Ssh-keygen (Saving the key failed:)

Hi guys,

Has anyone encountered the following error?

1.) all keys and passphrases worked on aix 7.1.2
2.) upgraded to aix 7.1.3sp5
3.) none of the keys / passphrases work anymore.
4.) when generating new keys without passphrase everything is ok.
5.) when generating keys with a passphrase, ssh-keygen fails.
6.) did check all file and directory permissions.
7.) same error with rsa, dsa and ecdsa keys

Generating public/private dsa key pair.
Enter file in which to save the key (//.ssh/id_dsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Saving the key failed: //.ssh/id_dsa.

Any ideas?
Regards

Usually you'd get a line like:

Enter file in which to save the key (/home/mute/.ssh/id_rsa):

So it looks to me like your $HOME is unset and you can't save to //.ssh

I have tried to save it to /tmp as an example. Same issue.

I think it's because he did it under root user.

Did you try to run ssh -vvvv ? It can also help to stop ssh on the server side: stopsrc -s sshd and to run it manually in debug mode: /usr/sbin/sshd -D -ddd to see what happens.

We assume it is root, because //.ssh/* is the same as /.ssh/*

Just to be sure:

the output of the commands:

id
ls -ld /.ssh //.ssh

print HOME: ${HOME}

and, ls -ls ${HOME}/.ssh/id_dsa

FYI: the dsa keys seem to be "the less desired" PKI keys these days. You also want to be sure you have an "rsa" key - of sufficient bits.

and the output of ssh -V will reveal how new/old your installed ssh/ssl software is.

Thanks guys, seems to be a bug in openssl on aix 7.1.3sp5.

where is the output of lslpp -L 'openssl.*' and emgr -l ?

Seems unusual that a save file problem would have anything to do with a library. If the value could not be calculated - perhaps.

And to follow the line of agent.kgb - how about the output of

lslpp -L | grep openss

to get both openssh and openssl.

and do not forget the ifix listing: emgr -l

Hi,

I'm sorry, but I had to revert back to 7.1.2 and am unable to provide any information you guys might need.

The package causing the problem, it seems, was openssl.base 1.0.1.513 on aix 7.1.3.

Currently running openssl.base 0.9.8.2500 on aix 7.1.2.

The openssh version (openssh.base.server 6.0.0.6102) did not change with the upgrade, so it can't be that.

As soon as encryption is applied to the keyfile it fails, which is why it works when no passphrase is added. Also, none of our previously defined keys were working.

When doing a fresh vanilla installation everything works fine, but as soon as you upgrade the currently running version and openssl.base 1.0.1.513 is put back in, the wheels come off.

Take openssl.base 1.0.1.513 out only and put back openssl.base 0.9.8.2500, and everything works fine again.

Thank you anyway.

I wish I had good news for you, but unfortunately you have to upgrade your OpenSSL and OpenSSH to the latest versions. This is the list of security vulnerabilities in your OpenSSL version:


oops, sorry, I think I forgot several more:


your version of OpenSSH is pretty old and has some known security problems too. It is compiled with OpenSSL 0.9.8.x and if you want to use it, you can update OpenSSL to 0.9.8.2505 (I would recommend to do it ASAP), but not to 1.0.1.514.

If I recall correctly, the *.2500 openssl packaging was FIPS certified, so these were not even standard 0.9.8 openssl copies.

As stated before, you need to update both openssl and openssh. I suspect the reason your ssh was not working is because the library yours is using is not the same as the openssl.0.9.8 that is included on openssl-1.0.1.5XX, i.e., it is not FIPS certified.

I will see if I can locate an openssh similar to what you have - but I fear that will be near impossible now. I do have a version of openssh based on openssh-6.9p1, or even openssh-7.1p1 if you are interested.

There are notable differences in the defaults with each new version starting with openssh-6.7p1 - FYI.

nope. there is a special FIPS-certified version based on 0.9.8 and it has numbers like 12.9.8.x

Ouch, that really doesn't sound great.
Although remember that IBM recommends only installing packages that are part of the official service packs. The openssh and openssl packages I mentioned are the ones available in the latest AIX release (aix 7.1.3sp5).

