Planning Volume 2, Control Workstation and Software Environment

Understanding which security services software to acquire

Your choices determine which security services software you need to obtain in addition to the AIX and PSSP software, where it is to be installed and configured, and at what point in the process. The PSSP implementation of Kerberos V4 authentication comes with the PSSP software and the authenticated remote commands come with AIX. You have to plan to obtain, install, and configure any other security services software that you choose to use. |Neither the secure remote command, the DCE, nor the Kerberos V5 |software comes with AIX or PSSP.

|You need to obtain, install, and configure any secure remote command |software that you want to use. PSSP 3.4 was tested with OpenSSH |version 2.9p1 using the default install configuration and with |StrictHostKeyChecking no. The following must be true for |your secure remote command process to work: |

• |It conforms to the IETF Secure Shell protocol.
• |The secure remote commands can be run by the PSSP system management as |root from the control workstation to the nodes without prompts for a password |or passphrase. This normally means the following: |
  • |The root public key generated on the control workstation is installed on |the control workstation and all the nodes. An example of this is given |in /usr/lpp/ssp/samples/script.cust file.
  • |The root public key generated on a boot-install server (BIS) node is |installed on the control workstation, the BIS node, and on all the nodes it |serves. An example of this is given in |/usr/lpp/ssp/samples/sysctl/firstboot.cmds file.
  • |A known_host file has been generated on the control workstation |and the BIS nodes for all nodes or the StrictHostKeyChecking |variable is disabled to ensure that the PSSP scripts and commands are not |prompted for passwords or passphrases. Prompting to the scripts will |cause a hang. |
• |The BIS node still has rsh and rcp |authorization for root access to NIM. See Boot-install servers. |

See the discussion about setting up your secure remote command environment in the book PSSP: Installation and Migration Guide. See also the dsh command in the book PSSP: Command and Technical Reference.

To use DCE or Kerberos V5, you will have to do the following before you begin to install and configure PSSP:

1. Obtain the server software and licenses.
2. Have AIX installed and operating on the control workstation.
3. Have the DCE core server software installed, configured, and operational.
4. Have the control workstation operational in the DCE cell as a client or a server.
5. Place the DCE client software in the lppsource file on the control workstation.

The SP system installation scripts support the automatic installation and configuration of DCE clients and of the PSSP implementation of Kerberos V4 servers and clients. You are fully responsible for planning, installing, configuring, and operating any other security services software that you might choose to use.

There are many ways to use DCE, both internal and external to PSSP. Consider the following:

• When the set of SP trusted services authentication methods include DCE, then DCE V3.1 for AIX is required for both servers and clients. The base DCE client services are required on the SP control workstation, if it is not a server, and on the nodes in partitions in which DCE is enabled as an authentication method.

  |If you want to run PSSP DCE administration commands on a cell |administrator workstation remote from the SP system, you need to install the |ssp.clients file set and its prerequisites on that cell |administrator workstation.

• When the SP trusted services authentication methods do not include DCE (your choice is compat or none), then DCE is not used by SP trusted services. In that case:
  • If you use DCE only for authentication within the AIX remote commands, a minimum level of DCE 2.2 is required.
  • If you use DCE only for authentication within DFS or some other non-SP-specific services, including locally developed custom DCE applications, then you can use whatever version of DCE is appropriate.