
Network Information Services (NIS and NIS+) Guide


Administering NIS+ Keys

This section describes how to use the keylogin, chkey, and nisupdkeys commands to administer keys. (The nisaddcred command also performs some key-related operations.)

This section assumes that you have a basic understanding of the NIS+ security system, especially of the role that keys play in that system (see Chapter 7, Security for this information).

The keylogin Process

When a principal logs in, the login process prompts for a password. That password is used to pass the user through the login security gate and give the user access to the network. The login process also decrypts the user's private key stored in the user's home domain cred table and passes that private key to the keyserver. The keyserver then uses that decrypted private key to authenticate the user each time the user accesses an NIS+ object.

Normally, the only time the principal is asked to provide a password is at login. However, if the principal's private key in the cred table was encrypted with a password that was different from the user's login password, login cannot decrypt it using the login password at login time, and thus cannot provide a decrypted private key to the keyserver. (This most often occurs when a user's private key in the cred table was encrypted with a secure RPC password different from the user's login password. Note also that in this context, network password is sometimes used as a synonym for secure RPC password.)

To temporarily remedy this problem, the principal must perform a keylogin, using the keylogin command, after every login. (The -r flag is used with the keylogin command for the root user principal and to store the root user's key in /etc/.rootkey on a host.)

Note, however, that performing an explicit keylogin with the original password provides only a temporary solution that is valid for the current login session only. The private key in the cred table is still encrypted with a password other than the user's login password, so the next time the user logs in, the problem recurs. To permanently solve this problem, run chkey to change the password used to encrypt the private key to the user's login password (see Changing Keys for an NIS+ Principal).

Changing Keys for an NIS+ Principal

You can change an NIS+ principal's public and private keys that are stored in the cred table using the chkey command. It does not affect the principal's entry either in the passwd table or in the /etc/passwd file.

Use the chkey command to do the following:

See the chkey command description for more information on these subjects.

Note: In an NIS+ environment, when you change your login password with any of the current administration tools or the passwd command, your private key in the cred table is automatically re-encrypted with the new password. Thus, you do not need to explicitly run chkey after a change of login password.

The chkey command interacts with the keyserver, the cred table, and the passwd table. To run chkey, you must first:

To use the chkey command to re-encrypt your private key with your login password, you first run keylogin using the original password. Then use chkey -p as shown in the following table, which illustrates how to perform a keylogin and chkey for a principal user:


Re-encrypting Your Private Key: Command Summary

Task                                                   Command
Log in.                                                Sirius% login Login-name
Provide login password.                                Password:
If login password and secure RPC password are          Sirius% keylogin
  different, perform a keylogin.
Provide the original password that was used to         Password: secure RPC password
  encrypt the private key.
Run chkey.                                             Sirius% chkey -p
                                                       Updating nisplus publickey database
                                                       Updating new key for 'unix.1199@Wiz.Com'.
Type the login password.                               Enter login password: login-password
Type the login password again.                         Retype password:
                                                       Done

Changing Root Keys of an NIS+ Principal

The following sections describe how to change the root keys of an NIS+ principal.

Changing Root Keys From Root Master

The following table shows how to change the keys for the root master server from the root master (as root).


Changing a Root Master's Keys: Command Summary

Task                                                   Command
Create new DES credentials.                            rootmaster# nisaddcred des
Kill the NIS+ daemon.                                  rootmaster# stopsrc -s rpc.nisd
Restart the NIS+ daemon with no security.              rootmaster# startsrc -s rpc.nisd -a "-S0"
Perform a keylogout (the previous keylogin is now      rootmaster# keylogout -f
  out of date).
Update the keys in the directories served by the       rootmaster# nisupdkeys dirs
  master.
Kill the NIS+ daemon.                                  rootmaster# stopsrc -s rpc.nisd
Restart the NIS+ daemon with default security.         rootmaster# startsrc -s rpc.nisd
Perform a keylogin.                                    rootmaster# keylogin

Where dirs are the directory objects you want to update (that is, the directory objects that are served by rootmaster).

In the first step of the process outlined in the previous table, nisaddcred updates the cred table for the root master, updates /etc/.rootkey, and performs a keylogin for the root master. At this point, the directory objects served by the master have not been updated, and their credential information is now out of sync with the root master. The subsequent steps described in the table are necessary to successfully update all the objects.
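The sequence from the table above wrapped in a script, as an added example that is not part of the guide. It keeps the window in which rpc.nisd runs with -S0 (no security) short, always brings the daemon back with default security, and passes all directory objects to nisupdkeys in one call; the function name and the DRY_RUN variable (which prints the commands instead of running them) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the guide: wraps the root-master key change
# sequence so that the window in which rpc.nisd runs with -S0 (no security)
# stays short, the daemon always comes back with default security, and every
# directory object goes to nisupdkeys in one call. With DRY_RUN=1 the
# commands are printed instead of executed (assumed variable, for rehearsal).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Usage: rotate_root_master_keys dir...  (the directory objects served by
# this root master, for example Wiz.Com. org_dir.Wiz.Com. groups_dir.Wiz.Com.)
rotate_root_master_keys() {
    if [ $# -lt 1 ]; then
        echo "usage: rotate_root_master_keys dir..." >&2
        return 2
    fi
    # New DES credentials: updates the cred table and /etc/.rootkey and does
    # a root keylogin, but the directory objects still hold the old key.
    run nisaddcred des || return 1
    # Restart without security so the out-of-sync directory objects can be
    # updated; nothing else happens between here and the secure restart.
    run stopsrc -s rpc.nisd || return 1
    run startsrc -s rpc.nisd -a "-S0" || return 1
    # The previous keylogin is now out of date.
    run keylogout -f
    # All directory objects in a single nisupdkeys call; separate calls can
    # cause authentication errors.
    run nisupdkeys "$@"
    status=$?
    # Return to default security whether or not the update succeeded.
    run stopsrc -s rpc.nisd
    run startsrc -s rpc.nisd
    run keylogin
    return "$status"
}
```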

Changing Root Keys From Another Machine

To change the keys for the root master server from another machine, you must have the required NIS+ credentials and authorization.

Remotely Changing Root Master Keys: Command Summary

Task                                                   Command (on other machine)
Create the new DES credentials.                        nisaddcred -p secureRPCnetname \
                                                           -P nisprincipal des
Update the directory objects.                          nisupdkeys dirs
Update /etc/.rootkey.                                  keylogin -r
Reinitialize othermachine as a client.                 nisinit -c -H hostname

Where:

secureRPCnetname
Is the root machine's secure RPC netname. For example: unix.rootmaster@wiz.com (no dot at the end).

nisprincipal
Is the root machine's NIS+ principal name. For example, rootmaster.wiz.com. (a dot at the end).

dirs
Are the directory objects you want to update (that is, the directory objects that are served by rootmaster).

When running nisupdkeys, be sure to update all relevant directory objects at the same time with one command. Separate updates can result in an authentication error.
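A pre-flight check for the two names passed to nisaddcred -p secureRPCnetname -P nisprincipal, added here as an example that is not part of the guide: it enforces the forms given above (unix.host@domain with no trailing dot; host.domain. with a trailing dot) and confirms both refer to the same host. The function name is an assumption, and the domain comparison is case-insensitive because the guide writes the domain both as wiz.com and Wiz.Com.

```shell
#!/bin/sh
# Added example, not from the guide: check that a secure RPC netname and an
# NIS+ principal name describe the same host before they are handed to
#   nisaddcred -p secureRPCnetname -P nisprincipal des
# Expected forms (from the guide):
#   netname    unix.<host>@<domain>   (no trailing dot)
#   principal  <host>.<domain>.       (trailing dot required)
# Returns 0 when consistent, 1 otherwise, with the reason on stderr.
check_host_credential_names() {
    netname=$1
    principal=$2
    case "$netname" in
        unix.*@*) ;;
        *) echo "netname must look like unix.host@domain: $netname" >&2; return 1 ;;
    esac
    case "$netname" in
        *.) echo "netname must not end with a dot: $netname" >&2; return 1 ;;
    esac
    case "$principal" in
        *.) ;;
        *) echo "principal must end with a dot: $principal" >&2; return 1 ;;
    esac
    host=${netname#unix.}
    host=${host%%@*}
    domain=${netname#*@}
    # Domain case is compared case-insensitively (assumption: the guide
    # writes the same domain as wiz.com and Wiz.Com).
    expected=$(printf '%s.%s.' "$host" "$domain" | tr 'A-Z' 'a-z')
    actual=$(printf '%s' "$principal" | tr 'A-Z' 'a-z')
    if [ "$expected" != "$actual" ]; then
        echo "netname $netname does not match principal $principal (expected $expected)" >&2
        return 1
    fi
    return 0
}
```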

Changing the Keys of a Root Replica from the Replica

To change the keys of a root replica from the replica, use these commands:

replica# nisaddcred des
replica# nisupdkeys dirs

Where dirs are the directory objects you want to update (that is, the directory objects that are served by replica).

When running nisupdkeys, be sure to update all relevant directory objects at the same time with one command. Separate updates can result in an authentication error.

Changing the Keys of a Nonroot Server

To change the keys of a nonroot server (master or replica) from the server, use these commands:

subreplica# nisaddcred des
subreplica# nisupdkeys parentdir dirs

Where:

parentdir
Is the nonroot server's parent directory (that is, the directory containing subreplica's NIS+ server).

dirs
Are the directory objects you want to update (that is, the directory objects that are served by subreplica).

When running nisupdkeys, be sure to update all relevant directory objects at the same time with one command. Separate updates can result in an authentication error.

Updating Public Keys

The public keys of NIS+ servers are stored in several locations throughout the namespace. When new credential information is created for the server, a new key pair is generated and stored in the cred table. However, namespace directory objects still have copies of the server's old public key. The nisupdkeys command is used to update those directory object copies.


Updating a Public Key: Command Summary

Task                                                   Command
Update all keys of all servers of the current          rootmaster# /usr/lib/nis/nisupdkeys
  domain (Wiz.Com).                                    Fetch Public key for server rootmaster.Wiz.Com.
                                                           netname='unix.rootmaster@Wiz.Com'
                                                       Updating rootmaster.Wiz.Com.'s public key.
                                                           Public key: public-key
Update keys of all servers supporting the              salesmaster# nisupdkeys Sales.Wiz.Com
  Sales.Wiz.Com domain directory object.               (Screen notices not shown)
Update keys for a server named server7 in all          rootmaster# nisupdkeys -H server7
  the directories that store them.
Clear the keys stored by the Sales.Wiz.Com             rootmaster# nisupdkeys -C Sales.Wiz.Com
  directory object.
Clear the keys for the current domain directory        rootmaster# nisupdkeys -C -H server7
  object for the server named server7.

Updating IP Addresses

If you change a server's IP address, or add additional addresses (a multihomed server), run nisupdkeys to update the NIS+ address information.

To update the IP addresses of one or more servers, use the -a option of the nisupdkeys command, as shown in the following examples:

