|Previous||Table of Contents||Next|
The keyserv daemon must be running before Diffie-Hellman authentication can work properly. Normally, the keyserver is started at boot time by the rc2 script that runs the /etc/rc2.d/S71rpc script.
If the keyserv daemon dies or is not running on a system, use the following steps to restart it:
In the following example, the ps -ef command is used to verify that the keyserv daemon is not running, the keyserv daemon is restarted, and the ps -ef command is used again to verify that it is now running.
castle% su Password: castle# ps -ef | grep keyserv root 727 722 0 12:58:25 pts/3 0:00 grep keyserv castle# /usr/sbin/keyserv castle# ps -ef | grep keyserv root 729 1 0 12:58:46 ? 0:00 /usr/sbin/keyserv root 733 722 0 12:58:57 pts/3 0:00 grep keyserv castle#
NOTE: If you start the keyserv daemon when it is already running, the message /usr/sbin/keyserv: unable to create service is displayed.
To set up Diffie-Hellman authentication for the NIS+ name service, you must set up a new key for both root and user accounts. This section describes how to set up a new key for these two accounts.
To set up a new key for root on an NIS+ client:
The following example uses the host castle to set up seachild as an NIS+ client. You can ignore the warnings. The keylogin command is accepted, verifying that seachild is correctly set up as a secure NIS+ client.
#nisinit -cH castle NIS Server/Client setup utility. This machine is in the Castle.Abc.COM. directory. Setting up NIS+ client ... All done. #nisaddcred local #nisaddcred des DES principal name: unix.seachild@Castle.Abc.COM (seachild.Castle.Abc,COM.) Network password: xxx <Press Return> Warning, password differs from login password. Retype password: xxx <Press Return> #keylogin Password: #
To set up a new key for an NIS+ user:
The following example gives DES security authorization to user ray and connects to the system named rootmaster as login ray to check the connection.
#nisaddcred -p unix.1002@Castle.Abcv.COM -P ray.Castle.Abc.COM. des DES principal name : unix.1002@ Castle.Abc.COM Adding new key for unix.1002@Castle.Abc.Com (ray.Castle.Abc.COM.) Password: Retype password: #rlogin rootmaster -l ray #keylogin Password: #
This section describes how to set up NIS credentials for Diffie-Hellman authentication. You must set up a new key for both root and user accounts.
To create a new key for superuser on a client:
The following example sets up seachild as a secure NIS client.
#newkey -h seachild Adding new key for unix.seachild@Castle.Abc.COM New Password: Retype Password: Please wait for the database to get updated... Your new key has been successfully stored away #
Only the system administrator who is logged into the NIS server can generate a new key for a user. To create a new key for a user:
The following example creates a newkey for user ray:
#newkey -u ray Adding a new key for unix.1002@Castle.Abc.COM New Password: Retype password: Please wait for the database to get updated... Your new key has been successfully stored away. # seachild% chkey -p Updating nis publickey database. Reencrypting key for unix.1002@Castle.Abc.COM Please enter the Secure-RPC password for ray: Please enter the login password for ray: Sending key change request to castle... seachild%
Before you can share files from a server and mount file systems on clients with Diffie-Hellman authentication, the Diffie-Hellman publickey authentication must be enabled on the network.
To share a file system with Diffie-Hellman authentication:
To mount a file system with Diffie-Hellman authentication, specify the -o sec=dh option to the mount command:
|Previous||Table of Contents||Next|