Safe and Powerful: Security in HP-UX System Management Homepage (SMH)

User. After operating system groups are added, the operating system administrator can add
operating system users into these operating system groups.
Each SMH access level can be assigned up to five operating system groups. The SMH
installation enables you to assign the operating system groups to SMH. SMH will not allow
adding an operating system group if the specified operating system group is not defined in
the operating system.
The accounts used for SMH need not have elevated access on the host operating system. Any
SMH user with administrative privilege can assign operating system user groups to each
access level of SMH. As a result, all accounts in each operating system user group have
access to SMH at the level specified in the User Groups window.
Kerberos authentication
Administrative access to SMH can be controlled by setting up an SMH User Group, which in
turn maps to a UNIX Group. The UNIX Group can be a group local to the HP-UX system or
can be a group that is maintained in a Directory Service such as Active Directory (as long as
Kerberos and LDAP-UX are installed and configured on the HP-UX system).
Once Kerberos authentication is configured, along with the SMH User Group, users can
log in to SMH as themselves and will have Administrative authority. There would be no reason
to log in to SMH directly as root.
SMH uses the 'sysmgthp' service. Since this service is not configured in pam.conf by default,
the PAM engine will use the OTHER service, which does not have pam_krb5 configured. By
adding the following to pam.conf, you can log in to SMH as a user defined in Active
Directory, after configuring the user's group in Settings -> System Management Homepage ->
Security -> User Groups.
sysmgthp auth required libpam_hpsec.so.1
sysmgthp auth sufficient libpam_krb5.so.1
sysmgthp auth required libpam_unix.so.1 try_first_pass
sysmgthp account required libpam_hpsec.so.1
sysmgthp account sufficient libpam_krb5.so.1
sysmgthp account required libpam_unix.so.1
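The fallback described above can be checked before and after editing pam.conf. The following is an added example, not part of the HP paper: it resolves the stack a service actually gets (its own entries, or OTHER when it has none) and reports whether pam_krb5 is in it. The function names and the sample OTHER lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the HP paper. Reads pam.conf-style text on stdin.

# effective_stack SERVICE TYPE
# Prints the lines PAM would apply: the service's own entries if it has any
# for TYPE, otherwise the OTHER entries (the fallback the text describes).
# Assumption: service and type tokens are matched case-insensitively.
effective_stack() {
    awk -v svc="$1" -v typ="$2" '
        /^[ \t]*#/ || NF < 4          { next }   # comments, blank or short lines
        tolower($2) != tolower(typ)   { next }
        tolower($1) == tolower(svc)   { own[++n] = $0 }
        tolower($1) == "other"        { oth[++m] = $0 }
        END {
            if (n > 0) { for (i = 1; i <= n; i++) print own[i] }
            else       { for (i = 1; i <= m; i++) print oth[i] }
        }'
}

# uses_krb5 SERVICE TYPE: exit 0 if libpam_krb5 is in the effective stack.
uses_krb5() {
    effective_stack "$1" "$2" | grep -q 'libpam_krb5'
}

# Constructed samples. SAMPLE_DEFAULT has only OTHER entries; SAMPLE_SMH adds
# the six sysmgthp lines from the paper.
SAMPLE_DEFAULT='# constructed sample
OTHER auth required libpam_unix.so.1
OTHER account required libpam_unix.so.1'
SAMPLE_SMH="$SAMPLE_DEFAULT
sysmgthp auth required libpam_hpsec.so.1
sysmgthp auth sufficient libpam_krb5.so.1
sysmgthp auth required libpam_unix.so.1 try_first_pass
sysmgthp account required libpam_hpsec.so.1
sysmgthp account sufficient libpam_krb5.so.1
sysmgthp account required libpam_unix.so.1"

for name in SAMPLE_DEFAULT SAMPLE_SMH; do
    eval "text=\$$name"
    for typ in auth account; do
        if printf '%s\n' "$text" | uses_krb5 sysmgthp "$typ"
        then echo "$name sysmgthp/$typ: pam_krb5 present"
        else echo "$name sysmgthp/$typ: no pam_krb5 in effective stack"
        fi
    done
done
```

To check a real system, feed the functions the live file, for example `uses_krb5 sysmgthp auth < /etc/pam.conf`.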
Timeout variables
The SMH configuration is based on environment variables and tags that are set by the
/opt/hpsmh/lbin/envvars, /opt/hpsmh/conf.common/smhpd.xml and
/opt/hpsmh/conf/timeout.conf files. To change the default configuration, you can
modify the files to set the values of the variables and tags. Table 1: SMH
Configuration Timeout Variables describes the variables. These variables can also be set
through the GUI in SMH version A.3.0.0 and later.