test

System Administration Guide: Security Services

Administering Diffie-Hellman Authentication

A system administrator can implement policies that help secure the network. The level of security that is required differs with each site. This section provides instructions for some tasks that are associated with network security.

How to Restart the Keyserver

  1. Become superuser or assume an equivalent role.

  2. Verify whether the keyserv daemon is running. 


    # ps -ef | grep keyserv
root   100      1  16   Apr 11    ?         0:00 /usr/sbin/keyserv
root  2215   2211   5   09:57:28  pts/0     0:00 grep keyserv

  3. Start the keyserver if the process isn't running. 


    # /usr/sbin/keyserv

How to Set Up a root Key in NIS+ Credentials for Diffie-Hellman Authentication

For detailed description of NIS+ security, see System Administration Guide: Naming and Directory Services (FNS and NIS+).

  1. Become superuser or assume an equivalent role.

  2. Edit the /etc/nsswitch.conf file, and add the following line:


    publickey: nisplus

  3. Initialize the NIS+ client.


    # nisinit -cH hostname

    hostname is the name of a trusted NIS+ server that contains an entry in its tables for the client machine.

  4. Add the client to the cred table by typing the following commands: 


    # nisaddcred local
# nisaddcred des

  5. Verify the setup by using the keylogin command.

    If you are prompted for a password, the procedure has succeeded.

Example—Setting Up a New Key for root on an NIS+ Client

The following example uses the host pluto to set up earth as an NIS+ client. You can ignore the warnings. The keylogin command is accepted, verifying that earth is correctly set up as a secure NIS+ client. 


# nisinit -cH pluto
NIS Server/Client setup utility.
This machine is in the North.Abc.COM. directory.
Setting up NIS+ client ...
All done.
# nisaddcred local
# nisaddcred des 
DES principal name : unix.earth@North.Abc.COM
Adding new key for unix.earth@North.Abc.Com (earth.North.Abc.COM.)
 
Network password: xxx Press Return
Warning, password differs from login password.
Retype password: xxx Press Return
 
# keylogin
Password:
#

How to Set Up a New User Key That Uses NIS+ Credentials for Diffie-Hellman Authentication

  1. Add the user to the cred table on the root master server by typing the following command: 


    # nisaddcred -p unix.UID@domain-name -P username.domain-name. des

    Note that, in this case, the username.domain-name must end with a dot (.)

  2. Verify the setup by logging in as the client and typing the keylogin command.

Example—Setting Up a New Key for an NIS+ User

The following example shows how DES authorization is given to a user who is named george.


# nisaddcred -p unix.1234@North.Abc.com -P george.North.Abc.COM. des
DES principal name : unix.1234@North.Abc.COM
Adding new key for unix.1234@North.Abc.COM (george.North.Abc.COM.)
 
Password:
Retype password:
 
# rlogin rootmaster -l george
# keylogin
Password:
#

How to Set Up a root Key by Using NIS Credentials With Diffie-Hellman Authentication

  1. Become superuser on the client or assume an equivalent role.

  2. Edit the /etc/nsswitch.conf file, and add the following line:


    publickey: nis

  3. Create a new key pair by using the newkey command.


    # newkey -h hostname

    hostname is the name of the client.

Example—Setting Up a New Key for root on a NIS Client

The following example shows how to set up earth as a secure NIS client.


# newkey -h earth
Adding new key for unix.earth@North.Abc.COM
New Password:
Retype password:
Please wait for the database to get updated...
Your new key has been successfully stored away.
#

How to Create a New User Key That Uses NIS Credentials with Diffie-Hellman Authentication

  1. Log in to the server as superuser or assume an equivalent role.

    Only system administrators, when logged in to the NIS+ server, can generate a new key for a user.

  2. Create a new key for a user.


    # newkey -u username

    username is the name of the user. The system prompts for a password. You can type a generic password. The private key is stored in an encrypted form by using the generic password.


    # newkey -u george
Adding new key for unix.12345@Abc.North.Acme.COM
New Password:
Retype password:
Please wait for the database to get updated...
Your new key has been successfully stored away.
#

  3. Tell the user to log in and type the chkey -p command.

    This command allows the user to re-encrypt his or her private key with a password known only to the user. 


    earth% chkey -p
Updating nis publickey database.
Reencrypting key for unix.12345@Abc.North.Acme.COM
Please enter the Secure-RPC password for george:
Please enter the login password for george:
Sending key change request to pluto...
#
    Note –

    The chkey command can be used to create a new key-pair for a user.

How to Share and Mount Files With Diffie-Hellman Authentication

Prerequisite

The Diffie-Hellman publickey authentication must be enabled on the network. See How to Set Up a root Key in NIS+ Credentials for Diffie-Hellman Authentication and How to Set Up a root Key by Using NIS Credentials With Diffie-Hellman Authentication.

To share a file system with Diffie-Hellman authentication:

  1. Become superuser or assume an equivalent role.

  2. Share the file system with Diffie-Hellman authentication. 


    # share -F nfs -o sec=dh /filesystem
To mount a file system with Diffie-Hellman authentication:

  1. Become superuser or assume an equivalent role.

  2. Mount the file system with Diffie-Hellman authentication.


    # mount -F nfs -o sec=dh server:resource  mountpoint

    The -o sec=dh option mounts the file system with AUTH_DH authentication.