Question & Answer
Answer
To enable scripts to run unattended between an SSH client and an HMC, do the following:
- Enable remote command execution. For more information, see "Enabling and disabling HMC remote commands".
- On the client's operating system (not the HMC), run the SSH protocol key generator. To run the SSH protocol key generator, do the following:
  - To store the keys, create a directory named $HOME/.ssh (either RSA or DSA keys can be used).
  - To generate public and private keys, run the following command:
    ssh-keygen -t rsa
  - You are prompted for a file location and a passphrase. These can be left blank to use the defaults.
  - The following files are created in the $HOME/.ssh directory:
    - private key: id_rsa
    - public key: id_rsa.pub
  - The write bits for both group and other are turned off. Ensure that the private key has a permission of 600.
- On the client's operating system, use ssh to run the mkauthkeys command, which updates the HMC user's authorized_keys2 file on the HMC:
  ssh hmcuser@hmchostname "mkauthkeys --add '<the contents of $HOME/.ssh/id_rsa.pub as a string>'"
{skylab} > ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (//.ssh/id_rsa):
//.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in //.ssh/id_rsa.
Your public key has been saved in //.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:uRl1zvXDmFs+WEPX8gZdgslM/28vhuAPJJSsdW+HWBI root@skylab
The key's randomart image is:
+---[RSA 2048]----+
| E+.o |
| . . .=.. .|
| = o . .oo|
| + o = .+.+|
| . S + =..=.|
| . X.o *o +|
| o.+.o+=oo|
| ..o++o.|
| .o..o.|
+----[SHA256]-----+
{skylab} > cd /.ssh
{skylab} > ls -al
total 80
drwx------ 2 root system 4096 Aug 03 2021 .
drwxr-xr-x 31 root system 4096 Apr 08 12:15 ..
-rw-r--r-- 1 root system 396 Aug 14 2018 authorized_keys
-rw-r--r-- 1 root system 396 Aug 14 2018 authorized_keys2
-rw------- 1 root system 668 Aug 14 2018 id_dsa
-rw-r--r-- 1 root system 601 Aug 14 2018 id_dsa.pub
-rw------- 1 root system 1679 May 25 12:48 id_rsa
-rw-r--r-- 1 root system 393 May 25 12:48 id_rsa.pub
-rw-r--r-- 1 root system 488 Apr 12 08:40 known_hosts
-rw-r--r-- 1 root system 397 Jun 22 2015 tmp_authorized_keys2
{skylab} > cat id_rsa.pub
ssh-rsa AABBB3NzaC1yc2EAAAADAQABAAABAQCjkxDKo94rdVl/p1WFFZU8e2sw2d4oWYuop9h9s74DGuzvhYq90TTTwhJK0iwC/wBthSRM89OgpEX8TBBv2Cy/nmlqJD+uHqy/JqjU7lrI0DRX45ILs5JN2XTquI+FHUtqbyNytFFHXGKPt7XE81/rMwwwOrKTwDcgQj/SEZsg0yQ4E5z/+Sl7L3jgvUgld3QmEvpGA5x63bfVj+c1uJC0UDxpoj9o3Rb3+cmYSJo70M9dVaApG1Oi+jNlyHpAZDrOl24Vxs1r/K/VqRHJ3er8LunTknPBken7FF0OqSKyvHQX8JO4D3wfbD92YVAuHlwi092cKHH3Qgin/wlmkuZX root@skylab
{skylab} > ssh [email protected]
Warning: Permanently added '9.17.x.x' (ECDSA) to the list of known hosts.
[email protected]'s password:
{skylab} > 8TBBv2Cy/nmlqJD+uHqy/JqjU7lrI0DRX45ILs5JN2XTquI+FHUtqbyNytFFHXGKPt7XE81/rMwwwOrKTwDcgQj/SEZsg0yQ4E5z/+Sl7L3jgvUgld3QmEvpGA5x63bfVj+c1uJC0UDxpoj9o3Rb3+cmYSJo70M9dVaApG1Oi+jNlyHpAZDrOl24Vxs1r/K/VqRHJ3er8LunTknPBken7FF0OqSKyvHQX8JO4D3wfbD92YVAuHlwi092cKHH3Qgin/wlmkuZX root@skylab'" <
[email protected]'s password:
{skylab} > ssh hscr[email protected]
Last login: Wed May 25 09:24:45 2022 from 9.211.x.x
Note: You may need to log in to the HMC manually once via SSH to add the host to your $HOME/.ssh/known_hosts file. Otherwise, you might be prompted to add the server's fingerprint to known_hosts (breaking any scripts).
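A pre-flight wrapper for the steps above, as an added example that is not part of the original document: it checks the private key's permission bits, checks that the public key is a single line that is safe inside the single-quoted mkauthkeys argument, and then tests key login with BatchMode so a script fails instead of waiting at a prompt. The function names are hypothetical, and the user, host, key path, and verification command are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original document). Function names are
# hypothetical; user, host and key paths are supplied by the caller.

# True when the file has no group/other permission bits (for example 600).
key_mode_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# True when the .pub file is exactly one ssh-rsa/ssh-dss line with no
# single quote, so it cannot break out of the quoted mkauthkeys argument.
pubkey_ok() {
    [ "$(grep -c '' "$1" 2>/dev/null)" -eq 1 ] || return 1
    case "$(cat "$1")" in
        *"'"*) return 1 ;;
        "ssh-rsa "*|"ssh-dss "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the remote command string used in the procedure above.
build_add_cmd() {
    printf "mkauthkeys --add '%s'" "$(cat "$1")"
}

# push_key USER HOST PRIVATE_KEY : run the checks, then add the key.
push_key() {
    key_mode_ok "$3" || { echo "run: chmod 600 $3" >&2; return 1; }
    pubkey_ok "$3.pub" || { echo "unexpected content in $3.pub" >&2; return 1; }
    ssh "$1@$2" "$(build_add_cmd "$3.pub")"
}

# verify_unattended USER HOST COMMAND : BatchMode=yes makes ssh exit with an
# error instead of prompting for a password or an unknown host key.
verify_unattended() {
    ssh -o BatchMode=yes "$1@$2" "$3"
}
```

Run push_key once interactively (it still asks for the HMC password), then call verify_unattended from the script's own environment; a non-zero exit means the script would have stalled at a prompt.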
If you wish to delete the keys from the HMC, you can do the following:
From the client LPAR run:
ssh hmcuser@hmchostname "mkauthkeys --remove 'joe@somehost'"
Then to re-enable password prompting for all hosts that access the HMC through ssh, use the scp command to copy the key file from the HMC:
scp hmcuser@hmchostname:.ssh/authorized_keys2 authorized_keys2
Edit the authorized_keys2 file and remove all lines in this file. Then copy it back to the HMC:
scp authorized_keys2 hmcuser@hmchostname:.ssh/authorized_keys2
Document Information
Modified date: 01 June 2022
UID: isg3T1011085