

Restarting the Keyserver

The keyserv daemon must be running before Diffie-Hellman authentication can work properly. Normally, the keyserver is started at boot time by the rc2 script that runs the /etc/rc2.d/S71rpc script.

If the keyserv daemon dies or is not running on a system, use the following steps to restart it:

1.  Become superuser.
2.  Type ps -ef | grep keyserv and press Return. Check the output to verify that the keyserv daemon is not running.
3.  Type /usr/sbin/keyserv and press Return.

In the following example, the ps -ef command is used to verify that the keyserv daemon is not running, the keyserv daemon is restarted, and the ps -ef command is used again to verify that it is now running.

castle% su
Password:
castle# ps -ef | grep keyserv
  root   727   722  0 12:58:25 pts/3    0:00 grep keyserv
castle# /usr/sbin/keyserv
castle# ps -ef | grep keyserv
  root   729     1  0 12:58:46 ?        0:00 /usr/sbin/keyserv
  root   733   722  0 12:58:57 pts/3    0:00 grep keyserv
castle#


NOTE:  If you start the keyserv daemon when it is already running, the message /usr/sbin/keyserv: unable to create service is displayed.
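The restart procedure above hinges on reading the ps listing correctly: the grep process itself shows up in the output, and starting keyserv a second time only produces the "unable to create service" message. The following added example (not part of the original text) wraps that check in shell functions that read a ps -ef listing on stdin, so the decision can be tested against captured output before the script is run as superuser on a real system.

```shell
# Decide from a "ps -ef" listing (read on stdin) whether keyserv is up.
# Matches the daemon's full path, so the "grep keyserv" process that
# appears in the transcript above is never mistaken for the daemon.
# Exit status 0 means running, 1 means not running.
keyserv_running() {
    awk '/\/usr\/sbin\/keyserv/ { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# Print the action a restart script should take for the listing on stdin:
# "start" when keyserv is absent, "skip" when it is already running
# (a second copy would only produce "unable to create service").
keyserv_action() {
    if keyserv_running; then
        echo skip
    else
        echo start
    fi
}

# Restart the daemon only when it is missing. Must run as superuser.
# The ps output goes straight to awk, not through grep, so there is no
# self-matching grep line to filter out.
ensure_keyserv() {
    if [ "$(ps -ef | keyserv_action)" = start ]; then
        /usr/sbin/keyserv
    fi
}
```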

Setting Up NIS+ Credentials for Diffie-Hellman Authentication

To set up Diffie-Hellman authentication for the NIS+ name service, you must set up a new key for both root and user accounts. This section describes how to set up a new key for these two accounts.

To set up a new key for root on an NIS+ client:

1.  Become superuser on the client.
2.  Edit the publickey entry in the /etc/nsswitch.conf file to read publickey: nisplus.
3.  Type nisinit -cH <hostname> and press Return to initialize the NIS+ client.
4.  Type nisaddcred local and press Return.
5.  Type nisaddcred des and press Return. The client is added to the cred table.
6.  When prompted, type the network password.
7.  When prompted, retype the network password.
8.  Type keylogin and press Return. If you are prompted for a password, the procedure succeeded.

The following example uses the host castle to set up seachild as an NIS+ client. You can ignore the warnings. The keylogin command is accepted, verifying that seachild is correctly set up as a secure NIS+ client.

#nisinit -cH castle
NIS Server/Client setup utility.
This machine is in the Castle.Abc.COM. directory.
Setting up NIS+ client ...
All done.

#nisaddcred local
#nisaddcred des
DES principal name: unix.seachild@Castle.Abc.COM
 (seachild.Castle.Abc.COM.)

Network password: xxx <Press Return>
Warning, password differs from login password.
Retype password: xxx <Press Return>

#keylogin
Password:
#

To set up a new key for an NIS+ user:

1.  On the root master server, type nisaddcred -p unix.<UID@domainname> -P <username.domainname.> des and press Return. Note that the username.domainname. must end with a dot (.).
2.  Rlogin to the root master server as the client, type keylogin, and press Return. If you are prompted for a password, the procedure succeeded.

The following example gives DES security authorization to user ray and connects to the system named rootmaster as login ray to check the connection.

#nisaddcred -p unix.1002@Castle.Abc.COM -P ray.Castle.Abc.COM. des
DES principal name: unix.1002@Castle.Abc.COM
Adding new key for unix.1002@Castle.Abc.COM (ray.Castle.Abc.COM.)

Password:
Retype password:

#rlogin rootmaster -l ray
#keylogin
Password:
#

Setting Up NIS Credentials for Diffie-Hellman Authentication

This section describes how to set up NIS credentials for Diffie-Hellman authentication. You must set up a new key for both root and user accounts.

To create a new key for superuser on a client:

1.  Become superuser on the client.
2.  Edit the publickey entry in the /etc/nsswitch.conf file to read publickey: nis.
3.  Type newkey -h <hostname> and press Return. This command creates a new key pair.
4.  When prompted, type the password.
5.  When prompted, retype the password.

The following example sets up seachild as a secure NIS client.

#newkey -h seachild
Adding new key for unix.seachild@Castle.Abc.COM
New Password:
Retype Password:
Please wait for the database to get updated...
Your new key has been successfully stored away
#

Only the system administrator who is logged into the NIS server can generate a new key for a user. To create a new key for a user:

1.  Log in to the NIS server as superuser.
2.  Type newkey -u <username> and press Return. The system prompts for a password. You can type a generic password.
3.  When prompted, type the password.
4.  When prompted, retype the password.
5.  Instruct the user to log in and type the chkey -p command.

The following example creates a new key for user ray:

#newkey -u ray
Adding a new key for unix.1002@Castle.Abc.COM
New Password:
Retype password:
Please wait for the database to get updated...
Your new key has been successfully stored away.
#

seachild% chkey -p
Updating nis publickey database.
Reencrypting key for unix.1002@Castle.Abc.COM
Please enter the Secure-RPC password for ray:
Please enter the login password for ray:
Sending key change request to castle...
seachild%

Sharing and Mounting Files with Diffie-Hellman Authentication

Before you can share files from a server and mount file systems on clients with Diffie-Hellman authentication, the Diffie-Hellman publickey authentication must be enabled on the network.

To share a file system with Diffie-Hellman authentication:

1.  On the server, become superuser.
2.  Type share -F nfs -o sec=dh /<filesystem> and press Return.

To mount a file system with Diffie-Hellman authentication, specify the -o sec=dh option to the mount command:

1.  On the client, become superuser.
2.  Check to make sure the mount point is available. If not, type mkdir <directory-name> and press Return to create the mount point.
3.  Type mount -F nfs -o sec=dh <server>:<resource> <mountpoint> and press Return.
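A share that omits sec=dh silently falls back to weaker authentication, so it is worth auditing the server side of the procedure above. The following added example (not from the original text) reads share commands in the format used in /etc/dfs/dfstab on stdin and lists the NFS shares whose option string does not include the dh flavor; the sample dfstab lines in the test are constructed, and the parser assumes a -d description, if present, is enclosed in double quotes.

```shell
# List NFS shares (in "share ..." dfstab format, read on stdin) whose
# -o options do not grant the dh security flavor. One path per line.
shares_without_dh() {
    while read -r line; do
        case "$line" in
            ''|'#'*) continue ;;        # skip blank lines and comments
        esac
        # Drop a quoted -d "description" so word splitting stays simple.
        line=$(printf '%s\n' "$line" | sed 's/-d *"[^"]*"//')
        set -- $line
        fstype=nfs opts='' path=''
        while [ $# -gt 0 ]; do
            case "$1" in
                -F) fstype=$2; shift ;;
                -o) opts=$2; shift ;;
                -*|share) ;;            # other flags carry no security data
                *) path=$1 ;;           # last bare word is the pathname
            esac
            shift
        done
        [ "$fstype" = nfs ] || continue
        has_flavor "$opts" dh || printf '%s\n' "$path"
    done
}

# True (exit 0) when the comma-separated option list carries sec=<flavors>
# and the colon-separated flavor list (e.g. sec=dh:sys) contains $2.
has_flavor() {
    list=$1 want=$2 found=1
    old_ifs=$IFS
    IFS=,
    for opt in $list; do
        case "$opt" in
            sec=*)
                IFS=:
                for flavor in ${opt#sec=}; do
                    [ "$flavor" = "$want" ] && found=0
                done
                IFS=, ;;
        esac
    done
    IFS=$old_ifs
    return $found
}
```

The client-side mount in step 3 above requests sec=dh; this audit confirms the server actually offers it for each exported file system.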

