Configuring secure shell (ssh) before installing products on HP-UX systems


Article ID: 100002080

Resolution

Configuring and enabling ssh
The ssh program enables you to log into and execute commands on a remote system. ssh provides encrypted communications and an authentication process between two untrusted hosts over an insecure network.
In this procedure, you first create a DSA key pair. From the key pair, you append the public key from the source system to the authorized_keys file on the target systems.
Read the ssh documentation and online manual pages before enabling ssh. Contact your operating system support provider for issues regarding ssh configuration.
Visit the OpenSSH website at https://openssh.org to access online manuals and other resources.
To create the DSA key pair
1. On the source system (system1), log in as root, and navigate to the root directory.
system1# cd /
2. To generate a DSA key pair on the source system, type the following command:
system1# ssh-keygen -t dsa
System output similar to the following is displayed:
Generating public/private dsa key pair.
Enter file in which to save the key (//.ssh/id_dsa):
3. Press Enter to accept the default location of /.ssh/id_dsa.
4. When the program asks you to enter the passphrase, press the Enter key twice.
Enter passphrase (empty for no passphrase):
Do not enter a passphrase. Press Enter.
Enter same passphrase again:
Press Enter again.
5. Make sure the /.ssh directory exists on all the target installation systems (system2 in this example). If that directory is not present, create it on all the target systems and set the write permission to root only:
system2# cd /
system2# mkdir /.ssh
Change the permissions of this directory to secure it:
system2# chmod go-w /.ssh
To append the public key from the source system to the authorized_keys file on the target system, using secure file transfer
1. Make sure the secure file transfer program (SFTP) is enabled on all the target installation systems (system2 in this example).
To enable SFTP, the /opt/ssh/etc/ssh/sshd_config file must contain the following two lines:
PermitRootLogin yes
Subsystem sftp /usr/lib/ssh/sftp-server
2. If the lines are not there, add them and restart ssh.
system1# ps -ef | grep ssh
root 1432 10 11:34:12 ? 0:00 /opt/ssh/sbin/sshd
system1# kill -9 1432
system1# /opt/ssh/sbin/sshd
3. From the source system (system1), move the public key to a temporary file on the target system (system2).
Use the secure file transfer program.
In this example, the file name id_dsa.pub in the root directory is the name of the temporary file for the public key.
Use the following command for secure file transfer:
system1# sftp system2
If the secure file transfer is set up for the first time on this system, output similar to the following lines is displayed:
Connecting to system2 ...
The authenticity of host 'system2 (10.182.00.00)'
can't be established. DSA key fingerprint is
fb:6f:9f:61:91:9d:44:6b:87:86:ef:68:a6:fd:88:7d.
Are you sure you want to continue connecting (yes/no)?
4. Enter yes.
Output similar to the following is displayed:
Warning: Permanently added 'system2,10.182.00.00'
(DSA) to the list of known hosts.
root@system2 password:
5. Enter the root password of system2.
6. At the sftp prompt, type the following command:
sftp> put /.ssh/id_dsa.pub
The following output is displayed:
Uploading /.ssh/id_dsa.pub to /id_dsa.pub
7. To quit the SFTP session, type the following command:
sftp> quit
8. To begin the ssh session on the target system (system2 in this example), type the following command on system1:
system1# ssh system2
Enter the root password of system2 at the prompt:
password:
9. After you log in to system2, enter the following command to append the id_dsa.pub file to the authorized keys file:
system2# cat /id_dsa.pub >> /.ssh/authorized_keys
10. After the id_dsa.pub public key file is copied to the target system (system2) and added to the authorized keys file, delete it.
To delete the id_dsa.pub public key file, type the following command on system2:
system2# rm /id_dsa.pub
11. To log out of the ssh session, type the following command:
system2# exit
12. When you install from a source system that is also an installation target, also add the local system id_dsa.pub key to the local authorized_keys file. The installation can fail if the installation source system is not authenticated.
To add the local system id_dsa.pub key to the local authorized_keys file, enter the following command:
system1# cat /.ssh/id_dsa.pub >> /.ssh/authorized_keys
13. Run the following commands on the source installation system. If your ssh session has expired or terminated, you can also run these commands to renew the session. These commands bring the private key into the shell environment and make the key globally available for the user root:
system1# exec /usr/bin/ssh-agent $SHELL
system1# ssh-add
Identity added: //.ssh/id_dsa
This shell-specific step is valid only while the shell is active. You must execute the procedure again if you close the shell during the session.
To verify that you can connect to a target system
1. On the source system (system1), type the following command:
system1# ssh -l root system2 uname -a
where system2 is the name of the target system.
2. The command should execute from the source system (system1) to the target system (system2) without the system requesting a passphrase or password.
3. Repeat this procedure for each target system.
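The following helper script is an added example, not part of the original article or the product's installer: it wraps the manual checks from the procedure above (the two required sshd_config lines, the append to authorized_keys in step 9, and the final uname -a verification). File paths are parameters so the HP-UX defaults (/opt/ssh/etc/ssh/sshd_config, /.ssh/authorized_keys) can be passed in; the chmod 600 on authorized_keys is an addition beyond the article's chmod go-w.

```shell
#!/bin/sh
# Added helper script (not from the original article). Paths are passed as
# arguments so the HP-UX locations named in the procedure can be used.

# Return 0 if sshd_config contains both lines the procedure requires.
# Only uncommented lines match, so "#PermitRootLogin yes" does not count.
sshd_config_ready() {
    cfg="$1"
    grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$cfg" &&
    grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+/usr/lib/ssh/sftp-server' "$cfg"
}

# Append the public key file $1 to the authorized_keys file $2 (step 9).
# The .ssh directory gets "chmod go-w" as in step 5; authorized_keys is made
# readable by root only (sshd's default StrictModes rejects group/world
# writable key files). The key is appended only if it is not already present,
# so re-running on a target that was prepared earlier does not duplicate it.
append_authorized_key() {
    pub="$1"
    auth="$2"
    dir=$(dirname "$auth")
    key=$(cat "$pub")
    [ -d "$dir" ] || mkdir -p "$dir"
    chmod go-w "$dir"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"
    grep -qxF -e "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Number of times the key in $1 occurs in $2 (shows the append is idempotent).
key_count() {
    grep -cxF -e "$(cat "$1")" "$2"
}

# Verification step: run "uname -a" on target $1 as root. BatchMode=yes makes
# ssh fail instead of prompting, so a non-zero exit means key-based login is
# not working and a password or passphrase would have been requested.
verify_target() {
    ssh -o BatchMode=yes -l root "$1" uname -a
}
```

Run verify_target once per target system; the exit status is what the last procedure asks you to check by eye.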
Issue/Introduction

Configuring secure shell (ssh) before installing products on HP-UX systems