System Administration Guide: Security Services
Previous Next

Administering Authentication With Secure RPC

By requiring authentication for use of mounted NFS file systems, you increase the security of your network.

How to Restart the Secure RPC Keyserver

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Verify that the keyserv daemon is running.
    # svcs \*keyserv\*
    STATE    STIME   FMRI
    disabled Dec_14  svc:/network/rpc/keyserv
  3. Enable the keyserver service if the service is not online.
    # svcadm enable network/rpc/keyserv

How to Set Up a Diffie-Hellman Key for an NIS+ Host

This procedure should be done on every host in the NIS+ domain. After root has run the keylogin command, the server has GSS-API acceptor credentials for mech_dh and the client has GSS-API initiator credentials.

For a detailed description of NIS+ security, see System Administration Guide: Naming and Directory Services (NIS+).

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Enable the publickey table in the name service.

    Add the following line to the /etc/nsswitch.conf file:

    publickey: nisplus
  3. Initialize the NIS+ client.
    # nisinit -cH hostname

    where hostname is the name of a trusted NIS+ server that contains an entry in its tables for the client system.

  4. Add the client to the cred table.

    Type the following commands:

    # nisaddcred local
    # nisaddcred des
  5. Verify the setup by using the keylogin command.

    If you are prompted for a password, the procedure has succeeded.

    # keylogin
    Password:
Example 16-1 Setting Up a New Key for root on an NIS+ Client

The following example uses the host pluto to set up earth as an NIS+ client. You can ignore the warnings. The keylogin command is accepted, verifying that earth is correctly set up as a secure NIS+ client.

# nisinit -cH pluto
NIS Server/Client setup utility.
This system is in the example.com. directory.
Setting up NIS+ client ...
All done.
# nisaddcred local
# nisaddcred des 
DES principal name : unix.earth@example.com
Adding new key for unix.earth@example.com (earth.example.com.)
Network password:<Type password>
Warning, password differs from login password.
Retype password: <Retype password>
# keylogin
Password:        <Type password>
#

How to Set Up a Diffie-Hellman Key for an NIS+ User

This procedure should be done on every user in the NIS+ domain.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Add the user to the cred table on the root master server.

    Type the following command:

    # nisaddcred -p unix.UID@domain-name -P username.domain-name. des

    Note that, in this case, the username.domain-name must end with a dot (.).

  3. Verify the setup by logging in as the client and typing the keylogin command.
Example 16-2 Setting Up a New Key for an NIS+ User

In the following example, a key for Diffie-Hellman authentication is given to the user jdoe.

# nisaddcred -p unix.1234@example.com -P jdoe.example.com. des
DES principal name : unix.1234@example.com
Adding new key for unix.1234@example.com (jdoe.example.com.)
Password:       <Type password>
Retype password:<Retype password>
# rlogin rootmaster -l jdoe
% keylogin
Password:       <Type password>
%

How to Set Up a Diffie-Hellman Key for an NIS Host

This procedure should be done on every host in the NIS domain.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Enable the publickey map in the name service.

    Add the following line to the /etc/nsswitch.conf file:

    publickey: nis
  3. Create a new key pair by using the newkey command.
    # newkey -h hostname

    where hostname is the name of the client.

Example 16-3 Setting Up a New Key for root on an NIS Client

In the following example, earth is set up as a secure NIS client.

# newkey -h earth
Adding new key for unix.earth@example.com
New Password:   <Type password>
Retype password:<Retype password>
Please wait for the database to get updated...
Your new key has been successfully stored away.
#

How to Set Up a Diffie-Hellman Key for an NIS User

This procedure should be done for every user in the NIS domain.

Before You Begin

Only system administrators, when logged in to the NIS master server, can generate a new key for a user.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Create a new key for a user.
    # newkey -u username

    where username is the name of the user. The system prompts for a password. You can type a generic password. The private key is stored in an encrypted form by using the generic password.

  3. Tell the user to log in and type the chkey -p command.

    This command allows users to re-encrypt their private keys with a password known only to the user.


    Note - The chkey command can be used to create a new key pair for a user.


Example 16-4 Setting Up and Encrypting a New User Key in NIS

In this example, superuser sets up the key.

# newkey -u jdoe
Adding new key for unix.12345@example.com
New Password:   <Type password>
Retype password:<Retype password>
Please wait for the database to get updated...
Your new key has been successfully stored away.
#

Then the user jdoe re-encrypts the key with a private password.

% chkey -p
Updating nis publickey database.
Reencrypting key for unix.12345@example.com
Please enter the Secure-RPC password for jdoe:<Type password>
Please enter the login password for jdoe:     <Type password>
Sending key change request to centralexample...

How to Share NFS Files With Diffie-Hellman Authentication

This procedure protects shared file systems on an NFS server by requiring authentication for access.

Before You Begin

Diffie-Hellman public key authentication must be enabled on the network. To enable authentication on the network, do one of the following:

  1. Become superuser or assume a role that includes the System Management profile.

    The System Administrator role includes the System Management profile. To create the role and assign the role to a user, see Configuring RBAC (Task Map).

  2. On the NFS server, share a file system with Diffie-Hellman authentication.
    # share -F nfs -o sec=dh /filesystem

    where filesystem is the file system that is being shared.

    The -o sec=dh option means that AUTH_DH authentication is now required to access the file system.

  3. On an NFS client, mount a file system with Diffie-Hellman authentication.
    # mount -F nfs -o sec=dh server:filesystem mount-point
    server

    Is the name of the system that is sharing filesystem

    filesystem

    Is the name of the file system that is being shared, such as opt

    mount-point

    Is the name of the mount point, such as /opt

    The -o sec=dh option mounts the file system with AUTH_DH authentication.

Previous Next