Centrally managed impersonation
First Claim
1. A method for managing impersonation by an impersonation management system having a central server and at least one remote shell daemon running on at least one remote machine, wherein the central server and the at least one remote shell daemon have a trust relationship, the method comprising:
- receiving, at the central server, a request action from a user requesting connection to the at least one remote machine, the request action including at least a first command and at least a second command;
- authenticating, at the central server, the user;
- retrieving, at the central server, an impersonation policy for the user to act on the at least one remote machine, the impersonation policy specifying first privileges for executing at least the first command on the at least one remote machine on behalf of the user and second privileges for executing at least the second command on the at least one remote machine on behalf of the user, the second privileges being different than the first privileges;
- connecting to the at least one remote machine including relying on the trust relationship between the central server and the at least one remote shell daemon running on the at least one remote machine;
- sending the impersonation policy for the user, including the first privileges and the second privileges, to the at least one remote shell daemon; and
- returning a response to the user, the response indicating execution, or lack thereof, by the at least one remote shell daemon of at least the first command and at least the second command, based on the first privileges and the second privileges, respectively.
Abstract
Systems, methods and computer readable media for centrally managed impersonation are described. Examples include a system having a central server and a remote shell daemon running on a remote machine, wherein a trust relationship is established between the central server and the remote shell daemon. Examples also include a method wherein a user sends the management system a request to act upon a remote machine. The management system determines whether the user is authenticated for the requested action. Upon authentication, the management system identifies an impersonation policy based on user profile and the remote machine. The management system connects to the remote machine, impersonates an elevated privilege account if required, and executes the user action on the remote machine.
21 Claims
13. A method for managing impersonation by an impersonation management system having a central server and at least one remote shell daemon running on at least one remote machine, wherein the central server and the at least one remote shell daemon have a trust relationship, the method comprising:
- accepting, at the at least one remote machine, a connection request for action from the central server on behalf of a user;
- receiving, at the at least one remote machine, an impersonation policy specifying first privileges for executing at least a first command on the at least one remote machine on behalf of the user and second privileges for executing at least a second command on the at least one remote machine on behalf of the user, the second privileges being different than the first privileges;
- receiving, at the at least one remote machine, a user action including at least one of the first command and the second command;
- determining whether the user action requires an elevated privilege to execute at least one of the first command and the second command;
- identifying the elevated privilege based on the impersonation policy if determined;
- impersonating an account with the elevated privilege if identified;
- executing the user action including at least one of the first command and the second command with the elevated privilege if identified; and
- sending a response to the central server.
(Dependent claims: 14, 15)
-
-
19. A networked impersonation management system, comprising:
- a remote machine having a remote shell daemon running on the remote machine; and
- a central server having:
  - a processing unit configured to accept a request to act on the remote machine, the request including at least a first command and at least a second command,
  - an authentication unit, coupled to the processing unit, configured to manage access to the impersonation management system,
  - an impersonation unit, coupled to the processing unit, configured to manage connections to the remote machine to impersonate an elevated privilege account based on an impersonation policy specifying first privileges for executing at least the first command on the at least one remote machine on behalf of a user and second privileges for executing at least the second command on the at least one remote machine on behalf of the user, the second privileges being different than the first privileges, and
  - a storage device, coupled to the processing unit, for storing configuration settings of the authentication unit and the impersonation unit.
(Dependent claims: 20, 21)
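The exchange described across claims 1, 13 and 19, as an added Python simulation that is not part of the patent: the central server authenticates the user, retrieves a per-command impersonation policy, and sends it to the remote shell daemon under an HMAC that stands in for the trust relationship; the daemon verifies the policy, decides per command whether the privilege it needs is granted, and reports execution or denial for each. The users, machine name, commands, policy and shared secret are all constructed for the example, and "execution" is simulated rather than spawning a shell.

```python
import hmac, hashlib, json

# Constructed sample data (not from the patent). The shared secret models the
# pre-established trust between central server and remote shell daemon.
SHARED_SECRET = b"constructed-demo-secret"
USERS = {"alice": "pw-alice"}
# Impersonation policy per (user, machine): the account each command may run as.
# The two commands carry different privileges, as the claims require.
POLICIES = {("alice", "db01"): {"systemctl restart postgres": "root",
                                "cat /var/log/postgres.log": "postgres"}}
# Daemon-side knowledge of which commands need elevation and to which account.
ELEVATION_REQUIRED = {"systemctl restart postgres": "root",
                      "cat /var/log/postgres.log": "postgres",
                      "cat /etc/shadow": "root"}

def sign(payload: dict) -> dict:
    """Central server: bind the policy to the trust relationship with an HMAC."""
    body = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "mac": mac}

def daemon_handle(msg: dict, commands: list) -> dict:
    """Remote shell daemon: accept the policy only from the trusted server, then
    for each command decide whether elevation is needed and whether it is granted."""
    body = msg["body"].encode()
    expected = hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(msg["mac"], expected):
        return {"error": "untrusted policy"}
    policy = json.loads(body)["policy"]
    results = {}
    for cmd in commands:
        needed = ELEVATION_REQUIRED.get(cmd)   # elevated privilege required?
        granted = policy.get(cmd)              # privilege identified from policy
        if needed is None:
            results[cmd] = "executed as user"
        elif granted == needed:
            results[cmd] = f"executed as {granted}"   # impersonation point (simulated)
        else:
            results[cmd] = "denied"
    return results

def central_server(user: str, password: str, machine: str, commands: list) -> dict:
    """Central server: authenticate, retrieve policy, forward it, relay the response."""
    if USERS.get(user) != password:
        return {"error": "authentication failed"}
    policy = POLICIES.get((user, machine))
    if policy is None:
        return {"error": "no impersonation policy"}
    return daemon_handle(sign({"user": user, "machine": machine, "policy": policy}), commands)
```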