Secure shell protocol access control
Abstract
An enhanced Secure Shell (SSH) protocol having fine-grained access security policy management and enforcement. Via an authorization application programming interface (aznAPI), remote user protocol connections and sessions may be added to the protected object space of a policy management system so that a system administrator may set permissions to access or use a particular secured system resource for each user, and by groups of users. Thus, when a user accesses the system by Secure Shell, rather than having full, unlimited use and access to system resources once authenticated, the user is granted permission to access only the system resources allowed in the security policy or policies.
58 Citations
22 Claims
1. A method of providing fine-grained access for remote clients to secured resources of a computer system, said computer system having a user registry and an access control policy repository, said method comprising the steps of:
- suspending the establishment of a logical channel during Secure Shell session creation;
- mapping a user's identity to an identity compatible with an Authorization Service and Access Control Policy Repository;
- submitting said mapped identity to said Authentication Service;
- receiving at least one credential from said Authentication Service, said credential binding said mapped identity to a set of fine-grained privileges;
- caching and associating said credentials with said session key; and
- performing a security policy approval responsive to a Secure Shell logical channel allocation request, said approval considering permissions set in said access control policy repository in comparison to said cached session key, ID and associated credentials.
Dependent claims: 2, 3, 4, 5, 6.

7. A computer readable medium encoded with software for providing fine-grained access for remote clients to secured resources of a computer system, said computer system having a user registry and an access control policy repository, said software when executed causing the computer system to perform the steps of:
- suspending the establishment of a logical channel during a Secure Shell session creation;
- mapping a user's identity to an identity compatible with an Authorization Service and Access Control Policy Repository;
- submitting said mapped identity to said Authentication Service;
- receiving at least one credential from said Authentication Service, said credential binding said mapped identity to a set of fine-grained privileges;
- caching and associating said credentials with said session key; and
- performing a security policy approval responsive to a Secure Shell logical channel allocation request, said approval considering permissions set in said access control policy repository in comparison to said cached session key, ID and associated credentials.
Dependent claims: 8, 9, 10, 11, 12.

13. A system for providing fine-grained access for remote clients to secured resources of a computer, said computer having a user registry and an access control policy repository, said system comprising:
- a logical channel control configured to suspend the establishment of a logical channel during Secure Shell session creation;
- an ID mapper adapted to map a user's identity to an identity compatible with an Authorization Service and Access Control Policy Repository;
- a session key and a mapped user ID in a cache;
- at least one credential bound to said mapped user ID and to said session key, said credentials including a set of fine-grained resource permissions; and
- a security policy approval service which, responsive to a Secure Shell logical channel allocation request, is adapted to consider said permissions set prior to allowing allocation of said logical channel.
Dependent claims: 14, 15, 16, 17, 18.

19. A protocol stack communications system for a computer system, said computer system having a user registry and an access control policy repository, said communications system comprising:
- a logical channel control configured to prohibit establishment of a logical channel during Secure Shell session creation;
- an ID mapper adapted to map a user's identity to an identity compatible with an Authorization Service and Access Control Policy Repository;
- a session key and a mapped user ID stored in a computer cache;
- a credential associated with said cached session key and said mapped user ID, said credentials including a set of fine-grained resource permissions; and
- a security policy approval service which, responsive to a Secure Shell logical channel allocation request, is adapted to consider said permissions set prior to allowing or disallowing allocation of said logical channel.
Dependent claims: 20, 21, 22.
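The session-creation and channel-approval sequence the claims describe, as an added Python sketch that is not code from the patent or from any SSH implementation; the login-name mapper, the in-memory authorization directory, the protected-object names under /ssh/channel and the privilege strings are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for the user registry / ID mapper, the authorization
# service, and the access control policy repository named in the claims.
USER_MAP = {"alice": "cn=alice,ou=ops", "bob": "cn=bob,ou=audit"}
AUTHZ = {"cn=alice,ou=ops": {"shell", "forward"}, "cn=bob,ou=audit": {"shell"}}
POLICY = {  # protected object -> permission a credential must carry
    "/ssh/channel/session": "shell",
    "/ssh/channel/direct-tcpip/db.internal:5432": "forward",
}

@dataclass
class Session:
    session_key: bytes
    ssh_user: str
    mapped_id: Optional[str] = None
    credentials: frozenset = frozenset()
    pending: list = field(default_factory=list)  # channel requests held during creation
    ready: bool = False

class ChannelGate:
    def __init__(self):
        self.cache = {}  # session key -> Session (the claimed cache)

    def begin_session(self, ssh_user, session_key):
        # Session exists, but logical channel establishment is suspended.
        self.cache[session_key] = Session(session_key, ssh_user)

    def authorize_session(self, session_key):
        # Map the SSH identity, obtain credentials, cache them with the key,
        # then re-evaluate channel requests that arrived while suspended.
        sess = self.cache[session_key]
        sess.mapped_id = USER_MAP.get(sess.ssh_user)
        sess.credentials = frozenset(AUTHZ.get(sess.mapped_id, ()))
        sess.ready = True
        held, sess.pending = sess.pending, []
        return [(req, self.request_channel(session_key, *req)) for req in held]

    def request_channel(self, session_key, channel_type, target=None):
        # Policy approval for a logical channel allocation request: default deny.
        sess = self.cache.get(session_key)
        if sess is None:
            return "deny"
        if not sess.ready:
            sess.pending.append((channel_type, target))
            return "deferred"
        obj = f"/ssh/channel/{channel_type}" + (f"/{target}" if target else "")
        needed = POLICY.get(obj)
        return "allow" if needed is not None and needed in sess.credentials else "deny"
```

A request for an object the policy repository does not list is denied even for a fully credentialed session, which is the default-deny posture the abstract describes.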
Specification