ssh-add        Tool that adds keys to ssh-agent
sftp           Similar to the FTP program that works over SSH1 and SSH2 protocol
scp            File copy program similar to rcp
ssh-keygen     Key generation tool
ssh-keyscan    Utility for gathering public host keys from a number of hosts
ssh-keysign    Utility for host-based authentication
sshd           Daemon that permits you to log in
sftp-server    SFTP server subsystem (started automatically by sshd daemon)
The following general information covers OpenSSH:
- The /etc/ssh/ssh_config directory contains the sshd daemon and the configuration files for the ssh command.
- The /usr/openssh directory contains the readme file and the original OpenSSH open-source license text file.
- The sshd daemon is under AIX SRC control. You can start, stop, and view the status of the daemon by issuing the following commands:
      startsrc -s sshd    OR    startsrc -g ssh    (group)
      stopsrc -s sshd     OR    stopsrc -g ssh
      lssrc -s sshd       OR    lssrc -g ssh
  You can also start and stop the daemon by issuing the following commands:
      /etc/rc.d/rc2.d/Ksshd start    OR    /etc/rc.d/rc2.d/Ssshd start
      /etc/rc.d/rc2.d/Ksshd stop     OR    /etc/rc.d/rc2.d/Ssshd stop
- When the OpenSSH server fileset is installed, an entry is added to the directory /etc/rc.d/rc2.d. An entry is in inittab to execute run level 2 processes (l2:2:wait:/etc/rc.d/rc 2), so the sshd daemon will start automatically at boot time. To prevent the daemon from starting at boot time, remove the /etc/rc.d/rc2.d/Ksshd and /etc/rc.d/rc2.d/Ssshd files.
- OpenSSH software logs information to SYSLOG.
- The IBM Redbook, Managing AIX Server Farms, provides information about configuring OpenSSH in AIX and is available at the following Web site: http://www.redbooks.ibm.com
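As an added example (not part of the AIX Security Guide), the following POSIX shell snippet turns the two checks above into something an administrator can script: it reads the Status column out of `lssrc -s sshd` output and tests for the rc2.d entries that make sshd start at run level 2. Because `lssrc` exists only on AIX, the parser reads the command output from standard input; SAMPLE_LSSRC is a constructed sample shaped like that output, and the ROOT argument (an assumption added so the check can be exercised against a copied filesystem or a scratch directory) is the empty string on the running system. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the AIX Security Guide. Checks the sshd SRC state
# and the rc2.d boot entries described above.

# Constructed sample shaped like `lssrc -s sshd` output on AIX; on a real
# system pipe the live command into sshd_status or sshd_report instead.
SAMPLE_LSSRC='Subsystem         Group            PID          Status
 sshd             ssh              12345        active'

# sshd_status: read lssrc output on stdin and print the Status column of the
# sshd subsystem. The PID column is empty when the subsystem is inoperative,
# so the last field ($NF) is used rather than a fixed column number.
sshd_status() {
    awk '$1 == "sshd" { print $NF; found = 1 }
         END { if (!found) print "unknown" }'
}

# boot_start_enabled ROOT: succeed (exit 0) if either rc2.d script that starts
# sshd at run level 2 exists under ROOT. ROOT is "" for the running system;
# passing a scratch directory is an assumption used to exercise the check offline.
boot_start_enabled() {
    root=${1:-}
    [ -e "$root/etc/rc.d/rc2.d/Ssshd" ] || [ -e "$root/etc/rc.d/rc2.d/Ksshd" ]
}

# sshd_report ROOT: one-line summary combining both checks, reading lssrc
# output from stdin.
sshd_report() {
    status=$(sshd_status)
    if boot_start_enabled "$1"; then boot=yes; else boot=no; fi
    printf 'sshd status: %s; starts at boot: %s\n' "$status" "$boot"
}

# Usage on AIX:   lssrc -s sshd | sshd_report ""
# Offline demonstration with the constructed sample:
printf '%s\n' "$SAMPLE_LSSRC" | sshd_report ""
```

Reading the last field instead of the fourth column is deliberate: when sshd is stopped, `lssrc` prints no PID, so a column-position parser would report the wrong value exactly in the case an administrator most wants to catch.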
Using OpenSSH with PAM
Beginning with AIX 5.2, OpenSSH is compiled with Pluggable Authentication Module (PAM) support. PAM is an alternate way of authenticating users. It provides an adaptable mechanism for authenticating AIX users by allowing a user-written module to be added to the login process. A user can write his own module or use the pam_aix module provided with AIX. The pam_aix module provides interfaces to AIX security services.
The following example of the /etc/pam.conf configuration file uses the pam_aix PAM module; other modules can be used if they are installed on the system. Create the /etc/pam.conf file with the following contents:
AIX 5L Version 5.2: Security Guide
    sshd     auth        required    /usr/lib/security/pam_aix
    OTHER    auth        required    /usr/lib/security/pam_aix
    sshd     account     required    /usr/lib/security/pam_aix
    OTHER    account     required    /usr/lib/security/pam_aix
    sshd     password    required    /usr/lib/security/pam_aix
    OTHER    password    required    /usr/lib/security/pam_aix
    sshd     session     required    /usr/lib/security/pam_aix
    OTHER    session     required    /usr/lib/security/pam_aix
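Added example, not from the AIX Security Guide: a POSIX shell function that reads a pam.conf file in the format shown above (service, module type, control flag, module path) and reports, for each of the four module types, which entry the sshd service resolves to: its own sshd line, the OTHER fallback, or none. A second function flags any type whose entry is missing or whose control flag is not "required", which is the kind of drift an administrator wants to catch after editing the file. SAMPLE_PAM_CONF is a constructed copy of the configuration above with the sshd session line deliberately omitted so the fallback shows; the file path is passed as an argument (an assumption) so the check can run against a copy rather than the live /etc/pam.conf, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the AIX Security Guide. Reports which pam.conf
# entry the sshd service resolves to for each PAM module type.

# Constructed sample in AIX pam.conf format:
#   service  module_type  control_flag  module_path
# The "sshd session" line is left out on purpose so the OTHER fallback shows.
SAMPLE_PAM_CONF='# comment lines and blank lines are ignored
sshd  auth     required  /usr/lib/security/pam_aix
OTHER auth     required  /usr/lib/security/pam_aix
sshd  account  required  /usr/lib/security/pam_aix
OTHER account  required  /usr/lib/security/pam_aix
sshd  password required  /usr/lib/security/pam_aix
OTHER password required  /usr/lib/security/pam_aix

OTHER session  required  /usr/lib/security/pam_aix'

# pam_sshd_coverage FILE: print one line per module type in the form
#   <type>: <service used> <control_flag> <module_path>
# or "<type>: MISSING" when neither an sshd nor an OTHER entry exists.
# A service-specific line wins over OTHER, as in PAM's own resolution; only
# the first line recorded for each type is shown (stacked lines would also apply).
pam_sshd_coverage() {
    awk '
        $1 !~ /^#/ && NF >= 4 && ($1 == "sshd" || $1 == "OTHER") {
            entry = $3 " " $4
            if ($1 == "sshd") { if (!($2 in svc))   svc[$2]   = entry }
            else              { if (!($2 in other)) other[$2] = entry }
        }
        END {
            n = split("auth account password session", types, " ")
            for (i = 1; i <= n; i++) {
                t = types[i]
                if (t in svc)        print t ": sshd " svc[t]
                else if (t in other) print t ": OTHER " other[t]
                else                 print t ": MISSING"
            }
        }' "$1"
}

# pam_sshd_gaps FILE: succeed only when every module type has an entry whose
# control flag is "required"; anything else (MISSING, optional, sufficient)
# is printed so the administrator can see which line to fix.
pam_sshd_gaps() {
    pam_sshd_coverage "$1" | awk '$3 != "required" { print; bad = 1 }
                                  END { exit (bad ? 1 : 0) }'
}

# demo_pam_check: offline demonstration writing the constructed sample to a
# temporary file. On AIX, call pam_sshd_coverage /etc/pam.conf directly.
demo_pam_check() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PAM_CONF" > "$tmp"
    pam_sshd_coverage "$tmp"
    rm -f "$tmp"
}

demo_pam_check
```

With the sample above the session line reads `session: OTHER required /usr/lib/security/pam_aix`, so authentication still works through the fallback; the point of the report is to make that reliance on OTHER visible instead of discovering it when the OTHER lines are later changed for some unrelated service.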
Chapter 8. OpenSSH Software Tools
Part 2. Network and Internet Security
Part 2 of this guide provides information about network and Internet security measures. These chapters describe how to install and configure IP Security, how to identify necessary and unnecessary network services, how to audit and monitor network security, and more.
© Copyright IBM Corp. 2002, 2003