Deutsche Bank
SSH Installation & Configuration
Version 1.0.0
16 February, 2016
Internal Use Only
Service Level 2 – Unix AIX
© Deutsche Bank AG, February 2016
This document is confidential and for internal use only. The information contained herein is the property of Deutsche Bank AG and may not be copied, used or disclosed in whole or in part, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) without the prior written permission of Deutsche Bank AG.

Service Level 2 Unix AIX

Introduction
This document is for use by Service Level Two staff and details the installation and configuration steps required to implement ssh1. The document is split into four sections:
1) Unix server installation/configuration.
2) Unix client installation/configuration.
3) PC client installation/configuration.
4) PC client use with Exceed.

Unix Server Installation/Configuration
1) Download the ssh1 package from http://www.infosec.db.com/engineering/unix_tools and install it via the platform-specific installation utility (e.g. installp, pkgadd etc.). The installation should automatically configure the sshd server daemon and start it up, and the following files should have been created:
a) /etc/ssh_config        # Text file containing client configuration options.
b) /etc/sshd_config       # Text file containing server configuration options.
c) /etc/ssh_host_key      # Binary file containing the private key for this host (readable by root only).
d) /etc/ssh_host_key.pub  # Text file containing the public key for this host.
e) /etc/ssh_random_seed   # Binary file containing the seed value used to generate keys.
If these files are not present you will have to re-run the configuration utility to generate them. This can be done from the command line via ...
# /usr/db/ssh/conf/post.sh
If all files are present you can invoke the sshd server daemon from the command line via ...
# /usr/db/ssh/sbin/sshd
2) Since the Deutsche Bank supplied ssh package is not installed into the standard PATH environment it will be necessary to create a number of symbolic links to ensure that all components of the package can function correctly. Perform the following tasks in order to achieve this:
# ln -s /usr/db/ssh/bin/scp /usr/bin/scp
# ln -s /usr/db/ssh/bin/ssh /usr/bin/ssh
# ln -s /usr/db/ssh/bin/ssh-add /usr/bin/ssh-add
# ln -s /usr/db/ssh/bin/ssh-agent /usr/bin/ssh-agent
# ln -s /usr/db/ssh/bin/ssh-askpass /usr/bin/ssh-askpass
# ln -s /usr/db/ssh/bin/ssh-keygen /usr/bin/ssh-keygen
3) Optionally, you might like to tailor the /etc/ssh_config and /etc/sshd_config files to provide additional functionality or to restrict the functionality of the ssh components. If you do this, don't forget to stop and restart the sshd daemon so that the new settings take effect.

Unix Client Installation/Configuration
The ssh client will have been installed along with the server if the previous steps have been carried out. If you only have the client binary you are advised to obtain the complete package and install it before continuing. Also ensure that the sshd daemon is in fact running on the remote system(s) that you wish to contact.
The ssh1 client programs (ssh and scp) can authenticate with either password prompting or RSA public/private key pairs, or indeed a mixture of both. In all cases the password travels inside the encrypted ssh connection; it is never sent as clear text over the network. To use plain password prompting you can simply invoke the ssh1 clients like so ...
$ ssh -l username host.fully.qualified.domain command
$ scp /local_file user@host.fully.qualified.domain:/remote_file
NOTE! ssh and scp are the ssh equivalents of rsh and rcp and take the same form of arguments.
If you want to use RSA key authentication you will need to perform the following tasks at the various hosts:
On the client machine ...
1) Run ssh-keygen to generate the identity and identity.pub private and public keys respectively.
These will be created in your ~/.ssh directory. When the keys are generated you can optionally specify a passphrase, which is used to encrypt the private key (identity) on disk; the public key is never encrypted. If you don't want to be prompted for a passphrase just press enter at this stage, but bear in mind that an unencrypted private key can be used by anyone who can read the file.
2) You must set 0700 permissions on ~/.ssh and 0600 permissions on ~/.ssh/*, otherwise authentication will fail.
On the remote machine ...
3) Copy your public key identity.pub to the remote host that you want to access and append it to ~/.ssh/authorized_keys, again making sure that permissions are 0700 and 0600 on the directory and file(s) respectively.
4) Establish your connection with the remote machine as in the examples above, only this time the authentication method will be RSA. If you did not specify a passphrase in the key generation phase you will not be prompted for anything; if you did, you will be prompted for the passphrase of your local private key rather than for your password on the remote host.
In essence, it's just like having the usual remote ~/.rhosts file (~/.ssh/authorized_keys plays the same role) but you also have a local private key file (~/.ssh/identity) as well.

PC Client Installation/Configuration
There are a number of client packages for ssh1 and, depending on what you would like to do, you might be advised to use a specific package. For Windows 9x/NT I would suggest the use of the freeware package 'Tera Term Pro' which can be downloaded from the following source:
http://ftp.cs.stanford.edu/pub/ttssh/current.zip
Tera Term with the TTSSH add-on would appear to be a very useful package. It has a Windows GUI to establish an ssh connection with a remote host and it also allows for tunneling of X11 via the ssh connection. It has file transfer capabilities of Kermit, Xmodem, Zmodem, B-Plus and Quick-VAN, and Xmodem can be quite easily implemented on AIX by installing the bos.net.ate lpp.
To install the Tera Term Pro client software, create an installation directory, e.g.
C:\> mkdir "C:\Program Files\Ttermpro"
Then unzip the current.zip file to the target directory.
You might like to create a shortcut to the 'ttssh.exe' binary or alternatively add a menu item to refer to it. Next, you will need to configure Tera Term for the services that you require. To do this, launch the client program and cancel the 'New Connection' dialog box.
1) Select 'Setup->SSH' and order the ciphers as follows: 3DES, DES, BLOWFISH. Disable IDEA and RC4 by placing them below the '<ciphers below this line are disabled>' line. Note that DES, with its 56-bit key, is the weakest cipher left enabled; keep it only for servers that offer nothing stronger.
2) Select 'Setup->SSH Authentication' and define the username and authentication method to be used. Use 'Plain password' (a misnomer, since the password is actually sent inside the encrypted ssh connection) if you don't have an RSA key; use 'RSA' if you have a private/public key pair generated by the ssh-keygen program; use 'Rhosts' if you have a host private/public key pair, which will also have been generated by the ssh-keygen program.
3) Select 'Setup->SSH Forwarding' and check the box for X11 if you intend to tunnel X via this ssh connection. You can also use port forwarding for other connections that you might want to access.
4) Select 'Setup->TCP/IP' and add a list of hosts that you might wish to connect to via this ssh connection, making sure that you connect to port 22. You might also want to remove all other definitions so as to make it clear which connections are available.
5) Select 'Setup->General' and make sure that the default port is set to TCP/IP and that the language reflects your own personal preference.
6) Select 'Setup->Save Setup' and save your preferences to your desired location. The default file is 'teraterm.ini', which is located in the install directory.
Close down the application and restart it, this time establishing a connection to the desired host.
NOTE! If you want to use RSA authentication, refer to steps 3 & 4 from the 'Unix Client Installation/Configuration' section.
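The NOTE above points back to the Unix-side steps. The following script is an added example written for this page; it is not part of the Deutsche Bank ssh1 package or of Tera Term. It checks the five server files from Unix Server step 1 (including that the host private key and random seed are readable by their owner only), audits sshd_config for risky settings that the tailoring in step 3 might leave enabled, and performs Unix Client steps 2 and 3 (~/.ssh at 0700, the public key appended exactly once to authorized_keys, files at 0600). The sshd_config keyword names are those of the ssh1 sshd_config format; the script name and the sample public key line used when trying it out are assumptions. Every function takes its directory or file as a parameter, so it can be run against a scratch tree before being pointed at /etc or a user's ~/.ssh.

```shell
#!/bin/sh
# Added example; not part of the Deutsche Bank ssh1 package or of Tera Term.
# Shell checks for the Unix-side steps referred to above:
#   check_ssh_etc          - Unix Server step 1: the five /etc files exist and
#                            the host private key and random seed are owner-only.
#   audit_sshd_config      - Unix Server step 3: flag sshd_config settings that
#                            widen the attack surface (keyword names as used in
#                            the ssh1 sshd_config format).
#   install_authorized_key - Unix Client steps 2 and 3: ~/.ssh at 0700, the
#                            public key appended once to authorized_keys, 0600.
# Directories and files are parameters so the checks can be run against a
# staging tree as well as against the live /etc and ~/.ssh.

# 0 if FILE has no group or other permission bits at all. Characters 5-10 of
# the ls -l mode string are those bits; parsed from ls because AIX has no
# GNU stat.
mode_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Returns 1 (and prints one line per problem) if any expected file is missing
# or either secret file is readable by group/other.
check_ssh_etc() {
    etc=$1 rc=0
    for f in ssh_config sshd_config ssh_host_key ssh_host_key.pub ssh_random_seed; do
        if [ ! -f "$etc/$f" ]; then
            echo "missing: $etc/$f" >&2; rc=1
        fi
    done
    # The private host key and the seed are secrets: 0600, owned by root.
    for f in ssh_host_key ssh_random_seed; do
        if [ -f "$etc/$f" ] && ! mode_is_private "$etc/$f"; then
            echo "too permissive (want 0600): $etc/$f" >&2; rc=1
        fi
    done
    return $rc
}

# Prints one line per risky setting found in CFG and returns 1 if any was
# found. Commented-out lines are ignored because the keyword must start the line.
audit_sshd_config() {
    cfg=$1 rc=0
    for kv in PermitRootLogin=yes PermitEmptyPasswords=yes \
              RhostsAuthentication=yes StrictModes=no IgnoreRhosts=no; do
        key=${kv%=*} val=${kv#*=}
        if grep -i "^[[:space:]]*$key[[:space:]][[:space:]]*$val" "$cfg" >/dev/null; then
            echo "sshd_config: $key $val" >&2; rc=1
        fi
    done
    return $rc
}

# PUBKEY is the identity.pub copied from the client; SSHDIR is the remote
# user's ~/.ssh. Safe to re-run: the key is appended only if that exact
# line is not already present (-x whole line, -F literal match).
install_authorized_key() {
    pubkey=$1 sshdir=$2
    [ -d "$sshdir" ] || mkdir "$sshdir" || return 1
    chmod 700 "$sshdir"
    auth=$sshdir/authorized_keys
    [ -f "$auth" ] || : > "$auth"
    if ! grep -x -F "$(cat "$pubkey")" "$auth" >/dev/null; then
        cat "$pubkey" >> "$auth"
    fi
    chmod 600 "$sshdir"/*
}
```

Source the file into a root shell (the file name ssh1_checks.sh is an assumption) and run check_ssh_etc /etc followed by audit_sshd_config /etc/sshd_config after the package install; on the remote host, run install_authorized_key with the copied identity.pub and the target user's ~/.ssh as the user in question. A non-zero return from either check means the installation is not yet in the state steps 1 to 3 require.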
Once connected and having satisfied the login authentication requirements you will in effect have a terminal emulation window. If you are forwarding X through TTSSH and your local X server is started you can launch X client applications, which will be displayed at your local host. Please note that there is no need to set up your DISPLAY environment variable or xhost/xauth authentication, as this is all done automatically for you.
NOTE! If you do not have a full XDM or CDE X session to a Unix host (which would imply that your local X server is already running) you will need to configure and run a local X server in passive mode for remote X clients to attach to. This can be done quite easily and instructions on how to do so can be found below.

File Transfer
As mentioned above, file transfer can be achieved by several different mechanisms built into Tera Term. The Xmodem protocol is supported on AIX and I would suggest that this method be used, however the choice is yours. To use Xmodem is quite simple.
From the terminal window at the Unix end:
$ xmodem -s <filename>      # To send a file
$ xmodem -r <filename>      # To receive a file
At the PC end, via the Tera Term menu:
Select 'File->Transfer->Xmodem->Receive' and type in the filename in the dialog box or use the 'Browse' facility.
Select 'File->Transfer->Xmodem->Send' and type in the filename in the dialog box or again use the 'Browse' facility.
The file transfer progress will be displayed.

PC Client Use with Exceed
If you are not running a full XDM or CDE session from a remote server to your local PC then it is most likely that you will not have a local X server running. In order for remote X clients to be displayed on your PC screen an X server must be running. The following details how to configure Exceed to run a passive X server that will enable remote clients to connect and be displayed as required.
Create a file called 'passive.ses' containing the following stanzas:
[Xsession]
Desc=
Interval=2
Count=0
RunXServ=1
StartUp Menu=1

[Server]
Window=2
Startup=1
ReStart=1
Host=
Configuration File=

Next, create a shortcut with the following properties:
Target:       "C:\Program Files\Exceed\Xsession.exe" {Path-to}\passive.ses
Start in:     "C:\Program Files\Exceed"
Shortcut key: None
Run:          Minimised

Now you can launch the passive local X server via the shortcut.