OpenSSH-5.0, which supports tcp-wrapper, is now available for download for AIX 5.3 and AIX 6.1. The prerequisite OpenSSL is available for download at: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp.
AIX 5.3:
----------
Release : openssh-5.0_r2
File : openssh-5.0_tcpwrap.tar.Z
AIX 6.1:
----------
Release : openssh-5.0_r2
File : openssh-5.0-aix61_tcpwrap.tar.Z
OpenSSH 4.7 is now available for download for AIX 5.2, 5.3 and 6.1. The prerequisite OpenSSL is available for download at:
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp
OpenSSL is the prerequisite for OpenSSH. You can download OpenSSL from the following site:
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp
This includes the security bug fix, auditing in ssh, and the chroot feature. Check the README.txt that comes along with this tar file.
The installp images include changes for the following:
1) The 4.5p1 version of the code from http://www.openssh.org
2) Optional Kerberos V authentication support
3) National Language Support (NLS) enablement
4) NLS translated message catalogue images
This version of OpenSSH is compiled with OpenSSL 0.9.8d, which is available as an installp package on the AIX media. It will soon be made available on the IBM website so that users can download it.
The installp images include changes for the following:
1) The 4.5p1 version of the code from http://www.openssh.org
2) Optional Kerberos V authentication support
3) National Language Support (NLS) enablement
4) NLS translated message catalogue images
OpenSSH 4.3p2 for AIX is affected by two remotely exploitable denial of service vulnerabilities. First, CVE-2006-4924 allows a remote attacker to cause CPU consumption when sshd is configured to allow the SSH version 1 protocol. Second, CVE-2006-5051 allows a remote attacker to cause sshd to crash. If sshd is configured to allow GSSAPI based authentication, the attacker may execute arbitrary code. This fileset includes fixes for the above vulnerabilities....
The installp images include changes for the following:
1) The 4.3p2 version of the code from http://www.openssh.org
2) Optional Kerberos V authentication support
3) National Language Support (NLS) enablement
4) NLS translated message catalogue images
The installp images include changes for the following:
1) The 4.1p1 version of the code from http://www.openssh.org
2) Optional Kerberos V authentication support
3) National Language Support (NLS) enablement
4) NLS translated message catalogue images
Before using OpenSSH, you will need the OpenSSL cryptographic library on your system. You can download the rpm image for the OpenSSL library from: https://www6.software.ibm.com/dl/aixtbx/aixtbx-i?S_PKG=dlaixww&S_TACT=&S_CMP= (quick, 3-minute registration is required).
The installp images include changes for the following:
1) The 3.8.1p1 version of the code from http://www.openssh.org
2) Optional Kerberos V authentication support
3) National Language Support (NLS) enablement
4) NLS translated message catalogue images
OpenSSH 3.8.1p1 binaries are now available for AIX 5.1, 5.2 & 5.3. This release contains the source code patches to the www.openssh.org code to add:
1. Optional Kerberos V authentication support
2. National Language Support (NLS) enablement
3. NLS translated message catalogue images
4. Fix for "logout" on ssh: With this version of openssh, you will be able to use "logout" to exit from the ssh login shell. You need to set "UsePrivilegeSeparation= No" in the sshd_config file....
OpenSSH 3.7.1p2 binaries are now available for AIX 5.1 & 5.2. This release contains the source code patches to the www.openssh.org code to add:
- National Language Support (NLS) enablement
- Darren Tucker's password expiry patch
- Optional Kerberos V authentication
In order to protect against the scenario described in CERT advisory TA04-078A, we recommend you install OpenSSL version 0.9.6m or later on your systems. For more information on this advisory, go to:
http://www.us-cert.gov/cas/techalerts/TA04-078A.html
You can get the newest OpenSSL images at
https://www6.software.ibm.com/dl/aixtbx/aixtbx-i?S_PKG=dlaixww&S_TACT=&S_CMP=
Note: The rpm images for OpenSSL on AIX 4.3.3 are no longer maintained. To use the most recent version of OpenSSL, be sure to download the OpenSSL rpm images for AIX 5.1. The AIX 5.1 rpm image will work on all levels of AIX that are 5.1 and higher.
The installp images include changes for the following:
1) The 3.6.1p2 version of the code from http://www.openssh.org
2) Darren Tucker patched functionality for password expiry
3) Optional Kerberos V authentication support
4) National Language Support (NLS) enablement
5) NLS translated message catalogue images
6) Pluggable Authentication Module (PAM) was NOT compiled into the 3.6 version of the images
7) Use of /dev/urandom for entropy (for the AIX 5.2 images)...
