Access to the hpss_server_acl program, the hpssuser program, the HPSS DB2 database, and all
HPSS utility programs should be closely guarded. An operator with permission to run these tools
could modify the type of authority granted to anyone by SSM. Note that access to the database by
many of these tools is controlled by the permissions on the /var/hpss/etc/mm.keytab file.
Here is an example of using the hpss_server_acl utility to set up a client's permissions to be used when
communicating with the SSM server. Note that the default command should be used only when creating
the acl for the first time, as it removes any previous entries for that server and resets all the server's
entries to the default values:
% /opt/hpss/bin/hpss_server_acl
hsa> acl -t SSM -T ssmclient
hsa> show
hsa> default # Note: ONLY if creating acl for the first time
hsa> add user <username> <permissions>
hsa> show
hsa> quit
If the acl already exists, this command sequence gives user 'bill' operator access:
% /opt/hpss/bin/hpss_server_acl
hsa> acl -t SSM -T ssmclient
hsa> show
hsa> add user bill r--c--t
hsa> show
hsa> quit
Removing an SSM user or modifying an SSM user's security level does not take effect until that user
attempts to start a new session. This means that if an SSM user is removed, any existing SSM
sessions for that user will continue to work; access is not denied until the user attempts to start
a new SSM session. Likewise, if an SSM user's security level is changed, any existing sessions for
that user will continue to work at the old security level; the new security level is not recognized
until the user starts a new SSM session.
3.3.2.3. User Keytabs (For Use with hpssadm Only)
A keytab is a file containing a user name and an encrypted password. The keytab file can be used by a
utility program to perform authentication without human interaction or the need to store a password in
plain text. Only the hpssadm utility supports access to SSM with a keytab. Each user who will run the
hpssadm utility will need access to a keytab. It is recommended that one keytab file per user be created
rather than one keytab containing multiple users.
Each keytab file should be readable only by the user for whom it was created. Each host from which the
hpssadm utility is executed must be secure enough to ensure that the user's keytab file cannot be
compromised. An illicit process which gained access to a Kerberos keytab file could gain the user's
credentials anywhere in the Kerberos realm; one which gained access to a UNIX keytab file could gain
the user's credentials at least on the System Manager host.
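The two file-permission requirements above (mm.keytab gating the ACL tools, and each hpssadm user keytab readable only by its owner) can be checked with a small audit function. This is an added example, not from the HPSS Management Guide; the expected owner names, the "mode 0600 or stricter" rule for mm.keytab and any paths passed to it are assumptions.

```shell
#!/bin/sh
# Added example (not from the HPSS Management Guide): audit the permissions on
# an HPSS keytab. The guide notes that /var/hpss/etc/mm.keytab gates database
# access for the ACL tools and that each hpssadm user keytab must be readable
# only by its owner. Owner names and paths used with this script are assumptions.

# check_keytab FILE OWNER
# Returns 0 when FILE is a regular file owned by OWNER with no group/other
# permission bits (mode 0600 or stricter); otherwise prints why and returns 1.
check_keytab() {
    file=$1
    owner=$2
    if [ ! -f "$file" ]; then
        echo "FAIL $file: missing or not a regular file"
        return 1
    fi
    # Owner and octal mode via GNU stat (-c) or, failing that, BSD stat (-f).
    info=$(stat -c '%U %a' "$file" 2>/dev/null) ||
        info=$(stat -f '%Su %OLp' "$file")
    actual_owner=${info% *}
    mode=${info#* }
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL $file: owned by $actual_owner, expected $owner"
        return 1
    fi
    # The last two octal digits are the group and other bits; both must be 0.
    case $mode in
        *00) ;;
        *)  echo "FAIL $file: mode $mode grants group/other access"
            return 1 ;;
    esac
    echo "OK   $file: owner $owner, mode $mode"
    return 0
}

# Typical use on an HPSS host (assumed owner names): the shared database keytab
# belongs to the HPSS server account, each user keytab to that user, e.g.
#   check_keytab /var/hpss/etc/mm.keytab hpss
#   check_keytab /home/bill/hpssadm.keytab bill
if [ $# -ge 2 ]; then
    check_keytab "$1" "$2"
fi
```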
HPSS Management Guide November 2009
Release 7.3 (Revision 1.0) 37