Keylogin

When a principal logs in, the login process prompts for a password. That password is used to pass the user through the login security gate and give the user access to the network. The login process also decrypts the user's private key stored in the user's home domain cred table and passes that private key to the keyserver. The keyserver then uses that decrypted private key to authenticate the user each time the user accesses an NIS+ object.

Normally, this is the only time the principal is asked to provide a password. However, if the principal's private key in the cred table was encrypted with a password that was different from the user's login password, login cannot decrypt it using the login password at login time, and thus cannot provide a decrypted private key to the keyserver. (This most often occurs when a user's private key in the cred table was encrypted with a Secure RPC password different from the user's login password.)

To temporarily remedy this problem, the principal must perform a keylogin, using the keylogin command, after every login. (The -r flag is used to keylogin the superuser principal and to store the superuser's key in /etc/.rootkey on a host.)

For a principal user

keylogin

For a principal machine (only once)

keylogin -r

Note, however, that performing an explicit keylogin with the original password provides only a temporary solution good for the current login session only. The private key in the cred table is still encrypted with a password different than the user's login password so the next time the user logs in the problem will reoccur. To permanently solve this problem, the user must run chkey to change the password used to encrypt the private key to the user's login password (see "Changing Keys for a NIS+ Principal" on page 100).

Changing Keys for a NIS+ Principal

The chkey command changes an NIS+ principal's public and private keys that are stored in the cred table. It does not affect the principal's entry either in the passwd table or in the /etc/passwd file.

The chkey command:

• Generates new keys and encrypts the private key with the password. If run with the -p option, chkey re-encrypts the existing private key with a new password.

• Generates a new Diffie-Hellman key pair and encrypts the private key with the password you provide. However, in most cases you do not want a new keypair, you want to re-encrypt your current existing private key with the new password. To do this, you must use the -p flag: chkey -p.

See the man pages for more information on these subjects.

---

Note - In a NIS+ environment, when you change your login password with any of the current administration tools or the passwd (or nispasswd) commands, your private key in the cred table is automatically re-encrypted with the new password for you. Thus, you do not need to explicitly run chkey after a change of login password.

---

The chkey command interacts with the keyserver, the cred table, and the passwd table. In order to run chkey, you:

• Must have an entry in the passwd table of your home domain. Failure to meet this requirement will result in an error message.
• Must run keylogin to make sure that the keyserver has a decrypted private key for you.
• Must have modify rights to the cred table. If you do not have modify rights you will get a "permission denied" type of error message.
• Must know the original password with which the private key in the cred table was encrypted. (In most cases, this your Secure RPC password.)

To use the chkey command to re-encrypt your private key with your login password, you first run keylogin using the original password, and then use chkey -p as shown in Table 6-1 on page 102 which illustrates how to perform a keylogin and chkey for a principal user:

Table 6-1

Tasks	Commands
Log in. Provide login password.	Sirius% login Login-name Password:
If login password and Secure RPC password are different, perform a keylogin.	Sirius% keylogin
Provide the original password that was used to encrypt the private key.	Password: Secure RPC password
Run chkey.	Sirius% chkey -p Updating nisplus publickey database Updating new key for 'unix.1199@Wiz.Com'.
Enter login password. Re-enter login. password	Enter login password: login-password Retype password: Done

Changing the Keys

The following sections describe how to change the keys of an NIS+ principal.

Changing Root Keys From Root

Table 6-2 on page 103 shows how to change the keys for the root master server from the root master (as root):

Table 6-2

Tasks	Commands
Create new DES credentials	rootmaster# nisaddcred des
Find the Process ID of rpc.nisd Kill the NIS+ daemon	rootmaster# ps -e | grep rpc.nisd rootmaster# kill pid
Restart NIS+ daemon with no security	rootmaster# rpc.nisd -S0
Perform a keylogout (previous keylogin is no out of date).	rootmaster# keylogout -f
Update the keys in the directories served by the master	rootmaster# nisupdkeys dirs
Find the Process ID of rpc.nisd Kill the NIS+ daemon	rootmaster# ps -e | grep rpc.nisd rootmaster# kill pid
Restart NIS+ daemon with default security	rootmaster# rpc.nisd
Perform a keylogin	rootmaster# keylogin

Where:

• pid is the process ID number reported by the ps -e | grep rpc.nisd command.
• dirs are the directory objects you wish to update. (That is, the directory objects that are served by rootmaster.)

In the first step of the process outlined in Table 6-2, nisaddcred updates the cred table for the root master, updates /etc.rootkey and performs a keylogin for the root master. At this point the directory objects served by the master have not been updated and their credential information is now out of synch with the root master. The subsequent steps described in Table 6-2 are necessary to successfully update all the objects.

Changing Root Keys From Another Machine

To change the keys for the root master server from some other machine you must have the required NIS+ credentials and authorization to do so.