Both openssh and openssl are still not part of the official AIX distribution. The newest version can be downloaded from IBM Web Download pack:

IBM AIX Expansion Pack and Web Download Pack

Hi,

I disagree, it's been part of AIX for ages already.

First of all - my bad re: the FIPS numbering - you are quite right.

re: part of AIX for ages - yes and no - imho. First it was not on the "bos" cd/dvd, later it was. However, even back when AIX 5.3 TL7 was released (openssh-*.4500) ssh and sshd did not link with openssl.base (they had internal, aka static, libraries they linked with).

Once upon a time AIX started releasing a version of OpenSSH that was based on openbsd (who are nice enough to maintain openssh) openssh-6.0p1

Hence on AIX

root@x072:[/]oslevel -s
ssh -V
7100-03-05-1524
root@x072:[/]ssh -V
OpenSSH_6.0p1, OpenSSL 1.0.1e 11 Feb 2013
root@x072:[/]lslpp -L | grep openss
  openssh.base.client     6.0.0.6103    C     F    Open Secure Shell Commands
  openssh.base.server     6.0.0.6103    C     F    Open Secure Shell Server
  openssl.base             1.0.1.513    C     F    Open Secure Socket Layer
  openssl.license          1.0.1.513    C     F    Open Secure Socket License

FYI: openssl.*.1.0.1.514 is the latest one I have seen as an installp. I have not looked for a while for a later one. And I have quite a few versions of openssl (don't you love testing!!)

michael@x071:[/data/prj/AIX/openssl]ls -l                   
total 36
drwxr-xr-x 2 michael felt   4096 Jul 16 13:43 openssl-0.9.8.4
drwxr-xr-x 2 michael felt   4096 Jul 16 13:44 openssl-0.9.8.401-aix52
drwxr-xr-x 2 michael felt   4096 Jul 16 13:55 openssl-0.9.8.410
drwxr-xr-x 2 michael felt   4096 Jul 16 13:46 openssl-0.9.8.411
drwxr-xr-x 2 michael felt   4096 Jul 16 13:47 openssl-0.9.8.600
drwxr-xr-x 2 michael felt   4096 Jul 16 13:48 openssl-0.9.8.601
drwxr-xr-x 4 michael felt   4096 Jul 24 13:20 openssl-0.9.8.XXXX
lrwxrwxrwx 1 root    system   36 Jul 30 10:07 openssl-1.0.1.514 -> openssl-1.0.1.XXXX/openssl-1.0.1.514
drwxr-xr-x 3 michael felt   4096 Jul 24 14:21 openssl-1.0.1.XXXX
drwxr-xr-x 2 michael felt   4096 Jul 16 14:22 openssl-aix52

And in the details ...

