Installing OpenSSH on AIX - Update

Date: August 22, 2005

OpenSSH is a freeware tool that provides a secure, industry accepted alternative to the "r-commands",
telnet and ftp. The download location and installation procedure have changed numerous times. The current
procedure requires two steps:

First install the prereq OpenSSL libraries. The "rpm" install file can be found on the "Linux Toolbox for AIX"
CD or downloaded from the web at

https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixtbx&S_PKG=dlaixww

I recommend downloading from the website to ensure you get the most current version and one that is is
compatible with the current OpenSSH version. You'll need to register to do the download. It's painless.

Second, install OpenSSH. The install file can be downloaded from

http://sourceforge.net/projects/openssh-aix

For more information see

http://www-128.ibm.com/developerworks/eserver/articles/openssh_aix.html
http://www.openssh.org

Finally if you want to use "ssh" with your PC, you'll need the client code. I use "putty", which can be found at

http://www.chiark.greenend.org.uk/~sgtatham/putty/

Archive
Date: September 9, 2003

Security concerns are common to all operating systems (not just Windows). Two common exposures are the
telnet and ftp commands. Both commands transmit the password over the network in clear text, making it
trivial for a hacker to capture and use the password to gain entry.

One alternative is the public domain openSSH tool (secure shell). It provides secure remote login and file
transfer. You should consider installing it (or equivalent) on all servers, especially those connected to a
public network. The attached file describes how to obtain and install SSH on AIX.

Documentation for SSH can be found at the website:

http://www.openssh.org

Update May 2005: Download OpenSSH

Finally, I use PuTTY on my Windows PC. PuTTY is freeware implementation SSH for Win32 platforms. It
can be downloaded from:

http://www.chiark.greenend.org.uk/~sgtatham/putty

Installing openSSH on AIX

This document describes the procedure for installing openSSH on AIX 4.3.3 and 5.1.

Installing OpenSSH on AIX 4.3.3

At 4.3.3., the openSSH is installed using the RPM format packages, not by using installp format which is
available at 5.1. and 5.2. In this procedure, you need to follow these three steps:
1. Installing the prerequisite filesets.
2. Downloading the rpm packages.
3. Installing the prerequisite rpm packages openSSH rpm packages.

1. Installing the prerequiste filesets.

The filesets rpm.rte and perl.rte are required to be installed prior to installing the rpm packages.
The rpm.rte fileset can be found at the following:
Linux Toolbox CD or Linux Toolbox Website
http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
The filesets can be installed using smitty installp.
2. Downloading the rpm packages.
The rpm packages can be downloaded from the following website:
http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html

Once on that page, the prngd (Psuedo Random Number Generator Daemon) daemon and the zlib
compression and decompression library can be downloaded. These are the prerequistes for
installing the openssl rpm package. These are prngd-0.9.23-2.aix4.3.ppc.rpm and zlib-1.1.4-
1.aix4.3.ppc.rpm respectively.

Then click AIX TOOLbox Cryptographic Content on the sorted content download in the
upper right area and then register yourself, if you are not already a registered user. Then click on
Accept License button at the bottom of the panel that appears and then you are ready to
download the openssl and openssh rpm packages which are:
openssl-0.9e-2.aix4.3.ppc.rpm
openssl-devel-0.9.6e-2.aix4.3.ppc.rpm
openssl-doc-0.9.6e-2.aix4.3.ppc.rpm
openssh-3.4p1-4.aix4.3.ppc.rpm
openssh-server-3.4p1-4.aix4.3.ppc.rpm
openssh-clients-3.4p1-4.aix4.3.ppc.rpm
3. Installing the prerequisite rpm packages.
Once you have all the rpm files in the current directory, run the following commands to install them.
# rpm -i zlib-1.1.4-1.aix4.3.ppc.rpm
# rpm -i prngd-0.9.23-2.aix4.3.ppc.rpm
# rpm -i openssl-0.9e-2.aix4.3.ppc.rpm
# rpm -i openssl-devel-0.9.6e-2.aix4.3.ppc.rpm
# rpm -i openssl-doc-0.9.6e-2.aix4.3.ppc.rpm
# rpm -i openssh-3.4p1-4.aix4.3.ppc.rpm
# rpm -i openssh-server-3.4p1-4.aix4.3.ppc.rpm
# rpm -i openssh-clients-3.4p1-4.aix4.3.ppc.rpm
Sometimes you may get the error: failed dependencies error while trying to install the
openssl packages. In that case, run the following command:
# rpm -i --nodeps openssl-0.9.6e-2.aix4.3.ppc.rpm
The following command can be run to update the AIX-rpm:
# /usr/sbin/updtvpkg
The prngd needs to be installed before openssl and openssh, and openssl is the prerequiste for
installing the openssh rpm packages. The openssl-devel-0.9.6e-2.aix4.3.ppc.rpm and the
openssl-doc-0.9.6e-2.aix4.3.ppc.rpm are not the required packages for installing the openSSH.

