Server Management - Systems Insight Manager
05-16-2010 06:02 PM
Tightening up SSH for SIM
We have an environment that has more than 2000 hosts.
While a few are Windows, the bulk are Unix (i.e. Linux) ProLiant servers that are set up into compute farms of various forms.
All of these have PSPs and trap to HPSIM.
One problem I have is that there is no single owner of the hosts; they are owned in groups by several different parties. Because of this, there is a general security policy that prohibits various types of accounts, including group and global accounts. In general, service accounts are quite OK if they conform to some rules. For example, under Linux most accounts of this type have a login shell of /sbin/nologin, which effectively prevents a user logging in externally.
But this is a problem. HPSIM uses SSH to run tasks on the clients etc. But if it attempts to run these under a global user account which has its shell set to nologin, the SSH session is terminated (or appears to be). An alternative approach is to have different accounts on different hosts with different passwords, but the management of all of this is painful to say the least.
There are other applications that do similar things, but most of them seem to have remote agents which run the tasks under some local account like root or some other account. This sort of thing is also quite acceptable since it is not a general login, and therefore the range of things that can be done is tied down.
As far as HPSIM is concerned, can anyone suggest some way to let HPSIM get into these machines (I assume it will need to be via SSH) but not allow a user to SSH into the same host?
My initial thoughts were to do something like check that the originating host was the CMS and only allow SSH from it and nowhere else, and maybe even only if it was coming from mxdtf.
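As an added illustration (not part of the original post, and not HPE's documented HPSIM setup), this is the kind of OpenSSH restriction the last paragraph describes: the service account keeps a real login shell (sshd runs every remote command through the account's shell, so /sbin/nologin ends the session exactly as observed), and instead the account is pinned to one key that sshd will only accept from the CMS address. The account name hpsim-svc and the CMS address 192.0.2.10 are assumptions; <CMS-PUBLIC-KEY> is a placeholder.

```text
# --- /etc/ssh/sshd_config on each managed ProLiant host (added example) ---
# Assumed names: service account "hpsim-svc", CMS address 192.0.2.10.
# Everything below applies to the service account only; other users on
# the host are not affected by it.
Match User hpsim-svc
    # Key-only: with no password path, the only way in is the CMS key below.
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    PubkeyAuthentication yes
    # Root-owned key file, so the account cannot add keys of its own
    # (AuthorizedKeysFile inside Match needs a reasonably recent OpenSSH).
    AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
    # A task runner has no business tunnelling or opening displays.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no

# --- /etc/ssh/authorized_keys.d/hpsim-svc (owned by root, mode 0644) ---
# from= makes sshd refuse this key from any source other than the CMS,
# and no-pty stops the key being used for an interactive shell.
# <CMS-PUBLIC-KEY> is a placeholder for the CMS's public key material.
from="192.0.2.10",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa <CMS-PUBLIC-KEY> hpsim-cms
```

To confirm what sshd will actually apply for that account and source, run `sshd -T -C user=hpsim-svc,host=cms.example.com,addr=192.0.2.10` on the managed host and check the printed values; if a task turns out to need a terminal, drop only the no-pty option and keep the rest.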