Privileges, Login security, Ssh key administration – HP Integrated Lights-Out 2 User Manual
Page 44: Privileges login security
The iLO 2 firmware can be configured to use a directory to authenticate and authorize its
users. This configuration enables a virtually unlimited number of users, and easily scales to the
number of Lights-Out devices in an enterprise. Additionally, the directory provides a central point
of administration for Lights-Out devices and users, and the directory can enforce a stronger password
policy. iLO 2 enables you to use local users, directory users, or both.
Two configuration options are available:
• To use a directory that has been extended with HP Schema, see directory integration” (page 136)
• To use the directory default schema (schema-free), see “Setting up Schema-free directory
Privileges
The iLO 2 firmware enables the administrator to control user account access to iLO 2 functions
through the use of privileges. When a user attempts to use a function, the iLO 2 system verifies
that the user has the privilege before the user is allowed to perform the function.
Each feature available through iLO 2 can be controlled through privileges, including Administer
User Accounts, Remote Console Access, Virtual Power and Reset, Virtual Media, and Configure
iLO 2 Settings. Privileges for each user can be configured on the User Administration page of the
Administration tab.
Login security
iLO 2 provides several login security features. After an initial failed login attempt, iLO 2 imposes
a delay of five seconds. After a second failed attempt, iLO 2 imposes a delay of 10 seconds. After
the third failed attempt, and any subsequent attempts, iLO 2 imposes a delay of 60 seconds. All
subsequent failed login attempts cycle through these values. An information page appears during
each delay. This continues until a valid login is completed. This feature assists in defending against
possible dictionary attacks against the browser login port.
The iLO 2 firmware saves a detailed log entry for failed login attempts, which imposes a delay of
60 seconds.
SSH key administration
The iLO 2 firmware enables you to authorize up to four SSH keys at one time on the SSH Key tab.
The SSH Key tab also displays the owner (if any keys are authorized) of each authorized SSH key.
Multiple keys can belong to a single user.
To add an authorized key to iLO 2, the public key path must be submitted to iLO 2. The key file
must contain the user name after the end of the key. iLO 2 associates each key with a local user
account. If the local account does not exist or if it is deleted, the key is invalid (the key is not listed
if the local account does not exist).
Alternatively, you can authorize SSH keys for an HP SIM server by running the mxagentconfig tool
from the HP SIM server and specifying the address and user credentials for iLO 2. See your HP
SIM documentation for more details.
To authorize a new key:
1. In the iLO 2 interface, click Administration>Security>SSH Key.
2. Click Browse, and locate the key file.
3. Click Authorize Key.
You can view or delete any previously authorized key by selecting the key, and clicking View
Selected Key or Delete Selected Key. The View Selected Key and Delete Selected Key buttons only
appear when SSH keys are installed.
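A check to run on a key file before submitting it, covering the requirements described above: a user name after the end of the key, a matching local account, and the four-key limit. This is an added example, not part of the HP manual. It assumes the file holds a single OpenSSH-format public key line, which this page does not state; the function names, the `local_users` set and the sample key are hypothetical and constructed for illustration.

```python
import base64
import struct

MAX_AUTHORIZED_KEYS = 4  # limit stated on this page


def parse_pubkey_line(line):
    """Split 'type base64 [user]' and check the blob names the same type."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not a 'type base64 [user]' line")
    key_type, b64 = parts[0], parts[1]
    user = parts[2].strip() if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError("key body is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # An OpenSSH key blob starts with a length-prefixed algorithm name.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("algorithm name in blob does not match type field")
    return key_type, user


def check_key_file(text, local_users, already_authorized=0):
    """Return a list of problems; an empty list means ready to submit."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        return ["expected exactly one key line, found %d" % len(lines)]
    try:
        _, user = parse_pubkey_line(lines[0])
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not user:
        problems.append("no user name after the end of the key")
    elif user not in local_users:
        problems.append("user %r is not a local account" % user)
    if already_authorized >= MAX_AUTHORIZED_KEYS:
        problems.append("four keys are already authorized")
    return problems


def sample_key_line(key_type="ssh-rsa", user="admin1"):
    """Constructed input: a correctly framed blob, not a usable key."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + bytes(16)
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), user)
```

Because a key is invalid once its local account is deleted, the same check is worth re-running against the current account list when auditing which authorized keys are still live.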
44
Configuring iLO 2