Secure Shell (SSH) in HP Systems Insight Manager 5.1 and 5.2

have sufficient rights to obtain the SID for the user being added. A local user has sufficient rights to add other local users, but a domain account must be used if domain users are to be added. If in doubt, run sshuser without the -f option to view the output of the command.

Mxagentconfig

mxagentconfig is used to configure the managed system to allow SSH access from the CMS. Different options are available to set up user public key, host-based authentication, or to validate an existing configuration. An option is also available to remove entries from the CMS known_hosts file.

mxagentconfig -a -n <managed system> -u <username> [-p <password>]

This option configures user-based public key authentication on the specified managed system. It places the public key (.dtfSshKey.pub) of the HP SIM CMS in the user’s authorized_keys2 file.

First, mxagentconfig opens an SSH connection to the specified managed system. This means that SSH has to be already installed on the managed system. If the specified system is a Windows system, then the user must already have been added to the passwd file. See the sshuser section. The SSH server uses password authentication to validate the specified user. A secure ftp (sftp) channel is then opened to allow file access to the managed system.

The user’s home directory is examined for the .ssh subdirectory. If it does not exist, it is created. Then mxagentconfig checks for the existence of the authorized_keys2 file. If it exists, mxagentconfig appends the public key of the CMS (.dtfSshKey.pub) to this file. If the file does not exist, it is created with the public key of the CMS as its first entry. At this point, the user is configured for public key authentication on the managed system.
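
The .ssh and authorized_keys2 steps described above, re-created as a local POSIX shell function. This is an added example, not mxagentconfig's or HP SIM's own code. The 700/600 permission modes and the duplicate check are assumptions added here rather than documented mxagentconfig behavior, and the key text is constructed.

```shell
#!/bin/sh
# Added example: the .ssh / authorized_keys2 steps from the text, done locally.

# First non-empty line of a public key file (one key entry).
read_key() {
    grep -v '^[[:space:]]*$' "$1" | head -n 1
}

# install_cms_key HOME_DIR PUBKEY_FILE
install_cms_key() {
    ssh_dir="$1/.ssh"
    auth_file="$ssh_dir/authorized_keys2"
    key=$(read_key "$2")
    [ -n "$key" ] || { echo "no key in $2" >&2; return 1; }

    # Create .ssh if missing. Mode 700 is an assumption added here: sshd
    # with StrictModes ignores key files under group/world-writable paths.
    [ -d "$ssh_dir" ] || mkdir "$ssh_dir" || return 1
    chmod 700 "$ssh_dir" || return 1

    # Create authorized_keys2 if missing, accessible by the owner only.
    [ -f "$auth_file" ] || : > "$auth_file" || return 1
    chmod 600 "$auth_file" || return 1

    # Assumption: skip the append when the exact entry is already present,
    # so repeated runs do not accumulate duplicate lines.
    if ! grep -qxF -- "$key" "$auth_file"; then
        # Keep entries on separate lines if the file lacks a final newline.
        if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
            echo >> "$auth_file"
        fi
        printf '%s\n' "$key" >> "$auth_file"
    fi
}

# count_cms_key HOME_DIR PUBKEY_FILE: number of times the key is listed.
count_cms_key() {
    grep -cxF -- "$(read_key "$2")" "$1/.ssh/authorized_keys2"
}

# Demo with a constructed key (not a real CMS key) in a scratch directory.
demo_dir=$(mktemp -d)
echo 'ssh-rsa AAAAB3CONSTRUCTED cms@example.invalid' > "$demo_dir/.dtfSshKey.pub"
install_cms_key "$demo_dir" "$demo_dir/.dtfSshKey.pub"
install_cms_key "$demo_dir" "$demo_dir/.dtfSshKey.pub"   # second run: no duplicate
echo "entries for CMS key: $(count_cms_key "$demo_dir" "$demo_dir/.dtfSshKey.pub")"
rm -rf "$demo_dir"
```

The same count function can be pointed at an existing home directory to review whether a key entry is present and whether repeated configuration runs have left duplicates.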

mxagentconfig -a -n <managed system> -u <username> [-p <password>] -o host

This option configures host-based authentication on the managed system. It requires that SSH be installed on the target system and, if the target is a Windows system, the user must be included in the passwd file. It connects to the managed system using password authentication and then uses sftp, as described above. Then it updates the files in the SSH configuration directory on the managed system: it adds the public key to the ssh_known_hosts file and adds the CMS name to the list of accepted hosts in the shosts.equiv file.

mxagentconfig -c -n <managed system> -u <username>

This version of the command does not configure the managed system but instead verifies that SSH access is correctly configured for the specified user. This command will return success if the passwd file allows SSH access for the specified user, the public key has been correctly set up for user or host-based authentication, and the user is a member of the system’s Administrators group. An error is reported if host key checking is enabled and the host key does not match the value in the known_hosts file. This command does not verify password authentication.

C:\> mxagentconfig -c -n brian06.cup.hp.com -u myadmin
myadmin@brian06.cup.hp.com: success

mxagentconfig -r -n <managed system>

This version of the command removes the specified host from the known_hosts file. This command uses the DNS server to find all versions of the system name and removes them from the file.

Mxnodesecurity

The mxnodesecurity utility is used to store user names and passwords on the CMS for use when accessing managed systems. It is used for all management protocols, and has been extended to support SSH password authentication. As previously mentioned, user or host key authentication is preferred and provides benefits over password authentication. Use this command if you are unable to configure key-based authentication using mxagentconfig.