A Scenario - AIX ssh client to pSeries HMC
The ultimate objective - A script that runs on AIX and sends commands via ssh into the HMC to collect information about the HMC, the systems managed by the HMC, and the LPARs in those systems. The script should run without prompting for the HMC user's password. Key elements of the solution:
- ssh server configuration already on the HMC
- Openssl RPM to be retrieved and installed on AIX client
- Openssh installp fileset to be retrieved and installed on AIX client
- aixuser on AIX client generates public and private keys (ssh-keygen)
- aixuser on AIX client transfers public key to user on HMC (scp)
- aixuser on AIX client runs script that sends ssh commands to HMC
- sample script
- Literature References
1. Openssl RPM retrieve and install on AIX client
Go to LINUX Toolbox for AIX Applications - Cryptographic Content
Register yourself, and retrieve the following OpenSSL RPMS:
- openssl-0.9.6k-1.aix4.3.ppc.rpm (1.3MB)
- openssl-devel-0.9.6k-1.aix4.3.ppc.rpm (optional 1.14MB)
- openssl-doc-0.9.6k-1.aix4.3.ppc.rpm (optional 421KB)
Ignore that these have aix4.3 in their names. As root on AIX, place them in a directory (e.g., /usr/sys/inst.images) and install:
rpm -i openssl-0.9.6k-1.aix4.3.ppc.rpm
2. Openssh fileset retrieve and install on AIX client
Go to OpenSSH on AIX Images Project: Summary
Retrieve file openssh361p2_51.tar.Z (for AIX 5.1) or openssh361p2_52.tar.Z (for AIX 5.2) and place it in a directory (e.g., /usr/sys/inst.images). As root on AIX, do
cd /usr/sys/inst.images
uncompress ./openssh361p2_51.tar.Z
tar -xvf ./openssh361p2_51.tar
inutoc .
smitty install
openssh.base.client 3.6.1.5200
openssh.base.server 3.6.1.5200
openssh.license 3.6.1.5200
openssh.man.en_US 3.6.1.5200
openssh.msg.EN_US 3.6.1.5200
openssh.msg.en_US 3.6.1.5200
Be sure to select yes to accept new license agreements.
3. aixuser on AIX client generates public and private keys (ssh-keygen)
Log in to the AIX client machine as the designated aixuser:
mkdir /home/aixuser/.ssh
ssh-keygen -t rsa
ssh-keygen -t dsa
Allow the keys to be stored in the default file locations (/home/aixuser/.ssh/id_rsa and /home/aixuser/.ssh/id_dsa), and just press enter at the passphrase prompts for no passphrase. After these commands run, you will have public and private rsa and dsa keys:
ls -l /home/aixuser/.ssh
total 40
-rw------- 1 aixuser staff 736 Oct 02 11:27 id_dsa
-rw-r--r-- 1 aixuser staff 602 Oct 02 11:27 id_dsa.pub
-rw------- 1 aixuser staff 963 Oct 02 11:28 id_rsa
-rw-r--r-- 1 aixuser staff 222 Oct 02 11:28 id_rsa.pub
Proper permissions here are 600 for the private key files and 644 for the public key files. Private keys must be protected; the public key files are what gets transferred to the servers that aixuser wants to log in to.
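As an added check, not part of the original write-up: a small POSIX sh script that verifies a user's .ssh directory carries the permissions described above, using the same ls -l view the listing shows (so it works on AIX ksh as well as Linux, without GNU stat). The function names and the 700 requirement on the directory itself are my assumptions; the 600/644 values for private and public keys are the ones stated above.

```shell
#!/bin/sh
# check_ssh_perms.sh - added example, not from the article.
# Checks a .ssh directory against the permissions the article calls for:
#   the directory itself   drwx------ (700)   [assumed; not stated above]
#   id_rsa, id_dsa         -rw------- (600)
#   *.pub                  not group/other writable (644 is the normal value)
#   authorized_keys*       not group/other writable
# Prints one line per problem; returns 0 when clean, 1 otherwise.

# mode_of PATH -> the 10-character type/permission field from ls -ld
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# writable_by_others MODE -> 0 if the group (pos 6) or other (pos 9) write bit is set
writable_by_others() {
    case "$1" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# check_ssh_perms DIR -> 0 if every file has acceptable permissions
check_ssh_perms() {
    dir=$1
    problems=0
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi
    m=$(mode_of "$dir")
    if [ "$m" != "drwx------" ]; then
        echo "$dir: mode is $m, want drwx------ (chmod 700)"
        problems=$((problems + 1))
    fi
    # private keys: nobody but the owner may read them
    for f in id_rsa id_dsa; do
        [ -f "$dir/$f" ] || continue
        m=$(mode_of "$dir/$f")
        if [ "$m" != "-rw-------" ]; then
            echo "$dir/$f: private key mode is $m, want -rw------- (chmod 600)"
            problems=$((problems + 1))
        fi
    done
    # public keys and authorized_keys files: world-readable is fine, writable is not
    for f in "$dir"/*.pub "$dir"/authorized_keys "$dir"/authorized_keys2; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        if writable_by_others "$m"; then
            echo "$f: mode is $m, must not be group/other writable (chmod 644)"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Run directly as: sh check_ssh_perms.sh /home/aixuser/.ssh
if [ $# -gt 0 ]; then
    check_ssh_perms "$1"
fi
```

Run it as aixuser after ssh-keygen and again after copying keys around; an sshd on the receiving side will silently ignore an authorized_keys file that is group-writable, which shows up as an unexpected password prompt rather than an error.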
4. aixuser on AIX transfers public keys to user on HMC
aixuser on AIX logs in as hmcuser on the HMC, then transfers his public keys from the AIX system to the HMC:
ssh hmc.domain.com -l hmcuser (answer the prompt for hmcuser's password)
cd .ssh
scp -p aixuser@aix.domain.com:/home/aixuser/.ssh/*.pub . (answer the prompt for aixuser's password)
cat *.pub >> ./authorized_keys2 (concatenate aixuser's public keys onto hmcuser's authorized keys file)
Note:
At HMC code level 3.2.5 and above, the .ssh subdirectory of an HMC user is owned by root, and it is difficult to write keys into it by the method above. Instead, do the following as aixuser on the AIX system:
mykey=`cat $HOME/.ssh/id_rsa.pub`
ssh hmc.domain.com -l hmcuser mkauthkeys -a \"$mykey\"
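An added example, not from the original write-up: the mkauthkeys command above takes whatever is in $mykey, so a public key file that is empty, truncated, or contains a stray second line gets registered as-is. This POSIX sh script validates the key line first (exactly one line, a key type the article's ssh-keygen calls produce, base64 key data) and then issues the same ssh/mkauthkeys invocation. The SSH variable (overridable for testing), the function names and the sample key line are my assumptions; the sample key data is constructed and is not a real key.

```shell
#!/bin/sh
# hmc_add_key.sh - added example, not from the article.
# Validates an OpenSSH public key line, then registers it on the HMC with
# mkauthkeys exactly as the article does. SSH can be overridden for testing.
SSH=${SSH:-ssh}

# Constructed sample (NOT a real key), used only to self-check the validator.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexamplekeydata aixuser@aix.example'

# valid_pubkey_line LINE -> 0 if LINE looks like "<type> <base64> [comment]"
valid_pubkey_line() {
    line=$1
    case "$line" in
        *" "*) ;;
        *) echo "malformed key line: $line" >&2; return 1 ;;
    esac
    type=${line%% *}          # first word
    rest=${line#* }
    blob=${rest%% *}          # second word
    case "$type" in
        ssh-rsa|ssh-dss) ;;   # the types ssh-keygen -t rsa / -t dsa emit
        *) echo "unsupported key type: $type" >&2; return 1 ;;
    esac
    case "$blob" in
        "") echo "missing key data" >&2; return 1 ;;
        *[!A-Za-z0-9+/=]*) echo "key data is not base64" >&2; return 1 ;;
    esac
    return 0
}

# read_pubkey_file FILE -> prints the single key line; fails on 0 or 2+ lines
read_pubkey_file() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    n=$(awk 'END { print NR }' "$file")
    [ "$n" -eq 1 ] || { echo "$file: expected 1 line, found $n" >&2; return 1; }
    cat "$file"
}

# hmc_add_key HMC USER FILE -> validate FILE, then run mkauthkeys on the HMC
hmc_add_key() {
    hmc=$1; user=$2; file=$3
    key=$(read_pubkey_file "$file") || return 1
    valid_pubkey_line "$key" || return 1
    # mkauthkeys wants the whole key as one argument; the literal quotes in
    # the argument survive the local shell so the remote shell sees one word,
    # which is what the article's \"$mykey\" escaping achieves.
    "$SSH" "$hmc" -l "$user" mkauthkeys -a "\"$key\""
}

# Run directly as: sh hmc_add_key.sh hmc.domain.com hmcuser $HOME/.ssh/id_rsa.pub
if [ $# -eq 3 ]; then
    hmc_add_key "$1" "$2" "$3"
fi
```

The first run still prompts for hmcuser's password, since no key is registered yet; after that, `ssh hmc.domain.com -l hmcuser date` should return without a prompt, which is the quickest way to confirm the key landed before running the collection script.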
5. aixuser runs script on AIX, which sends ssh commands to HMC
The script that follows is our example. If the key file requires a passphrase, aixuser answers the passphrase prompt; the script then sends ssh commands to the HMC machine specified on the command line.
#!/bin/ksh
#
# hmclook -m hmchostname -l hmcuser
#
# Sends a series of HMC commands over ssh as hmcuser and prints the output.
# Assumes aixuser's public key is already registered for hmcuser on the HMC.
#
hmc=
user=
usage() {
    echo "usage: $0 -m hmchostname -l hmcuser" >&2
    exit 1
}
while getopts m:l: option
do
    case $option in
        m) hmc="$OPTARG";;
        l) user="$OPTARG";;
        *) usage;;
    esac
done
# both options are required; stop before opening any ssh connection otherwise
[ -n "$hmc" ] && [ -n "$user" ] || usage

# run one command on the HMC (one ssh connection per command)
hmcrun() {
    ssh "$hmc" -l "$user" "$@"
}

echo "HMC Information:"
echo ""
hmcrun 'date'
hmcrun 'hostname'
echo ""
hmcrun 'lshmc -n'
echo ""
hmcrun 'lshmc -r'
echo ""
hmcrun 'lshmc -v'
echo ""
echo "Managed systems/frames:"
hmcrun 'lssyscfg -r sys --all'
echo ""
echo "frame content - LPARs, profiles, etc.:"
# the first column of the listing is the frame name; skip the header line
for frame in $(hmcrun "lssyscfg -r sys --all" | grep -v '^Name' | awk '{print $1}')
do
    echo "frame $frame:"
    hmcrun "lssyscfg -r lpar -m $frame --all"
    echo ""
    echo "Memory in LPARs:"
    echo "allocated free lmb_size max min partition system partition_name"
    hmcrun "lshwres -r mem -m $frame --all" | grep -v '^allocated'
    echo ""
    # one profile listing per LPAR in this frame
    for lpar in $(hmcrun "lssyscfg -r lpar -m $frame --all" | grep -v '^Name' | awk '{print $1}')
    do
        hmcrun "lssyscfg -r prof -m $frame -p $lpar --all -z"
        echo ""
    done
done
6. Literature References
From http://www.redbooks.ibm.com
- Castro et al., "Managing AIX Server Farms," SG24-6606-00, June 2002, Chapter 4.
- Barker et al., "Effective System Management Using the IBM Hardware Management Console for pSeries," SG24-7038-00, August 2003, Chapter 9.
From http://www-106.ibm.com/developerworks (search for "authentication")
- Common threads: OpenSSH key management, Part 1
- Common threads: OpenSSH key management, Part 2