Operating System - HP-UX

SRP compartment login for non-root users

GXW_1
Frequent Advisor

SRP compartment login for non-root users

Hi,

Can anyone point me in the right direction at some documentation or idiot-guide or anything about how to set up users so they can log in to compartments? I've set up a couple of compartments and SRP out of the box only seems to allow root access. I've added the ssh template to my compartments, and all the RBAC parms look OK to me (e.g. SRPlogin- etc), but does anyone know of a step-by-step guide of the minimum effort required to create the non-root user controls for a compartment? Ideally I'd like to do this with SRP commands rather than using the underlying products - unless I have to?

Whatever I try the non-root users seem to get SSH failed msgs.
Steven E. Protter
Exalted Contributor

Re: SRP compartment login for non-root users

Shalom,

I would suggest that you set up special handling code in /etc/profile

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
GXW_1
Frequent Advisor

Re: SRP compartment login for non-root users

That sounds more like a workaround to me, than getting the product to work as intended. SRP is supposed to handle non-root users to allow them access to specific compartments, but I can't get any non-root user to log in to anything, not even the INIT compartment!
Has anyone ever done this and/or written it up?
I've got close using roleadm and authadm commands but can't quite seem to crack it.
Any specific guidance or examples or links to better docs than just the Admin Guide would be appreciated.
VK2COT
Honored Contributor

Re: SRP compartment login for non-root users

Hello,

a) With the compartment login feature enabled with the default RBAC configuration, all users not assigned to the RBAC Administrator role are denied login access to the system.

b) By default, the Administrator role is assigned only to the root user.

c) You must explicitly add permission for additional users to log in to the INIT compartment by either adding additional users to the RBAC Administrator role or by creating and assigning users to an additional RBAC role authorized to log in to the INIT compartment.

You can use the SRP login service to assign login authorization to an HP-UX user group for specific SRP compartments.

Did you check the manual for compartment_login? I cannot find it from home.

I am not at work (weekend already started in Australia), so I will try to get you more information next week if time permits.

Cheers,

VK2COT
VK2COT - Dusan Baljevic
GXW_1
Frequent Advisor

Re: SRP compartment login for non-root users

G'day VK2COT. Thanks for the reply.

Yes, I've read up on compartment_login, and also read through "Security Containment Admin Guide", and "Compartment Login using SSH White paper" (but even that has a disclaimer in it saying this is a manual process and you should really be using SRP - I just can't find this in the SRP guide).

The latter doc has the following hopeful example...

# roleadm add App1Role
# roleadm assign joe App1Role
# authadm assign App1Role hpux.security.compartment.login "C1"

I checked my config and that's pretty much what SRP does for you except it uses SRPlogin- instead of App1Role.

It says that should allow joe to SSH into C1 but I couldn't get that to work.
I was getting the following:

$ ssh comp1
The authenticity of host 'comp1 (192.168.5.120)' can't be established.
RSA key fingerprint is 98:6b:39:etc..
Are you sure you want to continue connecting (yes/no)?
Host key verification failed.

However, I have now got it working. It appears that I DID have it set up right; it was my test that was invalid. I su'd to my test user then tried SSH to the compartment. That failed, but it worked if I did this from root:

# ssh -l appuser2 comp1

I've no idea why that makes a difference but it does.

I'm confident that non-root user login will work now over SSH from a real NIC once I get that set up too.
Thanks for the replies anyway.


VK2COT
Honored Contributor

Re: SRP compartment login for non-root users

Hello,

How did you su(1m) to a user:

/bin/su username

or

/bin/su - username

There is a big difference.

Cheers,

VK2COT
VK2COT - Dusan Baljevic
GXW_1
Frequent Advisor

Re: SRP compartment login for non-root users

There may be, but in this case both forms produced the same error.

It appears that su'ing to the user followed by ssh with implicit userid does not go through the right code paths from a compartment login perspective.

What is needed is a) ssh -l or b) an ordinary ssh from an external interface.
John_975
New Member

Re: SRP compartment login for non-root users

I suspect the problem is that when you created the SRP compartment you took defaults (which is perfectly reasonable) for the "login" service. SRP assigns the login group (/etc/group) named "adm" to the RBAC role named SRPlogin-. So either you need to
1) assign users to the "adm" group, or
2) assign a different group to the role, or
3) mess with the rbac login rules

For option 2, you can use the following srp command to assign the group "users" to this role:

srp -r -s login login_group=users

or the following RBAC command:
roleadm assign &users SRPlogin-

For option 3, you assign individual users the correct RBAC role without "messing" with login groups:

roleadm assign <username> SRPlogin-

I hope this helps
-john
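VK2COT's reply (a user needs a role authorized for hpux.security.compartment.login on the compartment) and John's reply (SRP ties the SRPlogin- role to a login group, "adm" by default) describe one lookup chain: user -> group -> role -> authorization. The script below walks that chain so an administrator can see which users actually hold compartment-login authorization before suspecting sshd. It is an added example, not code from the thread or from HP's SRP/RBAC tooling. It assumes the rbac(5) file layouts ("user: role" or "&group: role" lines in user_role, "role: (operation, object)" lines in role_auth), uses constructed sample data in place of /etc/group, /etc/rbac/user_role and /etc/rbac/role_auth, and the role name SRPlogin-comp1 is an assumed expansion of the "SRPlogin-" prefix mentioned in the thread. Its wildcard handling (a "hpux.*" operation prefix, a "*" object) is a simplification of what the RBAC library does.

```shell
#!/bin/sh
# Added example, not from the thread: trace an HP-UX RBAC user -> group -> role
# -> authorization chain to see who may log in to a given compartment.
# File layouts follow rbac(5): user_role holds "user: role" (or "&group: role"),
# role_auth holds "role: (operation, object)". All data below is constructed;
# on a real system replace each variable with the contents of /etc/group,
# /etc/rbac/user_role and /etc/rbac/role_auth.

# Constructed stand-in for /etc/group (name:passwd:gid:members).
GROUP_DATA='root::0:root
adm::4:root
users::20:joe,appuser2'

# Constructed stand-in for /etc/rbac/user_role. SRPlogin-comp1 is an assumed
# role name; the "&adm" entry mirrors the default login_group=adm behaviour.
USER_ROLE_DATA='root: Administrator
&adm: SRPlogin-comp1
appuser2: App1Role'

# Constructed stand-in for /etc/rbac/role_auth.
ROLE_AUTH_DATA='Administrator: (hpux.*, *)
SRPlogin-comp1: (hpux.security.compartment.login, comp1)
App1Role: (hpux.security.compartment.login, C1)'

# groups_of USER: space-separated list of groups whose member list names USER
groups_of() {
    printf '%s\n' "$GROUP_DATA" | awk -F: -v u="$1" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) printf "%s ", $1 }'
}

# roles_of USER: roles held directly plus roles granted to any of USER's groups
roles_of() {
    printf '%s\n' "$USER_ROLE_DATA" | awk -F: -v u="$1" -v g="$(groups_of "$1")" '
        BEGIN { n = split(g, ga, " "); for (i = 1; i <= n; i++) grp["&" ga[i]] = 1 }
        { who = $1; role = $2; gsub(/[ \t]/, "", role)
          if (who == u || (who in grp)) printf "%s ", role }'
}

# can_login USER COMPARTMENT: print each held role whose authorization covers
# hpux.security.compartment.login on COMPARTMENT; exit 0 if any, 1 if none.
can_login() {
    printf '%s\n' "$ROLE_AUTH_DATA" | awk -F: -v r="$(roles_of "$1")" -v c="$2" '
        BEGIN { n = split(r, ra, " "); for (i = 1; i <= n; i++) held[ra[i]] = 1; found = 0 }
        {
          role = $1; auth = $2
          gsub(/[ \t()]/, "", auth)          # "(op, obj)" -> "op,obj"
          split(auth, a, ","); op = a[1]; obj = a[2]
          want = "hpux.security.compartment.login"
          opok = (op == want || op == "*")
          if (!opok && op ~ /\.\*$/) {       # "hpux.*" style prefix wildcard
              p = substr(op, 1, length(op) - 1)
              opok = (substr(want, 1, length(p)) == p)
          }
          objok = (obj == c || obj == "*")
          if ((role in held) && opok && objok) { print role; found = 1 }
        }
        END { exit (found ? 0 : 1) }'
}

# Usage on the constructed data:
#   can_login appuser2 C1   -> App1Role
#   can_login joe comp1     -> nothing: joe is only in "users", and the
#                              SRPlogin-comp1 role is tied to "adm"
```

Running `can_login joe comp1` on the sample data returns nothing, which is exactly the situation John describes: joe's group is not the one bound to the SRPlogin- role, so the fix is either `srp -r -s login login_group=users`, `roleadm assign &users SRPlogin-`, or a direct `roleadm assign` of the user, after which the same check shows the role.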