Dark Ages

ajt on 2005-02-01T12:37:00

As part of my SAP training at I've been allowed onto the IBM RS/6000s that run AIX 4.3.3 and the SAP system. Other than initial set up and dealing with any printer queue problems we don't actually do much with the systems at the operating system level on a day to day basis. This is very good as they are pretty primitive to say the least. Compared with something modern like Debian GNU/Linux, AIX is really scary, it's so primitive.


AIX

nicholas on 2005-02-07T12:14:25

AIX is pain, highness. Anyone who tells you differently is an IBM salesdroid.

Re:AIX

ajt on 2005-02-07T13:01:28

In my limited experience to date, all I can say is that it's strange. From what I can glean from various places, IBM are gradually phasing AIX out, and phasing Linux in. For better or worse, AIX is only now really there for existing customers until they can migrate to Linux. The last version had lots of Linux features to ease the transition, and the new "cheap" Power systems run only on Linux.

Don't base opinion on 433

n1vux on 2005-02-12T23:46:40

What are you doing with AIX 4.3.3? IBM dropped support for that rev a while ago.

AIX 4.3.3 is obsolete. AIX 5.3 is latest. Comparing a no longer supported AIX to a modern Debian is like comparing DOS 2.11 or AT&T Unix System III to Mac OS X ...

AIX 5.3 lets one assign fractional processors to logical partitions (LPARs). Not very useful if you only run one OS image per rack, but very useful in a business environment. AIX does have RPM-like features and is designed to be easy to administer ... for AIX admins. The admin features were added *before* anyone but HP-UX cared about them, so were of necessity divergent from the non-existent standard. (POSIX didn't address the ability to easily admin 50-100 systems.) AIX ACLs aren't quite as elegant as Linux/Solaris ACEs, but not half bad, especially given how early they were added. (I do prefer an ACL system that has a default for new files, though, which is an advantage for Linux/Solaris ACEs, VMS, Win/NT's.)

Bill

Re:Don't base opinion on 433

ajt on 2005-02-13T11:48:53

I didn't know it was unsupported, but it's what the SAP system runs on. That system will be upgraded to an AIX 5.x eventually. You know how companies are, very conservative about change and all that.

I've generally heard "nice but odd" comments about AIX. It's supposed to be quite powerful and robust, but quite divergent from other Unix/Linux versions. What freaked me out the most was the default use of unsecured telnet, ftp and rsh/rlogin, rather than ssh, and the primitive nature of the Korn shell when compared to Bash.

I suppose if you know more, especially regarding SAP, you can configure it to be secure, rather than the default insecure state. Even the test 5.x system didn't have SSH enabled, and was running insecure protocols by default.

There could also be a cultural difference: on a Red Hat course I went on recently, the people with a Linux background wouldn't dream of using Telnet or the r tools; to that group, SSH was the default. Those with a Unix background were used to Telnet and the r tools, and to them SSH was advanced and they didn't know or use it.

Re:Don't base opinion on 433

n1vux on 2005-02-14T02:23:45

Sorry to hear your SAP course was on a bad example system. It's probably paid for, so there's a budgetary disincentive to upgrade. Well-managed AIXen stay current and stay secure.

Yes, there is a cultural difference, and the conservative "don't break what works" is part of it. Korn Shell was the hot new shell back when AIX forked off System V, SSH wasn't invented yet, and the holes in the r* Berklix tools hadn't been explored yet. RedHat established their standard toolbox much more recently, and has a culture of change. However, RedHat Enterprise Advanced Server and Debian take flak in the Linux community for not embracing change fast enough ...

Some of us AIXers use OpenSSH regularly at work and at home. The insecure protocols probably still ship with AIX from the vendor, but they don't have to be deployed and don't have to be started.

The other cultural difference is that big corps with fancy firewalls between internal subnets feel that internal networks are secured and trusted, so they see no problem with passwords in the clear on the LAN ... but then object to people keeping passwords under the keyboard. Goofy thinking, but recurring and predictable.
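The point above, that the cleartext services ship with the system but do not have to be started, is something an administrator can check rather than assume. The script below is an added example, not code from the thread or from IBM: it audits an inetd.conf-style file for enabled cleartext services (telnet, ftp and the r* tools) and writes a copy with those lines commented out. The file layout and the sample entries are constructed for the demonstration; on a real AIX host the file to inspect is /etc/inetd.conf, and inetd has to be refreshed after editing it.

```shell
#!/bin/sh
# Added example (not from the thread): audit an inetd-style config for
# cleartext services that are still enabled, and produce a hardened copy.
# A line starting with '#' is a disabled service; the first field on an
# active line is the service name as listed in /etc/services.

# Services whose credentials or payload travel in the clear.
CLEARTEXT_SERVICES="telnet ftp shell login exec"

# audit_inetd FILE: print the name of every enabled cleartext service, one per line.
audit_inetd() {
    awk -v list="$CLEARTEXT_SERVICES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }      # comment or blank line: not started
        ($1 in bad) { print $1 }' "$1"
}

# count_cleartext FILE: number of enabled cleartext services (0 is the goal).
count_cleartext() {
    audit_inetd "$1" | wc -l | tr -d ' '
}

# disable_cleartext IN OUT: copy IN to OUT with enabled cleartext services commented out.
disable_cleartext() {
    awk -v list="$CLEARTEXT_SERVICES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { print; next }
        ($1 in bad) { print "#" $0; next }
        { print }' "$1" > "$2"
}

# make_sample_inetd: write a constructed inetd.conf-style file and print its path.
# The entries imitate an AIX layout (service, type, proto, wait, user, server, args)
# but are sample data, not a copy of any real system's configuration.
make_sample_inetd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
## constructed sample inetd.conf for the demonstration
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd      ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd   telnetd -a
shell   stream  tcp6    nowait  root    /usr/sbin/rshd      rshd
#login  stream  tcp6    nowait  root    /usr/sbin/rlogind   rlogind
#exec   stream  tcp6    nowait  root    /usr/sbin/rexecd    rexecd
ntalk   dgram   udp     wait    root    /usr/sbin/talkd     talkd
EOF
    echo "$f"
}

# Demonstration run on the constructed sample.
sample=$(make_sample_inetd)
echo "Enabled cleartext services in $sample:"
audit_inetd "$sample"
disable_cleartext "$sample" "$sample.hardened"
echo "Remaining after hardening: $(count_cleartext "$sample.hardened")"
```

The sample leaves ftp, telnet and shell (rsh) enabled and login/exec already commented out, so the audit reports three services and the hardened copy reports none. SSH is not an inetd service, so enabling it is a separate step (on AIX, an OpenSSH install plus its own daemon), which is why the check is written to look only for what should be absent.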

Re:Don't base opinion on 433

ajt on 2005-02-14T09:03:18

You are probably right, once a system works companies won't touch it, even if it's got security holes you could drive a bus through. If you point out holes you're a troublemaker, and if you don't mention it to an auditor in a direct question you get sacked - though you shouldn't volunteer it unquestioned.

I suppose that once you establish your "unix" culture, it's hard to change it again. Having said that, there is also a culture of charging extra for the upgrade from unsecured to secured: rsh/telnet is in the basic Solaris courses, SSH was/is only in the advanced ones. I don't know what the Linux equivalent is, but I'm sure there is something that they charge for that later systems will include by default.

RHEL and Debian may be a little conservative, but at the moment they do seem to be stable and secure, and as long as something earthshattering doesn't come along I suppose it's worth staying where you are. However once the dust has settled, I think it's time to shift, and people like SAP should remove rsh from their default installs and move over to ssh.

I know exactly what you mean about inside being safe. I once had an argument with someone over the use of rsh/telnet on an intranet; he said because we were all behind a firewall (running on Windows), we could use telnet/rsh with impunity. I then asked: if that is the case, why are all the Windows systems password protected, and rotation and lock out enforced? In the end I really freaked out when I discovered that the notebook systems remember the user's username and password for the VPN by default!

While you can be secure, most of the time I think it's just smoke and mirrors...