Centrally managed impersonation

US 8,677,446 B2
Filed: 09/30/2010
Issued: 03/18/2014
Est. Priority Date: 03/26/2010
Status: Active Grant

First Claim

Patent Images

1. A method for managing impersonation by an impersonation management system having a central server and at least one remote shell daemon running on at least one remote machine, wherein the central server and the at least one remote shell daemon have a trust relationship, the method comprising:

receiving, at the central server, a request action from a user requesting connection to the at least one remote machine, the request action including at least a first command and at least a second command;

authenticating, at the central server, the user;

retrieving, at the central server, an impersonation policy for the user to act on the at least one remote machine, the impersonation policy specifying first privileges for executing at least the first command on the at least one remote machine on behalf of the user and second privileges for executing at least the second command on the at least one remote machine on behalf of the user, the second privileges being different than the first privileges;

connecting to the at least one remote machine including relying on the trust relationship between the central server and the at least one remote shell daemon running on the at least one remote machine;

sending the impersonation policy for the user, including the first privileges and the second privileges, to the at least one remote shell daemon; and

returning a response to the user, the response indicating execution, or lack thereof, by the at least one remote shell daemon of at least the first command and at least the second command, based on the first privileges and the second privileges, respectively.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods and computer readable media for centrally managed impersonation are described. Examples include a system having a central server and a remote shell daemon running on a remote machine, wherein a trust relationship is established between the central server and the remote shell daemon. Examples also include a method wherein a user sends the management system a request to act upon a remote machine. The management system determines whether the user is authenticated for the requested action. Upon authentication, the management system identifies an impersonation policy based on user profile and the remote machine. The management system connects to the remote machine, impersonates an elevated privilege account if required, and executes the user action on the remote machine.

8 Citations

View as Search Results

21 Claims

1. A method for managing impersonation by an impersonation management system having a central server and at least one remote shell daemon running on at least one remote machine, wherein the central server and the at least one remote shell daemon have a trust relationship, the method comprising:
- receiving, at the central server, a request action from a user requesting connection to the at least one remote machine, the request action including at least a first command and at least a second command;
  
  authenticating, at the central server, the user;
  
  retrieving, at the central server, an impersonation policy for the user to act on the at least one remote machine, the impersonation policy specifying first privileges for executing at least the first command on the at least one remote machine on behalf of the user and second privileges for executing at least the second command on the at least one remote machine on behalf of the user, the second privileges being different than the first privileges;
  
  connecting to the at least one remote machine including relying on the trust relationship between the central server and the at least one remote shell daemon running on the at least one remote machine;
  
  sending the impersonation policy for the user, including the first privileges and the second privileges, to the at least one remote shell daemon; and
  
  returning a response to the user, the response indicating execution, or lack thereof, by the at least one remote shell daemon of at least the first command and at least the second command, based on the first privileges and the second privileges, respectively.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 16, 17, 18)
- - 2. The method of claim 1, wherein the act of retrieving an impersonation policy comprises retrieving a policy that defines one or more records, wherein each of the one or more records corresponds to at least one of the first and second commands and an elevated privilege account on the at least one remote machine.
  - 3. The method of claim 1, wherein the act of retrieving an impersonation policy comprises retrieving a policy that defines one or more records, wherein at least one of the one or more records corresponds to at least one of the first and second commands and an account with reduced privileges on the at least one remote machine.
  - 4. The method of claim 1 further comprising logging an impersonation event on the central server, if at least one of the first and second commands uses an elevated privilege to execute on the at least one remote machine.
  - 5. The method of claim 1, wherein the act of connecting to the at least one remote machine comprises:
    - creating a connection between the central server and the at least one remote shell daemon running on the at least one remote machine; and
      
