HP-UX vPars and Integrity VM V6.3 Administrator Guide

Instead of using secsetup, SSH keys can be generated manually on the systems by using the
ssh-keygen command. The ssh-keygen command generates, manages, and converts
authentication keys for SSH. For information about manual SSH key generation, see the
ssh-keygen command HP-UX manpage.
12.3.3.1 Troubleshooting SSH key setup
If SSH is installed on both the source and the target system, you can run the ssh command on the
source host to establish a connection with the target host without providing a password. This ability
confirms that SSH keys are set up between the two hosts. If SSH keys are not set up, the
hpvmmigrate command displays an error message indicating that the SSH setup must be verified.
If the secsetup script does not work correctly, verify the permissions on root / to ensure that
superusers have write permissions. For example,
# ll -d /
drwxr-xr-x 20 root root 8192 Apr 29 06:25 /
If the root directory of the VSP has different permissions than displayed in the example, use the
chmod command to correct them.
# chmod 755 /
If a VSP is reinstalled at some point after using the secsetup script to configure SSH keys, you
might receive warning messages from ssh commands about keys changed, or bad keys in your
known_hosts file. In this case, use the ssh-keygen -R hostname command to remove
obsolete keys from the known_hosts file, and then use the secsetup command again to configure
new keys.
If you set up SSH security between VSPs before adding the conventional hpvm-migr host alias
to the /etc/hosts file and you do not run the secsetup command on the host-alias addresses, the
hpvmmigrate command fails with the message, Incorrect initial message, when it
attempts to use the conventional host alias.
A workaround is to run SSH once manually (for example, ssh <hostname>-hpvm-migr date)
and enter yes to the question about whether to continue connecting. This action adds
<hostname>-hpvm-migr to the list of known hosts, and subsequent hpvmmigrate commands
find the proper host key.
12.3.3.2 Using a third-party SSH
The hpvmmigrate command uses the HP-UX native SSH command for secure communication between
VSPs. To use an incompatible SSH command with the hpvmmigrate command, make sure your
version of SSH is set up for host-based authentication without requiring interactive passwords.
Then, set the SSHEXECPATH environment variable (in /etc/rc.config.d/hpvmconf) to invoke
a command or shell script similar to the one provided in alt_ssh_example.
Customize the alt_ssh_example script for your environment and your version of SSH so that it
translates all the HP-UX SSH-specific options into options for your alternate SSH command and achieves
similar behavior. The command or shell script must have permissions similar to a real ssh executable
-- it must be writable only by the file owner. The hpvmmigrate command expects to use the HP-UX
ssh command as in the following:
ssh -e none -o BatchMode=yes -T -x target-host-alias exec hpvmmigrate -#
See the alt_ssh_example comments for explanations of the -e, -o, -T, and -x options. With
an alternate version of SSH, you might not need some of the HP-UX specific options; or, there might
be different options that achieve the same effect; or, perhaps some alternate SSH configuration
mechanism can be used eliminating the need for some of the HP-UX specific SSH options.
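The permission and key checks from 12.3.3.1 and 12.3.3.2 can be collected into one pre-migration audit. The following script is an added example, not part of the HP guide or of alt_ssh_example; the function names are hypothetical, and it assumes the first argument is the wrapper that SSHEXECPATH points to and the optional second argument is the target host alias.

```shell
#!/bin/sh
# Added example: audit the SSH prerequisites described above before running hpvmmigrate.
# Usage (hypothetical script name): sh ssh_audit.sh /path/to/ssh-wrapper [target-host-alias]

# Print the 10-character mode field from ls -ld (for example drwxr-xr-x).
mode_string() {
    ls -ld "$1" 2>/dev/null | awk '{print substr($1, 1, 10)}'
}

# Succeed only if the directory has the mode shown in the guide's example (755).
root_mode_ok() {
    [ "$(mode_string "$1")" = "drwxr-xr-x" ]
}

# Succeed only if the file exists and neither group nor other can write to it.
owner_only_writable() {
    m=$(mode_string "$1")
    [ -n "$m" ] || return 2
    case "$m" in
        ?????w????|????????w?) return 1 ;;   # group-write or other-write bit set
    esac
    return 0
}

# BatchMode=yes makes ssh fail instead of prompting, so success means the keys
# and the known_hosts entry are already in place for this alias.
ssh_keys_ok() {
    ssh -o BatchMode=yes "$1" date >/dev/null 2>&1
}

audit() {
    rc=0
    root_mode_ok / ||
        { echo "FAIL: / is $(mode_string /), expected drwxr-xr-x (chmod 755 /)"; rc=1; }
    owner_only_writable "$1" ||
        { echo "FAIL: $1 is missing or writable by group/other"; rc=1; }
    if [ -n "${2:-}" ]; then
        ssh_keys_ok "$2" ||
            { echo "FAIL: ssh to $2 needs a password or host-key confirmation"; rc=1; }
    fi
    return $rc
}

if [ "$#" -gt 0 ]; then
    audit "$@"
fi
```

A failure of the last check against the <hostname>-hpvm-migr alias corresponds to the known_hosts situation described in 12.3.3.1.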