How to ssh from HMC to a client LPAR w/o passwd?

Status
Not open for further replies.

khalidaaa

Technical User
Jan 19, 2006
2,323
BH
Hi All,

I managed to configure passwordless access from all my LPARs to the HMC, but now I'm looking for the other way around (which is accessing LPARs from the HMC without using passwords).

I can't even run ssh-keygen on the HMC for some reason! It always shouts for an access denied error message!

Does anyone have this working?

I need to run a script that is located in one of the LPARs from HMC!

Regards,
Khalid
 

Just generate the key pair on one of the LPARs and move the private key over. Should work fine. If you're really paranoid about security you should put it on a CD to transfer it so the private key isn't on the network :)
 
Thanks unixfreak for your comment!

I tried this but I couldn't pass the keys for some reason! Whenever I try to copy the keys from the LPAR to the HMC I get a permission denied error!

All my LPARs are using the same .ssh directory so all of them can access each other with no password! I want to do the same for the HMC but couldn't do the copy!

I was trying this command:

scp .ssh/* hscroot@hmc:~/.ssh

It doesn't work!

Regards,
Khalid
 

How about 'scp .ssh/* hscroot@hmc:~' ? Might be permissions on .ssh/ . Can you actually ssh to the ssh and log in?

Or try the CD method if stuck...
 
No, I can't cd to the .ssh as I'm in a trusted shell, I guess!

I've never tried using CDs on the HMC other than the DVD backup! Would I be able to access the CD from within the trusted shell?

Regards,
Khalid
 
Hi there,

there's an important step you have to perform ...

For HMC Version 7.x:
---------------------
- Login to the HMC Graphical Console using hscroot
- Select "HMC Management"
- Select "Remote Command Execution"
- Check the box to "Enable Remote Command Execution Using the ssh facility"
- Select "ok"

For HMC Version 6.x:
---------------------
- There should be the same option somewhere under "HMC Management" -> "HMC Configuration"


Regards
Thomas
 
Thanks Thomas!

I think this is enabled on our HMC but I will double check later! Nice comment!

I won't be able to do this until Sunday unfortunately as I'm away on holiday for now!

Regards,
Khalid
 
Hi khalid,

Maybe I got one more thing for you that could be of some help:

Create a file called authorized_keys2 and put the key into that file.

next try the following:

Code:
scp -p authorized_keys2 hscroot@HMC-IP:/home/hscroot/.ssh/authorized_keys2

After that you should be able to login to HMC without password ...

Regards
Thomas
 
oops ...
Wrong way ...
Just saw you are trying to login TO a client FROM HMC ...
 
You should be able to cat keyfile > .ssh/autho... even if you're in a restricted shell.

CDs are easy, just mount /dev/cd0 I think. Type 'help' to find the right command. It mounts under /media I think. Can't check right now.
 
No can do I'm afraid...

The restricted shell on HMC does not allow redirection. It's a pain, you probably need a PESH password to get to root and install the key that way. You get the PESH password from IBM support. They need the HMC serialno for that so have lshmc -v output at hand when you call.


HTH,

p5wizard
 
Oops, too bad!

I think I will have to think of other ways to do what's in mind!

Thanks all for your effort in helping me! Stars all around.

Regards,
Khalid
 
You wish!

There's no dd command available in the restricted shell session for user hscroot. It's a well protected linux-based black box device...

no shell escape in commands
no cd-ing
cd / chars in command lines allowed
no . in $PATH
no redirection
...

There are (or maybe were?) a few back doors that I won't go into here - after all it's just a linux OS - but you're liable to lose whatever "unsupported" customization you've done that way on a HMC upgrade/fix install...



HTH,

p5wizard
 
Closing remark from my previous post above still holds...


HTH,

p5wizard
 

For information and I'm working this
Note:
At HMC code level 3.2.5 and above, the .ssh subdirectory for an HMC user is owned by root, and difficult to write keys into by the method above. Instead, do the following as aixuser on the aix system:
mykey=`cat $HOME/.ssh/id_rsa.pub`
ssh hmc.domain.com -l hmcuser mkauthkeys -a \"$mykey\"
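
The mkauthkeys registration from the note above, as an added example that is not part of the original post: it wraps the same command in a check that the file being sent is a single OpenSSH public key line, so private key material never leaves the AIX system. The function names and the DRY_RUN switch are assumptions made for this example; the host and user names are the placeholders used in the post.

```shell
#!/bin/sh
# Added example (not from the thread): guard the mkauthkeys registration so
# that only a single OpenSSH *public* key line is ever sent to the HMC.

# is_public_key FILE: succeeds only if FILE holds exactly one public key line.
is_public_key() {
    f=$1
    [ -r "$f" ] || return 1
    # Reject private key material (PEM and OpenSSH formats both carry this marker).
    if grep -q 'PRIVATE KEY' "$f"; then return 1; fi
    # Exactly one non-empty line.
    [ "$(grep -c . "$f")" -eq 1 ] || return 1
    # "<type> <base64 blob> [comment]" with a common OpenSSH key type.
    grep -Eq '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/]+=*( .*)?$' "$f"
}

# register_key PUBKEY_FILE HMC_HOST HMC_USER
# DRY_RUN=1 prints the command instead of contacting the HMC (assumed helper switch).
register_key() {
    if ! is_public_key "$1"; then
        echo "refusing: $1 is not a single public key" >&2
        return 1
    fi
    mykey=$(cat "$1")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'ssh %s -l %s mkauthkeys -a "%s"\n' "$2" "$3" "$mykey"
        return 0
    fi
    # Same command as in the post; the escaped quotes keep the key as one
    # argument on the HMC side.
    ssh "$2" -l "$3" mkauthkeys -a "\"$mykey\""
}

# Example: register_key "$HOME/.ssh/id_rsa.pub" hmc.domain.com hmcuser
if [ "$#" -eq 3 ]; then
    register_key "$@"
fi
```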
 
Thanks biblio for your comment! The problem is that I'm out of the country for now so I won't be able to try this till mid-December!

I will let you know the results once I try it :)

Thanks again.

Regards,
Khalid
 