Universal Command Server for UNIX - UACL Example

Universal Command Server for UNIX

The following set of rules permit services for the subnet 10.20.30 and denies all other connections unless an X.509 certificate is presented that maps to certificate ID operations.

ucmd_access     10.20.30.,*,*,allow,auth
ucmd_access     ALL,*,*,deny,auth

ucmd_cert_access  operations,*,allow,auth
ucmd_cert_access  *,*,deny,auth


When no certificate is presented that maps to a certificate ID, the following set of rules effectively permit connections from any host but has limited access from host 10.20.30.40 to user TS1004 on that host.

  • No host can execute commands as local user root.
  • User TS1004 on host 10.20.30.40 can execute commands as local user tsup1004 without providing the password.
  • Users TS1004 from host 10.20.30.40 can execute commands as any local user by providing the local user password.

When a certificate is presented that maps to a certificate ID, certificate ID joe can request local user ID tsup1004 without a password.

  • Certificate ID joe is allowed to execute commands with any other local user ID with a password.
  • Certificate ID operations cannot run anything.
  • All other certificate IDs can execute commands with any user ID except for root with a password.
ucmd_access     10.20.30.40,TS1004,tsup1004,allow,noauth
ucmd_access     10.20.30.40,TS1004,*,allow,auth
ucmd_access     10.20.30.40,*,*,deny,auth
ucmd_access     ALL,*,root,deny,auth

ucmd_cert_access   joe,tsup1004,allow,noauth
ucmd_cert_access   joe,*,allow,auth
ucmd_cert_access   operations,*,deny,auth
ucmd_cert_access   *,root,deny,auth

Components

Universal Command Server for UNIX