Oracle Solaris 11.1 Administration: Security Services (Oracle Solaris 11.1 Information Library)

Administering Authentication With Secure RPC (Tasks)

By requiring Diffie-Hellman (AUTH_DH) authentication for access to mounted NFS file systems, you increase the security of your network: a client can no longer be granted access simply by asserting a UID, as it can with the default AUTH_SYS credential.

Administering Secure RPC (Task Map)

The following task map points to the procedures that configure Secure RPC for NIS and NFS.

  1. Start the keyserver. Ensures that keys can be created so that users can be authenticated. For instructions, see How to Restart the Secure RPC Keyserver.
  2. Set up credentials on an NIS host. Ensures that the root user on a host can be authenticated in an NIS environment. For instructions, see How to Set Up a Diffie-Hellman Key for an NIS Host.
  3. Give an NIS user a key. Enables a user to be authenticated in an NIS environment. For instructions, see How to Set Up a Diffie-Hellman Key for an NIS User.
  4. Share NFS files with authentication. Enables an NFS server to protect shared file systems by requiring authentication. For instructions, see How to Share NFS Files With Diffie-Hellman Authentication.

How to Restart the Secure RPC Keyserver

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights.

  1. Verify that the keyserv daemon is running.
    # svcs \*keyserv\*
    STATE    STIME   FMRI
    disabled Dec_14  svc:/network/rpc/keyserv
  2. Enable the keyserver service if its state is not online.
    # svcadm enable network/rpc/keyserv

How to Set Up a Diffie-Hellman Key for an NIS Host

This procedure should be done on every host in the NIS domain.

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights.

  1. If the default naming service is not NIS, direct publickey lookups to NIS.
    1. Verify the value of config/default for the naming service.
      # svccfg -s name-service/switch listprop config
      config                       application
      config/value_authorization   astring       solaris.smf.value.name-service.switch
      config/default               astring       files
      config/host                  astring       "files nis dns"
      config/printer               astring       "user files nis"

      If the value of config/default is nis, the publickey database is already looked up in NIS; skip to Step 2.

    2. Set the naming service for publickey to nis, then refresh the switch instance so that the change takes effect.
      # svccfg -s name-service/switch setprop config/publickey = astring: "nis"
      # svccfg -s name-service/switch:default refresh
    3. Confirm the publickey value.
      # svccfg -s name-service/switch listprop config
      config                       application
      config/value_authorization   astring       solaris.smf.value.name-service.switch
      config/default               astring       files
      config/host                  astring       "files nis dns"
      config/printer               astring       "user files nis"
      config/publickey             astring       nis

      On this system, the value of publickey is listed because it differs from the default, files.

  2. Create a new key pair for the host by using the newkey command.
    # newkey -h hostname

    where hostname is the name of the NIS client. The command prompts for a Secure RPC password, encrypts the new private key with it, and stores the pair in the publickey map under the host's netname, unix.hostname@domain.

Example 18-1 Setting Up a New Key for root on an NIS Client

In the following example, earth is set up as a secure NIS client. The administrator is assigned the Name Service Security rights profile.

# newkey -h earth
Adding new key for unix.earth@example.com
New Password:   <Type password>
Retype password:<Retype password>
Please wait for the database to get updated...
Your new key has been successfully stored away.
#
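The two procedures above (restarting the keyserver and pointing publickey lookups at NIS before running newkey) are easy to get half-done on a large NIS domain. The following script is an added example, not part of the Oracle documentation: it parses the svcs and svccfg listprop output shown above and prints only the commands the host still needs. The command output it consumes is constructed sample text embedded in the script so that it runs offline; the host name earth and the sample_svcs/sample_listprop functions are assumptions standing in for the live commands.

```shell
#!/bin/sh
# Added example (not Oracle's own code): decide what a host still needs
# before 'newkey -h' can succeed, by parsing the same command output the
# procedures above show. Sample output is constructed; on a real host
# replace sample_svcs/sample_listprop with the live commands.

# Constructed sample of 'svcs \*keyserv\*' output.
sample_svcs() {
    printf '%s\n' \
        'STATE    STIME   FMRI' \
        'disabled Dec_14  svc:/network/rpc/keyserv'
}

# Constructed sample of 'svccfg -s name-service/switch listprop config'.
sample_listprop() {
    printf '%s\n' \
        'config                       application' \
        'config/value_authorization   astring       solaris.smf.value.name-service.switch' \
        'config/default               astring       files' \
        'config/host                  astring       "files nis dns"' \
        'config/printer               astring       "user files nis"'
}

# keyserv_state SVCS-OUTPUT: print the STATE column of the keyserv line.
keyserv_state() {
    printf '%s\n' "$1" | awk '$3 ~ /rpc\/keyserv$/ { print $1 }'
}

# switch_prop LISTPROP-OUTPUT NAME: print the value of config/NAME with
# surrounding quotes removed, or nothing if the property is not listed.
switch_prop() {
    printf '%s\n' "$1" | awk -v p="config/$2" \
        '$1 == p { $1 = ""; $2 = ""; sub(/^ +/, ""); gsub(/"/, ""); print }'
}

# publickey_source LISTPROP-OUTPUT: the source actually used for the
# publickey database: config/publickey if set, otherwise config/default.
publickey_source() {
    src=$(switch_prop "$1" publickey)
    [ -n "$src" ] || src=$(switch_prop "$1" default)
    printf '%s\n' "$src"
}

# plan HOSTNAME SVCS-OUTPUT LISTPROP-OUTPUT: print, one per line, the
# commands from the procedures above that this host still needs.
plan() {
    host=$1
    if [ "$(keyserv_state "$2")" != "online" ]; then
        echo "svcadm enable network/rpc/keyserv"
    fi
    if [ "$(publickey_source "$3")" != "nis" ]; then
        echo 'svccfg -s name-service/switch setprop config/publickey = astring: "nis"'
        echo "svccfg -s name-service/switch:default refresh"
    fi
    echo "newkey -h $host"
}

plan earth "$(sample_svcs)" "$(sample_listprop)"
```

The script only prints the commands; running them still requires the root role on each client, and newkey must be run on every host in the domain, as the procedure states.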

How to Set Up a Diffie-Hellman Key for an NIS User

This procedure should be done for every user in the NIS domain.

Before You Begin

Only system administrators, when logged in to the NIS master server, can generate a new key for a user. The administrators must be assigned the Name Service Security rights profile.

  1. Become an administrator with the required security attributes.

    For more information, see How to Use Your Assigned Administrative Rights.

  2. Create a new key for a user.
    # newkey -u username

    where username is the name of the user. The system prompts for a password. You can type a generic password. The private key is encrypted with that generic password and stored in the publickey map under the user's netname, unix.UID@domain.

  3. Tell the user to log in and type the chkey -p command.

    This command re-encrypts the user's private key with a password known only to the user. Until the user does so, anyone who knows the generic password can decrypt that private key, so have users complete this step promptly.


    Note - The chkey command can be used to create a new key pair for a user.


Example 18-2 Setting Up and Encrypting a New User Key in NIS

In this example, the administrator sets up the key on the NIS master server.

# newkey -u jdoe
Adding new key for unix.12345@example.com
New Password:   <Type password>
Retype password:<Retype password>
Please wait for the database to get updated...
Your new key has been successfully stored away.
#

Then the user jdoe re-encrypts the key with a private password.

% chkey -p
Updating nis publickey database.
Reencrypting key for unix.12345@example.com
Please enter the Secure-RPC password for jdoe:<Type password>
Please enter the login password for jdoe:     <Type password>
Sending key change request to centralexample...
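Because the procedure above must be repeated for every user in the NIS domain, an administrator needs a way to find users who still have no key. The following script is an added example, not part of the Oracle documentation: it joins the passwd map against the publickey map using the unix.UID@domain netname format shown in Example 18-2 and prints the newkey -u commands still outstanding. The map contents are constructed samples embedded in the script; the domain example.com, the user names and the sample_passwd/sample_publickey functions are assumptions standing in for ypcat passwd and ypcat -k publickey.byname on the NIS master.

```shell
#!/bin/sh
# Added example (not Oracle's own code): report NIS users whose netname
# has no entry in the publickey map, i.e. who still need 'newkey -u'
# (followed by 'chkey -p' on their own login). Map contents are
# constructed samples; on the NIS master use the live ypcat output.

DOMAIN=example.com

# Constructed passwd map lines (user:passwd:uid:gid:gecos:home:shell).
sample_passwd() {
    printf '%s\n' \
        'jdoe:x:12345:10:Jane Doe:/home/jdoe:/bin/sh' \
        'rsmith:x:12346:10:Rob Smith:/home/rsmith:/bin/sh' \
        'svc-backup:x:20001:10:Backup role:/home/svc-backup:/bin/sh'
}

# Constructed 'ypcat -k publickey.byname' lines: netname, then
# "public-key:encrypted-private-key" (key material abbreviated here).
sample_publickey() {
    printf '%s\n' \
        'unix.earth@example.com  3c1a...:7f9e...' \
        'unix.12345@example.com  91b0...:d4e2...'
}

# netname UID [DOMAIN]: the Secure RPC netname that keys the publickey map.
netname() {
    printf 'unix.%s@%s\n' "$1" "${2:-$DOMAIN}"
}

# has_key PUBLICKEY-MAP NETNAME: succeed if the netname has a map entry.
has_key() {
    printf '%s\n' "$1" |
        awk -v n="$2" '$1 == n { found = 1 } END { exit found ? 0 : 1 }'
}

# users_without_key PASSWD-MAP PUBLICKEY-MAP: print, one per line, each
# user whose netname is absent from the publickey map.
users_without_key() {
    printf '%s\n' "$1" | while IFS=: read -r user _ uid _; do
        has_key "$2" "$(netname "$uid")" || printf '%s\n' "$user"
    done
}

# Print the newkey commands the administrator still has to run.
users_without_key "$(sample_passwd)" "$(sample_publickey)" | while read -r u; do
    echo "newkey -u $u"
done
```

Note that this check only tells you whether a key exists, not whether the user has already run chkey -p; the map does not record which password encrypts the private key.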

How to Share NFS Files With Diffie-Hellman Authentication

This procedure protects shared file systems on an NFS server by requiring authentication for access.

Before You Begin

Diffie-Hellman public key authentication must be enabled on the network. To enable authentication on the network, complete How to Set Up a Diffie-Hellman Key for an NIS Host.

You must become an administrator who is assigned the System Management rights profile to perform this task. For more information, see How to Use Your Assigned Administrative Rights.

  1. On the NFS server, share a file system with Diffie-Hellman authentication.
    # share -F nfs -o sec=dh /filesystem

    where filesystem is the file system that is being shared.

    The -o sec=dh option means that AUTH_DH authentication is now required to access the file system. Because sec=dh is the only security flavor listed, clients cannot fall back to the default AUTH_SYS credential for this share.

  2. On an NFS client, mount a file system with Diffie-Hellman authentication.
    # mount -F nfs -o sec=dh server:filesystem mount-point
    server

    Is the name of the system that is sharing filesystem

    filesystem

    Is the name of the file system that is being shared, such as opt

    mount-point

    Is the name of the mount point, such as /opt

    The -o sec=dh option mounts the file system with AUTH_DH authentication.
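After sharing with sec=dh it is worth verifying that every share and mount actually enforces AUTH_DH rather than merely offering it alongside AUTH_SYS. The following script is an added example, not part of the Oracle documentation: it parses option strings in the format of /etc/dfs/sharetab (path, resource, fstype, options) and /etc/mnttab (special, mount point, fstype, options, time) and reports shares that allow any flavor other than dh. The sharetab and mnttab lines are constructed samples embedded in the script, and the server name, paths and the sample_sharetab/sample_mnttab functions are assumptions standing in for the real files.

```shell
#!/bin/sh
# Added example (not Oracle's own code): audit which NFS shares and mounts
# enforce AUTH_DH. Inputs are constructed sharetab/mnttab lines; on a
# live system read /etc/dfs/sharetab and /etc/mnttab instead.

# Constructed /etc/dfs/sharetab lines: path resource fstype options.
sample_sharetab() {
    printf '%s\n' \
        '/export/home  -  nfs  sec=dh,rw' \
        '/export/tools -  nfs  rw' \
        '/export/pub   -  nfs  sec=dh,rw,sec=sys,ro' \
        '/export/proj  -  nfs  sec=dh:sys,rw'
}

# Constructed /etc/mnttab lines: special mount-point fstype options time.
sample_mnttab() {
    printf '%s\n' \
        'server:/export/home  /home       nfs  sec=dh,xattr,dev=8c40001  1355500000' \
        'server:/export/tools /opt/tools  nfs  xattr,dev=8c40002         1355500001'
}

# sec_flavors OPTION-STRING: print every security flavor the options allow,
# space separated. Handles repeated sec= clauses (per-flavor options) and
# colon-separated lists; with no sec= at all NFS uses AUTH_SYS, so "sys".
sec_flavors() {
    printf '%s\n' "$1" | awk -F, '{
        n = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^sec=/) {
                k = split(substr($i, 5), f, ":")
                for (j = 1; j <= k; j++) out[++n] = f[j]
            }
        if (n == 0) out[++n] = "sys"
        for (i = 1; i <= n; i++) printf "%s%s", out[i], (i < n ? " " : "\n")
    }'
}

# dh_only OPTION-STRING: succeed only if dh is the sole flavor allowed.
dh_only() {
    [ "$(sec_flavors "$1")" = "dh" ]
}

# weak_shares SHARETAB: print "path flavors" for every NFS share that does
# not require AUTH_DH exclusively (a client offered sys can negotiate it).
weak_shares() {
    printf '%s\n' "$1" | while read -r path _ fstype opts; do
        [ "$fstype" = nfs ] || continue
        dh_only "$opts" || printf '%s %s\n' "$path" "$(sec_flavors "$opts")"
    done
}

# mount_sec MNTTAB MOUNT-POINT: print the flavor(s) an NFS mount is using.
mount_sec() {
    printf '%s\n' "$1" | awk -v m="$2" '$2 == m && $3 == "nfs" { print $4 }' |
        while read -r opts; do sec_flavors "$opts"; done
}

echo "shares not restricted to AUTH_DH:"
weak_shares "$(sample_sharetab)"
```

The share /export/proj is the instructive case: sec=dh:sys looks hardened but still lets a client that does not present AUTH_DH credentials fall back to AUTH_SYS, so only a share whose sole flavor is dh gets the protection the procedure above describes.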