Solstice AdminSuite 2.3 Administration Guide

How to Create Level 2 DES Security for Systems Using /etc Name Service

  1. On each system that runs the sadmind daemon, edit the /etc/inetd.conf file.

    Change this line (or one similar to this):


    100232/10	tli	rpc/udp wait root /usr/sbin/sadmind sadmind

    to:


    100232/10	tli	rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
    
  2. On each system that runs the sadmind daemon, set the /etc/nsswitch.conf entry for publickey to files.

    Change this entry (or one similar to this):


    publickey:	nis [NOTFOUND=return] files

    to:


    publickey:	files
    
  3. Create credentials for all group 14 users and all of the systems that will run sadmind -S 2.

    1. Log in as root to one of the systems that will run sadmind -S 2.

    2. Run the following command for each user that will run AdminSuite.


      # newkey -u username
      

      Note -

      You must run this command even for users who are not in group 14. If you are not in group 14 and do not have credentials, you are not a user according to sadmind; you will not be able to run any methods, even those that do not require root. You will have to supply the user's password to the newkey program.


    3. Run the following command for every host that you have configured to run secure sadmind.


      # newkey -h hostname
      

      You will have to provide the root password for each of these hosts to the newkey program.

    4. Copy the /etc/publickey file on this system to each of the hosts (put this file in /etc/publickey).

      This file contains all the credentials for each user and each host.


      Note -

      Do not run newkey on each of the systems. Running it separately on each system generates a different public/private key pair on each, so the public key recorded on one system will not be valid across the network. You must create this file on one machine and then copy it to all the others.


    5. As root, enter the following command on each system to put root's private key in /etc/.rootkey.


      # keylogin -r
      

      By doing this, you will not have to keylogin as root on every system every time you want to run admintool; this creates an automatic root keylogin at boot time.

  4. Create an /etc/netid file for each user and each system; put this file on all of the systems.

    1. For each user in the publickey file, create an entry in /etc/netid that looks like the following:


      unix.uid@domainname	uid: uid: gid,gid, ...
      
    2. List every group that this user is a member of; when sadmind -S 2 is used with the files name service, it looks to /etc/netid rather than /etc/group to determine group 14 membership.

    3. For each host in the publickey file, create an entry in /etc/netid that looks like the following:


      unix.hostname@domainname			0:hostname
      
    4. Copy this file to every system in /etc/netid.

  5. Reboot all of the machines.

  6. On each system that you want to run the application on, log in and then keylogin. (You must be a member of group 14.)

    After the keylogin, you can safely log out; your key is stored in the keyserv daemon until you explicitly keylogout or the system reboots.
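A quick consistency audit of the files edited in the procedure above, as an added example that is not part of the AdminSuite guide. The sample file contents and the temporary paths are constructed here so it runs offline; on a real host you would point the functions at /etc/inetd.conf, /etc/nsswitch.conf, /etc/publickey and /etc/netid.

```shell
#!/bin/sh
# Added example: verify a host's files-based Level 2 sadmind setup.
# Each function reads one file and prints a result; nothing is modified.

# Print the -S level on the active sadmind line of an inetd.conf, or "none".
sadmind_level() {
    awk 'index($0, "/usr/sbin/sadmind") && $1 !~ /^#/ {
            for (i = 1; i < NF; i++) if ($i == "-S") { print $(i + 1); found = 1 }
         } END { if (!found) print "none" }' "$1"
}

# Print the name-service sources listed for publickey in an nsswitch.conf
# (the guide requires exactly "files" for Level 2 without NIS).
publickey_sources() {
    awk '$1 == "publickey:" { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

# Print every principal (unix.uid@domain or unix.host@domain) that appears in
# the publickey file but has no line in the netid file; empty means consistent.
netid_missing() {
    awk 'FILENAME == ARGV[1] { have[$1] = 1; next } !($1 in have) { print $1 }' \
        "$2" "$1"
}

# Constructed sample files mirroring the guide's edited lines; the key hex is fake.
TMP=$(mktemp -d)
printf '%s\n' '100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2' \
    > "$TMP/inetd.conf"
printf 'publickey:\tfiles\n' > "$TMP/nsswitch.conf"
printf '%s\n' 'unix.1001@example.com 0123abcd:4567ef01' \
              'unix.host1@example.com 89ab0123:cdef4567' > "$TMP/publickey"
printf '%s\n' 'unix.1001@example.com 1001:14,10' > "$TMP/netid"

echo "sadmind -S level:  $(sadmind_level "$TMP/inetd.conf")"
echo "publickey sources: $(publickey_sources "$TMP/nsswitch.conf")"
echo "netid missing:     $(netid_missing "$TMP/publickey" "$TMP/netid" | tr '\n' ' ')"
```

In the sample, the host principal unix.host1@example.com is reported missing from netid, which is exactly the omission that makes step 4.3 of the procedure necessary.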