Authentication is a way to restrict access to specific users when these users access a remote machine. Authentication can be set up at both the machine level and the network level. Once a user gains access to a remote machine, authorization is a way to restrict operations that the user can perform on the remote system. The following table lists the types of authentications and authorizations that can help protect your machines on the network against unauthorized use.
Table 2–5 Types of Authentication and Authorization for Remote Access

| Type | Description | Where to Find Information |
|---|---|---|
| LDAP and NIS+ | The LDAP directory service and the NIS+ name service can provide both authentication and authorization at the network level. | System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) and System Administration Guide: Naming and Directory Services (FNS and NIS+) |
| Remote login commands | The remote login commands enable users to log in to a remote machine over the network and use its resources. The remote login commands are rlogin, rcp, and ftp. If you are a “trusted host,” authentication is automatic. Otherwise, you are asked to authenticate yourself. | |
| Secure RPC | Secure RPC improves the security of network environments by authenticating users who make requests on remote machines. You can use either the UNIX, DES, or Kerberos authentication system for Secure RPC. Secure RPC can also be used to provide additional security to the NFS environment. An NFS environment with Secure RPC is called Secure NFS. | |
| DES encryption | The Data Encryption Standard (DES) encryption functions use a 56-bit key to encrypt a secret key. | |
| Diffie-Hellman authentication | This authentication method is based on the ability of the sending machine to use a common key to encrypt the current time. The receiving machine decrypts the common key and then checks the time against its own current time. | |
| Kerberos | Kerberos uses DES encryption to authenticate a user when logging in to the system. | See How to Configure a Master KDC for an example. |
If you do not want to run Secure RPC, a possible substitute is the Solaris “privileged port” mechanism. A privileged port has a port number of less than 1024. After a client system has authenticated the client's credential, the client builds a connection to the server by using a privileged port. The server then verifies the client credential by examining the connection's port number.
Non-Solaris clients, however, might be unable to communicate by using a privileged port. If the clients cannot communicate over such a port, you see an error message that is similar to the following:
“Weak Authentication NFS request from unprivileged port”
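The following Python is an added illustration, not code from the Solaris guide or its NFS server: it shows the server side of the check described above, which looks at nothing but the TCP source port of the incoming connection and refuses an ephemeral (unprivileged) port with the message quoted above. The threshold of 1024 and the message text come from the passage; the function names, the loopback demo and the exact reply format are assumptions.

```python
import socket
import threading
from typing import Dict, Tuple

# Ports below 1024 are "privileged": on a traditional UNIX host only root may
# bind them, so a request arriving from such a port is taken as coming from a
# trusted client. (Assumption: the threshold mirrors the text's "less than 1024";
# the real NFS server code is not shown on the page.)
PRIVILEGED_PORT_MAX = 1023
WEAK_AUTH_MSG = "Weak Authentication NFS request from unprivileged port"


def check_privileged_port(peer_port: int) -> Tuple[bool, str]:
    """Server-side decision: accept only if the client's source port is privileged."""
    if 0 < peer_port <= PRIVILEGED_PORT_MAX:
        return True, f"accepted: request from privileged port {peer_port}"
    return False, f"{WEAK_AUTH_MSG} (port {peer_port})"


def serve_one(listener: socket.socket, result: Dict[str, object]) -> None:
    """Accept a single connection and record the privileged-port check for it."""
    conn, (_peer_host, peer_port) = listener.accept()
    with conn:
        result["peer_port"] = peer_port
        result["verdict"] = check_privileged_port(peer_port)
        conn.sendall(result["verdict"][1].encode())


def demo_local_connection() -> Dict[str, object]:
    """Connect to a local listener without binding a source port: the kernel
    assigns an ephemeral port (>= 1024 on current systems), so the server
    refuses the request exactly as a non-Solaris NFS client would be refused."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # any free port for the demo server
    listener.listen(1)
    result: Dict[str, object] = {}
    t = threading.Thread(target=serve_one, args=(listener, result))
    t.start()
    with socket.create_connection(listener.getsockname()) as client:
        result["server_reply"] = client.recv(256).decode()
    t.join()
    listener.close()
    return result


if __name__ == "__main__":
    print(check_privileged_port(1022))  # a privileged source port is accepted
    print(demo_local_connection())      # an ephemeral source port is rejected
```

Because the decision rests entirely on the client host restricting low ports to root, the mechanism authenticates the client machine rather than the user, which is why the guide presents it only as a substitute for Secure RPC.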