Adams Systems Consultancy (Posts about SSH)

Using a Yubikey for AIX SSH login

Russell Adams — Fri, 15 Jan 2021 14:05:57 GMT

Yubikeys offer a highly secure method for managing your SSH key for logging into AIX. SSH keys are much stronger than passwords, but like passwords they must be protected. A Yubikey provides a superior method to securely store SSH private key material in a physical token and can mitigate common attacks on SSH agents.

Using SSH instead of su and sudo

Russell Adams — Tue, 29 Dec 2020 12:10:19 GMT

There are several ways to become root or another user in AIX. The most common is via su, and the second is via the open source sudo program. I recommend a third method, SSH to localhost.

AIX SFTP Best Practices

Russell Adams — Tue, 29 Dec 2020 11:30:59 GMT

SFTP is a functional part of SSH which replaces the behavior of FTP in a secure fashion. This is great on AIX for transferring files, batch job uploads and downloads, and much more secure using SSL on the wire and with a variety of authentication options.

Unfortunately when left in the default configuration, the SSH server on AIX allows all users to use SFTP to access any files on the system (subject to filesystem permissions). It's common to see my customers be surprised when an unprivileged application account can SFTP in with WINSCP and browse their entire systems.

AIX SSH Best Practices

Russell Adams — Tue, 22 Dec 2020 20:31:08 GMT

In recent years insecure and unencrypted protocols have been deprecated because they pose an unacceptable security risk on any network.

For daily usage systems administrators should use SSH to connect to AIX. SSH is encrypted on the wire and supports additional options for using secure keys instead of simple passwords. It completely replaces telnet and ftp, and all of the rsh tools.

IBM ships and supports their own OpenSSH compiled for AIX. I intend to review settings which should be configured in order to be secure.