Solaris Advanced User's Guide

Authorization Protocols

Two authorization protocols are supported in this version of the Solaris operating environment: MIT-MAGIC-COOKIE-1 and SUN-DES-1. They differ in the authorization data used, but the access control mechanism is similar in both. The MIT-MAGIC-COOKIE-1 protocol, which uses the user-based mechanism, is the default in the Solaris operating environment.

MIT-MAGIC-COOKIE-1

The MIT-MAGIC-COOKIE-1 authorization protocol was developed by the Massachusetts Institute of Technology. At server startup, a magic cookie is created for the server and the user who started the system. On every connection attempt, the user's client sends the magic cookie to the server as part of the connection packet. This magic cookie is compared with the server's magic cookie. The connection is allowed if the magic cookies match, or denied if they do not match.

SUN-DES-1

The SUN-DES-1 authorization protocol, developed by Sun Microsystems, is based on Secure Remote Procedure Call (RPC) and requires Data Encryption Standard (DES) support. The authorization information is the machine-independent netname, or network name, of a user. This information is encrypted and sent to the server as part of the connection packet. The server decrypts the information and, if the netname is known, allows the connection.

This protocol provides a higher level of security than the MIT-MAGIC-COOKIE-1 protocol. No other user can use your machine-independent netname to access a server, whereas another user who obtains your magic cookie can use it to access a server.

This protocol is available only in libraries in the Solaris 1.1 and compatible environments. Any applications built with static libraries cannot use this authorization protocol.

Allowing Access When Using SUN-DES-1 describes how to allow another user access to your server by adding that person's netname to your server's access list.

Changing the Default Authorization Protocol

You can change the default authorization protocol, MIT-MAGIC-COOKIE-1, to SUN-DES-1, the other supported authorization protocol, or to no user-based access mechanism at all. You change the default authorization protocol by editing the Xsun line in the /usr/dt/config/Xservers file. For example, to change the default from MIT-MAGIC-COOKIE-1 to SUN-DES-1, add the -auth sun-des option to the Xsun command by editing the following line in the /usr/dt/config/Xservers file.

:0  Local local_uid@console root /usr/openwin/bin/Xsun :0 -nobanner -auth sun-des

If you must run the Solaris operating environment without the user-based access mechanism, add the -noauth option to the Xsun command by editing the following line in the /usr/dt/config/Xservers file.

:0  Local local_uid@console root /usr/openwin/bin/Xsun :0 -nobanner -noauth

Caution –

By using the -noauth option, you weaken security. It is equivalent to running Solaris software with the host-based access control mechanism only. The server inactivates the user-based access control mechanism. Anyone who can run applications on your local machine is allowed access to your server.
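As an added example, not from the Solaris guide, the following audit script reports which user-based access control mode each Xsun entry in an Xservers file is configured with and flags any server started with -noauth. The function names are my own, and the sample Xservers file is constructed inline from the lines shown above.

```shell
#!/bin/sh
# Report the user-based access control mode configured on each Xsun line
# of an Xservers file. One output line per server entry, "<display> <mode>":
#   noauth            -noauth given: user-based access control disabled
#   sun-des           -auth sun-des given: SUN-DES-1
#   mit-magic-cookie  neither option given: the MIT-MAGIC-COOKIE-1 default
xservers_auth_mode() {
    # Only lines that launch an Xsun server count; commented-out lines are skipped.
    grep -v '^[[:space:]]*#' "$1" | grep Xsun | while read -r line; do
        display=${line%% *}
        case " $line " in
            *" -noauth "*)       mode=noauth ;;
            *" -auth sun-des "*) mode=sun-des ;;
            *" -auth "*)         mode=${line##*-auth }; mode=${mode%% *} ;;
            *)                   mode=mit-magic-cookie ;;
        esac
        printf '%s %s\n' "$display" "$mode"
    done
}

# Exit status 0 when at least one server entry is started with -noauth.
xservers_has_noauth() {
    xservers_auth_mode "$1" | grep -q ' noauth$'
}

# Constructed sample Xservers file (not a real system file): the default
# line, the SUN-DES-1 line, the -noauth line, and a commented-out entry.
XSERVERS_SAMPLE=${TMPDIR:-/tmp}/xservers.sample.$$
cat > "$XSERVERS_SAMPLE" <<'EOF'
# Display  Type  Owner             Command
:0  Local local_uid@console root /usr/openwin/bin/Xsun :0 -nobanner
:1  Local local_uid@console root /usr/openwin/bin/Xsun :1 -nobanner -auth sun-des
:2  Local local_uid@console root /usr/openwin/bin/Xsun :2 -nobanner -noauth
# :3  Local local_uid@console root /usr/openwin/bin/Xsun :3 -nobanner -noauth
EOF

xservers_auth_mode "$XSERVERS_SAMPLE"
if xservers_has_noauth "$XSERVERS_SAMPLE"; then
    echo "WARNING: a server runs with -noauth (host-based access control only)"
fi
```

Run it against /usr/dt/config/Xservers to check a live configuration; the exit status of xservers_has_noauth makes it usable from a scheduled audit job.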