Chapter 27. Managing Security; Tasks Used To Manage Nfs And Nis Security; Starting The Keyserv Daemon - IBM TotalStorage NAS Gateway 500 Administrator's Manual

Chapter 27. Managing security

In addition to the standard UNIX authentication system, the NAS Gateway 500
support for NFS includes an authentication system that can be used by other UNIX
and non-UNIX systems. The system uses Data Encryption Standard (DES)
encryption and public key cryptography to authenticate both users and machines in
the network.

NFS uses the DES algorithm for different purposes. NFS uses DES to encrypt a
time stamp in the Remote Procedure Call (RPC) messages sent between NFS
servers and clients. This encrypted time stamp authenticates machines just as the
token authenticates the sender.

Because NFS can authenticate every RPC message exchanged between NFS
clients and servers, it provides an additional, optional level of security for each
file system. By default, file systems are exported with the standard UNIX
authentication. To take advantage of this additional level of security, specify the
secure option when you export a file system.
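
To see which file systems are still exported with standard UNIX authentication, the exports file can be checked for entries that lack the secure option. The script below is an added example, not part of the IBM manual; the exports file layout it parses, the function names, and the sample entries are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: find exports that do not carry the "secure" option.
# Assumed layout: "directory -opt1,opt2=value,...", "#" starts a comment,
# and a trailing backslash continues the entry on the next line.

# Print "<directory> secure" or "<directory> unix" for every export entry.
classify_exports() {
    awk '
    {
        sub(/#.*/, "")                    # drop comments
        if (sub(/\\[ \t]*$/, "")) {       # trailing backslash: keep reading
            pending = pending $0 " "
            next
        }
        $0 = pending $0                   # re-split the joined entry
        pending = ""
        if (NF == 0) next
        mode = "unix"                     # default: standard UNIX authentication
        for (i = 2; i <= NF; i++) {
            n = split($i, opt, ",")
            for (j = 1; j <= n; j++) {
                sub(/^-/, "", opt[j])
                # Exact match only, so access=secure (a host name) is not counted.
                if (opt[j] == "secure") mode = "secure"
            }
        }
        print $1, mode
    }' "$1"
}

# Print only the directories still exported with standard UNIX authentication.
unix_auth_exports() {
    classify_exports "$1" | awk '$2 == "unix" { print $1 }'
}

# Write constructed sample entries to the file named in $1.
write_sample_exports() {
    cat > "$1" <<'EOF'
# Constructed sample entries, for illustration only
/export/home    -secure,rw,access=client1:client2
/export/public  -ro,access=secure
/export/build   -rw,\
                root=buildhost,secure
/export/scratch
EOF
}

sample="${TMPDIR:-/tmp}/exports.sample.$$"
write_sample_exports "$sample" && unix_auth_exports "$sample"
rm -f "$sample"
```

Run against the sample, the script lists /export/public and /export/scratch as the entries that still rely on standard UNIX authentication.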

Tasks used to manage NFS and NIS security

The smit nfs_security menu displays all of the options that can be selected for
secure network service management. Use the following tasks to manage security:
- "Starting the keyserv daemon"
- "Stopping the keyserv daemon"
- "Adding or changing a user's key"
- "Decrypting and storing a secret key"
- "Deleting a stored secret key"
- "Changing encryption key"

Starting the keyserv daemon

The keyserv daemon stores the private encryption keys of each user logged into
the system. When a user enters a password during a keylogin, the secret key is
decrypted. The decrypted key is then stored by the keyserv daemon. These
decrypted keys enable the user to access secure network services such as secure
Network File System (NFS). The secure network services daemon, keyserv, can be
enabled and disabled by using the CLI, SMIT, or WebSM interface.

CLI command
To start the keyserv daemon as a service, use the System Resource Controller
command startsrc -s keyserv.
To start the keyserv daemon from the command line, execute the mkkeyserv
command.

SMIT fastpath
This action can be performed using the SMIT fastpath smit mkkeyserv.

WebSM
To enable secure network services using WebSM, navigate to NAS
Management→NAS System→File Serving→Network File System. From the Menu
Bar, right-click Network File Systems, select Configure Secure NFS, and select
Start Key Service.

© Copyright IBM Corp. 2004