LDAP-UX Client Services B.05.00 Administrator's Guide

Then once in the editor established by ldapentry, simply add the networkService object
class and the serviceConfigParam as shown in the preceding example.
6.6 Distributing Keys to Non-HP-UX hosts
The integrated ability to automatically use LDAP as an ssh key repository is available in HP
Secure Shell A.05.50 or higher. If you plan on using LDAP central ssh key management in a
heterogeneous environment, your ssh applications on other platforms might not be able to
discover those keys in the directory server. While the sshPublicKey attribute is used by other
ssh implementations, it is not available on all platforms. To allow a heterogeneous data center
to participate in central ssh key management, you might need to distribute keys to non-HP-UX
hosts. The following is a sample script that, with platform-dependent modifications, can be used
to periodically retrieve an updated public key list and store it in the host's ssh_known_hosts file.
It could be run as a periodic "cron" job (see the crontab(1M) manpage).
A Perl script is required to help parse the LDAP host entries. This Perl script uses the perl-ldap
module, which is common on most UNIX and Linux platforms:
#!/usr/bin/perl
# Read an LDIF file of host entries and print one "cn sshPublicKey" line
# for every (cn, key) pair, which is the line format ssh_known_hosts expects.
use strict;
use warnings;
use Net::LDAP::LDIF;
use Net::LDAP::Entry;

my $infilename = shift || die "Input LDIF file name required";
# onerror => 'undef' makes read_entry() return undef on a malformed entry
# instead of dying, so the loop can report the problem and continue.
my $ldif = Net::LDAP::LDIF->new( $infilename, "r", onerror => 'undef' );
while ( not $ldif->eof() ) {
    my $entry = $ldif->read_entry();
    if ( $ldif->error() ) {
        print "Error msg: ", $ldif->error(), "\n";
        print "Error lines:\n", $ldif->error_lines(), "\n";
    } elsif ( defined $entry ) {    # trailing comments/blank lines yield no entry
        # Both attributes can be multi-valued; emit every name/key combination.
        my @names = $entry->get_value("cn");
        my @keys  = $entry->get_value("sshPublicKey");
        foreach my $name (@names) {
            foreach my $key (@keys) {
                print "$name $key\n";
            }
        }
    }
}
$ldif->done();
The input to this script is an LDIF file, which must be obtained through the ldapsearch
command, also available on most platforms. Note that the connection to the directory server
should be made over SSL (the -Z and -P options below), so the client has some assurance that it
is not communicating with an impostor directory server that could supply false host keys. The
following example is for the ldapsearch command available with LDAP-UX. Your ldapsearch
command might require slightly different parameters:
ldapsearch -Z -P CACertPath -b "ou=hosts,dc=mydomain,dc=example,dc=com" \
    -h hostname "(&(objectclass=iphost)(sshpublickey=*))" \
    cn sshpublickey > allhostkeys.ldif
To create the known_hosts file, send the output of ldapsearch into the above script. If you
named the above perl script makeKnownHosts.pl, you would then use:
makeKnownHosts.pl allhostkeys.ldif > ssh_known_hosts
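The following POSIX shell script is an added example written for this page, not code from the LDAP-UX guide or from HP. It wraps the cron step described above and goes beyond the guide in two ways: it parses the LDIF itself in awk (unfolding the continuation lines that ldapsearch produces for long values such as public keys, which the Perl script relies on Net::LDAP::LDIF to do), and it refuses to overwrite ssh_known_hosts when the directory query yields no keys, replacing the file atomically otherwise, so a failed or empty LDAP query never leaves hosts with an empty known-hosts list. The function names (ldif_to_known_hosts, refresh_known_hosts, write_sample_ldif), the file paths in the comments, and the sample hostnames and key strings are all constructed for the example and are not taken from the guide.

```sh
#!/bin/sh
# Added example (not from the LDAP-UX guide): refresh ssh_known_hosts from the
# LDIF written by the guide's ldapsearch command, with safety checks.
set -eu

# ldif_to_known_hosts FILE
#   Prints one "cn sshPublicKey" line per (cn, key) pair, like makeKnownHosts.pl.
#   LDIF wraps long values: a line beginning with one space continues the
#   previous line, so lines are unfolded before attributes are examined.
#   A blank line ends an entry. Attribute names are matched case-insensitively
#   because servers differ in the case they return.
ldif_to_known_hosts() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }   # continuation line: unfold
        /^$/  { process(); emit(); next }         # end of entry
              { process(); buf = $0 }
        END   { process(); emit() }
        function process() {
            if (buf == "") return
            if (tolower(buf) ~ /^cn: /)                 names[++nn] = substr(buf, 5)
            else if (tolower(buf) ~ /^sshpublickey: /)  keys[++nk]  = substr(buf, 15)
            buf = ""
        }
        function emit(   i, j) {
            for (i = 1; i <= nn; i++)
                for (j = 1; j <= nk; j++)
                    print names[i] " " keys[j]
            nn = 0; nk = 0
        }
    ' "$1"
}

# refresh_known_hosts LDIF TARGET
#   Builds the new list in a temporary file next to TARGET and renames it into
#   place, so readers never see a partially written file. If no keys were
#   parsed (empty or failed query), TARGET is left untouched and 1 is returned.
refresh_known_hosts() {
    ldif=$1
    target=$2
    tmp=$(mktemp "${target}.XXXXXX")
    ldif_to_known_hosts "$ldif" > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "refresh_known_hosts: no keys parsed from $ldif; keeping $target" >&2
        return 1
    fi
    chmod 0644 "$tmp"
    mv "$tmp" "$target"
}

# write_sample_ldif FILE
#   Constructed sample input for a stand-alone run (not real directory data):
#   one host with two cn values and a key folded over two lines, one host with
#   a single cn. The heredoc is left unindented so the folded line keeps its
#   single leading space.
write_sample_ldif() {
cat > "$1" <<'EOF'
version: 1

dn: cn=alpha,ou=hosts,dc=mydomain,dc=example,dc=com
cn: alpha
cn: alpha.mydomain.example.com
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ
 DEXAMPLEKEYALPHA== root@alpha

dn: cn=beta,ou=hosts,dc=mydomain,dc=example,dc=com
cn: beta
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBETA root@beta
EOF
}

# Cron usage (assumed paths), after the guide's ldapsearch has written the LDIF:
#   ldapsearch ... > /var/tmp/allhostkeys.ldif &&
#       refresh_known_hosts /var/tmp/allhostkeys.ldif /etc/ssh/ssh_known_hosts
if [ $# -eq 2 ]; then
    refresh_known_hosts "$1" "$2"
fi
```

Run it as `sh refresh.sh allhostkeys.ldif /etc/ssh/ssh_known_hosts` from cron; the non-empty check matters because an expired CA certificate or an unreachable directory server makes ldapsearch produce an empty LDIF, and blindly redirecting that into ssh_known_hosts would silently remove every known host key.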
210 Managing ssh host keys with LDAP-UX