[SargentSpang]

I use the latest openssl from the Linux toolkit, currently 0.9.7g and openssh fromt he Sourceforge openssh on AIX project, version 4.1. Both of these appear to be very stale and have had no update for some time (a year or so I think) and there are vulnerabilities about fixed in later openssl/openssh releases.

What does everyone do ssh wise at their shops? Do you compile or do you purchase a third party solution or, like me, wait for IBM to update the openssl in the toolkit and whoever looks after the sourceforge project to release a new compile??

Thanks,

Sam

[alexisl]

I wait for IBM, mostly because I don't know of any needed upgrades unless they tell me, even then it may not directly apply to me (I am not in a clustered environment). Sometimes even if they have an upgrade it is good to wait, as was the case with TL5 and us Oracle users (still haven't upgraded to TL5 because I am not sure if they have everything fixed with the patch). I am just trying not to make my job turn into a nightmare, which can happen very quickly around here.

[steevojb]

Hi There

I use the latest from the AIX toolbox (openssl) and SSH from the AIX install CD's (these are updated with ML/TL levels)

openssl-0.9.7g-1

openssh.base.client 4.1.0.5300 COMMITTED Open Secure Shell Commands
openssh.base.server 4.1.0.5300 COMMITTED Open Secure Shell Server

Unless I receive notification of a specific issue or experience problems, they stay at the level when installed.

HTH

Steve

[rzs0502]

I've always preferred Darren Tuckers OpenSSH for AIX:
Darren Tucker's OpenSSH Page

Latest release is openssh-4.3p2-1

I used to use the Sourceforge project's package but found that it ignores AIX's rlogin=false setting.
The workaround is change the sshd_config's PermitRootLogin = No

[capeme]

Is there anyway around the need to generate a key and still use ssh?
If not, do you generate it as root?

[pedz]

I always compile my own stuff. So, now you have about five replies each with a different approach.

If you make it yourself, the make file has something to create the key file. I've always done it root but I don't think it matters as long as you can put them in the right place(s).

[capeme]

Does any one actualy know if you can get around generating a key nad still be able to use ssh?? Be able to get aroudn the password request??maybe make it automatic???

[pedz]

I'm not clear what you are wanting here.

I'm going to guess that you are trying to ssh from host A to host B (but if that is not really your question, please give us more details of what you want to do).

There are a couple of options.

1) When you do the ssh-keygen to create your public and private key, you do not have to give a password. If you do not, then it will not ask you for the password to access you private keys. (Your public keys are public). I have personally never tried this. So I may be all wet but that is my interpretation of the man pages.

2) You can use ssh-agent. You start ssh-agent up and it detachs. Then you add keys to the agent. When you ssh from host A to host B, instead of asking you for the password, ssh asks the agent. I have a shell function. (I happen to use bash, but you can do the same type of thing with ksh.) In the function I look for ~/.ssh/ssh-agent. If it is there, I read it. Then I do a kill -0 of the ssh agent pid. The kill will return without an error if the process is still alive and it will error off it the process is dead. If it is dead, I start up ssh-agent and then call ssh-add.

I can help more if you need details or you can look at ssh-keygen, ssh-agent, and ssh-add.

Hope this helps

[capeme]

yes I am going from host a to host b via ssh and am trying to learn if there is a way to get around having to gen a key at all. I want to script this process and want to use ssh.

[pedz]

Somehow you have to get host b to trust host a. ssh and sshd can use /etc/hosts.equiv and ~/.rhosts just like rlogin. But you still have the problem of getting these in place before you run your script. I have not used this method. You might need to generate the host keys but I'm not sure of that either.

I see in my sshd_config file an option named PermitEmptyPasswords. If it is an option to set up an initial account with no password, you might explore that path as well.

Also, it might be better to ask this on a ssh specific forum or mailing list.

If you want, send me a private message with your email address and we can collaborate quicker that way. I still have more questions as to what and why you are trying to do.