Creating a Level 2 DES security system requires a number of steps that depend upon your system configuration. The following sections describe how to set up your system to have Level 2 DES security for systems using /etc, NIS, and NIS+ name services.
To set up Level 2 DES security on systems that use the /etc (files) name service, perform the following steps.
On each system that runs the sadmind daemon, edit the /etc/inetd.conf file.
Change this line (or one similar to this):
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
to:
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
On each system that runs the sadmind daemon, set the /etc/nsswitch.conf entry for publickey to files.
Change this entry (or one similar to this):
publickey: nis [NOTFOUND=return] files
to:
publickey: files
Create credentials for all group 14 users and all of the systems that will run sadmind -S 2.
Log in as root to one of the systems that will run sadmind -S 2.
Run the following command for each user that will run AdminSuite.
# newkey -u username
You must run this command even for users who are not in group 14. Without credentials, you are not a user at all as far as sadmind is concerned, and you will not be able to run any methods, even those that do not require root. You will have to supply the user's password to the newkey program.
Run the following command for every host that you have configured to run secure sadmind.
# newkey -h hostname
You will have to provide the root password for each of these hosts to the newkey program.
Copy the /etc/publickey file on this system to each of the hosts (put this file in /etc/publickey).
This file contains all the credentials for each user and each host.
Do not run newkey on each of the systems. Every run of newkey generates a fresh public/private key pair, so a key pair created on one host would not match the entry held by the others, and the public key would not be valid across the network. You must create this file on one machine and then copy it to all the others.
As root, enter the following command on each system to put root's private key in /etc/.rootkey.
# keylogin -r
By doing this, you will not have to keylogin as root on every system every time you want to run admintool; this creates an automatic root keylogin at boot time.
Create an /etc/netid file for each user and each system; put this file on all of the systems.
For each user in the publickey file, create an entry in /etc/netid that looks like the following:
unix.uid@domainname uid:gid,gid,...
List every group that this user is a member of; when the publickey source is files, sadmind -S 2 checks /etc/netid rather than /etc/group to determine group 14 membership.
For each host in the publickey file, create an entry in /etc/netid that looks like the following:
unix.hostname@domainname 0:hostname
Copy this file to every system as /etc/netid.
Reboot all of the machines.
On each system on which you want to run the application, log in and then run keylogin. (You must be a member of group 14.)
After the keylogin, you can safely log out; your key is stored in the keyserv daemon until you explicitly keylogout or the system reboots.
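The /etc/netid step above is the one most often done by hand, and a hand-built file is where group 14 membership silently goes missing. As an added example that is not part of the original AdminSuite documentation, the following POSIX shell function builds the netid entries from a publickey file plus the passwd and group files, listing the primary group and every supplementary group for each user, and emitting the 0:hostname form for host credentials. It assumes the netid(4) layout unix.uid@domain uid:gid,gid,... for users; the function names make_netid and demo_netid, the example.com domain, and the sample passwd, group and publickey contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: build /etc/netid entries from a publickey file plus
# passwd and group. Assumes the netid(4) layout
#   unix.uid@domain       uid:gid,gid,...   (users)
#   unix.hostname@domain  0:hostname        (hosts)
# Function and file names are assumptions, not taken from the page.
#
# usage: make_netid DOMAIN PUBLICKEY PASSWD GROUP > netid
make_netid() {
    domain=$1; pubkey=$2; passwd=$3; group=$4
    awk -v domain="$domain" '
    BEGIN { FS = ":" }
    # pass 1, passwd (name:pw:uid:gid:...): login name and primary gid per uid
    FILENAME == ARGV[1] { pwname[$3] = $1; pgid[$3] = $4; next }
    # pass 2, group (name:pw:gid:member,member): supplementary gids per login name
    FILENAME == ARGV[2] {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") sup[m[i]] = sup[m[i]] $3 ","
        next
    }
    # pass 3, publickey: skip comments and blank lines; first token is the netname
    /^#/ || /^[ \t]*$/ { next }
    {
        sub(/^[ \t]+/, ""); split($0, w, /[ \t]+/); split(w[1], p, "@")
        if (p[1] !~ /^unix\./ || p[2] != domain) next   # foreign or malformed netname
        id = substr(p[1], 6)
        if (id ~ /^[0-9]+$/) {
            # user credential: primary gid first, then each supplementary gid once
            if (!(id in pgid)) {
                print "make_netid: no passwd entry for uid " id ", skipped" > "/dev/stderr"
                next
            }
            gids = pgid[id]; split("", seen); seen[pgid[id]] = 1
            n = split(sup[pwname[id]], s, ",")
            for (i = 1; i <= n; i++)
                if (s[i] != "" && !(s[i] in seen)) { gids = gids "," s[i]; seen[s[i]] = 1 }
            print "unix." id "@" domain " " id ":" gids
        } else {
            # host credential
            print "unix." id "@" domain " 0:" id
        }
    }' "$passwd" "$group" "$pubkey"
}

# Constructed sample input (not from the original page) for a dry run.
# uid 1003 has a credential but no passwd entry, so it is reported and skipped.
demo_netid() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:1:Super-User:/:/sbin/sh' \
        'alice:x:1001:10:Alice:/home/alice:/bin/sh' \
        'bob:x:1002:10:Bob:/home/bob:/bin/sh' > "$tmp/passwd"
    printf '%s\n' 'root::0:' 'staff::10:alice,bob' 'sysadmin::14:alice' > "$tmp/group"
    printf '%s\n' '# constructed /etc/publickey' \
        'unix.1001@example.com 1a2b3c:4d5e6f' \
        'unix.1002@example.com 7a8b9c:0d1e2f' \
        'unix.1003@example.com 112233:445566' \
        'unix.host1@example.com aabbcc:ddeeff' > "$tmp/publickey"
    make_netid example.com "$tmp/publickey" "$tmp/passwd" "$tmp/group"
    rm -rf "$tmp"
}

demo_netid
```

Run it on the system that holds the master publickey file as make_netid yourdomain /etc/publickey /etc/passwd /etc/group > /etc/netid, review the output, and then distribute the file as the procedure describes. A uid that appears in publickey but not in passwd is reported on stderr and left out rather than written with an empty group list, which would otherwise give that user a credential without any group 14 membership.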
To set up Level 2 DES security on systems that use the NIS name service, perform the following steps.
On each system that runs the sadmind daemon, edit the /etc/inetd.conf file.
Change this line (or one similar to this):
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
to:
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
On each system that runs the sadmind daemon, set the /etc/nsswitch.conf entry for publickey to nis.
Change this entry (or one similar to this):
publickey: nis [NOTFOUND=return] files
to:
publickey: nis
Create credentials for all group 14 users and all of the systems that will run sadmind -S 2.
Log in as root on the NIS server.
Run the following command for each user that will run AdminSuite.
# newkey -u username -s files
You must run this command even for users who are not in group 14. Without credentials, you are not a user at all as far as sadmind is concerned, and you will not be able to run any methods, even those that do not require root. You will have to supply the user's password to the newkey program. The -s files option makes newkey write the entry to the local /etc/publickey file, which is the source for the NIS map, rather than to the name service named in /etc/nsswitch.conf.
Run the following command for every host that you have configured to run secure sadmind.
# newkey -h hostname -s files
You will have to provide the root password for each of these hosts to the newkey program. As with the user entries, -s files directs the host entry to the local /etc/publickey file.
Copy the /etc/publickey file on this system to the publickey source file specified in /var/yp/Makefile, then rebuild and push the NIS maps.
# cd /var/yp; make
Verify that you are a member of group 14 in the NIS group map.
Log in as root.
Change directories to the source directory specified in /var/yp/Makefile.
Manually edit the group source file and add yourself to group 14, just as you did in the /etc/group file.
Change directories to /var/yp and run make.
# cd /var/yp; make
You should see the group map pushed; a message appears indicating that this action has occurred.
The security system looks in the NIS maps for your group 14 membership and fails if group 14 is not specified there, regardless of whether your /etc/nsswitch.conf file has group: files nis.
When sadmind is running in -S 2 mode, it uses the publickey entry in /etc/nsswitch.conf to determine which name service to consult for user credentials. When that entry is nis, it looks in the NIS group map to ensure that the user is a member of group 14.
As root, enter the following command on each system to put root's private key in /etc/.rootkey.
# keylogin -r
By doing this, you will not have to keylogin as root on every system every time you want to run AdminSuite; this creates an automatic root keylogin at boot time.
To ensure that the nscd gets flushed, reboot all of the workstations.
On each system on which you want to run the application, log in and then run keylogin. (You must be a member of group 14.)
After the keylogin, you can safely log out; your key is stored in the keyserv daemon until you explicitly keylogout or the system reboots.
To set up Level 2 DES security on systems that use the NIS+ name service, perform the following steps.
On each system that runs the sadmind daemon, edit the /etc/inetd.conf file.
Change this line (or one similar to this):
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
to:
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
On each system that runs the sadmind daemon, set the /etc/nsswitch.conf entry for publickey to nisplus.
Change this entry (or one similar to this):
publickey: nisplus [NOTFOUND=return] files
to:
publickey: nisplus
Log in as root on the NIS+ master server; create credentials for all group 14 users and all of the systems that will run sadmind -S 2.
While logged in as root on the NIS+ master server, add all of the users for the AdminSuite to NIS+ group 14 (the sysadmin group) using the following command.
# nistbladm -m members=username,username... '[name=sysadmin],group.org_dir'
This command replaces the current member list with the one that is input; therefore, you must include every member you wish to be a part of group 14, not only the users you are adding.
As root, add all of the users for the AdminSuite to the NIS+ admin group.
# nisgrpadm -a admin username
Verify that the NIS_GROUP environment variable is set to admin.
On all the workstations on which you intend to run admintool, enter the following command as root to put root's private key in /etc/.rootkey.
# keylogin -r
Reboot all of the workstations; verify that the nscd gets flushed.
On each system on which you want to run the application, log in and then run keylogin. (You must be a member of group 14.)
After the keylogin, you can safely log out; your key is stored in the keyserv daemon until you explicitly keylogout or the system reboots.
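Two edits are common to all three procedures above: the sadmind entry in /etc/inetd.conf must carry -S 2, and the publickey entry in /etc/nsswitch.conf must name exactly the one source the procedure calls for, with no [NOTFOUND=return] files fallback left behind. As an added example that is not part of the original documentation, the following POSIX shell function checks both settings on a host; pass files, nis or nisplus as the third argument to match the section you followed. The function names check_sadmind_config and demo_check_sadmind and the before/after sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an inetd.conf and an nsswitch.conf for the two edits
# the Level 2 DES procedures make (sadmind started with -S 2, publickey
# pointing at exactly one name service). Function names and sample file
# contents are assumptions, not taken from the page.
#
# usage: check_sadmind_config INETD_CONF NSSWITCH_CONF EXPECTED_PUBLICKEY_SOURCE
check_sadmind_config() {
    inetd=$1; nss=$2; want=$3; rc=0

    # sadmind entry: take the first uncommented line that starts /usr/sbin/sadmind
    line=$(grep -v '^[[:space:]]*#' "$inetd" | grep '/usr/sbin/sadmind' | head -n 1)
    if [ -z "$line" ]; then
        echo "FAIL: no sadmind entry in $inetd"; rc=1
    else
        case "$line" in
            *' -S 2'|*' -S 2 '*) echo "ok:   sadmind runs with -S 2";;
            *) echo "FAIL: sadmind entry lacks -S 2: $line"; rc=1;;
        esac
    fi

    # publickey entry: the whole value after "publickey:" must equal the
    # expected source, so a leftover "[NOTFOUND=return] files" fails the check
    src=$(grep -v '^[[:space:]]*#' "$nss" | grep '^publickey:' | head -n 1 \
          | sed 's/^publickey:[[:space:]]*//; s/[[:space:]]*$//')
    if [ "$src" = "$want" ]; then
        echo "ok:   publickey source is '$src'"
    else
        echo "FAIL: publickey source is '$src', expected '$want'"; rc=1
    fi
    return $rc
}

# Constructed "before" and "after" files (not from the page) for a dry run
# against the NIS variant of the procedure.
demo_check_sadmind() {
    tmp=$(mktemp -d) || return 1
    if [ "$1" = before ]; then
        printf '%s\n' '# constructed inetd.conf' \
            '100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind' > "$tmp/inetd.conf"
        printf '%s\n' 'publickey: nis [NOTFOUND=return] files' > "$tmp/nsswitch.conf"
    else
        printf '%s\n' '# constructed inetd.conf' \
            '100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2' > "$tmp/inetd.conf"
        printf '%s\n' 'publickey: nis' > "$tmp/nsswitch.conf"
    fi
    check_sadmind_config "$tmp/inetd.conf" "$tmp/nsswitch.conf" nis
    rc=$?
    rm -rf "$tmp"
    return $rc
}

for state in before after; do
    echo "--- $state ---"
    if demo_check_sadmind "$state"; then echo "result: pass"; else echo "result: fail"; fi
done
```

Run it as check_sadmind_config /etc/inetd.conf /etc/nsswitch.conf nis on each host after editing and before the reboot. The fallback source matters because, as described above, sadmind in -S 2 mode uses the publickey entry to decide which name service it consults for credentials and for group 14 membership; a fallback left in place can send that lookup to a source you did not populate.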