michael@x071:[/data/prj/AIX/openssl]ls -l openssl-0.9.8.XXXX
total 308852
-rw-r--r-- 1 michael felt    6450493 Jul 16 14:23 61ssl98m.tar.Z
-rw-r--r-- 1 michael felt       1620 Jul 16 14:19 Readme-0.9.8.1800.txt
-rw-r--r-- 1 michael felt       3157 Jul 16 14:17 Readme-0.9.8.1801.txt
-rw-r--r-- 1 michael felt       4650 Jul 16 14:17 Readme-0.9.8.1802.txt
-rw-r--r-- 1 michael felt       1617 Jul 16 14:16 Readme-0.9.8.2400.txt
-rw-r--r-- 1 michael felt       1617 Jul 16 14:16 Readme-0.9.8.2500.txt
-rw-r--r-- 1 michael felt       1720 Jul 16 14:15 Readme-0.9.8.2501.txt
-rw-r--r-- 1 michael felt       2892 Jul 16 14:15 Readme-0.9.8.2502.txt
-rw-r--r-- 1 michael felt       4035 Jul 16 14:14 Readme-0.9.8.2503.txt
-rw-r--r-- 1 michael felt       4444 Jul 16 14:14 Readme-0.9.8.2504.txt
-rw-r--r-- 1 michael felt       5165 Jul 16 14:13 Readme-0.9.8.2505.txt
-rw-r--r-- 1 michael felt        423 Jul 16 14:10 Readme-1.0.1.500.txt
-rw-r--r-- 1 michael felt        422 Jul 16 14:10 Readme-1.0.1.501.txt
-rw-r--r-- 1 michael felt       3014 Jul 16 14:12 Readme-12.9.8.2501.txt
-rw-r--r-- 1 michael felt       4413 Jul 16 14:12 Readme-12.9.8.2502.txt
-rw-r--r-- 1 michael felt       5554 Jul 16 14:11 Readme-12.9.8.2503.txt
-rw-r--r-- 1 michael felt       5963 Jul 16 14:11 Readme-12.9.8.2504.txt
-rw-r--r-- 1 michael felt       6927 Jul 16 14:11 Readme-12.9.8.2505.txt
-rw-r--r-- 1 michael felt       2911 Jul 16 14:16 Readme-fips-12.9.8.2400.txt
-rw-r--r-- 1 michael felt       2911 Jul 16 14:13 Readme-fips-12.9.8.2500.txt
-rw-r--r-- 1 michael felt       2693 Jul 16 13:54 Readme-fips.12.9.8.1100.txt
-rw-r--r-- 1 michael felt       2937 Jul 16 13:54 Readme-fips.12.9.8.1101.txt
-rw-r--r-- 1 michael felt       3081 Jul 16 13:59 Readme-fips.12.9.8.1102.txt
-rw-r--r-- 1 michael felt       3648 Jul 16 14:23 Readme-fips.12.9.8.1104.txt
-rw-r--r-- 1 michael felt       4918 Jul 16 14:21 Readme-fips.12.9.8.1301.txt
-rw-r--r-- 1 michael felt       5131 Jul 16 14:21 Readme-fips.12.9.8.1302.txt
-rw-r--r-- 1 michael felt       2902 Jul 16 14:19 Readme-fips.12.9.8.1800.txt
-rw-r--r-- 1 michael felt       4502 Jul 16 14:18 Readme-fips.12.9.8.1801.txt
-rw-r--r-- 1 michael felt       5995 Jul 16 14:17 Readme-fips.12.9.8.1802.txt
-rw-r--r-- 1 michael felt       1358 Jul 16 13:55 Readme.0.9.8.1100.txt
-rw-r--r-- 1 michael felt       1662 Jul 16 13:56 Readme.0.9.8.1102.txt
-rw-r--r-- 1 michael felt       2226 Jul 16 14:23 Readme.0.9.8.1104.txt
-rw-r--r-- 1 michael felt       1413 Jul 16 14:23 Readme.0.9.8.1300.txt
-rw-r--r-- 1 michael felt       3556 Jul 16 14:21 Readme.0.9.8.1301.txt
-rw-r--r-- 1 michael felt       3795 Jul 16 14:20 Readme.0.9.8.1302.txt
-rw-r--r-- 1 michael felt       1591 Jul 16 13:50 Readme.0.9.8.802
-rw-r--r-- 1 michael felt       1542 Jul 16 13:51 Readme.0.9.8.803-AIX-5.3_6.1.txt
-rw-r--r-- 1 michael felt       1555 Jul 16 13:54 Readme.0.9.8.840-AIX-5.3_6.1.txt
-rw-r--r-- 1 michael felt       1242 Jul 16 13:49 Readme.9.8.801.txt
