Setting up secure script execution between SSH clients and the HMC
You must ensure that your script executions between Secure Shell (SSH) clients and the Hardware Management Console (HMC) are secure.
HMCs typically are placed inside the server room where managed systems are located, so you might not have physical access to the HMC. In this case, you can remotely access it using either a remote web browser or the remote command line interface.
To enable scripts to run unattended between an SSH client and an HMC, complete the following steps:
- Enable remote command execution. For more information, see Enable Remote Command Execution.
- On the client's operating system, run the SSH protocol key generator. To run the SSH protocol key generator, complete the following steps:
  - To store the keys, create a directory that is named $HOME/.ssh (either RSA or DSA keys can be used).
  - To generate public and private keys, run the following command:
    ssh-keygen -t rsa
    The following files are created in the $HOME/.ssh directory:
    - private key: id_rsa
    - public key: id_rsa.pub
    The write bits for both group and other are turned off. Ensure that the private key has a permission of 600.
- On the client's operating system, use ssh to run the mkauthkeys command, which updates the HMC user's authorized_keys2 file on the HMC:
  ssh hmcuser@hmchostname mkauthkeys --add '<the contents of $HOME/.ssh/id_rsa.pub>'
  Note: Double quotes (") are used in commands to ensure that the remote shell can properly process the command; the public key line itself contains spaces, so it is wrapped in single quotes inside the double-quoted remote command. For example (the base64 key data is abbreviated to a placeholder):
  ssh hscuser@somehmchost "mkauthkeys --add 'ssh-rsa <base64 public key data from id_rsa.pub> hscpe@vhmccloudvm179'"
  To delete the key from the HMC, you can use the following command:
  ssh hmcuser@hmchostname mkauthkeys --remove joe@somehost
  To re-enable password prompts for all hosts that access the HMC through SSH, use the scp command to copy the key file from the HMC:
  scp hmcuser@hmchostname:.ssh/authorized_keys2 authorized_keys2
  Edit the authorized_keys2 file, remove all lines in this file, and then copy it back to the HMC:
  scp authorized_keys2 hmcuser@hmchostname:.ssh/authorized_keys2
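The steps above can be wrapped in a few POSIX shell helpers that check the private-key permission before any key is pushed and build the mkauthkeys command with the quoting the Note requires. This is an added example, not part of the HMC documentation; it assumes an OpenSSH client on the workstation and takes the HMC user and hostname as arguments (the function names are the example's own).

```shell
#!/bin/sh
# Added example (not from the HMC documentation). Assumes an OpenSSH client and
# that the caller supplies the HMC user name and hostname.

# Return 0 only when the private key exists and has mode exactly 600.
check_private_key_perms() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm 600)" ]
}

# Print the command the HMC must run to add the key. The whole public-key line
# is wrapped in single quotes so the HMC's remote shell does not split it on the
# spaces between type, key data and comment; any single quote inside the line
# (possible in the comment field) is escaped as '\'' to keep the quoting intact.
build_mkauthkeys_add_cmd() {
    key_line=$(head -n 1 "$1")
    escaped=$(printf '%s' "$key_line" | sed "s/'/'\\\\''/g")
    printf "mkauthkeys --add '%s'" "$escaped"
}

# Print the command that removes a previously added key, identified as on the
# page by the comment portion of the key (e.g. joe@somehost).
build_mkauthkeys_remove_cmd() {
    printf "mkauthkeys --remove '%s'" "$1"
}

# Push the client's public key to the HMC user's authorized_keys2 file.
# Usage: install_hmc_key hmcuser hmchostname [path/to/id_rsa.pub]
install_hmc_key() {
    user="$1"; host="$2"; pubkey_file="${3:-$HOME/.ssh/id_rsa.pub}"
    if ! check_private_key_perms "${pubkey_file%.pub}"; then
        echo "refusing to continue: private key must be mode 600" >&2
        return 1
    fi
    # Double quotes around the remote command, as the Note above requires.
    ssh "$user@$host" "$(build_mkauthkeys_add_cmd "$pubkey_file")"
}
```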