64 An Introduction to Security in a CSM 1.3 for AIX 5L Environment
ii. In the second dialog box, change ACCEPT new license agreements? to YES.
If you want to install the client SSH software only (for example, on the
management server), use the F4 key for the SOFTWARE to install field and
select only the SSH client software. If you want to install the SSH server,
leave the default value _all_latest.
c. After the installation is finished, remove the temporary directory:
rm -rf /tmp/ssh
4. Perform the post-installation tasks described in 5.2.4, Post-installation tasks
on page 64.
5.2.4 Post-installation tasks
Depending on the version of OpenSSH software, several actions may be needed
to make the OpenSSH software functional. This section describes these actions
for each version we used in our environment.
openssh34p1_52 (Bonus Pack and Internet download)
After the OpenSSH Version 3.4 for AIX 5L Version 5.2 server software
installation, we performed the following steps:
1. Create the /etc/pam.conf file with the contents shown in Example 5-6.
Example 5-6 Recommended contents of the /etc/pam.conf file
sshd auth required /usr/lib/security/pam_aix
OTHER auth required /usr/lib/security/pam_aix
sshd account required /usr/lib/security/pam_aix
OTHER account required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix
OTHER password required /usr/lib/security/pam_aix
sshd session required /usr/lib/security/pam_aix
OTHER session required /usr/lib/security/pam_aix
Note: If you are installing the Bull version of OpenSSH, you may get some
errors:
Disabling protocol version 2. Could not load host key
Privilege separation user sshd does not exist
rc.openssh: CMD: error detected in ....
These messages can be ignored for now. This issue will be addressed in 5.2.4,
Post-installation tasks on page 64.
Chapter 5. Securing remote command execution 65
You can use the command shown in Example 5-7 to create this file.
Example 5-7 Command for /etc/pam.conf creation
cat <<EOF >/etc/pam.conf
sshd auth required /usr/lib/security/pam_aix
OTHER auth required /usr/lib/security/pam_aix
sshd account required /usr/lib/security/pam_aix
OTHER account required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix
OTHER password required /usr/lib/security/pam_aix
sshd session required /usr/lib/security/pam_aix
OTHER session required /usr/lib/security/pam_aix
EOF
2. Update the /etc/inittab file to start the sshd daemon automatically after reboot:
mkitab -i rctcpip "sshd:23456789:once:startsrc -s sshd >/dev/console 2>&1"
3. Start the sshd daemon (the OpenSSH server):
startsrc -s sshd
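The check below is an added example, not part of the original text: it reads a pam.conf-style file laid out as in Example 5-6 and lists the PAM module types for which neither sshd nor OTHER has a required pam_aix line. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# pam_missing_types FILE [SERVICE]
# Prints the module types (auth account password session) for which neither
# SERVICE nor the OTHER fallback has a "required .../pam_aix" line in FILE.
pam_missing_types() {
    file=$1
    service=${2:-sshd}
    # An unreadable or absent file covers nothing.
    [ -r "$file" ] || { echo "auth account password session"; return 0; }
    awk -v svc="$service" '
        /^[ \t]*#/ || NF < 4 { next }   # skip comments and incomplete lines
        ($1 == svc || $1 == "OTHER") && $3 == "required" && $4 ~ /\/pam_aix$/ {
            seen[$2] = 1                # $2 is the module type
        }
        END {
            n = split("auth account password session", types, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (!(types[i] in seen))
                    out = out (out == "" ? "" : " ") types[i]
            print out
        }
    ' "$file"
}

# pam_check FILE [SERVICE]: returns 0 if every module type is covered, else 1.
pam_check() {
    missing=$(pam_missing_types "$@")
    if [ -z "$missing" ]; then
        echo "OK: ${2:-sshd} has pam_aix entries for all module types"
    else
        echo "MISSING in $1: $missing"
        return 1
    fi
}

# Constructed sample: the session lines of Example 5-6 are left out on purpose.
sample=${TMPDIR:-/tmp}/pam.conf.sample.$$
cat <<EOF >"$sample"
sshd auth required /usr/lib/security/pam_aix
OTHER account required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix
EOF
pam_check "$sample" || true    # reports session as missing
rm -f "$sample"
```

The redirection in Example 5-7 replaces any existing /etc/pam.conf, so running pam_check /etc/pam.conf after creating the file confirms that the result still covers all four module types.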
For openssh34p1_51
We performed the following steps:
1. Update the /etc/inittab file to start the sshd daemon automatically after reboot:
mkitab -i rctcpip "sshd:23456789:once:startsrc -s sshd >/dev/console 2>&1"
2. Start the sshd daemon, the OpenSSH server:
startsrc -s sshd
For openssh-3.4.0.0.exe (Bull)
During the installation of this package, some errors may be reported (see 5.2.3,
Installing SSH on AIX manually on page 63). The following steps describe how
to fix these errors and start the SSH server on the node:
1. Create the sshd user:
mkuser sshd
2. Create the /var/empty directory:
mkdir /var/empty
3. Modify the value of the -h parameter for sshd in the /etc/rc.openssh script that
is used to start the sshd daemon.
The -h parameter specifies the primary key file of the running sshd (server).
Three types of keys are generated automatically during the installation, as
shown in Table 5-1 on page 66.
