AIX SSH Best Practices

In recent years insecure and unencrypted protocols have been deprecated because they pose an unacceptable security risk on any network.

For daily usage systems administrators should use SSH to connect to AIX. SSH is encrypted on the wire and supports additional options for using secure keys instead of simple passwords. It completely replaces telnet and ftp, and all of the rsh tools.

IBM ships and supports their own OpenSSH compiled for AIX. I intend to review settings which should be configured in order to be secure.

Disable insecure services

I always recommend to my customers that any unused services be disabled in /etc/inetd.conf, this includes telnet and ftp. Remember that even if there was a problem with network services, the administrator can still login as root on the system console via HMC. There is little threat of being locked out.

All insecure services can be disabled with one command:

cat /etc/inetd.conf | awk '/^[^#]/ {print "chsubserver -d -v",$1,"-p",$3}'

This will print a series of commands to disable all the (insecure) services that are still enabled. The commands can be copied and pasted into a script to run, or piped to sh -xe. Then be sure to refresh inetd with refresh -s inetd.

Alternatively consider not running inetd at all. A typical AIX system with only secure services will disable everything inetd runs! This can be disabled and the running daemon stopped with a single undocumented command:

chrctcp -S -d inetd

This stops the service and edits /etc/rc.tcpip to comment out the command to launch inetd during startup.

Methods for testing SSH changes

All of the key files for SSH are in /etc/ssh/. These are included in mksysb backups and include sensitive files like your host keys which identify the system to SSH clients. I recommend making copies of the configuration files while making changes, and then testing those changes with a second SSH daemon.

As a reference, the original sshd configuration file is stored in /usr/lpp/openssh.base/inst_root/etc/ssh/sshd_config.

So let's start with a making a copy of the sshd configuration to test with as root:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.test

Now we can edit /etc/ssh/sshd_config.test without interrupting users who are logged in. After editing the copied configuration file, we can test the changes at the command line:

/usr/sbin/sshd -t -f /etc/ssh/sshd_config.test

That will confirm that the configuration is valid and contains no major errors. With that working updated configuration, we can launch a second sshd on a separate port for testing. I chose 2022, but any open port will do:

/usr/sbin/sshd -D -d -f /etc/ssh/sshd_config.test -p 2022

Here the sshd will launch in the foreground and wait for a single connection. It will log to the screen details of the connection, and will not return to the command prompt until after the connection is closed.

This allows you to test changes made to the ssh configuration. Login with your preferred SSH client and make sure to use the different port. If you need to make multiple attempts to connect, you'll have to restart the second sshd after each one.

Once the changes are confirmed, we should make a backup of the running sshd configuration and copy in the new. Finally we can restart the system sshd with the new configuration:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.$(date +%Y%m%d_%H%M)

cp /etc/ssh/sshd_config.test /etc/ssh/sshd_config

stopsrc -s sshd ; sleep 5 ; startsrc -s sshd

It's important to note that this can be done without kicking users off. Typically this is a non-disruptive because each user spawns their own process, and we are restarting the main sshd which serves the port. The new configuration will apply to new logins.

There is little chance of being locked out. Keep you existing login open while you test. If there is a problem, login on the system console via the HMC.

Locking down the SSH configuration

The following are a list of options that are important to consider in your SSH configuration on AIX. These options are not disabled by default, and I recommend turning them off. They strongly apply to environments with applications requiring users to login via SSH.

AllowAgentForwarding no

This defaults to yes, and should be disabled by changing to

no. Agent forwarding is used to relay authentication from host to host when performing multiple hops with SSH. Users should not be doing this on an AIX system, though systems administrators might.

AllowTcpForwarding no

This defaults to yes, and should be disabled by changing to

no. TCP forwarding via SSH can allow any SSH user to relay arbitrary ports with the system and is commonly used to bypass firewalls!

PermitRootLogin maybe?

OpenSSH defaults this to no, while IBM sets it to yes. It may be

that root logins must be allowed, and you should carefully consider it in your environment. This can also be set to prohibit-password to allow root login via SSH key only. I recommend setting this to no, and then logging in with an administrator account [1] and becoming root from there.

The following options are enabled by default, and have value in remaining enabled.

PasswordAuthentication yes

Most end users will expect to login with a password. Clearly strong

password policies should be in place. This is the most common way to access the system. If this is disabled, only keys will be used for any login.

PermitEmptyPasswords no

No account should ever allow login without a password. SSH can

enforce that. Even for service accounts, it is insecure to ever allow passwordless authentication into any account.

GatewayPorts no

Do not allow forwarded ports to be opened on any public network

interface. This could be used to bypass firewalls and should be disabled.

X11Forwarding no

This should be disabled unless explicitly needed for X11

applications (ie: Oracle installers). Administrators could have this enabled, but generally it's best left disabled for everyone.

PermitUserEnvironment no

SSH can transmit environment variables to setup during login. This

should not be allowed as it can be a vector for mischief.

PermitTunnel no

Do not enable TUN style packet forwarding. Users should never need

this and it's important to have disabled to prevent bypassing firewalls.

Finally be aware that all Match directives in your SSH configuration must be at the END of the file!

Force SSH users into their application

SSH is a powerful suite of tools, including ssh for login, ssh for running remote commands, scp for copying files, and sftp for FTP style file transfer. If you serve a terminal application for users, you must take extra steps to disable all other features and force the users to login and only use the intended application!

Setting the login profile for the user is not enough. If a user can run a command via ssh, it will bypass their login profile. This is a potential backdoor to allow users a command line instead of being locked into a menu or application!

I recommend locking the users in the main SSH configuration file and in their profile. To do so, in the $HOME/.profile be sure to call exec $APPLICATION. For instance:

# User's .profile, replace this
export DB=Prod
/opt/application/path/appmenu

# With this
export DB=Prod
exec /opt/application/path/appmenu

The exec command causes the shell process to be replaced by the application process, instead of spawning a new process for the application. Spawning a new process could allow the user to potentially return to the shell when the application exits. Often there is additional scripting logic or trap statements to try and prevent returning to the shell prompt. Using exec when the application exits, the user will be immediately disconnected from the system.

Second in the sshd configuration we can specify that the user may only ever run the login shell. This forces them to run the .profile and enter the application. By forcing the command, this prevents remote command execution, scp, and sftp.

The following snippet for /etc/ssh/sshd_config uses the Match directive to match all non-root and non-admin users. The shell syntax is tricky because to make ksh spawn a login shell, you must start it in a process named -ksh. Perl is available on AIX and can accomplish this:

Match User *,!root,!admin
  ForceCommand /usr/bin/perl -e 'exec {"/usr/bin/ksh"} "-ksh"'

Now your users should be able to login to their application, but not exit to a shell prompt, run any remote commands, or transfer files.