drwxr-xr-x 2 michael felt       4096 Jul 24 13:21 openssl-0.9.8.1302
-rw-r--r-- 1 michael felt    6456887 Jul 16 14:20 openssl-0.9.8.1302.tar.Z
-rw-r--r-- 1 michael felt    6430789 Jul 16 14:19 openssl-0.9.8.1800.tar.Z
-rw-r--r-- 1 michael felt    6407523 Jul 16 14:17 openssl-0.9.8.1801.tar.Z
-rw-r--r-- 1 michael felt    6400451 Jul 16 14:16 openssl-0.9.8.1802.tar.Z
-rw-r--r-- 1 michael felt    6442513 Jul 16 14:16 openssl-0.9.8.2400.tar.Z
-rw-r--r-- 1 michael felt    6438535 Jul 16 14:15 openssl-0.9.8.2500.tar.Z
-rw-r--r-- 1 michael felt   10197469 Jul 16 14:15 openssl-0.9.8.2501.tar.Z
-rw-r--r-- 1 michael felt   10206027 Jul 16 14:14 openssl-0.9.8.2502.tar.Z
-rw-r--r-- 1 michael felt   10189176 Jul 16 14:14 openssl-0.9.8.2503.tar.Z
-rw-r--r-- 1 michael felt   17713505 Jul 16 14:13 openssl-0.9.8.2504.tar.Z
drwx------ 2  435159 417786     4096 Jul 16 14:28 openssl-0.9.8.2505
-rw-r--r-- 1 michael felt   10196756 Jul 16 14:13 openssl-0.9.8.2505.tar.Z
-rw-r--r-- 1 michael felt    7810255 Jul 16 14:21 openssl-fips-12.9.8.1302.tar.Z
-rw-r--r-- 1 michael felt    7777095 Jul 16 14:19 openssl-fips-12.9.8.1800.tar.Z
-rw-r--r-- 1 michael felt    7778075 Jul 16 14:18 openssl-fips-12.9.8.1801.tar.Z
-rw-r--r-- 1 michael felt    7785833 Jul 16 14:17 openssl-fips-12.9.8.1802.tar.Z
-rw-r--r-- 1 michael felt    7742959 Jul 16 14:16 openssl-fips-12.9.8.2400.tar.Z
-rw-r--r-- 1 michael felt    7777855 Jul 16 14:12 openssl-fips-12.9.8.2500.tar.Z
-rw-r--r-- 1 michael felt   12193100 Jul 16 14:12 openssl-fips-12.9.8.2501.tar.Z
-rw-r--r-- 1 michael felt   12219453 Jul 16 14:12 openssl-fips-12.9.8.2502.tar.Z
-rw-r--r-- 1 michael felt   12189522 Jul 16 14:11 openssl-fips-12.9.8.2503.tar.Z
-rw-r--r-- 1 michael felt   19710221 Jul 16 14:11 openssl-fips-12.9.8.2504.tar.Z
-rw-r--r-- 1 michael felt   12198169 Jul 16 14:10 openssl-fips-12.9.8.2505.tar.Z
-rw-r--r-- 1 michael felt    7715223 Jul 16 13:54 openssl-fips.12.9.8.1100.tar.Z
-rw-r--r-- 1 michael felt    7699778 Jul 16 13:54 openssl-fips.12.9.8.1101.tar.Z
-rw-r--r-- 1 michael felt    7703907 Jul 16 13:59 openssl-fips.12.9.8.1102.tar.Z
-rw-r--r-- 1 michael felt    7687487 Jul 16 14:23 openssl-fips.12.9.8.1104.tar.Z
-rw-r--r-- 1 michael felt    7819049 Jul 16 14:21 openssl-fips.12.9.8.1301.tar.Z
-rw-r--r-- 1 michael felt    6335431 Jul 16 13:56 openssl.0.9.8.1100.tar.Z
-rw-r--r-- 1 michael felt    6330255 Jul 16 13:55 openssl.0.9.8.1101.tar.Z
-rw-r--r-- 1 michael felt    6323679 Jul 16 13:56 openssl.0.9.8.1102.tar.Z
-rw-r--r-- 1 michael felt    6329549 Jul 16 14:22 openssl.0.9.8.1104.tar.Z
-rw-r--r-- 1 michael felt    6445169 Jul 16 14:21 openssl.0.9.8.1301.tar.Z
-rw-r--r-- 1 michael felt    6679931 Jul 16 13:49 openssl.0.9.8.802.tar.Z
-rw-r--r-- 1 michael felt    6679411 Jul 16 13:51 openssl.0.9.8.803-AIX-5.3_6.1.tar.Z
-rw-r--r-- 1 michael felt    6710648 Jul 16 13:53 openssl.0.9.8.840-AIX5.3_6.1.tar.Z
-rw-r--r-- 1 michael felt    6680723 Jul 16 13:49 openssl.9.8.801.tar.Z

