HP-UX Compartment Login Using Secure Shell (SSH)
Network Configuration Considerations
HP strongly recommends that every configured IP address have appropriate (separate) route
information. If this is not the case, the network subsystem uses the default (primary) interface for
routing, which can lead to unexpected behavior in network communication. It is possible to create
multiple default route entries that use the same gateway address, but specify a different local interface
(IP address). You can use the route(1m) command to add default route entries:
route add net default <gateway IP> 1 source <local system IP>
This creates an additional default route entry (IRE_GATEWAY) that uses the same gateway node, with
the same hop count of 1, but instead of using the primary address (which is always the default source
address chosen), you specify a different secondary address to be used for the source IP address. To
make this clear for your node configuration, you can set up your netconf file with explicit
ROUTE_SOURCE information for both or all of your default route entries.
In the above example, a default route entry might already exist for the primary interface 192.1.1.9.
You must still create a default route entry (even with the same gateway node) for each of the other
two logical interfaces configured in the system. Create those entries, assuming that the gateway node is
192.1.1.1, as follows:
# route add net default 192.1.1.1 1 source 192.1.1.10
# route add net default 192.1.1.1 1 source 192.1.1.11
To define appropriate routing entries, set the value for the network parameter
ip_strong_es_model to 1 (strongest, for inbound and outbound delivery) or 2 (strong for
outbound only, not inbound). This setting helps ensure that routing choices are accurate based on
addressing. See ndd(1M) for more information about this network parameter. To set the value to 1,
do the following:
# ndd -set /dev/ip ip_strong_es_model 1
To make the above setting persistent across system reboots, set the value in the
/etc/rc.config.d/nddconf file. The following example shows how you can set the value in the
configuration file:
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_strong_es_model
NDD_VALUE[0]=1
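A check for the persistent setting described above, as an added example that is not part of the HP paper: it parses an nddconf-style file and confirms that ip_strong_es_model is present with matching array indices, transport ip, and a value of 1 or 2. The function name strong_es_value, its exit statuses and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the HP paper): audit an nddconf-style file for a
# persistent ip_strong_es_model entry.
#
# strong_es_value FILE
#   status 0, prints value: exactly one entry with transport "ip" and value 1 or 2
#   status 1: parameter absent, so the ndd setting would not survive a reboot
#   status 2: entry unusable (index mismatch, wrong transport, value other
#             than 1 or 2) or listed more than once (a choice of this example)
strong_es_value() {
    awk '
        /^[ \t]*#/ { next }
        {
            # Locate the pieces of KEY[idx]=value without regex field splitting.
            lb = index($0, "["); rb = index($0, "]"); eq = index($0, "=")
            if (!lb || rb < lb || eq != rb + 1) next
            key = substr($0, 1, lb - 1)
            idx = substr($0, lb + 1, rb - lb - 1)
            val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key)
            sub(/[ \t]*#.*/, "", val); gsub(/[ \t"]/, "", val)
            if (key == "TRANSPORT_NAME") transport[idx] = val
            else if (key == "NDD_NAME")  name[idx] = val
            else if (key == "NDD_VALUE") value[idx] = val
        }
        END {
            for (i in name) {
                if (name[i] != "ip_strong_es_model") continue
                if (transport[i] == "ip" && value[i] ~ /^[12]$/) { good++; out = value[i] }
                else bad++
            }
            if (bad > 0 || good > 1) exit 2
            if (good == 0) exit 1
            print out
        }
    ' "$1"
}

# Constructed sample: the value line carries index 1 instead of 0.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_strong_es_model
NDD_VALUE[1]=1
EOF
strong_es_value "$sample" || echo "mismatched indices: status $?"
rm -f "$sample"
```

Point the function at a copy of /etc/rc.config.d/nddconf after editing it; a non-zero status means the running ndd value would not be restored as intended at the next boot.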
Configuring Multiple Instances of SSH
Now that you have made the changes to the compartment configuration allowing sshd to run
correctly, and associated a dedicated IP address, start multiple instances of sshd: one per desired
compartment. This is a two-step process, requiring that each instance of sshd be configured correctly,
and then started in the appropriate compartment.
Multi-instance sshd_config
The sshd configuration file defines various configuration parameters as keyword-argument pairs. The
default configuration file is /opt/ssh/etc/sshd_config, but a separate location (or instance) of
this file can be provided as a command-line option while starting sshd.
To start multiple instances of sshd, you must have a separate copy of this configuration file for every
compartment where the secure shell daemon needs to be started. Modify the two parameters so that they
are compartment-specific:










