LDAP-UX Client Services B.05.00 Administrator's Guide
NOTE: Because this script runs in batch mode, you need to specify the LDAP host administrator’s
credentials in the LDAP_BINDDN and LDAP_BINDCRED environment variables before running
the script (or, alternatively, use the -E option to specify those values in a file.)
KNOWN_HOSTS_FILE="ssh_known_hosts"
### grep out comments and blank lines
grep -v -e "^[[:space:]]*$" -e "^[[:space:]]*#" \
    "$KNOWN_HOSTS_FILE" > /tmp/myknownhosts$$
exec 4< /tmp/myknownhosts$$
while read pubkey <&4
do
    ### first field is the host name; the rest is the key type, key data and comment
    hostname="$(echo "$pubkey" | cut -d" " -f 1)"
    keydata="$(echo "$pubkey" | cut -d" " -f 2-)"
    ### if ldaphostlist already returns an entry for the host, modify (-m) it; otherwise add (-a) it
    if ( /opt/ldapux/bin/ldaphostlist -n "$hostname" | grep -qi "^dn: " )
    then
        hostop="-m"
    else
        hostop="-a"
    fi
    ### ldaphostmgr reads the public key from a file
    echo "$keydata" > /tmp/keyfile$$
    /opt/ldapux/bin/ldaphostmgr $hostop -X -f -k /tmp/keyfile$$ "$hostname"
done
### close the descriptor and clean up the temporary files
exec 4<&-
rm -f /tmp/keyfile$$
rm -f /tmp/myknownhosts$$
6.3.5 Changing keys for HP-UX hosts
If you believe the private key for a host has been compromised, you can change the keys of that
host with ldaphostmgr. From that host, run the ldaphostmgr command with the -k option.
If the user has privilege to modify the sshPublicKey attribute, ldaphostmgr elevates that
privilege so that a non-root user can modify the host's public and private key files
(/opt/ssh/etc/ssh_host_rsa_key and /opt/ssh/etc/ssh_host_rsa_key.pub). ldaphostmgr
also updates the directory server with the new public keys for this host:
baker (): ldaphostmgr -k all baker
bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]:
Password:
The public key(s) already exists in LDAP server, do you want
to replace it [y/n]? y
In this example, the all key type was specified to change all the active key types for the host.
This changes all three key types (RSA, RSA1, and DSA) on the host and updates those key types
on the directory server. If you only want to change one key type, or manage just one key type in
the directory server, specify just that type (rsa1, rsa, or dsa) instead of all.
If the root user has already updated the keys for the remote host, you can use the same process
as described above.
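After a host has been rekeyed as described above, client copies of ssh_known_hosts that were generated earlier still hold the old key until they are regenerated. The following script is an added example, not part of the LDAP-UX guide: it parses a known_hosts file the same way the sync script does and reports whether a host's cached entry matches that host's current public key file (the hostnames, file names and key blobs are constructed for illustration).

```shell
#!/bin/sh
# Added example (not from the LDAP-UX guide): after a host is rekeyed with
# ldaphostmgr -k or ssh-keygen, an ssh_known_hosts copy still holding the old
# key is stale. These functions parse known_hosts the way the guide's sync
# script does (skipping blank/comment lines) and compare a host's cached entry
# with its current .pub file. Hashed (|1|...) and @-marker lines are ignored.
# Print "type data" of the entry for host $2 in known_hosts file $1; the host
# field may be an alias list such as "baker,baker.example.com,10.0.0.5".
known_hosts_key() {
    grep -v -e "^[[:space:]]*$" -e "^[[:space:]]*#" "$1" |
    while read -r hosts type data comment; do
        case ",$hosts," in
            *",$2,"*) printf '%s %s\n' "$type" "$data"; break ;;
        esac
    done
}

# Print "type data" from a public key file; the trailing comment is dropped.
pubfile_key() {
    read -r type data comment < "$1"
    printf '%s %s\n' "$type" "$data"
}
# Return 0 if the cached entry matches the .pub file, 1 if stale, 2 if absent.
known_hosts_key_matches() {
    cached="$(known_hosts_key "$1" "$2")"
    [ -n "$cached" ] || return 2
    [ "$cached" = "$(pubfile_key "$3")" ]
}
# Stand-alone run on constructed data (hostnames and key blobs are made up).
demo() {
    tmp="${TMPDIR:-/tmp}/kh_demo.$$"
    mkdir -p "$tmp"
    cat > "$tmp/ssh_known_hosts" <<'EOF'
# constructed cache; baker was rekeyed after this file was generated
baker,baker.mydomain.example.com ssh-rsa AAAAB3NzaC1yc2EAAAAoldkey baker-old

chef ssh-rsa AAAAB3NzaC1yc2EAAAAcurrentkey chef
EOF
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAAnewkey root@baker\n' > "$tmp/baker.pub"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAAcurrentkey root@chef\n' > "$tmp/chef.pub"
    r=""
    for h in baker chef cook; do
        case $h in baker) pub="$tmp/baker.pub" ;; *) pub="$tmp/chef.pub" ;; esac
        if known_hosts_key_matches "$tmp/ssh_known_hosts" "$h" "$pub"
        then r="$r 0"; else r="$r $?"; fi
    done
    rm -rf "$tmp"
    echo "${r# }"   # "1 0 2": baker stale, chef current, cook has no entry
}
```

A host reported as stale is a candidate for regenerating the ssh_known_hosts file and re-running the sync script so the directory and client caches carry the new key.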
6.3.6 Changing key size
To change the key size used on a host, you must first use ssh-keygen to generate a new key, and
then use ldaphostmgr to upload that key to the directory server. The following example shows
how to change the bit size of the RSA key. In the example, we are logged in as root on the host
chef:
# /opt/ssh/bin/ssh-keygen -b 4096 -t rsa -f /opt/ssh/etc/ssh_host_rsa_key
Generating public/private rsa key pair.
Please be patient.... Key generation may take a few minutes
/opt/ssh/etc/ssh_host_rsa_key already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /opt/ssh/etc/ssh_host_rsa_key.
204 Managing ssh host keys with LDAP-UX