Table 6-3

Tasks	Commands
Create the new DES credentials. Update the directory objects. Update /etc.roootkey. Reinitialize othermachine as client	othermachine% nisaddcred -p principal -P nisprincipal des othermachine% nisupdkeys dirs othermachine% keylogin -r othermachine% nisinit -cH

Where:

• principal is the root machine's Secure RPC netname. For example: unix.rootmaster@wiz.com (no dot at the end).
• nis_principal is the root machine's NIS+ principal name. For example, rootmaster.wiz.com. (a dot at the end).
• dirs are the directory objects you wish to update (hat is, the directory objects that are served by rootmaster).

When running nisupdkeys be sure to update all relevant directory objects at the same time. In other words, do them all with one command. Separate updates may result in an authentication error.

Changing the Keys of a Root Replica from the Replica

To change the keys of a root replica from the replica, use these commands:

Table 6-4 Changing Keys of a Root Replica

replica# nisaddcred des replica# nisupdkeys dirs

Where:

• dirs are the directory objects you wish to update, (that is, the directory objects that are served by replica).

When running nisupdkeys be sure to update all relevant directory objects at the same time. In other words, do them all with one command. Separate updates may result in an authentication error.

Changing the Keys of a Nonroot Server

To change the keys of a nonroot server (master or replica) from the server, use these commands:

Table 6-5 Changing Keys of a Root Replica

subreplica# nisaddcred des subreplica# nisupdkeys parentdir dirs

Where:

• parentdir is the non-root server's parent directory (that is, the directory containing subreplica's NIS+ server).
• dirs are the directory objects you wish to update (that is, the directory objects that are served by subreplica).

When running nisupdkeys be sure to update all relevant directory objects at the same time. In other words, do them all with one command. Separate updates may result in an authentication error.

Updating Public Keys

The public keys of NIS+ servers are stored in several locations throughout the namespace. When new credential information is created for the server, a new key pair is generated and stored in the cred table. However, namespace directory objects still have copies of the server's old public key. The nisupdkeys command is used to update those directory object copies.

The nisupdkeys Command

If a new keypair is generated because the old key pair has been compromised or the password used to encrypt the private key is forgotten, the nisupdkeys can be used to update the old public key in the directory objects.

The nisupdkeys command can:

• Update the key of one particular server
• Update the keys of all the servers that support a NIS+ directory object
• Remove a server's public key from the directory object
• Update a server's IP address, if that has changed

However, nisupdkeys cannot update the NIS_COLD_START files on the principal workstations. To update their copies of a server's keys, NIS+ clients should run the nisclient command. Or, if the NIS+ cache manager is running and more than one server is available in the coldstart file, the principals can wait until the time-to-live expires on the directory object. When that happens, the cache manager automatically updates the cold-start file. The default time-to-live is 12 hours.

To use the nisupdkeys command, you must have modify rights to the NIS+ directory object.

Updating Public Keys Arguments and Examples

The nisupdkeys command is located in /usr/lib/nis. The nisupdkeys command uses the following arguments (for a complete description of the nisupdkeys command and a full list of all its arguments, see the nisupdkeys man page):

Table 6-6 nisupdkeys

Argument	Effect
(no argument)	Updates all keys of servers for current domain
directoryname	Updates the keys of the directory object for the named directory.
-H servername	Updates the keys of the named server for the current domain directory object. A fully qualified host name can be used to update the keys of servers in other domains.
-s -H servername	Updates the keys of all the directory objects served by the named server.
-C	Clears the keys.

Table 6-7 on page 107 gives an example of updating a public key:

Table 6-7

Tasks	Commands
Update all keys of all servers of the current domain (Wiz.Com).	rootmaster# /usr/lib/nis/nisupdkeys Fetch Public key for server rootmaster.Wiz.Com.
Update keys of all servers supporting the Sales.Wiz.Com domain directory object.	netname='unix.rootmaster@Wiz.Com' Updating rootmaster.Wiz.Com.'s public key. Public key: public-key salesmaster# nisupdkeys Sales.Wiz.Com (Screen notices not shown)
Update keys for a server named server7 in all the directories that store them.	rootmaster# nisupdkeys -H server7
Clear the keys stored by the Sales.Wiz.Com directory object.	rootmaster# nisupdkeys -C Sales.Wiz.Com
Clear the keys for the current domain directory object for the server named server7.	rootmaster# nisupdkeys -C -H server7

Updating IP Addresses

If you change a server's IP address, or add additional addresses (multihome), you need to run nisupdkeys to update NIS+ address information.

To update the IP addresses of one or more servers, use the nisupdkeys command -a option.

To update the IP addresses of servers of a given domain

rootmaster# nisupdkeys -a domain

To update the IP address of a particular server

rootmaster# nisupdkeys -a -H server