LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
8.1.3 Permissions
The LDAP-UX host management tool (ldaphostmgr), which is used to manage ssh public keys in
the directory server, manipulates the aforementioned object classes and attributes. This tool relies
on the directory server to provide proper access control.
To ensure that only authorized modifications are made to host and public key information,
only a restricted set of privileged users should be allowed to modify host information, including
the sshPublicKey attribute. If you have used the guided installation and, as part of that setup
process, created a new HP-UX Directory Server Instance, these access controls are automatically
created (for more information about the access controls established by the guided installation, see
Section 2.3.2.3 (page 37)).
Several sets of users are considered privileged enough to manipulate host information in the
directory server: the DomainAdmins group, the HostAdmins group, and the owners (owners are any
users, or members of any group, listed in the owner attribute of the host's entry). These users,
or any user that has rights to manipulate the sshPublicKey attribute for the host in the directory
server, are granted permission on the HP-UX host to change the host's ssh key pairs. Normally,
permission to modify the host's public and private ssh keys is restricted to the root user. However,
ldaphostmgr elevates its privilege to allow a nonroot user to modify a host's public key if that user
has permission to modify the sshPublicKey attribute for the current host.
When a user runs the ldaphostmgr tool and attempts to change a host's ssh key, ldaphostmgr
verifies whether the user has the right to modify the sshPublicKey attribute for that host by
submitting the modification to the directory server. If the directory server rejects the modification,
ldaphostmgr does not elevate its privilege and does not modify the host's ssh key; the directory
server's access controls, not the client, are the authority for this decision.
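The authorization rule described above, as an added example that is not ldaphostmgr's or the directory server's own code: a small Python model of the decision the directory makes when a bound user tries to write sshPublicKey on a host entry (DomainAdmins, HostAdmins, or an owner listed directly or through a group in the host's owner attribute). The LDIF, the base DN dc=example,dc=com, the ou=Groups/ou=Hosts layout and the groupOfNames/member attributes are constructed assumptions; in HP-UX Directory Server this policy is enforced by ACIs, which the model does not reproduce. Unknown hosts and unknown bind DNs are denied, matching the fail-closed behaviour of ldaphostmgr.

```python
"""Model of the directory-side check that gates ldaphostmgr's privilege elevation.

Constructed example (not ldaphostmgr code). DNs, group names, base DN and the
groupOfNames/member attributes are assumptions; only sshPublicKey and owner come
from the guide.
"""
from typing import Dict, List

# Constructed sample directory content. The parser below is deliberately minimal:
# it does not handle LDIF continuation lines or base64 ("::") values.
SAMPLE_LDIF = """\
dn: cn=DomainAdmins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: DomainAdmins
member: uid=alice,ou=People,dc=example,dc=com

dn: cn=HostAdmins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: HostAdmins
member: uid=bob,ou=People,dc=example,dc=com

dn: cn=web-team,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: web-team
member: uid=carol,ou=People,dc=example,dc=com

dn: cn=web01.example.com,ou=Hosts,dc=example,dc=com
objectClass: ipHost
cn: web01.example.com
owner: uid=dave,ou=People,dc=example,dc=com
owner: cn=web-team,ou=Groups,dc=example,dc=com
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB... web01
"""

BASE_DN = "dc=example,dc=com"  # assumption


def norm_dn(dn: str) -> str:
    """DNs are case-insensitive and tolerate whitespace after commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse simple LDIF into {normalized dn: {lowercased attr: [values]}}."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if entry:
                entries[norm_dn(entry["dn"][0])] = entry
                entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    if entry:  # flush the last entry when the text has no trailing blank line
        entries[norm_dn(entry["dn"][0])] = entry
    return entries


def is_member(entries, group_dn: str, user_dn: str) -> bool:
    """True if user_dn is a direct member of group_dn (member or uniqueMember)."""
    group = entries.get(norm_dn(group_dn))
    if group is None:
        return False
    members = group.get("member", []) + group.get("uniquemember", [])
    return any(norm_dn(m) == norm_dn(user_dn) for m in members)


def may_modify_ssh_public_key(entries, bind_dn: str, host_dn: str) -> bool:
    """Decide whether bind_dn may write sshPublicKey on host_dn.

    Allowed: DomainAdmins, HostAdmins, or an owner of the host, where the owner
    attribute may name a user directly or a group the user belongs to.
    Everything else, including an unknown host, is denied (fail closed).
    """
    host = entries.get(norm_dn(host_dn))
    if host is None:
        return False
    privileged_groups = (
        f"cn=DomainAdmins,ou=Groups,{BASE_DN}",
        f"cn=HostAdmins,ou=Groups,{BASE_DN}",
    )
    if any(is_member(entries, g, bind_dn) for g in privileged_groups):
        return True
    for owner in host.get("owner", []):
        if norm_dn(owner) == norm_dn(bind_dn) or is_member(entries, owner, bind_dn):
            return True
    return False


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    host = f"cn=web01.example.com,ou=Hosts,{BASE_DN}"
    for uid in ("alice", "bob", "carol", "dave", "eve"):
        dn = f"uid={uid},ou=People,{BASE_DN}"
        print(uid, "->", "allowed" if may_modify_ssh_public_key(directory, dn, host) else "denied")
```

The model captures the ordering that matters for ldaphostmgr: the answer comes from the directory's view of the host entry and group membership, and a request that the directory would reject never reaches the privileged local step.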
8.1.4 Distributed management (manage from any host)
Remote management is an important feature of the ldaphostmgr tool. Specifically, if LDAP-UX
version B.05.00 or later is installed on a remote host that is part of the same LDAP-UX domain
(subscribes to the same LDAP-UX configuration profile) as the current host, it is possible to remotely
manage ssh keys on that host. As long as the current user has permissions to log in to the remote
host and to manipulate the sshPublicKey attribute, the ldaphostmgr tool can change the key
of any host in the LDAP-UX domain from any other host. This remote management is handled within
ldaphostmgr itself. The user need not remotely log in to the host to manage it.
However, this means that any user with permission to manage the sshPublicKey attribute must
also have POSIX attributes attached (the posixAccount object class), so that the HP-UX OS will
allow remote login for this user. For more information about setting up an ssh key manager
account, see Section 8.2.6 (page 264).
8.2 Setting up the key management domain
The first step in setting up an ssh key management domain is to establish the host and key data
repository. This repository must be an LDAP directory server and must meet the security requirements
previously defined, which are explained in additional detail in the subsections that follow. If you
have not already targeted a directory server to act as this repository, consider using the LDAP-UX
guided installation (autosetup), which can automatically create a new directory server instance
and populate it with a default security and management framework. For more information about
the guided installation, see Section 2.3 (page 27).
The remaining subsections describe this process, summarized as follows:
• Identify a directory server and a location in that directory server where host and key data will
be stored.
• Assign and set up an SSL certificate for the directory server, so that trust can be established
between clients and the directory server.