Sun Microsystems

Dynamic Host Configuration Protocol (DHCP)

The Dynamic Host Configuration Protocol (DHCP) service enables host systems to receive IP addresses and network configuration information. This information is provided at boot time from a network server. The Solaris DHCP service has been enhanced in several ways to enable the service to support larger numbers of clients:

  • The Solaris DHCP server now uses multithreading to serve multiple clients simultaneously.

  • A new data store that stores data in binary files can support larger numbers of clients with faster access than with the ASCII files and NIS+ data stores.

  • Access to NIS+ data storage has been redesigned. The redesign supports server multithreading.

  • Data access architecture has been changed to enable third parties to write code modules that enable the DHCP server to use any data service to store DHCP data.

In addition, the Solaris DHCP server now supports dynamic DNS updates. You can enable the DHCP service to update the DNS service with the host names of DHCP clients that request a specific host name.

The Solaris DHCP client can now be configured to request a specific host name.

For more information, see the System Administration Guide: IP Services.

Diskless Client Management

Diskless client management is available through the command line. You can manage diskless clients, list OS services for diskless clients, and manage patches on all existing diskless clients.

For information on diskless client management, see "Managing Diskless Clients (Tasks)" in System Administration Guide: Basic Administration.

Security Enhancements

The Solaris 9 release includes the following security enhancements.

Internet Key Exchange (IKE) Protocol

Internet Key Exchange (IKE) automates key management for IPsec. IKE replaces manual key assignment and refreshment on an IPv4 network. IKE enables the administrator to manage larger numbers of secure networks.

System administrators use IPsec to set up secure IPv4 networks. The in.iked daemon provides key derivation, authentication, and authentication protection at boot time. The daemon is configurable. The administrator sets up the parameters in a configuration file. After the parameters are set up, no manual key refreshment is required.

For further information, see "Internet Key Exchange" in System Administration Guide: IP Services.

Solaris Secure Shell

Secure Shell allows a user to securely access a remote host over an unsecured network. Data transfers and interactive user network sessions are protected from eavesdropping, session hijacking, and intermediary attacks. Solaris 9 Secure Shell supports SSHv1 and SSHv2 protocol versions. Strong authentication that uses public-key cryptography is provided. The X Window System and other network services can be tunneled safely over Secure Shell connections for additional protection.

The Secure Shell server, sshd, supports the monitoring and filtering of incoming requests for network services. The server can be configured to log the client host name of incoming requests and thus enhance network security. sshd uses the same mechanism that is used by the Tcp-wrappers 7.6 utility that is described in Freeware Enhancements.

For further information, see the sshd(1M), hosts_access(4), and hosts_options(4) man pages. See also "Using Solaris Secure Shell (Tasks)" in System Administration Guide: Security Services.
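The evaluation order described in hosts_access(4), which sshd inherits through this mechanism, is shown below as an added example that is not part of Sun's documentation or code. It is a simplified Python model that handles only ALL, leading-dot domain patterns and trailing-dot address patterns; the rule text, host names and addresses are constructed.

```python
# Simplified model of hosts_access(4) evaluation (added example, not Sun's code).
# Rule text, host names and addresses are constructed sample input.
HOSTS_ALLOW = "# daemon_list : client_list\nsshd : 192.168.10. .corp.example.com\n"
HOSTS_DENY_EMPTY = ""               # hosts.deny missing or empty
HOSTS_DENY_DEFAULT = "ALL : ALL\n"  # default-deny for everything not allowed

def parse_rules(text):
    """Return (daemon_list, client_list) pairs; skip blanks and # lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:
            rules.append((fields[0].replace(",", " ").split(),
                          fields[1].replace(",", " ").split()))
    return rules

def client_matches(pattern, host, addr):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):   # domain suffix such as .corp.example.com
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):     # address prefix such as 192.168.10.
        return addr.startswith(pattern)
    return pattern.lower() == host.lower() or pattern == addr

def rule_hits(rules, daemon, host, addr):
    return any(
        ("ALL" in daemons or daemon in daemons)
        and any(client_matches(p, host, addr) for p in clients)
        for daemons, clients in rules
    )

def access_granted(allow_text, deny_text, daemon, host, addr):
    """Search hosts.allow first, then hosts.deny; no match at all means grant."""
    if rule_hits(parse_rules(allow_text), daemon, host, addr):
        return True
    if rule_hits(parse_rules(deny_text), daemon, host, addr):
        return False
    return True

if __name__ == "__main__":
    outsider = ("sshd", "unknown.example.net", "203.0.113.7")
    print(access_granted(HOSTS_ALLOW, HOSTS_DENY_EMPTY, *outsider))    # True
    print(access_granted(HOSTS_ALLOW, HOSTS_DENY_DEFAULT, *outsider))  # False
```

With an empty hosts.deny the unlisted client is still granted access, so the allow list restricts nothing until a deny rule such as ALL : ALL is in place.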

Kerberos Key Distribution Center (KDC) and Administration Tools

System administrators can improve system security by using Kerberos V5 authentication, privacy, and integrity. NFS is an example of an application that is secured with Kerberos V5.

The following list highlights the new features of Kerberos V5.

  • Kerberos V5 Server - The server includes the following components:

    • Principal (user) administration system - Includes a centralized server for local and remote administration of principals and security policies. The system includes both a GUI and a CLI administration tool.

    • Key Distribution Center (KDC) - Uses the principal database information that was created by the administration server. Issues tickets for clients.

    • Principal database replication system - Duplicates the KDC database to a backup server.

  • MIT and Microsoft Windows 2000 password change interoperability - Kerberos V5 passwords can now be changed from a Solaris client to an MIT Kerberos server and Microsoft Windows 2000.

  • Tuned DES - Kerberos V5 kernel DES operations have been optimized for the Sun4u architecture.

  • Kerberos-encrypted communications now supported with the Solaris core - An encryption module that supports Kerberos-encrypted communications is available in the Solaris 9 operating environment. Previously, an encryption module was available only on the Solaris Encryption Kit CD-ROM or through a web download.

  • Addressless tickets - System administrators and users can now specify addressless tickets. This ability can be necessary in multihomed and NAT network environments.

  • Kerberos V5 PAM module supports password aging - The pam_krb5 module supports password aging that is set in the KDC for each user principal.

For further information, see "Administering the Kerberos Database" in System Administration Guide: Security Services.

Secure LDAP Client

The Solaris 9 release includes new features for LDAP client-based security. A new LDAP library provides for SSL (TLS) and CRAM-MD5 encryption mechanisms. These encryption mechanisms enable customers to deploy methods for encryption over the wire between LDAP clients and the LDAP server.

The Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server 5.1) is the LDAP directory server. For further information on this server, see Networking Enhancements.

Encryption Modules for IPsec and Kerberos

Strong encryption for IPsec and Kerberos is included in the Solaris 9 release. Prior to this release, encryption modules were available only on the Solaris Encryption Kit CD-ROM or through a web download. A number of these algorithms are now in the Solaris 9 operating environment. These algorithms include 56-bit DES privacy support for Kerberos as well as 56-bit DES and 128-bit 3-key Triple-DES support for IPsec.


Note - Support for even stronger encryption is available on the Solaris Encryption Kit CD-ROM or through web download. IPsec supports the 128-bit, 192-bit, or 256-bit Advanced Encryption Standard (AES), and 32-bit to 448-bit Blowfish in 8-bit increments.


For information on IPsec support, see "IPsec (Overview)" in System Administration Guide: IP Services. For information on Kerberos support, see "Introduction to SEAM" in System Administration Guide: Security Services.

IP Security Architecture for IPv6

The IPsec security framework has been enhanced in the Solaris 9 release to enable secure IPv6 datagrams between machines. For the Solaris 9 release, only the use of manual keys is supported when using IPsec for IPv6.


Note - The IPsec security framework for IPv4 was introduced in the Solaris 8 release. The Internet Key Exchange (IKE) Protocol is available for IPv4.


For further information, see "IPsec (Overview)" in System Administration Guide: IP Services.

Role-Based Access Control (RBAC) Enhancements

Role-based access control (RBAC) databases can be managed through the Solaris Management Console graphical interface. Rights can now be assigned by default in the policy.conf file. In addition, rights can now contain other rights.

For further information on RBAC, see "Role-Based Access Control (Overview)" in System Administration Guide: Security Services. For information about the Solaris Management Console, see System Administration Tools.
