AIX and Linux Interoperability - IBM Redbooks

More documents

Recommendations

Info

1.1 User security mechanisms 1.1.1 AIX security 2 AIX and Linux Interoperabilty Traditional UNIX security depends on a single map file known as /etc/passwd. Probably just about any UNIX administration basics class begins with the description of this file, so we skip a detailed explanation. Historically, security mechanisms were developed in a race between system designers and programmers on the one side and “crackers” on the other. In the beginning, our passwords were present in /etc/passwd in a special form called password hash. A password hash is a function that does not have an inverse function and, for all practical purposes, it is impossible to reverse its result. Hence, it was deemed safe to keep password hashes in a world readable file. In time, the computers were becoming faster and mischievous users more skilled. Password hashes had to be moved out from /etc/passwd. The new way of storing passwords is usually called password shadowing, because the now defunct password field in /etc/passwd is shadowed by a more or less elaborate scheme for password storage. Both AIX and Linux have password shadowing and, by default, rely on /etc/passwd for identification. Other than that, their native identification and authentication mechanisms are rather different. Linux supports Name Service Switch (NSS) modules that enable other identification methods and PAM as an authentication mechanism. AIX has its own loadable authentication modules, which support both identification and authentication methods. The /etc/security/passwd file is the AIX version of the password shadow. The /etc/security/user file contains user attributes that supplement the traditional set in /etc/passwd. Every user has a stanza that defines additional attributes. To keep the file changes and the size minimal, only the attributes differing from the default stanza are listed. AIX loadable authentication modules framework The AIX loadable authentication modules framework has a well defined API with two sets of function calls: One for identification and the other for authentication. A module designer may choose to implement either one of these. For example, Kerberos is only an authentication method. Therefore, the AIX Kerberos module implements just the authentication functions. System managers may combine modules in an effective manner to bring together various authentication and identification methods.
Loadable authentication modules are configured in /usr/lib/security/methods.cfg. For example, the following stanzas describe one identification and authentication method: LDAP: program = /usr/lib/security/LDAP KRB5: program = /usr/lib/security/KRB5 options = authonly KERBEROS: options = auth=KRB5,db=LDAP The KERBEROS method specifies that the user and group information is available through LDAP and the authentication mechanism is Kerberos. Use the BUILTIN reserved keyword for the db option to refer to /etc/passwd and the /etc/security files. The SYSTEM attribute in /etc/security/user specifies which way the user is authenticated by referencing stanzas from /usr/lib/security/methods.cfg. This implies that authentication can be controlled on a per user basis, which is a rather rare feature. To set the authentication on the host level, you should just change the SYSTEM attribute of the default stanza. Furthermore, it is possible to make quite complex authentication configurations using the SYSTEM grammar: joe: SYSTEM = ”LDAP or LDAP[unavail] and compat” This example says that joe should be authenticated using the LDAP authentication method, but in case the LDAP service is not available, he can authenticate against the local files just as well. A complete description of the SYSTEM grammar is in the /etc/security/user file reference. Another related attribute in /etc/security/user is registry, which specifies where the user’s information is administered. Thus, a complete stanza for user joe in /etc/security/user may look like this: joe: SYSTEM = KERBEROS registry = KERBEROS Note that the user administration chuser, mkuser, and rmuser commands may not be well suited to some user registries, depending on the site’s security policy. This is because these commands assume superuser privileges that may not be appropriate if users are administered on a site level. Chapter 1. Identification and authentication 3
