Authentication and Authorization for Remote Access (System Administration Guide: Security Services)

System Administration Guide: Security Services

Authentication and Authorization for Remote Access

Authentication is a way to restrict access to specific users when these users access a remote machine. Authentication can be set up at both the machine level and the network level. Once a user gains access to a remote machine, authorization is a way to restrict operations that the user can perform on the remote system. The following table lists the types of authentications and authorizations that can help protect your machines on the network against unauthorized use.

Table 2–5 Types of Authentication and Authorization for Remote Access


Type	Description	Where to Find Information
LDAP and NIS+	The LDAP directory service and the NIS+ name service can provide both authentication and authorization at the network level.	System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) and System Administration Guide: Naming and Directory Services (FNS and NIS+)
Remote login commands	The remote login commands enable users to log in to a remote machine over the network and use its resources. The remote login commands are `rlogin`, `rcp`, `ftp`. If you are a “trusted host,” authentication is automatic. Otherwise, you are asked to authenticate yourself.	“Accessing Remote Systems (Tasks)” in System Administration Guide: Resource Management and Network Services
Secure RPC	Secure RPC improves the security of network environments by authenticating users who make requests on remote machines. You can use either the UNIX, DES, or Kerberos authentication system for Secure RPC.	Overview of Secure RPC
	Secure RPC can also be used to provide additional security to the NFS environment. An NFS environment with secure RPC is called Secure NFS.	NFS Services and Secure RPC
DES encryption	The Data Encryption Standard (DES) encryption functions use a 56-bit key to encrypt a secret key.	DES Encryption
Diffie-Hellman authentication	This authentication method is based on the ability of the sending machine to use a common key to encrypt the current time. The receiving machine decrypts the common key. The machine then checks the time against its current time.	Diffie-Hellman Authentication
Kerberos	Kerberos uses DES encryption to authenticate a user when logging in to the system.	See How to Configure a Master KDC for an example.

Using Privileged Ports Between Solaris Systems

If you do not want to run Secure RPC, a possible substitute is the Solaris “privileged port” mechanism. A privileged port is assigned with a port number of less than 1024. After a client system has authenticated the client's credential, the client builds a connection to the server by using the privileged port. The server then verifies the client credential by examining the connection's port number.

Non-Solaris clients, however, might be unable to communicate by using the privileged port. If the clients cannot communicate over the port, you see an error message that is similar to the following:

“Weak Authentication
NFS request from unprivileged port”