NIS+ and Trusted Sys



Figure 2-5a

2.5.3 NIS+ and the Trusted System

HP-UX 11i Security, by Chris Wong, Prentice Hall PTR; ISBN: 0130330620


Chances are if you are running NIS+ it is because you have a need to run the systems in trusted-mode. NIS is not supported on trusted systems, only NIS+. To run a combination of both NIS+ and trusted-mode, first install and configure NIS+. After NIS+ is configured, run the "tsconvert" command to switch to trusted system mode on each server and client.

As a reminder, when running NIS+ the system users typically remain in the /etc/passwd file and all other non-system users are kept in a NIS+ table. The /etc/passwd file then contains only the system users, such as root. The hashed password of each of those users can be displayed by anyone with access to the /etc/passwd file. Converting the system to trusted while running NIS+ creates the /tcb hierarchy and removes the hashed passwords from the /etc/passwd file. Remember: any time you convert the system to trusted or make trusted-system changes, do so from an open root session while you still have one.

By converting the system to trusted, we have protected the system users' hashed passwords from being readable by any user. This, however, does not protect the regular users' hashed passwords found in the NIS+ table; see Section 5.4.1: NIS+ and the password Table, for more details. Once the system is converted, all the features and functionality available with a trusted system are available to all users.

The rpc.nisd process keeps the NIS+ table information synchronized across the namespace. The information found in the /tcb hierarchy must also be synchronized across the namespace. This is accomplished with the ttsyncd process.

Figure 2-5a shows the trusted system information for a user named jsmith being modified: authorized login days and times were added. The timestamp on the user's trusted system file is 11:14. The information is replicated on the other server, where the copy carries a timestamp of 11:17. The ttsyncd daemon is responsible for keeping trusted system information synchronized across multiple systems.

The ttsyncd daemon is started by editing the /etc/rc.config.d/comsec file. There is no flag in this file to set the time interval for synchronization. The daemon should run and synchronize continuously, which requires the "-i0" option. Since no flag is currently available (November 2001) in the /etc/rc.config.d/comsec file to set the interval, you may need to edit the /sbin/init.d/comsec file to add the correct synchronization interval. Read the "man ttsyncd" page for more details. The ttsyncd daemon should be run on every NIS+ server; it does not run on NIS+ clients. The ttsyncd daemon keeps the UNIX passwords synchronized.

After converting a NIS+ system to trusted-mode, each user will be prompted to change their UNIX password at their next logon.
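The two conditions this section relies on after tsconvert are easy to audit: /etc/passwd should no longer carry any hashed password (only "*" or "x" in the second field, because the hashes now live under /tcb), and every NIS+ server should be running ttsyncd with the "-i0" option. The POSIX sh helper below is an added example, not code from the book or from HP-UX; it runs the two checks against constructed sample files (a "before" and "after" passwd and two fabricated ps listings) so it can be exercised offline, and the function names, sample contents and the ttsyncd path in the sample are assumptions for illustration.

```shell
#!/bin/sh
# Added audit helper (not from the book): verifies two things the section
# expects after converting an NIS+ system to trusted mode.
#   1. /etc/passwd no longer exposes hashed passwords (field 2 is "*" or "x").
#   2. ttsyncd runs with the "-i0" (continuous sync) option on an NIS+ server.
# Both checks take a file argument so they can be run on a saved copy of
# /etc/passwd or a saved "ps -ef" listing as well as on live data.

# exposed_hashes FILE
#   Prints the login name of every entry whose password field holds
#   something other than "*", "x" or empty, i.e. a hash that is readable by
#   anyone who can read the file. Returns 1 if any were found, 0 otherwise.
exposed_hashes() {
    awk -F: '
        /^#/ || NF < 2 { next }                       # skip comments, blanks
        $2 != "*" && $2 != "x" && $2 != "" { print $1; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# ttsyncd_continuous PS_LISTING_FILE
#   Returns 0 if the listing shows a ttsyncd process started with -i0
#   ("-i 0" is accepted too), 1 otherwise.
ttsyncd_continuous() {
    grep -E 'ttsyncd( [^ ]*)* -i ?0( |$)' "$1" >/dev/null 2>&1
}

# ---- Constructed sample data (hypothetical hosts, not real systems) ----
SAMPLE_DIR=${TMPDIR:-/tmp}/tsaudit.$$
mkdir -p "$SAMPLE_DIR"
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# passwd as it looks BEFORE tsconvert: root's hash sits in the readable file
cat > "$SAMPLE_DIR/passwd.before" <<'EOF'
root:Ab3dEfGh1jKlM:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
EOF

# passwd AFTER tsconvert: hashes moved under /tcb, only "*" remains
cat > "$SAMPLE_DIR/passwd.after" <<'EOF'
root:*:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
EOF

# Fabricated ps listings: one server runs ttsyncd with -i0, one without.
# The binary path shown is part of the constructed sample, not a documented path.
printf 'root 412 1 0 Jan 1 ? 0:00 /usr/lbin/ttsyncd -i0\n' > "$SAMPLE_DIR/ps.good"
printf 'root 412 1 0 Jan 1 ? 0:00 /usr/lbin/ttsyncd\n'     > "$SAMPLE_DIR/ps.bad"

# ---- Run the audit over the samples ----
for f in passwd.before passwd.after; do
    if exposed_hashes "$SAMPLE_DIR/$f" >/dev/null; then
        echo "$f: no hashed passwords exposed"
    else
        echo "$f: hashed password(s) exposed for: $(exposed_hashes "$SAMPLE_DIR/$f" | tr '\n' ' ')"
    fi
done
for p in ps.good ps.bad; do
    if ttsyncd_continuous "$SAMPLE_DIR/$p"; then
        echo "$p: ttsyncd running continuously (-i0)"
    else
        echo "$p: ttsyncd missing or not started with -i0"
    fi
done
```

On a live NIS+ server the same two functions would be pointed at /etc/passwd and at the output of `ps -ef` saved to a file; a non-zero result from either is the signal that tsconvert did not complete or that /sbin/init.d/comsec is starting ttsyncd without the interval option.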


Copyright 2007 NEWFDAWG.COM All rights reserved. Last modified: 02/03/07.