LDAP-UX Client Services B.05.00 Administrator's Guide
# buffer size for hpn to non-hpn connections
# HPNBufferSize 2048
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# Turn on/off Visual Fingerprint Display mode
# VisualHostKey no
checkhostip yes
### CCD NOTE:
### The following keyword-argument pairs are configured in LDAP server.
### If you want to add local configurations to this file, add above the
### "CCD NOTE" line. Anything added manually below this line will be
### gone at next LDAP update.
# Keyword-argument pairs defined in LDAP server global entry:
updatekeyfromldap no
useldaphostkey yes
The central configuration service (ldapconfd) can be used to centrally manage other ssh and
sshd parameters. For example, once ssh host keys are managed in a directory server, users
connected to hosts managed with LDAP-UX will always have access to the public key for remote
hosts. In that case, users should not be prompted about whether they would like to accept keys
that have not been verified, so you could consider enabling the strict host key checking feature
of ssh: with StrictHostKeyChecking set to yes, ssh refuses to connect to a host whose key is
unknown, or does not match the stored key, instead of asking the user to accept it. As an
example, the following could be added to the global configuration policy DN:
serviceConfigParam: ssh/client/ssh_config:strictHostKeyChecking yes
Values configured in the global policy override those defined in the local configuration. For
example, if the local ssh_config file defines "strictHostKeyChecking ask" but the
central configuration is defined as above, ldapconfd comments out the
"strictHostKeyChecking ask" line and adds "strictHostKeyChecking yes" to the CCD
section of the ssh_config file.
6.5.1 Overriding central configuration
There are two ways to allow overriding the global configuration on a specific host:
• Disable ldapconfd on that specific host. To completely disable ldapconfd, modify the
/etc/opt/ldapux/ldapconfd.conf file by setting the enable_ldapconfd parameter
to zero:
enable_ldapconfd 0
• Set a host-specific policy. For example, if the global policy for strictHostKeyChecking
is set to yes, and you want to set it to ask for a specific host, you can add a
serviceConfigParam to the host entry, using either the ldapentry or ldaphostmgr
tool. For example, use the following command to enable the ask policy on the "brewer"
system (assuming a Central Configuration policy has not been previously set for this host,
so the networkService object class is added together with the attribute):
baker (): ldaphostmgr -A objectclass=networkService \
-A "serviceConfigParam=ssh/client/ssh_config:strictHostKeyChecking ask" brewer
bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]:
Password:
baker (): ldaphostlist -n brewer serviceConfigParam
dn: cn=brewer,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: brewer
cn: brewer.mydomain.cup.hp.dom
ipHostNumber: 192.0.32.11
serviceConfigParam: ssh/client/ssh_config:strictHostKeyChecking ask
With ldapentry, just specify the name of the host to edit, as follows:
baker (): ldapentry -m hosts brewer
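The merge rule this section describes (a global policy value overrides a local ssh_config line, a host entry's serviceConfigParam overrides the global policy, and everything below the "CCD NOTE" line is regenerated at each update) can be modeled in a short script. The following Python program is an added example written for this page; it is not ldapconfd or any other LDAP-UX code, and it does not contact a directory server. It assumes serviceConfigParam values in the form shown above, a constructed ssh_config sample with a stale CCD section, and one constructed value with an assumed service path (ssh/server/sshd_config) used only to show that values for other services are ignored. The commenting-out step follows OpenSSH's ssh_config rule that the first obtained value of a keyword wins, which is why appending the central value alone would not be enough.

```python
import re

# Everything from this marker down is regenerated at each LDAP update,
# exactly as the note in the sample ssh_config says.
CCD_MARKER = "### CCD NOTE:"
CCD_NOTE = [
    "### CCD NOTE:",
    "### The following keyword-argument pairs are configured in LDAP server.",
    "### If you want to add local configurations to this file, add above the",
    '### "CCD NOTE" line. Anything added manually below this line will be',
    "### gone at next LDAP update.",
]
SSH_CLIENT_SERVICE = "ssh/client/ssh_config"


def parse_service_config_params(values, service=SSH_CLIENT_SERVICE):
    """Map serviceConfigParam values such as
    'ssh/client/ssh_config:strictHostKeyChecking yes' to
    {keyword.lower(): (keyword, argument)} for one service only.
    Values for other services, or without an argument, are skipped."""
    params = {}
    for value in values:
        svc, sep, kv = value.partition(":")
        if not sep or svc.strip() != service:
            continue
        parts = kv.strip().split(None, 1)
        if len(parts) != 2:
            continue
        keyword, argument = parts
        params[keyword.lower()] = (keyword, argument)
    return params


def effective_policy(global_values, host_values=()):
    """Global policy entry first, then the host entry overrides it (6.5.1)."""
    policy = parse_service_config_params(global_values)
    policy.update(parse_service_config_params(host_values))
    return policy


def merge_ssh_config(local_text, policy):
    """Rewrite ssh_config text the way the guide describes ldapconfd doing it:
    keep the administrator's lines above the CCD NOTE, comment out any active
    keyword that the central policy also sets, then regenerate the CCD section."""
    lines = local_text.splitlines()
    if CCD_MARKER in lines:
        lines = lines[: lines.index(CCD_MARKER)]  # drop the old CCD section
    out = []
    for line in lines:
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            # ssh_config accepts "Keyword arg" and "Keyword=arg", case-insensitive
            keyword = re.split(r"[\s=]", stripped, maxsplit=1)[0].lower()
            if keyword in policy:
                line = "#" + line  # local value stays visible but inactive
        out.append(line)
    out.extend(CCD_NOTE)
    out.append("# Keyword-argument pairs defined in LDAP server:")
    out.extend(f"{keyword} {argument}" for keyword, argument in policy.values())
    return "\n".join(out) + "\n"


def active_setting(config_text, keyword):
    """Value ssh would use: the first active (uncommented) line for keyword."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", stripped, maxsplit=1)
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1]
    return None


# Constructed sample: tail of a local ssh_config with a stale CCD section.
LOCAL_SSH_CONFIG = """\
# VisualHostKey no
checkhostip yes
StrictHostKeyChecking ask
### CCD NOTE:
### (old note text)
strictHostKeyChecking yes
"""

# Constructed global policy DN values; the sshd line uses an assumed service
# path and is here only to show that other services are filtered out.
GLOBAL_POLICY = [
    "ssh/client/ssh_config:updatekeyfromldap no",
    "ssh/client/ssh_config:useldaphostkey yes",
    "ssh/client/ssh_config:strictHostKeyChecking yes",
    "ssh/server/sshd_config:PermitRootLogin no",
]
# Host-specific value on cn=brewer, as added with ldaphostmgr -A above.
BREWER_POLICY = ["ssh/client/ssh_config:strictHostKeyChecking ask"]

if __name__ == "__main__":
    for host, host_values in (("baker", []), ("brewer", BREWER_POLICY)):
        merged = merge_ssh_config(LOCAL_SSH_CONFIG, effective_policy(GLOBAL_POLICY, host_values))
        print(f"== {host}: StrictHostKeyChecking -> {active_setting(merged, 'StrictHostKeyChecking')}")
        print(merged)
```

Running it shows "yes" for baker (global policy only) and "ask" for brewer (host entry override), with the local "StrictHostKeyChecking ask" line commented out in both cases and the stale CCD section replaced. The practical consequence for an administrator is that whoever can write serviceConfigParam on a host entry or on the global policy DN controls that host's ssh client settings, so the bind DN used with ldaphostmgr and ldapentry, and the directory ACLs on those attributes, deserve the same protection as the host keys themselves.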
6.5 Centrally managing ssh configuration 209