Preparing the SSH client on an AIX host

When you use AIX® hosts, Secure Shell (SSH) logins are authenticated on the SAN Volume Controller cluster using the RSA-based authentication that is supported in the OpenSSH client available for AIX.

RSA-based authentication uses public-key cryptography, in which encryption and decryption use separate keys and the decryption key cannot be derived from the encryption key. Initially, the user creates a public/private key pair for authentication purposes. The server (the SAN Volume Controller cluster in this case) knows the public key, and only the user (the AIX host) knows the private key. Because possession of the private key allows access to the cluster, the private key must be kept in a protected place. You can store the private key in the /.ssh directory on the AIX host with restricted access permissions.

When you use the AIX host to log in to the SAN Volume Controller cluster, the SSH program on the AIX host sends the SAN Volume Controller cluster the public key that it wants to use for authentication. The cluster checks whether this key is permitted and, if so, sends the SSH program that is running on behalf of the user a challenge. The challenge is a random number that is encrypted with the user's public key and can be decrypted only with the matching private key. The user's client (the AIX host) uses the private key to decrypt the challenge and prove that the user has the private key. The private key is not shown to the server (the SAN Volume Controller cluster) or to anyone who might be intercepting the transmissions between the AIX host and the SAN Volume Controller cluster.

Perform the following steps to set up an RSA key pair on the AIX host and the SAN Volume Controller cluster:

  1. Create an RSA key pair by issuing a command on the AIX host that is similar to the following command:
    ssh-keygen -t rsa
    Tip: Issue the command from the $HOME/.ssh directory.
    This process generates two user-named files. If you select the name key, the files are named key and key.pub, where key is the name of the private key and key.pub is the name of the public key.
  2. Store the private key from this key pair on the AIX host, in the $HOME/.ssh directory, in the $HOME/.ssh/identity file. If you are using multiple keys, all of the keys must appear in the identity file.
  3. Store the public key on the IBM® System Storage® Productivity Center or the master console of the SAN Volume Controller cluster. Typically this can be done with ftp; however, the IBM System Storage Productivity Center or the master console might have ftp disabled for security reasons, in which case an alternative method, such as secure copy, is required. You can then use the SAN Volume Controller Console to transfer the public key to the cluster. Select an access level of either administrator or service.
You can now access the cluster from the AIX host using an SSH command similar to the following:
ssh admin@my_cluster

In this command, my_cluster is the name of the cluster IP. Always use admin as the SSH user name. The SAN Volume Controller software determines which user is logging in from the key they are using.
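
The restricted access permissions that the private key needs can be checked with a short script. This is an added example, not part of the IBM documentation; the function name audit_ssh_keys, and the rule that a file counts as a private key when it is named identity or its first line contains PRIVATE KEY, are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit permissions on an SSH key directory such as $HOME/.ssh.
# Uses only ls, cut, head and grep, so it runs on AIX and other POSIX hosts.
#
# Usage: audit_ssh_keys "$HOME/.ssh"
# Prints one line per finding; returns 0 only when nothing is found.
audit_ssh_keys() {
    dir=$1
    findings=0
    [ -d "$dir" ] || { echo "MISSING: $dir"; return 2; }

    # Directory: group/other write would let another user swap the key files.
    # Columns 6 and 9 of the ls mode string are the group and other write bits.
    if [ "$(ls -ldL "$dir" | cut -c6,9)" != "--" ]; then
        echo "LOOSE DIR: $dir (fix with: chmod 700 $dir)"
        findings=$((findings + 1))
    fi

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac   # public keys may be readable
        # Assumption: a private key is the identity file from step 2, or any
        # file whose first line is a private-key header.
        if [ "${f##*/}" = identity ] ||
           head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY'; then
            # Columns 5-10 are the group and other permission bits.
            if [ "$(ls -ldL "$f" | cut -c5-10)" != "------" ]; then
                echo "LOOSE KEY: $f (fix with: chmod 600 $f)"
                findings=$((findings + 1))
            fi
        fi
    done
    [ "$findings" -eq 0 ]
}
```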

Refer to your client's documentation for SSH on your host system for more host-specific details regarding this task.
© Copyright IBM Corporation 2003, 2009. All Rights Reserved.