
KB-2842: How do you configure Centrify-enabled OpenSSH to work with SRP A.02.02 on an HP-UX server?

Authentication Service

12 April,16 at 11:09 AM

Applies to: All versions of Centrify-enabled OpenSSH on HP-UX 11.31 with Secure Resource Partitions (SRP) version A.02.02

Problem: With Centrify-enabled OpenSSH installed, ssh logins to the SRP compartment fail for every user, including root:

root@host[/root] # ssh -l root host03
Compartment access check failed: User is not authorized to login to the compartment associated with this network service.

Root login from the console is allowed.
Connection closed

An SRP compartment behaves like a logical host: it has its own ssh directory under /var/hpsrp/<srpname>/opt/ssh, with its own sshd_config file.
SRP does not provide a separate OS environment per compartment; there is one OS environment per host and the compartments share it (for example, they share the same /etc/passwd). What SRP provides is an isolated execution environment for applications. (SRP can be combined with PRM and RBAC.)

Each compartment has its own compartment home directory tree, isolated from the other compartments. However, once logged in to a compartment you can still see the directory trees of the init compartment and of the other local SRP compartments.

Normally, an application configured inside a compartment is allowed only restricted access to resources outside its own compartment (processes, binaries, data files and the communication channels it uses). That restriction is a matter of compartment rules rather than a hard boundary: rules can be added to grant the application access to those outside resources.

In short, an SRP compartment is essentially a chroot-style environment that shares the kernel and the single adclient with the host. The additional twist is that each compartment may have its own network interface (for IPsec). By default /etc is shared and /usr is read-only, while each compartment has its own root file system. In the failing case, the sshd configured for the SRP compartment does not start, and that is why root cannot log in to it over ssh.

Cause: This is a configuration issue in Centrify-enabled OpenSSH.

Workaround: Until the fix ships, uninstall the CentrifyDC-Openssh package and reconfigure the SRP sshd template; root can then log in to the compartment again.

This will be fixed in a future release of Centrify-enabled OpenSSH.