HP UX LDAP-UX Integration Software manual Security

Page 20

Security

Traditionally, HP-UX stores user account information in the local /etc/passwd file. Unless the system is in trusted mode, any user logging into the system can read all other users’ encrypted passwords in /etc/passwd; that is still true even if the system deploys Network Information Service (NIS). The exposure of encrypted passwords is a security risk. Windows 2000 uses AD to store account information, but Kerberos client keys and passwords are well protected: you cannot display them using directory search tools, and even an administrator cannot obtain a user’s password or client key from AD. So integrating HP-UX accounts with Windows 2000 provides better password protection for HP-UX. Also, using Windows 2000 Kerberos Services to authenticate HP-UX users is more secure than traditional UNIX authentication.

However, be aware of some general security issues when using directory services as a data repository. On UNIX platforms, a super user, who has all the power to manipulate the system, is identified by uid = 0, which is the attribute uidNumber in AD. The uidNumber and other security-sensitive attributes (for example, the login shell and home directory) need to be protected from change by an arbitrary user. By default, a regular Windows 2000 domain user is not given the capability to modify AD objects. When granting access rights, an AD administrator must be very careful about the protection of security-sensitive attributes. HP has published a white paper on security issues associated with directory services. The white paper is “Preparing Your LDAP Directory for HP-UX Integration White Paper”, which can be downloaded from the HP documentation web site, http://docs.hp.com/hpux/internet. Although the white paper does not specifically address Windows 2000 Active Directory, the general principles still apply.
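The paragraph above names uidNumber, the login shell and the home directory as the attributes that must not be changeable by an arbitrary user. As an added example (not code from the manual or from HP), the following Python script audits an exported directory listing offline for the conditions an HP-UX administrator would want to catch after granting access rights: a uidNumber of 0 on any account other than the intended superuser, a uidNumber shared by several accounts, a non-numeric uidNumber, a login shell outside an allow-list, and a home directory under a world-writable path. The LDIF export is constructed for the example, and the attribute names loginShell and unixHomeDirectory are assumptions (RFC 2307-style names), not names taken from this page.

```python
"""Offline audit of a Unix-enabled directory export for the security-sensitive
attributes named in the manual: uidNumber (0 = superuser), login shell and
home directory.  Added example; SAMPLE_LDIF is constructed, and the attribute
names loginShell / unixHomeDirectory are assumptions, not from the manual."""
from collections import defaultdict
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]
Finding = Tuple[str, str, str]  # (account, finding code, detail)

# Constructed export: two accounts carry uidNumber 0, two share 1001,
# and one has a shell and home directory under /tmp.
SAMPLE_LDIF = """\
dn: CN=root,CN=Users,DC=example,DC=com
uid: root
uidNumber: 0
unixHomeDirectory: /
loginShell: /sbin/sh

dn: CN=alice,CN=Users,DC=example,DC=com
uid: alice
uidNumber: 1001
unixHomeDirectory: /home/alice
loginShell: /usr/bin/sh

dn: CN=bob,CN=Users,DC=example,DC=com
uid: bob
uidNumber: 0
unixHomeDirectory: /home/bob
loginShell: /usr/bin/ksh

dn: CN=carol,CN=Users,DC=example,DC=com
uid: carol
uidNumber: 1001
unixHomeDirectory: /tmp/carol
loginShell: /tmp/shell.sh
"""

ALLOWED_UID0 = {"root"}                     # only these may have uidNumber 0
ALLOWED_SHELLS = {"/sbin/sh", "/usr/bin/sh", "/usr/bin/ksh", "/usr/bin/csh"}
WORLD_WRITABLE = ("/tmp/", "/var/tmp/")     # home dirs here are a red flag


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, continuation lines begin with one space, '#' lines are comments."""
    entries: List[Entry] = []
    current: Entry = {}
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr is not None:   # folded line
            current[last_attr][-1] += raw[1:]
            continue
        line = raw.rstrip()
        if not line:                                        # entry boundary
            if current:
                entries.append(current)
                current, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def audit_entries(entries: List[Entry]) -> List[Finding]:
    """Apply the checks to parsed entries and return every finding."""
    findings: List[Finding] = []
    by_uidnumber = defaultdict(list)         # uidNumber -> accounts using it
    for e in entries:
        name = e.get("uid", e.get("dn", ["?"]))[0]
        uidnums = e.get("uidNumber", [])
        if not uidnums:
            findings.append((name, "missing-uidNumber", "no uidNumber attribute"))
        elif not uidnums[0].isdigit():
            findings.append((name, "bad-uidNumber", f"non-numeric uidNumber {uidnums[0]!r}"))
        else:
            by_uidnumber[int(uidnums[0])].append(name)
            if int(uidnums[0]) == 0 and name not in ALLOWED_UID0:
                findings.append((name, "uid0", "uidNumber 0 on an account outside the allow-list"))
        for shell in e.get("loginShell", []):
            if shell not in ALLOWED_SHELLS:
                findings.append((name, "shell", f"unexpected login shell {shell}"))
        for home in e.get("unixHomeDirectory", []):
            if home.startswith(WORLD_WRITABLE):
                findings.append((name, "home", f"home directory {home} under a world-writable path"))
    for uidnum, names in by_uidnumber.items():
        if len(names) > 1:
            findings.append((",".join(names), "dup-uid", f"uidNumber {uidnum} shared"))
    return findings


def audit_ldif(text: str) -> List[Finding]:
    """Parse an LDIF export and audit it in one call."""
    return audit_entries(parse_ldif(text))


if __name__ == "__main__":
    for account, code, detail in audit_ldif(SAMPLE_LDIF):
        print(f"{code:18} {account:12} {detail}")
```

Run against a real export, the script is a read-only check: it changes nothing in the directory and only reports accounts whose uidNumber, shell or home directory do not match the policy encoded in the allow-lists, so it can be scheduled after any change to directory access rights to confirm that the protected attributes were not altered.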
