LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

NOTE: Because this script runs in batch mode, you must specify the LDAP host administrator's
credentials in the LDAP_BINDDN and LDAP_BINDCRED environment variables before running the
script (or, alternatively, use the -E option to specify those values in a file).
KNOWN_HOSTS_FILE="ssh_known_hosts"
### grep out comments and blank lines
grep -v -e "^[[:space:]]*$" -e "^[[:space:]]*#" \
    "$KNOWN_HOSTS_FILE" > /tmp/myknownhosts$$
### read the filtered copy on descriptor 4, one known_hosts entry per line
exec 4< /tmp/myknownhosts$$
while read pubkey <&4
do
    ### field 1 is the host name, the rest of the line is the key data
    hostname="$(echo "$pubkey" | cut -d" " -f 1)"
    keydata="$(echo "$pubkey" | cut -d" " -f 2-)"
    ### if the host already has an entry (ldaphostlist prints a dn: line),
    ### modify it (-m); otherwise add a new entry (-a)
    if ( /opt/ldapux/bin/ldaphostlist -n "$hostname" | grep -qi "^dn: " )
    then
        hostop="-m"
    else
        hostop="-a"
    fi
    ### write the key data to a temporary file and load it with ldaphostmgr
    echo "$keydata" > /tmp/keyfile$$
    /opt/ldapux/bin/ldaphostmgr $hostop -X -f -k /tmp/keyfile$$ "$hostname"
done
### temporary files are named with this shell's PID ($$); clean them up
rm -f /tmp/keyfile$$
rm -f /tmp/myknownhosts$$
8.3.5 Changing keys for HP-UX hosts
If you believe the private key for a host has been compromised, you can change the keys of that
host with ldaphostmgr. From that host, run the ldaphostmgr command with the -k option. If
the user has privilege to modify the sshPublicKey attribute, ldaphostmgr will elevate that
privilege to allow a nonroot user to modify the host's public and private key files
(/opt/ssh/etc/ssh_host_rsa_key and /opt/ssh/etc/ssh_host_rsa_key.pub). ldaphostmgr will
also update the directory server with the new public keys for this host:
baker (): ldaphostmgr -k all baker
bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]:
Password:
The public key(s) already exists in LDAP server, do you want
to replace it [y/n]? y
In this example, the all key-type was specified to change all the active key types for the host. This
will change all three key types (RSA, RSA1, and DSA) on the host and update those key types on
the directory server. If you only want to change one key type or manage just one key type in the
directory server, specify just that type (rsa1, rsa, or dsa) instead of all.
If the root user has already updated the keys for the remote host, you can use the same process
as described previously.
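After changing a host's keys as described in this section, an administrator will want to confirm that the key the host now serves is the one the directory holds for it, so a stale or partially updated entry is caught before clients are pointed at it. The following check is an added example, not part of the guide; it assumes ldaphostlist -n prints the host entry as LDIF with one "sshPublicKey: <type> <base64> [comment]" line per key (the guide only shows the "dn:" line), and the local key line would normally come from /opt/ssh/etc/ssh_host_rsa_key.pub. The function names and the sample data are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the guide). Real inputs would be:
#   LOCAL_PUB=$(cat /opt/ssh/etc/ssh_host_rsa_key.pub)
#   LDIF_ENTRY=$(/opt/ldapux/bin/ldaphostlist -n baker)
# Assumption: ldaphostlist prints LDIF with "sshPublicKey:" attribute lines.
# Handles OpenSSH-format keys (ssh-rsa, ssh-dss); the rsa1 format has no
# type token in field 1 and is not covered here.

# key_body KEYLINES TYPE: print the base64 body (field 2) of the first
# line whose type token (field 1) equals TYPE; empty output if none.
key_body() {
    printf '%s\n' "$1" | awk -v t="$2" '$1 == t { print $2; exit }'
}

# ldif_keys LDIF: print every sshPublicKey value with the prefix removed.
ldif_keys() {
    printf '%s\n' "$1" | sed -n 's/^sshPublicKey: //p'
}

# check_host_key LOCAL_PUB_LINE LDIF_ENTRY TYPE
# Prints "ok" (exit 0) when the directory copy of TYPE equals the local
# key, "drift" (exit 1) when it differs, and "missing" (exit 2) when the
# directory has no key of that type, e.g. ldaphostmgr -k was never run.
check_host_key() {
    local_key=$(key_body "$1" "$3")
    dir_key=$(key_body "$(ldif_keys "$2")" "$3")
    if [ -z "$dir_key" ]; then
        echo missing; return 2
    elif [ "$local_key" = "$dir_key" ]; then
        echo ok; return 0
    else
        echo drift; return 1
    fi
}

# Constructed sample: host "baker" has rotated its RSA key locally, but the
# directory still carries the previous RSA key (key bodies are placeholders).
LOCAL_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABNEWKEY== root@baker'
LDIF_ENTRY='dn: cn=baker,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: baker
sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAACBDSAKEY== root@baker
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABOLDKEY== root@baker'

if [ "${1:-}" = "--demo" ]; then
    check_host_key "$LOCAL_PUB" "$LDIF_ENTRY" ssh-rsa   # prints "drift"
fi
```

Run with --demo to see the sample result; in production, loop over each key type the host serves and treat "drift" or "missing" as a reason to rerun ldaphostmgr -k before trusting the entry.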
8.3.6 Changing key size
To change the key size used on a host, you must first use ssh-keygen to generate the new key, and
then use ldaphostmgr to upload that key to the directory server. The following example shows
how to change the bit size of the RSA key. In the example, we are logged in as root on the host
chef:
# /opt/ssh/bin/ssh-keygen -b 4096 -t rsa -f /opt/ssh/etc/ssh_host_rsa_key
Generating public/private rsa key pair.
Please be patient.... Key generation may take a few minutes
/opt/ssh/etc/ssh_host_rsa_key already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /opt/ssh/etc/ssh_host_rsa_key.
8.3 Managing keys in the directory server 269