LDAP-UX Client Services B.05.00 Administrator's Guide

fingerprint: b4:2f:45:c2:b0:17:a2:7b:a0:a7:88:61:a9:36:f2:4c. The SSH
key for the remote host is unknown and is not trusted.
If you remotely log in to the host, and can positively identify the host, you can add the host using
ldaphostmgr as originally demonstrated. Or, if you have the ssh public key of the remote host
in a local known_hosts file, the above message will not be displayed. If you can positively
identify the fingerprint of the remote host, you can answer yes (y) to the WARNING message.
Key fingerprints for the local host can be displayed using the ssh-keygen command:
baker (): ssh-keygen -l -f /opt/ssh/etc/ssh_host_rsa_key.pub
2048 b4:2f:45:c2:b0:17:a2:7b:a0:a7:88:61:a9:36:f2:4c /opt/ssh/etc/ssh_host_rsa_key.pub (RSA)
6.3.3 Adding keys for non-HP-UX hosts or devices
Not all hosts and devices that support the ssh protocol in your network will be HP-UX systems.
You can use LDAP-UX and the LDAP directory server to manage keys for those hosts, but to
assure key integrity, an out-of-band process is required to verify the public key of those devices.
There are two methods to do this. In the first method, the public key for a remote device can be
provided directly to ldaphostmgr in a file:
chef (): ldaphostmgr -a -k /tmp/router1_ssh_host_rsa_key.pub router1.mydomain.example.com
bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]:
Password:
chef (): ldaphostlist -k -n router1.mydomain.example.com
dn: cn=router1,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: router1.mydomain.example.com
ipHostNumber: 192.0.32.1
sshPublicKey: ssh-rsa AAAAB...== BEGIN-KM creationtime=20100427000132Z END-KM
The file provided to ldaphostmgr must contain the ssh public key for the remote host/device,
and be in the ssh standard public key file format, as found in the
/opt/etc/ssh/ssh_host_rsa_key.pub file. This format contains the following three fields
separated by spaces: key-type, base64-key, and comments.
The second method is to let ldaphostmgr automatically discover the public key for the remote
host/device. In this case, the -k option is used with the ^ flag:
chef (): ldaphostmgr -a -k ^rsa router2.mydomain.example.com
bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]:
Password:
WARNING: The identity of the host "router2.mydomain.example.com" could not be verified.
SSH key fingerprint: 74:ed:80:36:f9:3f:30:29:11:43:31:ea:27:3f:3b:13.
The SSH key for the remote host is unknown. This host's key is currently not
managed in the directory server and should be positively identified before
adding this key to the directory server. Once added, this key will be
trusted by all other LDAP-enabled ssh clients. Using ldaphostmgr on the
remote host, instead of adding this key remotely, will avoid generating
this warning message. Do you wish to trust this key (y/n)?: y
chef (): ldaphostlist -k -n router2.mydomain.example.com
dn: cn=router2.mydomain.example.com,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: router2.mydomain.example.com
ipHostNumber: 192.0.32.2
sshPublicKey: ssh-rsa AAAAB...UlQ== BEGIN-KM creationtime=20100427000942Z END-KM
However, with this method, and as indicated by the WARNING prompt, ldaphostmgr has no
means to verify the validity of the remote host’s or device’s public key. An out-of-band method
must be used to verify the key fingerprint before accepting the key for the specified device, unless
other means are available to assure the trust between the local host and the remote host or device.
6.3.4 Adding keys in a batch
You might already be managing and distributing an ssh known_hosts file, such as the one
found at /opt/ssh/etc/ssh_known_hosts. This file contains four fields: host-name,
key-type, base64-key, and comments. However, the host-name field may be empty. If your
ssh_known_hosts file does not have host names, then use the following shell script to add all
the keys from the ssh_known_hosts file to the directory server automatically.
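The fingerprint comparison described in 6.3.3, the three-field public key file format accepted by ldaphostmgr -k, and the four-field ssh_known_hosts format described in 6.3.4 are all easy to get wrong by hand. The following Python script is an added example and is not part of LDAP-UX or its documentation: it parses both file formats, rejects an entry whose key-type field disagrees with the type string embedded in the key blob, tolerates a known_hosts entry with an empty host-name field, and computes the colon-separated MD5 fingerprint that ssh-keygen -l prints in the sessions above, so every key can be checked against the fingerprint obtained out-of-band before it is added to the directory server. The sample key and the known_hosts lines are constructed (the RSA modulus is a tiny placeholder, not a usable key), and treating a line whose first field is itself a key type as an entry with an empty host-name is an assumption of this example, not behaviour documented by the guide.

```python
"""Parse ssh public-key and ssh_known_hosts entries and compute MD5 fingerprints
for out-of-band verification before keys are handed to ldaphostmgr.
Added example; not part of LDAP-UX."""
import base64
import hashlib
import re
import struct

# ssh-keygen -l fingerprint form used in the guide: 16 hex byte pairs joined by ':'
FINGERPRINT_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$")


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian magnitude, leading 0x00 when the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """Wire encoding of an ssh-rsa public key (RFC 4253): "ssh-rsa", e, n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """MD5 over the decoded key blob, rendered like 'b4:2f:45:...' in the guide."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def _decode_key(key_type: str, b64: str) -> bytes:
    """Decode base64-key and check it really carries a key of the declared type."""
    blob = base64.b64decode(b64, validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + tlen]
    if embedded != key_type.encode("ascii"):
        raise ValueError(f"key-type {key_type!r} does not match blob type {embedded!r}")
    return blob


def parse_pubkey_line(line: str) -> dict:
    """Standard public key file format: key-type base64-key [comments]."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected at least key-type and base64-key")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    return {"host": None, "key_type": key_type,
            "blob": _decode_key(key_type, b64), "comment": comment}


def parse_known_hosts_line(line: str) -> dict:
    """ssh_known_hosts format: host-name key-type base64-key [comments].
    Assumption: if the first field is itself a key type, the host-name is empty."""
    fields = line.strip().split(None, 3)
    if fields and fields[0].startswith(("ssh-", "ecdsa-")):
        return parse_pubkey_line(line)
    if len(fields) < 3:
        raise ValueError("expected host-name, key-type and base64-key")
    host, key_type, b64 = fields[0], fields[1], fields[2]
    comment = fields[3] if len(fields) == 4 else ""
    return {"host": host, "key_type": key_type,
            "blob": _decode_key(key_type, b64), "comment": comment}


def to_pubkey_file_line(entry: dict) -> str:
    """Render an entry in the three-field form that ldaphostmgr -k <file> accepts."""
    b64 = base64.b64encode(entry["blob"]).decode("ascii")
    return " ".join(x for x in (entry["key_type"], b64, entry["comment"]) if x)


def fingerprints_from_known_hosts(lines) -> list:
    """(host-name or None, fingerprint) for every key entry; comments/blank lines skipped."""
    out = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        entry = parse_known_hosts_line(line)
        out.append((entry["host"], md5_fingerprint(entry["blob"])))
    return out


# Constructed sample data: a placeholder "RSA" key and two known_hosts entries.
SAMPLE_BLOB = build_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_KNOWN_HOSTS = [
    f"router1.mydomain.example.com ssh-rsa {SAMPLE_B64} router1 host key",
    f"ssh-rsa {SAMPLE_B64} entry with empty host-name field",
    "# comment line, skipped",
]

if __name__ == "__main__":
    for host, fp in fingerprints_from_known_hosts(SAMPLE_KNOWN_HOSTS):
        print(f"{host or '<no host-name>'}: {fp}")
```

Writing the output of to_pubkey_file_line() to a file and passing that file with ldaphostmgr -a -k <file> <host> follows the first method above; the fingerprint printed here is what you compare against the value reported by the device's owner before answering the WARNING prompt. OpenSSH releases that default to SHA256 fingerprints print this MD5 form with ssh-keygen -l -E md5 -f <file>.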
6.3 Managing keys in the directory server 203