SunVTS 5.0 User's Guide

SunVTS Security

SunVTS has two security mechanisms that you can choose from:

    • Basic security--the SunVTS kernel uses the .sunvts_sec file to decide which hosts, groups, and users may connect to it.

    • SEAM security--the SunVTS kernel uses the Sun Enterprise Authentication Mechanism (SEAM), which is based on Kerberos V5, to authenticate connections.

The SunVTS installation process prompts you to specify which security mechanism you want to use. You must use one or the other; the SEAM security implementation is the default if you press Return through the installation questions.

Basic Security

The SunVTS user interface (vtsui, vtsui.ol, and vtstty) must connect to the SunVTS kernel (vtsk) before it can be used to control testing. The SunVTS kernel selectively accepts "connect to" requests from the SunVTS interface based on entries in the SunVTS_install_dir/bin/.sunvts_sec file. Connection permission is governed by three categories in this file:

    • HOSTS--trusted hosts. A connection from a listed host is accepted without password authentication.

    • GROUPS--trusted groups. A connection from a member of a listed group is accepted after user password authentication.

    • USERS--trusted users. A connection from a listed user is accepted after user password authentication.

A plus (+) entry in one of these categories means that all hosts, groups, or users are trusted.

The user password needed for authentication is the same password used to log in to the system under test.

The check for connection permission starts with the HOSTS category, then the GROUPS category, and finally the USERS category. A connection is granted as soon as the request matches an entry; only GROUPS and USERS matches are subject to the password check.

If a security file entry is invalid, or if the file contains no entries, all access is denied except for root on the local machine. You can correct an entry in this file even while the SunVTS kernel is running.

When you start the SunVTS kernel with the -e option, the kernel accepts "connect to" requests from any host, regardless of the entries in the .sunvts_sec file. Because this option disables the host check entirely, use it only where every host that can reach the SunVTS kernel is trusted.


Note -

As of SunVTS 3.1, the .sunvts_sec file is, by default, configured for root on the system under test only. All other "connect to" requests are rejected.



Note -

The .sunvts_sec file is bypassed if you enable the SEAM security.


The following shows the contents of the default .sunvts_sec file.

Code Example of the Security File (.sunvts_sec):


#This file should be <SunVTS 5.0 install directory>/bin/.sunvts_sec
#
#Any line beginning with a # is a comment line
#
# Trusted Hosts entry
# One hostname per line.
# A "+" entry on a line indicates that
# ALL hosts are Trusted Hosts.
# No password authentication is done.
# The line with the label HOSTS: is required to have the
# list of hosts
#
HOSTS:
#+
#host1
#host2
#
# Trusted Groups entry
# One groupname per line.
# A "+" entry on a line indicates that
# ALL groups are Trusted Groups.
# User password authentication is done.
# The line with the label GROUPS: is required to have the
# list of groups
#
GROUPS:
#group1
#
# Trusted Users entry
# One username per line.
# A "+" entry on a line indicates that
# ALL users are Trusted Users.
# User password authentication is done.
# The line with the label USERS: is required to have the
# list of users.
USERS:
root
#user1
#user2
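The connection rules above (HOSTS, then GROUPS, then USERS; "+" trusts a whole category; first match grants; only GROUPS and USERS matches require the login password; an invalid or empty file leaves only local root; vtsk -e ignores the file) are easy to get wrong when editing the file by hand. The following is an added example, not SunVTS code, that parses a .sunvts_sec file and evaluates a "connect to" request the way the text describes. It assumes that a failed password check on a matching entry denies the connection rather than falling through to the next category, that "root on the local machine" means user root connecting from the local host name, and that the password check itself is represented by a boolean supplied by the caller; the sample file contents are a shortened copy of the default file.

```python
"""Emulate the SunVTS basic-security connection check driven by .sunvts_sec.

Added example, not SunVTS code. It models the rules stated in the manual:
HOSTS:, GROUPS:, USERS: sections; "+" trusts everything in a section; one
name per line; sections checked in that order; the first match grants; a
HOSTS match needs no password, GROUPS/USERS matches do; an invalid or empty
file denies everything except root on the local machine; vtsk -e accepts any
host. Assumptions not in the manual: a failed password check on a matching
entry denies (no fall-through); "root on the local machine" means user "root"
connecting from the local host name; the password check is a caller-supplied
boolean.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SECTIONS = ("HOSTS", "GROUPS", "USERS")

# Constructed copy of the default file shipped with SunVTS (comments shortened).
DEFAULT_SUNVTS_SEC = """\
# Trusted Hosts entry: one hostname per line; "+" trusts all hosts
HOSTS:
#+
#host1
# Trusted Groups entry: one groupname per line; "+" trusts all groups
GROUPS:
#group1
# Trusted Users entry: one username per line; "+" trusts all users
USERS:
root
#user1
"""


def parse_sunvts_sec(text: str) -> Optional[Dict[str, List[str]]]:
    """Parse .sunvts_sec into {"HOSTS": [...], "GROUPS": [...], "USERS": [...]}.

    Returns None when the file is invalid: a label other than the three
    required ones, a missing or duplicated label, an entry before any label,
    or a line carrying more than one name.
    """
    entries: Dict[str, List[str]] = {s: [] for s in SECTIONS}
    seen = set()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment line
        if line.endswith(":"):
            label = line[:-1]
            if label not in SECTIONS or label in seen:
                return None               # unknown or repeated label
            seen.add(label)
            current = label
            continue
        if current is None or len(line.split()) != 1:
            return None                   # entry outside a section, or several names on one line
        entries[current].append(line)
    if seen != set(SECTIONS):
        return None                       # all three labels are required
    return entries


@dataclass
class ConnectRequest:
    host: str                 # host the SunVTS interface connects from
    user: str                 # user running the interface
    groups: Tuple[str, ...]   # groups that user belongs to
    password_ok: bool         # did the user supply the login password of the system under test?


def connection_allowed(sec: Optional[Dict[str, List[str]]], req: ConnectRequest,
                       local_host: str, accept_any_host: bool = False) -> bool:
    """Decide a "connect to" request the way the manual describes vtsk doing it."""
    if accept_any_host:       # vtsk started with -e: the file is not consulted
        return True
    if sec is None or not any(sec.values()):
        # Invalid file or no entries: only root on the local machine gets in.
        return req.user == "root" and req.host == local_host
    # 1. HOSTS: a trusted host connects without password authentication.
    if "+" in sec["HOSTS"] or req.host in sec["HOSTS"]:
        return True
    # 2. GROUPS: a member of a trusted group must still authenticate.
    if "+" in sec["GROUPS"] or any(g in sec["GROUPS"] for g in req.groups):
        return req.password_ok
    # 3. USERS: a trusted user must still authenticate.
    if "+" in sec["USERS"] or req.user in sec["USERS"]:
        return req.password_ok
    return False              # no entry matched
```

Running the default file through this check shows why the note above says only root gets in: HOSTS and GROUPS are empty, so every request falls through to USERS, where only root with a valid login password matches. Adding a host under HOSTS: opens SunVTS to anyone on that host with no password at all, which is the setting to review most carefully.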

SEAM Security

To use SEAM-based security with SunVTS, you must have the following:

    • The SEAM software installed and configured in your network environment, including a Key Distribution Center (KDC) that can authenticate the users who connect to SunVTS.

    • SEAM running on the system under test.


Note -

Refer to the following documents for more information on SEAM:

    • Sun Enterprise Authentication Mechanism 1.0.1 Guide

    • SEAM 1.0.1 Installation and Release Notes

These documents are part of the Sun Enterprise Authentication Mechanism 1.0.1 AnswerBook Collection, available at http://docs.sun.com. The SEAM software is part of the Solaris release.


The SunVTS SEAM security system is based on Kerberos V5 technology, which revolves around the concept of a ticket. A ticket is a set of electronic information that serves as identification for a user or a service. When you connect to another host through SunVTS, you transparently send a request for a ticket to a Key Distribution Center (KDC), which consults its database to authenticate your identity. The KDC returns a ticket granting you permission to access the other machine. "Transparently" means that you do not need to explicitly request a ticket; it happens in the background as part of the remote connection. No user password is transmitted over the network. Only the authenticated client can obtain a ticket for a specific service, so another client cannot gain access under an assumed identity.

If you choose to run SunVTS with SEAM security, use the following SEAM assignments:

Controlling SunVTS Security

To Control SunVTS Security mode at Installation Time

The best time to establish the SunVTS security mode is during the SunVTS installation.

  1. Decide which level of security you want to use with SunVTS.

    If you decide to use SEAM security (the highest level of security), make sure that your system is running SEAM.

  2. Install SunVTS as described in "Installing SunVTS".

    The installation program asks you if you want SEAM security enabled. Answer accordingly:

    • Yes (the default)--The Kerberos SEAM security is enabled for SunVTS. No additional action is required to administer SunVTS security. SunVTS uses the authentication as defined in the SEAM software configuration in your network environment to grant and deny access to SunVTS. Do NOT select this security scheme if you do not have the SEAM software installed and configured in your network environment.

    • No--The basic security file is used, and SEAM is not enabled. When the installation is complete, you can access SunVTS as superuser on the system under test, or modify the .sunvts_sec file to authorize other users.

To Switch SunVTS Security After Installation

If you need to switch the security from SEAM to basic, or vice-versa, after you have installed SunVTS, follow these steps:

  1. Become superuser.

  2. Make sure that SunVTS is not started.

  3. Change directories to the SunVTS binary directory:


    # cd /opt/SUNWvts/bin
    


    Note -

    If SunVTS is installed in a directory other than /opt, adjust your references accordingly.


  4. With an editor, open the .sunvts_sec_gss file.

    This file contains one line that ends with one of the following values:

    • ON--indicates SEAM security is enabled.

    • OFF--indicates SEAM security is disabled, and basic security is used.

  5. Change the ON (or OFF) value to the opposite value, save the change, and quit the editor.


    Note -

    The ON and OFF values are case sensitive. Make sure you specify them using capital letters.


  6. Start SunVTS.

    The security mechanism that you specified is enabled.
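The switch procedure above is short but has three ways to go wrong: editing the file while vtsk is running, editing it as a non-root user, and writing "on" or "off" in lowercase, which the kernel does not recognise. The following is an added example that scripts the procedure with those checks; it is not SunVTS's own tooling. It assumes that the mode line is the only non-comment, non-blank line in .sunvts_sec_gss, that a running SunVTS kernel appears in the process table as vtsk (detected with pgrep, which may be absent), and that the file lives in /opt/SUNWvts/bin unless you pass another path.

```python
"""Switch SunVTS between SEAM and basic security by editing .sunvts_sec_gss.

Added example that scripts the manual procedure; not SunVTS's own tooling.
From the manual: the file holds one line ending in ON (SEAM enabled) or OFF
(basic security); the values are case sensitive; SunVTS must be stopped and
you must be superuser; the default directory is /opt/SUNWvts/bin.
Assumptions: the mode line is the only non-comment, non-blank line, and a
running SunVTS kernel shows up as a process named "vtsk" (found with pgrep,
which may not exist on every system).
"""
import os
import re
import shutil
import subprocess
from pathlib import Path
from typing import List, Optional

DEFAULT_SEC_GSS = Path("/opt/SUNWvts/bin/.sunvts_sec_gss")  # adjust if not installed under /opt

# Case-sensitive on purpose: "on"/"off" are rejected, as the manual warns.
MODE_RE = re.compile(r"^(?P<prefix>.*?)(?P<mode>ON|OFF)\s*$")


def _mode_lines(text: str) -> List[str]:
    """Non-blank, non-comment lines; the manual says there should be exactly one."""
    return [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def read_seam_mode(text: str) -> str:
    """Return "ON" or "OFF" from the file contents, or raise ValueError."""
    lines = _mode_lines(text)
    if len(lines) != 1:
        raise ValueError(f"expected exactly one mode line, found {len(lines)}")
    m = MODE_RE.match(lines[0])
    if m is None:
        raise ValueError(f"mode line must end in ON or OFF in capitals: {lines[0]!r}")
    return m.group("mode")


def is_valid_mode_text(text: str) -> bool:
    """True if read_seam_mode() would accept the contents."""
    try:
        read_seam_mode(text)
        return True
    except ValueError:
        return False


def toggled_text(text: str) -> str:
    """Return the contents with ON and OFF swapped on the mode line; comments untouched."""
    new = "OFF" if read_seam_mode(text) == "ON" else "ON"
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        if body.strip() and not body.lstrip().startswith("#"):
            m = MODE_RE.match(body)          # cannot be None: read_seam_mode validated it
            body = m.group("prefix") + new
            line = body + line[len(line.rstrip("\r\n")):]   # keep the original line ending
        out.append(line)
    return "".join(out)


def vtsk_is_running() -> bool:
    """True if a process named vtsk exists (pgrep -x); False if pgrep is unavailable."""
    try:
        return subprocess.run(["pgrep", "-x", "vtsk"], capture_output=True).returncode == 0
    except FileNotFoundError:
        return False


def switch_security(sec_gss: Path = DEFAULT_SEC_GSS, *, require_root: bool = True,
                    vtsk_running: Optional[bool] = None) -> str:
    """Flip the mode in sec_gss after the manual's safety checks; return the new mode."""
    if require_root and os.geteuid() != 0:
        raise PermissionError("become superuser before switching SunVTS security")
    running = vtsk_is_running() if vtsk_running is None else vtsk_running
    if running:
        raise RuntimeError("SunVTS kernel (vtsk) is running; stop SunVTS first")
    new_text = toggled_text(sec_gss.read_text())
    shutil.copy2(sec_gss, sec_gss.with_name(sec_gss.name + ".bak"))  # keep a copy to revert
    sec_gss.write_text(new_text)
    return read_seam_mode(new_text)


if __name__ == "__main__":
    print("SEAM security is now", switch_security())
```

The `require_root` and `vtsk_running` parameters exist so the file-editing logic can be exercised on a copy of the file without being root and without a SunVTS kernel present; on the system under test, call `switch_security()` with the defaults so both checks stay in force. The .bak copy is what you restore if SunVTS refuses to start after the change.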