Secure Shell (SSH) in HP Systems Insight Manager 5.1 and 5.2

a copy of this public key. The SSH client uses the user's private key to sign a message sent to the SSH server; the signed data includes an identifier of the current connection, so a captured signature cannot be replayed on another connection. The SSH server uses the user's public key to verify this signature. If verification succeeds, the user is authenticated because the message must have been signed by a client with access to the private key.
Host-based authentication is very similar to user public key authentication, and is also based on public and private keys. In this case, separate keys are not used for each user. Instead, a single key pair is used to authenticate the SSH client system, and the SSH server trusts the client system's assertion of the identity of the individual user. The SSH client uses the client system's private key to sign a message to the server, and the SSH server uses the public key for that client system (host) to verify it. If verification succeeds, the user name supplied by the client is accepted. Because the server trusts the client host rather than the individual user, compromise of the client host's private key allows impersonation of any user on that host. HP SIM 5.x utilizes this authentication method in addition to public key authentication.
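The two key-based methods above are challenge/response protocols built on digital signatures, not on encrypting a message with the private key. The following is an added example, not code from HP SIM or OpenSSH, that models both methods with ed25519: the server keeps a per-user list of authorized public keys and a list of trusted client host keys, the client signs data that includes the connection's session identifier, and the server verifies. The message layout, the user name "hpsim", the host name "cms.example.test" and the random session identifier are constructed stand-ins for the real SSH_MSG_USERAUTH_REQUEST encoding and key exchange, chosen only to illustrate the mechanism.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Added illustration (not HP SIM or OpenSSH code): the signature-based
// challenge/response behind SSH "publickey" and "hostbased" authentication.
// The message layout below is a simplified stand-in for the real SSH encoding.

// sshString encodes s as a length-prefixed SSH-style string.
func sshString(s string) []byte {
	b := make([]byte, 4+len(s))
	binary.BigEndian.PutUint32(b, uint32(len(s)))
	copy(b[4:], s)
	return b
}

// signedData is what the prover signs: the per-connection session ID followed
// by the request fields. Binding the session ID is what makes a captured
// signature useless on any other connection.
func signedData(session []byte, fields ...string) []byte {
	out := append([]byte{}, sshString(string(session))...)
	for _, f := range fields {
		out = append(out, sshString(f)...)
	}
	return out
}

// Server holds the two public-key stores a server needs: per-user authorized
// keys (like authorized_keys) and trusted client host keys (like ssh_known_hosts).
type Server struct {
	AuthorizedKeys   map[string][]ed25519.PublicKey
	KnownClientHosts map[string]ed25519.PublicKey
}

// VerifyUserKey implements the "publickey" method. The server decrypts nothing;
// it checks that sig was produced by the private half of a key listed for user,
// over data that includes this connection's session ID.
func (s *Server) VerifyUserKey(session []byte, user string, pub ed25519.PublicKey, sig []byte) bool {
	for _, k := range s.AuthorizedKeys[user] {
		if k.Equal(pub) {
			return ed25519.Verify(pub, signedData(session, user, "ssh-connection", "publickey"), sig)
		}
	}
	return false // key not authorized for this user
}

// VerifyHostBased implements the "hostbased" method. The signature proves the
// client host; the server then trusts that host's statement of clientUser, so a
// compromised client host key can impersonate every user on that host.
func (s *Server) VerifyHostBased(session []byte, user, clientHost, clientUser string, sig []byte) bool {
	pub, ok := s.KnownClientHosts[clientHost]
	if !ok {
		return false // client host not in the trusted host list
	}
	return ed25519.Verify(pub, signedData(session, user, "ssh-connection", "hostbased", clientHost, clientUser), sig)
}

// Demo runs one user-key login, one host-based login, and two attempts that
// must fail: an unauthorized key and a replay of a signature from an earlier
// connection. Returns (userOK, hostOK, strangerOK, replayOK).
func Demo() (bool, bool, bool, bool) {
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	hostPub, hostPriv, _ := ed25519.GenerateKey(rand.Reader)
	strangerPub, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)

	srv := &Server{
		AuthorizedKeys:   map[string][]ed25519.PublicKey{"hpsim": {userPub}},
		KnownClientHosts: map[string]ed25519.PublicKey{"cms.example.test": hostPub},
	}

	session := make([]byte, 32) // constructed stand-in for the key-exchange session ID
	rand.Read(session)

	// Client side: sign with the private key, which never leaves the client.
	userSig := ed25519.Sign(userPriv, signedData(session, "hpsim", "ssh-connection", "publickey"))
	hostSig := ed25519.Sign(hostPriv, signedData(session, "hpsim", "ssh-connection", "hostbased", "cms.example.test", "alice"))
	strangerSig := ed25519.Sign(strangerPriv, signedData(session, "hpsim", "ssh-connection", "publickey"))

	userOK := srv.VerifyUserKey(session, "hpsim", userPub, userSig)
	hostOK := srv.VerifyHostBased(session, "hpsim", "cms.example.test", "alice", hostSig)
	strangerOK := srv.VerifyUserKey(session, "hpsim", strangerPub, strangerSig)

	// Replay: the same valid userSig presented on a new connection.
	session2 := make([]byte, 32)
	rand.Read(session2)
	replayOK := srv.VerifyUserKey(session2, "hpsim", userPub, userSig)

	return userOK, hostOK, strangerOK, replayOK
}

func main() {
	u, h, s, r := Demo()
	fmt.Printf("user key: %v  host-based: %v  unauthorized key: %v  replay: %v\n", u, h, s, r)
}
```

The replay case is the reason the signed data carries the session identifier: a signature that proves possession of the private key on one connection proves nothing on another. The host-based case shows why that method widens the trust boundary, since the server verifies only the host signature and takes the user name on the host's word.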
Password authentication uses the familiar mechanism to authenticate a user. The user name and password are sent over the encrypted channel to the SSH server, which authenticates the user using the supplied password. HP SIM 5.x also supports this method.
The diagram below shows how the key files are used by the SSH server and client.

[Diagram: key files used by the SSH client and SSH server]
SSH Client: User Keys (the user's private key); Known Hosts (public keys of the SSH servers the client trusts)
SSH Server: Host Keys (the server's host key pair); User auth (public keys of authorized users); Ssh_known_hosts (public keys of client hosts trusted for host-based authentication)
SSH Server on Windows differences
While HP-UX and most Linux distributions usually ship with SSH or OpenSSH already installed, the same is not true of Windows-based operating systems. HP SIM provides a version of OpenSSH to be used on Windows systems. This is installed along with the rest of the HP SIM software when HP SIM is installed on a Windows platform (hereafter called the CMS, the Central Management Server). For managed systems, it can be installed from the Management CD, downloaded from the HP SIM website (http://www.hp.com/go/hpsim) or deployed from HP SIM to other Windows systems. Functionality has been added to HP SIM for improved deployment to all Windows systems.
SSH was originally implemented for UNIX-like operating systems; OpenSSH, the implementation developed by the OpenBSD project, is an outgrowth of that effort. To port it to Windows systems easily, an emulation layer called Cygwin is used. Cygwin provides a UNIX emulation layer so that UNIX software can be ported to Windows with few changes. It also brings well-known security problems. For example, it creates world-readable shared data structures to emulate UNIX processes, so a non-administrator user on the managed system could potentially interfere with tasks run on that system. To make OpenSSH more secure, the version distributed with HP SIM contains a modified Cygwin compatibility layer that restricts access to these data structures to members of the Administrators group. The OpenSSH version shipped with HP SIM only allows Windows Administrators to log into the Windows system by way of SSH. Further,