Please login or register. August 20, 2019, 03:05:33 AM

Author Topic: openssh 6.7p1 for AIX 5.3 and AIX 6.1  (Read 5330 times)

0 Members and 1 Guest are viewing this topic.

Michael

  • Administrator
  • Hero Member
  • *****
  • Posts: 1139
  • Karma: +0/-0
openssh 6.7p1 for AIX 5.3 and AIX 6.1
« on: January 27, 2015, 05:09:29 PM »
Read the article here - but basically, the latest version of openSSH packaged for AIX is here.

This is packaged to exist side-by-side with IBM provided openssh.

AIXTools openssh is in
Code: [Select]
/opt/bin while AIX package lives in
Code: [Select]
/usr/bin.

Michael

  • Administrator
  • Hero Member
  • *****
  • Posts: 1139
  • Karma: +0/-0
Re: openssh 6.7p1 for AIX 5.3 and AIX 6.1
« Reply #1 on: January 29, 2015, 03:16:56 PM »
I was checking whether this could be used as a replacement for the IBM packaged openssh and the answer is yes.

You will need to make a few adjustments however, especially when depending on/using older versions of ssh/putty/rsync. First, get it to point at the existing ssh and sshd config files (aixtools.openssh uses /var/openssh/etc rather than /etc/ssh)
Code: [Select]
# cd /var/openssh
# mv etc etc.orig
# ln -s /etc/ssh etc
# /opt/sbin/sshd -d -4

Here is the connect info when using an old version of PUTTY - AFTER I have found out what needed to be changed
Code: [Select]
debug1: no match: PuTTY_Release_0.58
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7
debug1: permanently_set_uid: 202/201 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: client->server aes256-cbc hmac-sha1 none [preauth]
debug1: kex: server->client aes256-cbc hmac-sha1 none [preauth]
debug1: expecting SSH2_MSG_KEXDH_INIT [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]

The happy line here is the last one - KEX - Key Exchange - done. Now the communication is encrypted and the connection continues.

BEFORE the corrections I was getting something like this:
Code: [Select]
debug1: no match: PuTTY_Release_0.58
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7
debug1: permanently_set_uid: 202/201 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
no matching cipher found: client aes256-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,rijndael192-cbc,aes128-cbc,rijndael128-cbc,blowfish-cbc,3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com [preau
th]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: Killing privsep child 5046412

However - when I first tried my favorite ssh program (from 2001-2002) I could not connect. I decided to start testing with putty - which turns out to also be quite old (version 0.58 from 2007)

First attempt was not 'happy'
Code: [Select]
debug1: no match: PuTTY_Release_0.58
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7
debug1: permanently_set_uid: 202/201 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
no matching cipher found: client aes256-cbc,rijndael256-cbc,rijndael-cbc@lysator
.liu.se,aes192-cbc,rijndael192-cbc,aes128-cbc,rijndael128-cbc,blowfish-cbc,3des-
cbc server aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com [preau
th]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: Killing privsep child 5177382

I was worried that maybe the sshd program was broken - despite having passed all tests during the build. Trying from another AIX host with standard ssh as well as downloading the latest putty (v0.63) confirmed that it was working. Just not with old versions.

We are all aware of the news from last year with BLEAD and POODLE that we need to be careful. I was thinking it might be something like that - but I would still love to keep using my old/ancient programs at home.

The diagnosis: starting with openssh-6.7 the CBC ciphers have been removed due to their weakness compared to the CTR ciphers (see
Vulnerability Note VU#958563 SSH CBC vulnerability[url]. Further searching gave me this hint: add
Code: [Select]
ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc to /etc/ssh/sshd_config

Once I had done that putty-0.58 worked fine, but my older program still refused. Now I was getting:
Code: [Select]
debug1: no match: 3.2.9 SSH Secure Shell for Windows
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7
debug1: permanently_set_uid: 202/201 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: client->server aes128-cbc hmac-sha1 none [preauth]
debug1: kex: server->client aes128-cbc hmac-sha1 none [preauth]
Unable to negotiate a key exchange method [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: Killing privsep child 4980960

I was blind to the wall of text - later I noticed the actual message:
Code: [Select]
Unable to negotiate a key exchange method [preauth]
Re-reading the man page for sshd_config I saw there is a paragraph on
Code: [Select]
KexAlgorithms
               Specifies the available KEX (Key Exchange) algorithms.
               Multiple algorithms must be comma-separated.  The
               supported algorithms are:

               curve25519-sha256@libssh.org

               diffie-hellman-group1-sha1
After adding
Code: [Select]
kexalgorithms diffie-hellman-group1-sha1 to /etc/ssh/sshd_config now all my programs (and I) are happy.

Now my /etc/ssh/sshd_config has this 'snippet'
Code: [Select]
#LogLevel INFO

# Authentication:

ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc

# Macs hmac-md5,hmac-sha1

kexalgorithms diffie-hellman-group1-sha1


#LoginGraceTime 2m

In short, I am sure this package can be used to replace IBM ssh. The last bits I leave to you - or ask if you wish! Basically, remove the IBM openssh and then either add ssh to /etc/inetd.conf - OR - use the command mkssys to add the new program into SRC control.