System Administration Guide: Naming and Directory Services (NIS+)
Configuring NIS+ Servers to Accept Only New Security Mechanism Credentials
When converting from a lower-grade security mechanism to a higher-grade one, the maximum security benefit is achieved by configuring the NIS+ servers to accept only credentials of the new, higher-grade security mechanism type. Do this only after the servers have been successfully configured to authenticate by using both the old and the new mechanism.
Before configuring any system to authenticate by using the new mechanism exclusively, the cached directory objects must be refreshed to include the keys for the new mechanism and verified with nisshowcache.
Run nisauthconf(1m) on each NIS+ server and reboot. In this example, the NIS+ server will be configured to only accept authentication of dh640-0 credentials.
server# nisauthconf dh640-0
server# /etc/reboot
Optionally, the directory objects can now be updated to remove the old public keys. This should be done from the master server, and nisupdkeys(1m) should be run once for each directory served by the servers authenticating only with the new security mechanism. In this example, the directories to be updated are doc.com., org_dir.doc.com., and groups_dir.doc.com.
masterserver# nisupdkeys doc.com.
(screen notices not shown)
masterserver# nisupdkeys org_dir.doc.com.
(screen notices not shown)
masterserver# nisupdkeys groups_dir.doc.com.