HP-UX Trusted Computing Services A.02.00 Administrator's Guide

SSH User Session
On the SSH server, the administrator creates a TPM-protected SSH server key pair:
# tpmcreate -s /etc/opt/tcs/mySSHKeyblob
The administrator uses the elfdump and file utilities to determine the TPM OpenSSL engine
library for sshd:
# elfdump -L /usr/sbin/sshd | grep libcrypto
2 Needed libcrypto.so.0
# file /usr/sbin/sshd
/usr/sbin/sshd: ELF-64 executable object file - IA64
Based on Table 5-1 (page 44), this sshd binary needs the library
/opt/tcs/lib/hpux64/engines/libtpm.so.0.
The administrator adds the following entry to the end of the existing sshd configuration file,
/opt/ssh/etc/sshd_config:
EngineHostRSAKey /etc/opt/tcs/mySSHKeyblob
The administrator copies the sample TCS OpenSSL configuration file to the default location used
by sshd, /opt/ssh/etc/server.cnf:
# cp /etc/opt/tcs/openssl.cnf /opt/ssh/etc/server.cnf
The value for dynamic_path in the sample TCS OpenSSL configuration file
(/opt/tcs/lib/hpux64/engines/libtpm.so.0) is the library required for sshd in this
installation, so the administrator does not have to modify the OpenSSL configuration file.
On the server, the administrator stops and restarts sshd:
# /sbin/init.d/secsh stop; /sbin/init.d/secsh start
The administrator also configures authentication on the server for client users, as described in
the HP-UX Secure Shell product documentation. This is the same as the procedure used to
configure client users when TCS is not installed.
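Three pieces of the procedure above have to agree before sshd is restarted: the EngineHostRSAKey path in sshd_config must name the key blob written by tpmcreate, and dynamic_path in server.cnf must name the engine library that Table 5-1 selects for this sshd binary. The following POSIX shell script is an added example, not part of the HP-UX TCS guide, that checks those three points and refuses to declare the configuration ready if any of them is off. It assumes sshd_config carries a single "EngineHostRSAKey <path>" line and the OpenSSL configuration a "dynamic_path = <path>" line; the demonstration files it creates under a scratch directory (including the section name tcs_engine) are constructed stand-ins for /opt/ssh/etc/sshd_config, /opt/ssh/etc/server.cnf, the key blob and the engine library, so it runs on any system.

```shell
#!/bin/sh
# Added example (not from the HP-UX TCS guide): check that the sshd / TCS OpenSSL
# engine configuration is consistent before restarting sshd.

# Print the value of an sshd_config directive (first match, case-insensitive name).
sshd_directive() {        # $1 = sshd_config, $2 = directive name
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print the value of "key = value" from an OpenSSL config, ignoring surrounding spaces.
cnf_value() {             # $1 = OpenSSL cnf, $2 = key name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 if the configuration is consistent, 1 otherwise; reasons go to stderr.
check_tcs_sshd_config() { # $1 = sshd_config, $2 = server.cnf, $3 = engine library from Table 5-1
    rc=0
    blob=$(sshd_directive "$1" EngineHostRSAKey)
    if [ -z "$blob" ]; then
        echo "no EngineHostRSAKey directive in $1" >&2; rc=1
    elif [ ! -r "$blob" ]; then
        echo "key blob $blob is missing or unreadable" >&2; rc=1
    fi
    lib=$(cnf_value "$2" dynamic_path)
    if [ "$lib" != "$3" ]; then
        echo "dynamic_path is '$lib', but this sshd needs $3" >&2; rc=1
    elif [ ! -r "$lib" ]; then
        echo "engine library $lib is missing or unreadable" >&2; rc=1
    fi
    return $rc
}

# Constructed demonstration data (not a real HP-UX system): stand-ins for the key blob,
# sshd_config, server.cnf and the hpux64 engine library, laid out under a scratch directory.
demo=$(mktemp -d)
mkdir -p "$demo/etc/opt/tcs" "$demo/opt/ssh/etc" "$demo/opt/tcs/lib/hpux64/engines"
: > "$demo/etc/opt/tcs/mySSHKeyblob"
: > "$demo/opt/tcs/lib/hpux64/engines/libtpm.so.0"
printf 'Port 22\nEngineHostRSAKey %s\n' "$demo/etc/opt/tcs/mySSHKeyblob" \
    > "$demo/opt/ssh/etc/sshd_config"
printf '[tcs_engine]\ndynamic_path = %s\n' "$demo/opt/tcs/lib/hpux64/engines/libtpm.so.0" \
    > "$demo/opt/ssh/etc/server.cnf"

if check_tcs_sshd_config "$demo/opt/ssh/etc/sshd_config" "$demo/opt/ssh/etc/server.cnf" \
        "$demo/opt/tcs/lib/hpux64/engines/libtpm.so.0"; then
    echo "sshd engine configuration is consistent; safe to restart sshd"
fi
rm -rf "$demo"
```

On a real server the third argument is the library chosen from Table 5-1 for the sshd binary's ELF class and libcrypto dependency; run the check as root so the readability tests see the files with sshd's privileges, and only restart sshd when it returns 0.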
SSH Tunnels for Mail Services
The administrator can extend the configuration in “SSH User Session” (page 60) to use SSH to
protect connections from a client to mail servers. The client reads mail from the POP3 server
using port 110 and sends mail to the SMTP server using port 25. On the client, the administrator
configures the mail application to read mail from port 110 on the local host, and to send mail to
port 25 on the local host.
On the server, the administrator configures the sshd on the POP3 and SMTP servers (this may
be the same system) to use TCS as shown in “SSH User Session” (page 60). The administrator
also configures authentication on the server for the client user (root in this example), as described
in the HP-UX Secure Shell product documentation.
On the client, the administrator establishes the following SSH tunnels:
# ssh -f -L 110:pop3serv:110 -l root -N pop3serv
# ssh -f -L 25:smtpserv:25 -l root -N smtpserv
Where pop3serv is the name of the POP3 server and smtpserv is the name of the SMTP server.
The -L option forwards the local port to the same port on the mail server, -N opens no remote
command, and -f puts ssh in the background once the tunnel is established. Because local ports
110 and 25 are privileged, the ssh commands are run as root on the client.
Backing Up Keys
Key backup is a two-step process for TCS RSA key pairs used with SSH:
1. Back up the TCS RSA key pair. These are the key blob files created by tpmcreate and you
can back them up as you would any other files, using any file backup utility.
2. Back up and restore the TPM key hierarchy using the tpmadm command. For more
information see “Creating and Restoring TPM Key Backup Files” (page 31).
60 Using TCS RSA Keys with HP-UX Secure Shell