LDAP-UX Client Services B.05.00 Administrator's Guide
In this example, you must verify the fingerprint for the key before adding it to the directory
server.
An alternative way to change a remote key is to securely obtain the public key file for the remote
host and upload it using the file option as shown in the first example of Section 6.3.2 (page 201),
but without specifying the -a option.
6.3.8 Revoking or removing keys
If a key has been compromised, and you want to revoke it and reissue a new key, use the
previously described process for changing keys. If, on the other hand, you no longer want to
manage keys for a host, you can simply remove the sshPublicKey attribute from the host’s
entry using the -k option with the ! flag, as in the following example:
baker (): ldaphostmgr -k !all router1.mydomain.example.com
bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]:
Password:
baker (): ldaphostlist -n router1.mydomain.example.com sshPublicKey
dn: cn=router1.mydomain.example.com,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: router1.mydomain.example.com
ipHostNumber: 192.0.32.1
The ldaphostlist command shows that the sshPublicKey has been removed from the router1
entry.
If you only wish to remove a specific key type, replace all in the !all argument with that key type
(rsa, rsa1, or dsa).
NOTE: If you are using the UpdateKeyFromLdap option in the ssh_config file, use of the
! flag does not remove cached instances of those keys. If a client has a cached version of a
compromised key, it is possible for that client to connect to an impostor host that is using the
compromised host key. If you want to remove keys or revoke keys for hosts, you must not enable
the UpdateKeysFromLdap option because when it is enabled, the ssh client tools will update
cached versions of changed keys, but only when a connection is made to the true host.
6.4 Managing key age
LDAP-UX B.05.00 provides the ability to track ssh key age and set advisory expiration dates for
ssh host keys. By default, ldaphostmgr adds key age information to the comment fields within
the ssh public key data when new keys are added or changed in the directory server.
ldaphostmgr can also use this same field to set advisory key expiration dates when new keys
are created or existing keys are changed.
Key age expiration information appears within the comment fields and between the BEGIN-KM
and END-KM tokens. For example:
brewer(): ldaphostlist -k -n "$(hostname)"
dn: cn=brewer,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: brewer
cn: brewer.mydomain.example.com
ipHostNumber: 16.92.96.225
sshPublicKey: ssh-rsa AAAA...== BEGIN-KM creationtime=20100423234903Z END-KM
ldaphostmgr and ldaphostlist can be used to keep track of key age and expiration
information, which is described in the following sections.
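The following is an added example, not HP code from this guide: a small Python script that parses the LDIF-style output of ldaphostlist as shown above, confirms that a host entry no longer carries an sshPublicKey of a given type after a -k !all or -k !<type> removal (Section 6.3.8), and reads the creationtime marker between the BEGIN-KM and END-KM tokens to report key age (Section 6.4). It assumes ldaphostlist prints simple, unfolded, non-base64 LDIF separated by blank lines; since this page names only the creationtime field, the script applies a caller-supplied maximum age rather than an expiry field. The host entries and key blob in SAMPLE_LDIF are constructed sample data.

```python
"""Added example (not HP code): parse ldaphostlist output, confirm key removal,
and report ssh host key age from the BEGIN-KM/END-KM comment fields."""
import re
from datetime import datetime, timezone

# Constructed sample in the layout ldaphostlist prints on this page: router1 after
# "ldaphostmgr -k !all" (no sshPublicKey left) and brewer with a key carrying the
# creationtime marker. The key blob is a dummy value, not a real key.
SAMPLE_LDIF = """\
dn: cn=router1.mydomain.example.com,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: router1.mydomain.example.com
ipHostNumber: 192.0.32.1

dn: cn=brewer,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: brewer
cn: brewer.mydomain.example.com
ipHostNumber: 16.92.96.225
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDdummyKeyBlob== BEGIN-KM creationtime=20100423234903Z END-KM
"""

# Key-management fields sit between the BEGIN-KM and END-KM tokens of the comment.
KM_RE = re.compile(r"BEGIN-KM\s+(.*?)\s+END-KM")


def parse_ldif(text):
    """Return {dn: {attribute: [values]}}. Assumes unfolded, non-base64 LDIF
    with entries separated by blank lines (assumption about ldaphostlist output)."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, sep, value = line.partition(": ")
        if not sep:
            continue                      # not an "attr: value" line; ignore
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def key_type(value):
    """Map an sshPublicKey value to the type names ldaphostmgr uses (rsa, rsa1, dsa)."""
    first = value.split(None, 1)[0]
    if first.isdigit():
        return "rsa1"                     # protocol-1 keys start with the bit count
    return {"ssh-rsa": "rsa", "ssh-dss": "dsa"}.get(first, first)


def km_fields(value):
    """Extract the fields between BEGIN-KM and END-KM as a dict, e.g. {'creationtime': ...}."""
    m = KM_RE.search(value)
    if not m:
        return {}
    fields = {}
    for item in m.group(1).split():
        name, _, val = item.partition("=")
        fields[name] = val
    return fields


def parse_gentime(s):
    """LDAP GeneralizedTime as printed on the page (20100423234903Z) -> UTC datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def key_age_days(value, now=None):
    """Age in days from the creationtime marker; None if the marker is absent.
    'now' may be a datetime or a GeneralizedTime string; default is the current time."""
    created = km_fields(value).get("creationtime")
    if created is None:
        return None
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_gentime(now)
    return (now - parse_gentime(created)).total_seconds() / 86400


def stale_keys(ldif_text, max_age_days, now=None):
    """List (dn, key type, age) for keys older than max_age_days or lacking a
    creationtime marker (age None), so both cases surface for review."""
    found = []
    for dn, attrs in parse_ldif(ldif_text).items():
        for value in attrs.get("sshPublicKey", []):
            age = key_age_days(value, now)
            if age is None or age > max_age_days:
                found.append((dn, key_type(value), age))
    return found


def has_key(ldif_text, host, ktype="all"):
    """True if the entry whose cn matches host still holds a key of the given type;
    run over ldaphostlist output after 'ldaphostmgr -k !<type>' to confirm removal."""
    for attrs in parse_ldif(ldif_text).values():
        if host not in attrs.get("cn", []):
            continue
        for value in attrs.get("sshPublicKey", []):
            if ktype == "all" or key_type(value) == ktype:
                return True
    return False


if __name__ == "__main__":
    print("router1 still has a key:", has_key(SAMPLE_LDIF, "router1.mydomain.example.com"))
    for dn, ktype, age in stale_keys(SAMPLE_LDIF, 365):
        print(f"{dn}: {ktype} key age {age:.0f} days")
```

In practice the script would read real output via `ldaphostlist -k` piped to standard input; keys that carry no creationtime marker are reported alongside over-age keys because their age cannot be established from the directory.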
206 Managing ssh host keys with LDAP-UX