July 06, 2015
OpenSSH with LibreSSL is now available. I have tested LibreSSH on AIX 5.3 TL7, AIX 6.1 TL7 and AIX 7.1 TL3 and it works on all of them. The starting point in each case is that openssl.base and openssh.base were also installed. The special behavior is that aixtools.libressl.openssh copies the config files and keys from /etc/ssh to /var/openssh/etc and "downgrades" the ciphers and Key Exchange Algorithms (KexAlgorithms) so that they are equivalent (more on that later). This is to be sure you have connectivity with your current clients after installation. Note: the SRC subsystem for sshd is also modified to start "LibreSSH".
root@x065:[/]lslpp -L | grep ssh
openssh.base.client 18.104.22.16801 C F Open Secure Shell Commands
openssh.base.server 22.214.171.12401 C F Open Secure Shell Server
root@x065:[/]lslpp -L aixtools.libressl.openssh.rte
Fileset Level State Type Description (Uninstaller)
126.96.36.1991 C F 1525 0623 1416
Note the release (vrmf) number. The original openssh-6.8p1 was linked to an unofficial version of LibreSSL (v2.1.6) as aixtools.libressl.openssh 188.8.131.521. I left the 1601 part "as is" - with the 16 representing the letter 'p' as the 16th letter of the alphabet and the 01 as the '1'. In short, 'p1' becomes '1601'. So the number I felt most at ease with updating was the remaining '0' (zero) to signify that it needs the newest LibreSSL.
Back to ciphers: For years, the default ciphers have included the so-called 'cbc' ciphers. CBC is Cipher Block Chaining
and has been in the news recently as part of the problem with POODLE
. The short message is CBC ciphers and SSL3/TLS1.0/TLS1.1 need to go.
Starting with the release of OpenSSH-6.7p1 the OpenSSH developers at openbsd.org did the following
"Changes since OpenSSH 6.6
Potentially incompatible changes
* sshd(8): The default set of ciphers and MACs has been altered to
remove unsafe algorithms. In particular, CBC ciphers and arcfour*
are disabled by default.
The full set of algorithms remains available if configured
explicitly via the Ciphers and MACs sshd_config options.
I have a very old client - and so I experienced the "potential" right away. Specifically, I added the following to "sshd_config" to support my old client while I look for a new client that works as nicely as my old one from ssh.com when they still provided software to the general public (now only, sadly, B2B):
######### Add old ciphers to support AIX at version 6.0 and lower #############
# The dafaults starting with OpenSSH 6.7 are:
# older clients may need an older cipher, e.g.
# ciphers aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,arcfour
# KEX Key Exchange algorithms
# default from openssh 6.7 are:
# firstname.lastname@example.org,diffie-hellman-group-exchange-sha256,# diffie-he
# an older kex are: none,KexAlgorithms diffie-hellman-group1-sha1
I hope you will give these new versions a test drive - maybe even removing the additional lines that restore the old default behavior.
And if you leave the AIX version installed, and uninstall what I am calling "LibreSSH," it will restore the old SRC sshd settings!
Where? Thought you would never ask!
LibreSSL is at: http://www.aixtools.net/index.php/libreSSL
LibreSSH is at: http://www.aixtools.net/index.php/libreSSH
Posted July 06, 2015 | Permalink