How to use SSH

Client SSH

How To Create SSH Keys

Several SSH key types exist. DSA and SSH-1 RSA (RSA1) are no longer recommended and support for them has been removed from recent OpenSSH releases. RSA (SSH-2) is the most widely used; ECDSA and Ed25519 are the newer elliptic-curve types. All of them are asymmetric key pairs.

Each user can generate an SSH key pair; it is stored in $HOME/.ssh/.

Generate a 4096-bit RSA key. You are asked for a passphrase twice; press Enter both times to create a key without one. A key without passphrase is only appropriate for unattended jobs, since anyone who can read the file can use it:

[toto@aix72]/home/toto # ssh-keygen -t rsa -b 4096

Or non-interactively (the echo answers the file name prompt with the default, -N '' sets an empty passphrase):

[toto@aix72]/home/toto # echo | ssh-keygen -q -t rsa -b 4096 -N ''

Check the key type, length and fingerprint:

[toto@aix72]/home/toto # ssh-keygen -l -f ~/.ssh/id_rsa.pub
4096 SHA256:hI0QsTxu220Jxxxxxxxxxxx4BdSXrECyaLOzIfxWrB0Mxc root@aix72 (RSA)
[toto@aix72]/home/toto/.ssh # ls -lsa
total 8
   0 drwx------    2 toto usr             256 Aug 16 16:14 .
   4 drwxr-xr-x    4 toto usr            4096 Oct 11 14:06 ..
   4 -rw-r--r--    1 toto usr             1993 Mar  8 2010 authorized_keys
   4 -rw-------    1 toto usr             1675 Feb  4 2009 id_rsa
   4 -rw-r--r--    1 toto usr              394 Feb  4 2009 id_rsa.pub
   4 -rw-r--r--    1 toto usr             547 Oct 18 15:18 known_hosts

The folder $HOME/.ssh now holds the public key (id_rsa.pub) and the private key (id_rsa).

The public key is distributed to other servers as needed; the private key never leaves the local server.

Automatic connection using SSH Keys

To connect without being prompted for a password, put the public key on the target server in the .ssh folder of the target user, who can be different from the source user.

For example with an RSA key:

copy the file $HOME/.ssh/id_rsa.pub from the source server to $HOME/.ssh/authorized_keys on the target server. The scp below replaces any authorized_keys already present on the target; if other keys are in use there, append the line to the file instead of overwriting it.

[toto@aix72]/home/toto/.ssh # scp id_rsa.pub targetuser@targethost:/home/targetuser/.ssh/authorized_keys

Pasting the key line into authorized_keys also works (the key must stay on one line).

Then make a first interactive connection from the source user to the target user and host, so that the target's host key is recorded once in $HOME/.ssh/known_hosts on the source server. This step is required: without the known_hosts entry a non-interactive connection stops at the host key prompt and fails.

Important

Typical permissions (with StrictModes, which is the default, sshd ignores keys in files or directories that are group- or world-writable):
  * .ssh directory 700 (drwx------)
  * public key (.pub file) 644 (-rw-r--r--)
  * private key (id_rsa) 600 (-rw-------)
  * authorized_keys 600 (-rw-------); 644 also works
  * home directory not writable by group or others (at most 755 (drwxr-xr-x))
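The whole procedure above (copy the key, append it without clobbering keys already on file, set the permissions sshd expects) as a shell function. This is an added example, not code from the original page; it is meant to run on the target side, and the key file name, the authorized_keys path and the dummy key used in the demo are assumptions. Unlike the scp command above it never overwrites an existing authorized_keys, and it refuses key types current OpenSSH no longer accepts.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE [AUTHORIZED_KEYS]
#   Appends the first line of PUBKEY_FILE to AUTHORIZED_KEYS (default
#   ~/.ssh/authorized_keys) unless that exact line is already present, and
#   sets the modes sshd's StrictModes wants: .ssh 700, authorized_keys 600.
#   Returns 0 on success, 2 when the file is not a usable public key.
install_pubkey() {
    pub=$1
    auth=${2:-$HOME/.ssh/authorized_keys}

    # Only one-line keys of a type current OpenSSH still accepts (no ssh-dss/RSA1).
    if ! grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)' "$pub"; then
        echo "install_pubkey: $pub is not a supported one-line public key" >&2
        return 2
    fi
    key=$(head -n 1 "$pub")
    dir=$(dirname "$auth")

    # Create dir and file under a restrictive umask, in a subshell so the
    # caller's umask is left alone.
    ( umask 077; mkdir -p "$dir" && touch "$auth" ) || return 1
    chmod 700 "$dir"

    # -F literal, -x whole line: the same key is never added twice.
    if grep -qxF -- "$key" "$auth"; then
        echo "unchanged: key already in $auth"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "added key to $auth"
    fi
    chmod 600 "$auth"
}

# count_keys AUTHORIZED_KEYS: number of key lines on file (comments and blank lines ignored).
count_keys() {
    grep -Ec '^(ssh-|ecdsa-)' "$1"
}

# Equivalent one-liner run from the source host (not idempotent, appends every time):
#   cat ~/.ssh/id_rsa.pub | ssh targetuser@targethost \
#       'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys'

# Demo against a scratch directory with a constructed (not real) Ed25519 key.
demo=${TMPDIR:-/tmp}/install_pubkey_demo.$$
mkdir -p "$demo"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDummyKeyMaterialDummyKeyMaterialDummy toto@aix72\n' \
    > "$demo/id_ed25519.pub"
install_pubkey "$demo/id_ed25519.pub" "$demo/.ssh/authorized_keys"
install_pubkey "$demo/id_ed25519.pub" "$demo/.ssh/authorized_keys"   # second run is a no-op
echo "keys on file: $(count_keys "$demo/.ssh/authorized_keys")"
ls -ld "$demo/.ssh" "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```

Run it on the target as the target user with the copied .pub file as first argument; a second run reports the key as already present and leaves the file untouched.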

What is the host key? When OpenSSH is installed, one host key pair per algorithm is generated in /etc/ssh (the usual location). The host key identifies the server to clients: a client stores the public half in known_hosts at the first connection and warns if it changes later.

[root@aix72]/etc/ssh # ls -lsa
total 196
   4 drwxr-xr-x    2 root     system         4096 Jul  7 09:49 .
  20 drwxr-xr-x   49 root     system        20480 Oct 31 10:37 ..
 132 -rw-------    1 root     system       132839 Jul  7 09:49 moduli
   4 -rw-r--r--    1 root     system         1524 Jul  7 11:46 ssh_config
   4 -rw-------    1 root     system          668 Jan  6 2009  ssh_host_dsa_key
   4 -rw-r--r--    1 root     system          590 Jan  6 2009  ssh_host_dsa_key.pub
   4 -rw-------    1 root     system          227 Mar 19 2014  ssh_host_ecdsa_key
   4 -rw-r--r--    1 root     system          174 Mar 19 2014  ssh_host_ecdsa_key.pub
   4 -rw-------    1 root     system          963 Jan  6 2009  ssh_host_key
   4 -rw-r--r--    1 root     system          627 Jan  6 2009  ssh_host_key.pub
   4 -rw-------    1 root     system         1675 Jan  6 2009  ssh_host_rsa_key
   4 -rw-r--r--    1 root     system          382 Jan  6 2009  ssh_host_rsa_key.pub
   4 -rw-r--r--    1 root     system         3214 Oct 10 12:18 sshd_config

One key pair per type is generated. Which one a client uses is decided by its HostKeyAlgorithms preference order; with the versions shown here the ECDSA key is preferred unless another type is already recorded in known_hosts.

Once the host key has been accepted, connections no longer prompt. Test it:

[toto@aix72]/home/toto # ssh targetuser@targethost
Last unsuccessful login: Mon Sep 18 16:52:57 CEST 2017 on ssh from 10.10.10.31
Last login: Tue Oct 31 11:02:55 CET 2017 on ssh from aix72
[targetuser@targethost]/home/targetuser # 

To have new host keys added to known_hosts automatically while still refusing a changed key (OpenSSH 7.6 and later), use:

ssh -o StrictHostKeyChecking=accept-new <host>

How to replace unsafe protocols:
  • rsh, rexec by ssh
  • telnet, rlogin by ssh
  • rcp by scp or rsync -e ssh
  • ftp by sftp

Server SSH

The default configuration directory is /etc/ssh (listed above): sshd_config for the daemon, ssh_config for the client defaults, the ssh_host_*_key pairs, and moduli (Diffie-Hellman group-exchange parameters).

Test the server configuration file, ideally before restarting sshd after a change (-t only checks the file and exits; -ddd shows what is parsed):

[root@aix72]/etc/ssh # sshd -t -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 286
debug2: parse_server_config: config /etc/ssh/sshd_config len 286
debug3: /etc/ssh/sshd_config:13 setting Port 22
debug3: /etc/ssh/sshd_config:15 setting ListenAddress 0.0.0.0
debug3: /etc/ssh/sshd_config:19 setting Protocol 2
debug3: /etc/ssh/sshd_config:33 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:34 setting LogLevel INFO
debug3: /etc/ssh/sshd_config:39 setting PermitRootLogin yes
debug3: /etc/ssh/sshd_config:84 setting UsePAM no
debug3: /etc/ssh/sshd_config:101 setting UseDNS no
debug3: /etc/ssh/sshd_config:102 setting PidFile /var/run/sshd.pid
debug3: /etc/ssh/sshd_config:111 setting Subsystem sftp /usr/sbin/sftp-server
debug1: sshd version OpenSSH_7.1, OpenSSL 1.0.2k  26 Jan 2017
debug1: private host key #0: ssh-rsa SHA256:35Iaa1st06it22Cyp2vHeio6GN1bbBd1It7Zfl+NR8E
debug1: private host key #1: ssh-dss SHA256:XY2aajOLDDzmuFV92R379t4YV67MbbRh75L+bt9y0Aw
debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:bckbyaaqlZqbbT/rf/mig/BzqxGjpzJrhIID9tCicPg
debug1: private host key #3: ssh-ed25519 SHA256:Dd0aakyMCF/sVBDnR2bbb6AGvlEDx3JHN/Mi9v1InwM

List the effective value of every parameter, including defaults that are not written in the file:

[root@aix72]/etc/ssh # sshd -T
port 22
protocol 2
addressfamily any
listenaddress 0.0.0.0:22
usepam no
serverkeybits 1024
logingracetime 120
keyregenerationinterval 3600
...

Example of host key generation for ECDSA, if missing. Restart sshd afterwards; clients that already know the old key of this host will get a host-key-changed warning:

[root@aix72]/etc/ssh # echo | ssh-keygen -q -t ecdsa -b 521  -f /etc/ssh/ssh_host_ecdsa_key -N ''

Server SSH options

Access restrictions

Users and groups can be allowed or denied. The directives are evaluated in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups: a user denied by name is rejected even if his group is allowed, and as soon as an Allow* list exists, everyone not matched by it is denied.

AllowUsers *
AllowGroups system staff root_access aix-all-srvgrp
DenyUsers nobody
DenyGroups ftpusers monitor

Conditional options with Match blocks. A Match line starts a block whose settings apply only to connections matching all of its criteria; the block lasts until the next Match line or the end of the file, so Match blocks belong at the end of sshd_config. The effective settings for a given connection can be checked without connecting, e.g. sshd -T -C user=vivek,host=pc.home.lan,addr=192.168.1.5. ChrootDirectory needs a root-owned directory that is not group- or world-writable and, for sftp, the internal-sftp subsystem. Users, hosts and addresses below are examples:

Match Address 192.168.184.8,202.54.1.1,192.168.1.0/24
  PermitRootLogin yes

Match User vivek Address 192.168.1.0/24
  PermitTunnel yes
  PasswordAuthentication yes

Match Host *.home.lan
  X11Forwarding yes

Match User *,!foo
  X11Forwarding yes
  PermitTunnel yes
  PermitTTY no

Match Address 10.20.30.40,80.90.100.200 Host dispatch.raymii.org
  PasswordAuthentication yes
  PermitRootLogin yes

Match Group users
  ChrootDirectory /home
  AllowTCPForwarding no

IBM AIX: Regular users can ssh into AIX but sftp fails

A regular user can ssh into AIX but a sftp request fails for the same user.

The most common cause is a wrong permission on the /etc/ssh/sshd_config file.

The /etc/ssh/sshd_config file is configured by default with the following line for sftp service:

Subsystem       sftp    /usr/sbin/sftp-server

OpenSSH on AIX uses the external sftp-server binary by default, and that binary requires sshd_config to be world-readable (mode 644).

The default permission on /etc/ssh/sshd_config is 644 and owned by root system. Check the permission on sshd_config.

# ls -l /etc/ssh/sshd_config

If the permission on sshd_config is not 644, change it to 644 (rw-r--r--).

# chmod 644 /etc/ssh/sshd_config

If your environment requires sshd_config to be 640 for security reasons, use internal-sftp instead of sftp-server. The two are functionally equivalent, but internal-sftp runs inside the sshd process, so it works with sshd_config at 640; it is also the only option when ChrootDirectory is used, since no binary is available inside the chroot.

To use internal-sftp, change the Subsystem line in sshd_config to:

Subsystem       sftp   internal-sftp

Stop and restart sshd afterwards.

# stopsrc -s sshd
# startsrc -s sshd

CIS AIX 7.2

/etc/ssh/sshd_config

Port 22
ListenAddress 0.0.0.0
SyslogFacility AUTH
LogLevel INFO
PermitRootLogin yes
MaxAuthTries 4
AuthorizedKeysFile      .ssh/authorized_keys
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication yes
PermitEmptyPasswords no
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
RekeyLimit 1G 3600
PermitUserEnvironment no
PidFile /var/run/sshd.pid
Banner /etc/ssh/ssh_banner
Subsystem       sftp    /usr/sbin/sftp-server -u 027 -f AUTH -l INFO
AllowUsers root user1 oracle

FIXME

Algorithms can also be removed from the built-in default lists by name pattern instead of spelling out a full list. The "-" syntax needs OpenSSH 7.5 or later (the sshd shown above is 7.1 and would reject the line), so validate with sshd -t before restarting:

KexAlgorithms -*sha1,*sha1-*
MACs -*sha1,*sha1-*

Full example (second variant). PermitRootLogin without-password is the older name of prohibit-password: root may log in with a key but not with a password.

Port 22
ListenAddress 0.0.0.0
Protocol 2
RekeyLimit 1G 3600
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
LogLevel INFO
PermitRootLogin without-password
MaxAuthTries 4
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
UsePAM yes
AllowTcpForwarding no
PermitUserEnvironment no
ClientAliveInterval 3600
ClientAliveCountMax 3
PidFile /var/run/sshd.pid
Banner /etc/ssh/ssh_banner
Subsystem       sftp    /usr/sbin/sftp-server
AllowUsers *
AllowGroups *
DenyUsers nobody
DenyGroups ftpusers monitor
kexalgorithms  -*sha1,*sha1-*
macs -*sha1,*sha1-*            
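A quick audit of the effective server configuration against the hardening points of the two examples above (no root login with password, no CBC/3DES ciphers, no SHA-1 or MD5 MACs, no SHA-1 key exchange, MaxAuthTries at most 4). This is an added shell example, not code from the original page or from CIS: it reads the output of sshd -T saved to a file, the sample dump is constructed for the demo, and the lists of names treated as weak are this example's own choice.

```shell
#!/bin/sh
# sshd_get DUMP KEYWORD: value of KEYWORD (lowercase, as printed by `sshd -T`).
sshd_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# audit_sshd_dump DUMP: print one "FINDING: ..." line per weak setting found
# in a `sshd -T` dump; return 0 when clean, 1 otherwise.
audit_sshd_dump() {
    dump=$1
    n=0
    flag() { n=$((n + 1)); echo "FINDING: $*"; }

    [ "$(sshd_get "$dump" permitrootlogin)" = "yes" ] && \
        flag "PermitRootLogin yes (use prohibit-password, or no)"
    [ "$(sshd_get "$dump" permitemptypasswords)" = "yes" ] && flag "PermitEmptyPasswords yes"
    [ "$(sshd_get "$dump" hostbasedauthentication)" = "yes" ] && flag "HostbasedAuthentication yes"
    [ "$(sshd_get "$dump" ignorerhosts)" = "no" ] && flag "IgnoreRhosts no"
    tries=$(sshd_get "$dump" maxauthtries)
    [ -n "$tries" ] && [ "$tries" -gt 4 ] && flag "MaxAuthTries $tries (4 or less expected)"

    # keyword;ERE of weak names;label   (algorithm lists are comma separated in the dump)
    for spec in \
        'ciphers;-cbc$|arcfour|blowfish|cast128;weak cipher' \
        'macs;md5|sha1|-96;weak MAC' \
        'kexalgorithms;sha1$;weak key exchange'
    do
        kw=${spec%%;*}; rest=${spec#*;}; ere=${rest%;*}; label=${rest#*;}
        for algo in $(sshd_get "$dump" "$kw" | tr ',' '\n' | grep -E -- "$ere" || true); do
            flag "$label $algo"
        done
    done
    [ "$n" -eq 0 ]
}

# write_sample_dump FILE: a constructed excerpt of `sshd -T` output mixing
# the CTR/GCM lists from the examples above with legacy algorithms.
write_sample_dump() {
    cat > "$1" <<'EOF'
port 22
permitrootlogin yes
maxauthtries 6
permitemptypasswords no
hostbasedauthentication no
ignorerhosts yes
passwordauthentication yes
ciphers 3des-cbc,aes256-cbc,aes128-ctr,aes256-gcm@openssh.com
macs hmac-sha1,hmac-md5-96,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com
kexalgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,curve25519-sha256
EOF
}

# Demo. On a real host replace the sample with:  sshd -T > /tmp/sshd_T.txt
sample=${TMPDIR:-/tmp}/sshd_T_sample.$$
write_sample_dump "$sample"
audit_sshd_dump "$sample" || echo "weak settings found: fix sshd_config, run sshd -t, restart sshd"
rm -f "$sample"
```

The dump is taken from sshd -T rather than by grepping sshd_config so that defaults and Match blocks are already resolved; on the constructed sample the audit reports eight findings (root login, MaxAuthTries, two CBC ciphers, two MACs, two SHA-1 key exchanges).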

SSH problems

Slow connection because of known_hosts

If connections take several seconds (about 4 s) and DNS or GSSAPI are not the cause, stale or conflicting entries in ~/.ssh/known_hosts can be responsible. Remove the entry for the host (ssh-keygen -R <host>) or, as a last resort, the whole file, and accept the host keys again from scratch.

Automatically accept new entries into known_hosts (for example in a loop over hosts $i):

#  ssh -o StrictHostKeyChecking=accept-new $i uname

Add a timeout

If a host does not answer, the timeout aborts the connection attempt instead of hanging:

#  ssh -o ConnectTimeout=10 $i uname

Speed up repeated connections

Multiplex several connections to the same host over one master connection (ControlMaster). The first command opens the master and keeps it alive 5 minutes after its last use; later connections reuse its socket and skip key exchange and authentication. Put the socket in a directory only you can write, such as ~/.ssh, rather than in /tmp as in this example:

[root@aix001]/root> ssh -M -S /tmp/sockets -o ControlPersist=5m lnx203 exit
[root@aix001]/root> time ssh lnx203 exit
real   0m0.43s
user   0m0.12s
sys    0m0.01s

[root@aix001]/root> time ssh -S /tmp/sockets lnx203 exit
real   0m0.03s
user   0m0.00s
sys    0m0.00s

Bad cipher or MAC

If the server only offers legacy algorithms, the cipher and MAC can be forced on the command line. Both aes256-cbc and hmac-sha1 are deprecated; use this as a stopgap until the server is upgraded:

ssh <user@ip> -c aes256-cbc -m hmac-sha1

no matching host key type found

The server only offers an ssh-rsa host key signature (RSA with SHA-1), which OpenSSH 8.8 and later refuse by default. Re-enabling the SHA-1 key exchange alone is not enough; the host key algorithm has to be re-enabled as well:

[root@aixa001]/root/scripts> ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 USERID@10.0.1.11
Unable to negotiate with 10.0.1.11 port 22: no matching host key type found. Their offer: ssh-rsa

[root@aixa001]/root/scripts> ssh -o HostKeyAlgorithms=+ssh-rsa USERID@10.0.1.11
The authenticity of host '10.0.1.11 (10.0.1.11)' can't be established.
RSA key fingerprint is SHA256:fEia4p8Ylxxxxxxxxxxxxxxx23gMy3Iq0bmtmk/1Q.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.1.11' (RSA) to the list of known hosts.
(USERID@10.0.1.11) Enter login password:

The same parameters can be set in /etc/ssh/ssh_config, or per user in ~/.ssh/config; restrict them to the hosts that need them. Example for the error "Their offer: ssh-dss" (note that KexAlgorithms without a leading + replaces the whole list, so only diffie-hellman-group1-sha1 is offered to these hosts):

~/.ssh/config

Host my.host.com *.myinsecure.net 10.0.1.*
    HostkeyAlgorithms +ssh-dss
    PubkeyAcceptedKeyTypes +ssh-dss
    KexAlgorithms diffie-hellman-group1-sha1  

Or on the command line:

ssh -v -o HostKeyAlgorithms=ssh-dss -o KexAlgorithms=diffie-hellman-group14-sha1 my.host.com

Disable the host key prompt

This turns host key verification off entirely: any server, including a man-in-the-middle, is accepted and nothing is remembered between connections. Reserve it for throw-away lab hosts; for automation prefer accept-new or known_hosts entries populated in advance. On the command line:

[root@aix001]/root> ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR aix002

In a config file: per user in ~/.ssh/config, or for all users in /etc/ssh/ssh_config (LogLevel QUIET also suppresses errors):

StrictHostKeyChecking no 
UserKnownHostsFile /dev/null 
LogLevel ERROR

Error: hostfile_replace_entries

Error:

[root@aix001]/root> ssh server001
update_known_hosts: hostfile_replace_entries failed for /root/.ssh/known_hosts: Operation not permitted

Resolution: add the host keys with ssh-keyscan (-H hashes the host name in the file). ssh-keyscan trusts whatever answers on the wire, so compare the fingerprint with one obtained out of band (ssh-keygen -l on the server's /etc/ssh/ssh_host_*_key.pub) before relying on the entry:

[root@aix001]/root> ssh-keyscan -H server001 >> ~/.ssh/known_hosts
# server001 SSH-2.0-OpenSSH_8.1
# server001 SSH-2.0-OpenSSH_8.1
# server001 SSH-2.0-OpenSSH_8.1
# server001 SSH-2.0-OpenSSH_8.1

Edit a file on a remote host

Pass the -t option to ssh to force a pseudo-terminal; without it a screen-oriented editor such as vi cannot run as a remote command.

SCP: Connection closed

The -O option tells scp to use the legacy SCP protocol instead of SFTP for the transfer:

[root@aix001]/root/scripts# scp  count_path.sh padmin@vios01:/tmp
scp: Connection closed
[root@aix001]/root/scripts# scp -O  count_path.sh padmin@vios01:/tmp
count_path.sh                                        100% 1972     1.9MB/s   00:00

Note: since OpenSSH 9.0 scp uses the SFTP protocol by default, so a target without a working SFTP subsystem closes the connection. The -O option selects the legacy SCP protocol.

List ciphers and MACs on the client

These lists show what the binary supports, not what the configuration enables (compare with sshd -T on the server side):
  • Ciphers: ssh -Q cipher
  • MACs: ssh -Q mac
  • KexAlgorithms: ssh -Q kex
  • Host key and public key types: ssh -Q key

A remote server can also be probed for the algorithms it actually offers with recent nmap versions, which is a good way to verify a hardened sshd_config from the outside:

# nmap --script ssh2-enum-algos -sV -p <port> <host>

[root@vios]/etc/ssh# ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

[root@vios]/etc/ssh# ssh -Q mac
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com

Connection slow

Check with ssh -vvv <hostname>; if it hangs at

debug1: Next authentication method: gssapi-with-mic

the client is waiting on GSSAPI/Kerberos (usually a DNS or KDC lookup). Disable it on the server in /etc/ssh/sshd_config (the same keyword also works on the client side in ssh_config):

  GSSAPIAuthentication no

FIXME On recent Linux versions, also check the drop-in files in /etc/ssh/sshd_config.d/: they are included at the top of sshd_config and, since the first value of a keyword wins, they override what is set later in the main file.

aix/aix_ssh_howto.txt · Last modified: 2025/01/15 23:25 by manu