HP-UX Secure Resource Partitions (SRP) A.02.00 Administrator's Guide

Input Data
SRP prompts for the following data. You can also specify a variable name and value in the command line, as described in “Creating an SRP Compartment or Adding Data to a Compartment” (page 67).

sshd data path
    Specifies the compartment-specific target directory for sshd configuration and key files.
    Variable Name: data_path
    Default: /var/hpsrp/compartment_name/opt/ssh

sshd executable path
    The location of the executables for the HP-UX Secure Shell product.
    Variable Name: exec_path
    Default: /opt/ssh
Configuration Data
SRP adds entries to the rules file for the SRP compartment to authorize read access to exec_path and all access to data_path. SRP also adds entries for other SSH directories by including the rules specified in the /opt/hpsrs/etc/cmpt/sshd.srp_incl file.
The ipfilter Service
The ipfilter service for the sshd template adds rules to allow inbound requests from any IP address to the compartment sshd daemon to pass. You can also specify additional inbound destination TCP port numbers for IPFilter pass rules.
Input Data
SRP prompts for the following data. You can also specify a variable name and value in the command line, as described in “Creating an SRP Compartment or Adding Data to a Compartment” (page 67).

sshd port number
    Specifies the TCP port number on which the compartment sshd will receive connection requests.
    Variable Name: sshd_port
    Valid Input: A TCP port number in the range 1-65535.
    Default: 22, the IANA registered port number for SSH login.
Configuration Data
If the compartment address is an IPv4 address, SRP adds IPFilter rules to the /etc/opt/ipf/ipf.conf file. If the compartment address is an IPv6 address, SRP adds IPFilter rules to the /etc/opt/ipf/ipf6.conf file.
SRP configures rules that allow inbound packets from any remote IP address to the compartment IP address with the specified destination TCP port number. SRP also specifies the keep state keywords to allow outbound responses for these packets.
SRP inserts these rules at the top of the IPFilter rules file and uses the quick keyword.
The IPFilter configuration file already contains rules from the base template to allow all outbound TCP, UDP, and ICMP packets from the compartment IP address, as described in “Configuration Data” (page 42).
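The following shell script is an added illustration, not part of this guide or of the HP SRP product, of what the two Configuration Data sections above describe: the file-access rules the sshd template authorizes (read on exec_path, all on data_path) and the IPFilter pass rules it prepends (inbound TCP from any address to the compartment address, one per port, with the quick and keep state keywords, written to ipf.conf or ipf6.conf depending on address family). All addresses, paths and ports are constructed sample values; the port check enforces the 1-65535 range stated above. The exact "permission <access> <path>" form of the compartment rule lines is an assumption about the HP-UX compartment rules syntax, and the helper names (valid_port, sshd_cmpt_rules, ipf_file_for, sshd_ipf_rules, prepend_rules) are this example's own.

```shell
#!/bin/sh
# Added example (not HP SRP code): render the rules the sshd template would
# add, driven by the same variables SRP prompts for. Values are constructed.

# Accept only an integer in 1-65535, the range the template allows for sshd_port.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Compartment file-access rules: read access to exec_path, all access to
# data_path. The "permission <access> <path>" line form is an assumption
# about the HP-UX compartment rules syntax.
sshd_cmpt_rules() {
  exec_path="$1"; data_path="$2"
  printf 'permission read %s\n' "$exec_path"
  printf 'permission all %s\n' "$data_path"
}

# Choose the IPFilter rules file by address family: a ':' marks IPv6.
ipf_file_for() {
  case "$1" in
    *:*) echo /etc/opt/ipf/ipf6.conf ;;
    *)   echo /etc/opt/ipf/ipf.conf ;;
  esac
}

# One inbound pass rule per TCP port. "quick" makes the rule final on match
# (it is placed at the top of the file), "keep state" lets replies back out.
sshd_ipf_rules() {
  addr="$1"; shift
  for port in "$@"; do
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    printf 'pass in quick proto tcp from any to %s port = %s keep state\n' "$addr" "$port"
  done
}

# Insert generated rules at the top of a rules file, as SRP does, keeping any
# existing rules (for example the base template's outbound rules) below them.
prepend_rules() {
  file="$1"; shift
  tmp="${file}.tmp.$$"
  {
    "$@"
    if [ -f "$file" ]; then cat "$file"; fi
  } > "$tmp" && mv "$tmp" "$file"
}

# Demo with constructed values; prints only, nothing under /etc is touched.
sshd_cmpt_rules /opt/ssh /var/hpsrp/web1/opt/ssh
echo "# would be prepended to $(ipf_file_for 192.0.2.10):"
sshd_ipf_rules 192.0.2.10 22 2222
```

To apply the rules for real you would call prepend_rules with the file returned by ipf_file_for, e.g. `prepend_rules "$(ipf_file_for "$cmpt_addr")" sshd_ipf_rules "$cmpt_addr" "$sshd_port"`, and then reload IPFilter; note that the script refuses any port outside 1-65535 before writing.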
62 Using the sshd Template