      spawning a remote shell daemon instance where the user is connected through a default account.
  - 6. The method of claim 1, wherein the act of authenticating the user includes authenticating user access to the at least one remote machine and determining, via an access control system, whether the user has access to the at least one remote machine.
  - 7. The method of claim 6, wherein the act of determining whether the user has access to the at least one remote machine comprises using an application username and password.
  - 8. The method of claim 6, wherein the act of authenticating the user includes authenticating user access to the at least one remote machine using the access control system including using a role based access control system.
  - 9. The method of claim 1, wherein the first and second privileges for the first and second commands, respectively, include command-specific privileges for the user.
  - 10. The method of claim 1, wherein:
    - the first privileges for executing the first command specified in the impersonation policy include an elevated privilege for allowing execution of the first command by the at least one remote shell daemon running on the at least one remote machine, andthe second privileges for executing the second command specified in the impersonation policy include a reduced privilege for disallowing execution of the second command by the at least one remote shell daemon running on the at least one remote machine.
  - 11. The method of claim 1, wherein the impersonation policy includes default privileges for connecting to the at least one remote machine and elevated privileges for inheriting one or more commands on the at least one remote machine including at least one of the first and second commands.
  - 12. The method of claim 1, further comprising:
    - receiving a response from the at least one remote machine for each of the first and second commands executed with an elevated privilege.
  - 16. A computer system for managing one or more computer resources, comprising:
    - a processor;
      
      an operator display coupled to the processor;
      
      a storage subsystem coupled to the processor; and
      
      a software module stored in the storage subsystem, the software module comprising instructions that when executed by the processor cause the processor to perform the method of claim 1.
  - 17. A programmable storage device having programmed instructions stored thereon for causing a programmable control device to perform a method according to claim 1.
  - 18. A networked computer system comprising a plurality of computers communicatively coupled, at least one of the plurality of computers programmed to perform at least a portion of the method of claim 1 wherein the entire method of claim 1 is performed collectively by the plurality of computers.

13. A method for managing impersonation by an impersonation management system having a central server and at least one remote shell daemon running on at least one remote machine, wherein the central server and the at least one remote shell daemon have a trust relationship, the method comprising,accepting, at the at least one remote machine, a connection request for action from the central server on behalf of a user;
- receiving, at the at least one remote machine, an impersonation policy specifying first privileges for executing at least a first command on the at least one remote machine on behalf of the user and second privileges for executing at least a second command on the at least one remote machine on behalf of the user, the second privileges being different than the first privileges;
  
  receiving, at the at least one remote machine, a user action including at least one of the first command and the second command;
  
  determining whether the user action requires an elevated privilege to execute at least one of the first command and the second command;
  
  identifying the elevated privilege based on the impersonation policy if determined;
  
  impersonating an account with the elevated privilege if identified;
  
  executing the user action including at least one of the first command and the second command with the elevated privilege if identified; and
  
  sending a response to the central server.
- View Dependent Claims (14, 15)
- - 14. The method of claim 13 further comprising removing impersonation data from the at least one remote machine.
  - 15. The method of claim 13 further comprising parsing the impersonation policy.

19. A networked impersonation management system, comprising:
- a remote machine having a remote shell daemon running on the remote machine; and
  
  a central server having;
  
  a processing unit configured to accept a request to act on the remote machine, the request including at least a first command and at least a second command,an authentication unit, coupled to the processing unit, configured to manage access to the impersonation management system,an impersonation unit, coupled to the processing unit, configured to manage connections to the remote machine to impersonate an elevated privilege account based on an impersonation policy specifying first privileges for executing at least the first command on the at least one remote machine on behalf of a user and second privileges for executing at least the second command on the at least one remote machine on behalf of the user, the second privileges being different than the first privileges, anda storage device, coupled to the processing unit, for storing configuration settings of the authentication unit and the impersonation unit.
- View Dependent Claims (20, 21)
- - 20. The system of claim 19, wherein the authentication unit comprises a role based access control system.
  - 21. The system of claim 19, wherein the remote shell daemon comprises:
    - a receiving unit configured to receive an impersonation policy and one or more user actions from the central server; and
      
      an impersonation control system configured to impersonate as an elevated privilege account.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BMC Software Incorporated (KKR & Co., Inc.)
Original Assignee
BMC Software Incorporated (KKR & Co., Inc.)
Inventors
De Peuter, Geert, Solin, David
Primary Examiner(s)
Abrishamkar, Kaveh
Assistant Examiner(s)
TRAN, TRI MINH

Application Number

US12/895,490
Publication Number

US 20110239275A1
Time in Patent Office

1,265 Days
Field of Search

726/1, 726/4
US Class Current

726/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Centrally managed impersonation

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

8 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Centrally managed impersonation

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links