So, from memory, the .2500 was OpenSSL-0.9.8z and the latest I have here (.2505) would be 0.9.8ze

If you want the "latest" - may I "offer" OpenSSH-6.0p1 or OpenSSH-7.1p1?

AIX 5.3 TL7
root@x064:[/]ssh -V
OpenSSH_4.5p1, OpenSSL 0.9.8d 28 Sep 2006

installp -d /data/prj/AIX/openssl/*514 -aYc openssl.base

...
Pre-installation Failure/Warning Summary
----------------------------------------
Name Level Pre-installation Failure/Warning
-------------------------------------------------------------------------------
openssl.base 1.0.1.514 Already installed

Like I said - the openssh from way back when did not use the openssl package.

From my aixtools openssh page: OpenSSH - AIXTOOLS The latest and greatest (can be installed in parallel - it does reconfigure the SRC system)

Before:

root@x064:[/]odmget -q subsysname=sshd SRCsubsys

SRCsubsys:
        subsysname = "sshd"
        synonym = ""
        cmdargs = "-D"
        path = "/usr/sbin/sshd"
        uid = 0
        auditid = 0
        standin = "/dev/console"
        standout = "/dev/console"
        standerr = "/dev/console"
        action = 1
        multi = 0
        contact = 2
        svrkey = 0
        svrmtype = 0
        priority = 20
        signorm = 15
        sigforce = 9
        display = 1
        waittime = 20
        grpname = "ssh"

After:

root@x064:[/]type ssh
ssh is /opt/bin/ssh
root@x064:[/]ssh -V
OpenSSH_7.1p1, OpenSSL 1.0.1e 11 Feb 2013

root@x064:[/]odmget -q subsysname=sshd SRCsubsys

SRCsubsys:
        subsysname = "sshd"
        synonym = ""
        cmdargs = "-D"
        path = "/opt/sbin/sshd"
        uid = 0
        auditid = 0
        standin = "/dev/console"
        standout = "/dev/console"
        standerr = "/dev/console"
        action = 1
        multi = 0
        contact = 2
        svrkey = 0
        svrmtype = 0
        priority = 20
        signorm = 15
        sigforce = 9
        display = 1
        waittime = 20
        grpname = "ssh"

Install command:

root@x064:[/]installp -a -d /data/aixtools/tools aixtools.openbsd.openssh.rte
+-----------------------------------------------------------------------------+
                    Pre-installation Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...

WARNINGS
--------
  Problems described in this section are not likely to be the source of any
  immediate or serious failures, but further actions may be necessary or
  desired.

  Conflicting Versions of Filesets
  --------------------------------
  The following filesets are conflicting versions of filesets for which there
  are multiple versions on the installation media.  Since a specific version
  was not selected, the newest installable version has been selected.

    aixtools.openbsd.openssh.rte 6.8.0.1601   # 1525 0625 1338
    aixtools.openbsd.openssh.rte 7.1.0.1601   # 1537 0917 1039
    aixtools.openbsd.openssh.rte 6.8.1.1601   # 1541 1016 0754
    aixtools.openbsd.openssh.rte 6.9.1.1601   # 1541 1016 0753
    aixtools.openbsd.openssh.rte 6.9.0.1601   # 1537 0917 0928

  << End of Warning Section >>

SUCCESSES
---------
  Filesets listed in this section passed pre-installation verification
  and will be installed.

