OSF DCE Administration Guide--Core Components
object, an optional annotation, and the name of the file that actually stores the server
keys on the local machine. This object is usually a file.
Note that the actual server keys are not stored in the keytab object itself but in the
keytab file on the local machine that the object names.
The pathname of the dced keytab object is
/.:/hosts/hostname/config/keytab/keytab_name
where:
hostname Is the name of the host on which the dced process resides.
keytab_name Is the name of the keytab file.
The pathname to the local keytab file is
/opt/dcelocal/keytab_path_name
where:
keytab_path_name Is the path name to the keytab file on the local node.
31.6.1.1 Protecting Keytab Files
The local keytab files must be adequately protected, and they must not be available on
the network. As they are used in the default DCE implementation, the keytab files
contain principal keys, which are the basis of DCE security. If these keys are
compromised, network security can also be compromised. The calls that access the
keytab file use rpc_c_protect_level_pkt_privacy. This protection level performs a
Data Encryption Standard (DES) encryption on the data being passed. The dcecp
keytab -noprivacy option allows you to specify that your site’s default protection level
should be used instead.
Create a separate keytab file for each server principal that runs on each local node.
Servers that share a keytab file can read each other’s keys and thus impersonate each
other. Protect the keytab files so that they are readable only by root. If you do this, the
servers must be started by root in order to read their keytab files and obtain their keys
during login.
When you create or change server keys, you can name a different keytab file for each
server that runs on the local node. Protect the file so that it is readable only by the server
whose key it contains. Then set the setuid bit for the server file to the server’s identity
so that the server can access the keytab file and obtain its key.
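The following script is an added example and is not part of the OSF DCE guide or the DCE distribution. It audits the keytab files on a local node for the two properties described above: each file grants no permission to group or others (readable only by root, or only by the server identity when the server runs setuid), and each file is owned by the account you expect. The directory /opt/dcelocal/keys and the file names used in the usage line are assumptions; the guide itself only fixes the /opt/dcelocal prefix.

```shell
#!/bin/sh
# Added example, not from the OSF DCE guide: audit local keytab files.
# The keytab directory and file names are assumptions; adjust for your node.

# audit_keytab FILE EXPECTED_OWNER
# Returns 0 if FILE exists, gives no permission to group or others, and is
# owned by EXPECTED_OWNER. Otherwise prints the reason and returns 1.
audit_keytab() {
    file=$1
    expected_owner=$2
    if [ ! -f "$file" ]; then
        echo "$file: missing"
        return 1
    fi
    # ls -ld prints "-rw-------  1 owner group ..."; field 1 is the mode
    # string and field 3 the owner. This works with POSIX ls, unlike stat -c.
    listing=$(ls -ld "$file")
    mode=${listing%% *}
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    # Characters 5-10 of the mode string are the group and other bits;
    # a setuid bit on the owner execute position (character 4) is left alone.
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "$file: accessible by group or others ($mode)"
        return 1
    fi
    if [ "$owner" != "$expected_owner" ]; then
        echo "$file: owned by $owner, expected $expected_owner"
        return 1
    fi
    return 0
}

# audit_keytab_dir DIR EXPECTED_OWNER
# Runs audit_keytab over every regular file in DIR and returns the number
# of files that failed, so 0 means every keytab file in DIR passed.
audit_keytab_dir() {
    dir=$1
    expected_owner=$2
    failed=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        audit_keytab "$f" "$expected_owner" || failed=$((failed + 1))
    done
    return "$failed"
}

# Usage with assumed paths: sh audit_keytab.sh /opt/dcelocal/keys root
# (or the server's own account when the server binary is setuid to it).
if [ "$#" -ge 2 ]; then
    audit_keytab_dir "$1" "$2"
fi
```

Run it once per keytab directory with the owner that should hold those files; any line of output names a file whose mode or ownership would let another principal on the node read a server key.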
31 − 14 Tandem Computers Incorporated 124243