LinuxQuestions.org
Old 02-16-2005, 08:15 AM   #1
NOTORIOUS VR
Member
 
Registered: Jan 2005
Location: TORONTO, CANADA
Distribution: SuSE 9.2
Posts: 50

Rep: Reputation: 15
SSH daemon under AIX5


I was under the impression that SSH would be default installed with AIX5...

I believe I tried connecting once from home to my AIX5 box, via PuTTY set to SSH (port 22), and it did connect... but then something hung up, and I just killed PuTTY without logging off (I wasn't able to do anything else), and after that I wasn't ever able to connect via SSH again.

But I would really like to have SSH, because the box is open on the internet... and I don't feel safe enough as it is when someone is telnetting in to the box, unsecured.

So is SSH normally installed and activated? If so, how do I check and clear whatever I've done to screw it up... and if not... how do I go about installing an SSH daemon and setting it up?

Thanks!
 
Old 02-16-2005, 11:39 AM   #2
abyss
Member
 
Registered: May 2001
Location: New York, USA
Distribution: AIX, Ubuntu
Posts: 113

Rep: Reputation: 15
Notorious,

OpenSSH is on the AIX 5L V 5.x Expansion Pack CD. It's not in the base CD set, so you'll have to add it in from that CD set if you didn't during the base os install.

You install it with smit or smitty fast path:

smitty installp

It installs just like any other piece of software, but the way it is started on boot is a little different.

Rather than putting the startup for this daemon in the normal places to start things (e.g., inetd.conf, rc.tcpip, etc....) it adds this one in with a SYS V like configuration.

Once it's installed, if you look for what is calling it you'll be puzzled at first and then finally get around to checking:

/etc/rc.d/rc2.d

which is where you'll see:

Ksshd* Ssshd*

Not that it matters much, but I just wanted to point that out to you.

Incidentally, I'd also recommend disallowing remote root logins via SSH for security reasons. Make people (you included) ssh in with a normal account and then SU to root.

To do that:

i. Edit /etc/ssh/sshd_config
ii. PermitRootLogin no

On that same note, in fact, I'd prevent root from directly logging in remotely under any circumstance.

i. Edit /etc/security/user
ii. Under the default settings: rlogin = false
iii. add rlogin = true for each user account in their own stanza (for anyone you want to log in remotely)

HTH
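
A way to confirm that both restrictions from the post above took effect, as an added example that is not part of the original thread. The function names, the user alice and the sample files are constructed; on a real system the files are /etc/ssh/sshd_config and /etc/security/user.

```shell
#!/bin/sh
# Added example, not from the thread. File contents below are constructed samples.

# Effective PermitRootLogin: sshd keeps the first occurrence of a keyword and
# matches keywords case-insensitively. Prints "unset" if the keyword is absent.
sshd_root_login() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Effective rlogin for user $2 in an AIX stanza file ($1): "name:" opens a
# stanza, "attr = value" lines follow, "*" starts a comment line. A value in
# the user's own stanza overrides the one in the default stanza.
rlogin_effective() {
    awk -v user="$2" '
        /^[ \t]*\*/ { next }
        /^[^ \t].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); stanza = $0; next }
        {
            line = $0; gsub(/[ \t]/, "", line)
            if (line ~ /^rlogin=/) { sub(/^rlogin=/, "", line); val[stanza] = line }
        }
        END {
            if (user in val) print val[user]
            else if ("default" in val) print val["default"]
            else print "unset"
        }
    ' "$1"
}

# Succeeds only when root is blocked by both settings from the post.
root_remote_blocked() {
    [ "$(sshd_root_login "$1")" = "no" ] && [ "$(rlogin_effective "$2" root)" = "false" ]
}

# Constructed sample files standing in for sshd_config and /etc/security/user.
make_samples() {
    printf '%s\n' '# sample' 'Protocol 2' 'PermitRootLogin no' > "$1/sshd_config"
    printf '%s\n' '* sample' 'default:' '    rlogin = false' '' 'root:' \
        '    admin = true' '' 'alice:' '    rlogin = true' > "$1/user"
}

d=${TMPDIR:-/tmp}/rlogin-audit.$$; mkdir -p "$d"; make_samples "$d"
echo "PermitRootLogin: $(sshd_root_login "$d/sshd_config")"
for u in root alice; do echo "$u rlogin: $(rlogin_effective "$d/user" "$u")"; done
root_remote_blocked "$d/sshd_config" "$d/user" && echo "root: no direct remote login"
rm -rf "$d"
```

In the sample, root has no rlogin line of its own, so it inherits false from the default stanza, while alice's own stanza overrides it.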
 
Old 02-16-2005, 01:11 PM   #3
NOTORIOUS VR
Member
 
Registered: Jan 2005
Location: TORONTO, CANADA
Distribution: SuSE 9.2
Posts: 50

Original Poster
Rep: Reputation: 15
Thank you... I will try this... I do not have the expansion CDs, as the company I bought the box from only sent me a copy of the first CD...
although I was able to source documentation about installing and obtaining OpenSSH from IBM's infocenter...

Thanks for your tips though... and yes, I would consider removing root access completely from remote logins...

One question though... if I log in as a normal user, and su to root... do I actually become root? Are there any drawbacks in comparison to running/logging in as root directly?

Thanks,

Sascha
 
Old 02-16-2005, 01:23 PM   #4
abyss
Member
 
Registered: May 2001
Location: New York, USA
Distribution: AIX, Ubuntu
Posts: 113

Rep: Reputation: 15
Sascha,

Yes, an:

su - root

really makes you root and by using the space and dash in this manner it loads root's profile so the paths and such are correct. If you just do:

su root

It keeps your paths and customization.

Always do:

su - root

so that you get what you expect.

Many people don't allow a direct root login at all. This way a person would need to have cracked two passwords to get into the root account. We only allow direct root login at the terminal attached to the box, because if someone has broken into the server room AND knows the root password, you're screwed anyway. This is common practice.
 
Old 02-16-2005, 02:27 PM   #5
NOTORIOUS VR
Member
 
Registered: Jan 2005
Location: TORONTO, CANADA
Distribution: SuSE 9.2
Posts: 50

Original Poster
Rep: Reputation: 15
OK... I have a little problem...

According to this article:

http://publib.boulder.ibm.com/infoce...ty/openssh.htm


OpenSSH needs OpenSSL to be installed first...

Now it tells me to go here to get it:

http://www-1.ibm.com/servers/aix/pro.../download.html

and then click the AIX Toolbox Cryptographic Content link on the right side of the AIX Toolbox for Linux Applications Web site,
which is this URL: http://www6.software.ibm.com/dl/aixtbx/aixtbx-p

but it doesn't work...

So does anyone know where I can download the proper RPM? I checked OpenSSL's site, but they seem to be generic RPMs and I wouldn't know if they're properly ported for AIX.

So I'd rather have someone with some knowledge chime in.

thanks

Sascha
 
Old 02-16-2005, 02:35 PM   #6
abyss
Member
 
Registered: May 2001
Location: New York, USA
Distribution: AIX, Ubuntu
Posts: 113

Rep: Reputation: 15
Sascha,

Ah yes. OpenSSL. I knew there was something I forgot to tell you earlier.

I used the OpenSSL RPMs from the "AIX Toolbox for Linux Applications for POWER Systems" CD that came with the 5L 5.2 media set. It worked fine.

But you mentioned that you don't have the CDs.

How about:

http://www.bullfreeware.com/

http://www.bullopensource.org/downlo...l-0.9.6.12.exe

(for 5.2, note that they have it for 5.1 and 4.3.3. as well)

You'll have to read the instructions on the Bull site on how to do the install of their stuff.

That might work. Sometimes the Bull software works great, others, not so great.

Good luck.
 
Old 02-16-2005, 02:41 PM   #7
abyss
Member
 
Registered: May 2001
Location: New York, USA
Distribution: AIX, Ubuntu
Posts: 113

Rep: Reputation: 15
Sascha,

Incidentally, you should really work on getting some AIX CD media.

If you have a software support contract with IBM on ANY RS/6000 or p-series box, call:

IBM software @ 1-800-879-2755 option #2 and request a software refresh

This will get you the whole current CD set of AIX 5L.

If you need something older or don't have a contract, there's always ebay.

Search for "AIX cd" and there's almost always someone selling a set.

For example, today there is a 5.1 media set with everything for about 30 bucks.

http://cgi.ebay.com/ws/eBayISAPI.dll...sPageName=WDVW
 
Old 02-16-2005, 02:52 PM   #8
NOTORIOUS VR
Member
 
Registered: Jan 2005
Location: TORONTO, CANADA
Distribution: SuSE 9.2
Posts: 50

Original Poster
Rep: Reputation: 15
I agree... and I will do so... seeing that it's really only $30 US plus shipping, I can't go wrong having original CDs, especially for the extra little options it comes with.

But I would like to get this installed ASAP, as transactions are done daily and I'm afraid that "people" are watching...

Is there any place (FTP for example) that has this file I'm looking for that you know of?

btw, I have now disabled rlogin except for the users that should have it... thanks for the tip
 
Old 02-16-2005, 03:10 PM   #9
abyss
Member
 
Registered: May 2001
Location: New York, USA
Distribution: AIX, Ubuntu
Posts: 113

Rep: Reputation: 15
Yep. Two posts back I mentioned the Bull Freeware site.

That link has the file in .bff format. This is not an RPM, but it's simple to use.

Read up on how to do that install (click the "install" link on the left menu), download the executable from the site, and install it.

Then install OpenSSH.
 
Old 02-16-2005, 03:23 PM   #10
NOTORIOUS VR
Member
 
Registered: Jan 2005
Location: TORONTO, CANADA
Distribution: SuSE 9.2
Posts: 50

Original Poster
Rep: Reputation: 15
Ahh perfect! lol... I totally missed that post of yours! lol

Thank you again.
 
Old 02-17-2005, 10:42 AM   #11
NOTORIOUS VR
Member
 
Registered: Jan 2005
Location: TORONTO, CANADA
Distribution: SuSE 9.2
Posts: 50

Original Poster
Rep: Reputation: 15
Just an update... the installation went great... but I did use the proper files from the IBM site... the site was working today... so I decided to do it that way... and SSH works like a charm!

So far the AIX migration has gone very well... Thanks to everyone that helped!

One thing... is there a way for me to deny telnet access to certain people and have them only use SSH?

I'd like to leave telnet for the local network users, but only allow SSH connections for the remote users.

Thanks!
 
Old 02-17-2005, 12:36 PM   #12
zorba4
Member
 
Registered: Feb 2004
Location: Paris
Posts: 398

Rep: Reputation: 31
There is probably a smart way, let's see if someone has an idea.
I see a very brutal way: comment out the telnetd line in /etc/inetd.conf
#telnet stream tcp6 nowait root /usr/sbin/telnetd telnetd -a
If you do so and reboot your system, telnetd will probably not start, and nobody will be able to connect through telnet...
 
Old 02-21-2005, 03:18 AM   #13
Mark Taylor
Member
 
Registered: Apr 2004
Posts: 60

Rep: Reputation: 15
>>>> There is probably a smart way, let's see if someone has an idea.

yeah, use tcpwrappers

Rgds
Mark Taylor
 
Old 03-11-2005, 01:23 PM   #14
outspoken
LQ Newbie
 
Registered: Nov 2004
Distribution: Gentoo
Posts: 24

Rep: Reputation: 15
Quote:
Originally posted by abyss

Always do:

su - root

so that you get what you expect.
I would not recommend ALWAYS becoming root with the root environment; it is not always needed, and if you are making use of exports or any custom shell variables, history, or even if you are in a specific working directory, it will all be blown away by entering root's environment. Think about what you need to accomplish before execution and use best judgement.
 
  

