NIS+ Transition Guide

Selecting Credentials

NIS+ provides two types of credential: LOCAL and DES.

Note -

In this manual, the term, DES credentials, applies to the extended 640-bit Diffie-Hellman keys as well as to the original 192-bit Diffie-Hellman (default) key length. In the cred table, the extended keys use designations such as DH640-0, rather than the DES keyword. See nisauthconf(1M) for information about using longer keys.

All NIS+ principals need at least one of these credentials. When the namespace is running at security level 2 (the default), all NIS+ principals (clients) must have DES credentials in their home domains. In addition, all users (not workstations) must have LOCAL credentials in their home domains and in every other domain for which they need login access.

To determine the credential needs of your namespace, consider the:

NIS+ principals can be users or the superuser identity on the client workstation. See Figure 3-1.

Figure 3-1 NIS+ Principals


When you determine the credentials you need to create, make sure you know which type of principal needs the credential. For instance, when you set up an NIS+ client with the nisclient script, you create credentials for both the workstation and for the user. Unless credentials for the user are also created, the user only has the access rights granted to the nobody class. This can work very well. But if you don't give any access rights to the nobody class, the namespace won't be available to users.