How to Set Up a Diffie-Hellman
Key for an NIS+ Host
This procedure should be done on every host in the NIS+ domain. After root has run the keylogin command, the server has GSS-API acceptor credentials for mech_dh and the client has GSS-API initiator credentials.
For a detailed description of NIS+ security, see System Administration Guide: Naming and Directory Services (NIS+).
-
Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
-
Enable the publickey table in the name service.
Add the following line to the /etc/nsswitch.conf file:
publickey: nisplus
-
Initialize the NIS+ client.
# nisinit -cH hostname
where hostname is the name of a trusted NIS+ server that contains an entry in its tables for the client system.
-
Add the client to the cred table.
Type the following commands:
# nisaddcred local # nisaddcred des
-
Verify the setup by using the keylogin command.
If you are prompted for a password, the procedure has succeeded.
# keylogin Password:
Example 16–1 Setting Up a New Key for root on an NIS+ Client
The following example uses the host pluto to set up earth as an NIS+ client. You can ignore the warnings. The keylogin command is accepted, verifying that earth is correctly set up as a secure NIS+ client.
# nisinit -cH pluto NIS Server/Client setup utility. This system is in the example.com. directory. Setting up NIS+ client ... All done. # nisaddcred local # nisaddcred des DES principal name : unix.earth@example.com Adding new key for unix.earth@example.com (earth.example.com.) Network password:<Type password> Warning, password differs from login password. Retype password: <Retype password> # keylogin Password: <Type password> # |
- © 2010, Oracle Corporation and/or its affiliates