LDAP-UX Client Services B.05.00 Administrator's Guide

Your public key has been saved in /opt/ssh/etc/ssh_host_rsa_key.pub.
The key fingerprint is:
ab:92:ec:71:8e:24:b9:5e:b9:1e:26:60:50:84:b9:bb root@chef
The key's randomart image is:
+--[ RSA 4096]----+
| +o |
|o. |
|.. |
|o |
|.o S |
|o. . . . |
| .+.B.. . |
|E B+B . |
| .oo=.o |
+-----------------+
# ldaphostmgr -k /opt/ssh/etc/ssh_host_rsa_key.pub chef
bind-dn: uid=domadmin,ou=people,dc=mydomain,dc=example,dc=com
Password:
The public key(s) already exists in LDAP server, do you want
to replace it [y/n]? y
Note that because root is required to run ssh-keygen and change the RSA key pair for the host,
you might not be prompted with your default LDAP login (shown as domadmin in the previous
examples): root typically does not have an identity managed in the LDAP directory server.
6.3.7 Changing keys for non-HP-UX hosts
ldaphostmgr cannot directly modify the key files for non-HP-UX hosts because it is not installed
on those hosts, so you must use a process similar to the one described in Section 6.3.3
(page 203), except that you must first delete the existing key before adding the new one. If you
do not, the following error occurs:
baker (): ldaphostmgr -k ^rsa router1.mydomain.example.com
bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]:
Password:
ERROR: HST_UNTRUSTED_REMOTE_HOST:
DANGER: The identity of the host router1.mydomain.example.com appears to be
invalid. The key discovered for the remote host does not match that
already managed in the directory server. This can occur if an
attacker has set up a host to impersonate the true host. Or the key
for the remote host may have been legitimately changed. Or both
events may have occurred. ldaphostmgr will not directly replace this
key in the directory server. Using ldaphostmgr on the remote host,
instead of adding this key remotely, will avoid generating this
warning message. Or use ldaphostmgr to first delete the key in the
directory server for this host before attempting to replace it.
However, do not replace this key in the directory server without
using additional validation to verify the key for the remote host is
valid. Once this key is replaced in the directory server, it will be
trusted by all other LDAP-enabled ssh clients.
Host fingerprint: 24:de:77:0e:c2:7a:af:0c:9d:15:ca:a8:8f:bb:65:d7
LDAP fingerprint: 2e:fd:98:46:31:c7:fa:d9:a8:fd:61:02:bc:6b:2c:bb
You can delete and then add the key using the following process:
baker (): ldaphostmgr -k !rsa router1.mydomain.example.com
bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]:
Password:
baker (): ldaphostmgr -k ^rsa router1.mydomain.example.com
bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]:
Password:
WARNING: The identity of the host "router1.mydomain.example.com" could not be verified.
SSH key fingerprint: 24:de:77:0e:c2:7a:af:0c:9d:15:ca:a8:8f:bb:65:d7.
The SSH key for the remote host is unknown. This host's key is currently not
managed in the directory server and should be positively identified before
adding this key to the directory server. Once added, this key will be
trusted by all other LDAP-enabled ssh clients. Using ldaphostmgr on the
remote host, instead of adding this key remotely, will avoid generating
this warning message. Do you wish to trust this key (y/n)?: y
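The error message above asks for additional validation before a key in the directory server is replaced, because every LDAP-enabled ssh client will trust whatever is stored there. The following added example (not part of LDAP-UX or ldaphostmgr) shows that check as a script: it parses the OpenSSH public-key line retrieved from the non-HP-UX host, computes the colon-separated MD5 fingerprint in the form ldaphostmgr prints, compares it with a fingerprint obtained out of band (for example read from the device console), and only then returns the delete-then-add ldaphostmgr command sequence. The sample key line is constructed and not a real key; the function names are hypothetical.

```python
import base64
import hashlib
import struct

# Constructed sample: a syntactically valid OpenSSH public-key line for a fake
# RSA key (e=65537, n=7). It is not a real key; it only exercises the parser.
SAMPLE_PUBKEY_LINE = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAQc= router1 (constructed)"


def parse_ssh_pubkey(line):
    """Return (key_type, blob) from an OpenSSH public-key line, checking that
    the type string inside the wire-format blob matches the text prefix."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public-key line")
    blob = base64.b64decode(fields[1], validate=True)
    (length,) = struct.unpack(">I", blob[:4])        # first field: key type
    inner_type = blob[4:4 + length].decode("ascii")
    if inner_type != fields[0]:
        raise ValueError("key type mismatch: %s vs %s" % (fields[0], inner_type))
    return inner_type, blob


def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint of the key blob (ldaphostmgr's format)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def replacement_plan(host, key_type, pubkey_line, oob_fingerprint):
    """Return the ldaphostmgr delete/add commands for HOST only if the key
    retrieved from the host matches the fingerprint obtained out of band.
    Raises ValueError otherwise, so no replacement is attempted."""
    ktype, blob = parse_ssh_pubkey(pubkey_line)
    if ktype != "ssh-" + key_type:
        raise ValueError("expected a %s key, got %s" % (key_type, ktype))
    actual = md5_fingerprint(blob)
    if actual.lower() != oob_fingerprint.lower():
        raise ValueError("fingerprint mismatch: host %s, out-of-band %s"
                         % (actual, oob_fingerprint))
    return [
        ["ldaphostmgr", "-k", "!" + key_type, host],   # delete the old LDAP key
        ["ldaphostmgr", "-k", "^" + key_type, host],   # add the verified key
    ]


if __name__ == "__main__":
    _, sample_blob = parse_ssh_pubkey(SAMPLE_PUBKEY_LINE)
    fp = md5_fingerprint(sample_blob)
    for cmd in replacement_plan("router1.mydomain.example.com", "rsa",
                                SAMPLE_PUBKEY_LINE, fp):
        print(" ".join(cmd))
```

Run the returned commands only after the plan is produced; a ValueError means the key from the host did not match what the owner reported and the directory entry should be left untouched.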
6.3 Managing keys in the directory server 205