To verify that these packages are installed, run the following command:
# rpm -qa | egrep '(openssl|openssh|prng)'
-->

zlib-1.1.4-1
prngd-0.9.23-2
openssl-0.9.6e-2
openssl-devel-0.9.6e-2
 openssl-doc-0.9.6e-2
openssh-3.4p1-4
openssh-server-3.4p1-4
openssh-clients-3.4p1-4
These packages are installed under the /opt/freeware directory, and several symbolic links are
created in /usr/bin or /usr/sbin, as shown in the following example:
# ls -l /usr/bin/ssh
lrwxrwxrwx 1 root system 26 Oct 17 08:07 /usr/bin/ssh
-> ../../opt/
freeware/bin/ssh
# ls -l /usr/sbin/sshd
lrwxrwxrwx 1 root system 28 Oct 17 08:06 /usr/sbin/sshd
-> ../../op
t/freeware/sbin/sshd

Installing openSSH on 5.1

At 5.1., the installation of openssh itself is in installp format, but all the prerequisites (including openssl)
can be installed using the same rpm -i commands (using the same 4.3.3. rpm packages).

The installp format package can be downloaded from the following site:
http://oss.software.ibm.com/developerworks/projects/opensshi.

After installing the prerequisites using the following commands:

# rpm -i zlib-1.1.4-1.aix4.3.ppc.rpm
# rpm -i prngd-0.9.23-2.aix4.3.ppc.rpm
# rpm -i openssl-0.9e-2.aix4.3.ppc.rpm
# rpm -i openssl-devel-0.9.6e-2.aix4.3.ppc.rpm
# rpm -i openssl-doc-0.9.6e-2.aix4.3.ppc.rpm
Use smitty installp to install the openssh fileset extracted from the tar file openssh34p1_51.tar. The
following filesets are needed to be extracted from the tar file to install openSSH.
openssh.base.client
openssh.base.server
openssh.license
openssh.man.en_US
openssh.msg.en_US
You also need to change the field for Accept new License agreement to yes in the smit panel or
else the installation will fail.
# lslpp -l | grep ssh <-- you can see the fileset are installed.

openssh.base.client 3.4.0.0 COMMITTED Open Secure Shell Commands

openssh.base.server 3.4.0.0 COMMITTED Open Secure Shell Server
openssh.license 3.4.0.0 COMMITTED Open Secure Shell License
openssh.man.en_US 3.4.0.0 COMMITTED Open Secure Shell
openssh.msg.en_US 3.4.0.0 COMMITTED Open Secure Shell Messages -
You also need to change the field for Accept new License agreement to yes in the smit panel or
else the installation will fail.
# lslpp -l | grep ssh <-- you can see the fileset are installed.

openssh.base.client 3.4.0.0 COMMITTED Open Secure Shell Commands

openssh.base.server 3.4.0.0 COMMITTED Open Secure Shell Server
openssh.license 3.4.0.0 COMMITTED Open Secure Shell License
openssh.man.en_US 3.4.0.0 COMMITTED Open Secure Shell
openssh.msg.en_US 3.4.0.0 COMMITTED Open Secure Shell Messages -
openssh.base.client 3.4.0.0 COMMITTED Open Secure Shell Commands
openssh.base.server 3.4.0.0 COMMITTED Open Secure Shell Server
In this case, you notice that the ssh commands are in the /usr/bin directory:
# ls -al /usr/bin/ssh
-r-xr-xr-x 1 root system 503240 Sep 06 13:11 /usr/bin/ssh
# ls -al /usr/bin/scp
-r-xr-xr-x 1 root system 64654 Sep 06 13:11 /usr/bin/scp
and so on..
Initial configuration at 4.3 and 5.1:
The following entry in /etc/inittab invokes all the scripts starting from S under the etc/rc.d/rc2.d directory
upon system startup: l2:2:wait:/etc/rc.d/rc 2

In the /etc/rc.d/rc2.d directory, the following example shows the required symbolic-link to start sshd:

At 4.3.3:
#ls -l /etc/rc.d/rc2.d | grep ssh
lrwxrwxrwx 1 root system 14 Oct 17 08:06 K55sshd -> ../init.d/sshd
lrwxrwxrwx 1 root system 14 Oct 17 08:06 S55sshd -> ../init.d/sshd
At 5.1:
# ls -l /etc/rc.d/rc2.d | grep ssh
-r-xr-xr-x 1 root system 307 Oct 21 16:11 Ksshd
-r-xr-xr-x 1 root system 308 Oct 21 16:11 Ssshd
The prngd is started from the following entry in /etc/inittab:
prng:2:wait:/usr/bin/startsrc -s prngd
In order to specify the SSH2 protocol to be used for OpenSSH, add the following line to the
/etc/ssh/sshd_config file:
Protocol 2
To verify the SSH protocol version, you can use the telnet command and
# telnet localhost 22
Trying...
Connected to localhost.austin.ibm.com.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.4p1
--> the above shows that you are using the ssh2
If you see the following:
# telnet localhost 22
Trying...
telnet: connect: A remote host refused an attempted connect operation.
then the sshd daemon is not running. To terminate, type Ctrl-c and q. if that is the case, then run:
#startsrc -s sshd
whenever the /etc/ssh/sshd_config file is modified, the ssh needs to be stopped and restarted in the
folowing way:
# stopsrc -s sshd
# startsrc -s sshd
The prngd could also be stopped and started in the above method.

Once the installation and configuration is complete:

The first time you are going to connect to a server, you should receive a host key fingerprint from the
adminstrator of that server. On the first attempt to connect to that remote server using OpenSSH, you will
see the fingerprint of the remote server. You should verify if this matches with the one sent to you by the
adminstrator. Only then, you can type yes.