LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

8.3.1 Configuring ssh and sshd to use LDAP-managed keys
On each HP-UX client that is to use LDAP-based ssh public keys, you must install version A.05.50
or later of the HP Secure Shell product and LDAP-UX version B.05.00 or later. HP Secure Shell
A.05.50 or later is enabled to use the LDAP directory server for public key validation and is
dependent on APIs provided in LDAP-UX B.05.00.
You must configure the ssh toolset to use LDAP. To do this, configure the following two new
parameters in the ssh_config file:
UseLdapHostKey
Directs the ssh client tools (ssh, scp, sftp) to use the LDAP repository to discover a remote host’s
public key, if that key is not already found in the known_hosts file.
UpdateKeyFromLdap
Directs the ssh client tools to update the known_hosts file if the key for the specified host
does not exist or is incorrect. The key from the LDAP directory server is assumed to be correct,
based on the previously described trust agreements between the ssh client and the directory
server. If the local user has a key that does not match the one found in the directory server
file, the ssh client replaces it in the user’s personal known_hosts file. Using the
UpdateKeyFromLdap option enables the user’s known_hosts file to act as a local cache
for the information in the directory server.
NOTE: If you want the ability to revoke or remove keys for hosts (in case those keys are
compromised), do not enable the UpdateKeyFromLdap option. See Section 8.3.8 (page 271) for
additional information.
In the sshd_config file, only the UseLdapHostKey option is available. This option has the same
effect as in the ssh_config file. It is used when administrators want to configure host-based
authentication, using the HostBasedAuthentication option. In this case, sshd uses the LDAP directory
server to validate the identity of a remote host on an incoming connection. (See Section 8.2.5
(page 263)).
With LDAP-UX B.05.00 or later, it is possible to centrally manage ssh and sshd configuration
parameters using the LDAP-UX central configuration service; for more information, see Section 8.5
(page 272).
After completing this step, you have completed the setup process and can now begin to manage
keys for hosts using the steps described in the following subsections.
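The two parameter descriptions above become a short, repeatable edit on each client. The script below is an added example (it is not HP's code and is not from this manual); it assumes the OpenSSH-style yes/no argument syntax for the two options and, on HP-UX, the assumed paths /opt/ssh/etc/ssh_config and /opt/ssh/etc/sshd_config. It follows the NOTE above by leaving UpdateKeyFromLdap off so that a compromised host key can still be revoked in the directory, and it sets only UseLdapHostKey in sshd_config, which is the one LDAP option the server side accepts.

```shell
#!/bin/sh
# Added example, not part of the HP manual: an idempotent way to turn on the
# LDAP host-key options in ssh_config and sshd_config and to read them back.
# Assumptions (not stated on the page): the options take OpenSSH-style yes/no
# values, and on HP-UX the files live at /opt/ssh/etc/ssh_config and
# /opt/ssh/etc/sshd_config (check your installation).

# ssh_option_value FILE KEY
# Print the value of KEY from FILE. Like ssh itself, take the first uncommented
# occurrence (keywords are case-insensitive); print nothing if it is unset.
ssh_option_value() {
    awk -v key="$2" '
        tolower($1) == tolower(key) && !found { print $2; found = 1 }
    ' "$1"
}

# set_ssh_option FILE KEY VALUE
# Rewrite the first uncommented KEY line to "KEY VALUE", drop any later
# duplicates so the first-occurrence rule cannot silently override the new
# value, and append the line if KEY was not present at all.
set_ssh_option() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        tolower($1) == tolower(key) { if (!done) { print key " " value; done = 1 }; next }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# configure_ldap_hostkeys CLIENT_CONFIG SERVER_CONFIG
# Client: discover unknown host keys from LDAP, but keep UpdateKeyFromLdap off
# so a key that is removed from the directory is not silently re-cached and a
# compromised key can still be revoked (NOTE in 8.3.1).
# Server: UseLdapHostKey is the only LDAP option sshd accepts; it only has an
# effect together with HostbasedAuthentication.
configure_ldap_hostkeys() {
    set_ssh_option "$1" UseLdapHostKey yes
    set_ssh_option "$1" UpdateKeyFromLdap no
    set_ssh_option "$2" UseLdapHostKey yes
}

# Typical invocation on an HP-UX client (paths are the assumed defaults):
# configure_ldap_hostkeys /opt/ssh/etc/ssh_config /opt/ssh/etc/sshd_config
```

The helper treats the file as a flat list of keywords, which is what you want for the global section of both files. If your ssh_config carries Host-specific stanzas, place the options in the stanza you intend by hand rather than with set_ssh_option, because ssh applies the first match it reads.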
8.3.2 Adding keys for HP-UX hosts
Use the -k option of the ldaphostmgr command to add or manage public keys for hosts. There
are several ways to add or change ssh public keys in the directory server using this option. This
section and the sections that follow describe these various methods.
If you use the guided installation when configuring LDAP-UX on a host, during the configuration
process the current host and its RSA public key are automatically added to the directory server.
You can display the entry for the current host using the following commands:
chef(): ldaphostlist -k -n "$(hostname)"
dn: cn=chef,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: chef
cn: chef.mydomain.example.com
ipHostNumber: 16.92.96.225
sshPublicKey: ssh-rsa AAAAB...== BEGIN-KM creationtime=20100413173637Z END-KM
Notice in the preceding command sequence that keys managed by ldaphostmgr have an
extended field within the comment structure of the public key data. This extended field can be used
to determine key age and keep track of expiration information if desired. See Section 8.4.2
(page 272) for additional information.
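The creationtime stamp in the BEGIN-KM/END-KM comment is what lets an administrator find ageing host keys before they are trusted. The script below is an added example, not HP's code and not part of this manual: it parses ldaphostlist-style output, pulls the creationtime value (YYYYMMDDhhmmssZ) from each sshPublicKey line, and computes the key's age in days with Julian-day arithmetic in awk, so it runs on an HP-UX date command that has no GNU extensions. The listing it reads is constructed sample data modelled on the example above (the key body is a placeholder), and the 365-day maximum age is an assumed local policy, not a value from the manual.

```shell
#!/bin/sh
# Added example, not part of the HP manual: turn the BEGIN-KM creationtime
# stamp that ldaphostmgr stores in the sshPublicKey comment into a key age,
# so stale host keys can be reported before anything relies on them.
# Constructed sample shaped like "ldaphostlist -k -n <host>" output; the key
# body is a placeholder, not a real key. In production, pipe the real
# ldaphostlist output into key_creation_stamps instead.
SAMPLE_LISTING='dn: cn=chef,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: chef
cn: chef.mydomain.example.com
ipHostNumber: 16.92.96.225
sshPublicKey: ssh-rsa AAAAB3PLACEHOLDER== BEGIN-KM creationtime=20100413173637Z END-KM'

# key_creation_stamps
# Read ldaphostlist-style output on stdin; print "<cn> <stamp>" for every
# sshPublicKey line, using the first cn of each entry as the host name.
key_creation_stamps() {
    awk '
        /^dn: / { name = "" }
        /^cn: / && name == "" { name = $2 }
        /^sshPublicKey: / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^creationtime=/) { sub(/^creationtime=/, "", $i); print name, $i }
        }'
}

# days_since STAMP TODAY
# Whole days from the YYYYMMDD... STAMP to TODAY (YYYYMMDD), via Julian day
# numbers, so no GNU "date -d" is needed (HP-UX date does not have it).
days_since() {
    awk -v a="$1" -v b="$2" '
        function jdn(s,  y, m, d, p) {
            y = substr(s, 1, 4) + 0; m = substr(s, 5, 2) + 0; d = substr(s, 7, 2) + 0
            p = int((14 - m) / 12); y = y + 4800 - p; m = m + 12 * p - 3
            return d + int((153 * m + 2) / 5) + 365 * y + int(y / 4) - int(y / 100) + int(y / 400) - 32045
        }
        BEGIN { print jdn(b) - jdn(a) }'
}

# key_age_status STAMP TODAY MAXDAYS -> prints "ok" or "expired"
key_age_status() {
    if [ "$(days_since "$1" "$2")" -gt "$3" ]; then echo expired; else echo ok; fi
}

# report_key_ages TODAY MAXDAYS
# One line per host: "<cn> <age-in-days> ok|expired" (MAXDAYS is the assumed
# local maximum key age; the manual sets no particular lifetime).
report_key_ages() {
    printf '%s\n' "$SAMPLE_LISTING" | key_creation_stamps | while read -r host stamp; do
        echo "$host $(days_since "$stamp" "$1") $(key_age_status "$stamp" "$1" "$2")"
    done
}

# Example run with today's date from the system clock and a 365-day lifetime:
# report_key_ages "$(date -u +%Y%m%d)" 365
```

A key reported as expired is a candidate for the replacement procedure in the following subsections; the age check is only as trustworthy as the directory entry it reads, which is why the trust between client and directory server described earlier matters here too.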
266 Managing ssh host keys with LDAP-UX (HP directory servers only)