compartment_login.5 (2010 09)

compartment_login(5) compartment_login(5)
How to Test a User Login to a Compartment
To test the login to a compartment, run multiple instances of login services in different compartments
with a dedicated IP address. For example, you can start more than one instance of sshd in different
compartments with a dedicated IP address for each of the compartments.
For example, assume that one instance of sshd is running in compartment C1 with IP address IP1 and
another instance of sshd is running in compartment C2 with IP address IP2. When a user with the
hpux.security.compartment.login, C1 authorization tries to connect to the IP1 address, the user will be
allowed to log in to the C1 compartment. When the same user tries to connect to the IP2 address, the
user would be denied access.
Refer to the HP-UX Compartment Login Using Secure Shell (SSH) white paper on how to configure and
start multiple instances of Secure Shell Daemon (SSHD) in different compartments.
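The allow/deny test described above can be scripted. The following is an added example, not part of the HP-UX documentation; the function names, the SSH_BIN variable and the matrix file format are assumptions made for illustration, and it relies on OpenSSH-style client options with key-based login set up for the test users.

```shell
#!/bin/sh
# Added example: automates the allow/deny login test described above.
# Assumptions: OpenSSH-style client options, key-based login for the test
# users, and a caller-supplied matrix file (all names below are hypothetical).

SSH_BIN=${SSH_BIN:-ssh}

# try_login USER ADDRESS -> prints "allowed" or "denied"
try_login() {
    # BatchMode stops ssh from prompting; stdin is redirected so ssh cannot
    # swallow the remaining matrix lines when called from the read loop.
    if "$SSH_BIN" -o BatchMode=yes -o ConnectTimeout=5 "$1@$2" true \
        </dev/null >/dev/null 2>&1; then
        echo allowed
    else
        echo denied
    fi
}

# check_matrix: reads "user address expected" lines from stdin, prints
# PASS/FAIL per line, and returns non-zero if any result differs.
# ssh also fails when an address is unreachable, so give every address at
# least one user who is expected to be allowed as a control.
check_matrix() {
    failures=0
    while read -r user addr expected; do
        case $user in ''|'#'*) continue ;; esac
        actual=$(try_login "$user" "$addr")
        if [ "$actual" = "$expected" ]; then
            echo "PASS $user@$addr $actual"
        else
            echo "FAIL $user@$addr expected=$expected actual=$actual"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Run only when a matrix file is given, with lines such as:
#   user1 IP1 allowed
#   user1 IP2 denied
if [ "$#" -ge 1 ]; then
    check_matrix < "$1"
fi
```
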
Security Restrictions
Users using compartment login must be assigned to roles that have the hpux.security.compartment.login
authorization.
Administrators configuring login compartments must have the authorizations that are required to use the
roleadm and authadm commands. See roleadm(1M) and authadm(1M).
Notes
Once the compartment login feature is enabled, unauthorized users would not be able to log in to the
system using any of the login services (for example, sshd, inetd, xinetd), until the new authorization is
assigned to the user. This inability to log in is true even for those login services running in the
init compartment. Refer to compartments(5) for more information about the init compartment.
To selectively disable the compartment login feature for a login service, use bypass_cmpt_restrict,
which is explained in the pam_hpsec(5) manpage.
AUTHOR
compartment_login was developed by HP.
FILES
/etc/cmpt/cmpt.conf
Compartment configuration file used to enable or disable the compartment login feature.
SEE ALSO
authadm(1M), roleadm(1M), compartments(4), compartments(5), pam_hpsec(5),
HP-UX Compartment Login Release Notes
HP-UX Compartment Login Using Secure Shell (SSH) white paper.
Hewlett-Packard Company HP-UX 11i Version 3: September 2010