ldaphostmgr.1m (2010 09)
ldaphostmgr(1M) ldaphostmgr(1M)
If ^ is specified, this control is used to disable remote key management, and indicate to ldaphostmgr that the remote host cannot be directly managed by the solution. Instead, the result from a direct ssh-keyscan should be used to discover the remote host's public keys. For example, an appliance that supports ssh, but does not have HP-UX on it, cannot respond properly to remote management commands. Again, ldaphostmgr will issue a WARNING and prompt for confirmation if the remote key should be trusted. Because untrusted discovery is subject to a man-in-the-middle or spoofing attack, this method for key discovery is not recommended unless the key fingerprint can be validated.

Note: if the ^ flag is specified and the target is the local host, ldaphostmgr will simply take the current public key(s) and upload them to the directory server. Since the keys on the local host are considered trusted, a WARNING prompt will not be displayed.

If the -X option is specified, ldaphostmgr will not prompt and fails without adding the keys to the directory entry, unless the -F option is also specified. Use of ^, -X and -F, or answering "yes" to the Un-trusted Discovery: prompt, is not recommended as the primary method for discovery of host keys unless an external and validated transport method can be used to validate the integrity of the updated keys. For example, if the user can create a trusted session to the host (such as connecting to the physical console), the ldaphostmgr -k ? command can be used to validate whether the keys of the host found in the directory server match those that are specified in the /etc/opt/ssh/*.pub files.
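The check the text recommends, validating keys obtained by untrusted discovery against keys read over a trusted channel, as an added example that is not part of ldaphostmgr. It compares the SHA256 fingerprints of key lines in ssh-keyscan output with those of /etc/opt/ssh/*.pub lines obtained through a trusted session (the same fingerprint format ssh-keygen -lf prints). All key material below is constructed for the example, and the host name is a placeholder.

```python
import base64
import hashlib

# OpenSSH key types recognised when locating the key blob on a line.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def parse_key_line(line):
    """Return (keytype, blob) from either a *.pub line ('ssh-ed25519 AAAA... comment')
    or an ssh-keyscan line ('host ssh-ed25519 AAAA...'). None for comments/blanks."""
    fields = line.split()
    for i, field in enumerate(fields):
        if field in KEY_TYPES and i + 1 < len(fields):
            return field, base64.b64decode(fields[i + 1])
    return None


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint: base64 of SHA-256 over the raw key blob,
    trailing '=' padding removed (the value 'ssh-keygen -lf' prints)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def compare_host_keys(discovered_lines, trusted_lines):
    """Compare keys discovered over the network with keys read over a trusted channel.
    Maps key type to 'match', 'mismatch', 'not-discovered' or 'not-trusted';
    a 'mismatch' means the discovered key must not be uploaded to the directory."""
    discovered, trusted = {}, {}
    for line in discovered_lines:
        parsed = parse_key_line(line)
        if parsed:
            discovered[parsed[0]] = fingerprint(parsed[1])
    for line in trusted_lines:
        parsed = parse_key_line(line)
        if parsed:
            trusted[parsed[0]] = fingerprint(parsed[1])
    result = {}
    for keytype in set(discovered) | set(trusted):
        if keytype not in trusted:
            result[keytype] = "not-trusted"
        elif keytype not in discovered:
            result[keytype] = "not-discovered"
        elif discovered[keytype] == trusted[keytype]:
            result[keytype] = "match"
        else:
            result[keytype] = "mismatch"
    return result


# --- constructed sample data (not real keys) ---------------------------------
def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def _make_blob(keytype, pubbytes):
    return _ssh_string(keytype.encode()) + _ssh_string(pubbytes)


GOOD_BLOB = _make_blob("ssh-ed25519", bytes(range(32)))
OTHER_BLOB = _make_blob("ssh-ed25519", bytes(range(32, 64)))
GOOD_B64 = base64.b64encode(GOOD_BLOB).decode()
OTHER_B64 = base64.b64encode(OTHER_BLOB).decode()

# Contents of /etc/opt/ssh/ssh_host_ed25519_key.pub as read on the host console
TRUSTED_PUB_LINES = [f"ssh-ed25519 {GOOD_B64} root@appliance"]
# ssh-keyscan output when the path to the host is untampered
HONEST_KEYSCAN = [f"appliance.example.com ssh-ed25519 {GOOD_B64}"]
# ssh-keyscan output when something on the path substitutes a different key
SPOOFED_KEYSCAN = [f"appliance.example.com ssh-ed25519 {OTHER_B64}"]

if __name__ == "__main__":
    print("untampered:", compare_host_keys(HONEST_KEYSCAN, TRUSTED_PUB_LINES))
    print("spoofed   :", compare_host_keys(SPOOFED_KEYSCAN, TRUSTED_PUB_LINES))
```

Only a result of "match" for every key type justifies answering "yes" to the Un-trusted Discovery: prompt; "not-trusted" (a key type the host itself does not publish) deserves the same suspicion as a mismatch.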
Note that if a -k option is specified and the host being managed is remote, a remote login to that host will be required and performed by ldaphostmgr to modify the remote keys. This means that when the LDAP credentials are specified (through the prompt or LDAP_BINDDN), those credentials must also represent a POSIX account, such that a remote login to that host can be performed by ldaphostmgr using that identity. The -k option is not supported with ADS.

The -e days-to-expire option is only allowed when the -k option is specified.
To keep track of when keys were originally generated, ldaphostmgr adds a unique management-string to the comment field of the public key. The management-string begins with BEGIN-KM and ends with END-KM. This field is an extensible attribute/value array, which contains at least the creationtime attribute, which identifies when the key was created. In addition, when the -e option is specified, the expirationtime attribute can also be added. Discovery of hosts with expired keys can be performed with the -k option of the ldaphostlist(1M) command. Combined use of ldaphostlist and ldaphostmgr can be used to keep expired keys up-to-date. Refer to the -k option for additional information.
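The management-string described above, worked through as an added example that is not ldaphostmgr's own code. The page names only the BEGIN-KM/END-KM markers and the creationtime and expirationtime attributes; the layout assumed here (attribute=value pairs separated by ';' between the markers) and the LDAP GeneralizedTime timestamp format are assumptions for the example, as are the host names and the placeholder key blob. The expiry report mirrors what the text says ldaphostlist -k reports.

```python
import re
from datetime import datetime, timedelta, timezone

# ASSUMED layout: "BEGIN-KM;attr=value;attr=value;END-KM" in the key's comment field,
# with timestamps in LDAP GeneralizedTime (YYYYMMDDHHMMSSZ).
_KM_RE = re.compile(r"BEGIN-KM;(?P<body>.*?);END-KM")
_TIME_FMT = "%Y%m%d%H%M%SZ"


def parse_management_string(comment):
    """Return the attribute/value pairs between BEGIN-KM and END-KM, or None when the
    comment carries no management-string (a key ldaphostmgr did not generate)."""
    m = _KM_RE.search(comment)
    if not m:
        return None
    attrs = {}
    for item in m.group("body").split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            attrs[name.strip()] = value.strip()
    return attrs


def build_management_string(created, days_to_expire=None):
    """creationtime is always present; expirationtime only when an expiry in days is
    given, mirroring the -e days-to-expire option."""
    parts = ["creationtime=" + created.strftime(_TIME_FMT)]
    if days_to_expire is not None:
        expires = created + timedelta(days=days_to_expire)
        parts.append("expirationtime=" + expires.strftime(_TIME_FMT))
    return "BEGIN-KM;" + ";".join(parts) + ";END-KM"


def key_status(pubkey_line, now):
    """Classify one public-key line: 'unmanaged', 'no-expiry', 'valid' or 'expired'."""
    fields = pubkey_line.split(None, 2)
    comment = fields[2] if len(fields) == 3 else ""
    attrs = parse_management_string(comment)
    if attrs is None:
        return "unmanaged"
    if "expirationtime" not in attrs:
        return "no-expiry"
    expires = datetime.strptime(attrs["expirationtime"], _TIME_FMT)
    expires = expires.replace(tzinfo=timezone.utc)
    return "expired" if now >= expires else "valid"


def expired_hosts(host_keys, now):
    """Given {hostname: [public-key lines]}, return the hosts holding at least one
    expired key; these are the hosts whose keys need regenerating with -k."""
    return sorted(host for host, lines in host_keys.items()
                  if any(key_status(line, now) == "expired" for line in lines))


# --- constructed sample data ---------------------------------------------------
CREATED = datetime(2010, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
NOW = datetime(2010, 6, 1, 0, 0, 0, tzinfo=timezone.utc)
BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIA"  # placeholder, not a real key blob
SAMPLE_HOSTS = {
    "hosta": ["ssh-ed25519 %s %s" % (BLOB, build_management_string(CREATED, 90))],
    "hostb": ["ssh-ed25519 %s %s" % (BLOB, build_management_string(CREATED, 365))],
    "hostc": ["ssh-ed25519 %s %s" % (BLOB, build_management_string(CREATED))],
    "hostd": ["ssh-ed25519 %s root@hostd" % BLOB],  # key never managed by the tool
}

if __name__ == "__main__":
    for host, lines in SAMPLE_HOSTS.items():
        print(host, key_status(lines[0], NOW))
    print("expired:", expired_hosts(SAMPLE_HOSTS, NOW))
```

A key with no expirationtime never shows up as expired, so a rotation policy has to rely on -e being given consistently, or on checking creationtime age directly.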
-m Modifies an existing host entry.

The -a (add), -d (delete), and -m (modify) options are mutually exclusive. The -m option is the default if none of these three options is specified.
-O owner Specifies the owner of the host. If the HP-UX Directory Server was installed using the LDAP-UX Guided Installation process, access control instructions are created such that the owner of the host will be granted administrative rights to manage data about the host, as well as change the ssh keys for the host. The owner can be specified as either an individual or a group, as follows:
[!]DN
[!]user:user_name
[!]group:group_name
where user_name is a Unix account name and group_name is a Unix group name that is maintained in the LDAP directory server.

If the optional ! (ASCII 33) character is specified, the resulting user or group is removed as an owner of the host.

The -O option may be specified more than once.

If ! is specified by itself, all values of the owner attribute will be removed from this entry. Note that removing all owner attributes from an entry is not recommended,
HP-UX 11i v3: June 2010 Web Release − 5 − Hewlett-Packard Company 5