LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
Trusting the ssh key repository requires that the identity of the directory server can be validated,
the data in the directory server cannot be modified by unauthorized users, and the data transmitted
between the client and the directory server is protected. The following three sections describe how
to establish this trust.
8.2.4 Validating directory server identity
Just as a web browser uses SSL and SSL CA certificates to verify that a remote web server belongs
to the legitimate organization a user is about to send credit card information to, rather than to
an impostor, an LDAP client can use the same SSL protocol and certificates to validate the identity
of the directory server. To establish this trust, the directory server must have a valid signed
server certificate, and the client must have a copy of either the public portion of that server
certificate or the certificate of the CA (Certificate Authority) that signed the server's certificate.
When the guided installation script is used to create a new HP-UX Directory Server instance, LDAP-UX
automatically creates a CA certificate and a server certificate for that directory server instance. The
CA certificate is deposited into an SD depot file that can be preinstalled on any HP-UX client. For
more information about this depot file, see Section 2.3.2.3.3 (page 39). If you have this depot
file, you can install the package on your host with the following command:
# /usr/sbin/swinstall -s hostname:/depot/name LDAPUX-DOMAIN-CA
If you have your own CA certificate (one not created by the guided installation), you can install that
CA certificate into the /etc/opt/ldapux/cert8.db file as in the following example:
# more /tmp/mycacert.txt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
# /opt/ldapux/contrib/bin/certutil -A -d /etc/opt/ldapux -a -n "my CA Certificate" -t "CT,," < /tmp/mycacert.txt
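The import above is the one step on which every later identity check depends, so it is worth scripting with a check in front of it and a read-back after it. The script below is an added example and not part of the HP guide: it rejects a file that is not a single PEM certificate before certutil sees it, imports the certificate with the guide's trust flags, and then confirms that the NSS database lists the nickname with those flags and that certutil itself validates it for the SSL CA usage. The database path and certutil location are the guide's; the input file, nickname and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the HP LDAP-UX guide: pre-flight check of a PEM CA
# certificate, then its import into the LDAP-UX NSS database and a read-back
# verification. CERTDB_DIR and CERTUTIL follow the guide; the input file,
# nickname and helper names are assumptions.

CERTDB_DIR=/etc/opt/ldapux                  # holds cert8.db (path from the guide)
CERTUTIL=/opt/ldapux/contrib/bin/certutil   # NSS certutil shipped with LDAP-UX

# pem_looks_valid FILE
# Returns 0 only when FILE holds exactly one PEM certificate: first line is the
# BEGIN marker, last line is the END marker, and every line in between is
# non-empty base64. This catches truncated or stray-text files (the usual
# copy/paste damage) before certutil is ever asked to import them.
pem_looks_valid() {
    f=$1
    [ -s "$f" ] || return 1
    head -n 1 "$f" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
    tail -n 1 "$f" | grep -q '^-----END CERTIFICATE-----$' || return 1
    body=$(sed '1d;$d' "$f")            # everything between the two markers
    [ -n "$body" ] || return 1
    # any line that is not pure base64 (optionally '=' padded) fails the check
    if printf '%s\n' "$body" | grep -qv '^[A-Za-z0-9+/]\{1,\}=\{0,2\}$'; then
        return 1
    fi
    return 0
}

# install_ca_cert FILE NICKNAME
# Imports FILE as a trusted CA. Trust flags "CT,," mean: C = trusted to issue
# SSL server certificates, T = trusted to issue SSL client certificates; the
# two empty fields leave e-mail and object-signing trust unset. The import is
# then confirmed by listing the database and by asking certutil to validate
# the certificate, signatures included (-e), for the "SSL CA" usage (-u L).
install_ca_cert() {
    f=$1; nick=$2
    if ! pem_looks_valid "$f"; then
        echo "refusing to import $f: not a single PEM certificate" >&2
        return 1
    fi
    "$CERTUTIL" -A -d "$CERTDB_DIR" -a -n "$nick" -t "CT,," < "$f" || return 1
    # read back: the nickname must now be listed with the C and T trust flags
    "$CERTUTIL" -L -d "$CERTDB_DIR" | grep -F "$nick" | grep -q 'CT,,' || return 1
    "$CERTUTIL" -V -e -d "$CERTDB_DIR" -n "$nick" -u L
}

# Usage (as root): sh install_ca.sh /tmp/mycacert.txt "my CA Certificate"
if [ $# -eq 2 ]; then
    install_ca_cert "$1" "$2"
fi
```

The read-back matters because certutil will happily import a certificate with whatever trust string it is given; a typo such as `C,,` instead of `CT,,` would leave client-certificate trust unset without any error at import time.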
Attempting to use ssh key management without using SSL provides little value, because if the
directory server can be impersonated, then the validity of the sshPublicKey attribute cannot be
trusted, and thus the identity of any remote ssh hosts cannot be validated.
Configuring the directory server with a server certificate also enables it to use SSL. This protocol
enables information in transit to be protected from eavesdropping, but even more importantly,
from tampering by a man-in-the-middle. Support for SSL meets two of the previous requirements to
assure integrity of the sshPublicKey. And when LDAP-UX is configured using the guided installation,
SSL is automatically configured. (For more information about the guided installation, see Section 2.3
(page 27).)
8.2.5 Authentication and access control
To assure its integrity, the sshPublicKey attribute must be protected from unauthorized
modification. LDAP directory servers have the inherent ability to authenticate users before allowing
access and to limit operations performed on the LDAP data with access-control policies.
As mentioned previously, any user with permission to modify the sshPublicKey attribute for a
particular host can also change the ssh key pair of that host using ldaphostmgr. This means that
permission to modify the sshPublicKey attribute must be restricted to trusted administrators. The
trust relationship between users and hosts is based on the ability to protect the integrity of the
sshPublicKey attribute in the directory server.
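What "restricted to trusted administrators" looks like in practice is an access-control instruction (ACI) on the subtree that holds the host entries. The script below is an added example, not from the HP guide: it emits an LDIF record adding an ACI that grants write on sshPublicKey to one administrator group only, applies it over ldaps, and screens an existing ACI listing for any other write grant that would undermine it. The ACI syntax is that of HP-UX / Red Hat Directory Server; the subtree, group and bind DNs, the host name and the OpenLDAP-style ldapmodify flags (-H, -D, -W) are assumptions, and the screening function is a coarse textual filter meant to point an administrator at ACIs to review by hand.

```shell
#!/bin/sh
# Added example, not from the HP LDAP-UX guide: an ACI that lets only one
# administrator group write sshPublicKey, the ldapmodify call that applies
# it, and a screen for conflicting write grants. DNs, host name and
# ldapmodify flags are assumptions.

# sshkey_aci_ldif SUBTREE_DN ADMIN_GROUP_DN
# Prints an LDIF modify record that adds one ACI to SUBTREE_DN. In this ACI
# model an operation is denied unless some ACI grants it, so once write on
# sshPublicKey is granted to this group alone, every other bind identity can
# at most read the attribute, which is all an ssh client needs to fetch a
# host key. Read access is assumed to come from the server's default ACIs.
sshkey_aci_ldif() {
    subtree=$1; group=$2
    cat <<EOF
dn: $subtree
changetype: modify
add: aci
aci: (targetattr="sshPublicKey")(version 3.0; acl "sshPublicKey writable only by ssh key admins"; allow (write) groupdn="ldap:///$group";)
EOF
}

# apply_sshkey_aci SUBTREE_DN ADMIN_GROUP_DN DIRECTORY_MANAGER_DN LDAPS_HOST
# Applies the ACI over ldaps, so the policy change itself is authenticated
# and protected from tampering in transit; ldapmodify prompts for the bind
# password (-W).
apply_sshkey_aci() {
    sshkey_aci_ldif "$1" "$2" | ldapmodify -H "ldaps://$4" -D "$3" -W
}

# find_other_write_grants ADMIN_GROUP_DN  < aci-listing
# Reads "aci: ..." lines on stdin (for example the aci attribute values of
# the subtree, as returned by an ldapsearch) and prints every ACI whose
# allow clause includes write or all and that is not the grant to
# ADMIN_GROUP_DN. Returns 0 when at least one such ACI was found. A hit such
# as a broad self-write ACI means a host entry (or its bind identity) could
# rewrite its own sshPublicKey, which is exactly what must not be possible.
find_other_write_grants() {
    group=$1
    grep -Ei 'allow *\([^)]*(write|all)' | grep -v -F "groupdn=\"ldap:///$group\""
}

# Usage: sh sshkey_aci.sh ou=Hosts,dc=example,dc=com \
#            cn=sshkeyadmins,ou=Groups,dc=example,dc=com \
#            cn=Directory\ Manager ldap.example.com
if [ $# -eq 4 ]; then
    apply_sshkey_aci "$1" "$2" "$3" "$4"
fi
```

The screen is deliberately coarse: it flags an ACI with `(targetattr="*")` or `(targetattr!="userPassword")` and a write grant even though it does not name sshPublicKey, because such ACIs cover the attribute all the same. Reviewing the flagged ACIs by hand is the point; the ACI added here does nothing to narrow a broader grant that already exists.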
To allow for management of the sshPublicKey, you must grant rights to a group of administrators.
This process is different for each directory server deployment because access control features of
directory servers are different and have not yet been standardized. For the HP-UX Directory Server
(the Red Hat Directory Server and Sun Java Directory Server are similar), the ACI attribute must
8.2 Setting up the key management domain 263