HP-UX Secure Resource Partitions (SRP) A.02.01 Administrator's Guide

and key files.
Variable Name: data_path.
Default: /var/hpsrp/compartment_name/opt/ssh.
sshd executable path
The location of the executables for the HP-UX Secure Shell product.
Variable Name: exec_path.
Default: /opt/ssh.
11.1.1.2 Configuration Data
SRP adds entries to the rules file for the SRP compartment to authorize read access to exec_path
and all access to data_path. SRP also adds entries for other SSH directories by including the rules
specified in the /opt/hpsrp/etc/cmpt/sshd.srp_incl file.
11.1.2 The ipfilter Service
The ipfilter service for the sshd template adds IPFilter pass rules that allow inbound connections from
any IP address to reach the compartment sshd daemon. You can also specify additional inbound
destination TCP port numbers for which IPFilter pass rules are created.
11.1.2.1 Input Data
SRP prompts for the following data. You can also specify a variable name and value in the command
line, as described in 13.1 Creating an SRP Compartment or Adding Data to a Compartment.
sshd port number
Specifies the TCP port number on which the compartment sshd will receive
connection requests.
Variable Name: sshd_port.
Valid Input: A TCP port number in the range 1-65535.
Default: 22, the IANA registered port number for SSH login.
IPFilter port numbers
Specifies the local TCP port numbers for IPFilter rules that allow inbound
packets.
Variable Name: ipf_tcp_ports.
Valid Input: One or more TCP port numbers, each in the range 1-65535,
separated by commas.
Default: 22. This is the IANA registered port number for SSH remote login.
11.1.2.2 Configuration Data
If the compartment address is an IPv4 address, SRP adds IPFilter rules to the
/etc/opt/ipf/ipf.conf file. If the compartment address is an IPv6 address, SRP adds IPFilter
rules to the /etc/opt/ipf/ipf6.conf file.
SRP configures rules that allow inbound packets from any remote IP address to the compartment IP
address with the specified destination TCP port numbers.
SRP inserts these rules at the top of the IPFilter rules file and uses the quick keyword, so they take
effect before any rule that follows them in the file.
The IPFilter configuration file already contains rules from the base template to allow all outbound
TCP, UDP, and ICMP packets from the compartment IP address, as described in
Configuration Data.
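As an added example (not SRP's own code, and not the exact rule text SRP writes, which this guide does not reproduce), the following POSIX shell functions emulate what the ipfilter service does for the sshd template: validate the ipf_tcp_ports value, choose ipf.conf or ipf6.conf by address family, generate one inbound pass rule per port in generic IPFilter syntax with the quick keyword, and insert those rules at the top of a rules file. The function names, the scratch file standing in for /etc/opt/ipf/ipf.conf, and the 192.0.2.10 address are constructed for this demonstration.

```shell
#!/bin/sh
# Added example emulating SRP's ipfilter service for the sshd template.
# Not SRP's own code; rule text follows generic IPFilter syntax because
# the guide does not show the exact lines SRP generates.

# Accept a single TCP port in the range 1-65535 (ipf_tcp_ports rule).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Validate a comma-separated ipf_tcp_ports value. On success print the
# ports one per line; on any invalid entry print nothing and fail.
parse_ipf_tcp_ports() {
    ports=$(printf '%s' "$1" | tr ',' '\n')
    for p in $ports; do
        valid_port "$p" || return 1
    done
    printf '%s\n' $ports
}

# Pick the rules file by address family, as 11.1.2.2 describes:
# an IPv6 address (contains a colon) goes to ipf6.conf, IPv4 to ipf.conf.
srp_ipf_file() {
    case "$1" in
        *:*) echo /etc/opt/ipf/ipf6.conf ;;
        *)   echo /etc/opt/ipf/ipf.conf ;;
    esac
}

# Print the inbound pass rules: any remote address to the compartment
# address, one rule per destination TCP port, with "quick" so that no
# later rule in the file can override them.
srp_inbound_rules() {
    addr=$1
    ports=$(parse_ipf_tcp_ports "$2") || return 1
    for p in $ports; do
        printf 'pass in quick proto tcp from any to %s port = %s keep state\n' "$addr" "$p"
    done
}

# Insert the generated rules at the top of a rules file. Hand it a
# scratch copy rather than the live /etc/opt/ipf file when experimenting.
srp_prepend_rules() {
    file=$1; addr=$2; portlist=$3
    rules=$(srp_inbound_rules "$addr" "$portlist") || return 1
    tmp="$file.srp.$$"
    { printf '%s\n' "$rules"; cat "$file"; } > "$tmp" && mv "$tmp" "$file"
}

# Constructed demo: a scratch file standing in for ipf.conf, already
# holding the base template's outbound pass rules for the compartment.
demo=$(mktemp)
cat > "$demo" <<'EOF'
pass out quick proto tcp from 192.0.2.10 to any keep state
pass out quick proto udp from 192.0.2.10 to any keep state
pass out quick proto icmp from 192.0.2.10 to any keep state
EOF
echo "rules file for 192.0.2.10: $(srp_ipf_file 192.0.2.10)"
srp_prepend_rules "$demo" 192.0.2.10 22,2222
cat "$demo"
rm -f "$demo"

# An out-of-range port is rejected before anything is written.
srp_inbound_rules 192.0.2.10 22,70000 || echo "rejected ipf_tcp_ports=22,70000"
```

Because the inbound rules carry the quick keyword and sit at the top of the file, a deny rule added further down for the same port has no effect; to narrow who may reach the compartment sshd, change the `from any` in these rules rather than appending blocks after them.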
11.1.3 The provision Service
The provision service executes the script /opt/hpsrp/bin/util/secsh_setup to provision
(deploy) an sshd service in the SRP compartment.