Secure Shell (SSH) in HP SIM

Managed system authentication
When HP SIM connects through SSH to a managed system, the SSH server on that system returns an SSH host key that identifies that system. HP SIM must decide whether this key is acceptable and hence authenticate the managed system. By default, HP SIM 6.x accepts any key, which leaves HP SIM open to certain types of network attacks, such as a man-in-the-middle attack where an imposter pretends to be the managed system. You can configure HP SIM to protect against such attacks by turning on SSH host key checking, which causes HP SIM to compare the key with a list of known hosts. The following options are supported:
• The key is saved the first time a connection is made. On subsequent connections, the key must match the saved value or the connection is refused. This option is open to a man-in-the-middle attack the very first time a connection is made, but subsequently is very secure. If keys are ever changed, this option requires manual intervention; for example, if the SSH server on the managed system is reinstalled. HP SIM 4.x used this method.

• The CMS accepts an SSH connection with any key, even if it is not in known_hosts. The key is still saved in known_hosts the first time a connection is made, but no key checking is performed. This provides the easiest solution to manage, but it is vulnerable to some attacks. This option is similar to the default SSL option that does not require trusted certificates, which is now the default setting for HP SIM 6.x.

• The key must already exist in the known hosts file. The connection is refused if it is not in the file. This option is the most secure but the hardest to maintain, because keys must be manually added to the list of known hosts as new systems are added or when keys are changed.
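The three host-key policies above differ only in what happens when a managed system presents a key that is new, matching, or different from the stored one. The following added example (not HP SIM's own code; the host names and key blobs are constructed, and the policy names are assumed labels) models each policy over an OpenSSH-style known_hosts file and replays the same three connection attempts under each, so the single exposed moment of trust-on-first-use and the blindness of the accept-any policy to a changed key are both visible.

```python
from enum import Enum


class HostKeyPolicy(Enum):
    ACCEPT_ANY = "accept_any"   # HP SIM 6.x default: record the first key, never compare
    FIRST_USE = "first_use"     # HP SIM 4.x behaviour: save on first use, enforce afterwards
    PRELOADED = "preloaded"     # key must already be in known_hosts


class HostKeyMismatch(Exception):
    """Presented key differs from the stored one (possible imposter or reinstalled server)."""


class UnknownHostKey(Exception):
    """No stored key for this host and the policy forbids learning one."""


def parse_known_hosts(text):
    """Parse OpenSSH-style 'host keytype base64blob' lines into {host: (keytype, blob)}.

    Blank lines and '#' comments are skipped; hashed (|1|...) entries are not handled here.
    """
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: ignore rather than trust
        host, keytype, blob = fields[0], fields[1], fields[2]
        known[host] = (keytype, blob)
    return known


def check_host_key(known, host, keytype, blob, policy):
    """Apply `policy` to the key a managed system presented; updates `known` in place.

    Returns 'saved', 'accepted' or 'verified'; raises on refusal.
    """
    presented = (keytype, blob)
    stored = known.get(host)
    if policy is HostKeyPolicy.ACCEPT_ANY:
        if stored is None:
            known[host] = presented
            return "saved"
        return "accepted"  # no comparison at all: a changed key is never noticed
    if policy is HostKeyPolicy.FIRST_USE:
        if stored is None:
            known[host] = presented  # trust on first use: the one exposed moment
            return "saved"
        if stored != presented:
            raise HostKeyMismatch(host)
        return "verified"
    if policy is HostKeyPolicy.PRELOADED:
        if stored is None:
            raise UnknownHostKey(host)
        if stored != presented:
            raise HostKeyMismatch(host)
        return "verified"
    raise ValueError(f"unsupported policy {policy!r}")


# Constructed sample known_hosts file; host names and key blobs are made up.
SEED_KNOWN_HOSTS = """\
# host  keytype  base64-encoded public key (constructed values)
server01.example.test ssh-ed25519 AAAAC3EXAMPLEKEYSERVER01
"""

# Constructed sequence of connection attempts: a new system, the known system
# with its correct key, and the known system presenting a different key.
CONNECTIONS = [
    ("server02.example.test", "ssh-ed25519", "AAAAC3EXAMPLEKEYSERVER02"),
    ("server01.example.test", "ssh-ed25519", "AAAAC3EXAMPLEKEYSERVER01"),
    ("server01.example.test", "ssh-ed25519", "AAAAC3DIFFERENTKEYSERVER01"),
]


def run_scenario(policy):
    """Replay CONNECTIONS under one policy on a fresh copy of the seed file."""
    known = parse_known_hosts(SEED_KNOWN_HOSTS)
    outcomes = []
    for host, keytype, blob in CONNECTIONS:
        try:
            outcomes.append(check_host_key(known, host, keytype, blob, policy))
        except HostKeyMismatch:
            outcomes.append("refused: key mismatch")
        except UnknownHostKey:
            outcomes.append("refused: host not preloaded")
    return outcomes


def compare_policies():
    """Outcome table for all three policies, keyed by policy name."""
    return {p.value: run_scenario(p) for p in HostKeyPolicy}


if __name__ == "__main__":
    for name, outcomes in compare_policies().items():
        print(f"{name:11s} {outcomes}")
```

Running the script prints one row per policy. The accept-any row shows the third attempt (a different key for a host already on file) going through unchallenged, which is the gap the text warns about; the first-use row refuses it but had to trust the unknown server02 blindly; the preloaded row refuses both the unknown host and the mismatch, at the cost of someone having to import server02's key before it can be managed.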
A tool in HP SIM 6.x (Options → Security → Credentials → Trusted Systems → SSH Host Keys) enables you to change this setting: to have keys loaded on first use, or to require them to be preloaded. This tool also enables keys to be imported into or removed from the known hosts file.