LDAP-UX Client Services B.05.00 Administrator's Guide

6.1.3 Permissions
The LDAP-UX host management tool (ldaphostmgr), which is used to manage ssh public keys
in the directory server, manipulates the aforementioned object classes and attributes. This tool
relies on the directory server to provide proper access control. To ensure that only authorized
modifications to the host and public key information are performed, only a restricted set of
privileged users should be allowed to modify host information, including the sshPublicKey
attribute. If you have used the guided installation and, as part of that setup process, created a
new HP-UX Directory Server instance, these access controls are created automatically (for more
information about the access controls established by the guided installation, see Section 2.3.2.3
(page 33)). Several sets of users are considered privileged enough to manipulate host information
in the directory server: members of the DomainAdmins group, members of the HostAdmins group,
and the host's owners (an owner is any user, or any member of a group, whose DN is listed in the
owner attribute of the host's entry). These users, or any other user that has rights to modify the
sshPublicKey attribute for the host in the directory server, are granted permission on the HP-UX
host to change that host's ssh key pairs. Normally the permission to modify the host's public and
private ssh keys is restricted to the root user. However, ldaphostmgr elevates its privilege to allow
a non-root user to replace a host's key pair if that user has permission to modify the sshPublicKey
attribute for the current host.
When a user runs ldaphostmgr and attempts to change a host's ssh key, ldaphostmgr verifies that
the user has the right to modify the sshPublicKey attribute for that host by submitting the
modification to the directory server. If the directory server rejects the modification, ldaphostmgr
does not elevate its privilege and does not modify the host's ssh key. The directory server is
therefore the sole authority for this decision: any account that the directory server permits to
write the sshPublicKey attribute of a host entry can cause that host's key pair to be replaced, so
write access to this attribute should be granted no more widely than root access to the hosts
themselves.
6.1.4 Distributed management (manage from any host)
Remote management is an important feature of the ldaphostmgr tool. Specifically, if LDAP-UX
version B.05.00 or later is installed on a remote host that is part of the same LDAP-UX domain
(that is, subscribes to the same LDAP-UX configuration profile) as the current host, the ssh keys
of that remote host can be managed from the current host. As long as the current user has
permission to log in to the remote host and to modify its sshPublicKey attribute, the ldaphostmgr
tool can change the key of any host in the LDAP-UX domain from any other host in the domain.
This remote management is handled within ldaphostmgr itself; the user need not log in to the
remote host interactively to manage it.
However, this means that a user who is to manage the sshPublicKey attribute of remote hosts
must also have POSIX account attributes (the posixAccount object class), so that the HP-UX OS on
the remote host will allow that user to log in. See Section 6.2.6 (page 199) for additional details
on setting up an ssh key manager account.
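The following LDIF is added here as an illustration of the directory-side configuration that Sections 6.1.3 and 6.1.4 describe; it is not taken from the LDAP-UX product or from the guided installation (the access controls that the guided installation actually creates are documented in Section 2.3.2.3). It assumes a suffix of dc=example,dc=com with hosts under ou=Hosts, groups under ou=Groups and people under ou=People, a host entry cn=hpux1 that already exists with the object classes defined earlier in this chapter, a key manager account uid=keymgr, and the ACI syntax of HP-UX Directory Server (the Red Hat/389 Directory Server ACI format). All of these names and the uidNumber/gidNumber values are assumptions.

```ldif
# Illustrative LDIF, not from the LDAP-UX guide. Assumed layout: suffix
# dc=example,dc=com; hosts under ou=Hosts; groups under ou=Groups (groupOfNames,
# "member" attribute); people under ou=People. ACI syntax is that of HP-UX
# Directory Server (Red Hat/389 Directory Server). Continuation lines carry two
# leading spaces: LDIF strips the first, so one space survives in the ACI text.

# 1. Section 6.1.3: allow writes to sshPublicKey on host entries only for
#    DomainAdmins, HostAdmins and the owners named in each host's owner
#    attribute. Placed on ou=Hosts, the ACIs cover the whole subtree.
dn: ou=Hosts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "sshPublicKey")
  (version 3.0; acl "DomainAdmins and HostAdmins may replace host ssh keys";
  allow (write)
  groupdn = "ldap:///cn=DomainAdmins,ou=Groups,dc=example,dc=com" or
  groupdn = "ldap:///cn=HostAdmins,ou=Groups,dc=example,dc=com";)
aci: (targetattr = "sshPublicKey")
  (version 3.0; acl "Host owners may replace host ssh keys";
  allow (write)
  userattr = "owner#USERDN" or
  userattr = "owner#GROUPDN";)

# 2. Name the owners of one host (assumed host cn=hpux1). A user DN and a
#    group DN are both accepted; "owner#USERDN" matches the former and
#    "owner#GROUPDN" resolves membership of the latter.
dn: cn=hpux1,ou=Hosts,dc=example,dc=com
changetype: modify
add: owner
owner: uid=keymgr,ou=People,dc=example,dc=com
owner: cn=hpux1-owners,ou=Groups,dc=example,dc=com

# 3. Section 6.1.4: a key manager account. The posixAccount attributes are what
#    let the HP-UX OS on a remote host accept this user's login; without them
#    the directory would permit the sshPublicKey write but the remote host
#    would refuse the login. No userPassword is included here; set it
#    separately so that no credential appears in this file.
dn: uid=keymgr,ou=People,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: keymgr
cn: ssh key manager
sn: manager
uidNumber: 10500
gidNumber: 10500
homeDirectory: /home/keymgr
loginShell: /usr/bin/sh

# 4. Make the key manager a HostAdmin so the first ACI grants it write access
#    to sshPublicKey on every host, not only on hosts that list it as owner.
dn: cn=HostAdmins,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: uid=keymgr,ou=People,dc=example,dc=com
```

Apply the file with ldapmodify bound as the directory administrator, then reproduce the check that ldaphostmgr performs: bind as an account that is in neither group and not an owner and attempt to replace sshPublicKey on cn=hpux1; the directory server should reject it with an insufficient-access error, which is exactly the rejection that stops ldaphostmgr from elevating privilege. Repeat as uid=keymgr and the modification should succeed. Because write access to sshPublicKey is equivalent to control of the host's ssh identity, keep DomainAdmins, HostAdmins and the owner attributes as small as root access to the hosts themselves would be.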
6.2 Setting up the key management domain
The first step in setting up an ssh key management domain is to establish the host and key data
repository. This repository must be an LDAP directory server and must meet the security
requirements defined previously and explained in additional detail in the subsections that follow.
If you have not already chosen a directory server to act as this repository, consider using the
LDAP-UX guided installation (autosetup), which can create a new directory server instance for
you and establishes a default security and management framework in that instance. For more
information about the guided installation, see Section 2.3 (page 23).
The remaining subsections describe this process, summarized as follows:
• Identify a directory server and a location in that directory server where host and key data
will be stored.
• Assign and set up an SSL certificate for the directory server, so that trust can be established
between clients and the directory server.
196 Managing ssh host keys with LDAP-UX