Page 1: AIX and Linux Interoperability Effe
Page 4 and 5: Note: Before using this information
Page 6 and 7: 2.6.2 AIX LDAP client setup. . . .
Page 8 and 9: vi AIX and Linux Interoperability 7
Page 10 and 11: viii AIX and Linux Interoperability
Page 12 and 13: 10-12 Webmin welcome Page for Linux
Page 14 and 15: Trademarks The following terms are
Page 16 and 17: Abhijit Chavan is a Systems Enginee
Page 18 and 19: xvi AIX and Linux Interoperability
Page 22 and 23: 1.1.2 Linux security Linux keeps sh
Page 24 and 25: 1.2.2 PAM keywords 6 AIX and Linux
Page 26 and 27: 8 AIX and Linux Interoperabilty Her
Page 28 and 29: It is also possible to install new
Page 30 and 31: Configuring a PAM module The PAM LD
Page 32 and 33: 14 AIX and Linux Interoperabilty
Page 34 and 35: 2.1 Lightweight Directory Access Pr
Page 36 and 37: platforms and supported by many LDA
Page 38 and 39: 2.3 LDAP servers the AIX LDAP authe
Page 40 and 41: 2.3.1 IBM Directory Server IBM Dire
Page 42 and 43: Example 2-4 IBM Directory Server in
Page 44 and 45: Choosing the suffix All DNs adminis
Page 46 and 47: krb5-devel-1.2.5-6.i386.rpm openlda
Page 48 and 49: 30 AIX and Linux Interoperabilty ad
Page 50 and 51: Figure 2-4 Creating the key databas
Page 52 and 53: 2.5 LDAP authentication clients 34
Page 54 and 55: Figure 2-6 Linux security subsystem
Page 56 and 57: Example 2-8 Alternative LDAP identi
Page 58 and 59: If you enter '.', the field will be
Page 60 and 61: Example 2-10 OpenLDAP /etc/openldap
Page 62 and 63: objectClass: posixAccount objectCla
Page 64 and 65: Though authconfig does a good job,
Page 66 and 67: ut values may be only host names or
Page 68 and 69: 50 AIX and Linux Interoperabilty si
Page 70 and 71:
standard authentication methods to
Page 72 and 73:
The kinit program obtains the TGT.
Page 74 and 75:
weeorg.com = WEEORG.COM The krb5.co
Page 76 and 77:
the kadmind administration server i
Page 78 and 79:
For example, ordinary users have ju
Page 80 and 81:
minclasses Minimum number of charac
Page 82 and 83:
server and loaded into the target d
Page 84 and 85:
There exists, however, an LDAP back
Page 86 and 87:
68 AIX and Linux Interoperabilty Ve
Page 88 and 89:
ACL restrictions. Enter password fo
Page 90 and 91:
Note that version numbers may chang
Page 92 and 93:
Example 3-7 The DNS zone with suppo
Page 94 and 95:
principals that are running on a pa
Page 96 and 97:
You should find other Kerberos serv
Page 98 and 99:
The -A option will instruct the scr
Page 100 and 101:
3.9 Security considerations Kerbero
Page 102 and 103:
On AIX 5L Version 5.2, the EIM APIs
Page 104 and 105:
4.1 Protocols Protocols define how
Page 106 and 107:
Configuring the master name server
Page 108 and 109:
90 AIX and Linux Interoperabilty c.
Page 110 and 111:
92 AIX and Linux Interoperabilty d.
Page 112 and 113:
Address: 192.168.5.10 94 AIX and Li
Page 114 and 115:
96 AIX and Linux Interoperabilty }
Page 116 and 117:
Route Tree for Protocol Family 2 (I
Page 118 and 119:
100 AIX and Linux Interoperabilty I
Page 120 and 121:
4.2 Data transfers 4.2.1 rsync On t
Page 122 and 123:
For more information on the rsync.c
Page 124 and 125:
Running the rdist command In AIX, g
Page 126 and 127:
The IBM Tivoli Netview supports AIX
Page 128 and 129:
If you want to install and compile
Page 130 and 131:
4.3.4 UNIX network performance mana
Page 132 and 133:
- Mail aliases file - Mail queue -
Page 134 and 135:
5.1.2 Configuration file: sendmail.
Page 136 and 137:
This creates a dbm version of the a
Page 138 and 139:
The MASQUERADE_AS macro removes all
Page 140 and 141:
macro files, which are generally in
Page 142 and 143:
6.1 Installing Samba on AIX You can
Page 144 and 145:
126 AIX and Linux Interoperabilty C
Page 146 and 147:
Figure 6-3 Creating homes share thr
Page 148 and 149:
Figure 6-5 Configuring print shares
Page 150 and 151:
Example 6-2 Verifying the shares av
Page 152 and 153:
# server and service. # For example
Page 154 and 155:
136 AIX and Linux Interoperabilty W
Page 156 and 157:
[homes] 138 AIX and Linux Interoper
Page 158 and 159:
140 AIX and Linux Interoperabilty T
Page 160 and 161:
