The chkey command changes an NIS+ principal's public and private keys that are stored in the cred table. It does not affect the principal's entry either in the passwd table or in the /etc/passwd file.
Generates new keys and encrypts the private key with the password. Run chkey with the -p option to re-encrypt the existing private key with a new password.
Generates a new Diffie-Hellman key pair and encrypts the private key with the password you provide. (Multiple Diffie-Hellman key pairs can exist for each principal.) In most cases, however, you do not want a new key pair; you want to re-encrypt your existing private key with the new password. To do this, run chkey with the -p option.
See the man pages for more information on these subjects.
In an NIS+ environment, when you change your login password with any of the current administration tools or the passwd (or nispasswd) commands, your private key in the cred table is automatically re-encrypted with the new password for you. Thus, you do not need to explicitly run chkey after a change of login password.
The chkey command interacts with the keyserver, the cred table, and the passwd table. In order to run chkey, you:

- Must have an entry in the passwd table of your home domain. Failure to meet this requirement will result in an error message.
- Must run keylogin to make sure that the keyserver has a decrypted private key for you.
- Must have modify rights to the cred table. If you do not have modify rights, you will get a “permission denied” type of error message.
- Must know the original password with which the private key in the cred table was encrypted. (In most cases, this is your Secure RPC password.)
To use the chkey command to re-encrypt your private key with your login password, you first run keylogin using the original password, and then use chkey -p, as shown in Table 13–1, which illustrates how to perform a keylogin and chkey for a principal user:
Table 13–1 Re-encrypting Your Private Key: Command Summary

| Tasks | Commands |
|---|---|
| Log in. | Sirius% login Login-name |
| Provide login password. | Password: |
| If login password and Secure RPC password are different, perform a keylogin. | Sirius% keylogin |
| Provide the original password that was used to encrypt the private key. | Password: Secure RPC password |
| Run chkey. | Sirius% chkey -p Updating nisplus publickey database Updating new key for 'unix.1199@Doc.com'. |
| Enter login password. | Enter login password: login-password |
| Re-enter login password. | Retype password: |
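
The difference between generating a new key pair and re-encrypting the existing private key (chkey -p) can be modeled in a few lines. This is an added example, not code from NIS+ or from this documentation: the toy Diffie-Hellman group, the PBKDF2 pad with HMAC used as a stand-in cipher, and the names `new_cred`, `rewrap_cred`, `wrap` and `unwrap` are all assumptions made for illustration, and the keyserver step is collapsed into a direct decrypt with the original password.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group (constructed for this sketch, not NIS+'s parameters).
P = 2**127 - 1
G = 3
KEYLEN = 16  # bytes needed to hold a private exponent below P

def _derive(password: str, salt: bytes):
    """Stretch the password into an XOR pad and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, dklen=KEYLEN + 32)
    return km[:KEYLEN], km[KEYLEN:]

def wrap(private: int, password: str) -> dict:
    """Encrypt a private key under a password (stand-in cipher: KDF pad + HMAC)."""
    salt = secrets.token_bytes(16)  # fresh salt, so the pad is never reused
    pad, mac_key = _derive(password, salt)
    ct = bytes(a ^ b for a, b in zip(private.to_bytes(KEYLEN, "big"), pad))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def unwrap(blob: dict, password: str) -> int:
    """Decrypt the private key; a wrong password fails the MAC check."""
    pad, mac_key = _derive(password, blob["salt"])
    expected = hmac.new(mac_key, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("password does not decrypt this private key")
    return int.from_bytes(bytes(a ^ b for a, b in zip(blob["ct"], pad)), "big")

def new_cred(password: str) -> dict:
    """Model of generating a new key pair: fresh pair, private key wrapped."""
    private = secrets.randbelow(P - 2) + 1
    return {"public": pow(G, private, P), "private": wrap(private, password)}

def rewrap_cred(cred: dict, old_password: str, new_password: str) -> dict:
    """Model of chkey -p: same key pair, private key re-encrypted."""
    private = unwrap(cred["private"], old_password)  # needs the original password
    return {"public": cred["public"], "private": wrap(private, new_password)}
```

In this model `rewrap_cred` leaves the public key untouched and fails with `ValueError` when the original password is wrong, while a second call to `new_cred` produces a different public key.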