HP-UX Compartment Login Using Secure Shell (SSH)
Executive Summary
In many deployments where HP-UX Compartmentalization functionality is in use, users and
administrators must log in to a compartment directly. A recent update to the Security Containment
feature supports this by enabling you to set controls on those users who are allowed to log in to a
service running in a specified compartment. This white paper describes how to use this enhancement
in conjunction with multiple instances of the Secure Shell Daemon (sshd) to provide an
access-restricted login service for each desired compartment.
Background
HP-UX Security Containment is a set of enhancements to the base HP-UX operating environment that
provide a greater degree of security and application isolation through user-space and kernel-enforced
access controls. HP-UX 11i Security Containment includes the following components that help mitigate
damages in the event of an application compromise:
Compartments
Compartments enable hosting of multiple applications or multiple instances of an application on a
single operating system instance. Compartments isolate unrelated resources on a system to prevent
catastrophic system damage if one compartment is penetrated. When configured in a compartment,
an application (processes, binaries, data files, and communication channels used) has restricted
access to resources outside its compartment. This restriction is enforced by the HP-UX kernel and
cannot be overridden unless specifically configured to do so. If the application is compromised, it
cannot damage other parts of the system because it is isolated by the compartment configuration.
HP-UX Role-Based Access Control (HP-UX RBAC)
HP-UX Role-Based Access Control (RBAC) is an alternative to the traditional "all-or-nothing" root user
model, which grants permissions to the root user for all operations and denies permissions to non-root
users for certain operations. HP-UX RBAC enables the distribution of administrative responsibilities
through the creation of roles with appropriate authorizations. It can also enable an application to run
in a specific compartment.
Configuring SSH for Compartment Login
Although you can use the compartment access restrictions with any multi-instance-capable login
service, it is expected that the primary use is with SSH. It is assumed that SSH is installed on the target
system as well as the HP-UX Compartment Login product, which is part of the ContainmentExt
B.11.31.01 bundle. This latter bundle enhances the pam_hpsec library to enable restrictions to
compartment access.
NOTE:
While this paper describes a manual process for configuring multiple
instances of sshd for directly logging in to a compartment, this
functionality is automated as part of the HP-UX Secure Resource Partitions
version 2 release. For more information on this feature, go to Software
Depot:
http://www.software.hp.com
To implement compartment login, associate a particular IP address with each compartment that a set
of users might log in to directly. Then, a separate instance of sshd starts in each network accessible










