LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
how to set a key that should be considered expired in 2 years. If the key already exists in the
directory server, you are prompted to replace it with a new key, if you so choose.
chef (): ldaphostmgr -k rsa -e 730 chef
bind-dn [uid=domadmin,ou=People,dc=cup,dc=hp,dc=com]:
Password:
The public key(s) already exists in LDAP server, do you want
to replace it [y/n]? y
To display the key expiration date, use ldaphostlist with the -k option:
chef (): ldaphostlist -k -n chef
dn: cn=chef,ou=Hosts,dc=cup,dc=hp,dc=com
cn: chef
cn: chef.cup.hp.com
ipHostNumber: 16.92.96.225
sshPublicKey: ssh-rsa AAAAB... BEGIN-KM ... expirationtime=20120426204647Z END-KM
8.4.2 Key auditing
To display hosts with expired keys or keys that are older than a specified age, use the -k option
of ldaphostlist. To display keys that are older than a specific age, use the -k option followed
by the number of days preceded by a dash. For example, to show keys that were created over 1
year ago, use the following command:
baker (): ldaphostlist -k -365
dn: cn=chef,ou=Hosts,dc=cup,dc=hp,dc=com
cn: chef
cn: chef.cup.hp.com
ipHostNumber: 16.92.96.225
sshPublicKey: ssh-rsa AAAAB3... BEGIN-KM creationtime=20090426204647Z ... END-KM
If you are setting expiration information in keys, you may also use the -k option of ldaphostlist
to display hosts with keys that have expired or will expire within a specified number of days. In
this case, specify the -k age option without the preceding dash. For example, to display keys that
have already expired or will expire within the next 20 days, use the following:
baker (): ldaphostlist -k 20
dn: cn=chef,ou=Hosts,dc=cup,dc=hp,dc=com
cn: chef
cn: chef.cup.hp.com
ipHostNumber: 16.92.96.225
sshPublicKey: ssh-rsa AAAAB3... BEGIN-KM ... expirationtime=20100515195500Z END-KM
NOTE: The preceding examples assume the commands were run on May 27th, 2010, at midnight UTC, which is represented by 20100427000000Z.
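As an added example, not part of the guide: a small Python script that reproduces the two -k selections described above over constructed ldaphostlist output, by parsing the BEGIN-KM ... END-KM metadata carried on each sshPublicKey value. The host names, DNs and timestamps are made up for the example; the reference time is the 20100427000000Z the guide's examples use.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout "ldaphostlist -k" prints (not real directory
# data); hosts, DNs and key metadata are made up for this example.
SAMPLE_OUTPUT = """\
dn: cn=chef,ou=Hosts,dc=example,dc=com
sshPublicKey: ssh-rsa AAAAB3... BEGIN-KM creationtime=20090426204647Z expirationtime=20100515195500Z END-KM
dn: cn=baker,ou=Hosts,dc=example,dc=com
sshPublicKey: ssh-rsa AAAAB3... BEGIN-KM creationtime=20100301000000Z expirationtime=20120301000000Z END-KM
dn: cn=delta,ou=Hosts,dc=example,dc=com
sshPublicKey: ssh-rsa AAAAB3... BEGIN-KM creationtime=20100410120000Z expirationtime=20100420120000Z END-KM
"""

# "Now" pinned to 20100427000000Z, the reference time used in the guide's examples.
NOW = datetime(2010, 4, 27, tzinfo=timezone.utc)
KM_RE = re.compile(r"BEGIN-KM\s+(.*?)\s+END-KM")


def parse_gtime(value):
    """Parse an LDAP GeneralizedTime such as 20100515195500Z into an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_hosts(output):
    """Yield (host cn, KM metadata dict) for every sshPublicKey line in the output."""
    host = None
    for line in output.splitlines():
        if line.startswith("dn: cn="):
            host = line[len("dn: cn="):].split(",", 1)[0]
        elif line.startswith("sshPublicKey:"):
            m = KM_RE.search(line)
            if not m:
                continue  # key carries no key-management metadata block
            meta = dict(tok.split("=", 1) for tok in m.group(1).split() if "=" in tok)
            yield host, meta


def audit_keys(output, age_days, now=NOW):
    """Mimic 'ldaphostlist -k <age>': a negative age selects keys created more than
    abs(age) days ago; a non-negative age selects keys expired or expiring within it."""
    hits = set()
    for host, meta in parse_hosts(output):
        if age_days < 0 and "creationtime" in meta:
            if parse_gtime(meta["creationtime"]) < now - timedelta(days=-age_days):
                hits.add(host)
        elif age_days >= 0 and "expirationtime" in meta:
            if parse_gtime(meta["expirationtime"]) <= now + timedelta(days=age_days):
                hits.add(host)
    return sorted(hits)
```

Keys without an expirationtime never match a non-negative age, mirroring the guide's remark that expiry auditing only works if you set expiration information on the keys.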
8.5 Centrally managing ssh configuration
To enable ssh key management on hosts, the ssh_config file, and optionally the
sshd_config file, must be configured with the UseLdapHostKey parameter, and optionally
the UpdateKeyFromLdap parameter. To reduce the cost of changing these configuration
files on every host, you can configure LDAP-UX to centrally manage the parameters
of these files using the LDAP-UX central configuration service, provided by ldapconfd. Support
for ldapconfd is limited to managing HP Secure Shell configuration, as documented in this
section.
To do this, you must create a global configuration policy. First specify the location
of the global configuration policy in the LDAP-UX configuration profile. Then create a configuration
policy entry using the configurableService object class and the serviceConfigParam
attributes. This schema for the central configuration service is defined in the
/etc/opt/ldapux/schema/ldapux5.0.xml file delivered with LDAP-UX B.05.00. You can install
that schema on your directory server using the ldapschema tool, described in Section 9.5.3
(page 361). That schema is installed automatically if you use the guided installation.
Use the ldapentry tool to modify the LDAP-UX Configuration profile. For example:
272 Managing ssh host keys with LDAP-UX (HP directory servers only)