LDAP-UX Client Services B.05.00 Administrator's Guide
If you specify the ! option, the specified key(s) are removed from the host entry in the directory server. The actual keys on the host are not removed.
If you specify the ? option, the key(s) on the host are validated against those found in the representative directory entry for the specified host. This option is usually used on the local host, so that the owner can verify the integrity of the host's keys as represented in the directory server. Note that the ? character is often interpreted by the shell (see shells(4)), and therefore should be escaped or enclosed in quotation marks.
When adding or modifying keys for a remote host, ldaphostmgr attempts to connect to that remote host using ssh itself. However, ssh itself may not be able to trust the identity of the remote host if a local copy of the remote host's key is not available in a local known_hosts file or in the LDAP directory server. If the identity of the remote host cannot be positively identified, ldaphostmgr issues a WARNING and prompts for confirmation that the remote key should be trusted. If the user chooses to trust the unidentified host, ssh-keyscan is used to discover the remote public keys and add/replace them in the directory server entry. Because untrusted discovery is subject to man-in-the-middle or spoofing attacks, this method for key discovery is not recommended unless the key fingerprint can be validated.
Specifying the ^ option disables remote key management, and indicates to ldaphostmgr that the remote host cannot be directly managed by the solution. Instead, the result from a direct ssh-keyscan should be used to discover the remote host's public keys. For example, an appliance that supports ssh, but does not have HP-UX on it, cannot respond properly to remote management commands. Again, ldaphostmgr issues a WARNING and prompts for confirmation that the remote key should be trusted. Because untrusted discovery is subject to man-in-the-middle or spoofing attacks, this method for key discovery is not recommended unless the key fingerprint can be validated.
NOTE: If the ^ flag is specified and the target is the local host, ldaphostmgr simply takes the current public key(s) and uploads them to the directory server. Since the keys on the local host are considered trusted, a WARNING prompt is not displayed.
If the -X option is specified, ldaphostmgr does not prompt, and fails without adding the keys to the directory entry, unless the -F option is also specified. Use of ^, -X, and -F, or answering "yes" to the "Untrusted Discovery:" prompt, is not recommended as the primary method for discovery of host keys unless an external and validated transport method can be used to validate the integrity of the updated keys. For example, if the user can create a trusted session to the host (such as connecting to the physical console), the ldaphostmgr -k ? command can be used to validate that the keys of the host found in the directory server match those in the /etc/opt/ssh/*.pub files.
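The following script is an added example and is not part of the LDAP-UX guide or of ldaphostmgr itself. It reproduces, in plain POSIX shell, the comparison that the ? option is described as performing: the public keys present on the host are checked against the keys published in the host's directory entry, and any key that is missing, replaced, or left over (for instance after an untrusted ssh-keyscan discovery) is reported. Both key sets below are constructed stand-ins; on a real host the left side would be read from the /etc/opt/ssh/*.pub files and the right side from the directory entry.

```shell
#!/bin/sh
# Added example (not ldaphostmgr code): compare the host's public keys with the
# keys held in its directory entry, the way "ldaphostmgr -k '?'" is described
# as doing.  Inputs are constructed samples, not real host keys.

# Constructed sample: the keys present on the host (contents of *.pub files).
HOST_KEYS='ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-rsa-blob root@host1
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-CONSTRUCTED-ed25519-blob root@host1'

# Constructed sample: a directory entry in which an untrusted discovery has
# replaced the RSA key and a key the host no longer uses was never removed.
DIR_KEYS_TAMPERED='ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-DIFFERENT-rsa-blob root@host1
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-CONSTRUCTED-ed25519-blob root@host1
ssh-dss AAAAB3NzaC1kc3MAAACB-CONSTRUCTED-old-dsa-blob root@host1'

# Reduce each key line to "type blob": the trailing comment is informational
# and must not influence the comparison.  Lines without a blob are dropped.
normalize_keys() {
    awk 'NF >= 2 { print $1, $2 }' | sort -u
}

# compare_keys HOST_KEYS DIRECTORY_KEYS
# Prints one verdict per key.  Returns 0 only when both sets are identical;
# a key missing from, or extra in, the directory entry returns 1, because
# either means the published identity of the host cannot be relied on.
compare_keys() {
    host_norm=$(printf '%s\n' "$1" | normalize_keys)
    dir_norm=$(printf '%s\n' "$2" | normalize_keys)
    rc=0
    old_ifs=$IFS
    IFS='
'
    # Every key on the host must appear, byte for byte, in the directory.
    for k in $host_norm; do
        if printf '%s\n' "$dir_norm" | grep -qxF -e "$k"; then
            echo "OK       ${k%% *} key matches the directory entry"
        else
            echo "MISMATCH ${k%% *} key on the host is absent from the directory entry"
            rc=1
        fi
    done
    # Anything the directory publishes that the host does not hold is suspect.
    for k in $dir_norm; do
        if ! printf '%s\n' "$host_norm" | grep -qxF -e "$k"; then
            echo "STALE    ${k%% *} key in the directory entry is not present on the host"
            rc=1
        fi
    done
    IFS=$old_ifs
    return $rc
}

# Stand-alone run: an entry identical to the host passes, the tampered one fails.
echo "== directory entry identical to host keys =="
compare_keys "$HOST_KEYS" "$HOST_KEYS" && echo "result: keys verified"
echo "== directory entry after an untrusted discovery =="
compare_keys "$HOST_KEYS" "$DIR_KEYS_TAMPERED" || echo "result: do not trust this entry"
```

The script compares the raw key material rather than fingerprints, so no hashing tool is needed on the host. When the comparison has to be done by eye over a trusted channel such as the physical console, the standard `ssh-keygen -l -f <keyfile>` command prints the fingerprint of a public key file, which can then be read against the fingerprint of the key held in the directory entry.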
Note that if a -k option is specified and the host being managed is remote, a remote login to that host is required and performed
7.3 LDAP user and group management tools 271