HP-UX Server (SSH)
Connector name |
|
Connector type | PSLang script, |
Type (UI field value) | HP-UX Server (SSH) |
Connector status / support | Customer-Verified Clients may contact Bravura Security support for assistance with this connector. Troubleshooting and testing must be completed in the client's test environment as Bravura Security does not maintain internal test environments for the associated target system. |
The agthpux connector can be used to discover SSH public and authorized keys for accounts on HP-UX servers. This connector can be used to manage temporary SSH trust relationships when granting privileged access to accounts on HP-UX servers.
Note
SSH public key files being added/removed from HP-UX servers must have the comment removed from the file.
The following Bravura Security Fabric operations are supported by this connector (depending on your product license and version):
expire password
check password expiry
administrator reset password
administrator reset+expire password
unlock account *
Note
The unlock account operation is only supported if the HP-UX server is using Trusted Computing Base (TCB) account database files. The unlock account operation will not be supported if Trusted computing enabled? is disabled, see Limitations of untrusted HP-UX servers for additional information.
user verify password
verify+reset password
create account
delete account
disable account
enable account
expire account
create group
delete group
add user to group
delete user from group
check account enabled
check account expiry
check account lock
get server information
unexpire account
List:
accounts
attributes
groups
members
For a full list and explanation of each connector operation, see Connector operations.
See also
Secure Shell for details about agtssh .
Targeting the HP-UX Server system
For each HP-UX Server system, add a target system in Bravura Security Fabric (Manage the system > Resources > Target systems):
Type is HP-UX Server (SSH) (Legacy).
Address uses options described in the table below.
The full list of target parameters is explained in Target system options.
Option | Description |
|---|---|
Options marked with a | |
Script file | Must be set to agthpux.psl (key: script) |
Server | The IP address/domain name of the HP-UX Server server. (key: server) |
Trusted computing enabled? | Select:
See Limitations of untrusted HP-UX servers. (key: tcp) |
Enable SSH public and authorized key discovery | Default is false, select this option to list all SSH public and authorized keys on the server. SSH key files must be in OpenSSH format and must be less than 100,000 KB (by default) in order to be listed. To change the file size limit, modify the maximum file size to parse in unix-sshkey.psl . (key: discoverkeys) |
Privilege escalation type | Select:
If the sudo password is configured to be different than the log-in password, add another set of credentials for sudo and select the System password option. The Administrator ID can be arbitrary. This is the default setting.
(key: privEscType) |
Advanced | |
Port | TCP Port number. Default is 22. (key: port) |
Compression | Select to enable data compression for SSH connections. Default is false. (key: compression) |
Action for host keys | Select AllowAppend (default) or DenyUnmatch. For new targets, AllowAppend is recommended. AllowAppend connects to SSH hosts whose public host keys have been previously recorded and have not been changed, and to SSH hosts whose keys have not been previously recorded. It will reject SSH hosts whose keys were previously recorded but have changed. DenyUnmatch only connects to SSH hosts whose public host keys have been previously recorded and have not been changed. It will reject SSH hosts whose keys have not been previously recorded or were previously recorded but have changed. (key: hostkeys) |
Host keys file | Specify the name of the public host key file. It must be located in the \<instance>\script\ directory. The file consists of a KVGroup with an entry that contains the host information as the key and the hostkey as the value. This information can be extracted from the PuTTY registry entries (HKEY_CURRENT_USER \Software\SimonTatham\PuTTY\SshHostKeys) where "Name" corresponds to the key and "Data" corresponds to the value. (key: file) |
Authentication key file | This attribute can be assigned to the administrator’s private key. This key must have a passphrase assigned which will be entered into the credential password field. Managing of this passphrase is not supported. (key: authkey) |
Timeout for connection | Amount of time the connector will wait for a response. (key: timeout) |
Enable SSH v1? | To enable SSH connection via SSH protocol version 1. (key: enable_ssh_1) |
Enable on reset | Default is "false", which maintains an account’s status (enabled/disabled) after a password reset. Select this option to also enable accounts with password reset. This option is only available if trusted computing is enabled. (key: EnableOnReset) |
Enter the filenames (comma delimited) to get the public keys from. Must be in the user’s /.ssh directory | The public key files to list from the server. Default is "id_rsa.pub,id_dsa.pub". (key: pubkeyfiles) |
Delete all matching keys upon access revocation | Default is true, deselect this option to remove only one copy of the specified public key upon access revocation. (key: delallkeys) |
