A system administrator can implement policies that help secure the network. The level of security that is required differs with each site. This section provides instructions for some tasks that are associated with network security.
Become superuser or assume an equivalent role.
Verify whether the keyserv daemon (the keyserver) is running.
# ps -ef | grep keyserv root 100 1 16 Apr 11 ? 0:00 /usr/sbin/keyserv root 2215 2211 5 09:57:28 pts/0 0:00 grep keyserv |
Start the keyserver if it isn't running.
# /usr/sbin/keyserv |
For detailed description of NIS+ security, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
Become superuser or assume an equivalent role.
Edit the /etc/nsswitch.conf file, and add the following line:
publickey: nisplus |
Initialize the NIS+ client.
# nisinit -cH hostname |
hostname is the name of a trusted NIS+ server that contains an entry in its tables for the client machine.
Add the client to the cred table by typing the following commands:
# nisaddcred local # nisaddcred des |
Verify the setup by using the keylogin command.
If you are prompted for a password, the procedure has succeeded.
The following example uses the host pluto to set up earth as an NIS+ client. You can ignore the warnings. The keylogin command is accepted, verifying that earth is correctly set up as a secure NIS+ client.
# nisinit -cH pluto NIS Server/Client setup utility. This machine is in the North.Abc.COM. directory. Setting up NIS+ client ... All done. # nisaddcred local # nisaddcred des DES principal name : unix.earth@North.Abc.COM Adding new key for unix.earth@North.Abc.Com (earth.North.Abc.COM.) Network password: xxx Press Return Warning, password differs from login password. Retype password: xxx Press Return # keylogin Password: # |
Add the user to the cred table on the root master server by typing the following command:
# nisaddcred -p unix.UID@domain-name -P username.domain-name. des |
Note that, in this case, the username.domain-name must end with a dot (.)
Verify the setup by logging in as the client and typing the keylogin command.
The following example shows DES security authorization being given to a user that is named george.
# nisaddcred -p unix.1234@North.Abc.com -P george.North.Abc.COM. des DES principal name : unix.1234@North.Abc.COM Adding new key for unix.1234@North.Abc.COM (george.North.Abc.COM.) Password: Retype password: # rlogin rootmaster -l george # keylogin Password: # |
Become superuser on the client or assume an equivalent role.
Edit the /etc/nsswitch.conf file, and add the following line:
publickey: nis |
Create a new key pair by using the newkey command.
# newkey -h hostname |
hostname is the name of the client.
The following example shows how to set up earth as a secure NIS client.
# newkey -h earth Adding new key for unix.earth@North.Abc.COM New Password: Retype password: Please wait for the database to get updated... Your new key has been successfully stored away. # |
Log in to the server as superuser or assume an equivalent role.
Only system administrators, when logged in to the NIS+ server, can generate a new key for a user.
Create a new key for a user.
# newkey -u username |
username is the name of the user. The system prompts for a password. You can type a generic password. The private key is stored in an encrypted form using the generic password.
# newkey -u george Adding new key for unix.12345@Abc.North.Acme.COM New Password: Retype password: Please wait for the database to get updated... Your new key has been successfully stored away. # |
Tell the user to log in and type the chkey -p command.
This command allows the user to re-encrypt his or her private key with a password known only to the user.
earth% chkey -p Updating nis publickey database. Reencrypting key for unix.12345@Abc.North.Acme.COM Please enter the Secure-RPC password for george: Please enter the login password for george: Sending key change request to pluto... # |
The chkey command can be used to create a new key-pair for a user.
The Diffie-Hellman publickey authentication must be enabled on the network. See How to Set Up a Key in NIS+ Credentials for Diffie-Hellman Authentication and How to Set Up a root Key by Using NIS Credentials With Diffie-Hellman Authentication.
Become superuser or assume an equivalent role.
Share the file system with Diffie-Hellman authentication.
# share -F nfs -o sec=dh /filesystem |