
Management Agent on Unix

On Unix, the Sysmonitor process (ssh-mgmt-sysmonitor) performs the Management Agent tasks. The client also needs an ICB (Initial Configuration Block) file at installation time to connect to the management system.

Sysmonitor (ssh-mgmt-sysmonitor) carries out the following tasks:

  • starts other processes and restarts them if they crash

  • logs all restarts and controls the restart rate

  • kills other processes if it is itself killed

  • passes command-line options to other processes

  • connects to the Management Agent (based on the ICB file) and handles all restarts related to the management connection

  • handles encryption and authentication of packets (host-to-host protection [3DES+SHA1] and link protection [TLS])

  • passes system information to the Management Agent (OS, OS version, etc.)

  • performs the Management Agent software updates and uninstallations

  • performs updates and uninstallations for the managed Tectia software

  • searches for installed Secure Shell (client) binaries (ssh, ssh1, ssh2) in /usr/local/bin, /usr/bin, /bin, /usr/pkg/bin, /usr/opt/bin, /opt/bin, and /opt/ssh2/bin (on HP-UX), finds out the vendor, the version number, the SSH product package (workstation vs. server) and the license code, and reports them to the Management Agent

  • installs /var/run/sshmgmt-temp-log (on HP-UX, /var/opt/ssh-mgmt/sshmgmt-temp-log) into /etc/syslogd.conf, reads log messages from that file, and rotates it daily or whenever it exceeds one megabyte (this is used to extract Secure Shell related log messages and send them to the Management Agent)

  • sends host public-key information to the Management Agent, and allows the Management Agent to manipulate (add, update, delete, query) the known hosts (public key) database

  • allows the Management Agent to update system-wide Secure Shell configuration file(s), restarts Secure Shell servers, and reverts to the old configuration if Secure Shell servers do not start
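
The binary search described in the list above can be reproduced as an independent audit check on a managed host. This is an added example, not Tectia code: the directories and binary names are the ones listed on this page, `find_ssh_binaries` is a hypothetical helper, and it assumes each binary prints its version when run with `-V`.

```shell
#!/bin/sh
# Added example: inventory SSH client binaries in the directories Sysmonitor
# searches. SSH_DIRS and SSH_NAMES are taken from the list on this page;
# find_ssh_binaries is a hypothetical helper name.
SSH_DIRS="/usr/local/bin /usr/bin /bin /usr/pkg/bin /usr/opt/bin /opt/bin /opt/ssh2/bin"
SSH_NAMES="ssh ssh1 ssh2"

# Prints one line per binary found: "<path>|<first line of -V output>".
# Arguments: directories to search (defaults to SSH_DIRS).
find_ssh_binaries() {
    [ $# -gt 0 ] || set -- $SSH_DIRS
    seen=" "
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # Resolve the directory physically so that a symlinked directory
        # (for example /bin -> /usr/bin) is reported only once.
        real=$(cd "$dir" 2>/dev/null && pwd -P) || continue
        case "$seen" in *" $real "*) continue ;; esac
        seen="$seen$real "
        for name in $SSH_NAMES; do
            bin="$real/$name"
            [ -f "$bin" ] && [ -x "$bin" ] || continue
            # Do not execute a binary that any local user could have replaced.
            if [ -n "$(find -L "$bin" -perm -0002 -print 2>/dev/null)" ]; then
                ver="NOT EXECUTED (world-writable)"
            else
                # Assumption: the binary reports its version with -V.
                ver=$("$bin" -V 2>&1 </dev/null | head -n 1)
            fi
            printf '%s|%s\n' "$bin" "${ver:-unknown}"
        done
    done
    return 0
}

# With no arguments, scan the default directory list.
find_ssh_binaries "$@"
```

Comparing this output with what the management system shows for the host is a quick way to spot client binaries that have appeared outside managed updates.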

Hostname Resolution Mechanism

The Management Agent detects the hostname of a managed host and reports it to the Management Server. It determines the fully qualified domain name (FQDN) and tries to find a globally resolvable hostname (compared to what the host reports as its name), because this is important for host key naming and distribution.

The hostname resolution can be configured using the /etc/opt/ssh-mgmt/agent/agent-sysinfo.dat file on managed hosts. Instructions on configuration options are included in the comments of the file.



