HP-UX Compartment Login Using Secure Shell (SSH)
• ListenAddress specifies the local addresses that the sshd listens on. The default is to listen on all
local addresses, but you must configure this parameter for the IP address associated with the
compartment that sshd is running in.
• PidFile specifies the file in which the particular instance of sshd records its process ID. The
location of this file must be different for each instance of sshd, otherwise the instances overwrite each other's PID file.
Example:
You plan to start two sshd instances in two different compartments: cmpt1 and cmpt2. Then, you
must have two copies of the configuration file, one for each compartment, as follows:
# cp /opt/ssh/etc/sshd_config /opt/ssh/etc/sshd_config_cmpt1
# cp /opt/ssh/etc/sshd_config /opt/ssh/etc/sshd_config_cmpt2
Every compartment has a dedicated physical or logical interface (IP address) for itself. To have one
sshd in every compartment, configure this IP address as the value for the ListenAddress
configuration parameter in the sshd configuration file.
Configure a unique file name for the PidFile configuration parameter in the sshd configuration
file. This file stores the process ID of the sshd.
In the /opt/ssh/etc/sshd_config_cmpt1 file, use the following values:
ListenAddress 192.1.1.10
PidFile /var/run/sshd_cmpt1.pid
In the /opt/ssh/etc/sshd_config_cmpt2 file, use the following values:
ListenAddress 192.1.1.11
PidFile /var/run/sshd_cmpt2.pid
See Appendix B for a sample sshd configuration file.
Starting sshd in the Appropriate Compartment
After you create the compartments, and the configuration files are ready, start each instance of sshd
in the “right” compartment. HP recommends using HP-UX RBAC. For more information about HP-UX
RBAC, see the References section.
In order to use RBAC and the privrun command to start sshd in a compartment, you must create
an entry to allow an appropriately authorized user to run sshd in the specified compartment.
Example:
An instance of sshd should be available to be started in two compartments: cmpt1 and cmpt2. Use
the cmdprivadm command to add an entry allowing any user with the authorization
(hpux.network.service.start, sshd) to run sshd in the specified compartment:
# cmdprivadm add cmd=/opt/ssh/sbin/sshd compartment=cmpt1 \
op=hpux.network.service.start obj=sshd
# cmdprivadm add cmd=/opt/ssh/sbin/sshd compartment=cmpt2 \
op=hpux.network.service.start obj=sshd
Now, any appropriately authorized user (by default, the user root has all the authorizations) can use
the privrun command to start sshd in the required compartment with its configuration file:
# privrun -c cmpt1 /opt/ssh/sbin/sshd -f /opt/ssh/etc/sshd_config_cmpt1
# privrun -c cmpt2 /opt/ssh/sbin/sshd -f /opt/ssh/etc/sshd_config_cmpt2
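The configuration step above is easy to get wrong when more than two compartments are involved: a copied file that still carries the template's ListenAddress (or none at all, which means "listen on every address") silently breaks the one-sshd-per-compartment isolation, and two files sharing a PidFile make the second instance clobber the first's PID record. The following POSIX shell functions are an added example, not code from the HP whitepaper: they generate one sshd_config per compartment from a template and then check that every generated file binds to exactly one non-wildcard address and that no two files share a ListenAddress or a PidFile. The template path and output directory are parameters (the real files live under /opt/ssh/etc on HP-UX); the cmdprivadm and privrun steps are still performed by hand as shown above, because they need the RBAC database on the target host.

```shell
#!/bin/sh
# Added example (not part of the HP whitepaper). Generates per-compartment
# sshd_config files and checks them for the two properties the text requires:
# a compartment-specific ListenAddress and a unique PidFile per instance.

# make_cmpt_config TEMPLATE CMPT ADDR OUTDIR
# Copy TEMPLATE to OUTDIR/sshd_config_CMPT, dropping any ListenAddress or
# PidFile lines it already has, and append the compartment-specific ones.
# Prints the path of the generated file.
make_cmpt_config() {
  template=$1; cmpt=$2; addr=$3; outdir=$4
  out="$outdir/sshd_config_$cmpt"
  awk '$1 != "ListenAddress" && $1 != "PidFile"' "$template" > "$out"
  printf 'ListenAddress %s\nPidFile /var/run/sshd_%s.pid\n' "$addr" "$cmpt" >> "$out"
  echo "$out"
}

# check_bound CONFIG
# Succeed only if CONFIG has exactly one ListenAddress and it is not a
# wildcard; a missing or wildcard ListenAddress would make that sshd accept
# connections on every compartment's address.
check_bound() {
  cfg=$1
  n=$(awk '$1 == "ListenAddress" { c++ } END { print c + 0 }' "$cfg")
  addr=$(awk '$1 == "ListenAddress" { print $2; exit }' "$cfg")
  [ "$n" -eq 1 ] || return 1
  case "$addr" in
    0.0.0.0|::|'') return 1 ;;
  esac
  return 0
}

# check_unique DIR KEY
# Succeed only if no two DIR/sshd_config_* files carry the same value for
# KEY (ListenAddress or PidFile); prints any duplicated value on stderr.
check_unique() {
  dir=$1; key=$2
  dup=$(awk -v k="$key" '$1 == k { print $2 }' "$dir"/sshd_config_* | sort | uniq -d)
  [ -z "$dup" ] || { echo "duplicate $key: $dup" >&2; return 1; }
}

# Usage, with a constructed template (assumed paths, not the HP-UX ones):
#   make_cmpt_config /tmp/sshd_config.tmpl cmpt1 192.1.1.10 /tmp/out
#   make_cmpt_config /tmp/sshd_config.tmpl cmpt2 192.1.1.11 /tmp/out
#   check_bound /tmp/out/sshd_config_cmpt1 && check_unique /tmp/out PidFile
```

Run the checks once after generating every file and before any privrun, so that a reused address or PID path is caught while it is still a configuration error rather than a running daemon in the wrong compartment.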