142 AIX and Linux Interoperabilty
Page 162 and 163:
7.1 What NFS is NFS was designed by
Page 164 and 165:
Example 7-3 Installing NFS server f
Page 166 and 167:
Example 7-5 NFS options from SMIT 1
Page 168 and 169:
Use SECURE option? no + Public file
Page 170 and 171:
This means that /usr/home from aix_
Page 172 and 173:
► lockd ► statd The first servi
Page 174 and 175:
3. To verify the mounted directory,
Page 176 and 177:
On Linux, automount is started by r
Page 178 and 179:
7.6.4 NFS locking An RPC program ha
Page 180 and 181:
Page 182 and 183:
8.1 Journaled File System (JFS) The
Page 184 and 185:
Reboot the system. Now we have JFS
Page 186 and 187:
dev/fd0 /mnt/floppy auto noauto,own
Page 188 and 189:
which will be available in future r
Page 190 and 191:
udfcheck. The command names are sel
Page 192 and 193:
Where /dev/cd0 is the DVD-RAM drive
Page 194 and 195:
Since the export rules allow the wr
Page 196 and 197:
Another popular archiver is cpio. I
Page 198 and 199:
9.1 IPSec In this topic, we are goi
Page 200 and 201:
9.1.2 Tunnels and key management To
Page 202 and 203:
9.1.3 Installing IPSec on Linux The
Page 204 and 205:
In Figure 9-2, we suggest a test sc
Page 206 and 207:
9.1.4 Installing IPSec on AIX The I
Page 208 and 209:
6. Click OK. The Password Prompt wi
Page 210 and 211:
Expand the Network icon, on the lef
Page 212 and 213:
configuration to the corresponding
Page 214 and 215:
We can also check the logs files. I
Page 216 and 217:
9.2 Security tools 9.2.1 OpenSSL In
Page 218 and 219:
openssl ###########################
Page 220 and 221:
# so this is commented out by defau
Page 222 and 223:
# This goes against PKIX guidelines
Page 224 and 225:
Using OpenSSL Now we will cover som
Page 226 and 227:
To encrypt a file using a symmetric
Page 228 and 229:
In Example 9-17, we generate a set
Page 230 and 231:
In Example 9-21 we compute the publ
Page 232 and 233:
Example 9-24 Generating a RSA publi
Page 234 and 235:
organizationalUnitName = Internatio
Page 236 and 237:
Verifying password - Enter PEM pass
Page 238 and 239:
ea:c2:f7:e0:67:50:34:5d:ab:a9:89:83
Page 240 and 241:
9.2.2 OpenSSH 9.2.3 tcp_wrapper To
Page 242 and 243:
Page 244 and 245:
10.1 Web-based System Manager Web-b
Page 246 and 247:
If Web-based System Manager is not
Page 248 and 249:
Figure 10-2 Web-based System Manage
Page 250 and 251:
To install Web-based System Manager
Page 252 and 253:
Figure 10-5 Installation of Web-bas
Page 254 and 255:
We have a network that consists of
Page 256 and 257:
238 AIX and Linux Interoperability
Page 258 and 259:
10.On the Linux command line, run t
Page 260 and 261:
10.3 Webmin To view the CA certific
Page 262 and 263:
Config file directory [/etc/webmin]
Page 264 and 265:
Figure 10-11 Webmin welcome page fo
Page 266 and 267:
administer. An example Web page of
Page 268 and 269:
Figure 10-15 Servers category Other
Page 270 and 271:
252 AIX and Linux Interoperability
Page 272 and 273:
11.1 Printing from Linux to a print
Page 274 and 275:
Example 11-2 Adding a queue for pri
Page 276 and 277:
Example 11-5 Adding print access fo
Page 278 and 279:
11.2 Printing from AIX to a printer
Page 280 and 281:
4. Figure 11-4 shows that Red Hat a
Page 282 and 283:
Figure 11-7 A properly configured p
Page 284 and 285:
To configure a remote printer using
Page 286 and 287:
Example 11-10 Selecting the remote
Page 288 and 289:
2. Configure the IBM Directory to s
Page 290 and 291:
12.1 Linux on a logical partition (
Page 292 and 293:
Figure 12-2 Workload Management thr
Page 294 and 295:
Other related information and links
Page 296 and 297:
System applications Samba client, G
Page 298 and 299:
► Linux Applications on pSeries,
Page 300 and 301:
NS Name Server NSS Name Service Swi
Page 302 and 303:
284 AIX and Linux Interoperabilty A
Page 304 and 305:
Page 306 and 307:
Page 308 and 309:
► rsync Web site 290 AIX and Linu
Page 310 and 311:
Page 312 and 313:
allow-query 88 allow-transfer 88 Ap
Page 314 and 315:
LDAP directory schema 66 logging 56
Page 316 and 317:
AIX PAM module 9 applications on AI
Page 318 and 319:
udfcreate 171, 174 udflabel 171, 17
Page 322:
AIX and Linux Interoperability Effe
show all

AIX and Linux Interoperability - IBM Redbooks

Create successful ePaper yourself

Delete template?

Save as template?