LDAP-UX Client Services B.05.00 Administrator's Guide
6.3.1 Configuring ssh and sshd to use LDAP-managed keys
On each HP-UX client that is to use LDAP-based ssh public keys, you must install version A.05.50
or higher of the HP Secure Shell product and LDAP-UX version B.05.00 or later. HP Secure Shell
A.05.50 or higher is enabled to use the LDAP directory server for public key validation and is
dependent on APIs provided in LDAP-UX B.05.00.
You must configure the ssh toolset to use LDAP. To do this, configure the following two new
parameters in the ssh_config file:
• UseLdapHostKey
Directs the ssh client tools (ssh, scp, sftp) to use the LDAP repository to discover a remote
host’s public key, if that key is not already found in the known_hosts file.
• UpdateKeyFromLdap
Directs the ssh client tools to update the known_hosts file if the key for the specified host
does not exist or is incorrect. The key from the LDAP directory server is assumed to be
correct, based on the previously described trust agreements between the ssh client and the
directory server. If the local user has a key that does not match the one found in the directory
server, the ssh client replaces it in the user’s personal known_hosts file. Using the
UpdateKeyFromLdap option allows the user’s known_hosts file to act as a local cache
for the information in the directory server.
NOTE: If you want the ability to revoke or remove keys for hosts (in case those keys are
compromised), do not enable the UpdateKeyFromLdap option. See Section 6.3.8 (page 206) for
additional information.
In the sshd_config file, only the UseLdapHostKey option is available. This option has the
same effect as in the ssh_config file. It is used when administrators want to configure host-based
authentication, using the HostBasedAuthentication option. In this case, sshd uses the LDAP
directory server to validate the identity of a remote host on an incoming connection. (See
Section 6.2.5 (page 198)).
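The following audit helper is an added example; it is not part of the LDAP-UX guide or of the HP Secure Shell product. It reads ssh_config or sshd_config text and reports how the two options above are set, flagging the two cases this section warns about: UpdateKeyFromLdap enabled on a client where host keys must stay revocable, and UpdateKeyFromLdap appearing in sshd_config, where only UseLdapHostKey is available. It assumes (the page does not say) that the options take yes/no values in "Keyword value" form and are matched case-insensitively like other ssh_config keywords; the sample configuration texts are constructed for the example.

```shell
#!/bin/sh
# Added audit helper; not part of the LDAP-UX guide or of HP Secure Shell.
# Reads ssh_config or sshd_config text and reports how the two LDAP
# host-key options described in this section are set.
# Assumptions not stated on the page: the options take yes/no values, are
# written in "Keyword value" form, and are matched case-insensitively.

# ldap_opt CONFIG_TEXT OPTION
# Prints the value (lowercased) of the first uncommented OPTION line, or
# "unset" when the option never appears.
ldap_opt() {
    printf '%s\n' "$1" | awk -v opt="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
        tolower($1) == opt { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }'
}

# audit_ssh_ldap CONFIG_TEXT client|server
# Prints one line per finding. Returns 0 when the settings are valid for that
# file and leave host keys revocable, 1 when something needs attention.
audit_ssh_ldap() {
    cfg=$1 kind=$2 rc=0
    use=$(ldap_opt "$cfg" UseLdapHostKey)
    upd=$(ldap_opt "$cfg" UpdateKeyFromLdap)

    case $use in
        yes) echo "OK:   UseLdapHostKey=yes ($kind): directory consulted for host public keys" ;;
        *)   echo "INFO: UseLdapHostKey=$use ($kind): LDAP host-key lookup not enabled" ;;
    esac

    case "$kind:$upd" in
        client:yes)
            # The guide's note: leave UpdateKeyFromLdap off if you need the
            # ability to revoke or remove keys for hosts.
            echo "WARN: UpdateKeyFromLdap=yes: host keys cannot be revoked or removed"
            rc=1 ;;
        server:unset) ;;
        server:*)
            echo "WARN: UpdateKeyFromLdap=$upd: only UseLdapHostKey is available in sshd_config"
            rc=1 ;;
    esac
    return $rc
}

# Constructed sample configuration texts (not taken from any real system).
SAMPLE_CLIENT_CACHE='# ssh_config: known_hosts acts as a cache of the directory
Host *
    UseLdapHostKey yes
    UpdateKeyFromLdap yes
    StrictHostKeyChecking ask'

SAMPLE_CLIENT_REVOCABLE='# ssh_config: directory keys stay revocable
Host *
    UseLdapHostKey yes
    # UpdateKeyFromLdap yes   (left disabled so host keys can be revoked)'

SAMPLE_SERVER='# sshd_config: host-based authentication validated via LDAP
HostBasedAuthentication yes
UseLdapHostKey yes'

echo "== client config that uses known_hosts as a cache"
audit_ssh_ldap "$SAMPLE_CLIENT_CACHE" client || echo "-> needs attention"
echo "== client config that keeps host keys revocable"
audit_ssh_ldap "$SAMPLE_CLIENT_REVOCABLE" client || echo "-> needs attention"
echo "== sshd_config for host-based authentication"
audit_ssh_ldap "$SAMPLE_SERVER" server || echo "-> needs attention"
```

On a real client, pass the live file instead of a sample, for example `audit_ssh_ldap "$(cat /opt/ssh/etc/ssh_config)" client` (the path is an assumption; use the location of your HP Secure Shell installation).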
With LDAP-UX B.05.00 or later, it is possible to centrally manage ssh and sshd configuration
parameters using the LDAP-UX central configuration service; for more information, see Section 6.5
(page 207).
After completing this step, you have completed the setup process and can now begin to manage
keys for hosts using the steps described in the following subsections.
6.3.2 Adding keys for HP-UX hosts
Use the -k option of the ldaphostmgr command to add or manage public keys for hosts.
There are several ways to add or change ssh public keys in the directory server using this option.
This section and the sections that follow describe these various methods.
If you use the guided installation when configuring LDAP-UX on a host, during the configuration
process the current host and its RSA public key are automatically added to the directory server.
You can display the entry for the current host using the following commands:
chef(): ldaphostlist -k -n "$(hostname)"
dn: cn=chef,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: chef
cn: chef.mydomain.example.com
ipHostNumber: 16.92.96.225
sshPublicKey: ssh-rsa AAAAB...== BEGIN-KM creationtime=20100413173637Z END-KM
Notice in the above command sequence that keys managed by ldaphostmgr have an extended
field within the comment structure of the public key data. This extended field can be used to
determine key age and keep track of expiration information if desired. See Section 6.4.2 (page 207)
for additional information.
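The creationtime stamp in the BEGIN-KM ... END-KM comment is what makes key-age checks possible. The script below is an added example, not part of the LDAP-UX guide or of the ldaphostmgr tooling: it parses output in the shape shown above, extracts each host's creationtime, and lists keys older than a chosen number of days, as well as keys that carry no stamp at all. It assumes (the page does not say) that the stamp is always of the form YYYYMMDDhhmmssZ; the LDIF text, the second and third hosts, the "as of" timestamp and the age limit are constructed for the example, and the key bodies are placeholders.

```shell
#!/bin/sh
# Added example; not from the LDAP-UX guide or the ldaphostmgr tooling.
# Reports ssh host keys in `ldaphostlist -k` style output whose
# BEGIN-KM creationtime stamp is older than a limit, or which carry no stamp.
# Assumption not stated on the page: the stamp is always YYYYMMDDhhmmssZ.

# key_age_days STAMP AS_OF
# Prints the whole number of days from STAMP to AS_OF (both YYYYMMDDhhmmssZ).
# Only the date part is used, so POSIX awk suffices (no date -d needed).
key_age_days() {
    awk -v a="$1" -v b="$2" '
        # days since 1970-01-01 for a civil date (days_from_civil algorithm)
        function days(y, m, d,   era, yoe, doy, doe) {
            if (m <= 2) y--
            era = int((y >= 0 ? y : y - 399) / 400)
            yoe = y - era * 400
            doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
            doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
            return era * 146097 + doe - 719468
        }
        function stamp_days(s) {
            return days(substr(s, 1, 4) + 0, substr(s, 5, 2) + 0, substr(s, 7, 2) + 0)
        }
        BEGIN { print stamp_days(b) - stamp_days(a) }'
}

# stale_keys LDIF_TEXT AS_OF MAX_DAYS
# Prints one line per key older than MAX_DAYS or lacking a creationtime.
# Returns 0 when every key is within the limit, 1 otherwise.
stale_keys() {
    ldif=$1 as_of=$2 max=$3 found=0
    while read -r host stamp; do
        [ -n "$host" ] || continue
        if [ "$stamp" = none ]; then
            echo "$host: sshPublicKey has no creationtime field (not stamped by ldaphostmgr)"
            found=1
            continue
        fi
        age=$(key_age_days "$stamp" "$as_of")
        if [ "$age" -gt "$max" ]; then
            echo "$host: key created $stamp is $age days old (limit $max)"
            found=1
        fi
    done <<EOF
$(printf '%s\n' "$ldif" | awk '
        /^dn:/ { host = "" }                       # new entry: forget previous cn
        /^cn: / && host == "" { host = $2 }        # first cn value names the host
        /^sshPublicKey:/ {
            # pull the stamp out of the BEGIN-KM ... END-KM comment, if present
            if (match($0, /creationtime=[0-9]+Z/))
                print host, substr($0, RSTART + 13, RLENGTH - 13)
            else
                print host, "none"
        }')
EOF
    return $found
}

# Constructed sample in the shape of `ldaphostlist -k` output. The first entry
# mirrors the guide's example; the other two hosts are invented, and every
# key body is a placeholder rather than a real key.
SAMPLE_LDIF='dn: cn=chef,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: chef
cn: chef.mydomain.example.com
ipHostNumber: 16.92.96.225
sshPublicKey: ssh-rsa AAAAB...== BEGIN-KM creationtime=20100413173637Z END-KM

dn: cn=sous,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: sous
ipHostNumber: 192.0.2.10
sshPublicKey: ssh-rsa AAAAB...== BEGIN-KM creationtime=20110301120000Z END-KM

dn: cn=pantry,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: pantry
ipHostNumber: 192.0.2.11
sshPublicKey: ssh-rsa AAAAB...=='

# Fixed "as of" time so the demo is reproducible; a live check would use
# $(date -u +%Y%m%d%H%M%SZ) instead.
AS_OF=20110413000000Z
echo "== keys older than 180 days as of $AS_OF"
stale_keys "$SAMPLE_LDIF" "$AS_OF" 180 || echo "-> rotation or review needed"
```

Against the sample, chef's key (365 days old) and pantry's unstamped key are reported, while sous's key (43 days old) passes. For a live check, feed the command output directly, for example `stale_keys "$(ldaphostlist -k)" "$(date -u +%Y%m%d%H%M%SZ)" 180`, where the ldaphostlist invocation without -n is assumed to list all hosts.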
6.3 Managing keys in the directory server 201