LDAP-UX Client Services B.05.00 Administrator's Guide

data transmitted between the client and the directory server is protected. The following three
sections describe how to establish this trust.
6.2.4 Validating directory server identity
Just as a web browser uses SSL and SSL CA certificates to verify the identity of a remote web
server, so that a user sending credit card information is talking to a legitimate organization
instead of an impostor, the LDAP directory server can use the same SSL protocol and certificates
so that clients can validate the identity of the directory server. To establish this trust, a directory
server must have a valid signed server certificate, and the client must have a copy of the public
portion of that server certificate, or a CA (Certificate Authority) certificate of the CA that signed
the server's certificate. When using the guided installation script to create a new HP-UX Directory
Server instance, LDAP-UX automatically creates a CA certificate and server certificate for that
directory server instance. The CA certificate is deposited into an SD depot file that can be
pre-installed on any HP-UX client. For more information about this depot file see Section 2.3.2.3.3
(page 35). If you have this depot file, you can install this package on your host with the following
command:
# /usr/sbin/swinstall -s hostname:/depot/name LDAPUX-DOMAIN-CA
If you have your own CA certificate (not created using the guided installation), you can install
that CA certificate in the /etc/opt/ldapux/cert8.db file as in the following example:
# more /tmp/mycacert.txt
-----BEGIN CERTIFICATE-----
(base64-encoded certificate body omitted)
-----END CERTIFICATE-----
# /opt/ldapux/contrib/bin/certutil -A -d /etc/opt/ldapux -a -n "my CA Certificate" -t "CT,," < /tmp/mycacert.txt
Attempting to use ssh key management without using SSL provides little value, because if the
directory server can be impersonated, then the validity of the sshPublicKey attribute cannot
be trusted, and thus the identity of any remote ssh hosts cannot be validated.
Configuring the directory server with a server certificate also allows it to use the Secure Sockets
Layer protocol (SSL). This protocol allows information in transit to be protected from
eavesdropping, but even more importantly, from tampering by a man-in-the-middle. Support
for SSL meets two of the previous requirements to assure integrity of the sshPublicKey. And
when LDAP-UX is configured using the guided installation, SSL is automatically configured.
(For more information about the guided installation, see Section 2.3 (page 23).)
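Before relying on sshPublicKey data, an administrator should confirm that the CA certificate imported above is actually trusted for SSL in the client's cert8.db; the following check is an added example, not a script from the guide, and it parses the output of certutil -L (the sample listing, its nicknames, and the live/sample fallback logic are constructed for illustration) to report whether a named CA carries the C trust flag in the SSL column.

```shell
#!/bin/sh
# Added example, not from the LDAP-UX guide: confirm that the client's
# /etc/opt/ldapux/cert8.db holds a CA certificate trusted for SSL, which
# is what lets the client reject an impersonated directory server.
# "certutil -L" prints one line per certificate: nickname, then trust flags
# for SSL,S/MIME,JAR/XPI. A CA must carry the C flag in the SSL column ("CT,,").
CERTUTIL=/opt/ldapux/contrib/bin/certutil
CERTDB_DIR=/etc/opt/ldapux

# Constructed sample of "certutil -L -d /etc/opt/ldapux" output so the check
# runs on a host without a certificate database; nicknames are made up.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

my CA Certificate                                            CT,,
ldapserver.example.com                                       ,,
stale CA Certificate                                         p,,
'

# ssl_trust_of LISTING NICKNAME: print the SSL trust flags of NICKNAME
# (empty if the nickname is not present in the listing).
ssl_trust_of() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF; $NF = ""; sub(/[ \t]+$/, "")
            if ($0 == nick) { split(flags, f, ","); print f[1]; exit }
        }'
}

# ca_trusted_for_ssl LISTING NICKNAME: succeed only if the CA carries the
# C flag for SSL; a "p" (prohibited) or empty trust setting fails.
ca_trusted_for_ssl() {
    case "$(ssl_trust_of "$1" "$2")" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Use the live database on an LDAP-UX client, the constructed sample elsewhere.
if [ -x "$CERTUTIL" ]; then
    LISTING=$("$CERTUTIL" -L -d "$CERTDB_DIR")
else
    LISTING=$SAMPLE_LISTING
fi
if ca_trusted_for_ssl "$LISTING" "my CA Certificate"; then
    echo "OK: CA trusted for SSL; directory server identity can be validated"
else
    echo "WARNING: no SSL-trusted CA in $CERTDB_DIR; import one with certutil -A -t \"CT,,\"" >&2
fi
```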
6.2.5 Authentication and access control
To assure its integrity, the sshPublicKey attribute must be protected from unauthorized
modification. LDAP directory servers have the inherent ability to authenticate users before
allowing access and to limit operations performed on the LDAP data with access-control policies.
As mentioned previously, any user with permission to modify the sshPublicKey attribute for
a particular host can also change the ssh key pair of that host using ldaphostmgr. This means
that permission to modify the sshPublicKey attribute must be restricted to trusted
administrators. The trust relationship between users and hosts is based on the ability to protect
the integrity of the sshPublicKey attribute in the directory server.
To allow for management of the sshPublicKey, you need to grant rights to a group of
administrators. This process is different for each directory server deployment because access
control features of directory servers are different and have not yet been standardized. For the
HP-UX Directory Server (the Red Hat Directory Server and Sun Java Directory Server are similar),
the ACI attribute must be used to define this policy. The following example shows how anyone
listed as an owner of a host, a Domain Administrator, or host administrator is allowed to modify
198 Managing ssh host keys with LDAP-UX