LinuxQuestions.org


NOTORIOUS VR 02-16-2005 08:15 AM

SSH daemon under AIX5
 
I was under the impression that SSH would be default installed with AIX5...

I believe I tried connecting once from home to my AIX5 box, via PuTTY set to SSH (port 22), and it did connect.. but then something hung up, and I just killed PuTTY without logging off (I wasn't able to do anything else), and after that I wasn't ever able to connect via SSH again.

But I would really like to have SSH, because the box is open on the internet... and I don't feel safe enough as it is when someone is telnetting in to the box, unsecure.

So is SSH normally installed and activated? If so, how do I check and clear whatever I've done to screw it up.. and if not.. how do I go about installing an SSH daemon and setting it up.

Thanks!

abyss 02-16-2005 11:39 AM

Notorious,

OpenSSH is on the AIX 5L V 5.x Expansion Pack CD. It's not in the base CD set, so you'll have to add it in from that CD set if you didn't during the base os install.

You install it with smit or smitty fast path:

smitty installp

It installs just like any other piece of software, but the way it is started on boot is a little different.

Rather than putting the startup for this daemon in the normal places to start things (e.g., inetd.conf, rc.tcpip, etc....) it adds this one in with a SYS V like configuration.

Once it's installed, if you look for what is calling it you'll be puzzled at first and then finally get around to checking:

/etc/rc.d/rc2.d

which is where you'll see:

Ksshd* Ssshd*

Not that it matters much, but I just wanted to point that out to you.

Incidentally, I'd also recommend disallowing remote root logins via SSH for security reasons. Make people (you included) ssh in with a normal account and then SU to root.

To do that:

i. Edit /etc/ssh/sshd_config
ii. PermitRootLogin no

On that same note, in fact, I'd prevent root from directly logging in remotely under any circumstance.

i. Edit /etc/security/user
ii. Under the default settings: rlogin = false
iii. add rlogin = true for each user account in their own stanza (for anyone you want to log in remotely)

HTH
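
Added example, not part of abyss's post: a small POSIX shell audit that checks both settings described above, the PermitRootLogin line in sshd_config and the effective rlogin value per stanza in /etc/security/user. It goes slightly beyond the post by listing every user who can still log in remotely; the function names and the sample files are constructed for this example.

```shell
#!/bin/sh
# Effective PermitRootLogin: keywords are case-insensitive and the first
# occurrence wins; "unset" means sshd falls back to its built-in default.
permit_root_login() {
    awk 'tolower($1) == "match" { exit }   # global section ends here
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Print "user value" for each user stanza of an /etc/security/user style
# file; a user with no rlogin line inherits the default: stanza.
rlogin_report() {
    awk '/^[ \t]*\*/ || /^[ \t]*$/ { next }      # comment or blank line
         /^[^ \t].*:[ \t]*$/ {                    # stanza header "name:"
             name = $1; sub(/:$/, "", name)
             if (name != "default") order[++n] = name
             next
         }
         { line = $0; gsub(/[ \t]/, "", line)
           if (sub(/^rlogin=/, "", line)) val[name] = line }
         END {
             def = ("default" in val) ? val["default"] : "unset"
             for (i = 1; i <= n; i++)
                 print order[i], ((order[i] in val) ? val[order[i]] : def)
         }' "$1"
}

# Print findings; return 1 if root can still log in remotely.
audit() {   # usage: audit SSHD_CONFIG SECURITY_USER
    rc=0
    [ "$(permit_root_login "$1")" = no ] ||
        { echo "FINDING: PermitRootLogin is not no"; rc=1; }
    [ "$(rlogin_report "$2" | awk '$1 == "root" { print $2 }')" = false ] ||
        { echo "FINDING: rlogin is not false for root"; rc=1; }
    echo "rlogin allowed for:" $(rlogin_report "$2" | awk '$2 == "true" { print $1 }')
    return $rc
}

# Constructed sample files, not taken from a real host.
demo=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'permitrootlogin no' > "$demo/sshd_config"
printf '%s\n' '* constructed sample' 'default:' '        rlogin = false' '' \
    'root:' '        admin = true' '' 'sascha:' '        rlogin = true' '' \
    'guest:' '        rlogin = false' > "$demo/user"
audit "$demo/sshd_config" "$demo/user"
```

On a real host, run `audit /etc/ssh/sshd_config /etc/security/user` as root, since /etc/security/user is not world-readable.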

NOTORIOUS VR 02-16-2005 01:11 PM

Thank you.. I will try this.. I do not have the expansion CDs... as the company I bought the box from only sent me a copy of the first CD...
although I was able to source documentation about installing and obtaining OpenSSH from IBM's infocenter...

Thanks for your tips tho... and yes I would consider removing root access completely from remote logins...

One question tho... if I log in as a normal user, and su to root... do I actually become root? are there any drawbacks in comparison to running/logging in as root directly?

Thanks,

Sascha

abyss 02-16-2005 01:23 PM

Sascha,

Yes, an:

su - root

really makes you root and by using the space and dash in this manner it loads root's profile so the paths and such are correct. If you just do:

su root

It keeps your paths and customization.

Always do:

su - root

so that you get what you expect.

Many people don't allow a direct root login at all. This way a person would need to have cracked two passwords to get into the root account. We only allow direct root login at the terminal attached to the box, because if someone has broken into the server room AND knows the root password, you're screwed anyway. This is common practice.

NOTORIOUS VR 02-16-2005 02:27 PM

Ok.. I have a little problem..

According to this article:

http://publib.boulder.ibm.com/infoce...ty/openssh.htm


OpenSSH needs OpenSSL to be installed first...

now it tells me to go here to get it:

http://www-1.ibm.com/servers/aix/pro.../download.html

and then Click the AIX Toolbox Cryptographic Content link on the right side of the AIX Toolbox for Linux Applications Web site.
which is this URL: http://www6.software.ibm.com/dl/aixtbx/aixtbx-p

but it doesn't work...

So does anyone know where I can DL the proper rpm? I checked OpenSSL's site, but they seem to be generic RPM's and I wouldn't know if they're properly ported for AIX.

So I'd rather have someone with some knowledge chime in.

thanks

Sascha

abyss 02-16-2005 02:35 PM

Sascha,

Ah yes. OpenSSL. I knew there was something I forgot to tell you earlier.

I used the OpenSSL RPMs from the "AIX Toolbox for Linux Applications for POWER Systems" CD that came with the 5L 5.2 media set. It worked fine.

But you mentioned that you don't have the CDs.

How about:

http://www.bullfreeware.com/

http://www.bullopensource.org/downlo...l-0.9.6.12.exe

(for 5.2, note that they have it for 5.1 and 4.3.3. as well)

You'll have to read the instructions on the Bull site on how to do the install of their stuff.

That might work. Sometimes the Bull software works great, others, not so great.

Good luck.

abyss 02-16-2005 02:41 PM

Sascha,

Incidentally, you should really work on getting some AIX CD media.

If you have a software support contract with IBM on ANY RS/6000 or p-series box, call:

IBM software @ 1-800-879-2755 option #2 and request a software refresh

This will get you the whole current CD set of AIX 5L.

If you need something older or don't have a contract, there's always ebay.

Search for "AIX cd" and there's almost always someone selling a set.

For example, today there is a 5.1 media set with everything for about 30 bucks.

http://cgi.ebay.com/ws/eBayISAPI.dll...sPageName=WDVW

NOTORIOUS VR 02-16-2005 02:52 PM

I agree... and I will do so.. seeing that it's really only $30 US plus shipping, I can't go wrong having original CD's, especially for the extra little options it comes with.

But I would like to get this installed ASAP, as transactions are done daily and I'm afraid that "people" are watching...

Is there any place (FTP for example) that has this file I'm looking for that you know of?

btw, I have now disabled rlogin except for the users that should have it... thanks for the tip :D

abyss 02-16-2005 03:10 PM

Yep. Two posts back I mentioned the Bull Freeware site.

That link has the file in .bff format. This is not an RPM, but it's simple to use.

Read up on how to do that install (click the "install" link on the left menu), download the executable from the site, and install it.

Then install OpenSSH.

NOTORIOUS VR 02-16-2005 03:23 PM

Ahh perfect! lol.. I totally missed that post of yours! lol

Thank you again. :D

NOTORIOUS VR 02-17-2005 10:42 AM

Just an update... the installation went great.. but I did use the proper files from the IBM site.. the site was working today... so I decided to do it that way... and SSH works like a charm!

So far the AIX migration has gone very well.. Thanks to everyone that helped!

One thing... is there a way for me to deny telnet access to certain people and have them only use SSH?

I'd like to leave telnet for the local network users, but only allow SSH connections for the remote users.

Thanks!

zorba4 02-17-2005 12:36 PM

There is probably a smart way, let's see if someone has an idea.
I see a very brutal way: comment the telnetd line in /etc/inetd.conf

#telnet stream tcp6 nowait root /usr/sbin/telnetd telnetd -a

If you do so and reboot your system, probably telnetd will not start, and nobody will be able to connect through telnet...

Mark Taylor 02-21-2005 03:18 AM

>>>> There is probably a smart way, let's see if someone has an idea.

yeah, use tcpwrappers

Rgds
Mark Taylor

outspoken 03-11-2005 01:23 PM

Quote:

Originally posted by abyss

Always do:

su - root

so that you get what you expect.

I would not recommend ALWAYS becoming root with the root environment. It is not always needed, and if you are making use of exports or any custom shell variables, history, or even if you are in a specific working directory, it will all be blown away by entering root's environment. Think about what you need to accomplish before execution and use best judgement.


All times are GMT -5.