System Administration Guide: Naming and Directory Services (NIS+)

NIS+ Login Phase – Detailed Description

    When a principal logs into the system the following steps are automatically performed:

  1. The keylogin program is run for the principal. The keylogin program gets the principal's encrypted private key from the cred table and decrypts it using the principal's login password.

    Note –

    When a principal's login password is different from his or her Secure RPC password, keylogin cannot decrypt it and the user starts getting “cannot decrypt” errors or the command fails without a message. For a discussion of this problem, see Secure RPC Passwords and the Login Password Problem in NIS+.

  2. The principal's decrypted private key is passed to the keyserver which stores it for use during the request phase.

    Note –

    The decrypted private key remains stored for use by the keyserver until the user does an explicit keylogout. If the user simply logs out (or goes home for the day without logging out), the decrypted private key remains stored in the server. If someone with root privileges on a user's machine switched to the user's login ID, that person would then have use of the user's decrypted private key and could access NIS+ objects using the user's access authorization. Thus, for added security, users should be cautioned to perform an explicit keylogout when they cease work. If they also log out of the system, all they need do is log back in when they return. If they do not explicitly log out, they will have to perform an explicit keylogin when they return to work.