System Administration Guide: Security Services (Oracle Solaris 10 8/11 Information Library)
By requiring authentication for use of mounted NFS file systems, you increase the security of your network.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
# svcs \*keyserv\*
STATE          STIME    FMRI
disabled       Dec_14   svc:/network/rpc/keyserv
# svcadm enable network/rpc/keyserv
This procedure should be done on every host in the NIS+ domain. After root has run the keylogin command, the server has GSS-API acceptor credentials for mech_dh and the client has GSS-API initiator credentials.
For a detailed description of NIS+ security, see System Administration Guide: Naming and Directory Services (NIS+).
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Add the following line to the /etc/nsswitch.conf file:
publickey: nisplus
# nisinit -cH hostname
where hostname is the name of a trusted NIS+ server that contains an entry in its tables for the client system.
Type the following commands:
# nisaddcred local
# nisaddcred des
If you are prompted for a password, the procedure has succeeded.
# keylogin
Password:
Example 16-1 Setting Up a New Key for root on an NIS+ Client
The following example uses the host pluto to set up earth as an NIS+ client. You can ignore the warnings. The keylogin command is accepted, verifying that earth is correctly set up as a secure NIS+ client.
# nisinit -cH pluto
NIS Server/Client setup utility.
This system is in the example.com. directory.
Setting up NIS+ client ...
All done.
# nisaddcred local
# nisaddcred des
DES principal name : unix.earth@example.com
Adding new key for unix.earth@example.com (earth.example.com.)
Network password: <Type password>
Warning, password differs from login password.
Retype password: <Retype password>
# keylogin
Password: <Type password>
#
This procedure should be done for every user in the NIS+ domain.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Type the following command:
# nisaddcred -p unix.UID@domain-name -P username.domain-name. des
Note that, in this case, the username.domain-name must end with a dot (.).
Example 16-2 Setting Up a New Key for an NIS+ User
In the following example, a key for Diffie-Hellman authentication is given to the user jdoe.
# nisaddcred -p unix.1234@example.com -P jdoe.example.com. des
DES principal name : unix.1234@example.com
Adding new key for unix.1234@example.com (jdoe.example.com.)
Password: <Type password>
Retype password: <Retype password>
# rlogin rootmaster -l jdoe
% keylogin
Password: <Type password>
%
This procedure should be done on every host in the NIS domain.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Add the following line to the /etc/nsswitch.conf file:
publickey: nis
# newkey -h hostname
where hostname is the name of the client.
Example 16-3 Setting Up a New Key for root on an NIS Client
In the following example, earth is set up as a secure NIS client.
# newkey -h earth
Adding new key for unix.earth@example.com
New Password: <Type password>
Retype password: <Retype password>
Please wait for the database to get updated...
Your new key has been successfully stored away.
#
This procedure should be done for every user in the NIS domain.
Before You Begin
Only system administrators, when logged in to the NIS master server, can generate a new key for a user.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
# newkey -u username
where username is the name of the user. The system prompts for a password. You can type a generic password. The private key is stored in an encrypted form by using the generic password.
The chkey -p command, which the user runs after logging in, allows users to re-encrypt their private keys with a password known only to the user.
Note - The chkey command can be used to create a new key pair for a user.
Example 16-4 Setting Up and Encrypting a New User Key in NIS
In this example, superuser sets up the key.
# newkey -u jdoe
Adding new key for unix.12345@example.com
New Password: <Type password>
Retype password: <Retype password>
Please wait for the database to get updated...
Your new key has been successfully stored away.
#
Then the user jdoe re-encrypts the key with a private password.
% chkey -p
Updating nis publickey database.
Reencrypting key for unix.12345@example.com
Please enter the Secure-RPC password for jdoe: <Type password>
Please enter the login password for jdoe: <Type password>
Sending key change request to centralexample...
This procedure protects shared file systems on an NFS server by requiring authentication for access.
Before You Begin
Diffie-Hellman public key authentication must be enabled on the network. To enable authentication on the network, do one of the following:
The System Administrator role includes the File System Management profile. To create the role and assign the role to a user, see Configuring RBAC (Task Map).
# share -F nfs -o sec=dh /filesystem
where filesystem is the file system that is being shared.
The -o sec=dh option means that AUTH_DH authentication is now required to access the file system.
# mount -F nfs -o sec=dh server:filesystem mount-point
server
Is the name of the system that is sharing filesystem
filesystem
Is the name of the file system that is being shared, such as opt
mount-point
Is the name of the mount point, such as /opt
The -o sec=dh option mounts the file system with AUTH_DH authentication.
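As an added check that is not part of the Solaris documentation, the following POSIX shell script verifies the two settings these procedures depend on: the source named for the publickey database in nsswitch.conf, and that every shared NFS file system carries the sec=dh option so that AUTH_DH is actually required. It assumes the sharetab field order of pathname, resource, fstype, options, and it runs against constructed sample files rather than a live host.

```shell
#!/bin/sh
# Added audit helper; it is not part of the Solaris documentation above.
# The sample inputs below are constructed so the script runs offline. On a
# live Solaris 10 host, point the functions at /etc/nsswitch.conf and
# /etc/dfs/sharetab, and use nawk or /usr/xpg4/bin/awk, since the default
# /usr/bin/awk there is the legacy version.

# Print the name-service source configured for publickey (nis, nisplus, ...).
publickey_source() {
    awk '$1 == "publickey:" { print $2; exit }' "$1"
}

# Print the pathnames of nfs shares whose option list lacks sec=dh.
# Exit status 0 when every NFS share requires sec=dh, 1 otherwise.
nfs_shares_without_dh() {
    awk '$3 == "nfs" {
            n = split($4, opts, ",")
            ok = 0
            for (i = 1; i <= n; i++) if (opts[i] == "sec=dh") ok = 1
            if (!ok) { print $1; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }' "$1"
}

# Constructed sample inputs (not copied from any real host).
NSSWITCH_SAMPLE=${TMPDIR:-/tmp}/nsswitch.sample.$$
SHARETAB_SAMPLE=${TMPDIR:-/tmp}/sharetab.sample.$$
cat > "$NSSWITCH_SAMPLE" <<'EOF'
passwd:     files nis
hosts:      files dns
publickey:  nis
EOF
cat > "$SHARETAB_SAMPLE" <<'EOF'
/export/home   -   nfs   rw,sec=dh
/export/pub    -   nfs   ro
/export/src    -   nfs   sec=dh,ro
EOF

echo "publickey source: $(publickey_source "$NSSWITCH_SAMPLE")"
if nfs_shares_without_dh "$SHARETAB_SAMPLE"; then
    echo "all NFS shares require sec=dh"
else
    echo "the shares listed above do not require sec=dh"
fi
```

With the sample data, the script reports nis as the publickey source and flags /export/pub as the one share that does not require AUTH_DH.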