Secure Shell (SSH) in HP SIM

Host-based authentication is very similar to user public key authentication, and is also based on public and private keys. In this case, separate keys are not used for each user. Instead, a single key pair is used to authenticate the SSH client system, and the SSH server trusts the client as to the identity of the individual users. The SSH client uses the client system's private key to encrypt a message to the server, and the SSH server uses the public key for that client system (host) to decrypt the message. If this is successful, the user supplied by the client is authenticated. HP SIM 5.x utilizes this authentication method in addition to public key authentication.
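The trust decision described above, modelled from the server's side, as an added illustration (Python). This is not HP SIM or OpenSSH code: the file names follow the usual OpenSSH conventions for host-based authentication (ssh_known_hosts, shosts.equiv), the host names and keys are constructed placeholders, and the shosts.equiv rules are simplified to "a trusted host may log its users in to same-named accounts". What the model makes visible is the point of the paragraph: the only cryptographic check is on the client host's key; the user name is taken on the client host's word.

```python
"""Simplified model of an SSH server's host-based authentication decision.

Added example, not HP SIM or OpenSSH code. File formats follow OpenSSH
conventions; all host names and key strings below are constructed samples.
"""
from dataclasses import dataclass

# Constructed sample ssh_known_hosts: client host name -> expected host key.
SSH_KNOWN_HOSTS = """\
# constructed sample; keys are placeholders, not real key material
cms.example.test ssh-rsa AAAAB3-PLACEHOLDER-CMS-KEY
lab01.example.test ssh-rsa AAAAB3-PLACEHOLDER-LAB01-KEY
"""

# Constructed sample shosts.equiv (simplified): a bare host name permits that
# host; a leading "-" denies it even if its key is known.
SHOSTS_EQUIV = """\
cms.example.test
-lab01.example.test
"""

CMS_KEY = "ssh-rsa AAAAB3-PLACEHOLDER-CMS-KEY"


@dataclass(frozen=True)
class HostbasedClaim:
    """What the client asserts during host-based authentication."""
    client_host: str   # host name the client claims to be
    host_pubkey: str   # host key the client proved possession of (abstracted)
    client_user: str   # user the client says is logged in on client_host
    server_user: str   # account requested on the server


def parse_known_hosts(text):
    """Return {host: 'keytype key'} from ssh_known_hosts-style lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        host, keytype, key = parts[:3]
        table[host] = f"{keytype} {key}"
    return table


def parse_shosts_equiv(text):
    """Return (allowed_hosts, denied_hosts) from simplified shosts.equiv lines."""
    allowed, denied = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        target = denied if line.startswith("-") else allowed
        target.add(line.lstrip("-").split()[0])
    return allowed, denied


def authenticate(claim, known_hosts, allowed, denied):
    """Return (accepted, reason) for one host-based authentication attempt."""
    expected = known_hosts.get(claim.client_host)
    if expected is None:
        return False, "client host not in ssh_known_hosts"
    # The only cryptographic check: does the proved key belong to that host?
    if expected != claim.host_pubkey:
        return False, "host key does not match ssh_known_hosts"
    if claim.client_host in denied or claim.client_host not in allowed:
        return False, "host not permitted by shosts.equiv"
    if claim.client_user != claim.server_user:
        return False, "same-name accounts only in this simplified model"
    # Nothing above verified who client_user really is; the server relies on
    # the client host having authenticated that user itself.
    return True, "accepted: host verified, user name taken on trust"


def demo():
    """Run a few constructed claims through the decision and collect results."""
    known = parse_known_hosts(SSH_KNOWN_HOSTS)
    allowed, denied = parse_shosts_equiv(SHOSTS_EQUIV)
    cases = {
        "trusted host, matching key":
            HostbasedClaim("cms.example.test", CMS_KEY, "alice", "alice"),
        "trusted host, wrong key":
            HostbasedClaim("cms.example.test", "ssh-rsa AAAAB3-PLACEHOLDER-OTHER",
                           "alice", "alice"),
        "denied host, correct key":
            HostbasedClaim("lab01.example.test",
                           "ssh-rsa AAAAB3-PLACEHOLDER-LAB01-KEY", "alice", "alice"),
        "unknown host":
            HostbasedClaim("unknown.example.test", CMS_KEY, "alice", "alice"),
    }
    return {name: authenticate(c, known, allowed, denied) for name, c in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:32s} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The accepted case is the one worth dwelling on: the server has established that the request came from a host holding the CMS host key, and nothing more. Any account on that host that can drive the client (on Windows, anyone who can reach the Cygwin data structures discussed later) is in a position to present a user name of its choosing, which is why the integrity of the client system matters as much as the server's configuration.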
Password authentication uses the familiar mechanism to authenticate a user. The user name and password are sent over the encrypted channel to the SSH server, which authenticates the user using the supplied password. HP SIM 6.x also supports this method.
The following figure shows how the key files are used by the SSH server and client.

[Figure: key files used by the SSH Client and SSH Server. Labels: SSH Server keys; User auth (public key); Known Hosts (public key); User Keys; Ssh_known_hosts (public key); Host Keys.]
SSH Server on Windows
Differences
While HP-UX and most Linux distributions usually ship with SSH or OpenSSH already installed, the same is not true of Windows operating systems. HP SIM provides a version of OpenSSH used for Windows systems. This version is installed along with the rest of the HP SIM software on a Windows platform (called the CMS). For managed systems, it can be installed from the Management CD, downloaded from the HP SIM website (http://www.hp.com/go/hpsim), or deployed from HP SIM to other Windows systems. HP SIM includes functionality for improved deployment to all Windows systems.
SSH was originally implemented for UNIX-like operating systems and is part of OpenBSD. OpenSSH is an outgrowth of that effort. To easily port it to Windows systems, an emulation layer called Cygwin is used. Cygwin provides a UNIX emulation layer so that UNIX software can be easily ported to Windows. It also includes well-known security problems. For example, it creates world-readable data structures to emulate UNIX processes. The potential exists for a non-administrator user on the managed system to interfere with tasks run on that system. To make OpenSSH more secure, the version distributed with HP SIM contains a modified Cygwin compatibility layer that restricts access to these data structures to members of the Administrators group. The OpenSSH version shipped with HP SIM allows only Windows Administrators to log in to the Windows system using SSH. Domain users must be direct members of the Administrators group. Membership of domain groups is not checked.
Cygwin mounts
To find certain OpenSSH files, you must determine where they are stored. The UNIX files of concern are /etc/passwd, /etc/group, and /home/<username>. To see the complete listing for Linux and HP-UX and where they are located for Windows, see Directory location of various SSH files.
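How a Cygwin mount table turns the UNIX paths named above into Windows locations, as an added illustration (Python). This is not HP SIM code and does not reproduce HP SIM's actual installation directory: the mount table below is constructed sample text in the style of Cygwin's `mount` command output, with placeholder Windows directories. Cygwin resolves a POSIX path through the longest mount point that is a prefix of it, which is what the resolver implements.

```python
"""Resolve POSIX paths used by OpenSSH under Cygwin to Windows locations.

Added example, not HP SIM code. MOUNT_OUTPUT is constructed sample text in
the style of Cygwin's `mount` output; the Windows directories are
placeholders, not HP SIM's real install path.
"""
import posixpath

MOUNT_OUTPUT = r"""
C:\OPENSSH_INSTALL_PLACEHOLDER on / type system (binmode)
C:\OPENSSH_INSTALL_PLACEHOLDER\bin on /usr/bin type system (binmode)
C:\OPENSSH_INSTALL_PLACEHOLDER\lib on /usr/lib type system (binmode)
C:\Documents and Settings on /home type user (binmode)
"""


def parse_mount_table(text):
    """Return [(posix_mount_point, windows_dir)] from `mount`-style lines.

    Each line has the form "<windows dir> on <posix dir> type <fs> (<opts>)".
    """
    table = []
    for line in text.strip().splitlines():
        win, sep, rest = line.partition(" on ")
        if not sep:
            continue  # not a mount line
        posix, _, _ = rest.partition(" type ")
        if win.strip() and posix.strip():
            table.append((posix.strip(), win.strip()))
    return table


def to_windows_path(posix_path, table):
    """Map a POSIX path to a Windows path via the longest matching mount."""
    norm = posixpath.normpath(posix_path)
    best = None
    for mnt, win in table:
        base = mnt.rstrip("/")  # "/" becomes "" so it matches every path
        if norm == mnt or norm.startswith(base + "/"):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, win)
    if best is None:
        raise ValueError(f"no mount covers {posix_path}")
    mnt, win = best
    # Portion of the path below the mount point, rewritten with backslashes.
    rest = norm[len(mnt.rstrip("/")):].lstrip("/")
    return win + ("\\" + rest.replace("/", "\\") if rest else "")


def locate_openssh_files(username, table):
    """Windows locations of the three UNIX files of concern for one user."""
    wanted = ["/etc/passwd", "/etc/group", f"/home/{username}"]
    return {p: to_windows_path(p, table) for p in wanted}


if __name__ == "__main__":
    mounts = parse_mount_table(MOUNT_OUTPUT)
    for posix, win in locate_openssh_files("alice", mounts).items():
        print(f"{posix:16s} -> {win}")
```

Running this against a real installation means feeding it the output of the installed Cygwin `mount` command instead of the constructed table; the resolution rule (longest matching mount point, then the remainder appended with backslashes) is the same. Knowing the Windows location of /etc/passwd, /etc/group and the home directories is what lets an administrator apply and audit NTFS permissions on them.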