Secure shell protocol access control

US 6,851,113 B2
Filed: 06/29/2001
Issued: 02/01/2005
Est. Priority Date: 06/29/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method of providing fine-grained access for remote clients to secured resources of a computer system, said computer system having an user registry and an access control policy repository, said method comprising the steps of:

suspending the establishment of a logical channel during Secure Shell session creation;

mapping a user'"'"'s identity to an identity compatible with an Authorization Service and Access Control Policy Repository;

submitting said mapped identity to said Authentication Service;

receiving at least one credential from said Authentication Service, said credential binding said mapped identity to a set of fine-grained privileges;

catching and associating said credentials with said session key; and

performing a security policy approval responsive to a Secured Shell logical channel allocation request, said approval considering permissions set in said access control policy repository in comparison to said cached session key, ID and associated credentials.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An enhanced Secure Shell (SSH) protocol having fine-grained access security policy management and enforcement. Via an authorization application programming interface (aznAPI), remote user protocol connections and sessions may be added to the protected object space of a policy management system so that a system administrator may set permissions to access or use a particular secured system resource for each user, and by groups of users. Thus, when a user accesses the system by Secure Shell, rather than having full, unlimited use and access to system resources once authenticated, the user is granted permission to access only the system resources allowed in the security policy or policies.

58 Citations

View as Search Results

22 Claims

1. A method of providing fine-grained access for remote clients to secured resources of a computer system, said computer system having an user registry and an access control policy repository, said method comprising the steps of:
- suspending the establishment of a logical channel during Secure Shell session creation;
  
  mapping a user'"'"'s identity to an identity compatible with an Authorization Service and Access Control Policy Repository;
  
  submitting said mapped identity to said Authentication Service;
  
  receiving at least one credential from said Authentication Service, said credential binding said mapped identity to a set of fine-grained privileges;
  
  catching and associating said credentials with said session key; and
  
  performing a security policy approval responsive to a Secured Shell logical channel allocation request, said approval considering permissions set in said access control policy repository in comparison to said cached session key, ID and associated credentials.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as set forth in claim 1 wherein said step of caching a said credential is performed by a user authentication service of a Secured Shell communications protocol stack.
  - 3. The method as set forth in claim 1 wherein said step of associating said credentials with said cached session key and ID is performed from a user authentication layer of a Secure Shell communications protocol stack.
  - 4. The method as set forth in claim 1 wherein said step of performing a security policy approval is performed from a connection layer of a Secured Shell protocol stack.
  - 5. The method as set forth in claim 1 wherein said step of generating a set of user credentials binding user ID to a set of privileges is preformed via an Authorization Application Programming Interface.
  - 6. The method as set forth in claim 1 wherein said step of performing a security policy approval is performed via an Authorization Application Programming Interface.

7. A computer readable medium encoded with software for providing fine-grained access for remote clients to secured resources of a computer system, said computer system having a user registry and an access control policy repository, said software when executed causing the computer system to preform the steps of:
- suspending the establishment of a logical channel during a Secure Shell session creation;
  
  mapping a user'"'"'s identity to an identity compatible with an Authorization Service and Access Control Policy Repository;
  
  submitting said mapped identity to said Authentication Service;
  
  receiving at least one credential from said Authentication Service, said credential binding said mapped identity to a set of fine-grained privileges;
  
  caching and associating said credentials with said session key; and
  
  performing a security policy approval responsive to a Secure Shell logical channel allocation request, said approval considering permissions set in said access control policy repository in comparison to said cached session key, ID and associated credentials.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer readable medium as set forth in claim 7 wherein said software for caching a session key and ID is executable from a transport layer of a Secured Shell communications protocol stack.
  - 9. The computer readable medium as set forth in claim 7 wherein said software for associating said credentials with said cached session key and ID is executable from a user authentication layer of a Secure Shell communications protocol stack.
  - 10. The computer readable medium as set forth in claim 7 wherein said software for performing a security policy approval is executable from a connection layer of a Secure Shell communications protocol stack.
  - 11. The computer readable medium as set forth in claim 7 wherein said software for generating a set of user credentials which bind a user ID to a set of privileges is executable via an Authorization Application Programming Interface.
  - 12. The computer readable medium as set forth in claim 7 wherein said software for performing a security policy approval is executable via an Authorization Application Programming Interface.

13. A system for providing fine-grained access for remote clients to secured resources of a computer, said computer having a user registry an access control policy repository, said system comprising:
- a logical channel control configured to suspend the establishment of a logical during Secure Shell session creation;
  
  an ID mapper adapted to map a user'"'"'s identity to an identity compatible with an Authorization Service and Access Control Policy Repository;
  
  a session key and a mapped user ID in a cache;
  
  at least one credential bound to said mapped user ID and to said session key, said credentials including a set of fine-grained resource permissions set; and
  
  a security policy approval service which, responsive to a Secure Shell logical channel allocation request adapted to consider said permissions set prior to allowing allocation of said logical channel.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system as set forth in claim 13 wherein said session key and ID are modifiable from transport layer of a Secure Shell communications protocol stack.
  - 15. The system as set forth in claim 13 wherein said credential association with a session key and mapped ID is adapted to be created by a user authentication layer of a Secure Shell communications protocol stack.
  - 16. The system as set forth in claim 13 wherein said security policy approval service is accessible from a connection layer of a Secured Shell communications protocol stack.
  - 17. The system as set forth in claim 13 wherein said credentials comprise a credentials created via an Authorization Application Programming Interface.
  - 18. The system as set forth in claim 13 wherein said security policy approval service is accessible via an Authorization Application Programming Interface.

19. A protocol stack communications system for a computer system, said computer system having a user registry and an access control policy repository, said communications system comprising:
- a logical channel control configured to prohibit establishment of a logical channel during Secure Shell session creation;
  
  an ID mapper adapted to map a user'"'"'s identity to an identity compatible with an Authorization Service and Access Control Policy Repository;
  
  a session key and a mapped user ID stored in a computer cache;
  
  a credential associated with said cached session key and said mapped user ID said credentials including a set of fine-grained resource permissions set; and
  
  a security policy approval service which, responsive to a Secure Shell logical channel allocation adapted to consider said permissions set prior to allowing or disallowing allocation of said logical channel a security policy approval service adapted to consider said permissions set prior to allowing or disallowing allocation of said logical channel.
- View Dependent Claims (20, 21, 22)
- - 20. The communications system as set forth in claim 19 further comprising a transport layer service which is adapted to create and deposit said session key and ID into computer cache.
  - 21. The communications system as set forth in claim 19 further comprising a user authentication layer service which is adapted to obtain a credential from an authentication service, and to associate said credential with said cached session key and mapped user ID.
  - 22. The communications system as set forth in claim 19 further comprising a connection layer service adapted to obtain an policy approval decision from an authorization service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hemsath, David Kurt
Primary Examiner(s)
An, Meng-Al T.
Assistant Examiner(s)
Wu, Qing-Yuan

Application Number

US09/895,120
Publication Number

US 20030005178A1
Time in Patent Office

1,313 Days
Field of Search

718/104, 713/182, 713/200, 713/201, 709/302, 380/49
US Class Current

718/104
CPC Class Codes

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/168   above the transport layer

Secure shell protocol access control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

58 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Secure shell protocol access control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links