Setting up secure script execution between SSH clients and the HMC

You must ensure that your script executions between SSH clients and the HMC are secure.

HMCs typically are placed inside the machine room where managed systems are located, so you might not have physical access to the HMC. In this case, you can remotely access it using either a remote Web browser or the remote command line interface.

To enable scripts to run unattended between an SSH client and an HMC, do the following:

1. Enable remote command execution. For more information, see Enabling and disabling HMC remote commands
2. On the client's operating system, run the SSH protocol key generator. To run the SSH protocol key generator, do the following:
   1. To store the keys, create a directory named $HOME/.ssh (either RSA or DSA keys can be used).
   2. To generate public and private keys, run the following command:
      • ssh-keygen -t rsa
      The following files are created in the $HOME/.ssh directory:

      • private key: id_rsa
      • public key: id_rsa.pub

      The write bits for both group and other are turned off. Ensure that the private key has a permission of 600.

3. On the client's operating system, use ssh and run the mkauthkeys command to update the HMC user's authorized_keys2 file on the HMC by using the following command:

   ssh hmcuser@hmchostname “mkauthkeys -–add '<the contents of $HOME/ .ssh/id_rsa.pub>' “ “

To delete the key from the HMC, can use the following command:

ssh hmcuser@hmchostname “mkauthkeys --remove 'joe@somehost' “

To enable password prompting for all hosts that access the HMC through ssh, use the scp command to copy the key file from the HMC: scp hmcuser@hmchostname:.ssh/authorized_keys2 authorized_keys2

Edit the authorized_keys2 file and remove all lines in this file. Then copy it back to the HMC: scp authorized_keys2 hmcuser@hmchostname:.ssh/authorized_keys2