SunScreen SKIP User's Guide, Release 1.1

skiphost: Setting Up the ACL

skiphost provides the same functionality as the skiptool GUI, from the command line.

Use skiphost to list, add, and delete host, network, or nomadic (mobile) systems from the ACL, as well as to enable and disable SKIP. Without arguments, it lists the state of the SKIP interface and authorized or unauthorized hosts, networks, and nomadic systems for the default interface.

The ACL allows the user to configure which remote systems can obtain access to the local host and the type of access granted. Access control is usually based on the IP address of the remote host or on the remote system's key ID.

Remote systems can be specified as individual hosts, as networks, or as nomadic systems.

Hosts are specified by their host name or IP address.

Networks or subnetworks are specified by a network address plus a mask, like the mask used in subnetting.

Nomadic systems can be specified in SKIP and in SKIP Version 1. Because their address changes, they are specified by a key identifier rather than by an address (that is, any IP address presenting the key ID "x").

ACL entries are processed in the following order. First, a search is made for an ACL entry specifying the remote host, by its address or by a network containing it. If one exists, it is used.

If no entry containing the IP address is found, a search is made for a nomadic ACL entry whose key ID matches the sender's key ID in the SKIP protocol header. A nomadic entry is used only if the packet authenticates correctly under that key; an unauthenticated packet cannot gain access merely by claiming a key ID. When the match succeeds, the sender's current IP address is stored for future reference.

If no corresponding ACL entry can be found for a remote system, the default entry is used. The default may be configured to allow access or to deny access. This method is similar to the way IP routing chooses how to reach a destination (that is, host routes take precedence over network routes, and, in the absence of anything better, the default route is used).

When applying access control, the system treats the lists of authorized and excluded systems as one global list and always selects the best (most specific) match, so an entry for a single host overrides an entry for the network containing it, whichever of the two permits access.

A default entry can be specified to indicate all other hosts not specifically covered by other access-control entries.
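The lookup order above, worked through as an added example. This is not code from the SunScreen SKIP product or the skiphost command; it is a constructed Python model of the ACL resolution rules described in this section (host entry, then containing network with the most specific mask, then nomadic key ID if the packet authenticates, then the default entry). The entry names, the sample addresses and key IDs, and the assumption that a learned nomadic address is later consulted to pick the key for traffic sent back to it are all illustrative assumptions, not skiphost syntax or behaviour documented on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the SKIP ACL lookup order described in the text.
# Entry kinds, method names and sample data are illustrative only.


@dataclass
class Packet:
    src_ip: str
    key_id: Optional[str] = None   # key ID carried in the SKIP header, if any
    authenticated: bool = False    # did the SKIP layer verify it under that key?


class SkipAcl:
    def __init__(self, default_allow: bool = False):
        self.default_allow = default_allow
        self.hosts = {}        # ip_address -> allow
        self.networks = []     # (ip_network, allow), deny and allow in one list
        self.nomadic = {}      # key_id -> allow
        self.learned = {}      # ip_address -> key_id, filled by nomadic matches

    def add_host(self, ip: str, allow: bool = True) -> None:
        self.hosts[ipaddress.ip_address(ip)] = allow

    def add_network(self, net: str, allow: bool = True) -> None:
        self.networks.append((ipaddress.ip_network(net, strict=False), allow))

    def add_nomadic(self, key_id: str, allow: bool = True) -> None:
        self.nomadic[key_id] = allow

    def lookup(self, pkt: Packet):
        """Return (allowed, description of the entry that decided it)."""
        src = ipaddress.ip_address(pkt.src_ip)
        # 1. Host entry: an exact address wins over any network entry,
        #    whether the host is authorized or excluded.
        if src in self.hosts:
            return self.hosts[src], f"host {src}"
        # 2. Network entry: "best match" = the most specific mask that
        #    contains the address, as with host routes over network routes.
        containing = [(n, a) for n, a in self.networks if src in n]
        if containing:
            net, allow = max(containing, key=lambda m: m[0].prefixlen)
            return allow, f"network {net}"
        # 3. Nomadic entry: keyed by key ID, not address, and only honoured
        #    when the packet actually authenticated under that key.
        if pkt.key_id in self.nomadic and pkt.authenticated:
            self.learned[src] = pkt.key_id   # remember where this key lives now
            return self.nomadic[pkt.key_id], f"nomadic key {pkt.key_id}"
        # 4. Nothing better: the default entry.
        return self.default_allow, "default"

    def key_for(self, ip: str) -> Optional[str]:
        """Assumption: the stored nomadic address lets later traffic to that
        address be sent under the key ID it authenticated with."""
        return self.learned.get(ipaddress.ip_address(ip))


def build_example_acl() -> SkipAcl:
    """Constructed sample ACL: default deny, one NFS server allowed inside an
    otherwise excluded subnet, a nested deny inside an allowed network, and
    one nomadic laptop identified by key ID."""
    acl = SkipAcl(default_allow=False)
    acl.add_host("192.0.2.10", allow=True)          # NFS server, must stay reachable
    acl.add_network("192.0.2.0/24", allow=False)    # rest of that subnet excluded
    acl.add_network("10.0.0.0/8", allow=True)       # corporate network allowed
    acl.add_network("10.1.0.0/16", allow=False)     # except the lab segment
    acl.add_nomadic("laptop-key", allow=True)       # mobile user, any address
    return acl


def decide(acl: SkipAcl, pkt: Packet) -> str:
    allowed, why = acl.lookup(pkt)
    return f"{pkt.src_ip}: {'allow' if allowed else 'deny'} ({why})"


if __name__ == "__main__":
    acl = build_example_acl()
    for pkt in (
        Packet("192.0.2.10"),                                   # host beats network deny
        Packet("192.0.2.20"),                                   # caught by subnet deny
        Packet("10.1.2.3"),                                     # /16 deny beats /8 allow
        Packet("10.2.2.3"),                                     # /8 allow
        Packet("203.0.113.5", "laptop-key", authenticated=True),   # nomadic match
        Packet("203.0.113.6", "laptop-key", authenticated=False),  # claimed key, unverified
        Packet("203.0.113.7"),                                  # nothing matches
    ):
        print(decide(acl, pkt))
    print("key to use for 203.0.113.5:", acl.key_for("203.0.113.5"))
```

The two 203.0.113.x cases show the point that matters for security: the key ID in the header only counts once the SKIP layer has authenticated the packet under that key, so a forged header falls through to the default entry.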


Note -

Before you enable SKIP, any hosts needed for operation of the local system must be present in the ACL, so that traffic to them is still permitted once SKIP is enabled. Verify that any NFS file servers, NIS servers, and any local broadcast addresses for your network are on the ACL.


In order to set up SKIP, skiphost must be run multiple times: once for each host being added to the ACL, then one final time to enable SKIP.

See "Enabling SKIP" for information on enabling SKIP.

See the man pages for more detail.