Diagnosis Guide

Enhanced Security Option

PSSP 3.4 provides the option of running your RS/6000 SP system with an enhanced level of security, called Restricted Root Access (RRA). This function removes the dependency PSSP has to internally issue rsh and rcp commands as a root user from a node. When this function is enabled, PSSP does not automatically grant authorization for a root user to issue rsh and rcp commands from a node. If you enable this option, some procedures may not work as documented. For example, to run HACMP an administrator must grant the authorizations for a root user to issue rsh and rcp commands that PSSP would otherwise grant automatically.

In AIX 4.3.1, the AIX Remote Command suite was enhanced to support Kerberos Version 5 authentication through DCE. These commands include rsh, rcp, rlogintelnet, and ftp. For SP migration purposes, the AIX remote commands, rsh and rcp, were enhanced to call an SP-supplied Kerberos Version 4 set of rsh and rcp routines. Therefore, the AIX commands /usr/bin/rsh and /usr/bin/rcp (also in /bin/rsh and /bin/rcp) on the SP system support the following authentication methods:

• Kerberos Version 5 (through DCE)
• Kerberos Version 4
• Standard AIX

The previously supplied remote commands are no longer shipped with PSSP. The /usr/lpp/ssp/rcmd/bin/rsh and /usr/lpp/ssp/rcmd/bin/rcp commands are now symbolic links to the AIX commands /usr/bin/rsh and /usr/bin/rcp respectively.

Things to be aware of when using Restricted Root Access (RRA)

When using Restricted Root Access, check this list of potential problems and restrictions:

1. RRA cannot be selectively applied to some nodes on an SP system. If RRA is activated, it takes effect for all nodes.
2. RRA requires that all nodes be a level PSSP 3.2 or higher.
3. After switching to RRA mode, it is advisable to manually verify all authorization files to ensure that no unwanted entries remain.
4. For the use of multiple Boot/Install servers, see Action 5 - Check for multiple Boot/Install servers in RRA mode, secure shell mode, or with AIX Authorization for Remote Commands set to none.
5. HACMP/ES installation and configuration requires manual updates to authorization files when running in RRA mode
6. If running without RRA, and without a Kerberos authorization file, and then RRA is enabled, an empty .klogin file is created. This will prevent anyone from being able to rlogin or telnet to the node. This will effectively prevent the system administrator from accessing the SP system other than through the control workstation.
7. GPFS, IBM Virtual Shared Disk, The IBM Virtual Shared Disk perspective, and HACMP/ES will not start if RRA is enabled.
8. Do not distribute the etc/sysctl.conf file from the control workstation to the nodes when running in RRA mode.
9. Always run the sysctld daemon with the same port number (6680 recommended) across the entire SP system. When using RRA mode, critical PSSP functions rely on sysctl and failures will occur if there is a mismatch in the port number.
10. When running with HACWS, the spsitenv command cannot be used to enable the RRA mode from the backup control workstation. Once RRA has been enabled, the system administrator must manually copy the updated .rhosts and .klogin file from the control workstation to the backup control workstation

Using secure remote commands instead of AIX rsh and rcp commands

PSSP 3.4 provides the ability to remove the dependency that PSSP has on the AIX rsh and rcp commands issued as root, on the control workstation as well as on nodes, by enabling the use of a secure remote command method. It is the system administrator's responsibility to choose the secure remote command software and install it on the control workstation. This software must be installed and running, and the root user must have the ability to issue remote commands to the nodes and control workstation without being prompted for a password or passphrase, before the secure remote command facility is enabled for PSSP. All nodes must be at PSSP 3.2 or later releases before you can enable a secure remote command method.

When using the secure remote commands, the Restricted Root Access (RRA) must also be enabled, limiting the use of remote commands to secure remote commands from the control workstation to the nodes. When this function is enabled, PSSP will use the secure remote command methods enabled for all remote command calls, no longer relying on the AIX rsh and rcp commands.

A public key must be generated for the root ID on the contorl workstation and the boot/install server nodes, and installed on each node, along with the secure remote command software, to ensure that root can issue remote commands from the control workstation and any boot/install server nodes, to the other system nodes, without being prompted for a password or passphrase. Also, either StrictHostNameChecking must be disabled, or the system administrator must generate the known_hosts file such that the PSSP installation process can run without prompting from hostname checking.

To enable the secure remote command method, choose one of these options:

• Issue the spsitenv rcmd_pgm=secrshell dsh_remote_cmd=/bin/ssh remote_copy_cmd=/bin/scp command.
• Invoke smit and update the Site Information Menu to indicate that you want to run with secure remote commands, and specify where the executables are located.

See Step 28 in PSSP: Installation and Migration Guide. The PSSP 3.4 system defaults to using rsh and rcp, and the bin/rsh and bin/rcp executables for remote commands.

PSSP uses three environment variables that can be set by the user, to determine whether the AIX rsh and rcp commands, or a secure remote command method, are in effect. The user can use these environment variables to override the SDR settings for PSSP commands.

It is important to keep these environment variables consistent and pointing to the remote command method that you wish to use. If all three environment variables are null, the default is:

• RCMD_PGM=rsh
• DSH_REMOTE_CMD=/bin/rsh
• REMOTE_COPY_CMD=/bin/rcp

If RCMD_PGM=secrshell and both DSH_REMOTE_CMD and REMOTE_COPY_CMD are null, the default is:

• RCMD_PGM=secrshell
• DSH_REMOTE_CMD=/bin/ssh
• REMOTE_COPY_CMD=/bin/scp

In addition, in PSSP 3.4 you have the ability to set Authorization for AIX Remote Commands to "none" when secure remote commands are enabled. When this is set, PSSP code will not automatically grant authorization for the root user to issue the rsh and rcp commands for a node or the control workstation. Instead, all PSSP remote commands will be run using the secure remote command method enabled. In order to set AIX Authorization for Remote Commands to "none" on any SP system partition , PSSP 3.4 must be installed on all nodes of that partition.

If "none" is enabled, certain functions and procedures may not work as documented. See PSSP: Administration Guide for enabling secure remote commands and the "none" option. Also, see Action 21 - Check installation with secure remote command option enabled for possible problems determination and resolution of secure remote command problems.