Posts Tagged openssl

OpenSSL-1.0.0a on AIX v5.3


Well, once again I find myself scrambling to get something done that was known but not well communicated during the project life-cycle.  So I need to update all managed AIX machines running v5.3 to include OpenSSL (openssl-1.0.0a to be exact), and once again my disdain for AIX rears its ugly head, which is represented by the Zombie to the left 🙂  Aside from my personal dislike of the Korn shell… Maybe I am not being fair to AIX, as I don't really work in an AIX-optimal environment, taking full advantage of all of the great tools they do have (NIM, clustering, SAN, etc…).  But managing them as one-offs just plain stinks.  Suffice it to say that I would NOT recommend deploying a stand-alone AIX server in any circumstance, as you cannot realize anything near its full potential.  Anyway, here is what I did to rectify the issue at hand.

# Install SSL on AIX 5.3.0.0
# get the rpm.rte package on the system
mkdir /opt/ssl4AIX
cd /opt/ssl4AIX
installp -qacXgd rpm.rte rpm.rte
# Grab the other packages and put them on the AIX system
# http://www-03.ibm.com/systems/power/software/aix/linux/toolbox/download.html
rpm -ivh gcc-4.2.0-3.aix5.3.ppc.rpm
rpm -ivh libgcc-4.2.0-3.aix5.3.ppc.rpm
# Create a symlink - check this first, after the RPM installs, for the correct paths
# find / -name libgcc_s.a
# /opt/freeware/lib/gcc/powerpc-ibm-aix5.3.0.0/4.2.0/ppc64/libgcc_s.a
# /opt/freeware/lib/gcc/powerpc-ibm-aix5.3.0.0/4.2.0/pthread/ppc64/libgcc_s.a
# /opt/freeware/lib/gcc/powerpc-ibm-aix5.3.0.0/4.2.0/pthread/libgcc_s.a
# /opt/freeware/lib/gcc/powerpc-ibm-aix5.3.0.0/4.2.0/libgcc_s.a
# Now make the link
ln -s /opt/freeware/lib/gcc/powerpc-ibm-aix5.3.0.0/4.2.0/libgcc_s.a /usr/lib/libgcc_s.a
#
gunzip openssl-1.0.0a.tar.gz
tar -xf openssl-1.0.0a.tar
cd openssl-1.0.0a
./Configure shared --prefix=/usr aix-gcc
make
make test
# If all goes well !!!
make install
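The comment block above says to run find first and then pick the right libgcc_s.a before creating the /usr/lib symlink. Here is that check scripted, as an added example that is not part of the original post: pick_libgcc reads the find output and keeps only the plain 32-bit, non-pthread copy (the one the post links to), failing if there is not exactly one such candidate, and symlink_points_to verifies an existing link resolves to the expected target. The candidate list is constructed from the paths shown in the post; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): select the plain 32-bit,
# non-pthread libgcc_s.a from `find / -name libgcc_s.a` output and verify
# the resulting /usr/lib symlink. Function names are hypothetical.

# Constructed candidate list, copied from the find output shown in the post.
FIND_OUTPUT='/opt/freeware/lib/gcc/powerpc-ibm-aix5.3.0.0/4.2.0/ppc64/libgcc_s.a
/opt/freeware/lib/gcc/powerpc-ibm-aix5.3.0.0/4.2.0/pthread/ppc64/libgcc_s.a
/opt/freeware/lib/gcc/powerpc-ibm-aix5.3.0.0/4.2.0/pthread/libgcc_s.a
/opt/freeware/lib/gcc/powerpc-ibm-aix5.3.0.0/4.2.0/libgcc_s.a'

# pick_libgcc: read find output on stdin and print the single path whose
# directory contains neither "ppc64" nor "pthread". Exit 1 unless exactly
# one candidate survives, so a surprise layout does not silently link the
# wrong library.
pick_libgcc() {
  awk '$0 !~ /\/(ppc64|pthread)\// { hits[++n] = $0 }
       END { if (n == 1) { print hits[1]; exit 0 } exit 1 }'
}

# symlink_points_to LINK TARGET: true when LINK is a symbolic link whose
# target is exactly TARGET. Uses ls -l rather than readlink because readlink
# is not guaranteed on an older AIX box.
symlink_points_to() {
  [ -L "$1" ] || return 1
  target=$(ls -l "$1" | sed 's/.* -> //')
  [ "$target" = "$2" ]
}

# Stand-alone usage: print the chosen library, then the ln command to run.
chosen=$(printf '%s\n' "$FIND_OUTPUT" | pick_libgcc) || { echo "no unique candidate"; exit 1; }
echo "chosen: $chosen"
echo "run:    ln -s $chosen /usr/lib/libgcc_s.a"
```

On the real system, replace the constructed list with `find / -name libgcc_s.a 2>/dev/null | pick_libgcc`, and after linking confirm it with `symlink_points_to /usr/lib/libgcc_s.a "$chosen"`.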

Incidentally, you need an IBM account if you want to download these packages from http://www-03.ibm.com/systems/power/software/aix/linux/toolbox/download.html… LOL

That stinks as well 😦


SUN-Jail – Solaris 10 convicted! Part II: Dammit… I forgot to lock the door!


OK… so hopefully you already went through Part I; if not, this may not make much sense, as I am not going to revisit anything here.  This is the mod_tls setup for FTPS, or FTPES if you are using FileZilla… I was not familiar with the FTPES connection mode, but now I am, and so are you… I was using FireFTP and everything was working fine, but in the interest of testing more than what I use, I found this new tidbit of information 🙂

So let's first tweak the proftpd.conf file; add this to the bottom of the file:

<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                SSLv23
TLSOptions                 NoCertRequest
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                off
</IfModule>
Take note of the files referenced here.  Go ahead and create the log dir; definitely do this, as you will need the log if anything is not working… and then we can move on to making the key/cert.  Keep in mind that I am using Webmin for the ProFTPd control, and it lets you apply changes after a save, eliminating the need for a manual restart of proftpd 🙂

Make this dir; please make it, or the key/cert command will whine like a bitty baby…

mkdir -p /etc/proftpd/ssl

Then make the key/cert:

openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem

Make sure to answer all the posed questions:

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g., "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g., "server1.example.com").
Email Address []: <-- Enter your Email Address.

And again, now we are done.  Not too bad… right?  I set up a few test users so I could tail the log file and watch as they log in, to make sure I can see what is expected as well as what isn't…

May 25 15:35:08 mod_tls/2.2.1[2020]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:35:08 mod_tls/2.2.1[2020]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:09 mod_tls/2.2.1[2020]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
May 25 15:35:10 mod_tls/2.2.1[2020]: Protection set to Private
May 25 15:35:26 mod_tls/2.2.1[2021]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:35:26 mod_tls/2.2.1[2021]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:27 mod_tls/2.2.1[2021]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES128-SHA (128 bits)
May 25 15:35:27 mod_tls/2.2.1[2021]: Protection set to Private
May 25 15:35:51 mod_tls/2.2.1[2022]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:35:52 mod_tls/2.2.1[2022]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:52 mod_tls/2.2.1[2022]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
May 25 15:36:33 mod_tls/2.2.1[2023]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:36:33 mod_tls/2.2.1[2023]: TLS/TLS-C requested, starting TLS handshake
May 25 15:36:33 mod_tls/2.2.1[2023]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
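Tailing tls.log by eye works for a few test users, but with more sessions it helps to summarise per connection. The script below is an added example, not part of the original post: it groups the mod_tls lines by the PID in brackets and reports, for each session, whether the handshake reached "connection accepted" and which cipher and key size were negotiated, then counts sessions that never completed and accepted sessions below a key-size floor. The sample lines are constructed in the format shown above (PID 2024, which starts a handshake and never gets accepted, is made up to exercise that branch); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): per-session summary of
# ProFTPD mod_tls log lines. Function names are hypothetical.

# Constructed sample in the tls.log format shown in the post. PID 2024 is a
# made-up session that starts a handshake but is never accepted.
TLS_LOG_SAMPLE='May 25 15:35:08 mod_tls/2.2.1[2020]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:35:08 mod_tls/2.2.1[2020]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:09 mod_tls/2.2.1[2020]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
May 25 15:35:10 mod_tls/2.2.1[2020]: Protection set to Private
May 25 15:35:26 mod_tls/2.2.1[2021]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:27 mod_tls/2.2.1[2021]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES128-SHA (128 bits)
May 25 15:35:51 mod_tls/2.2.1[2022]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:52 mod_tls/2.2.1[2022]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
May 25 15:36:40 mod_tls/2.2.1[2024]: TLS/TLS-C requested, starting TLS handshake'

# tls_summary: read log lines on stdin, print one line per session:
#   PID accepted CIPHER BITS    or    PID incomplete - -
# Sessions are printed in the order they first appear.
tls_summary() {
  awk '
    # The PID sits between the first "[" and "]" on every line.
    { pid = $0; sub(/^[^[]*\[/, "", pid); sub(/\].*$/, "", pid) }
    /starting TLS handshake/ { if (!(pid in order)) order[pid] = ++n }
    /connection accepted, using cipher/ {
      cipher = $0; sub(/^.*using cipher /, "", cipher); sub(/ .*$/, "", cipher)
      bits = $0; sub(/^.*\(/, "", bits); sub(/ bits\).*$/, "", bits)
      accepted[pid] = cipher " " bits
      if (!(pid in order)) order[pid] = ++n
    }
    END {
      for (p in order) byidx[order[p]] = p
      for (i = 1; i <= n; i++) {
        p = byidx[i]
        if (p in accepted) print p, "accepted", accepted[p]
        else print p, "incomplete", "-", "-"
      }
    }'
}

# tls_incomplete_count: sessions that started a handshake but were never accepted.
tls_incomplete_count() {
  tls_summary | awk '$2 == "incomplete" { c++ } END { print c + 0 }'
}

# tls_weak_count [MIN_BITS]: accepted sessions negotiating fewer than MIN_BITS
# (default 128) key bits.
tls_weak_count() {
  min=${1:-128}
  tls_summary | awk -v min="$min" '$2 == "accepted" && $4 + 0 < min + 0 { c++ } END { print c + 0 }'
}

# Stand-alone usage over the constructed sample.
printf '%s\n' "$TLS_LOG_SAMPLE" | tls_summary
echo "incomplete handshakes: $(printf '%s\n' "$TLS_LOG_SAMPLE" | tls_incomplete_count)"
echo "accepted below 256 bits: $(printf '%s\n' "$TLS_LOG_SAMPLE" | tls_weak_count 256)"
```

On the server, feed the real log instead: `tls_summary < /var/log/proftpd/tls.log`. A session that shows "starting TLS handshake" with no "connection accepted" line is the first thing to look at when a client reports that it cannot connect, which is exactly why the TLSLog directive was added to the config.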


SUN-Jail – Solaris 10 convicted! Part I


OK… so a while back I did something about jails for FTP… Odd that I don't even remember what it was for, let alone being too lazy to go back and look to make proper reference here… but anyway, I have a successful and simple approach to doing this on Solaris 10, and seeing that I get a lot of hits for my Solaris posts, this may in fact be another good destination.  I went back to my tried and true buddy, Webmin, for this, with as little effort as possible.  I decided to use the ProFTPd module that comes (the icon, anyway) included with Webmin for Solaris (which, by the by, is also a default package on Sol 10) and packages from the sunfreeware site.  So let's get started with the required packages and some basic system tweaks you may or may not need.

I started out making a repo dir under /export/home, as it is a large filesystem on these systems:

mkdir /export/home/sunfreeware

cd /export/home/sunfreeware

For whatever reason, the default $PATH on Solaris 10 is as bare as it comes, leaving out lots of cool, already-installed tools, like wget for example.  I created a .profile and added this PATH:

PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/sfw/bin:/usr/local/sbin

This covers everything I found useful without absolute paths (and without actually knowing where the f' it is!!!)…

Here is a listing of what I needed (you may or may not need all of these):

gcc-3.4.6-sol10-x86-local.gz
make-3.81-sol10-x86-local.gz
openssl-1.0.0-sol10-x86-local.gz
proftpd-1.3.2-sol10-x86-local.gz
rssh-2.3.2-sol10-x86-local.gz

So let's quickly grab these (cd back into the repo dir first, in case you were not there already 🙂 ):

cd /export/home/sunfreeware

for i in gcc-3.4.6-sol10-x86-local.gz make-3.81-sol10-x86-local.gz openssl-1.0.0-sol10-x86-local.gz proftpd-1.3.2-sol10-x86-local.gz rssh-2.3.2-sol10-x86-local.gz; do wget ftp://ftp.sunfreeware.com/pub/freeware/intel/10/$i; done

Then gunzip them:

for i in *.gz; do gunzip "$i"; done

Then pkgadd them (you will need to answer at least the creation of the /usr/local/bin dir if it is not already there, and the default 'all' question for each package):

for i in *-local; do pkgadd -d "$i"; done

Before you get yourself all in a tizzy… let's stop the default FTP service:

svcadm disable network/ftp

OK… now let's install Webmin (see how handy our PATH has been so far… 🙂 ):

webminsetup

Answer the questions however you like… and voilà… done 🙂

Now we need to make a few tweaks to the ProFTPd settings:

You may have to click on this pic to see the line to which I am referring, but in any event you want to uncomment this line so that ALL users are jailed to their defined home dir… and let me tell you, this is as easy as that process gets.  There is one other setting we need to make to ensure this takes place, but it is in fact a radio button, so nothing overly complex there.  I also made the usual permissions changes on the user dirs to ensure the most security possible, and a few other changes… well, let's look at that step by step, shall we…

OK, so as you can see (from the wget up above) I grabbed rssh, a restricted shell.  Whether or not any of this is actually necessary is highly speculative, but I will at least illustrate what I did.

In /usr/local/etc/rssh.conf:

allowsftp <-- This is all I wanted to allow

# If you want to chroot users, use this to set the directory where the root of
# the chroot jail will be located.
#
# if you DO NOT want to chroot users, LEAVE THIS COMMENTED OUT.
chrootpath = /export/home/chroot <-- Make this whatever you are jailing your users to

You will also need to make an entry for rssh in /etc/shells (and create the file if it is not there):

/usr/local/bin/rssh

The test user's /etc/passwd entry, with a home directory under the chroot path and rssh as the login shell:

ftptest:x:104:100:FTP Test User:/export/home/chroot/ftptest:/usr/local/bin/rssh

# id ftptest
uid=104(ftptest) gid=100(ftptest)

And the home directory itself, owned by the user with no access for anyone else:

drwx------   2 ftptest ftptest      512 May 20 15:17 ftptest
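The three pieces above (rssh as the login shell, that shell listed in /etc/shells, and a home directory under the chrootpath with mode 700) are easy to get partly right, and a user with two out of three is simply not jailed. Here is a check for them as an added example that is not part of the original post: jail_user_check takes the user name plus the contents of /etc/passwd and /etc/shells and the rssh chrootpath, and reports every problem it finds; home_dir_mode_check confirms the drwx------ permissions shown above. The passwd and shells text is constructed (the ftptest line is the one from the post; ftpbad is a deliberately wrong account), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a jailed
# ftp/sftp account set up the way the post describes. Inputs are passed
# explicitly so it runs against constructed data; on the real box you would
# pass in /etc/passwd, /etc/shells and the chrootpath from rssh.conf.
# Function names are hypothetical.

# Constructed sample data. ftptest mirrors the post; ftpbad is wrong on purpose.
SAMPLE_PASSWD='root:x:0:0:Super-User:/:/usr/bin/bash
ftptest:x:104:100:FTP Test User:/export/home/chroot/ftptest:/usr/local/bin/rssh
ftpbad:x:105:100:Bad Example:/export/home/ftpbad:/usr/bin/bash'
SAMPLE_SHELLS='/usr/bin/bash
/usr/local/bin/rssh'
CHROOT_PATH=/export/home/chroot

# jail_user_check USER PASSWD_TEXT SHELLS_TEXT CHROOTPATH
# Prints "ok" and returns 0, or prints a comma-separated list of problems
# and returns 1.
jail_user_check() {
  user=$1; passwd=$2; shells=$3; chroot=$4
  entry=$(printf '%s\n' "$passwd" | awk -F: -v u="$user" '$1 == u { print; exit }')
  [ -n "$entry" ] || { echo "no passwd entry"; return 1; }
  home=$(printf '%s\n' "$entry" | cut -d: -f6)
  shell=$(printf '%s\n' "$entry" | cut -d: -f7)
  problems=""
  # 1. The login shell must be the restricted shell, or the user gets a real one.
  case $shell in
    */rssh) ;;
    *) problems="${problems}shell is not rssh," ;;
  esac
  # 2. The shell must be listed in /etc/shells, or logins are refused outright.
  printf '%s\n' "$shells" | grep -qx "$shell" || problems="${problems}shell missing from /etc/shells,"
  # 3. The home directory must sit under the rssh chrootpath to be jailed at all.
  case $home in
    "$chroot"/*) ;;
    *) problems="${problems}home not under chrootpath," ;;
  esac
  if [ -z "$problems" ]; then echo ok; return 0; fi
  echo "${problems%,}"; return 1
}

# home_dir_mode_check DIR: true when DIR is a directory with mode 0700
# (drwx------), matching the listing shown in the post.
home_dir_mode_check() {
  [ -d "$1" ] || return 1
  perms=$(ls -ld "$1" | cut -c1-10)
  [ "$perms" = "drwx------" ]
}

# Stand-alone usage over the constructed data.
for u in ftptest ftpbad; do
  echo "$u: $(jail_user_check "$u" "$SAMPLE_PASSWD" "$SAMPLE_SHELLS" "$CHROOT_PATH")"
done
```

On the real system: `jail_user_check ftptest "$(cat /etc/passwd)" "$(cat /etc/shells)" /export/home/chroot` followed by `home_dir_mode_check /export/home/chroot/ftptest`. Ownership is not checked here because the constructed test cannot create files owned by ftptest; `ls -ld` on the real directory shows it.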

From the main module screen simply select the "Files and Directories" option to open the module.  I should mention that we are already in the ProFTPd module at this point, so if you are not there, simply click on the "Servers" link in the top left and then select "ProFTPD Server" and you will be at this very page.  Take note of where things are in Webmin, as surely you will want to go back and make lots of additional amendments to whatever else you have running on the system.

All we are looking at here is making sure that you restrict the user to their home directory.  This may be kind of obvious, but make sure you START the service as well… It can be done from any module.  Up in the right corner you will see a "Start ProFTPd Service" button… click it.  I would also run a few commands from the console just to see what you have going on, as you should have some understanding, outside of a graphical environment, of what is really taking place here.  So let's run some simple commands, shall we???

# ps -ef |grep ftp
ftptest2  4951  4430   0 10:38:45 ?           0:00 /usr/local/sbin/proftpd
nobody  4430     1   0 10:20:35 ?           0:00 /usr/local/sbin/proftpd
root  5193  4197   0 12:43:10 pts/2       0:00 grep ftp

Make sure you don't see anything other than the proftpd service running… (remember we stopped the default ftp service earlier, right???)

# /usr/local/sbin/proftpd -vv
 - mod_tls/2.2.1: compiled using OpenSSL version 'OpenSSL 0.9.8k 25 Mar 2009' headers, but linked to OpenSSL version 'OpenSSL 0.9.8n 24 Mar 2010' library
ProFTPD Version: 1.3.2 (stable)
Scoreboard Version: 01040002
Built: Wed May 13 16:36:46 EDT 2009

Loaded modules:
mod_tls/2.2.1
mod_md5fs.c
mod_readme.c
mod_auth_pam/1.1
mod_ident/1.0
mod_facts/0.1
mod_delay/0.6
mod_site.c
mod_log.c
mod_ls.c
mod_auth.c
mod_auth_file/0.8.3
mod_auth_unix.c
mod_xfer.c
mod_core.c

And that’s it 🙂 Go and test it to ensure you have achieved the expected results:

This is exactly what I was expecting. Make sure you cannot move out of this dir and you are all set… 🙂

So this is all fine and dandy, but who wants to use regular FTP?  I would hope no one in a business environment, anyway… Part II deals with using the mod_tls module packaged with ProFTPd.  For whatever reason, it was actually a pretty big pain in the a$$ to get this whole thing working…
