LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
checkhostip yes
### CCD NOTE:
### The following keyword-argument pairs are configured in LDAP server.
### If you want to add local configurations to this file, add above the
### "CCD NOTE" line. Anything added manually below this line will be
### gone at next LDAP update.
# Keyword-argument pairs defined in LDAP server global entry:
updatekeyfromldap no
useldaphostkey yes
The central configuration service (ldapconfd) can also be used to centrally manage other ssh and
sshd parameters. For example, once ssh host keys are managed in a directory server, users on
hosts managed with LDAP-UX always have access to the public keys of remote hosts. In that case,
users should not be prompted about whether to accept keys that have not been verified, so you
could consider enabling the strict-host-key-checking feature of ssh: with strictHostKeyChecking
set to yes, ssh never adds an unknown host key automatically and refuses to connect to a host
whose key it does not already have, instead of prompting the user. The trade-off is that a host
whose key is missing or stale in the directory cannot be reached until its entry is corrected. As
an example, the following could be added to the global configuration policy DN:
serviceConfigParam: ssh/client/ssh_config:strictHostKeyChecking yes
Values configured in the global policy override those defined in the local configuration. For
example, if the local ssh_config file defines “strictHostKeyChecking ask”, but the
central configuration is defined as described previously, then the “strictHostKeyChecking
ask” line is commented out by ldapconfd, and a “strictHostKeyChecking yes” line is added to
the CCD section of the ssh_config file.
8.5.1 Overriding central configuration
There are two ways to override the global configuration on a specific host:
• Disable ldapconfd on that specific host. To completely disable ldapconfd, modify the
/etc/opt/ldapux/ldapconfd.conf file by setting the enable_ldapconfd parameter
to zero:
enable_ldapconfd 0
• Set a host-specific policy. For example, if the global policy for strictHostKeyChecking
is set to yes, and you want to set it to ask for a specific host, you can add a
serviceConfigParam to the host entry, using either the ldapentry or ldaphostmgr
tool. For example, use the following command to enable the ask policy on the “brewer”
system (assuming no Central Configuration policy has previously been set for this host):
baker (): ldaphostmgr -A objectclass=networkService \
-A "serviceConfigParam=ssh/client/ssh_config:strictHostKeyChecking ask" brewer
bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]:
Password:
baker (): ldaphostlist -n brewer serviceConfigParam
dn: cn=brewer,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: brewer
cn: brewer.mydomain.cup.hp.dom
ipHostNumber: 192.0.32.11
serviceConfigParam: ssh/client/ssh_config:strictHostKeyChecking ask
With ldapentry, just specify the name of the host to edit, as follows:
baker (): ldapentry -m hosts brewer
Then once in the editor established by ldapentry, simply add the networkService object
class and the serviceConfigParam as shown in the preceding example.
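The merge behaviour described in this section and in section 8.5 (global policy DN, host-specific override, local lines commented out, CCD section regenerated) as an added model written for this page; it is not ldapconfd's own code. The page establishes the "file:keyword value" syntax of serviceConfigParam, the CCD NOTE banner, the precedence of the host entry over the global policy and the comment-out of colliding local lines. The parsing rules, the render helper, the sample ssh_config and the ForwardAgent line placed by hand below the marker are constructed assumptions for the illustration.

```python
"""Model of how ldapconfd applies serviceConfigParam values to ssh_config.

Added example, not ldapconfd's own code. The page establishes: the
'file:keyword value' syntax, that a host entry's serviceConfigParam
overrides the global policy DN, that a colliding local line is commented
out, and that everything below "### CCD NOTE:" is regenerated at each
update. Parsing details and the sample file below are assumptions.
"""

CCD_MARKER = "### CCD NOTE:"
CCD_BANNER = [
    CCD_MARKER,
    "### The following keyword-argument pairs are configured in LDAP server.",
    "### If you want to add local configurations to this file, add above the",
    '### "CCD NOTE" line. Anything added manually below this line will be',
    "### gone at next LDAP update.",
    "# Keyword-argument pairs defined in LDAP server:",
]


def parse_service_config_params(values):
    """'ssh/client/ssh_config:strictHostKeyChecking yes' -> {file: {key: (keyword, value)}}.

    The dict key is the lower-cased keyword because ssh_config keywords are
    case-insensitive; the spelling from the directory is kept for output.
    """
    params = {}
    for entry in values:
        target, sep, assignment = entry.partition(":")
        keyword, _, value = assignment.strip().partition(" ")
        if not sep or not keyword or not value.strip():
            raise ValueError("malformed serviceConfigParam: %r" % entry)
        params.setdefault(target, {})[keyword.lower()] = (keyword, value.strip())
    return params


def effective_params(global_values, host_values):
    """Merge the global policy DN with a host entry; the host-specific value wins."""
    merged = {}
    for source in (global_values, host_values):
        for target, kvs in parse_service_config_params(source).items():
            merged.setdefault(target, {}).update(kvs)
    return merged


def apply_ccd(local_text, managed):
    """Rewrite one managed file the way the page describes ldapconfd doing it."""
    lines = local_text.splitlines()
    # Everything from the marker down belongs to ldapconfd and is rebuilt,
    # so a setting slipped in below the marker does not survive an update.
    for i, line in enumerate(lines):
        if line.strip() == CCD_MARKER:
            lines = lines[:i]
            break
    out = []
    for line in lines:
        body = line.strip()
        if body and not body.startswith("#"):
            keyword = body.split(None, 1)[0].lower()
            if keyword in managed:
                out.append("# " + line)  # local value collides with policy: commented out
                continue
        out.append(line)
    out.extend(CCD_BANNER)
    for keyword, value in sorted(managed.values()):
        out.append("%s %s" % (keyword, value))
    return "\n".join(out) + "\n"


# Constructed inputs (assumptions): the global policy from the text, the host
# entry for brewer, and a local file with a colliding setting above the marker
# plus a ForwardAgent line someone added by hand below it.
GLOBAL_POLICY = ["ssh/client/ssh_config:strictHostKeyChecking yes"]
BREWER_HOST_ENTRY = ["ssh/client/ssh_config:strictHostKeyChecking ask"]
LOCAL_SSH_CONFIG = """\
# settings added by the local administrator
strictHostKeyChecking ask
checkhostip yes
### CCD NOTE:
### (banner from the previous update)
# Keyword-argument pairs defined in LDAP server:
strictHostKeyChecking yes
ForwardAgent yes
"""


def render(host_values):
    """ssh_config as ldapconfd would leave it for a host with the given entry."""
    managed = effective_params(GLOBAL_POLICY, host_values)["ssh/client/ssh_config"]
    return apply_ccd(LOCAL_SSH_CONFIG, managed)


if __name__ == "__main__":
    print(render([]))                 # host with no policy of its own: yes
    print(render(BREWER_HOST_ENTRY))  # brewer: ask
```

Running it shows the two outcomes side by side: on a host with no entry of its own the local “strictHostKeyChecking ask” is commented out and “yes” lands in the CCD section, while for brewer the host entry wins and “ask” is written there instead; in both cases the hand-added ForwardAgent line below the marker is gone, and applying the rewrite a second time changes nothing.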
8.6 Distributing keys to non-HP-UX hosts
The integrated ability to automatically use LDAP as an ssh key repository is available in HP Secure
Shell A.05.50 or later. If you plan on using LDAP central ssh key management in a heterogeneous
environment, your ssh applications on other platforms might not be able to discover those keys in
the directory server. While the sshPublicKey attribute is used by other ssh implementations, it
274 Managing ssh host keys with LDAP-UX (HP directory servers only)