A system administrator can implement policies that help secure the network. The level of security required will differ with each site. This section provides instructions for some tasks associated with network security.
Become superuser.
Verify whether the keyserv daemon (the keyserver) is running.
# ps -ef | grep keyserv
    root   100     1 16   Apr 11 ?        0:00 /usr/sbin/keyserv
    root  2215  2211  5 09:57:28 pts/0    0:00 grep keyserv
Start the keyserver if it isn't running.
# /usr/sbin/keyserv
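The ps | grep check above has a familiar pitfall, visible in the sample output: the grep process itself names keyserv on its command line, so a match appears even when no keyserver is running. The following shell functions are an added example, not part of the Solaris guide: keyserv_running_from_ps decides from ps -ef output whether a real keyserv process is listed (ignoring the grep line), and ensure_keyserv wraps it around the start command the guide uses. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the Solaris guide: a keyserv liveness check that
# does not count the "grep keyserv" process as a running keyserver.
# Function names here are my own.

# keyserv_running_from_ps: read `ps -ef` output on stdin.
# Exit 0 if a real keyserv daemon is listed, 1 otherwise.
keyserv_running_from_ps() {
    awk '
        # The grep process from "ps -ef | grep keyserv" names keyserv on
        # its own command line; skip it so it cannot satisfy the check.
        /(^|[ \t])grep([ \t]|$)/ { next }
        # A command field that is "keyserv" or ends in "/keyserv",
        # optionally followed by arguments ("keyservd" does not match).
        /(^|[ \t]|\/)keyserv([ \t]|$)/ { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# ensure_keyserv: live check on this host; start the keyserver if it is
# absent (the same command the guide uses), then re-check.
ensure_keyserv() {
    if ps -ef | keyserv_running_from_ps; then
        echo "keyserv is running"
        return 0
    fi
    echo "keyserv not running, starting it"
    /usr/sbin/keyserv || return 1
    ps -ef | keyserv_running_from_ps
}

# Run the live check only when invoked as: sh keyserv_check.sh --ensure
if [ "${1-}" = "--ensure" ]; then ensure_keyserv; fi
```

The check is written as an awk filter over the ps listing rather than a second grep so that it can be unit-tested against captured output; on the live system it must run as superuser, since /usr/sbin/keyserv will only start for root.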
For a detailed description of NIS+ security, see Solaris Naming Administration Guide.
Become superuser.
Edit the /etc/nsswitch.conf file and add the following line:
publickey: nisplus
Initialize the NIS+ client.
# nisinit -cH hostname
hostname is the name of a trusted NIS+ server that contains an entry in its tables for the client machine.
Add the client to the cred table by typing the following commands.
# nisaddcred local
# nisaddcred des
Verify the setup by using the keylogin command.
If you are prompted for a password, the procedure has succeeded.
The following example uses the host pluto to set up earth as an NIS+ client. You can ignore the warnings. The keylogin command is accepted, verifying that earth is correctly set up as a secure NIS+ client.
# nisinit -cH pluto
NIS Server/Client setup utility.
This machine is in the North.Abc.COM. directory.
Setting up NIS+ client ...
All done.
# nisaddcred local
# nisaddcred des
DES principal name : unix.earth@North.Abc.COM
Adding new key for unix.earth@North.Abc.Com (earth.North.Abc.COM.)
Network password: xxx <Press Return>
Warning, password differs from login password.
Retype password: xxx <Press Return>
# keylogin
Password:
#
Add the user to the cred table on the root master server by typing the following command:
# nisaddcred -p unix.UID@domainname -P username.domainname. des
Note that, in this case, the username.domainname argument must end with a dot (.).
Verify the setup by logging in as the client and typing the keylogin command.
The following example gives DES security authorization to user george.
# nisaddcred -p unix.1234@North.Abc.com -P george.North.Abc.COM. des
DES principal name : unix.1234@North.Abc.COM
Adding new key for unix.1234@North.Abc.COM (george.North.Abc.COM.)
Password:
Retype password:
# rlogin rootmaster -l george
# keylogin
Password:
#
Become superuser on the client.
Edit the /etc/nsswitch.conf file and add the following line:
publickey: nis
Create a new key pair by using the newkey command.
# newkey -h hostname
hostname is the name of the client.
The following example sets up earth as a secure NIS client.
# newkey -h earth
Adding new key for unix.earth@North.Abc.COM
New Password:
Retype password:
Please wait for the database to get updated...
Your new key has been successfully stored away.
#
Log in to the server as superuser.
Only the system administrator, logged in to the NIS+ server, can generate a new key for a user.
Create a new key for a user.
# newkey -u username
username is the name of the user. The system prompts for a password. The system administrator can type a generic password. The private key is stored encrypted with the generic password.
# newkey -u george
Adding new key for unix.12345@Abc.North.Acme.COM
New Password:
Retype password:
Please wait for the database to get updated...
Your new key has been successfully stored away.
#
Tell the user to log in and type the chkey -p command.
This allows the user to re-encrypt their private key with a password known only to the user.
earth% chkey -p
Updating nis publickey database.
Reencrypting key for unix.12345@Abc.North.Acme.COM
Please enter the Secure-RPC password for george:
Please enter the login password for george:
Sending key change request to pluto...
#
The chkey command can be used to create a new key pair for a user.
Diffie-Hellman public key authentication must be enabled on the network. See "How to Set Up NIS+ Credentials for Diffie-Hellman Authentication" and "How to Set Up NIS Credentials With Diffie-Hellman Authentication".
Become superuser.
Share the file system with Diffie-Hellman authentication.
# share -F nfs -o sec=dh /filesystem
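Two of the edits in these procedures are easy to get wrong by hand and easy to audit afterwards: the publickey line added to /etc/nsswitch.conf (nisplus for the NIS+ client, nis for the NIS client) and the sec=dh option on each NFS share. The following shell functions are an added example, not part of the Solaris guide or its tools: publickey_source reports which source nsswitch.conf configures for publickey, and shares_without_dh lists the shares in a dfstab-style file whose sec= option does not include dh. The function names are my own, the sample inputs in the test are constructed, and the parser assumes the Solaris convention of one share command per line in /etc/dfs/dfstab.

```shell
#!/bin/sh
# Added example, not from the Solaris guide: audit helpers for the two
# configuration edits the guide makes by hand, the publickey source in
# /etc/nsswitch.conf and sec=dh on NFS shares. Function names are my own;
# the dfstab parser assumes one share command per line (Solaris convention).

# publickey_source: read nsswitch.conf on stdin and print the source list
# configured for publickey (e.g. "nisplus" or "nis"); exit 1 if absent.
publickey_source() {
    awk '
        /^[ \t]*#/ { next }                        # comment line
        /^[ \t]*publickey:/ {
            sub(/^[ \t]*publickey:[ \t]*/, "")     # keep only the sources
            sub(/[ \t]*#.*$/, "")                  # drop a trailing comment
            print
            found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# shares_without_dh: read share commands on stdin and print the path of
# every share whose options do not include dh in sec= (sec=dh, or a list
# such as sec=dh:sys). A share with no sec= option at all is reported too.
shares_without_dh() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        $1 != "share" { next }
        {
            opts = ""
            for (i = 2; i < NF; i++) {             # find "-o opts" or "-oopts"
                if ($i == "-o") { opts = $(i + 1); break }
                if (substr($i, 1, 2) == "-o") { opts = substr($i, 3); break }
            }
            dh = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] ~ /^sec=/) {
                    m = split(substr(o[j], 5), modes, ":")
                    for (k = 1; k <= m; k++) if (modes[k] == "dh") dh = 1
                }
            }
            if (!dh) print $NF                     # last argument is the path
        }
    '
}

# audit_secure_rpc: run both checks against the live files when present.
audit_secure_rpc() {
    if [ -r /etc/nsswitch.conf ]; then
        if src=$(publickey_source < /etc/nsswitch.conf); then
            echo "publickey source: $src"
        else
            echo "WARNING: no publickey entry in /etc/nsswitch.conf"
        fi
    fi
    if [ -r /etc/dfs/dfstab ]; then
        shares_without_dh < /etc/dfs/dfstab | while read -r p; do
            echo "WARNING: $p is shared without sec=dh"
        done
    fi
    return 0
}

# Run the live audit only when invoked as: sh secure_rpc_audit.sh --audit
if [ "${1-}" = "--audit" ]; then audit_secure_rpc; fi
```

Both filters read their input from stdin, so the same functions can be pointed at a copy of a configuration file pulled from another host, or at the output of the share command itself once its lines are reduced to the same share -F nfs -o options path form.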