Question & Answer
Question
When working on the HMC you might find the need to create scripts that require password less authentication between an LPAR and HMC. You might also want to ensure that your script executions between SSH clients and the HMC are secure.
Cause
Without configuring ssh keys the HMC will prompt the user for a password.
Answer
To enable scripts to run unattended between an SSH client and an HMC, do the following:
- Enable remote command execution. For more information, see Enabling and disabling HMC remote commands
- On the client's operating system (not the HMC), run the SSH protocol key generator. To run the SSH protocol key generator, do the following:
- To store the keys, create a directory named $HOME/.ssh (either RSA or DSA keys can be used).
- To generate public and private keys, run the following command:
ssh-keygen -t rsa- You will be prompted for file location and passphrase. These can be left blank to use the default.
- The following files are created in the $HOME/.ssh directory:
- private key: id_rsa
- public key: id_rsa.pub
- The write bits for both group and other are turned off. Ensure that the private key has a permission of 600.
- On the client's operating system, use ssh and run the mkauthkeys command to update the HMC user's authorized_keys2 file on the HMC by using the following command:
ssh hmcuser@hmchostname “mkauthkeys -–add '<the contents of $HOME/.ssh/id_rsa.pub as a string>' “
On setup is now complete. See the below example:
{skylab} > ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (//.ssh/id_rsa):
//.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in //.ssh/id_rsa.
Your public key has been saved in //.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:uRl1zvXDmFs+WEPX8gZdgslM/28vhuAPJJSsdW+HWBI root@skylab
The key's randomart image is:
+---[RSA 2048]----+
| E+.o |
| . . .=.. .|
| = o . .oo|
| + o = .+.+|
| . S + =..=.|
| . X.o *o +|
| o.+.o+=oo|
| ..o++o.|
| .o..o.|
+----[SHA256]-----+
{skylab} > cd /.ssh
{skylab} > ls -al
total 80
drwx------ 2 root system 4096 Aug 03 2021 .
drwxr-xr-x 31 root system 4096 Apr 08 12:15 ..
-rw-r--r-- 1 root system 396 Aug 14 2018 authorized_keys
-rw-r--r-- 1 root system 396 Aug 14 2018 authorized_keys2
-rw------- 1 root system 668 Aug 14 2018 id_dsa
-rw-r--r-- 1 root system 601 Aug 14 2018 id_dsa.pub
-rw------- 1 root system 1679 May 25 12:48 id_rsa
-rw-r--r-- 1 root system 393 May 25 12:48 id_rsa.pub
-rw-r--r-- 1 root system 488 Apr 12 08:40 known_hosts
-rw-r--r-- 1 root system 397 Jun 22 2015 tmp_authorized_keys2
{skylab} > cat id_rsa.pub
ssh-rsa AABBB3NzaC1yc2EAAAADAQABAAABAQCjkxDKo94rdVl/p1WFFZU8e2sw2d4oWYuop9h9s74DGuzvhYq90TTTwhJK0iwC/wBthSRM89OgpEX8TBBv2Cy/nmlqJD+uHqy/JqjU7lrI0DRX45ILs5JN2XTquI+FHUtqbyNytFFHXGKPt7XE81/rMwwwOrKTwDcgQj/SEZsg0yQ4E5z/+Sl7L3jgvUgld3QmEvpGA5x63bfVj+c1uJC0UDxpoj9o3Rb3+cmYSJo70M9dVaApG1Oi+jNlyHpAZDrOl24Vxs1r/K/VqRHJ3er8LunTknPBken7FF0OqSKyvHQX8JO4D3wfbD92YVAuHlwi092cKHH3Qgin/wlmkuZX root@skylab
{skylab} > ssh [email protected]
Warning: Permanently added '9.17.x.x' (ECDSA) to the list of known hosts.
[email protected]'s password:
{skylab} > 8TBBv2Cy/nmlqJD+uHqy/JqjU7lrI0DRX45ILs5JN2XTquI+FHUtqbyNytFFHXGKPt7XE81/rMwwwOrKTwDcgQj/SEZsg0yQ4E5z/+Sl7L3jgvUgld3QmEvpGA5x63bfVj+c1uJC0UDxpoj9o3Rb3+cmYSJo70M9dVaApG1Oi+jNlyHpAZDrOl24Vxs1r/K/VqRHJ3er8LunTknPBken7FF0OqSKyvHQX8JO4D3wfbD92YVAuHlwi092cKHH3Qgin/wlmkuZX root@skylab'" <
[email protected]'s password:
{skylab} > ssh hscr[email protected]
Last login: Wed May 25 09:24:45 2022 from 9.211.x.x
Note: You may need to manually login to the HMC once via SSH to add the host to your $HOME/.ssh/known_hosts file. Otherwise you might be prompted to add the fingerprint for the server to known_hosts ( breaking any scripts ).
If you wish to delete the keys from the HMC, you can do the following:
From the client LPAR run:
ssh hmcuser@hmchostname “mkauthkeys --remove 'joe@somehost'“
Then to re-enable password prompting for all hosts that access the HMC through ssh, use the scp command to copy the key file from the HMC:
scp hmcuser@hmchostname:.ssh/authorized_keys2 authorized_keys2
Edit the authorized_keys2 file and remove all lines in this file. Then copy it back to the HMC:
scp authorized_keys2 hmcuser@hmchostname:.ssh/authorized_keys2
[{"Type":"MASTER","Line of Business":{"code":"LOB57","label":"Power"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SGJ5K6","label":"Hardware Management Console V7"},"ARM Category":[{"code":"a8m0z000000bowEAAQ","label":"Hardware Management Console"}],"ARM Case Number":"TS009453229","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"},{"Type":"MASTER","Line of Business":{"code":"LOB08","label":"Cognitive Systems"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSOQ2E","label":"Hardware Management Console V10"},"ARM Category":[{"code":"a8m0z000000bowEAAQ","label":"Hardware Management Console"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"},{"Type":"MASTER","Line of Business":{"code":"LOB08","label":"Cognitive Systems"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SGGSNP","label":"Hardware Management Console V9"},"ARM Category":[{"code":"a8m0z000000bowEAAQ","label":"Hardware Management Console"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"},{"Type":"MASTER","Line of Business":{"code":"LOB08","label":"Cognitive Systems"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SGBR3L","label":"Hardware Management Console V8"},"ARM Category":[{"code":"a8m0z000000bowEAAQ","label":"Hardware Management Console"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
01 June 2022
UID
isg3T1011085