ldaphostmgr.1m (2010 09)

ldaphostmgr(1M) ldaphostmgr(1M)
-I Adds/modifies additional information about the host:
   entityVersion=$(/usr/bin/uname -sr)
   entityModel=$(/usr/bin/model)
   On ADS, the operatingSystem and operatingSystemVersion attributes are used instead of entityVersion. entityModel is not defined in an ADS environment.
   Note that if a -I option is specified and the host being managed is remote, ldaphostmgr performs a remote login to that host to discover that information. This means that when the LDAP credentials are specified (through the prompt or LDAP_BINDDN), those credentials must also represent a POSIX account, so that a remote login to that host can be performed using that identity. -I on a remote host will fail if LDAP-UX (version > B.05.00) is not installed on that host.
-k [[!|?|^]keytype][-e days_to_expiration]
   Can be used to add, change, remove or validate ssh key(s) for the host. keytype is optional and is either a key-string as defined in the -t option of the ssh-keygen man page (currently defined as rsa1, rsa, and dsa), the key-string all, or a file path name that references a file containing keys for the host. The key-file format is the same as a host-key file (such as found in /etc/opt/ssh/ssh*.pub), except that more than one key may be specified, on separate lines. If a key-file is specified, the key(s) found in the key-file are simply added/modified in the host entry, without validation of the actual keys used on the host. The !, ?, and ^ controls do not apply when using a key-file.
   When adding or modifying keys (neither the ! nor ? control is specified) and keytype is one of the specified key-strings (not a key-file path), then for the specified key type (or all key types):
      If the key of that type exists on the host, but does not yet exist in the directory server entry for this host, then that key will be added to the directory server entry for the host.
      If the key of that type does not exist on the host, a new key on the host will be created, and that key will be added to the directory server entry for this host. If the host entry already contains a key of the same type, that key will be replaced in the entry with the newly created key.
      If the key of that type exists on both the host and in the host's directory server entry, then ldaphostmgr will change the current key of that type on the host and then replace that key in the host's directory server entry. ldaphostmgr prompts for confirmation before changing an existing key on the host, unless the -X option is specified (in which case, the key will not be changed unless -F is also specified).
   If the ! control is specified, the specified key(s) are removed from the host entry in the directory server. The actual keys on the host are not removed. If the ? control is specified, the key(s) on the host are validated against those found in the representative directory entry for the specified host. This option is usually used on the local host, so that the owner can verify the host key integrity as represented by the directory server. Note also that the ? character is often interpreted by the shell (man shells(4)), and thus should be escaped or quoted.
   When adding or modifying keys for a remote host, ldaphostmgr will attempt to connect to that remote host using ssh itself. However, ssh itself may not be able to trust the identity of the remote host if a local copy of the remote host's key is not available in a local known_hosts file or in the LDAP directory server. If the identity of the remote host cannot be positively identified, ldaphostmgr will issue a WARNING and prompt for confirmation that the remote key should be trusted. If the user chooses to trust the unidentified host, ssh-keyscan will be used to discover the remote public keys, and those keys will be added/replaced in the directory server entry. Because untrusted discovery is subject to a man-in-the-middle or spoofing attack, this method of key discovery is not recommended unless the key fingerprint can be validated.
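As an added illustration of the ? validation described above (example code, not part of ldaphostmgr or this manual): a POSIX shell function that compares a set of keys in the key-file format (one key per line, as in ssh*.pub, with rsa1 keys in their older "bits exponent modulus" form) against the keys actually present on a host, and reports one status per key type. All key material is constructed for the example.

```shell
#!/bin/sh
# Added example (not ldaphostmgr code): compare the ssh host keys present on a
# host with the keys recorded for it in the directory, both supplied in the
# key-file format described above ("keytype base64 [comment]" per line; rsa1
# keys use "bits exponent modulus"). Key material below is constructed.

HOST_KEYS='ssh-rsa AAAAB3CONSTRUCTEDrsaHOST root@host1
ssh-dss AAAAB3CONSTRUCTEDdsaHOST root@host1
1024 35 1234567890CONSTRUCTED root@host1'

DIR_KEYS='# constructed: keys as held in the host entry on the directory server
ssh-rsa AAAAB3CONSTRUCTEDrsaHOST root@host1
ssh-dss AAAAB3CONSTRUCTEDdsaOLD root@host1'

# compare_keys DIR_KEYS HOST_KEYS -> one "keytype STATUS" line per key type
compare_keys() {
  { printf '%s\n' "$1"; echo '--HOST--'; printf '%s\n' "$2"; } | awk '
    # rsa1 lines carry no type string, only "bits exponent modulus"
    function keytype() { return ($1 ~ /^[0-9]+$/) ? "rsa1" : $1 }
    function keyval()  { return ($1 ~ /^[0-9]+$/) ? $2 " " $3 : $2 }
    $0 == "--HOST--" { side = "host"; next }
    NF < 2 || /^#/   { next }                   # blank or comment line
    side == "host"   { hk[keytype()] = keyval(); next }
                     { dk[keytype()] = keyval() }
    END {
      for (t in dk) {
        if (!(t in hk))          print t, "MISSING_ON_HOST"
        else if (hk[t] == dk[t]) print t, "OK"
        else                     print t, "MISMATCH"
      }
      for (t in hk) if (!(t in dk)) print t, "MISSING_IN_DIRECTORY"
    }' | sort
}

# Exit status 0 only when every key type agrees on both sides.
keys_consistent() {
  if compare_keys "$1" "$2" | grep -qv ' OK$'; then return 1; fi
  return 0
}

compare_keys "$DIR_KEYS" "$HOST_KEYS"
```

A MISMATCH for a type is exactly the case in which a key on the host no longer matches what the directory asserts for it and deserves investigation before the entry is updated.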
4 Hewlett-Packard Company 4 HP-UX 11i v3: June 2010 Web Release