test

System Administration Guide, Volume 2

Administering Diffie-Hellman Authentication

A system administrator can implement policies that help secure the network. The level of security required will differ with each site. This section provides instructions for some tasks associated with network security.

How to Restart the Keyserver

  1. Become superuser.

  2. Verify whether the keyserv daemon (the keyserver) is running. 


    # ps -ef | grep keyserv
root  100 		   1		 16	  Apr 11 ?			   0:00 /usr/sbin/keyserv
root	2215   2211			 5  09:57:28 pts/0 0:00 grep keyserv

  3. Start the keyserver if it isn't running. 


    # /usr/sbin/keyserv

How to Set Up NIS+ Credentials for Diffie-Hellman Authentication

For detailed description of NIS+ security, see Solaris Naming Administration Guide.

To set up a new key for root on an NIS+ client:

  1. Become superuser.

  2. Edit the /etc/nsswitch.conf file and add the following line:


    publickey: nisplus

  3. Initialize the NIS+ client.


    # nisinit -cH hostname

    hostname is the name of a trusted NIS+ server that contains an entry in its tables for the client machine.

  4. Add the client to the cred table by typing the following commands. 


    # nisaddcred local
# nisaddcred des

  5. Verify the setup by using the keylogin command.

    If you are prompted for a password, the procedure has succeeded.

Example--Setting Up a New Key for root on a NIS+ Client

The following example uses the host pluto to set up earth as an NIS+ client. You can ignore the warnings. The keylogin command is accepted, verifying that earth is correctly set up as a secure NIS+ client. 


# nisinit -cH pluto
NIS Server/Client setup utility.
This machine is in the North.Abc.COM. directory.
Setting up NIS+ client ...
All done.
# nisaddcred local
# nisaddcred des 
DES principal name : unix.earth@North.Abc.COM
Adding new key for unix.earth@North.Abc.Com (earth.North.Abc.COM.)
 
Network password: xxx <Press Return>
Warning, password differs from login password.
Retype password: xxx <Press Return>
 
# keylogin
Password:
#

To set up a new key for an NIS+ user:

  1. Add the user to the cred table on the root master server by typing the following command: 


    # nisaddcred -p unix.UID@domainname -P username.domainname. des

    Note that, in this case, the username-domainname must end with a dot (.)

  2. Verify the setup by logging in as the client and typing the keylogin command.

Example--Setting Up a New Key for an NIS+ User

The following example gives DES security authorization to user george.


# nisaddcred -p unix.1234@North.Abc.com -P george.North.Abc.COM. des
DES principal name : unix.1234@North.Abc.COM
Adding new key for unix.1234@North.Abc.COM (george.North.Abc.COM.)
 
Password:
Retype password:
 
# rlogin rootmaster -l george
# keylogin
Password:
#

How to Set Up NIS Credentials With Diffie-Hellman Authentication

To create a new key for superuser on a client:

  1. Become superuser on the client.

  2. Edit the /etc/nsswitch.conf file and add the following line:


    publickey: nis

  3. Create a new key pair by using the newkey command.


    # newkey -h hostname

    hostname is the name of the client.

Example--Setting Up an NIS+ Client to Use Diffie-Hellman Security

The following example sets up earth as a secure NIS client.


# newkey -h earth
Adding new key for unix.earth@North.Abc.COM
New Password:
Retype password:
Please wait for the database to get updated...
Your new key has been successfully stored away.
#

To create a new key for a user:

  1. Log in to the server as superuser.

    Only the system administrator, logged in to the NIS+ server, can generate a new key for a user.

  2. Create a new key for a user.


    # newkey -u username

    username is the name of the user. The system prompts for a password. The system administrator can type a generic password. The private key is stored encrypted with the generic password.


    # newkey -u george
Adding new key for unix.12345@Abc.North.Acme.COM
New Password:
Retype password:
Please wait for the database to get updated...
Your new key has been successfully stored away.
#

  3. Tell the user to log in and type the chkey -p command.

    This allows the user to re-encrypt their private key with a password known only to the user. 


    earth% chkey -p
Updating nis publickey database.
Reencrypting key for unix.12345@Abc.North.Acme.COM
Please enter the Secure-RPC password for george:
Please enter the login password for george:
Sending key change request to pluto...
#
    Note -

    The chkey command can be used to create a new key-pair for a user.

How to Share and Mount Files With Diffie-Hellman Authentication

Prerequisite

The Diffie-Hellman publickey authentication must be enabled on the network. See "How to Set Up NIS+ Credentials for Diffie-Hellman Authentication" and "How to Set Up NIS Credentials With Diffie-Hellman Authentication".

To share a file system with Diffie-Hellman authentication:

  1. Become superuser.

  2. Share the file system with Diffie-Hellman authentication. 


    # share -F nfs -o sec=dh /filesystem
To mount a file system with Diffie-Hellman authentication:

  1. Become superuser.

  2. Mount the file system with Diffie-Hellman authentication.


    # mount -F nfs -o sec=dh server:resource  mountpoint

    The -o sec=dh option mounts the file system with AUTH_DH authentication.