Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Configuring a System
Using Distributed Systems Administration Utilities
Chapter 3
using syslog-ng’s global setting “time_reopen(<seconds>)”. See the
syslog-ng open source reference manual (/opt/dsau/doc/syslog-ng)
for details.
ssh Port Forwarding to a Serviceguard Cluster Log Consolidator

When using ssh port forwarding with a Serviceguard cluster as the log
consolidation server, a special ssh configuration is required.

In general, using ssh port forwarding requires that the log consolidation
server perform a key exchange with the log forwarding client.
Specifically, the ssh public key for the remote log forwarding client must
be added to the consolidation server’s authorized keys file. Also, the
fingerprint for the log consolidation server is added to the log forwarding
client’s /.ssh/known_hosts file. The client log forwarder is a trusted
system after this key exchange, and the consolidation server does not
need to prompt for any ssh passwords at this point.

Since the consolidation server is a package, it can potentially run on
every member of the cluster. This key exchange between the remote log
forwarding client and a cluster member must be replicated for each
cluster member. Each cluster member has to establish the same trust
relationship to the log forwarding clients.

A problem can arise with the log forwarding client’s known_hosts
fingerprints. When using a package’s relocatable IP address for the
initial ssh key exchange, the client will have the adoptive node’s
fingerprint added to its local /.ssh/known_hosts file. When the
package fails over and the ssh connection is re-established, the new
adoptive node will have a different fingerprint, and ssh will detect this as
a man-in-the-middle attack and refuse to re-establish the ssh tunnel.

In order to prevent this, each cluster member must look like the same
system from the perspective of the log forwarding clients. This can be
achieved by having each cluster member use an identical host key. The
ssh host keys are located in /opt/ssh/etc and contained in the
following files:
ssh_host_key
ssh_host_key.pub
ssh_host_dsa_key
ssh_host_dsa_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub
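
One way to confirm that every cluster member really presents the same host keys before relying on failover is to compare the public halves of the files listed above. The script below is an added example, not part of the HP-UX manual or the DSAU tools. It assumes a hypothetical staging directory with one subdirectory per node holding copies of that node's ssh_host_*.pub files; the node names and key values are constructed.

```shell
#!/bin/sh
# Added example: check that all cluster members share identical ssh host keys.
# Assumed layout (hypothetical): $1/<node>/ holds copies of that node's
# /opt/ssh/etc/ssh_host_*.pub files. Only public keys are compared.
KEYFILES="ssh_host_key.pub ssh_host_dsa_key.pub ssh_host_rsa_key.pub"

# Print the key material only, dropping the trailing comment field.
# Protocol 1 keys: "bits exponent modulus [comment]"; protocol 2: "type base64 [comment]".
key_material() {
    awk 'NF { if ($1 ~ /^[0-9]+$/) print $1, $2, $3; else print $1, $2; exit }' "$1"
}

# Returns 0 if every node agrees on every key file, 1 on any mismatch or missing file.
check_hostkeys_identical() {
    base=$1; rc=0
    for f in $KEYFILES; do
        ref=""; refnode=""
        for nodedir in "$base"/*/; do
            node=$(basename "$nodedir")
            if [ ! -r "$nodedir$f" ]; then
                echo "MISSING  $f on $node"; rc=1; continue
            fi
            cur=$(key_material "$nodedir$f")
            if [ -z "$refnode" ]; then
                ref=$cur; refnode=$node      # first node seen is the reference
            elif [ "$cur" != "$ref" ]; then
                echo "MISMATCH $f: $node differs from $refnode"; rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample data: two nodes with identical keys, differing only in comment.
make_sample() {
    for n in node1 node2; do
        mkdir -p "$1/$n"
        echo "1024 35 1234567890 root@$n" > "$1/$n/ssh_host_key.pub"
        echo "ssh-dss AAAAB3NzaC1kc3MCONSTRUCTED root@$n" > "$1/$n/ssh_host_dsa_key.pub"
        echo "ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTED root@$n" > "$1/$n/ssh_host_rsa_key.pub"
    done
}

tmp=${TMPDIR:-/tmp}/hostkeys.$$
make_sample "$tmp"
check_hostkeys_identical "$tmp" && echo "all cluster members present identical host keys"
rm -rf "$tmp"
```

A MISMATCH line identifies the node whose key would trigger the known_hosts failure described above when the package moves to it.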