Services for UNIX
Services for UNIX Password Synchronization sends password updates over the network as either plaintext or encrypted text. The plaintext method should only be used when security is not a concern. The encrypted method uses Triple DES encryption, described later in the chapter.
If the plaintext option is chosen, rlogin is used to change the password on the UNIX computer. The Password Synchronization service uses a login with root privileges to access the passwd command and update a user's UNIX password. The .rhosts file must contain the necessary computer names, the full host names (not the alias) of the Windows NT computer, and root. The /etc/hosts file must contain the necessary host name to IP address mappings. If you are using a Sun Sparcstation, you must modify the /etc/default/login file and disable the console-only root login.
Note
NIS and NIS+ are not supported by rlogin. If your network uses NIS or NIS+, you must use the encrypted password synchronization scheme.
If the encrypted text option is chosen, the UNIX system administrator must copy the ssod program available on the Services for UNIX product CD onto the UNIX-based computer. The program must be installed as a daemon and must be configured to start when the computer is started. This daemon is responsible for opening a port and waiting for the password notification from the Windows NT–based computer. The system administrator must choose the encryption key and add it to the ssod.config file on the UNIX-based computer, as well as to the Windows NT-based computer using the Windows NT–to–UNIX Password Synchronization Service Administrator.
Services for UNIX includes versions of the binary files of ssod for Solaris, Digital UNIX, and HP-UX.
Each UNIX host in a pod must use the same encryption key. The encryption key must meet the following requirements:
This section provides some examples of UNIX files used by Services for UNIX Password Synchronization.
The file /etc/passwd contains user information. Each user entry contains seven colon-separated fields:
login-id:password:UID:GID:user_information:home-directory:shell
The login-id field contains the name the user enters at the login prompt. The password field can either contain the encrypted password or a special marker if the password is stored in /etc/shadow (which is only accessible to root users). The UID field contains the user's ID number. The GID field contains the ID number of the group of which the user is a member. The user_information field is used for additional information about the user which may be necessary. The home-directory field contains the absolute path for the user's home directory. The shell field indicates the program that runs when the user logs in. If desired, a specific shell can be indicated in this field (for example, /usr/bin/ksh for Korn shell or /usr/bin/sh for Bourne shell).
The file /etc/shadow contains information about the user's password and is only accessible by the superuser. It has nine colon-separated fields:
login-id:password:lastchg:min:max:warn:inactive:expire:flag
The login-id field is the name the user enters at the login prompt. The password field contains the encrypted password. The lastchg field contains the number of days from January 1, 1970 to the date of the last password change. The min field contains the minimum number of days required between password changes. The max field contains the maximum number of days that the password is valid. The warn field contains the number of days that the user receives a warning message about password expiration. The inactive field contains the number of days that a user is allowed to be inactive. The expire field contains the last day that the login can be used. The flag field is not currently used.
The file /etc/group contains group information. Each entry contains four colon-separated fields:
group-name:password:group-ID:list-of-names
The group-name field identifies the group. The password field can contain an optional, encrypted password. The group-ID field contains the numerical ID for the group. The list-of-names field contains the names (comma-separated) of all the members of the group.
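A parser for the three record formats just described, with a password-ageing check built from the /etc/shadow fields and an effective-membership lookup for /etc/group (a user belongs to a group either through list-of-names or through the GID field of the /etc/passwd entry). This is an added example, not code from Services for UNIX: the records are constructed, the hashes are placeholders, and treating a leading `*` or `!` in the password field as a locked account is this example's assumption, not something the chapter states.

```python
# Parsers for the /etc/passwd, /etc/shadow and /etc/group record formats described
# above, plus a password-ageing check driven by the /etc/shadow fields. Added example
# with constructed records; it is not part of Services for UNIX.
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterator, List, Optional

EPOCH = date(1970, 1, 1)   # lastchg and expire are day counts from this date

@dataclass
class PasswdEntry:
    login_id: str
    password: str       # hash, or a marker such as "x" when /etc/shadow holds it
    uid: int
    gid: int
    user_information: str
    home_directory: str
    shell: str

@dataclass
class ShadowEntry:
    login_id: str
    password: str
    lastchg: Optional[int]
    min: Optional[int]
    max: Optional[int]
    warn: Optional[int]
    inactive: Optional[int]
    expire: Optional[int]
    flag: str

@dataclass
class GroupEntry:
    group_name: str
    password: str
    group_id: int
    members: List[str]  # list-of-names, split on commas

def _records(text: str, n: int) -> Iterator[List[str]]:
    """Yield the fields of each non-blank colon-separated record, insisting on n fields."""
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            if len(fields) != n:
                raise ValueError(f"expected {n} fields, got {len(fields)}: {line!r}")
            yield fields

def _opt_int(field: str) -> Optional[int]:
    return int(field) if field.strip() else None   # empty ageing field means 'not set'

def parse_passwd(text: str) -> List[PasswdEntry]:
    return [PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]) for f in _records(text, 7)]

def parse_shadow(text: str) -> List[ShadowEntry]:
    return [ShadowEntry(f[0], f[1], *(_opt_int(x) for x in f[2:8]), f[8]) for f in _records(text, 9)]

def parse_group(text: str) -> List[GroupEntry]:
    return [GroupEntry(f[0], f[1], int(f[2]), [m for m in f[3].split(",") if m]) for f in _records(text, 4)]

def password_status(s: ShadowEntry, today: date) -> str:
    """Classify an account using the field meanings given above."""
    today_days = (today - EPOCH).days
    if s.password.startswith(("*", "!")):
        return "locked"                  # locked-hash marker (a common convention, assumed here)
    if s.expire is not None and today_days > s.expire:
        return "account_expired"         # past the last day the login can be used
    if s.lastchg is None:
        return "no_change_date"
    if s.max is not None:
        expiry_day = s.lastchg + s.max   # password valid for max days after the last change
        if today_days > expiry_day:
            if s.inactive is not None and today_days > expiry_day + s.inactive:
                return "locked_inactive"  # inactivity allowance used up as well
            return "password_expired"
        if s.warn is not None and today_days >= expiry_day - s.warn:
            return "expiring_soon"       # inside the warn window before expiry
    return "ok"

def effective_members(group: GroupEntry, users: List[PasswdEntry]) -> List[str]:
    """Names in list-of-names plus users whose primary GID is this group."""
    return sorted(set(group.members) | {u.login_id for u in users if u.gid == group.group_id})

# Constructed sample records; the hashes are placeholders, not real.
PASSWD_SAMPLE = """root:x:0:0:Super-User:/:/usr/bin/sh
alice:x:1001:100:Alice Example:/home/alice:/usr/bin/ksh
bob:x:1002:100:Bob Example:/home/bob:/usr/bin/sh
carol:x:1003:200:Carol Example:/home/carol:/usr/bin/sh
"""
SHADOW_SAMPLE = """root:*LK*:10000::::::
alice:$1$xx$placeholderhash:11000:7:90:14:::
bob:$1$xx$placeholderhash:10800:0:30:7:10::
carol:$1$xx$placeholderhash:10900:0:60:14::11010:
"""
GROUP_SAMPLE = """staff:x:100:
wheel:x:10:root,alice
dev:x:200:
"""

def report(today: date) -> Dict[str, str]:
    """Map each login-id in the shadow sample to its ageing status."""
    return {s.login_id: password_status(s, today) for s in parse_shadow(SHADOW_SAMPLE)}
```

Run `report(date(2000, 3, 1))` on the sample: alice is within her 90-day window, bob's password expired and the 10-day inactive allowance has also run out, carol's login is past its expire day, and root's `*LK*` marker is reported as locked. The audit date is passed in rather than taken from the clock so the same records give the same answer every time.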
The file /etc/hosts lists all the hosts, including the local host, that share the network. It is used to map between host names and IP addresses. Each line in the file, which describes a single host, consists of three fields separated by spaces:
IP-address host-name alias
The file /etc/hosts.equiv lists the hosts and users that can invoke remote commands on a local host without supplying a password (a trust relationship). The .rhosts file lists remote users who can use a local user account on a network without supplying a password. The file .rhosts is a hidden file that is located in a user's home directory and must be owned by the user. Both /etc/hosts.equiv and .rhosts have the same format:
host-name user-name
Both files support the use of a plus sign (+) as a wildcard. A plus sign in the user-name position grants trust to every user on the named host; a plus sign in the host-name position grants trust to the named user from every host on which that user has an account. Trust can be granted to every user on every host in the network by placing a plus sign at the beginning of the file. This option should be used cautiously. Hosts or users whose names are omitted from the file are denied trust.
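An auditor for the two trust-file formats, cross-checked against /etc/hosts. It reports wildcard entries, entries that name a host by its alias rather than the full host name (the plaintext method above requires the full name), entries for hosts with no /etc/hosts mapping, and the root entry that the plaintext method requires, so each can be reviewed; it also evaluates the default-deny matching rule ("omitted names are denied trust"). This is an added example with constructed files, not code from Services for UNIX; the finding texts, the `TrustEntry`/`HostEntry` names and the reading of a bare `+` line as trusting every user on every host follow this chapter's description rather than any particular rlogin implementation.

```python
# Audit of .rhosts / hosts.equiv trust entries against /etc/hosts, using the record
# formats described above. Added example with constructed files; the finding texts
# and the matching rules are this example's own reading of the chapter.
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

@dataclass
class TrustEntry:
    lineno: int
    host: str            # host-name, or "+" for any host
    user: Optional[str]  # user-name, "+" for any user, or None (same user name only)

@dataclass
class HostEntry:
    ip: str
    host_name: str       # the full host name
    aliases: List[str]

def _meaningful_lines(text: str) -> Iterator[Tuple[int, List[str]]]:
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # ignore comments and blank lines
        if line:
            yield lineno, line.split()

def parse_trust_file(text: str) -> List[TrustEntry]:
    """Parse 'host-name [user-name]' lines from .rhosts or /etc/hosts.equiv."""
    return [TrustEntry(n, p[0], p[1] if len(p) > 1 else None) for n, p in _meaningful_lines(text)]

def parse_hosts_file(text: str) -> List[HostEntry]:
    """Parse 'IP-address host-name alias...' lines from /etc/hosts."""
    return [HostEntry(p[0], p[1], p[2:]) for _, p in _meaningful_lines(text)]

def grants_access(entries: List[TrustEntry], remote_host: str, remote_user: str, local_user: str) -> bool:
    """Default deny: access without a password needs a matching entry."""
    for e in entries:
        if e.host == "+" and e.user is None:
            return True   # bare '+': every user on every host, as the chapter describes
        host_ok = e.host == "+" or e.host.lower() == remote_host.lower()
        if e.user is None:
            user_ok = remote_user == local_user   # same user name on both sides
        else:
            user_ok = e.user == "+" or e.user == remote_user
        if host_ok and user_ok:
            return True
    return False

def audit_trust(entries: List[TrustEntry], hosts: List[HostEntry]) -> List[Tuple[int, str]]:
    """Flag wildcard trust, root trust and hosts that /etc/hosts cannot vouch for."""
    full_names = {h.host_name.lower() for h in hosts}
    aliases = {a.lower(): h.host_name for h in hosts for a in h.aliases}
    findings = []
    for e in entries:
        if e.host == "+" and e.user is None:
            findings.append((e.lineno, "bare '+': every user on every host is trusted"))
            continue
        if e.host == "+":
            findings.append((e.lineno, f"'+' host: {e.user} is trusted from any host"))
        elif e.host.lower() in aliases:
            findings.append((e.lineno, f"{e.host} is an alias of {aliases[e.host.lower()]}; use the full host name"))
        elif e.host.lower() not in full_names:
            findings.append((e.lineno, f"{e.host} has no /etc/hosts entry"))
        if e.user == "+":
            findings.append((e.lineno, f"'+' user: every user on {e.host} is trusted"))
        elif e.user == "root":
            findings.append((e.lineno, f"root is trusted from {e.host}"))
    return findings

# Constructed sample files (192.0.2.0/24 is the documentation address range).
HOSTS_SAMPLE = """127.0.0.1 localhost
192.0.2.10 ntsrv01.example.com ntsrv01
192.0.2.20 buildbox.example.com buildbox
"""
RHOSTS_SAMPLE = """# constructed .rhosts for the local root account
ntsrv01.example.com root
ntsrv01 root
+ alice
buildbox.example.com +
"""

def sample_findings() -> List[Tuple[int, str]]:
    return audit_trust(parse_trust_file(RHOSTS_SAMPLE), parse_hosts_file(HOSTS_SAMPLE))

if __name__ == "__main__":
    for lineno, reason in sample_findings():
        print(f".rhosts:{lineno}: {reason}")
```

On the sample, line 2 is the one entry the plaintext method needs and is reported only so the reviewer sees it; line 3 repeats it by alias, which the chapter says is not acceptable; lines 4 and 5 carry the wildcards. Matching is case-insensitive on host names and denies anything no entry covers.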
Triple DES, used for encryption by Services for UNIX Password Synchronization, is a variation on the Data Encryption Standard (DES). DES is an encryption method in which the sender and the receiver use the same secret key to encrypt and decrypt data. DES uses a 56-bit key. Triple DES encrypts data three times using the DES encryption algorithm. Three variations on this triple encryption are possible: