12-21-2007 11:11 AM
Security Info
We run our Apps shutdown script [e.g. boxB] from the DB server [e.g. boxA] before the backup script, using remote login [rlogin/rsh] without a password. As per the security audit it's a risk, as the remote login is without a password. I am wondering, is there any way we can make it more secure? We should be able to do the following:
1. Stop the application in boxB before the backup on BoxA
2. After backup completion start the application on BoxB
I appreciate your help.
Thx,
Abhijit
12-21-2007 11:18 AM
Re: Security Info
I think you are using remsh; using ssh for the connection will make your connection more secure.
Hasan
12-22-2007 04:55 PM
Re: Security Info
12-24-2007 12:33 AM
Re: Security Info
So make sure that no other (personal) users are using this account, and to make sure that this user cannot do anything else, you can use a restricted shell.
If you create a shell that does the stop/start and then an exit, the user will never get a prompt.....
12-24-2007 05:17 AM
Re: Security Info
In your environment with DB-server and Application servers, it is normal to grant the DB-server access to the AS's (and not the other way around) - in order to be able to do proper startup/shutdown for the entire Application.
---
Using ssh is very easy once you have started using it. Availability depends on which UX release you have. You might need to download and install it separately.
You should use the SSH commands ssh, scp, sftp instead of rsh, rcp, ftp.
For login to the system you should forget telnet and rather use ssh. If you use a PC I can recommend the simple and easy Putty terminal emulator. Note that you normally tunnel X-display through the SSH connection - and this simplifies your DISPLAY setup.
(tunnel X using ssh: ssh -X user@host)
(tunnel X using Putty - separate config check value)
--- back to your question...
Config SSH:
Let's say you have a DB-user named {sid}adm
root@BoxA# su - {sid}adm
{sid}adm> ssh-keygen
Generating public/private rsa key pair.
Please be patient.... Key generation may take a few minutes
Enter file in which to save the key (/home/{sid}adm/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/{sid}adm/.ssh/id_rsa.
Your public key has been saved in /home/{sid}adm/.ssh/id_rsa.pub.
The key fingerprint is:
15:7a:8e:c7:b7:3f:dd:c8:72:cb:b8:3f:ea:22:2b:85 {sid}adm@BoxA
{sid}adm> # the keys were written to ~/.ssh, so make the backup copies there
{sid}adm> cd ~/.ssh
{sid}adm> # backup copy of public key
{sid}adm> cp -p id_rsa.pub id{sid}adm.pub
{sid}adm> # backup copy of private key
{sid}adm> cp -p id_rsa id{sid}adm-privkey
NB! Do not enter a passphrase - as this would lead to a prompt for password.
The reason for the backup copy is to avoid being forced to distribute new keys if someone should run ssh-keygen by mistake and overwrite your keys...
The ~/.ssh/id_rsa is the Private key for your {sid}adm user (and should be secured - default permission 600)
The id_rsa.pub is the Public part of this keypair, and is the key you must copy to BoxB. A host can use this key to verify that you are really {sid}adm from BoxA.
Configuring BoxB:
1) Install SSH (if not already present)
(nb! user can be any user you want to grant {sid}adm@BoxA access to without password)
user@BoxB> cd ~/.ssh/
user@BoxB> scp {sid}adm@BoxA:~/.ssh/id_rsa.pub ./id_{sid}adm_BoxA
user@BoxB> cat ./id_{sid}adm_BoxA >> ./authorized_keys
(nb! sometimes the file is named authorized_keys2)
Now you should be able to make a connection from {sid}adm@BoxA to user@BoxB
Try:
{sid}adm@BoxA> ssh user@BoxB ll
Check the syslog if you get errors.
Read manpages and documentation for defining security-levels for SSH.
---- Also keep in mind ----
If you run your DB-server in an MC/SG cluster, you might need to generate a key (ssh-keygen) for each node, and add each of these keys to the user@BoxB's authorized_keys file.
Have a nice Christmas and a Happy New (secured) Year :-)
/Tor-Arne
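Added example, not part of any post in this thread: since the key generated above has no passphrase, whoever obtains id_rsa can log in as user@BoxB, so the key can be tied to the stop/start task with a forced command in authorized_keys, in the spirit of the restricted-shell suggestion earlier in the thread. The wrapper name, its install path and the stop/start script paths are assumptions.

```shell
#!/bin/sh
# app-control.sh: forced-command wrapper on BoxB (added example; hypothetical name).
# Put the options below in front of the key copied from BoxA in
# user@BoxB's ~/.ssh/authorized_keys, all on one line (key body elided):
#   from="BoxA",command="/usr/local/bin/app-control.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... {sid}adm@BoxA

# Hypothetical locations of the application stop/start scripts; adjust to yours.
APP_STOP=${APP_STOP:-/opt/app/bin/stop_app.sh}
APP_START=${APP_START:-/opt/app/bin/start_app.sh}

# Map the command the client asked for onto the two allowed actions.
# Anything else (including an interactive login, where the request is empty)
# is refused, so this key can never be used to get a shell on BoxB.
app_control() {
    case "$1" in
        stop)  "$APP_STOP" ;;
        start) "$APP_START" ;;
        *)
            # Record the refused request so misuse of the key shows up in syslog.
            logger -p auth.warning -t app-control "denied request: '$1'" 2>/dev/null
            echo "app-control: only 'stop' or 'start' is permitted" >&2
            return 126
            ;;
    esac
}

# sshd sets SSH_CONNECTION for every session and stores the command line the
# client requested in SSH_ORIGINAL_COMMAND; the forced command runs instead of it.
if [ -n "${SSH_CONNECTION:-}" ]; then
    app_control "${SSH_ORIGINAL_COMMAND:-}"
    exit $?
fi
```

From BoxA the backup script then runs `ssh user@BoxB stop` before the backup and `ssh user@BoxB start` after it. Any other request, such as `ssh user@BoxB ll`, is refused and logged.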
12-27-2007 09:15 AM
Re: Security Info
I really appreciate all the suggestions.
I will work on the ssh [public/private key] which looks to me more secure than what we have now.
Thank you once again and wish a happy new year to you and your family.
With warm regards,
Abhijit