sun.com   |  docs.sun.com
How To Buy  |  My Sun  |  Worldwide Sites
         
 
Sun Microsystems Logo
 Products and Services
 		 Support and Training
 
 
System Administration Guide: Naming and Directory Services (FNS and NIS+) 

Previous Previous     Contents     Index     Next Next
Chapter 13

Administering NIS+ Keys

This chapter describes NIS+ keys and how to administer them.

Note - Some NIS+ security tasks can be performed more easily with Solstice AdminSuite tools if you have them available.

Note - NIS+ might not be supported in a future release. Tools to aid the migration from NIS+ to LDAP are available in the Solaris 9 operating environment (see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)). For more information, visit http://www.sun.com/directory/nisplus/transition.html.

NIS+ Keys

NIS+ keys are used to encrypt NIS+ related information.

This chapter assumes that you have an adequate understanding of the NIS+ security system in general, and in particular of the role that keys play in that system (see Chapter 11, NIS+ Security Overview, for this information).

For a complete description of NIS+ key-related commands and their syntax and options, see the NIS+ man pages. (The nisaddcred command also performs some key-related operations. See Chapter 12, Administering NIS+ Credentials for more information.)

Keylogin

When a principal logs in, the login process prompts for a password. That password is used to pass the user through the login security gate and give the user access to the network. The login process also decrypts the user's private key stored in the user's home domain cred table and passes that private key to the keyserver. The keyserver then uses that decrypted private key to authenticate the user each time the user accesses an NIS+ object.

Normally, this is the only time the principal is asked to provide a password. However, if the principal's private key in the cred table was encrypted with a password that was different from the user's login password, login cannot decrypt it using the login password at login time, and thus cannot provide a decrypted private key to the keyserver. (This most often occurs when a user's private key in the cred table was encrypted with a Secure RPC password different from the user's login password.)

Note - In this context, network password is sometimes used as a synonym for Secure RPC password.

To temporarily remedy this problem, the principal must perform a keylogin, using the keylogin command, after every login. (The -r flag is used to keylogin the superuser principal and to store the superuser's key in /etc/.rootkey on a host.)

For a principal user

keylogin

For a principal machine (only once)

keylogin -r

Note, however, that performing an explicit keylogin with the original password provides only a temporary solution good for the current login session only. The private key in the cred table is still encrypted with a password different than the user's login password so the next time the user logs in the problem will reoccur. To permanently solve this problem, the user must run chkey to change the password used to encrypt the private key to the user's login password (see Changing Keys for an NIS+ Principal).

Changing Keys for an NIS+ Principal

The chkey command changes an NIS+ principal's public and private keys that are stored in the cred table. It does not affect the principal's entry either in the passwd table or in the /etc/passwd file.

The chkey command:

  • Generates new keys and encrypts the private key with the password. Run chkey with the -p option to re-encrypt the existing private key with a new password.

  • Generates a new Diffie-Hellman key pair and encrypts the private key with the password you provide. (Multiple Diffie-Hellman key pairs can exist for each principal.) In most cases, however, you do not want a new keypair, you want to re-encrypt your current existing private key with the new password. To do this, run chkey with the -p option.

See the man pages for more information on these subjects.

Note - In an NIS+ environment, when you change your login password with any of the current administration tools or the passwd (or nispasswd) commands, your private key in the cred table is automatically re-encrypted with the new password for you. Thus, you do not need to explicitly run chkey after a change of login password.

The chkey command interacts with the keyserver, the cred table, and the passwd table. In order to run chkey, you:

  • Must have an entry in the passwd table of your home domain. Failure to meet this requirement will result in an error message.

  • Must run keylogin to make sure that the keyserver has a decrypted private key for you.

  • Must have modify rights to the cred table. If you do not have modify rights you will get a "permission denied" type of error message.

  • Must know the original password with which the private key in the cred table was encrypted. (In most cases, this your Secure RPC password.)

To use the chkey command to re-encrypt your private key with your login password, you first run keylogin using the original password, and then use chkey -p, as shown in Table 13-1 ,which illustrates how to perform a keylogin and chkey for a principal user:

Table 13-1 Re-encrypting Your Private Key : Command Summary

Tasks

Commands

Log in.

Sirius% login Login-name

Provide login password.

Password:

If login password and Secure RPC password are different, perform a keylogin.

Sirius% keylogin

Provide the original password that was used to encrypt the private key.

Password: Secure RPC password

Run chkey.

Sirius% chkey -p
Updating nisplus publickey database
Updating new key for 'unix.1199@Doc.com'.

Enter login password.

Enter login password: login-password

Re-enter login password

Retype password:

Changing the Keys

The following sections describe how to change the keys of an NIS+ principal.

Note - Whenever you change a server's keys, you must also update the key information of all the clients in that domain as explained in Updating Client Key Information.

Changing Root Keys From Root

Table 13-2, shows how to change the keys for the root master server from the root master (as root):

Table 13-2 Changing a Root Master's Keys: Command Summary

Tasks

Commands

Create new DES credentials

rootmaster#
nisaddcred des

Find the Process ID of rpc.nisd

rootmaster# ps -e | grep rpc.nisd

Kill the NIS+ daemon

rootmaster# kill pid

Restart NIS+ daemon with no security

rootmaster# rpc.nisd -S0

Perform a keylogout (previous keylogin is now out of date).

rootmaster# keylogout -f

Update the keys in the directories served by the master

rootmaster# nisupdkeys dirs

Find the Process ID of rpc.nisd

rootmaster# ps -e | grep rpc.nisd

Kill the NIS+ daemon

rootmaster# kill pid

Restart NIS+ daemon with default security

rootmaster# rpc.nisd

Perform a keylogin

rootmaster# keylogin

Where:

  • pid is the process ID number reported by the ps -e | grep rpc.nisd command.

  • dirs are the directory objects you wish to update. (That is, the directory objects that are served by rootmaster.)

In the first step of the process outlined in Table 13-2, nisaddcred updates the cred table for the root master, updates /etc/.rootkey and performs a keylogin for the root master. At this point the directory objects served by the master have not been updated and their credential information is now out of synch with the root master. The subsequent steps described in Table 13-2 are necessary to successfully update all the objects.

Note - Whenever you change a server's keys, you must also update the key information of all the clients in that domain as explained in Updating Client Key Information.

Previous Previous     Contents     Index     Next Next
 
Copyright 1994-2002 Sun Microsystems