LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
is not available on all platforms. To enable a heterogeneous data center to participate in central
ssh key management, you might need to distribute keys to non-HP-UX hosts. The following is a
sample script that, with platform-dependent modifications, can be used to periodically retrieve an
updated public key list and store it in the host's ssh_known_hosts file. It could be run as a periodic
cron job (see the crontab(1M) manpage).
A perl script is required to help parse the LDAP host entries. This perl script uses the perl-ldap
perl module, which is common on most UNIX and Linux platforms:
#!/usr/bin/perl
# Read an LDIF file of host entries and print one "name key" line per
# (cn, sshPublicKey) pair, which is the ssh_known_hosts line format.
use strict;
use warnings;
use Net::LDAP::LDIF;
use Net::LDAP::Entry;

my $infilename = shift || die "Input LDIF file name required";
# onerror => 'undef' makes read_entry() return undef on a malformed entry
# instead of dying, so the error can be reported below and parsing continues.
my $ldif = Net::LDAP::LDIF->new( $infilename, "r", onerror => 'undef' );
while ( not $ldif->eof() ) {
    my $entry = $ldif->read_entry();
    if ( $ldif->error() ) {
        print "Error msg: ", $ldif->error(), "\n";
        print "Error lines:\n", $ldif->error_lines(), "\n";
    } else {
        # Trailing blank lines can yield no entry and no error; skip them.
        next unless defined $entry;
        # A host may have several names (cn values) and several keys;
        # emit every name/key combination.
        my @names = $entry->get_value("cn");
        my @keys  = $entry->get_value("sshPublicKey");
        foreach my $name (@names) {
            foreach my $key (@keys) {
                print "$name $key\n";
            }
        }
    }
}
$ldif->done();
The input to this script is an LDIF file, which must be obtained through the ldapsearch command,
also available on most platforms. Note that the connection to the directory server should be made
with SSL, to make sure the client has some assurance that it is not communicating with an impostor
directory server. The following example is for the ldapsearch command available with LDAP-UX.
Your ldapsearch command might require slightly different parameters:
ldapsearch -Z -P CACertPath -b "ou=hosts,dc=mydomain,dc=example,dc=com" \
    -h hostname "(&(objectclass=iphost)(sshpublickey=*))" \
    cn sshpublickey > allhostkeys.ldif
To create the known_hosts file, send the output of ldapsearch into the preceding script. If you
named the preceding perl script makeKnownHosts.pl, you would then use:
makeKnownHosts.pl allhostkeys.ldif > ssh_known_hosts
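The two steps above (ldapsearch into an LDIF file, then LDIF into ssh_known_hosts) are what the periodic cron job has to string together. The following is an added example, not code from the LDAP-UX guide: a POSIX shell script that does the LDIF-to-known_hosts conversion in awk (rejoining the continuation lines ldapsearch emits for long values, and pairing every cn with every sshPublicKey as the perl script does), then checks the result before replacing the live file. The check matters for a job that runs unattended: an LDAP outage, an expired certificate or an empty search result must not leave an empty ssh_known_hosts behind, because hosts would then fall back to first-connection key acceptance. The sample LDIF, the hostnames and the key blobs are constructed placeholders; the function names, the CACERT_PATH and LDAP_HOST variables and the /etc/ssh/ssh_known_hosts target are this example's assumptions, and the ldapsearch options are those of the LDAP-UX ldapsearch shown above.

```shell
#!/bin/sh
# Added example (not from the LDAP-UX guide): cron wrapper that converts the
# ldapsearch LDIF output into ssh_known_hosts, refusing to replace the live
# file when the result is empty or malformed.

# Constructed sample LDIF standing in for allhostkeys.ldif. DNs, hostnames and
# key blobs are made up (base64-shaped placeholders, not real keys). The alpha
# key is wrapped onto an LDIF continuation line, as ldapsearch does for long
# values, so the parser has to rejoin it.
SAMPLE_LDIF='dn: cn=alpha,ou=hosts,dc=example,dc=com
objectClass: iphost
cn: alpha
cn: alpha.example.com
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0PLACEHOLDERALPHA
 Z0UzQWxwaGE= root@alpha

dn: cn=beta,ou=hosts,dc=example,dc=com
objectClass: iphost
cn: beta
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERBETA0000 root@beta

dn: cn=gamma,ou=hosts,dc=example,dc=com
objectClass: iphost
cn: gamma
description: entry without sshPublicKey, must produce no line
'

# LDIF on stdin -> "hostname keytype blob [comment]" lines on stdout, one per
# (cn, sshPublicKey) pair, the same pairing the guide's perl script performs.
ldif_to_known_hosts() {
  awk '
    function flush(   i, j) {
      for (i = 1; i <= nn; i++)
        for (j = 1; j <= nk; j++)
          print names[i] " " keys[j]
      nn = 0; nk = 0
    }
    function take(line,   p, attr, val) {
      p = index(line, ":")
      if (line == "" || line ~ /^#/ || p == 0) return
      attr = tolower(substr(line, 1, p - 1))
      val = substr(line, p + 1)
      if (substr(val, 1, 1) == ":") {
        # "attr:: base64" form; ssh keys are plain ASCII, so treat it as a fault
        print "ldif_to_known_hosts: refusing base64-encoded " attr > "/dev/stderr"
        return
      }
      sub(/^ +/, "", val)
      if (attr == "cn") names[++nn] = val
      else if (attr == "sshpublickey") keys[++nk] = val
    }
    /^ / { cur = cur substr($0, 2); next }   # continuation of the previous line
    { take(cur); cur = $0; if ($0 == "") flush() }   # blank line ends an entry
    END { take(cur); flush() }
  '
}

# Every line must look like a known_hosts entry: host, a known key type, a
# base64 blob, optional comment. Offending lines go to stderr; returns 1 if any.
validate_known_hosts() {
  if grep -Ev '^[A-Za-z0-9._-]+ (ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' "$1" >&2; then
    return 1
  fi
  return 0
}

# Build the new file next to the target and swap it in atomically, but only if
# the conversion produced at least one well-formed line. On any failure the
# existing file is left untouched and 1 is returned.
install_known_hosts() {
  src=$1; target=$2
  tmp="$target.tmp.$$"
  if ! ldif_to_known_hosts < "$src" > "$tmp"; then rm -f "$tmp"; return 1; fi
  if ! [ -s "$tmp" ]; then
    echo "install_known_hosts: no keys in $src, keeping $target" >&2
    rm -f "$tmp"; return 1
  fi
  if ! validate_known_hosts "$tmp"; then
    echo "install_known_hosts: malformed lines, keeping $target" >&2
    rm -f "$tmp"; return 1
  fi
  chmod 0644 "$tmp" && mv -f "$tmp" "$target"
}

# What cron would call on a real host: query the directory over SSL (-Z/-P as
# for the LDAP-UX ldapsearch; adjust for your platform), then install the
# result. CACERT_PATH and LDAP_HOST are assumed to be set in the environment.
refresh_from_directory() {
  out=/var/tmp/allhostkeys.ldif.$$
  ldapsearch -Z -P "$CACERT_PATH" -b "ou=hosts,dc=mydomain,dc=example,dc=com" \
    -h "$LDAP_HOST" "(&(objectclass=iphost)(sshpublickey=*))" \
    cn sshpublickey > "$out" || { rm -f "$out"; return 1; }
  install_known_hosts "$out" /etc/ssh/ssh_known_hosts
  rc=$?
  rm -f "$out"
  return $rc
}

# Offline demonstration with the constructed sample (no directory needed).
demo_dir=$(mktemp -d)
printf '%s' "$SAMPLE_LDIF" > "$demo_dir/allhostkeys.ldif"
if install_known_hosts "$demo_dir/allhostkeys.ldif" "$demo_dir/ssh_known_hosts"; then
  cat "$demo_dir/ssh_known_hosts"
fi
```

For the real job, call refresh_from_directory from crontab instead of the demonstration block at the end, and log its exit status: a non-zero return means the previous ssh_known_hosts is still in place and someone should look at why the directory query produced nothing usable.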
8.6 Distributing keys to nonHP-UX hosts 275