Secure Shell (SSH) in HP SIM

Note: The sshuser utility is a new utility included with the OpenSSH supplied by HP SIM 6.x and replaces the mxpasswd command previously available. This utility was not supplied with previous versions of OpenSSH from HP. If not present on the managed system, you can copy it from the HP SIM installation directory (C:\Program Files\HP\Systems Insight Manager\lbin\sshuser.exe).

For example, the following command permits SSH access for user joe in the Windows domain MyDomain:

sshuser -u joe -d MyDomain -f "C:\Program Files\OpenSSH\etc\passwd"

This command adds the following entry to the end of the passwd file:

mydomain\joe:unused_by_nt/2000/xp:9159:513:JOE,U-mydomain\joe,S-1-5-21-27163274-143742939-1512734326-9159:/cygdrive/C/Documents and Settings/hpsimssh:/bin/switch

The domain name is included with the user, to remove any conflicts between users from different domains with the same name. The home directory specified is hpsimssh rather than the user’s real home directory because this user has never logged in to this system before and does not have a real home directory assigned by Windows. The home directory specified here is used to locate the ssh keys for user authentication; as the same keys are used by HP SIM for all users, a common home directory sshuser can be used.

Sshuser also ensures that the passwd file only contains a single entry for a given user. It removes duplicate entries for the given user.

Sshuser must be run by an administrator of the system, and (for the HP implementation of OpenSSH on Windows) only administrators can be given SSH access. In addition, the user running sshuser must have sufficient rights to obtain the SID for the user being added. A local user has sufficient rights to add other local users, but you must have a domain account if you want to add domain users. If in doubt, run sshuser without the -f option to view the command output.
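
The passwd entry format shown above lends itself to an offline audit of which accounts have been granted SSH access. The following Python code is an added example, not part of HP SIM or of the original document: it parses entries in that format and reports malformed lines, duplicate users (compared case-insensitively), and entries whose uid does not match the SID. The names parse_entry and audit_passwd are hypothetical, every sample line after the first is constructed, and the rule that the uid field equals the last component of the SID is an assumption drawn from the single entry shown above.

```python
import re
from collections import defaultdict

# Constructed sample: only the first line is the entry shown on the page.
SAMPLE_PASSWD = r"""mydomain\joe:unused_by_nt/2000/xp:9159:513:JOE,U-mydomain\joe,S-1-5-21-27163274-143742939-1512734326-9159:/cygdrive/C/Documents and Settings/hpsimssh:/bin/switch
MyDomain\Joe:unused_by_nt/2000/xp:9159:513:JOE,U-mydomain\joe,S-1-5-21-27163274-143742939-1512734326-9159:/cygdrive/C/Documents and Settings/hpsimssh:/bin/switch
mydomain\ann:unused_by_nt/2000/xp:1004:513:ANN,U-mydomain\ann,S-1-5-21-27163274-143742939-1512734326-2210:/cygdrive/C/Documents and Settings/hpsimssh:/bin/switch
broken line without enough fields
"""

SID_RE = re.compile(r"S-1-(?:\d+-)+(\d+)")  # captures the last SID component

def parse_entry(line):
    """Split one passwd line into its seven colon-separated fields."""
    parts = line.split(":")
    if len(parts) != 7:
        return None
    name, _pw, uid, gid, gecos, home, shell = parts
    m = SID_RE.search(gecos)
    return {"name": name, "uid": uid, "gid": gid, "home": home, "shell": shell,
            "sid": m.group(0) if m else None, "rid": m.group(1) if m else None}

def audit_passwd(text):
    """Return (entries, findings); each finding is (line number, kind, detail)."""
    entries, findings = [], []
    seen = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        e = parse_entry(line.strip())
        if e is None:
            findings.append((lineno, "malformed", line.strip()))
            continue
        entries.append(e)
        # Windows account names are case-insensitive, so compare folded.
        seen[e["name"].casefold()].append(lineno)
        if e["sid"] is None:
            findings.append((lineno, "no-sid", e["name"]))
        elif e["rid"] != e["uid"]:
            # Assumption from the page's sample: uid equals the SID's last part.
            findings.append((lineno, "uid-sid-mismatch", e["name"]))
    for name, lines in seen.items():
        if len(lines) > 1:
            findings.append((lines[-1], "duplicate", name))
    return entries, findings

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD)[1]:
        print(finding)
```
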

Mxagentconfig

The mxagentconfig command is used to configure the managed system to allow SSH access from the CMS. Different options are available to set up the user public key, host-based authentication, or to validate an existing configuration. An option is also available to remove entries from the CMS known_hosts file.

mxagentconfig -a -n <managed system> -u <username> [-p <password>]

This option configures user-based public key authentication on the specified managed system. It places the public key (.dtfSshKey.pub) of the HP SIM CMS in the user’s authorized_keys2 file.

First, mxagentconfig opens an SSH connection to the specified managed system. This means that SSH must be already installed on the managed system. If the specified system is a Windows system, then the user must already have been added to the passwd file. See the sshuser section. The SSH server uses password authentication to validate the specified user. A secure ftp (sftp) channel is then opened to allow file access to the managed system.

The user’s home directory is examined for the .ssh subdirectory. If it does not exist, it is created. Then mxagentconfig checks for the existence of the authorized_keys2 file. If it exists, mxagentconfig appends the public key of the CMS (.dtfSshKey.pub) to this file. If the file does not exist, it is created with the public key of the CMS as its first entry. At this point, the user is configured for public key authentication on the managed system.