Sun Microsystems, Inc.
How to Set Up a New User Key That Uses NIS+ Credentials for Diffie-Hellman Authentication

  1. Add the user to the cred table on the root master server by typing the following command:

    # nisaddcred -p unix.UID@domain-name -P username.domain-name. des

    Note that, in this case, the username.domain-name must end with a dot (.).

  2. Verify the setup by logging in as the client and typing the keylogin command.

Example--Setting Up a New Key for an NIS+ User

The following example shows DES security authorization being given to a user that is named george.

# nisaddcred -p unix.1234@North.Abc.COM -P george.North.Abc.COM. des
DES principal name : unix.1234@North.Abc.COM
Adding new key for unix.1234@North.Abc.COM (george.North.Abc.COM.)
 
Password:
Retype password:
 
# rlogin rootmaster -l george
# keylogin
Password:
#
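Constructing the nisaddcred arguments for a user credential, as an added shell example that is not part of the Sun guide; the des_cred_args and add_des_cred function names and the NISADDCRED_RUN variable are invented here. The script enforces the trailing dot on the NIS+ principal name that the note in step 1 calls out, and prints the command rather than running it unless NISADDCRED_RUN=1.

```shell
# Added example (not from the Sun guide): builds the arguments for
# "nisaddcred ... des" and enforces the guide's caveat that the NIS+
# principal name (username.domain-name) must end with a dot.

# Print "-p unix.UID@domain -P username.domain. des" for the given user.
# Usage: des_cred_args USERNAME UID DOMAIN
des_cred_args() {
    user=$1; uid=$2; domain=$3
    case "$uid" in
        ''|*[!0-9]*) echo "uid must be numeric: '$uid'" >&2; return 1 ;;
    esac
    if [ -z "$user" ] || [ -z "$domain" ]; then
        echo "usage: des_cred_args USERNAME UID DOMAIN" >&2; return 1
    fi
    domain=${domain%.}            # drop a trailing dot if the caller gave one,
    # so the Secure RPC netname has none and the NIS+ principal has exactly one
    printf '%s unix.%s@%s -P %s.%s. des\n' "-p" "$uid" "$domain" "$user" "$domain"
}

# Dry-run wrapper around nisaddcred: prints the command unless
# NISADDCRED_RUN=1 is set (a variable invented for this example).
add_des_cred() {
    args=$(des_cred_args "$@") || return 1
    if [ "${NISADDCRED_RUN:-0}" = 1 ]; then
        nisaddcred $args          # word splitting of $args is intended here
    else
        echo "nisaddcred $args"
    fi
}

add_des_cred george 1234 North.Abc.COM
```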

How to Set Up a root Key by Using NIS Credentials With Diffie-Hellman Authentication

  1. Become superuser on the client or assume an equivalent role.

  2. Edit the /etc/nsswitch.conf file, and add the following line:

    publickey: nis

  3. Create a new key pair by using the newkey command.

    # newkey -h hostname

    hostname is the name of the client.

Example--Setting Up an NIS+ Client to Use Diffie-Hellman Security

The following example shows how to set up earth as a secure NIS client.

# newkey -h earth
Adding new key for unix.earth@North.Abc.COM
New Password:
Retype password:
Please wait for the database to get updated...
Your new key has been successfully stored away.
#

How to Create a New User Key That Uses NIS Credentials with Diffie-Hellman Authentication

  1. Log in to the server as superuser or assume an equivalent role.

    Only system administrators, when logged in to the NIS+ server, can generate a new key for a user.

  2. Create a new key for a user.

    # newkey -u username

    username is the name of the user. The system prompts for a password. You can type a generic password. The private key is stored in an encrypted form, encrypted with the generic password.

    # newkey -u george
    Adding new key for unix.12345@Abc.North.Acme.COM
    New Password:
    Retype password:
    Please wait for the database to get updated...
    Your new key has been successfully stored away.
    #

  3. Tell the user to log in and type the chkey -p command.

    This command allows the user to re-encrypt his or her private key with a password known only to the user.

    earth% chkey -p
    Updating nis publickey database.
    Reencrypting key for unix.12345@Abc.North.Acme.COM
    Please enter the Secure-RPC password for george:
    Please enter the login password for george:
    Sending key change request to pluto...
    earth%

    Note - The chkey command can also be used to create a new key pair for a user.


How to Share and Mount Files With Diffie-Hellman Authentication

Prerequisite

The Diffie-Hellman publickey authentication must be enabled on the network. See "How to Set Up a Key in NIS+ Credentials for Diffie-Hellman Authentication" and "How to Set Up a root Key by Using NIS Credentials With Diffie-Hellman Authentication".

To share a file system with Diffie-Hellman authentication:

  1. Become superuser or assume an equivalent role.

  2. Share the file system with Diffie-Hellman authentication.

    # share -F nfs -o sec=dh /filesystem

To mount a file system with Diffie-Hellman authentication:

  1. Become superuser or assume an equivalent role.

  2. Mount the file system with Diffie-Hellman authentication.

    # mount -F nfs -o sec=dh server:resource mountpoint

    The -o sec=dh option mounts the file system with AUTH_DH authentication.
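An audit of share entries for the sec=dh requirement, added here as an example and not part of the Sun guide; the share_sec_mode and audit_dh_shares functions and the sample dfstab content are constructed for it. It reads share command lines in the form used in /etc/dfs/dfstab and reports every NFS share whose sec= option is not exactly dh (when sec= is absent the NFS default is sys, so such a share does not use AUTH_DH).

```shell
# Added example (not from the Sun guide): audits share(1M) lines in the form
# used in /etc/dfs/dfstab and reports NFS shares that do not require AUTH_DH.

# Print the sec= mode of one share line; NFS defaults to sys when the
# option is absent, so an unadorned line is reported as sys.
share_sec_mode() {
    mode=sys; opts=; prev=
    for word in $1; do            # the word after -o is the option list
        [ "$prev" = "-o" ] && opts=$word
        prev=$word
    done
    old_ifs=$IFS; IFS=,
    for opt in $opts; do          # options are comma separated: rw,sec=dh,...
        case "$opt" in
            sec=*) mode=${opt#sec=} ;;
        esac
    done
    IFS=$old_ifs
    echo "$mode"
}

# Read share lines on stdin and print "path mode" for every NFS share whose
# sec= value is not exactly dh (a list such as dh:sys still admits AUTH_SYS).
# Returns 1 if any such share was found, 0 otherwise.
audit_dh_shares() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;  # skip blank lines and comments
            *'-F nfs'*) ;;        # only NFS shares are checked
            *) continue ;;
        esac
        path=${line##* }          # the share path is the last word
        mode=$(share_sec_mode "$line")
        if [ "$mode" != dh ]; then
            echo "$path $mode"
            found=1
        fi
    done
    return $found
}

# Constructed sample dfstab content for this example (not a real host's file).
SAMPLE_DFSTAB='# constructed sample
share -F nfs -o sec=dh /export/home
share -F nfs -o rw,sec=dh:sys,root=earth /export/tools
share -F nfs /export/public
share -F nfs -o sec=sys /export/scratch'

printf '%s\n' "$SAMPLE_DFSTAB" | audit_dh_shares || echo "shares without AUTH_DH found"
```

Run it against the live output of share with no arguments to check what a server is actually exporting, not only what dfstab declares.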

PAM (Overview)

The Pluggable Authentication Module (PAM) framework lets you "plug in" new authentication technologies without changing system entry services such as login, ftp, and telnet. You can also use PAM to integrate UNIX login with other security mechanisms such as DCE or Kerberos. Mechanisms for account, session, and password management can also be "plugged in" by using this framework.

Benefits of Using PAM

The PAM framework allows you to choose any combination of system entry services (ftp, login, telnet, or rsh, for example) for user authentication. Some benefits that PAM provides are as follows:

  • Flexible configuration policy

    • Per application authentication policy

    • The ability to choose a default authentication mechanism

    • Multiple passwords on high-security systems

  • Ease of use for the end user

    • No retyping of passwords if they are the same for different mechanisms

    • The ability to use a single password for multiple authentication methods with the password-mapping feature, even if the passwords that are associated with each authentication method are different

    • The ability to prompt the user for passwords for multiple authentication methods without having the user enter multiple commands

  • The ability to pass optional parameters to the user authentication services

 
 
 