21 privilege elevation, Two-factor authentication, Enabling and disabling two-factor authentication – HP Systems Insight Manager User Manual

21 Privilege elevation

Privilege elevation enables users without root privileges to run tools requiring root privileges on
HP-UX, Linux, and VMware ESX managed systems. To use this feature with HP SIM, a privilege
elevation utility such as su, sudo, or Powerbroker must be installed on the managed system. Typically,
these utilities are used to sign in as a normal user, then when you want to run a program requiring
root, prefix the command line for that program with the privilege elevation utility's executable. For
example sudo rm /private/var/db/.setupFile. Some of these utilities can be configured
to prompt the user for a password before allowing root access.

For HP SIM to run tools on managed systems using privilege elevation, HP SIM must be configured
to know which user to use to sign in to the managed systems, how to prefix the command line that
it will run, and whether or not the privilege elevation utility will prompt for a password. This is
configured either from the First Time Wizard, or from the Options menu by selecting
Options

→Security→Privilege Elevation. You can configure different values of these settings for Unix

and Linux systems versus VMware ESX systems.

IMPORTANT:

Whenever privilege elevation is enabled, the other tools, which make use of

privilege elevation, must provide the privilege elevation password.

Once you have configured HP SIM to use privilege elevation, it determines if a tool needs privilege
elevation by looking at the tool's execute-as parameter. This is the user the tool should be run as
on the managed system. If this parameter is specified as root in the tool's tool definition file (tdef),
then HP SIM will invoke privilege elevation. If this parameter is not specified in the tdef, then HP
SIM defaults the value of execute-as to be the identity of the user invoking the tool within HP
SIM. If this user is logged in as root, then privilege elevation will also be used.

When HP SIM determines that privilege elevation should be used, it uses SSH to sign in to the
remote system with the user that was configured in the privilege elevation settings page (a specific
user, the user who is currently signed into HP SIM, or a user specified at runtime). If the user must
be specified at runtime, or if a password is required for privilege elevation, these prompts appear
on the Task Wizard page that collects any parameters necessary to run a tool. After HP SIM is
signed into the remote system through SSH, it invokes the command for the tool, prefixed by the
privilege elevation utility executable, and supplies the password if required.

Two-factor authentication

The two-factor authentication is an alternative technique that an full rights user can configure as a
logging mechanism for HP SIM. This signin technique offers a more secure communication than
the user name and password technique, as it requires two factors to sign in to the system. The two
factors are:

•

Smartcard

•

Personal Identification Number (PIN)

Two-factor authentication is applicable to HP SIM's web interface and is applicable to port 50000.

Enabling and disabling two-factor authentication

HP SIM uses user name and password mode of signin by default. The two-factor authentication
technique can be enabled or disabled from the GUI by selecting Options

→Security→Two-factor

Authentication

→Change Authentication Mechanism. The same can be configured through the

command line interface:

mxauthnconfig –m 0|1

After enabling or disabling two-factor authentication, the HP SIM service must be restarted for the
changes to take effect. Only one authentication technique will be enabled at a time. All users will
be authenticated based on the currently enabled authentication technique.

110

Privilege elevation