LDAP-UX Client Services B.05.00 Administrator's Guide

NOTE: Key expiration data is merely advisory. It is provided to allow the ldaphostlist tool
to display hosts with keys that are considered expired. HP Secure Shell tools do not reject or take
other actions when a key’s state is considered expired.
6.4.1 Setting advisory key expiration dates
To set key expiration information, use the -e option on ldaphostmgr, and specify the number
of days (from the current date) after which the key is considered expired. The following example
shows how to set a key that should be considered expired in 2 years. If the key already exists in
the directory server, you are prompted to replace it with a new key, if you so choose.
chef (): ldaphostmgr -k rsa -e 730 chef
bind-dn [uid=domadmin,ou=People,dc=cup,dc=hp,dc=com]:
Password:
The public key(s) already exists in LDAP server, do you want
to replace it [y/n]? y
To display the key expiration date, use ldaphostlist with the -k option:
chef (): ldaphostlist -k -n chef
dn: cn=chef,ou=Hosts,dc=cup,dc=hp,dc=com
cn: chef
cn: chef.cup.hp.com
ipHostNumber: 16.92.96.225
sshPublicKey: ssh-rsa AAAAB... BEGIN-KM ... expirationtime=20120426204647Z END-KM
6.4.2 Key auditing
To display hosts with expired keys or keys that are older than a specified age, use the -k option
of ldaphostlist. To display keys that are older than a specific age, use the -k option followed
by the number of days preceded by a dash. For example, to show keys that were created over 1
year ago, use the following command:
baker (): ldaphostlist -k -365
dn: cn=chef,ou=Hosts,dc=cup,dc=hp,dc=com
cn: chef
cn: chef.cup.hp.com
ipHostNumber: 16.92.96.225
sshPublicKey: ssh-rsa AAAAB3... BEGIN-KM creationtime=20090426204647Z ... END-KM
If you are setting expiration information in keys, you can also use the -k option of ldaphostlist
to display hosts with keys that have expired or will expire within a specified number of days.
In this case, specify the -k age option without the preceding dash. For example, to display keys
that have already expired or will expire within the next 20 days, use the following:
baker (): ldaphostlist -k 20
dn: cn=chef,ou=Hosts,dc=cup,dc=hp,dc=com
cn: chef
cn: chef.cup.hp.com
ipHostNumber: 16.92.96.225
sshPublicKey: ssh-rsa AAAAB3... BEGIN-KM ... expirationtime=20100515195500Z END-KM
NOTE: The above examples assume the commands were run on May 27th, 2010, at midnight UTC,
which is represented as 20100427000000Z.
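As an added worked example (not part of this guide or of HP's tools), the following Python reproduces the two ldaphostlist -k checks described above over constructed sample entries, pinning "now" to the 20100427000000Z reference time from the note; the host names, DNs and key blobs are assumptions, and keys that carry no BEGIN-KM metadata are reported separately because neither check can judge them.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape ldaphostlist -k prints; hosts, DNs, key
# blobs and timestamps are made up for this example.
SAMPLE_LDIF = """\
dn: cn=chef,ou=Hosts,dc=example,dc=com
sshPublicKey: ssh-rsa AAAAB3EXAMPLE1 BEGIN-KM creationtime=20090426204647Z expirationtime=20120426204647Z END-KM

dn: cn=baker,ou=Hosts,dc=example,dc=com
sshPublicKey: ssh-rsa AAAAB3EXAMPLE2 BEGIN-KM creationtime=20100401120000Z expirationtime=20100515195500Z END-KM

dn: cn=delta,ou=Hosts,dc=example,dc=com
sshPublicKey: ssh-rsa AAAAB3EXAMPLE3
"""
# "Now" pinned to the timestamp the guide's note uses (20100427000000Z).
NOW = datetime(2010, 4, 27, tzinfo=timezone.utc)
KM_RE = re.compile(r"BEGIN-KM(.*?)END-KM")
TS_RE = re.compile(r"(creationtime|expirationtime)=(\d{14})Z")

def parse_generalized_time(ts: str) -> datetime:
    """LDAP GeneralizedTime YYYYMMDDHHMMSS; the trailing Z (dropped by TS_RE) means UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_entries(ldif: str) -> list:
    """Split entries on blank lines and pull creation/expiration data out of BEGIN-KM ... END-KM."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        entry = {"dn": None, "creationtime": None, "expirationtime": None}
        for line in block.splitlines():
            if line.startswith("dn: "):
                entry["dn"] = line[4:]
            elif line.startswith("sshPublicKey: "):
                m = KM_RE.search(line)  # a key with no KM block carries no metadata
                for name, ts in TS_RE.findall(m.group(1) if m else ""):
                    entry[name] = parse_generalized_time(ts)
        entries.append(entry)
    return entries

def audit_keys(entries: list, days: int, now: datetime = NOW) -> list:
    """Mirror ldaphostlist -k: days < 0 lists keys created more than |days| days
    ago; days >= 0 lists keys already expired or expiring within `days` days."""
    field = "creationtime" if days < 0 else "expirationtime"
    cutoff = now + timedelta(days=days)  # negative days moves the cutoff into the past
    return [e["dn"] for e in entries if e[field] is not None and e[field] <= cutoff]

def unauditable_keys(entries: list) -> list:
    """Keys lacking both timestamps can't be judged by either check; flag them for review."""
    return [e["dn"] for e in entries if e["creationtime"] is None and e["expirationtime"] is None]
```

Calling audit_keys(parse_entries(SAMPLE_LDIF), -365) and audit_keys(..., 20) reproduces the two listings above on the sample data.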
6.5 Centrally managing ssh configuration
In order to enable ssh key management on hosts, the ssh_config file, and optionally the
sshd_config file, must be configured with the UseLdapHostKey parameter, and optionally
the UpdateKeyFromLdap parameter. To mitigate the management cost of changing these
configuration files on every host, you can configure LDAP-UX to centrally manage the parameters
of these files using the LDAP-UX central configuration service, provided by ldapconfd. Support
for ldapconfd is limited to managing HP Secure Shell configuration, as documented in this
section.