  Selected Filesets
  -----------------
  aixtools.openbsd.openssh.rte 7.1.1.1601     # 1541 1016 0755

  << End of Success Section >>

+-----------------------------------------------------------------------------+
                   BUILDDATE Verification ...
+-----------------------------------------------------------------------------+
Verifying build dates...done
FILESET STATISTICS
------------------
    1  Selected to be installed, of which:
        1  Passed pre-installation verification
  ----
    1  Total to be installed

+-----------------------------------------------------------------------------+
                         Installing Software...
+-----------------------------------------------------------------------------+

installp:  APPLYING software for:
        aixtools.openbsd.openssh.rte 7.1.1.1601

+-------OpenSSH CONFIG Checking for Ciphers and KeyExchanges -----------------+
Creating host keys if required.
/var/openssh/etc/ssh_host_key already exists, skipping.
/var/openssh/etc/ssh_host_dsa_key already exists, skipping.
/var/openssh/etc/ssh_host_rsa_key already exists, skipping.
Generating public/private ecdsa key pair.
Your identification has been saved in /var/openssh/etc/ssh_host_ecdsa_key.
Your public key has been saved in /var/openssh/etc/ssh_host_ecdsa_key.pub.
The key fingerprint is:
SHA256:yGRoPkLu9zDHi9xmGwJepAhhcI2clKxdEe6R7y7Xx1A root@x064
The key's randomart image is:
+---[ECDSA 256]---+
|+=o=oo           |
|.o*.oo           |
|.o..B o          |
|o+.* * .  E      |
|. = = + S.       |
| o + +  .        |
|  o = =. o       |
|   o.X+o. o      |
|    o=*. .       |
+----[SHA256]-----+
Generating public/private ed25519 key pair.
Your identification has been saved in /var/openssh/etc/ssh_host_ed25519_key.
Your public key has been saved in /var/openssh/etc/ssh_host_ed25519_key.pub.
The key fingerprint is:
SHA256:+SzJ9nletCi7Pg8kG1zttB8penJ53vQY7iEqUT5yrDU root@x064
The key's randomart image is:
+--[ED25519 256]--+
|                 |
|           .     |
|          . o    |
|       . o.o . . |
|        S+. + +  |
|       .oOE. * o |
|        **Bo* B .|
|       .oo.X.* *.|
|         oB*o.= o|
+----[SHA256]-----+

0513-044 The sshd Subsystem was requested to stop.
0513-071 The sshd Subsystem has been added.
0513-059 The sshd Subsystem has been started. Subsystem PID is 319700.
Finished processing all filesets.  (Total time:  5 secs).

+-----------------------------------------------------------------------------+
                                Summaries:
+-----------------------------------------------------------------------------+

Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
aixtools.openbsd.openssh.rt 7.1.1.1601      USR         APPLY       SUCCESS
aixtools.openbsd.openssh.rt 7.1.1.1601      ROOT        APPLY       SUCCESS

Note: OpenSSH-7.1p1 is NOT my favorite as there are many changes to the default behavior with regard to root logins. If you are not using PKI for root login (of course you are not using passwords) - then you will not have any issues. However, if you are - you may prefer the OpenSSH-6.0p1 (aixtools.openbsd.openssh-6.9.1.1601 packaging).

Hope this very long read actually helps!!!

IMPORTANT

Should you use my packaging - the key config files are copied from /etc/ssh to /var/openssh/etc - check out the files there and compare them. I have also set up the uninstall to restore the default AIX settings should you decide not to use it after all (i.e., they can co-exist side by side).

root@x064:[/]ssh -V
OpenSSH_7.1p1, OpenSSL 1.0.1e 11 Feb 2013
root@x064:[/]/usr/bin/ssh -V
OpenSSH_4.5p1, OpenSSL 0.9.8d 28 Sep 2006
root@x064:[/]oslevel -s
5300-07-00-0000

Thank you Michael,

let me do some testing and get back to you.

Regards