System Administration Guide: Security Services

ProcedureHow to Set Up a Diffie-Hellman Key for an NIS+ Host

This procedure should be done on every host in the NIS+ domain. After root has run the keylogin command, the server has GSS-API acceptor credentials for mech_dh and the client has GSS-API initiator credentials.

For a detailed description of NIS+ security, see System Administration Guide: Naming and Directory Services (NIS+).

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Enable the publickey table in the name service.

    Add the following line to the /etc/nsswitch.conf file:

    publickey: nisplus
  3. Initialize the NIS+ client.

    # nisinit -cH hostname

    where hostname is the name of a trusted NIS+ server that contains an entry in its tables for the client system.

  4. Add the client to the cred table.

    Type the following commands:

    # nisaddcred local
    # nisaddcred des
  5. Verify the setup by using the keylogin command.

    If you are prompted for a password, the procedure has succeeded.

    # keylogin

Example 16–1 Setting Up a New Key for root on an NIS+ Client

The following example uses the host pluto to set up earth as an NIS+ client. You can ignore the warnings. The keylogin command is accepted, verifying that earth is correctly set up as a secure NIS+ client.

# nisinit -cH pluto
NIS Server/Client setup utility.
This system is in the directory.
Setting up NIS+ client ...
All done.
# nisaddcred local
# nisaddcred des 
DES principal name :
Adding new key for (
Network password:<Type password>
Warning, password differs from login password.
Retype password: <Retype password>
# keylogin
Password:        <Type password>