Managing Systems and Workgroups: A Guide for HP-UX System Administrators

ManualsBrandsHP ManualsSoftwareHP-UX 11i v1.6 Technical Computing (TCOE) LTU

241

242

243

244

245

246

247

248

249

250

Conﬁguring a System

Using Distributed Systems Administration Utilities

Chapter 3242

Security Conﬁguration

The command fanout tools support both remote shell (rsh or rcmd) and

ssh transports. Each requires speciﬁc security setup steps in order to

authorize the user initiating the command fanout operation to execute a

command on the remote target systems. The command fanout tools

require that the remote system not prompt for a password. Both rsh and

ssh transports must be preconﬁgured on each remote system to allow

non-interactive access. The following sections describe the required

setup steps to enable command fanout operations for each transport.

Remote Shell

Security Setup

When using the remote shell command transport, the local user must

have a $HOME/.rhosts ﬁle conﬁgured on each remote target system.

Refer to the rhosts (4) reference manpage for details on conﬁguring the

$HOME/.rhosts ﬁle.

ssh Security Setup ssh uses public host keys to authenticate remote hosts and supports

public key authentication to authenticate users. When users’ public keys

are properly conﬁgured on a set of remote systems, they can access those

systems without being prompted for a password. Manually conﬁguring

ssh for non-interactive access is a multistep process where ssh

conﬁguration ﬁles are edited on each system. The csshsetup tool greatly

simpliﬁes conﬁguring ssh trust relationships.

For example, when using the command fanout tools in a Serviceguard

cluster, you typically want to be able to issue commands from any

member and target any other member. This requires an n^2 distribution

of ssh public keys. Start by creating a text ﬁle listing the members the

cluster, one per line. Invoke csshsetup using this ﬁle. Note that this

command needs to be issued only once since it conﬁgures each member of

the cluster:

# csshsetup -r -f members_list.txt

The -r option instructs csshsetup to distribute the keys in a

round-robin or n^2 fashion. The user will be prompted for his password

on each remote host. csshsetup then automates the entire public key

distribution process.

Note that csshsetup is not speciﬁc to Serviceguard clusters; it can be

used for arbitrary groups of systems. Also, the trust relationship does not

have to bidirectional. Omit the -r option when setting up a one-way

trust relationship between the current host and a set of remote target

hosts. For additional details, refer to the csshsetup (1) reference

manpage.