Manualshelf

Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP HP-UX Auditing System Extensions
71727374757677787980
sis(5), kinit(1), klist(1), kdestroy(1M), krbval(1M), k5dcelogin(1M), inetsvcs_sec(1M),
and inetsvcs(4).
When you run SIS commands, the security is enhanced because you no longer have to
transmit a password in readable form over the network.
NOTE: The SIS libraries do not encrypt the session beyond what is necessary to
authorize you or to authenticate the service. Therefore, these services do not provide
integrity checking or encryption services on the data or on remote services. To encrypt
the data, use OpenSSL. For more information, see the OpenSSL Release Notes:
www.hp.com/go/hpux-security-docs
Click HP-UX OpenSSL Software.
When two systems are operating in a Kerberos V5-based secure environment, Secure
Internet Services ensures that a local and remote host are identified to each other in a
secure and trusted manner and that the user is authorized to access the remote account.
For ftp/ftpd, rlogin/rlogind, and telnet/telnetd, the Kerberos V5
authentication mechanism sends encrypted tickets instead of a password over the network
to verify and to identify the user. For rcp/remshd and remsh/remshd, the secure
versions of these services ensure that the user is authorized to access the remote account.
4.5 Controlling an Administrative Domain
All network administration programs should be owned by a protected, network-specific
account, such as uucp, nso, or by a daemon, instead of by root.
An administrative domain is a group of systems connected by network services that allow
users to access one another without password verification. An administrative domain
assumes that system users have already been verified by their host system. Use the
following steps to identify and control an administrative domain:
1. List the nodes to which you export file systems in /etc/exports. The /etc/
exports file contains entries of a file system path name and a list of systems or
groups of systems that are allowed access to the file system. The /etc/exports
entries might contain names of groups of systems. You can find out what individual
systems are included in a group by checking /etc/netgroup.
2. List the nodes that have equivalent password databases in /etc/hosts.equiv.
3. Verify that each node in the administrative domain does not extend privileges to
any nodes that are not included. Repeat steps 2 and 3 for each node in the domain.
4. Control root and local security on every node in the administrative domain. A user
with superuser privileges on any machine in the domain can acquire those privileges
on every machine in the domain.
74 Remote Access Security Administration