to standard ftp clients, though the sftp-server program lacks some of the "bells and whistles" of the ftpd daemon.

If the features provided by the sftpd-server program meet the requirements for your FTP service, the standard ftpd daemon should be disabled by commenting out or deleting the "ftp" entry in /etc/inetd.conf.



Summary

Further topics

The Secure Shell protocol is a flexible and powerful tool; this tutorial has only scratched the surface of its capabilities. SSH can be used in many different ways, including but not limited to: securing remote X11 sessions, providing encryption for services not designed with such protection, the use of public keys to provide seamless login and the secure execution of specific commands, and so on.

OpenSSH can be extended to include Kerberos authentication, AFS token passing, Smart Card support, and a number of other related technologies. For more information about using these and other features with OpenSSH, refer to the items listed in the references and resources section.


References and resources

The web site for the OpenSSH project, <http://www.openssh.com>, is the primary source for information about new releases of OpenSSH. It also contains a Frequently Asked Questions page, a form for reporting bugs, and an archive of the various OpenSSH related mailing lists.

SSH, The Secure Shell: The Definitive Guide, by Daniel J. Barrett and Richard E. Silverman, published by O'Reilly & Associates, is, as the title states, the definitive guide to the Secure Shell protocol, providing in-depth explanations about almost everything SSH-related. The book also has a website, <http://www.snailbook.com>, containing news, an FAQ, and discussion forums dedicated to SSH.

A number of Internet Drafts (working documents of the Internet Engineering Task Force, IETF) related to Secure Shell have been published: they can be found at the web site <http://www.ietf.org/html.charters/secsh-charter.html>.

A general discussion mailing list for discussion of Secure Shell is hosted by Security Focus. To subscribe to this list, send an empty message to <secureshell-subscribe@securityfocus.com>. A read-only list for announcements of updates to OpenSSH and related software can be subscribed to by sending a message containing only the word "SUBSCRIBE" in the body, to <openssh-unix-announce-request@mindrot.org>.



$Id: openssh-aix.html,v 1.15 2001/11/19 14:42:33 ssklar Exp ssklar $