When you invoke the Remote Agent through SSH, the Remote Agent uses the jexec wrapper to invoke the Java Virtual Machine. This wrapper is a native executable that is owned by root and that has the setuid bit set. This file has the same group ID as the user that you used to install the Remote Agent and it gives execute permission to the group. Additionally, the file is stored in a directory that is called protect that is owned by the user you used to install the Remote Agent. The file gives execute permission only to the user that owns the Remote Agent. This prevents any other user from being able to execute the jexec wrapper.
You must ensure that the file permissions on jexec and protect are not accidentally changed at any point.
To further tighten security for jexec, make any or all of the following changes:
The JVM executables, usually shell scripts, must be owned by root or the user that owns the application and must not give write permissions to any other users or groups. If you install the JRE with the N1 Grid Service Provisioning System 5.0, ensure that all the files in N1SPS5.0-home/common/jre are owned by the user that owns the application and do not give write access to any other users or groups.
The user ID of the user that owns the application must only be allowed to log in using SSH. When logging in using SSH, only public-key authentication should be allowed. The /N1SPS5.0-home/.ssh directory should not give any permissions to any other users or groups.
The SSH server can be configured to allow only public key authentication by ensuring that the etc/sshd_config file contains the following line to disable password authentication.
PasswordAuthentication no
Ensure that the etc/sshd_config file does not have lines that contain RhostsRSAAuthentication, because this is not allowed by default. Also, ensure that RSAAuthentication, if present, is set to yes, the default.
You can further tighten security on the Remote Agent by editing the /N1SPS5.0-home/.ssh/authorized_keys2 file and prefixing the following text to the line that contains the public key of the Master Server.
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
The sshd(1M) man page offers additional details.
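The following script is an added example, not part of the product or its documentation, that audits the SSH settings described above: the sshd_config keywords, the permissions on the .ssh directory, and the option prefix on each key in authorized_keys2. The function names and the three-argument usage are assumptions made for illustration, and the caller supplies the actual file paths.

```shell
#!/bin/sh
# Added example: audit the SSH settings described above. File paths are
# supplied by the caller; sample inputs for testing must be constructed.

# sshd uses the first value it reads for a keyword, so only the first
# PasswordAuthentication line counts. Match blocks are not interpreted.
check_sshd_config() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { key = tolower($1); val = tolower($2) }
        key == "passwordauthentication" && !seen { seen = 1; pw = val }
        key == "rhostsrsaauthentication" {
            print "FAIL: RhostsRSAAuthentication line present"; bad = 1 }
        key == "rsaauthentication" && val != "yes" {
            print "FAIL: RSAAuthentication is not yes"; bad = 1 }
        END {
            if (pw != "no") { print "FAIL: PasswordAuthentication is not no"; bad = 1 }
            exit bad + 0
        }' "$1"
}

# The directory must grant nothing to group or other (mode characters 5-10).
check_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ] && return 0
    echo "FAIL: $1 grants group/other permissions ($mode)"; return 1
}

# Every key line must carry all four restrictions in its leading options
# field. Assumption: the options field contains no quoted spaces.
check_authorized_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            opts = "," tolower($1) ","
            n = split("no-port-forwarding no-x11-forwarding no-agent-forwarding no-pty", want, " ")
            for (i = 1; i <= n; i++)
                if (index(opts, "," want[i] ",") == 0) {
                    print "FAIL: key on line " NR " lacks " want[i]; bad = 1 }
        }
        END { exit bad + 0 }' "$1"
}

# Usage: sh audit.sh SSHD_CONFIG SSH_DIR AUTHORIZED_KEYS
if [ $# -eq 3 ]; then
    rc=0
    check_sshd_config "$1" || rc=1
    check_private "$2" || rc=1
    check_authorized_keys "$3" || rc=1
    exit "$rc"
fi
```

Each check prints one FAIL line per finding and returns nonzero, so the script can run from a scheduled job to catch accidental changes.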