A new CERT advisory (CA-2003-26) was issued for OpenSSL on 10/1/2003. For more info on the vulnerability, go to http://www.cert.org/advisories/CA-2003-26.html
Versions 3.5 and higher of OpenSSH no longer import the ASN.1 algorithm from OpenSSL, which is the source of the OpenSSL vulnerability. If you are using OpenSSH 3.5 or higher, you are safe from this vulnerability.
The Portable OpenSSH developers announced on 9/23/2003 that there are several vulnerabilities in the PAM code for OpenSSH versions 3.7.1p1 and below. The images from this website, however, are not compiled with PAM enabled and are not vulnerable.
For more information on the Portable OpenSSH security advisory (sshpam.adv), go to:
http://www.openssh.com/txt/sshpam.adv
Images that have been patched against CERT vulnerability CA-2003-24, known as the "OpenSSH buffer management bug" (announced on 9/16/2003 and revised on 9/17/2003), are now available for AIX 5.1 and AIX 5.2. The names of these images are:
openssh361p2_51_patch.tar.Z, and
openssh361p2_52_patch.tar.Z, respectively.
These images are built with the Open Source code for version 3.6.1p2 of OpenSSH.
OpenSSH 3.6.1p2 binaries are now available for AIX 5.1 & 5.2. This release contains the source code patches to the www.openssh.org code to add:
1) National Language Support (NLS) enablement
2) Optional Kerberos V authentication
Note: Simon Wilkinson's GSSAPI patch will need to be applied before 3.6.1p2_kerb.tar.Z
The installp images include changes for the following:
1) The 3.6.1p2 version of the code from http://www.openssh.org
2) Darren Tucker patched functionality for password expiry
3) Optional Kerberos V authentication support
4) National Language Support (NLS) enablement
5) NLS translated message catalogue images
6) Pluggable Authentication Module (PAM) was NOT compiled into the 3.6 version of the images
7) Use of /dev/urandom for entropy...
The installp images include changes for the following:
1) The 3.6.1p2 version of the code from http://www.openssh.org
2) Darren Tucker patched functionality for password expiry
3) Optional Kerberos V authentication support
4) National Language Support (NLS) enablement
5) NLS translated message catalogue images
UPDATE: Darren Tucker's patch for the display of /etc/nologin is now included in version 3.6.1p2 in the install package named "openssh361p2_51_nologin.tar.Z"
This vulnerability pertains to "remote client address restriction circumvention" included in releases up to (and including) 3.6.1.
The AIX version of the code is from openssh.org. The vendor recommendation is the following:
Enable 'VerifyReverseMapping' on the sshd server.
In our estimation, this vulnerability does not pose an imminent threat; however, it permits a greater-than-expected level of access to a security control in your infrastructure....
The images available from this website are not vulnerable. See the following from the mailing list.
----------------------------------------------------------------------
<openssh-unix-dev@mindrot.org> , <openssh-unix-announce@mindrot.org>
1. Systems affected:
Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected
if OpenSSH was compiled using a non-AIX compiler (e.g. gcc)....
OpenSSL recently made security advisory announcements (Klima-Pokorny-Rosa & timing attacks in the RSA Blinding - see http://www.openssl.org). If you are using the AIX Toolbox build of the OpenSSL image, it is recommended that you visit the AIX Toolbox 'cryptographic content' site at:
http://www6.software.ibm.com/dl/aixtbx/aixtbx-p
and update to the latest images, 0.9.6g-3.
The 0.9.6g-3 images on this site represent the 0.9.6g OpenSSL image PLUS the patches for the security exposures.
OpenSSL recently made a security advisory announcement (see www.openssl.org).
If you are using the AIX Toolbox build of the OpenSSL image, it is recommended that you visit the AIX Toolbox "cryptographic content" site at:
http://www6.software.ibm.com/dl/aixtbx/aixtbx-p
and update to the 0.9.6g images there.
The 0.9.6g image on this site represents the 0.9.6g OpenSSL image PLUS
the patch for the security exposure. In other words, although the version
number does not match the very latest available 0.9.6i or 0.9.7a levels
seen on openssl.org, the security patch itself has been included in the
Toolbox 0.9.6g image.