Topic
3 replies Latest Post - ‏2012-02-29T13:20:04Z by MichaelGriffin
MichaelGriffin
MichaelGriffin
3 Posts
ACCEPTED ANSWER

Pinned topic Systems Director & RSA keys for access

‏2012-02-24T08:04:32Z |
Greetings

I am currently in the process of deploying and utilising Systems Director on AIX in our AIX/Linux arena and have tons to learn.

Currently we are forced to use passwords for access to each LPAR but these change regularly and having to update 200+ passwords is massive hindrance and I would prefer to use RSA ssh keys.

I have an option to configure RSA keys when looking at the LPAR info -> Security -> Configure access -> Create Key but it does not work. I have even tried removing the passphrase (bad idea) from the RSA key to no avail. The key works when using SSH from KSH command line.

The Systems Director documentation while verbose on some subjects has huge gaping voids in others, specifically on how to use RSA keys for SSH access and google has not been particularly helpful either.

I would appreciate any assistance or even pointers on how to get this working

Many thanx
Michael
Updated on 2012-02-29T13:20:04Z at 2012-02-29T13:20:04Z by MichaelGriffin
  • gcorneau
    gcorneau
    13 Posts
    ACCEPTED ANSWER

    Re: Systems Director & RSA keys for access

    ‏2012-02-27T19:29:55Z  in response to MichaelGriffin
    A general suggestion would be to use the Common Agent when managing AIX operating systems. Once access is granted there, the root password change will not affect the CAS capabilities.

    But since you're using Agentless (SSH), then have you tried this?

    https://www.ibm.com/developerworks/wikis/display/WikiPtype/Using+pre-shared+SSH+keys+for+agentless+authentication+for+AIX+managed+endpoints

    Of course, this only works if systems have unique SSH host keys. Duplicate SSH host keys will not work well with Systems Director.

    Glen Corneau
    IBM Power Systems Advanced Technical Skills
    • MichaelGriffin
      MichaelGriffin
      3 Posts
      ACCEPTED ANSWER

      Re: Systems Director & RSA keys for access

      ‏2012-02-28T12:55:15Z  in response to gcorneau
      Hi

      Thank you for your response.

      When I follow the instructions, the option for "Key Pair" is not available, only "User ID and Password".

      If I run :
      
      a00a006:/root# smcli lsinv -e RemoteServiceAccessPoint -n a00a006 | grep RemoteServiceAccessPoint.AccessInfo RemoteServiceAccessPoint.AccessInfo = http:
      //192.168.130.106/java/console RemoteServiceAccessPoint.AccessInfo = https:
      //192.168.130.106:5989/ RemoteServiceAccessPoint.AccessInfo = http:
      //a00a006:5335/ibm/console RemoteServiceAccessPoint.AccessInfo = https:
      //192.168.130.106:22/ a00a006:/root# smcli cfgcred -c RSA -U root -K /root/.ssh/id_rsa -P @a55w0rd -S root -W @a55w0rd -r https:
      //192.168.130.106:22/   RemoteServiceAccessPoint : https:
      //192.168.130.106:22/ Source User Principal    :root Source Identity ID       : 8DB04B02F94036B0892C57CEBD06E30C Target User Principal    : root Target Identity ID       : 8575C19E81D837EA94E7D3DF5BCF1EEB Registry ID              : FC99DC3F999C340A8C5157829B3E7648 Registry Type            : rsa_auth_registry   <Command Successful> Mapping Created with Mapping ID : 70CA35328F323FA9967B44A0B9D08ABC a00a006:/root#
      


      But still no key authentication. I tried using a dsa key and the X509 option. The X509 option shows on the list of credential type once I run the "smcli cfgcred -c X509 ....." command but still access (although when I deleted it and re-ran it did not show again).

      
      a00a006:/root# smcli cfgcred -c X509 -U root -K /root/.ssh/id_rsa -P @cadasf1 -S root -W @cadasf1 -r https:
      //192.168.130.106:22/ -A root   RemoteServiceAccessPoint : https:
      //192.168.130.106:22/ Source User Principal    :root Source Identity ID       : D93E3DFD6F353F61900D6B2D786B7DA6 Target User Principal    : root Target Identity ID       : F20AA9DF589E323E909EE1A6FC35C2D2 Registry ID              : 4A6AB4AD347339FEBCF1D37B678BB0BC Registry Type            : x509_auth_registry   <Command Successful> Mapping Created with Mapping ID : 641264536D07302BB75A733412F83A32 a00a006:/root#
      


      If the "Key pair" option had been previously deleted; is there something special that needs to be done to get it back again?

      I am loosing hair rapidly with System Director :)
      • MichaelGriffin
        MichaelGriffin
        3 Posts
        ACCEPTED ANSWER

        Re: Systems Director &#38; RSA keys for access

        ‏2012-02-29T13:20:04Z  in response to MichaelGriffin
        Using a new host that I had never discovered before, the "key pair" option appears under SSH -> Configure Credentials.

        Using the DSA key key as described in the URL above gives the following error :
        
        AVESEC102E Error: The request attempt failed. The credentials provided may be incorrect, or the individual service access points may not support request access. Try to verify connection and/or request access to the system to gain full access.
        


        When manually testing the key it works. I have also tried using a RSA key with the same error.

        I see in /var/adm/syslog that the SSH login failed because it is not using the SSH key pair and for security and automation our servers only allow root login via pre-defined SSH keys. Our root passwords also change regularly so having to change 200+ root passwords every week is not a feasible option.