66 An Introduction to Security in a CSM 1.3 for AIX 5L Environment
Table 5-1 Key files generated during OpenSSH (Bull) installation
We do not recommend using the rsa1 key type, because rsa and dsa provide
a higher security level.
The original value of the
-h parameter is /etc/openssh/ssh_host_key.
The ssh_host_key file contains the rsa1 type of key. If you want to use the rsa
key instead of rsa1, you should change the value of the
-h parameter to:
/etc/openssh/ssh_host_rsa_key
Edit the /etc/rc.openssh file and change the value of the -h parameter
manually, or you can use Example 5-8.
Example 5-8 Modifying the OpenSSH control file
str1='-h \/etc\/openssh\/ssh_host_key'
str2='-h \/etc\/openssh\/ssh_host_rsa_key'
sed s/"$str1"/"$str2"/ /etc/rc.openssh >/tmp/rc.openssh
mv /tmp/rc.openssh /etc/rc.openssh
4. Ensure that the sshd process is not running (ps -ef|grep [s]shd) and start it
using the
/etc/rc.openssh script (which will be automatically executed at
system init time, during the machine boot):
/etc/rc.openssh
5. Link the /usr/local/bin files to /usr/bin on the management server, because
CSM software requires the SSH binaries in the /usr/bin directory for SSH
autoconfiguration. You can use the following command:
ln -s /usr/local/bin/* /usr/bin/
5.2.5 Installing OpenSSH 3.4 for AIX 5L on AIX servers using NIM
You can also use the automated procedure offered by NIM to install OpenSSH
on your nodes.
This section describes how to set up the NIM server to install OpenSSH Version
3.4 for AIX 5L Version 5.2 on the nodes.
Configure NIM on the CSM management server. See
An Introduction to CSM 1.3
for AIX 5L,
SG24-6859, for more information.
Key type Private key file name Public key file name
rsa1 /etc/openssh/ssh_host_key /etc/openssh/ssh_host_key.pub
rsa /etc/openssh/ssh_host_rsa_key /etc/openssh/ssh_host_rsa_key.pub
dsa /etc/openssh/ssh_host_dsa_key /etc/openssh/ssh_host_dsa_key.pub
Chapter 5. Securing remote command execution 67
When you create the lpp_source NIM resource, a directory structure similar to
the following is created on your system:
/csminstall/AIX/aix520/lpp_source/installp/ppc
/csminstall/AIX/aix520/lpp_source/RPMS/ppc
/csminstall/AIX/aix520/lpp_source/usr
The steps for adding the SSH server installation to NIM are as follows:
1. Create an installp_bundle resource file.
The bundle file is a formatted list of the files to be installed by NIM. You can
create the file in any directory on the NIM server. We created the
/csminstall/AIX/aix520/sshd34-52.bnd file, with the content shown in
Example 5-9.
Example 5-9 Example of a bundle file for the sshd installation
#cat /csminstall/AIX/aix520/sshd34-52.bnd
R:openssl-0.9.6e-2
I:openssh.base.client
I:openssh.base.server
I:openssh.man.en_US
2. Copy the installation filesets listed in the sshd34-52.bnd file to the appropriate
lpp_source directories. Copy the installp files into the installp/ppc lpp_source
subdirectory and the rpm file to the lpp_source RPMS/ppc subdirectory.
You can use the
gencopy command to copy your files to the appropriate
directories:
a. Insert the Bonus Pack CD-ROM.
b. Use the
gencopy command to copy the SSH installp files:
gencopy -t /csminstall/AIX/aix520/lpp_source/ -d /dev/cd0 \
-f /csminstall/AIX/aix520/sshd34-52.bnd
c. Use the gencopy command to copy the SSL RPM file:
gencopy -t /csminstall/AIX/aix520/lpp_source/ -d /tmp/ssl/ \
-f /csminstall/AIX/aix520/sshd34-52.bnd
The -d parameter specifies the source directory. Use the real location of
your openssl-0.9.6e-2*.rpm installation file.
You can also copy these files manually to the appropriate lpp_source
directories, as shown in Example 5-10 on page 68.
Note: You may use a different version of the openssl fileset. In that case, you
should modify the bundle file accordingly.
68 An Introduction to Security in a CSM 1.3 for AIX 5L Environment
Example 5-10 Copy the installation source files to the lpp_source subdirectories
#insert the Bonus Pack CD-ROM
mount /cdrom
cd /cdrom/installp/ppc
cp openssh.base.client* /csminstall/AIX/aix520/lpp_source/installp/ppc/
cp openssh.base.server* /csminstall/AIX/aix520/lpp_source/installp/ppc/
cp openssh.man.en_US* /csminstall/AIX/aix520/lpp_source/installp/ppc/
cd /tmp/ssl/ #go to the directory where your openssl resides
cp openssl-0.9.6e-2* /csminstall/AIX/aix520/lpp_source/RPMS/ppc/
To verify this step:
find /csminstall/AIX/aix520/lpp_source/ -name ‘openss*’
The output of the find command should be similar to this:
/csminstall/AIX/aix520/lpp_source/RPMS/ppc/openssl-0.9.6e-2.aix4.3.ppc.rpm
/csminstall/AIX/aix520/lpp_source/installp/ppc/openssh.base
/csminstall/AIX/aix520/lpp_source/installp/ppc/openssh.man.en_US
To finish copying the source files, you have to recreate the .toc file in the
installp/ppc subdirectory:
cd /csminstall/AIX/aix520/lpp_source/installp/ppc/
rm .toc
inutoc
3. Create a script resource file.
The script resource file is a regular shell script. In later steps, we set up the
NIM to execute this script on the target node. You can create the file in any
directory on the NIM server. We use this script to create the /etc/pam.conf file
that is required for the sshd daemon (in OpenSSH Version 3.4. for AIX 5L
Version 5.2) to accept client connections. In this script, we also configure the
sshd to start automatically at the node’s initialization time (after reboot).
Finally, the sshd subsystem is started.
We created the /csminstall/AIX/aix520/sshd_conf.ksh file, as shown in
Example 5-11 on page 69.
Get An Introduction to Security in a CSM 1.3 for AIX 5L Environment now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