Calculate SHA1 hashes of discovered public and authorized keys | Default is true, deselect this option to turn off calculation of hashes for public and authorized keys. (key: makekeyhashes) |
Unprivileged and password management operations only | The passwdAccessOnly option is useful for Bravura Pass and Bravura Privilege implementations where only passwords on Unix systems need to be managed. When configuring for passwdAccessOnly with sudo escalation, the sudoer file can be secured down to one command: /usr/bin/passwd . With this authorization, the Modification of the sudoer file would look something like the following example for the psadmin user: psadmin ALL=(ALL) /usr/bin/passwd (key: passwdAccessOnly) |
Max read timeout | The maximum time the connector will read data. Default is 6 seconds. (key: maxReadTimeout) |
Max write timeout | The maximum time the connector will write data. Default is 20 seconds. (key: maxWriteTimeout) |
Max read size | The maximum data read size. Default is 16384 characters. (key: maxReadSize) |
Max read lines | The maximum number of lines to read. Default is 50000 lines. (key: maxReadLines) |
Trace Logging | Provides detailed multiline logging for connectors. Default is None. Other options include Low, Medium, and High. (key: trace) |
Note
The EnableOnUnlock attribute is disabled for all HP-UX Server target systems. This means that enabling an account will never also unlock an account.
The Trace Logging option provides detailed multi-line logging for the connectors and exposes a way to engage trace logging to a file. Trace logging are things that are generally multi-line such as input/output kvg options, http request/response data, and generally verbose data for diagnosing and troubleshooting issues. It provide a simple mechanism to redirect multi-lined information to an output file.
A trace log file is created within the <Program Files path>\Bravura Security\Bravura Security Fabric\Logs\<instance> directory and has a format of trc-<connector-name>-<unix-time>-<process-id>.log.
The Trace Logging option can be found in the advanced section when modifying the target system address configuration page for individual target systems. It can be set to the following values:
None | Default value. Log no trace information and no trace log file is created. |
Low | Contains kvgroup data for the Input KVG and for the Output KVG. |
Medium | Telemetry data for Http Post/Get request/response data. |
High | Not yet used, to be implemented in a future release. |
(key: trace)
Limitations of untrusted HP-UX servers
If Trusted computing enabled? is disabled:
EnableOnUnlock, enable/disable account, and unlock account operations are not supported.
Since there is no control over unlock/enable, password reset will always unlock/enable accounts. Enable and unlock are the same operation in this case.
The isLocked operation will always return "not locked".
Creating a template account
Bravura Security Fabric uses template accounts as models or "blueprints" for creating new accounts on HP-UX Server.
Consult the documentation included with your specific application to learn how to create an account to use as a template in Bravura Identity . You can then add account attributes to determine how new accounts should be created based on the template account’s parameters.
Note
Bravura Security Fabric still requires a template account, even though attributes may or may not be copied from the template account, for example, if the configured action for all account attributes is Set.
Handling account attributes
You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, using the Manage the system (PSA) module. To do this, select HP-UX Server (SSH) (Legacy) from the Manage the system > Resources > Account attributes > Target system type menu.
This section describes the pseudo-attributes that Bravura Security Fabric uses to compose values, set flags, or control behavior on a HP-UX Server.
_skeldir This pseudo-attribute is used for specifying the source directory when creating the home directory for a new account. By default, this pseudo-attribute is ignored on account creation and Bravura Security Fabric uses the system’s skeleton directory as the source.
To specify a different source directory, configure skeldir and set the value to either:
TEMPLATE - to copy the structure and contents of the template account’s home directory
A valid path to a directory - to copy the structure and contents of an existing directory on the target
_deleteHomeDir There are three possible options for deleting the user’s home directory when the account is deleted off the system:
always- delete the home directory when the account is deleted.whensafe- only delete the home directory if it matches the user name and no other accounts use it.never- keep the home directory when the account is deleted.
Bravura Security Fabric will not delete the home directory if the account is not the owner. If no action is defined for _deleteHomeDir , the default action is never.
_archiveHomeDir Specifies a valid path on the target where the account’s home directory will be archived when the account is deleted.
If an invalid path was specified or no action is defined for _archiveHomeDir , the account’s home directory will not be archived.