Secure Shell (SSH) in HP Systems Insight Manager 5.1 and 5.2

Here is an example of a known_hosts file displaying two entries:
192.103.1.21 ssh-dss
AAAAB3NzaC1kc3MAAACBAM8yDS/qQI8pqwavOcXat4ygJFSsX1SNqXvW7sKzYrYF0k1
wk9LyUyHdnTVI8MRRQYZpOsR+UFqhHz2/emADlNSvlL2mHtd5yUbz/QKWT6ikAX7lxe
Pg1HtcDvFfLoPG8k0uENvQgb1Exfzbdf9+CpoyG0QFnrWns+xYzBW3FbpXAAAAFQCHO
IKdwA0A1qNNHPKbbCCnzOg3+wAAAIAeGMN7NuaR72bHGe9pgBd9vBh3MX/Jdh8aptFR
Tl0cj4U/0aMa5WU4z/dL9N/8/GmgGxHr1VAJjF4TaIyC0HsM7/t16TunDHr9OFddsWg
RCP3UBA28xwLI/enCuORTwcyW0M+SMMOPcPgDd74OOGN+gK107sSstMNn9ooOAGnw5A
AAAIBQwoqfiDV6Zmp+v0XO+TWr12Hta2u8ZeeWfoM1ZeQnSUyRuv0Cf1vcUFS6BeFlI
X+b7+zqtZfFP3xQTgMHk7Uf3t1NJHBSr9kI4Te3Mdj2WLClcMnEMPPqoa5w5+5GGGBC
+zPqT2t6ZZ8rqo3Hf8vJwUZvQfZrrWi5hGQa6/snnA==
Ovpc129.rse.hp.com,192.87.137.243 ssh-dss
AAAAB3NzaC1kc3MAAACBALuFgiIFPeNLJw7o4/wup7Qal8qZSRJWVe/oZb7BR9haLA9
oc5yhDv07a1xHgyAzkg3ghdoVk70QbMye44DTP4VHPzM1CQ4jSVRC8+l9sPvMPlCfAl
am66c15GInVytqExcD5zTu1wSp44oJne0yFJ9XcGLcNGP+x4wa7D2C3Mr/AAAAFQDDV
P1Kn8pJMvbq46/T86T1uMZ0QQAAAIEAk/qa4eyxlmWoPO2GxEPv9+LP1KNM2YzfZuJF
AgV6XWTbaEHYh8uDsgpjddTDi4Yu49u5xIdS1+bFjb72WQKZj46EH4BTddUNTUYVHUp
kGgwJDB8ie+jJCkqJg8wJexDJquK+EGAYYkitLpUoVUHKTFxXiX4DxfK7cv+IDZ7UAJ
AAAACAcK7VcmEBCqcgGNJXhsj1laM1ujDfxXgCzXjMdotMkib8Ye1vp3hc2MuN6BVz7
OeJTsopFTEj2J86SoT9zIl9qPO/rm3FrCIm/8VuDVezcpVIS7TyrSQWbdQwVmeAJX/u
TIJB48suUDrjlF/bsUfM1naU/kZFSwnMo09Pa+mJ/uI=
Note: There can be more than one key for a system in the known_hosts file. A system can be listed by IP address, short DNS name, and fully qualified DNS name. Only the first key identified during the transaction is read. If that key is incorrect, the connection is rejected.
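
The first-match behavior described in the note can be audited offline. The following Python sketch is an added example, not part of the HP document or of HP SIM; the host names, addresses and key bytes are constructed, and it assumes plain (unhashed) host names with no wildcard patterns.

```python
import base64
import binascii
import hashlib

def _blob(seed):
    # Constructed placeholder key material, not a real host key.
    return base64.b64encode(b"\x00\x00\x00\x07ssh-dss" + seed * 16).decode()

# Constructed sample file; host names and addresses are illustrative.
SAMPLE = "\n".join([
    "# constructed known_hosts sample",
    "192.0.2.21 ssh-dss " + _blob(b"A"),
    "cms1.example.com,192.0.2.43 ssh-dss " + _blob(b"B"),
    "cms1 ssh-dss " + _blob(b"C"),              # short name, different key
    "cms1.example.com ssh-dss " + _blob(b"D"),  # later duplicate, never read
    "node9 ssh-dss not*base64",                 # malformed key field
])

def parse(text):
    """Return (entries, malformed); an entry is (lineno, names, keytype, fingerprint)."""
    entries, malformed = [], []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        try:
            raw = base64.b64decode(parts[2], validate=True)
        except (IndexError, binascii.Error):
            malformed.append(n)
            continue
        fp = hashlib.sha256(raw).hexdigest()[:16]
        entries.append((n, parts[0].split(","), parts[1], fp))
    return entries, malformed

def first_match(entries, name):
    """First entry that lists `name`: models 'only the first key is read'."""
    return next((e for e in entries if name in e[1]), None)

def audit(text, aliases):
    """For one system's aliases: answering line per alias, key conflict, shadowed lines."""
    entries, malformed = parse(text)
    hits = {a: first_match(entries, a) for a in aliases}
    used = {e[0] for e in hits.values() if e}
    fps = {e[3] for e in hits.values() if e}
    shadowed = [e[0] for e in entries if set(e[1]) & set(aliases) and e[0] not in used]
    return {"lines": {a: e[0] if e else None for a, e in hits.items()},
            "conflict": len(fps) > 1, "shadowed": shadowed, "malformed": malformed}
```

A `conflict` result means the aliases resolve to different stored keys, so a system presenting a single host key will be rejected under at least one of those names; `shadowed` lines are never read for the aliases checked.
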
Client Public Key Authentication
For public key client authentication as used by HP SIM, a key pair is created and stored in the C:\Program Files\HP\Systems Insight Manager\config\sshtools directory. The private key never leaves the client. It is used during authentication to decode messages that the remote SSH server encodes with the matching public key. The public key is not used by the SSH client. It is stored here so that it can be copied to remote systems. The public key is appended to the authorized_keys2 file for a given user on the remote managed system. This is the list of keys that is checked by the SSH server when a remote login is being requested using public key authentication. If the key being presented by HP SIM is listed in the file, the SSH server uses it to encrypt a challenge to return to HP SIM; the SSH server enables the user to sign in provided the response to the challenge is correct. If the public key is not present, the public key authentication fails.
While the authorized_keys2 file can be maintained manually, HP SIM provides the mxagentconfig utility to maintain this file.
Host-Based Authentication
Two files in the SSH server configuration directory (for example, C:\Program Files\OpenSSH\etc) are used to configure host-based authentication. The file, shosts.equiv, is a list of host names that are accepted for host-based authentication, for example, the DNS name of each CMS that can manage this system. The file, ssh_known_hosts, is a list of public keys for these host CMS systems.
Passwd and group files
For Windows systems the passwd file is located in the C:\Program Files\OpenSSH\etc directory. After the SSH session is established between the SSH client and the SSH server, the SSH client transmits the login user name to the SSH server. For each user name allowed to use SSH, there must be an entry in the passwd file. If a user whose name is not listed in the passwd file tries to log in, the connection fails with a permission denied authentication error.
The following example passwd file contains three lines for three different users: local administrator MyAdmin, local user SIM, and user joe from domain mydomain: