Secure Shell (SSH) in HP Systems Insight Manager 5.1 and 5.2

> mxglobalsettings -ld mx_dtf_ssh_bypass_user
mx_dtf_ssh_bypass_user = Administrator
Additional users can be added by separating the user names with commas and no spaces. Domain accounts require two backslashes between the domain name and the user name, such as domain\\user:

> mxglobalsettings -s mx_dtf_ssh_bypass_user=Administrator,Domain\\SIM
HP SIM must be restarted after making changes to the bypass user.
How does HP SIM use SSH?
HP SIM acts like the SSH client described earlier. The main difference from an interactive SSH client is that HP SIM must be preconfigured with appropriate keys, passwords, and rules on how to handle security warnings. The following sections discuss how HP SIM is configured and the file locations used by HP SIM.
Managed system authentication
When HP SIM connects through SSH to a managed system, the SSH server on that system returns an SSH host key that identifies that system. HP SIM must decide if this key is acceptable and hence authenticate the managed system. By default, HP SIM 5.x accepts any key, which does leave HP SIM open to certain types of network attack, such as a man-in-the-middle attack where an imposter pretends to be the managed system. You can configure HP SIM to protect against such attacks by turning on SSH host key checking, causing HP SIM to compare the key with a list of known hosts. Three options are supported:
- The key is saved the first time a connection is made. On subsequent connections the key must match the saved value or the connection is refused. This option is open to a man-in-the-middle attack the very first time a connection is made, but is very secure thereafter. This option requires manual intervention if keys are ever changed, for example if the SSH server on the managed system is reinstalled. HP SIM 4.x used this method.

- The CMS accepts an SSH connection with any key, even if it is not in known_hosts. The key is still saved in known_hosts the first time a connection is made, but no key checking is performed. This provides the easiest solution to manage, but is vulnerable to some attacks. This is similar to the default SSL option of not requiring trusted certificates, which is now the default setting for HP SIM 5.x.

- The key must already exist in the known hosts file. The connection is refused if it is not in the file. This option is the most secure but the hardest to maintain, as keys must be manually added to the list of known hosts as new systems are added or whenever keys are changed.
A tool in HP SIM 5.x (Options→Security→SSH Keys) enables you to change this setting, either to have keys loaded on first use or to require that they be preloaded. This tool also enables keys to be imported into or removed from the known hosts file.
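The three host-key policies above, modelled as a small decision routine. This is an added illustration, not HP SIM's own code: the page does not describe how HP SIM stores or compares keys internally, so the example assumes the OpenSSH known_hosts line format ("host key-type base64-key") and uses a constructed key list. The policy names, the sample hosts and the sample keys are all assumptions for the illustration.

```python
"""Model of the three SSH host-key checking policies described above.

Added illustration, not HP SIM's own code.  HP SIM's internal storage and
comparison logic are not described on the page; this models the three
policies over an OpenSSH-style known_hosts text with constructed entries.
"""
import base64
from enum import Enum


class HostKeyPolicy(Enum):
    SAVE_ON_FIRST_USE = "save_on_first_use"  # option 1: trust the first key, refuse later mismatches
    ACCEPT_ANY = "accept_any"                # option 2: record the key but never refuse (HP SIM 5.x default)
    REQUIRE_PRELOADED = "require_preloaded"  # option 3: the key must already be in known_hosts


class HostKeyRejected(Exception):
    """Raised when the chosen policy says the connection must be refused."""


# Constructed sample keys and known_hosts content (not real keys or hosts).
KEY_A = b"constructed-host-key-A"
KEY_B = b"constructed-host-key-B"
KEY_C = b"constructed-host-key-C"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed example, not a real known_hosts file",
    "server1.example.com ssh-rsa " + base64.b64encode(KEY_A).decode(),
    "server2.example.com ssh-rsa " + base64.b64encode(KEY_B).decode(),
])


def parse_known_hosts(text):
    """Parse OpenSSH-style known_hosts text into {host: (key_type, key_bytes)}.

    Blank lines and '#' comments are skipped.  If a host appears more than
    once, the first entry wins, which mirrors "first saved key is the one
    later connections must match".
    """
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed known_hosts line: %r" % line)
        host, key_type, key_b64 = parts[0], parts[1], parts[2]
        if host not in known:
            known[host] = (key_type, base64.b64decode(key_b64))
    return known


def check_host_key(known, host, key_type, key, policy):
    """Apply one policy to the key presented by host.

    On acceptance the (possibly updated) known-hosts mapping is returned;
    on refusal HostKeyRejected is raised.  A key that differs from the saved
    one is refused under every policy except ACCEPT_ANY, which is why that
    policy leaves the CMS open to impersonation of a managed system.
    """
    saved = known.get(host)
    if saved is None:
        if policy is HostKeyPolicy.REQUIRE_PRELOADED:
            raise HostKeyRejected("%s is not in known_hosts" % host)
        # Options 1 and 2 both record the key the first time a connection is made.
        known[host] = (key_type, key)
        return known
    if saved == (key_type, key):
        return known
    if policy is HostKeyPolicy.ACCEPT_ANY:
        # No checking performed: the changed key is tolerated.  Whether HP SIM
        # overwrites the saved entry in this case is not stated; it is kept here.
        return known
    raise HostKeyRejected("host key for %s has changed" % host)


def outcome(known_hosts_text, host, key_type, key, policy):
    """Convenience wrapper returning 'accepted' or 'refused' for one attempt."""
    known = parse_known_hosts(known_hosts_text)
    try:
        check_host_key(known, host, key_type, key, policy)
    except HostKeyRejected:
        return "refused"
    return "accepted"


if __name__ == "__main__":
    # Show how each policy treats a key that differs from the saved one.
    for policy in HostKeyPolicy:
        print(policy.value, "changed key ->",
              outcome(SAMPLE_KNOWN_HOSTS, "server1.example.com", "ssh-rsa", KEY_B, policy))
```

Running the block shows the trade-off the text describes: only the accept-any policy lets a changed key through, while save-on-first-use and require-preloaded both refuse it; the two differ only in whether a host that is not yet in the file is recorded or refused.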