I am performing some work for a small business that has no IT staff. They contract out work from time to time for their IT needs.
What they would like to do is grant access to an AIX 5.3 server for some external customers to perform some application testing. They are running Active Directory and do not want to set up temporary users for the testing purpose. They don't want to accidentally allow users access to other resources other than the AIX server. They are running a T1 line that comes into a switch. They have asked me to provide access to the server. I have some admin experience but only at a beginner to intermediate level. I am looking for a very good option. Here are some of the ideas I have.
1) Attach the server in front of the firewall by connecting it directly to the switch. (Not sure if I can get a static IP though. Not sure what the T1 line allows) I know they have at least one static IP from the T1 provider.
2) Keep the server behind the firewall and use some kind of software like Itivity to grant access to server. But would still have to set up AD accounts.
3) Have them purchase cable and set up a separate network that does not tie into AD. However, I am not sure how I would grant access from the internet, since the IP will be behind the firewall and be a 192.168.x.xx number.
4) Purchase another router and create a secondary network and place the server into the new network. Still don't know how I grant access from the internet because of the 192.168 ip address.
The company wants to keep the server secure as well as proprietary information on other servers. They are very hesitant about setting up external accounts in AD and would prefer direct access to the server that does not involve AD.
Any help would be greatly appreciated.
Accounts/users are needed to access the AIX servers via ssh sessions. There is no way around that. If they don't want temp users in LDAP, they need local users. There are only those two ways.
If they decide to use LDAP users for access, they have to use the following attribute in their LDAP:
hostsallowedlogin SEC_LIST hostsallowedlogin m
If they use another name for this attribute in their MetaDirectory, it has to be changed accordingly in /etc/security/ldap/2307user.map, or whatever map file for users is pointed at in ldap.cfg by
userattrmappath:/etc/security/ldap/2307user.map
As you can see, this attribute is a multi-value attribute (m). They have to add to that attribute all the hostnames (the actual names you get on the AIX hosts when you type the command hostname) that the user should be allowed to log in to. It is a simple filter that works well. The AIX hosts need an LDAP client up and running, connected to their MetaDirectory (LDAP server), of course. The config etc. is for AIX LDAP, not OpenLDAP.
If they have chosen to leave LDAP out altogether, they simply need a local account on the boxes that are being used.
For the network thingy, keep all servers behind the firewall for sure and set up a rule that allows ssh protocol connections from a specific host to a specific host, after successful authentication of course. If the authentication thing at firewall level is a problem, you at least have the authentication against the AIX hosts.
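Added example, not part of the reply above: a stand-alone shell simulation of the hostsallowedlogin filter described there, so you can see what the map line and the multi-valued attribute buy you before touching a real directory. The map fragment, the LDIF entries, the tester user names, the host names and the renamed attribute aixAllowedHosts are all constructed for illustration; the only thing taken from the reply is the map line format (AIX attribute, type, LDAP attribute, s/m).

```sh
#!/bin/sh
# Added example, not from the thread: a stand-alone simulation of the
# hostsallowedlogin filter for LDAP users on AIX. All data below is constructed.

# Constructed fragment in the layout of /etc/security/ldap/2307user.map:
# AIX attribute, type, LDAP attribute name, s(ingle) or m(ulti) valued.
MAP_FRAGMENT='username          SEC_CHAR  uid                s
id                SEC_INT   uidnumber          s
hostsallowedlogin SEC_LIST  hostsallowedlogin  m'

# Same mapping for a directory that stores the list under another name
# (aixAllowedHosts is an assumed name, purely for illustration).
MAP_RENAMED='hostsallowedlogin SEC_LIST  aixAllowedHosts    m'

# Constructed LDIF standing in for what the AIX LDAP client would read from
# the MetaDirectory: tester1 may use two hosts, tester2 one, tester3 has no list.
LDIF='dn: uid=tester1,ou=People,dc=example,dc=com
uid: tester1
hostsallowedlogin: aixtest01
hostsallowedlogin: aixtest02

dn: uid=tester2,ou=People,dc=example,dc=com
uid: tester2
hostsallowedlogin: aixprod01

dn: uid=tester3,ou=People,dc=example,dc=com
uid: tester3'

LDIF_RENAMED='dn: uid=tester4,ou=People,dc=example,dc=com
uid: tester4
aixAllowedHosts: aixtest01'

# Print the LDAP attribute name the map binds to an AIX attribute (third
# field); fail if the AIX attribute is not mapped at all.
ldap_attr_for() {
    name=$(printf '%s\n' "$2" | awk -v a="$1" '$1 == a { print $3; exit }')
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# Print every value of ATTR from the LDIF entry whose uid is USER, one per line.
allowed_hosts_for() {
    user=$1 attr=$2 ldif=$3
    printf '%s\n' "$ldif" | awk -v u="$user" -v a="$attr" '
        BEGIN { RS = ""; FS = "\n" }          # blank-line separated entries
        {
            mine = 0
            for (i = 1; i <= NF; i++) if ($i == ("uid: " u)) mine = 1
            if (!mine) next
            for (i = 1; i <= NF; i++)
                if (index($i, a ": ") == 1) print substr($i, length(a) + 3)
        }'
}

# Decide as the login filter would: exit 0 if HOST (what `hostname` prints on
# the AIX box) is in the user's list. A user with no list is refused here; that
# is this example's deny-by-default choice, not a statement about what AIX
# does when the attribute is absent.
host_login_allowed() {
    user=$1 host=$2 ldif=$3 map=$4
    attr=$(ldap_attr_for hostsallowedlogin "$map") || return 1
    allowed_hosts_for "$user" "$attr" "$ldif" |
        awk -v h="$host" '$0 == h { found = 1 } END { exit found ? 0 : 1 }'
}

# Demo: evaluate each tester against the host this script pretends to run on.
THIS_HOST=aixtest01
for u in tester1 tester2 tester3; do
    if host_login_allowed "$u" "$THIS_HOST" "$LDIF" "$MAP_FRAGMENT"; then
        echo "$u: login on $THIS_HOST allowed"
    else
        echo "$u: login on $THIS_HOST refused"
    fi
done
if host_login_allowed tester4 "$THIS_HOST" "$LDIF_RENAMED" "$MAP_RENAMED"; then
    echo "tester4: allowed through the renamed attribute"
fi
```

The point of the renamed map line is the one the reply makes: the AIX side keeps asking for hostsallowedlogin, and the map file is what translates that into whatever the MetaDirectory actually stores, so a mismatch there silently empties every user's host list.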
Without using LDAP, how would the external users get access to the server? I believe setting up local accounts only allows users within the LAN to access the server, but not from the internet. The external users do not have access to our network and may be at various locations.
When you use the term LDAP, are you referring to Active Directory, which is essentially an LDAP, or are you referring to running LDAP on the AIX server? Your sample gives me the impression that I will need to install LDAP on the server.
Oh, maybe I got on the wrong track when I read "Active Directory" in conjunction with user accounts, sorry for confusing you.
If you don't use LDAP, forget about it. It is a protocol through which a repository/DB/MetaDirectory is accessed for lots of information, especially personalized and authentication information etc.
To grant them access to an AIX box via ssh, they will need a local system account. AFAIK there is no way around it.
To get them access to your network, which is essentially to reach the AIX box, you could set up a VPN. They install a VPN client on their workstations and dial in to your network, authenticating themselves with a username and a password. If this is granted, your firewall rules should apply so they can access the AIX box via ssh (port 22) for example, having to authenticate against the AIX box too, of course.
Which software is needed on your side as a VPN server etc. I do not know, but there should be plenty of guides on the web on how to set up such a thing. AFAIK there is Linux software for that purpose, as well as network hardware available from different manufacturers, Cisco etc., that has a VPN server application built in.
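Added example, not part of the reply above: with local accounts plus a VPN, the remaining worry from the original question (testers reaching anything other than the AIX box, or anyone but the testers reaching it over ssh) can be narrowed on the AIX side with sshd's AllowUsers, which takes user@host entries. The script below holds a constructed sshd_config fragment and a small function that evaluates a user and source address against it the way sshd's user/host pattern check does, so the rule can be sanity-checked before it locks someone out. The address ranges (10.8.0.0/24 as the VPN pool, 192.168.1.0/24 as the office LAN), the account names and the config text are all assumed for the example.

```sh
#!/bin/sh
# Added example, not from the thread: restrict which local accounts may reach
# the AIX box over ssh, and from where, then check the rule the way sshd would.
# The config text and addresses are constructed; 10.8.0.0/24 is an assumed
# VPN address pool and 192.168.1.0/24 the assumed office LAN.

set -f   # no pathname expansion: the '*' in the patterns must stay literal

SSHD_CONFIG='# constructed sshd_config fragment for the AIX test box
Port 22
PermitRootLogin no
PasswordAuthentication yes
# external testers only from the VPN pool; local admin only from the LAN
AllowUsers tester1@10.8.0.* tester2@10.8.0.*
AllowUsers opsadmin@192.168.1.*'

# Exit 0 if USER connecting from ADDR passes the AllowUsers lines in CONFIG.
# Mirrors the OpenSSH rule as far as this example goes: with no AllowUsers
# there is no restriction; otherwise the user must match some entry, and an
# entry written user@host must also match the client address. Patterns use
# shell-style * and ?, which is the syntax sshd's pattern matcher accepts.
ssh_user_allowed() {
    user=$1 addr=$2 config=$3
    entries=$(printf '%s\n' "$config" |
        awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }')
    [ -n "$entries" ] || return 0
    for e in $entries; do
        case $e in
            *@*) upat=${e%%@*} hpat=${e#*@} ;;
            *)   upat=$e hpat='*' ;;
        esac
        case $user in $upat) ;; *) continue ;; esac
        case $addr in $hpat) return 0 ;; esac
    done
    return 1
}

# Demo: a tester from the VPN, the same tester straight from the internet,
# root from the VPN, and the admin from the LAN.
for probe in "tester1 10.8.0.7" "tester1 203.0.113.5" \
             "root 10.8.0.7" "opsadmin 192.168.1.20"; do
    set -- $probe
    if ssh_user_allowed "$1" "$2" "$SSHD_CONFIG"; then
        echo "$1 from $2: permitted by AllowUsers"
    else
        echo "$1 from $2: refused by AllowUsers"
    fi
done
```

Two caveats a practitioner would add: AllowUsers only narrows ssh logins, so the firewall rule from the earlier reply (ssh from the VPN pool to the AIX box only, nothing else reachable) is still what keeps the testers away from the other servers; and because the testers' local accounts are temporary, give them an expiry on the AIX box (the expires user attribute, set with chuser, takes a MMDDhhmmyy value) so they do not outlive the testing.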