AIX 5L f> 5.2 2+8O S152-0648-01


Page 1: ftps.zhiding.cnftps.zhiding.cn/files/2/17623.pdf · f.$iO$~q ................................86 $iO$~qDb0................................88 20MdC$iO$~q ..............................88

AIX 5L f> 5.2

2+8O

S152-0648-01



"

Z9C>E"0d'VDz70,kDAZ 233 3D=< E, :yw;PDE"#

Z}f(2003 j 7 B)

>f>JCZ AIX 5L V5.2 0>z7DyPsx"Pf,1=ZBf>PmPyw*9#

>vfoDsfa)K;EA_b{m#g{CmQ}%,r+b{Dy:IBM Pz+>O#V+>:/?,PzO#P

4#P7 333 Ep2c! 10 %,J~`k:200021#*(}gSDN=a)b{,k9CKL5rXxX7:

[email protected]#RGI\a9Cza)DNNE",x^hTzP#NNpN#

Copyright (c) 1993, 1994 Hewlett-Packard Company
Copyright (c) 1993, 1994 International Business Machines Corp.
Copyright (c) 1993, 1994 Sun Microsystems, Inc.
Copyright (c) 1993, 1994 Novell, Inc.
All rights reserved.

>z70d`XD5\f(#$"RZmI$BV",Sx^FTd9C"4F"V"M4`k#4

-BHifZ(,>z7r`XD5DNN?V<;CTNNN="NN==xP4F#

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the United States Government is subject to the restrictions set forth in DFARS 252.227-7013 (c)(1)(ii) and FAR 52.227-19.

>vfoT04V41Dy!a),;=PNNN=D(^[Gw>D,>D)#$,|((+;^Z)TGV

(T"JzTMJCZ3X(C>D,>#$#

>vfoPI\|,<u=f;;<7DX=r!"ms#K&DE"+(Z|D;b)|D+`k>vfoDBf>

P#HEWLETT-PACKARD COMPANY"zJL5zw+>"SUN MICROSYSTEMS, INC. M UNIXMICROSYSTEMS,INC. ITf1T>vfoPyhvDz7M/rLrxPDxM/r|D#

© Copyright International Business Machines Corporation 2002, 2003. All rights reserved.


?<

XZ>i . . . vii
>iJCZ . . . vii
;vT> . . . vii
AIX PxVs!4 . . . vii
ISO 9000 . . . vii
`Xvfo . . . viii

Z 1 ?V %z532+T . . . 1

Z 1 B 20MdC2+53 . . . 3
IEFcb . . . 3
\XDCJ#$E*D~M@@#$6p 4+ . . . 8
G<XF . . . 20
\m X11 M CDE "bBn . . . 22

Z 2 B C'"G+M\k . . . 23
Root J' . . . 23
\mG+ . . . 24
C'J' . . . 27
hCxP2+C'J'Dd{ FTP . . . 30
53XbC'J' . . . 33
CJXFm . . . 34
\k . . . 38
C'O$ . . . 42
ELdn53Ev . . . 43

Z 3 B sF . . . 47
sFS53 . . . 47
B~!q . . . 48
sFS53dC . . . 49
sFU>LrdC . . . 50
hCsF . . . 53

Z 4 B LDAP O$0k#i . . . 59
hC LDAP 2+E"~qw . . . 59
hC LDAP M'z . . . 60
LDAP C'\m . . . 61
LDAP wzCJXF . . . 61
LDAP 2+E"~qwsF . . . 62
LDAP |n . . . 63
`XE" . . . 70

Z 5 B PKCS #11 . . . 71
IBM 4758 2 M\k-&mw . . . 71
PKCS #11 S53dC . . . 72
PKCS #11 9C=( . . . 73

Z 6 B X.509 $iO$~qM+C\?y!a9 . . . 75
$iO$~qDEv . . . 75
$iO$~qD5V . . . 77

© Copyright IBM Corp. 2002, 2003 iii

f.$iO$~q . . . 86
$iO$~qDb0 . . . 88
20MdC$iO$~q . . . 88

Z 7 B IekO$#i . . . 101
PAM b . . . 101
PAM #i . . . 102
PAM dCD~ . . . 103
mS PAM #i . . . 104
|D /etc/pam.conf D~ . . . 104
tC PAM wT . . . 104
Z AIX PD/I PAM . . . 105

Z 8 B OpenSSH m~$_ . . . 109
OpenSSH `kDdC . . . 110
OpenSSH M Kerberos V5 'V . . . 112

Z 2 ?V xgMrXxD2+T . . . 115

Z 9 B TCP/IP 2+T . . . 117
X(ZYw53D2+T . . . 117
TCP/IP |n2+T . . . 118
IExL . . . 120
xgIEFcb . . . 123
}]2+T0E"#$ . . . 123
yZC'D TCP KZCJXFMrXxKZDxPTwCJXF . . . 123

Z 10 B xg~q . . . 125
6pr*(EKZDxg~q . . . 125
6p TCP M UDP WSV . . . 127

Z 11 B xJ-i(IP)2+T . . . 129
IP 2+TEv . . . 129
20 IP 2+T&\ . . . 134
f. IP 2+TdC . . . 135
dCrXx\?;;(Db0 . . . 142
&m}V$iM\?\mw . . . 148
dCK$(Db0 . . . 158
hC}Kw . . . 160
G<h8 . . . 166
IP 2+TJb7( . . . 170
IP 2+TN< . . . 179

Z 12 B xgE"~q(NIS)M NIS+ 2+ . . . 181
Yw532+zF . . . 181
NIS+ 2+zF . . . 183
NIS+ O$M>$ . . . 186
NIS+ Z(kCJ . . . 188
NIS+ 2+TM\m(^ . . . 191
NIS+ 2+TN< . . . 192

Z 13 B xgD~53(NFS)2+T . . . 193
NFS O$ . . . 193

iv AIX 5L V5.2:2+8O

* DES O$|{xg5e . . . 195
/etc/publickey D~ . . . 196
+C\?53D}<"bBn . . . 196
2+ NFS DT\"bBn . . . 196
\m2+ NFS DKTm . . . 196
dC2+ NFS . . . 197
9C2+ NFS <vD~53 . . . 198
9C2+ NFS 20D~53 . . . 198

Z 14 B s5m]3d . . . 201
\m`vC'"am . . . 201
10=8 . . . 201
9Cs5m]3d . . . 202

Z 15 B Kerberos . . . 203
mb2+6L|n . . . 203
9C Kerberos xP AIX O$ . . . 205
KRB5A O$0k#iJbMJOiRE" . . . 209

Z 3 ?V =< . . . 215

=< A. 2+TKTm . . . 217

=< B. 2+TN<JO . . . 219
2+T Web >c . . . 219
2+TJ]Pm . . . 219
2+T*zN<JO . . . 219

=< C. U( AIX 53~q** . . . 221

=< D. xg~q!n** . . . 231

=< E. yw . . . 233
Lj . . . 234

w} . . . 235


XZ>i

>ir53\m1a)XZ AIX Yw53DC'Mi"D~"53T0xg2+DE"#>8O|,XZgN

4Png|D(^"hCO$=("dCIEFcb73MP@@#$6p 4+(EAL4+)&\D\XDCJ#

$E*D~(CAPP)DNqDE"#

6AIX 5L V5.2 2+8O7|,TB?~:%z532+T"xgMrXx2+T0=<#

v Z;?V,0%z532+1a)K%z53D AIX 2+TDy_#K?VD6'|(9CIEFcb73

20%z53"20 CAPP/EAL4+ &\"XFG<"5)J1D\kfr"5V!1DC'2+TzF"t

C53sFT0`SD~M?<CJ#K?V9|,XZ X11"+2@f73(CDE)"a?6?<CJ-

i(LDAP)T0|`D2+TE"#

v Z~?V,0xgMrXx2+T1a)XZxgMrXx2+TDE"#K?V{vKXZdC TCP/IP 2

+T"XFxg~q"sFM`Sxg2+T"dC IP 2+T"dCib(Cx"gSJ~2+T"NFS 2

+T"{F~q0 Kerberos DX"#

v Z}?V|,=<,||,2+Te%"XZ2+T$_DE""*z2+TN<JOT0XZxg~q

M(EKZDN<E"#

>f>'VxP 5200-01 FvD,$m~|D AIX 5L V5.2 D"Pf#TZ>,$m~|DNNX(}C<

+m>*xP 5200-01 D AIX 5.2#

>iJCZ

>iG*53\m10 IT 2+T\m1<8D#

;vT>

>iP9CTB;vT><(:

Ve j6|n"S}L"X|V"D~"a9"?<0d|{FI53$(eDn#2j6<NT

s,}gC'!qD4%"j)0<j#

1e j6+IC'a)5J{Fr5DN}#

HmVe j6X(}]5D>}"kzI\{=DT>D>`FD>}"kzw*Lr1I\`4DLr

zk`FD,O>}"4T53DE"rz&5JdkDE"#

AIX PxVs!4

AIX Yw53PD?;n<GxVs!4D,bb6Eds!4V8.dPxp#}g,IT9C ls |n4

PvD~#g{zdk LS,r53l&C|n04R=1#,y,FILEA"FiLea M filea G}v;,DD~

{,49|G$tZ,;v?<B#*K\b}p4P;k*DYw,*<U7#9C}7Ds!4V8#

ISO 9000>z7D*"MzzP9CK ISO 9000 J?O$e5#


`Xvfo

TBvfo|,`XDE":

v 6AIX 5L V5.2 53\m8O:Yw53kh87

v AIX 5L Version 5.2 System Management Concepts: Operating System and Devices

v 6AIX 5L V5.2 53\m8O:(Ekxg7

v 6AIX 5L V5.2 Yw5320:kE7

v 6AIX 5L V5.2 208OkN<s+7

v 6AIX 5L V5.2 |nN<s+7

v AIX 5L Version 5.2 Files Reference

v AIX 5L Version 5.2 General Programming Concepts: Writing and Debugging Programs

v 6AIX 5L V5.2 53C'8O:Yw53kh87

v 6AIX 5L V5.2 53C'8O:(Ekxg7

v AIX 5L Version 5.2 Network Information Services (NIS and NIS+) Guide

v AIX 5L Version 5.2 Guide to Printers and Printing


Z 1 ?V %z532+T

>8ODZ;?Va)KPXgN#$%z53DE",x;<Gxg,(T#b)BZhvKgNZ2+T

!nr*12053,T0gN#$ AIX Tb9^Z(C'!CT53DCJ#


Z 1 B 20MdC2+53

>Ba)XZ20MdC2+53DE"#

>BPDwb|,:

v :IEFcb;

v Z 8 3D:\XDCJ#$E*D~M@@#$6p 4+;

v Z 20 3D:G<XF;

v Z 22 3D:\m X11 M CDE "bBn;

IEFcb

53\m1Xk7(IT3h3vX(Lr`sDEN#b;7(|,Zv(TX(20Lrh*`sEN

1,<G53OE"J4D[5#

0IEFcb1(TCB)G:p?F536'E"2+_TD53D;?V#(}20M9C TCB,IT(e

TIE(E76DC'CJ,b+JmC'M TCB dD2+(E#;PZ20Yw531,EtC TCB &

\#*ZQ20DzwO20 TCB,z+Xk4P0#t120#tC TCB JmzCJIE shell"IExL

T002+"b|1(SAK)#

>?VV[TBwb:

v :20xPIEFcbD53;

v Z 4 3D:liIEFcb;

v Z 4 3D:sysck.cfg D~Da9;

v Z 4 3D:9C tcbck |n;

v Z 6 3D:dCnbDIE!n;

20xPIEFcbD53

TCB G:p?F53E"2+_TD53D;?V#TCB |,+?Fcz2~,+\m53DK1&Cw*X

D TCB Dm~i~#

g{z205319C0IEFcb1!n,zMtCKIE76"IE shell 053j{T#i(tcbck |

n)#b)&\vITZy>Yw53(BOS)20}LPtC#g{Zu<20}LP4!q TCB !n,

tcbck |n+;{C#;P(}tC TCB !n4XB2053EIT9CC|n#

*Z BOS 20}LPhC TCB !n,kS020MhC1A;!q|`!n#Z020!n1A;,20

IEFcb!qD1!5G no#*tCTCB ,kdk 2 "4B Enter |#

IZ?vh8<G TCB D;?V,yT TCB `S /dev ?<PD?vD~#mb,TCB T/`S,} 600

v=SD~,Qb)D~DX|E"f"Z /etc/security/sysck.cfg D~P#g{}Z20 TCB,20Ts

"4QCD~8]=IF/DiJP,}gEx"CD rEL,"QiJf"Z2+DX=#


liIEFcb

tcbck |nsF0IEFcb1D2+4,#1 TCB D~4C=}7#$r1dCD~_PG2+51,Y

w53D2+Ta\=#&#tcbck |n(}A! /etc/security/sysck.cfg D~sFCE"#CD~|,yP

TCB D~"dCD~MIE|nDhv#

/etc/security/sysck.cfg D~";PQz,rKZMMPI\Dd|#7#?;v TCB |Bs,4(;vQ

zD;A1>#,1,vxPNNli.0,QCD~Si5iJP4F=ELO#

20 TCB M9C tcbck |n;\#$53Z{O\XCJ#$E*D~(CAPP)M@@#$6p

4+(EAL4+)D==BKP#PX CAPP/EAL4+ !nDE",kNDZ 8 3D:\XDCJ#$E*D~M@

@#$6p 4+;#

sysck.cfg D~Da9

tcbck |nA! /etc/security/sysck.cfg D~T7(liD)D~#Z /etc/security/sysck.cfg D~PCZ

hvK53O?;vIELr#

?Z<PTBtT:

acl D>V{.zmD~DCJXFPm#|XkM aclget |ndvP`,Dq=#g{b;

\k5JD~ ACL(CJXFm)`%d,r sysck |n9C aclput |n4&CC5#

":g{fZ SUID"SGID M SVTX tT,|GXkM==8(DtT`%d#

class ;iD~D{F#CtTJm(}x tcbck |n8(%;N}4li_P`,`{D`v

D~#IT8(;vTOD`,?;v`C:EVt#

group D~iDij6r{F#g{|MD~yP_;%d,tcbck |nQD~DyP_j6hC

IC5#

links :EVtD76{FPm4S=CD~#g{CmPDNb76{F;MCD~4S,G

4 tcbck |n4(4S#g{;P9C tree N},tcbck |nr!v;u{":Pnb

D4S+;P7(|GD{F#g{9C tree N},tcbck |n2,yr!k4S=CD

~DNN=S76{F#

mode :EVtD5Pm#Jm5G SUID"SGID"SVTX M TCB#D~mI(XkGnsD5,

RI8(*KxF5r 9 vV{DV{.#}g,755 r_ rwxr-xr-x GP'DD~mI

(#g{|M5JDD~==;%d,tcbck |n&C}75#

owner D~yP_DC'j6rC'{F#g{|MD~yP_;%d,tcbck |nQD~DyP

_j6{hCIC5#

program :EVtD5Pm#Z;v5GliLrD76{F#14PLr1,=S5w*N}+

xLr#

":Z;vN}\G -y"-n"-p r -t PD;v,!vZ tcbck |n9CDvj>#

source D~{F,Zli.04D~*Sd4F}4#g{5*UW,R|*#fD~"?<r

|{\@,g{9;fZ,M4(CD~BDUf>#TZh8D~,*`,`MDh8

4(;vBDXbD~#

symlinks :EVtD76{FPm4S=CD~#g{CmPDNb76{F;GACD~D{E

4S,tcbck |n4({E4S#g{9C tree N},tcbck |n2r!vNbACD~

D{E47Dd|76{F#

g{ /etc/security/sysck.cfg D~PDZ;P8(tT,M;a4P`&Dli#
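The following Python is an added example, not IBM's tcbck and not code from this guide. It re-implements, on an ordinary POSIX system, the comparison tcbck makes between a sysck.cfg stanza and the live file for the owner, group, mode, links and symlinks attributes described above. Assumptions: a stanza is a "path:" line followed by indented "attribute = value" lines with "*" starting a comment; the AIX-only TCB file attribute has no POSIX equivalent and is accepted in the mode value but not verified; the fixture built by demo() is constructed for the example. Function and variable names are the example's own.

```python
# Added example, not IBM code: a minimal POSIX re-implementation of the checks
# tcbck performs from /etc/security/sysck.cfg for the owner, group, mode, links
# and symlinks attributes.  Assumed stanza syntax: a "path:" line followed by
# indented "attribute = value" lines, "*" starting a comment.
import grp
import os
import pwd
import stat

# mode keywords that may precede the permission value, and the st_mode bits they denote
# (TCB is AIX-only and has no POSIX bit, so it is accepted but contributes nothing)
MODE_FLAGS = {"SUID": stat.S_ISUID, "SGID": stat.S_ISGID, "SVTX": stat.S_ISVTX, "TCB": 0}
SPECIAL_MASK = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX


def parse_stanzas(text):
    """Return {path: {attribute: value}} for every stanza in sysck.cfg-style text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if not raw[0].isspace() and line.endswith(":"):
            current = line[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def parse_mode(value):
    """Split 'SUID,SGID,755' or 'TCB,rwxr-xr-x' into (special bits, permission bits)."""
    flags, perm = 0, None
    for token in (t.strip() for t in value.split(",")):
        if token in MODE_FLAGS:
            flags |= MODE_FLAGS[token]
        elif token.isdigit():
            perm = int(token, 8) & 0o777               # octal form, e.g. 755
        elif len(token) == 9:                          # symbolic form, e.g. rwxr-xr-x
            perm = sum(1 << (8 - i) for i, ch in enumerate(token) if ch != "-")
        else:
            raise ValueError("unrecognised mode token: %r" % token)
    return flags, perm


def check_entry(path, attrs):
    """Return the list of discrepancies between one stanza and the file it describes."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["%s: not found" % path]
    for attr, ident, lookup in (("owner", st.st_uid, lambda u: pwd.getpwuid(u).pw_name),
                                ("group", st.st_gid, lambda g: grp.getgrgid(g).gr_name)):
        if attr in attrs:
            try:
                have = lookup(ident)
            except KeyError:                           # id not in the local database
                have = str(ident)
            if attrs[attr] not in (have, str(ident)):
                problems.append("%s is %s, expected %s" % (attr, have, attrs[attr]))
    if "mode" in attrs:
        flags, perm = parse_mode(attrs["mode"])
        have_special, have_perm = st.st_mode & SPECIAL_MASK, stat.S_IMODE(st.st_mode) & 0o777
        if have_special != flags:
            problems.append("special bits are %04o, expected %04o" % (have_special, flags))
        if perm is not None and have_perm != perm:
            problems.append("permissions are %03o, expected %03o" % (have_perm, perm))
    for link in (l.strip() for l in attrs.get("links", "").split(",") if l.strip()):
        try:
            other = os.stat(link)
        except FileNotFoundError:
            problems.append("hard link %s is missing" % link)
            continue
        if (other.st_dev, other.st_ino) != (st.st_dev, st.st_ino):
            problems.append("%s is not a hard link to %s" % (link, path))
    for link in (l.strip() for l in attrs.get("symlinks", "").split(",") if l.strip()):
        if not os.path.islink(link) or os.path.realpath(link) != os.path.realpath(path):
            problems.append("%s is not a symbolic link to %s" % (link, path))
    return problems


def verify(text):
    """Check every stanza in text; a path maps to an empty list when it is clean."""
    return {path: check_entry(path, attrs) for path, attrs in parse_stanzas(text).items()}


def demo():
    """Constructed fixture: a file with a hard link and a symlink in a temp dir,
    verified once as described and again after its permissions are changed."""
    import tempfile
    d = tempfile.mkdtemp()
    target = os.path.join(d, "prog")
    open(target, "w").close()
    os.chmod(target, 0o755)
    hard, sym = os.path.join(d, "prog_link"), os.path.join(d, "prog_sym")
    os.link(target, hard)
    os.symlink(target, sym)
    cfg = ("* constructed stanza, not a real sysck.cfg entry\n"
           "%s:\n\towner = %d\n\tgroup = %d\n\tmode = 755\n\tlinks = %s\n\tsymlinks = %s\n"
           % (target, os.getuid(), os.getgid(), hard, sym))
    clean = verify(cfg)
    os.chmod(target, 0o700)                            # simulate an unexpected change
    return target, clean, verify(cfg)
```

Calling demo() returns the checked path, an empty discrepancy list for the file as described, and a list naming the changed permissions after the chmod; verify() can be pointed at any text in the same stanza form.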

9C tcbck |n

tcbck |n(#CZ4PTBYw:

v 7#2+T`XD~D!120


v 7#D~53w;|,wT%4532+TDD~

v |B"mSr>}IED~

ITCTB==9C tcbck |n:

v }#9C

– 53u</1DG;%=

– 9C cron |n

v ;%=9C

– lvvpD~MD~`

v }VBIM9C

– Qzf"D~ sysck.cfg,"(ZV4CD~Tlvzw

d;;PS\#$,TCB 9C sum |nC=#iM#TCB }]bIT(};,D#iM|nxPV$hC,

}g,textutils RPM Package Manager m~|Pf AIX Toolbox for Linux Applications CD ;pa)D md5sum|n#

liIED~

*li tcbck }]bPyPDD~,"R^}"(fyPms,kdk:

tcbck -y ALL

by9 tcbck |nli /etc/security/sysck.cfg D~yhvD tcbck }]bPD?;vD~D20#

*Z53u</}LPT/4PKYw"zImsU>,k+H0D|nV{.mS= /etc/rc |nP#

liD~53w

^[N13I53Dj{TGqI\Q-\p,kKP tcbck |nliD~53w:

tcbck -t tree

19CxP tree 5D tcbck |n1,li53ODyPD~Gq}720(bI\h*O$D1d)#g{

tcbck |n"VNNT532+TP1Z~2DD~,ITDdIID~T}%p5DtT#mb,TD~5

3PyPd|DD~24PTBli:

v g{D~yP_G root,RD~hCK SetUID ;,G4Me} SetUID ;#

v g{D~iG;v\mi,D~GI4PD,xRD~hCK SetGID ;,G4Me} SetGID ;#

v g{D~hCK tcb tT,e}CtT#

v g{D~G;vh8(V{riXbD~),r}%|#

v g{D~G /etc/security/sysck.cfg D~PyvD76{FD=S4S,r}%C4S#

v g{D~G /etc/security/sysck.cfg D~PyvDA76{FD=S{E47,rv%C{E47#

":Z4P tcbck |nr53dC;IC.0,Xk+yPh8G<mS= /etc/security/sysck.cfg D

~P#*QIEh8mS= /etc/security/sysck.cfg D~P,9C -l j>#

/f: ;*KP tcbck -y tree |n!n#C!n>}"{CG)Z TCB P^P;1Dh8,RI\{C

53#

Z 1 B 20MdC2+53 5


mSIELr

*+X(LrmS= /etc/security/sysck.cfg D~P,kdk:

tcbck -a PathName [Attribute=Value]

;Pd5;GSD~104,}vDtTEXkZ|nPPxP8(#yPDtT{F<|,Z

/etc/security/sysck.cfg D~P#

}g,TB|n"a;vBD SetUID yLr,|{* /usr/bin/setgroups, |P;v{* /usr/bin/getgroupsD4S:

tcbck -a /usr/bin/setgroups links=/usr/bin/getgroups

*mS jfh M jsl w*\mC'"mS developers w*\miTZD~ /usr/bin/abc 2+si}LPx

Pi$,kdk:

tcbck -a /usr/bin/abc setuids=jfh,jsl setgids=developers

20LrTs,I\;*@DvBD~Z /etc/security/sysck.cfg D~P"a#IT9CTB|niRMmS

b)D~:

tcbck -t tree

C|nV{.T>Z /etc/security/sysck.cfg D~P"aDNND~{F#

>}IELr

g{S53>};v /etc/security/sysck.cfg D~PyvDD~,r9XkS /etc/security/sysck.cfg D~

P}%CD~Dhv#}g,g{Q>}K /etc/cvid Lr,rTB|nV{.zz;ums{":

tcbck -t ALL

zzDms{"gBy>:

3001-020 The file /etc/cvid was not found.

CLrDhvT#tZ /etc/security/sysck.cfg D~P#*}%CLrDhv,kdkTB|n:

tcbck -d /etc/cvid

dCnbDIE!n

>Za)KPXgN* TCB dCd|!nDE"#

^FCJUK

getty M shell |n|DUKDyP_M==T@9GIELrCJUK#Yw53a)KdC(CUKCJ

D=(#

9C2+"b|

"b:19C SAK 1*!D,r*|a1@T<CJUKDyPxLT0NN8r|D4S(}

g,/dev/console IT4S= /dev/tty0)#

(}4B02+"b|1(SAK)#t4|3r(Ctrl-X,;s Ctrl-R),I4(IE(E76#y]TBu~

("IE(E76:

v 1G<=531

4B SAK .s:


– g{T>BDG<A;,G4zPK2+76#

– g{T>IE shell a>{,u<G<A;G4Z(DLr,|I\T<T!zD\k#9C who |n

7(10G-Z9CCUK,;s"z#

v 1z#{ydkD|nzz;vIELrKP#byD;)>}|,:

– w* root C'KP#;P4(KIE(E76.s,E\w* root C'KP#b+7#;PGIELr

9C root C'(^KP#

– KP su -"passwd T0 newgrp |n#;P4(KIE(E76.s,E\KPb)|n#

dC2+"b|

IT%@dC?vUK,TcZCUKO4B02+"b|1(SAK)4(IE(E76#bZ

/etc/security/login.cfg D~D sak_enabled tTPxP8(#g{CtT5G True,tC SAK#

g{KZCZ(E,(}g,(} uucp |n),y9CDX(KZZ /etc/security/login.cfg D~PDZP

TBP:

sak_enabled = false

CP(rGZP;Pn){CGvUKD SAK#

*ZUKOtC SAK,+TBPmS=CUKDZP:

sak_enabled = true


\XDCJ#$E*D~M@@#$6p 4+Z AIX 5.2 P*<,53\m1ITZy>Yw53(BOS)20}LP20xP0\XDCJ#$E*D~1

(CAPP)M0@@#$6p 4+1(EAL4+)!nD53#xPC!nD53T BOS 20}LP20Dm~

P^F,"RTxgCJ2P^F#

>ZV[TBwb:

v :CAPP/EAL4+ {OD53Ev;

v Z 9 3D:20 CAPP/EAL4+ 53;

v Z 10 3D:CAPP/EAL4+ m~|;

v Z 11 3D:CZ CAPP/EAL4+ 53Dom73;

v Z 12 3D:CZ CAPP/EAL4+ 53Di/73;

v Z 13 3D:CAPP/EAL4+ 53D53dC;

CAPP/EAL4+ {OD53Ev

CAPP 53G@U0+2j<1DkT2+T@@hFkdCDzc \XDCJ#$E*D~(CAPP)D5

3#CAPP 8(53DT\hs,`FZOgD TCSEC C2 j<(2F*H$i)#

0+2j<(CC)@@531GQ@U0+2j<1(CZ IT z7@@D ISO j<(ISO 15408))xP@

@D53# {Ob)hsD53dCZ>8OPG8 CAPP/EAL4+ 53#

g{4 CC j<@@53,CC @@;TX(D53dC(2~Mm~)GP'D#|D`XD2+TdCa

zz4@@D53#b";;(b6+uY53D2+T,;m>53;Y&ZQO$dC4,#CAPP k CC

<;-GyP AIX 5.2 I\D2+TdC!n#3)&\?~(g IPsec r(F\kli#i)4|(ZZ,

+ICZv?53D2+T#

AIX 5.2 CAPP/EAL4+ 53|, 64 ; POWER3 k POWER4 &mwODyYw53,PTB?V:

v _-m\mLr(LVM)kv?DU>D~53(JFS2)

v xP CDE gfD X-Windows 53

v y>xJ-i V4(IPv4)xg&\(Telnet"FTP"rlogin k rsh/rcp)

v xgD~53(NFS)

g{{OTBu~,rO* CAPP/EAL4+ 53GZ2+4,P:

v g{dCKsF}LR53G`C'==,rsF}LXkGIKwD#

v C53S\C'G<k~qxgks#

v TZV<=53,C\m}]bGSwX~qwxP NFS 20D#

a)KTB2+T&\D\mgf:

v 6pMO$k)(C'DdC"\khC"G<dCH#)

v sFk)(dC bin ==sF"!qQsFDB~"&msFzYH#)

v TwCJXF((^;}MD~53TsD ACL"IPC zFM TCP KZ)

v hC531d

v KP diag oOS53

v KP su |nTI*PX(D\m1(root C')

b|,KITC44P`&\mDdCD~M53wC#


a)KTB2+T&\DC'gf:

v passwd |n,CZ|DC'D\k

v su |n,CZ|DC'Dj6

v at"batch M crontab $_,CZwH|n&m

v TwCJXF((^;}MD~53TsD ACL M IPC zF)

v 53XF(DG<zF(}g,6pMO$zF)M\'VDxg&CLr(Hg,telnet M ftp)

b|,K&mC'j6rCJXFDhCD53wC#

AIX 5.2 CAPP/EAL4+ 53ZyZ9C;vM=v POWER3-II &mwD IBM eServer pSeries TF`&mw

(SMP)53(IBM eServer pSeries 610)"9C RS64 IV &mwD SMP 53(IBM eServer pSeries 660)

T09C POWER4 &mwD SMP 53(IBM eServer pSeries 690)D2~=(OKP#\'VDb'h8

Gw*f"h8DUKMr!z"2LM CD-ROM }/wT0w*8]h8DExzMmL}/w#\'V

DxgSZ`MGT+xMnF7#

Z x 5200-01 FvD,$m~|D AIX 5L V5.2 P*<,CAPP/EAL4+ <uZ'V_-VxdCD POWER4

&mw(IBM eServer pSeries 630"IBM eServer pSeries 650 M IBM eServer pSeries 690)2~=(OKP#

\'VDb'h8Gw*f"h8DUKMr!z"2LM CD-ROM }/wT0w*8]h8DExzMm

L}/w#\'VDxgSZ`MGT+xMnF7#

":\m1Xk(*53DyPC';*9C $HOME/.rhosts D~xP6LG<MKP|n#

20 CAPP/EAL4+ 53

*Z BOS 20ZdhC CAPP/EAL4+ !n,k4PTBYw:

1. Z020khC1A;O,!q |`!n#

2. Z0|`!n1A;P,*tC CAPP k EAL4+ <udkk Yes r No !n`{D}V#1!5hC

* No#

tC CAPP k EAL4+ <u!n;PZTBu~BEGICD:

v 20=(hC*B(Mj+2G20#

v !q"ooT#

v tC 64 ;ZK#

v tCv?DU>D~53(JFS2)#

1tC CAPP k EAL4+ <u!nhC* yes 1,IEFcy!n2hC* yes "R(;P'D Desktop!n* NONE r CDE#

g{}C(FD bosinst.data D~4P^a>20,INSTALL_TYPE VNXkhC* CC_EVAL RTBVN

Xk4gBhC:

control_flow:
        CONSOLE = ???
        PROMPT = yes
        INSTALL_TYPE = CC_EVAL
        INSTALL_METHOD = overwrite
        TCB = yes
        DESKTOP = NONE or CDE
        ENABLE_64BIT_KERNEL = yes
        CREATE_JFS2_FS = yes
        ALL_DEVICES_KERNELS = no
        NETSCAPE_BUNDLE = no
        HTTP_SERVER_BUNDLE = no
        KERBEROS_5_BUNDLE = no
        SERVER_BUNDLE = no
        ALT_DISK_INSTALL_BUNDLE = no

locale:
        CULTURAL_CONVENTION = en_US or C
        MESSAGES = en_US or C

CAPP/EAL4+ Mxg20\m(NIM)73

IT9C0xg20\m1(NIM)7344P CAPP/EAL4+ <uM'zD20#dCK NIM wXzTa)

20 AIX 5L D`& CAPP/EAL4+ 6pyhDJ4#;sIT9C;Z NIM wXzODJ4420 NIM M

'z#zIT(}Z bosinst_data J4PhCTBVN44PM'zD^a> NIM 20:

control_flow:
        CONSOLE = ???
        PROMPT = no
        INSTALL_TYPE = CC_EVAL
        INSTALL_METHOD = overwrite
        TCB = yes
        DESKTOP = NONE or CDE
        ENABLE_64BIT_KERNEL = yes
        CREATE_JFS2_FS = yes
        ALL_DEVICES_KERNELS = no
        NETSCAPE_BUNDLE = no
        HTTP_SERVER_BUNDLE = no
        KERBEROS_5_BUNDLE = no
        SERVER_BUNDLE = no
        ALT_DISK_INSTALL_BUNDLE = no

locale:
        CULTURAL_CONVENTION = en_US or C
        MESSAGES = en_US or C

NIM wXz;\dC* CAPP/EAL4+ 53R^(,S=kd| CAPP/EAL4+ 53`,Dxg#1S NIM w

Xzt/201,20 SMIT s#t NIM M'zK%!nXkhC*q#Z20K NIM M'zw*

CAPP/EAL4+ 53s,XkS NIM wXzDxg}%C NIM M'z,"R^(9C NIM wXz44Pd

|Dm~20M|B#

Z;v>}ivP,P=Vxg73;Z;vxgI NIM wXzMG CAPP/EAL4+ 539I;Z~vxg;

I CAPP/EAL4+ 539I#Z NIM M'zO4P NIM 20#20jIs,QB20D CAPP/EAL4+ 53

S NIM wXzDxgO*,S,YQC53,S=@@}Dxg#

m;v>}I;vxg9I#1d|53T@@}DdCKP1,NIM wXz4,S=xg,R CAPP/EAL4+

53Z NIM 20}LP4,S=xg#

CAPP/EAL4+ m~|

g{!qK CAPP/EAL4+ !n,r20 /usr/sys/inst.data/sys_bundles/CC_EVAL.BOS.autoi 20|DZ

]#

(}!q CAPP/EAL4+ !n,ITfb!q20<Nm~|MD5~qm~|#g{!q CAPP/EAL4+ !n

,1!q0<Nm~1!n,r20 /usr/sys/inst.data/sys_bundles/CC_EVAL.Graphics.bnd m~|DZ

]#g{!q CAPP/EAL4+ !n,1!q0D5~qm~1!n,r20

/usr/sys/inst.data/sys_bundles/CC_EVAL.DocServices.bnd m~|DZ]#

Z20K0mILrz71(LPP)s,53|D1!dCT{O CAPP/EAL4+ D*s#T1!dCxPTB

|D:

v S /etc/pse.conf D~}% /dev/echo#


v 5}/ STREAMS h8#

v ;Jm root C'CJIF/iJ#

v S inetd.conf D~}%G CC n#

v |D;,DD~mI(#

v Z sysck.cfg D~P"a{E4S#

v Z sysck.cfg D~"ah8#

v hC1!C'kKZtT#

v */@wD9CdC doc_search &CLr#

v S inittab D~}% httpdlite#

v S inittab D~}% writesrv#

v S inittab D~}% mkatmpvc#

v S inittab D~}% atmsvcd#

v Z /etc/rc.tcpip D~P{C snmpd#

v Z /etc/rc.tcpip D~P{C hostmibd#

v Z /etc/rc.tcpip D~P{C snmpmibd#

v Z /etc/rc.tcpip D~P{C aixmibd#

v Z /etc/rc.tcpip D~P{C muxatmd#

v NFS KZ(2049)G_PX(DKZ#

v +*'DB~mS= /etc/security/audit/events D~#

v 7#XMSZ}ZKP#

v * /dev/console 4(,eJ#

v ?F1! X-server ,SmI(#

v |D /var/docsearch ?<,by9C+?D~GyPKIAD#

v mS0Ts}]\mw1(ODM)ZThCXF(mI(#

v hCZ BSD y= ptys ODmI(* 000#

v {C .netrc D~#

v mS9!?<&m#

CZ CAPP/EAL4+ 53Dom73

CAPP/EAL4+ 53TdKPD73PX(D*s#*sgB:

v Xk^FT53DomCJ,by;PZ(D\m1EI9C53XF(#

v 0~q&mw1;P,S=wFbww#

v ^FQZ(C'TUKDomCJ#

v omxgTT}MgS[-Lr(2F*0XeA>m1Lr)G2+D#1Z;2+D_7O(E1,

h*nbD2+k),gS\#

v ;JmkG AIX 5.2 CAPP/EAL4+ 53r;&Z`,\mXFBDd|53(E#

v 1kd| CAPP/EAL4+ 53(E1;9C IPv4,IPv6 P4-}@@#

v Xk{9C'|D531d#

v LPAR 73PD53^(2m PHB#


CZ CAPP/EAL4+ 53Di/73

TZ CAPP/EAL4+ 53,XkzcTBLrTDki/ODhs:

v \m1XkG57PXD#

v \m1;O*GIED#

v ;PZ(&m53ODE"DC'E\Zh53ODC'j6#

v C'Xk9C_J?\k(!I\XfzRkC'ri/^X*)#PXhC\kfrDE",kNDZ

38 3D:\k;#

v C';CQ{GD\k86xd{K#

v \m1XkPdVD\mX|532+TD*6#

v \m1Xk453D5a)D8<$w#

v \m1XkT{GDvKj6G<"9C su - |nP;=,6C'==Tc\m#

v I\m1*53C'zID\kXk2+X"MxC'#

v G):p53DKXk(""5VX*D2+53YwD}L#

v \m1Xk7#T2+X|T53J4DCJ\=mI(;M ACL D`&hC#$#

v omxgXkIi/K<4+M535PDntPD}]#

v ,$}LXk|,53D#foO#

v \m1XkPJ1D}LT7#Z53JOs2+YwkV4#

v ;&C|D LIBPATH 73d?,r*bI\<BIExL0k;IEb#

v T}MzYm~(tcpdump"trace);CZKwD53O9C#

v d{-i(g HTTP);\CZ+2E"(}gZ_D5)#

v ;I9C TCP-based NFS#

v ;*3hC'TIF/iJDCJ(#h8D~+\=J1DmI(;r ACL D#$#

v \m AIX 1v9C root C'(^#yPyZG+MyZiD\mZ(&\0 AIX DX(zF<;|,Z

CAPP/EAL4+ {OTP#

v \m1;C9C/,Vx4VdMMEJ4#;PZ;PNNVxKP1EIT4PVxdC#

CAPP/EAL4+ 53DYw73

TZCAPP/EAL4+,XkzcTBYwhsM}L:

v g{9CDG Hardware Management Console(HMC),HMC ;ZomXFD73P#

v ;P-}Z(DK1E\CJYw73M HMC#

v g{*9C HMC,r HMC ;\CZTBNq:

– VxDu<dC#ZdC&m}LP,Vx;\Gn/D#

– XBt/0RpD1Vx

v ZQdCD53D{vYwP;C9C HMC#

v Xk{C53D0Xt1&\#

v Xk{C6LwFbwwCJ53#

v g{ AIX ZtCK LPAR D73PKP,r\m1&i4 LPAR D5TqCXZ_-VxD EAL4+ Y

wDhs#

v XkZ_-VxO{C~q(^&\#


CAPP/EAL4+ 53D53dC

>Za) CAPP/EAL4+ 53Pf0DXZS53dC=fDE"#

\m

\m1XkC{GvKC'J'G<,"9C su |nI*53\mD root C'#*P'h9Bb root J'

D\k,vJmZ(D\m1Z root J'O9C su |n#*7#b;c,k4PTBYw:

1. mSn= /etc/security/user D~D root Z,4gBy>:

root:
        admin = true
        ...
        sugroups = SUADMIN

2. Zv|,Z(\m1DC'j6D /etc/group D~P(ei,gBy>:

system:!:0:root,paul
staff:!:1:invscout,julie
bin:!:2:root,bin
...
SUADMIN:!:13:paul

\m12XkqXTB}L:

v ("k5V3)}L47#iIV<=53D2~"m~ML~i~T2+D=="<"20MdC#

v 7#53QdC9C;P\m1\QBDIEm~}k=53#

v 5V}LT7#C'S.PG<h8(g IBM 3151 UK)"z.0e}A;#

C'kKZdC

C'kKZD AIX dC!nXkhC*zc@@Dhs#5JDh*G}7Bb=\kDEJ&CAY*;Y

rV.;,"RZ;VSZ(}44"Tx}7Bb=\kDEJ&CAY*.rV.;#

TB>}PyT>D /etc/security/user D~9C /usr/share/dict/words VdPm#/usr/share/dict/wordsD~|,Z bos.data D~/P#ZdC /etc/security/user D~.0,zXk20 bos.data D~

/#/etc/security/user D~DFv5gB:

default:
        admin = false
        login = true
        su = true
        daemon = true
        rlogin = true
        sugroups = ALL
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        umask = 077
        expires = 0
        SYSTEM = "compat"
        logintimes =
        pwdwarntime = 5
        account_locked = false
        loginretries = 3
        histexpire = 52
        histsize = 20
        minage = 0
        maxage = 8
        maxexpired = 1
        minalpha = 2
        minother = 2
        minlen = 8
        mindiff = 4
        maxrepeats = 2
        dictionlist = /usr/share/dict/words
        pwdchecks =
        dce_export = false

root:
        rlogin = false
        login = false
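As an added illustration (not IBM code and not part of this guide), the following Python evaluates a candidate password against the composition attributes that appear in the /etc/security/user default stanza above: minlen, minalpha, minother, mindiff, maxrepeats, histsize and dictionlist. The attribute meanings follow their AIX definitions; interpreting mindiff as the number of distinct characters of the new password that do not occur in the old one is an assumption, and the dictionary and history values are constructed stand-ins for /usr/share/dict/words and a user's password history.

```python
# Added example, not IBM code: enforcement of the password-composition
# attributes from the /etc/security/user stanza above.  Values copied from
# the stanza; dictionary and history below are constructed stand-ins.
POLICY = {
    "minlen": 8,      # minimum length (AIX also requires at least minalpha + minother)
    "minalpha": 2,    # minimum alphabetic characters
    "minother": 2,    # minimum non-alphabetic characters
    "mindiff": 4,     # minimum characters not present in the old password (assumed: distinct chars)
    "maxrepeats": 2,  # maximum number of times any one character may occur
    "histsize": 20,   # number of previous passwords that may not be reused
}

# constructed stand-in for the dictionlist file /usr/share/dict/words
DICTIONARY = {"password", "welcome", "letmein", "system", "aix"}


def check_password(new, old="", history=(), policy=POLICY, dictionary=DICTIONARY):
    """Return the names of the attributes the new password violates (empty list = accepted)."""
    failures = []
    alpha = sum(1 for c in new if c.isalpha())
    other = len(new) - alpha
    if len(new) < max(policy["minlen"], policy["minalpha"] + policy["minother"]):
        failures.append("minlen")
    if alpha < policy["minalpha"]:
        failures.append("minalpha")
    if other < policy["minother"]:
        failures.append("minother")
    # mindiff only applies when there is an old password to compare against
    if old and len(set(new) - set(old)) < policy["mindiff"]:
        failures.append("mindiff")
    if any(new.count(c) > policy["maxrepeats"] for c in set(new)):
        failures.append("maxrepeats")
    if new.lower() in dictionary:
        failures.append("dictionlist")
    if policy["histsize"] and new in list(history)[-policy["histsize"]:]:
        failures.append("histsize")
    return failures


if __name__ == "__main__":
    for candidate in ("password", "aaa12345", "Tr0ub4dor!"):
        print(candidate, check_password(candidate) or "accepted")
```

check_password() reports every violated attribute rather than stopping at the first, which is what an administrator tuning these values wants to see when testing a proposed policy.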

;&CC%vC'DX(hC2G /etc/security/user D~PD1!hC#

":Z root ZhC login = false h91SD root C'G<#;PTZC root J'P su X(DC'J'

E\T root J'G<#g{t/0\x~q1%wT"Mms\kxC'J'D53"/%w,|\x(

yPDC'J'#K%wI\h9NNC'(|(\mC')G<=C53#;)x(3C'DJ',C

C'+;\G<,1=53\m1Z /etc/security/lastlog D~PXBhCCC'D

unsuccessful_login_count tT!Zloginretries C'tTD5#g{x(KyPD\mJ',I\h

*XBt/53=,$=="KP chsec |n#PX9C chsec |nD|`E",kNDZ 28 3D:C

'J'XF;#

/etc/security/login.cfg D~DFv5*gB:

default:
        sak_enabled = false
        logintimes =
        logindisable = 4
        logininterval = 60
        loginreenable = 30
        logindelay = 5

J4^F

1Z /etc/security/limits D~PhCJ4D^F1,7#C^F{O53OxLDh*#XpG stack k rss

s!v;&ChC* unlimited#;\^FDQ;I\2G}KPDxLDd|N,R;\^FD rss s!J

mxL9CyPD5Zf,rKTd|xLlIKJ4Jb#stack_hard M rss_hard Ds!2&\=^F#

sFS53

TB}Loz#$sFS53:

v dCsFS534G<C'yPD`X2+Tn/#*7#sF}Lh*DD~UdIC"R;\D~5

3UdDd{M'p5,k*sF}]hC(CDD~53#

v #$sFG<(gsFzY"bD~kd|yPf"Z /audit D}]),Sx9G root C';\CJ#

v TZ CAPP/EAL4+ 53,19CsFS531,XkhC bin ==sF#PXgN("sFS53DE",

kN<Z 53 3D:hCsF;#

v 53PAY 20% DICELUd&CIsFzY(C#

v g{tCKsF}L,r /etc/security/audit/config D~D start ZPD binmode N}&ChC* panic#

Z bin ZPD freespace N}n!&dC*HZ 25% DIf"sFzY(CDELUd5#bytethreshold

k binsize N}?v<&ChC* 65536 VZ#

v S53=4sFG<=CZD5D@CTf"w#


xgdC

xgdCXk9C0rXxKZNbCJXF1(DACinet)47#;\d{9C X -i(X11)k NFS#P

X dacinet |nD|`E",kNDZ 123 3D:yZC'D TCP KZCJXFMrXxKZDxPTwC

JXF;#

dacinet |nh9vVTBiv:

v C X11 !zm;C'@fDC'#

v r NFS ~qw(C~qwJmC'I* root C')1lksDM'zODC'#(#,C'(}"vks

=>XwzOD0_-D~531,;sC53"vks(T root C'm])=6L~qw,Sx5VCJ

6L NFS ~qw#* root C'vhC ACL R;JmF}KKZ47#C';\1S"M-iks= NFS

~qw#

53~q

BmT>KPZ CAPP/EAL4+ 53ODj<53~q(g{;P<N()#

m 1. j<53~q

UID |n hv

root /etc/init u</xL

root /usr/sbin/syncd 60 D~53 sync X$Lr

root /usr/sbin/srcmstr SRC wX$Lr

root /usr/sbin/cron x AT 'VD CRON h8

root /usr/ccs/bin/shlap64 2mDb'VX$Lr

root /usr/sbin/syslogd Syslog X$Lr

root /usr/lib/errdemon AIX msU>X$Lr

root /usr/sbin/getty /dev/console getty / TSM

root /usr/sbin/portmap CZ NFS k CDE DKZ3dLr

root /usr/sbin/biod 6 NFS M'Lr

root /usr/sbin/rpc.lockd NFS x(X$Lr

daemon /usr/sbin/rpc.statd NFS stat X$Lr

root /usr/sbin/rpc.mountd NFS 20X$Lr

root /usr/sbin/nfsd NFS ~qwX$Lr

root /usr/sbin/inetd Inetd wX$Lr

root /usr/sbin/uprintfd ZKr!X$Lr

root /usr/sbin/qdaemon ESX$Lr

root /usr/lpp/diagnostics/bin/diagd oO

KP CAPP/EAL4+ V<=53

*KP CAPP/EAL4+ `&DV<=53,yPC'Z+?53OXkP,yDC'j6#d;bIC NIS 4

o=,Ca{TZ CAPP/EAL4+ 539;;2+#>Zhv;vV<=DhC,|7#C'j6Z

CAPP/EAL4+ `&D+?53OG`,D#

wXz53f"CZ{vV<=53D6pkO$}](C'kiDdC)#yPd|539C NFS 420K

}]#NFS I DACinet #$,by;P\m1\ZwXzCJ NFS KZ#

Nb53ODNb\m1<I9C$_(g SMIT)4|DO$}]#ZwXzOTom==|DO$}]#

yP2m6pkO$}]4TZ /etc/data.shared ?<##fD6pkO$D~I{E4Sf;*

/etc/data.shared ?<#

V<=53OD2mD~: ZV<=53PTBD~G2mD#(#,|G4TZ /etc/security ?<#

/etc/group    /etc/group D~

/etc/hosts    /etc/hosts D~

/etc/passwd    /etc/passwd D~

/etc/security/.ids    B;vICDC'kij6

/etc/security/.profile    CZBC'D1! .profile D~

/etc/security/acl    /etc/security/acl D~f"CZ\#$D~qD536'D ACL (e,b)~q+I /etc/rc.tcpip D

~ZB;N53}<1XB$n#

/etc/security/audit/bincmds    CZCwzDb==sF|n

/etc/security/audit/config    >XsFdC

/etc/security/audit/events    sFB~kq=DPm

/etc/security/audit/objects    CwzOsFTsDPm

/etc/security/audit/streamcmds    CZCwzDw==sF|n

/etc/security/environ    ?vC'D73d?

/etc/security/group    4T /etc/security/group D~D)9iE"

/etc/security/limits    ?vC'DJ4^F

/etc/security/passwd    ?vC'D\k

/etc/security/priv    53t/1*8(*PX(DKZPZ /etc/security/priv D~P

/etc/security/services    PZ /etc/security/services D~DKZO*Gb} ACL liD

/etc/security/user    ?vC'k1!C'DtT

V<=53PG2mD~: /etc/security ?<PDTBD~ZV<=53PG;2mD,xG#t*X(w

z9C:

/etc/security/failedlogin    ?(wzG<'\DU>D~

/etc/security/lastlog    PXCwzOns;NI&k;I&G<D?vC'E"

/etc/security/login.cfg    IE76"G< shell kd|G<`XE"DX(wzG<Xw

/etc/security/portlog    CwzOCZx(KZD?vKZE"

2mD~T/zID8]D~2GG2mD#8]D~k-<D~P`,D{F,+P!4V8 o Dxp#

hCV<=53(w53): ZwXz,4(BD_-m,|#tCZ6pkO$D}]DD~53#C_

-m|{* /dev/hd10sec R|w* /etc/data.master 20Zw53#*ZwXzzIXhD|D,CwX

zD IP X7M{FKP mkCCadmin |n,gBy>:

mkCCadmin -m -a ipaddress hostname

hCV<=53(yP53): F/yP*2mD}]= /etc/data.shared ?<#t/1,yP53(}

/etc/data.shared ?<20wXzD /etc/data.master ?<#wXz>m9CXM20#

M'z53(}KPTB|nhC:

mkCCadmin -a ipaddress hostname

*|DM'zT9C;,DwXz,k9C chCCadmin |n#

53/I=V<=6pkO$53s,zITBnbD inittab n:

isCChost    u</53* CAPP/EAL4+ ==#

rcCC    e}yP DACinet ACL ";r*KZ3dLrM NFS yhDKZ#;s|SX2m?<#

rcdacinet    0k\m1I\Q(eD=S DACinet ACL#

1KPV<=531,k<GTBZ]:

v \m1Xk7#Z|D2mdCD~0QSXK2mD}],T#$ZyPD53O<\4=2mD}

]#

v |D root C'\kG;PZ4SX2m?<1EJmD\mYw#

9C DACinet &\TqCyZC'MyZKZDxgCJXF

DACinet &\?~ICZ^FC'T TCP KZDCJ#h*XZ DACinet D|`E",kNDZ 123 3D:y

ZC'D TCP KZCJXFMrXxKZDxPTwCJXF;#}g,19C DACinet 4^F;x DACinet

&\D root C'T TCP/25 KZk>DCJ,;P4T CAPP/EAL4+ `&wzD root C'ITCJCKZ#

bViv^FK#fC'(}9C telnet ,S=\&KD TCP/25 KZ4[-gSJ~DI\T#

*Z}<1* TCP ,S$n ACL,S /etc/inittab KP /etc/rc.dacinet E>#|+A! /etc/security/acl D~PD(e"0X ACL =ZK#;&I ACL #$DKZ&CZ /etc/security/services D~PPv,C

D~9Ck /etc/services D~`,Dq=#

Y(yPQ,SD53DSx* 10.1.1.0/24,vTZ /etc/security/acl D~PD X(TCP/6000),root C'

D^(CJ ACL n+gB:

6000 10.1.1.0/24 u:root

Z CAPP/EAL4+ `&D53O20d|Dm~

\m1\Z CAPP/EAL4+ `&D53O20nbDm~#g{Cm~;GI root C'r;9C root C'X

(KPD,b+;a9 CAPP/EAL4+ {OT^'#dM>}|,;I#fC'KP";P SUID i~Dl+

&CLr#

mb,20D9C root C'X(KPDm~+9C CAPP/EAL4+ {OT^'#}g,bb6E;&C20O

ID JFS D}/Lr,r*|GTZK==KP#T root C'KPDd|DX$Lr(}g,SNMP X$L

r)2a9 CAPP/EAL4+ {OT^'#

CAPP/EAL4+ `&D53\YCZ@@dC,XpZL573#(#h*=S~q,byzz53+yZ@@

53,+;{O@@53D+7f6#

G<XF

1ZDZM\;S1!D AIX G<A;q!&sDE",}gwz{MYw53f>#b)E"JO9{G\

7(%"TDV=i=(#*2+T-r,zI\#{Z5320s!I\lX|DG<A;1!5#>ZV

[TBwb:

v :hCG<XF;

v :|DG<A;D6-{";

v Z 21 3D:|D+2@f73DG<A;;

v Z 21 3D:hC531!G<N};

v Z 21 3D:#$^KU\UK;

v Z 21 3D:?FT/"z;

KDE M GNOME @f53<P;)`,D2+T5w#PX KDE M GNOME D|`E",kND6AIX 5L

V5.2 208OkN<s+7#

PXC'"iM\kDE",kNDZ 23 3DZ 2 B, :C'"G+M\k;#

hCG<XF

*9COQ(}Bb\k4%w53,kZ /etc/security/login.cfg D~PgBy>hCG<XF:

m 2. /etc/security/login.cfg D~D0tT100(i51#

tT CZ PtYs(x

g)

CZ TTYs (i5 "M

sak_enabled Y Y false \Yh*02+"b|1#kNDZ 6 3D

:9C2+"b|;#

logintimes N Y ZK&8(JmG<DN}#

logindisable N Y 4 ZKUK,x 4 NT<G<'\s,{9d

G<#

logininterval N Y 60 Z 60 kZxPK8(D^'"Ts,{CU

K#

loginreenable N Y 30 ZT/{CUK 30 VSsXBtCCUK#

logindelay Y Y 5 Z=NvVG<a>.dDTk*%;D1

ddt#b+fE"T'\DN}I6Xv

S;}g,u<5* 5 1,C1ddtM*

5 k"10 k"15 k"20 k#

b)KZ^Fw*ZQ,SD.PUKO"SwC,x;GZxgG<9CD1UKO#zIZCD~P8(

T=UK,}g:

/dev/tty0:
	logintimes = 0600-2200
	logindisable = 5
	logininterval = 80
	loginreenable = 20

|DG<A;D6-{"

*@9ZG<A;OT>3)E",k`- /etc/security/login.cfg D~PD herald N}#1!D herald |

,fG<a>;pT>D6-{"#zIC chsec |nr1S`-D~4|DCN}#

TB>}C chsec |n|D1!D herald N}:

# chsec -f /etc/security/login.cfg -s default -a herald="Unauthorized use of this system is prohibited.\n\nlogin: "

PX chsec |nD|`E",kND6AIX 5L V5.2 |nN<s+,m 17#

*1S`-D~,kr* /etc/security/login.cfg D~"|B herald N}gB:

default:
	herald = "{94Z(9C>53 \nG<:"
	sak_enabled = false
	logintimes =
	logindisable = 0
	logininterval = 0
	loginreenable = 0
	logindelay = 0

":*9CC53|2+,k+ logindisable M logindelay d?D5hC*sZ 0(# > 0)#

|D+2@f73DG<A;

C2+T5w20l+2@f73(CDE)C'#Z1!ivB,CDE G<A;2T>wz{MYw53f>#

*@9T>KE",k`- /usr/dt/config/$LANG/Xresources D~,dP $LANG 8DG20ZzDzw

OD>XoT#

ZRGD>}P,Y( $LANG hC* C,+CD~4F= /etc/dt/config/C/Xresources ?<P#;s,r

* /usr/dt/config/C/Xresources D~"`-,T}%|,wz{MYw53f>D6-{"#

PX CDE 2+T5wD|`E",kNDZ 22 3D:\m X11 M CDE "bBn;#

hC531!G<N}

**m`G<N}hCy>1!5,}gG)I\h**BC'hCDN}(G<XTN}"G<XBtCM

G<Z?),k`- /etc/security/login.cfg D~#

#$^KU\UK

g{UK&ZG<4,4^KU\,G4yPD53<G`uD#153\m1CC,6(^tCDUK&Z

^KU\4,1,MavVnOXDJb#(#,NN1rC'k*{GDUK1<&C"z#C53UK&

ZG2+4,alI1ZD2+~2#*x(UK,k9C lock |n#g{zDgfG AIXwindows,k9

C xlock |n#

?FT/"z

m;v*X"DP'2+TJbGC'$1d+{GDJ'CZ^KU\4,lIDs{#bViv93k_

ITXFC'DUK,Sx1ZX#053D2+#

*$@b`1ZD2+~2,zIZ53PtCT/"z&\#*byv,k`- /etc/security/.profile D~,

*yPC'|,T/"z5,gB}y>:

TMOUT=600 ; TIMEOUT=600 ; export readonly TMOUT TIMEOUT

Z>}P,}V 600 GTk*%;,|HZ 10 VS#+G,C=(;Z shell Pz'#

1H0DYwJmzTyPC'?F4PT/"z_T1,53C'M\(}`-{GwTD .profile D~4

F};)^F#*Kj+5VT/"z_T,XkI!(~Dk),4xC'a)J1D .profile D~,h9

Tb)D~D4CJ(#

\m X11 M CDE "bBn

>ZV[Kf0 X11 X ~qwM+2@f73(CDE)D1Z2+uc#

}% /etc/rc.dt D~

!\C'KP CDE SZ\=c,+GP)2+T5wk.PX#IZbv-r,k;*Zh*_6p2+T

D~qwOKP CDE#nCDbv=8G\b20 CDE(dt)D~/#g{zQ-ZzD53O20Kb)D

~/,GM<G+d6X,XpGt/ CDE D /etc/rc.dt E>#

|`XZ CDE DE",kND 6AIX 5L V5.2 53\m8O:Yw53kh87#

h96L X ~qwD4-Z(D`S

k X11 ~qwPXD;vX*2+JbG6L~qwD4-Z(D2,`S#xwd M xwud |nITCZ`

S X ~qwn/,r*|GP\&6qw|,ba)6\kMd|tP}]#*bvbvJb,}%b)I4

PD~,}GZzDdCB|GGX*D,r_,w*8C,+Tb)|nDCJ(|D*;P root C'E\

CJ#

xwd M xwud |n;Z X11.apps.clients D~/#

g{z75h*#t xwd M xwud |n,<G9C OpenSSH r MIT Magic Cookie#b)Z}=&CLr

ozh9KP xwd M xwud |nyzzDgU#

PX OpenSSH M MIT Magic Cookies D|`E",kN<?v&CLrwTDD5#

{CMtCCJXF

X ~qwJm6Lwz9C xhost + |n4,S53#7#9C xhost + |n8(Kwz{,r*|{C

T X ~qwDCJXF#bJmz+CJ(ZhX(wz,TcZ`ST X ~qwD1Z%w#*+CJ(

ZhX(wz,KPgBD xhost |n:

# xhost + wz{

g{z;8(wz{,G4+CJZ(hyPwz#

PX xhost |nD|`E",kND6AIX |nN<s+,m 67#

{CKP xhost |nDC'mI(

7#J1X9C xhost |nDm;V=(G^FC|nv\I_P root C'(^DC'4P#*v=b;c,

9C chmod |n+ /usr/bin/X11/xhost DmI(|D* 744,gBy>:

chmod 744 /usr/bin/X11/xhost

Z 2 B C'"G+M\k

>BhvKgN\m AIX C'MG+#V[TBwb:

v :Root J';

v Z 24 3D:\mG+;

v Z 27 3D:C'J';

v Z 30 3D:hCxP2+C'J'Dd{ FTP;

v Z 33 3D:53XbC'J';

v Z 34 3D:CJXFm;

v Z 38 3D:\k;

v Z 42 3D:C'O$;

v Z 43 3D:ELdn53Ev;

Root J'

root J'5JO5PT53PyPLr"D~0J4D;\^FDCJ(#root J'G /etc/passwd D~P

C'j6(UID)* 0 DXbC',"R(#yxDC'{G root#";GbvC'{9C root J'b4X

b,xG UID D5 0#bb6E5P UID * 0 DNNC'25Pk root C';yD(^#"R,root J

'\G(}>X2+TD~O$#

root J'&C\GP\k,C\k&CS;2m#2053s,&"4x root J';v\k#;P53\m1

E\*@ root \k#53\m1&C;Z4Ph* root (^D53\m&\1Ew* root C'xPYw#

TZd|yPDYw,{G&C5X={GD;cC'J'#

/f: r* root J'2Gm`532+@$,yT-#w* root C'YwI\aT53zzp5#

{C1S root C'G<

1ZZMD;v#{%w=(Gq! root \k#

*\bK`%w,IT{C1SCJ root j6,;s*s53\m1(}9C su - |nq! root (^#}

KJm>}w*%wTsD root C',^F1SD root CJ9zIT`SD)C'q!K root CJ(0{

GYwD1d#ITi4 /var/adm/sulog D~v=b;c#m;V=(GtC53sF,b+(fK`n/#

*{9 root C'6LG<CJ,`- /etc/security/user D~#Z root nP8( false w* rlogin D5#

Z{C6L root G<.0,kli"<8I\953\m1CG root C'j6^(G<Div#}g,g{

C'DwD~53Qz,CC'+^(G<#g{{CK6L root G<,x\9C su - |n|D= root C

'DC'wD~53Qz,r root C'I\@6^(!CT53DXF#53\m1IT(}*{GT:4(

H;cC'D~53sDwD~53F}KJb#

PXXF root C'G<D|`E",kNDZ 13 3D:CAPP/EAL4+ 53D53dC;#

© Copyright IBM Corp. 2002, 2003 23

\mG+

IT+ root C'(^D;?VVdxG root C'#x;,D root C'NqVd;,D(^#b)(^Vi

IG+"8(x;,DC'#

>Z-GTBwb:

v :G+Ev;

v :9C SMIT hCM,$G+;

v Z 25 3D:mbZ(;.

G+Ev

G+IZ(9I#b)Z(JmC'KP(#h* root C'mI(D&\#TBGP'G+DPm:

mSk}%C' TZKG+,JmNNC'w* root C'Yw#|

G\;mSk}%C'"|DC'E""^DsF

`"\miM|D\k#4PC'\mDNNKX

kZ security iP#

|DC'\k JmC'|D\k#

\mG+ JmC'4("|D"}%MPvG+#C'Xk

Z security iP#

8]kV4 JmC'8]kV4D~530?<#CG+9;

cT9C mksysb tC538]MV4,9h*J1

D(^#

;8] JmC';8]D~530?<#C'XkPtC

538]DJ1(^#

KPoO JmC'r~qzmKPoO0oONq#C'X

k+ system 8(*wiM|, shutdown Di/

O#

":&ZKPoOG+DC'I|D53dC"|

B"kHH#KG+DC'Xkj+mbCG+y

*sD0p#

53Xz JmC'XU"XB}<r#953#

9C SMIT hCM,$G+

TB SMIT lY76ICZ5VM,$G+:

m 3. hCM,$G+Nq

Nq SMIT lY76

mSG+ smit mkrole

|DG+Xw smit chrole

T>G+Xw smit lsrole

}%G+ smit rmrole

Pv+?G+ smit lsrole

mbZ(

Z(GC'D(^tT#Z(JmC'4P3)Nq#VPTBZ(`M:

y>Z(

JmC'KPX(D|n#}g,RoleAdmin Z(GJmC'\m1KP chrole |nDy>Z(#^

KZ(,;^DG+(exU9|n#

Z(^N{

vSC'D\&#}g,UserAdmin Z(GvStZ security iDC'\m1D\&DZ(^N{#

^KZ(,mkuser |nv4(G\m1C'#PKZ(,mkuser |n24(\m1C'#

Z(4PTB&\:

Backup4P538]#TB|n9C Backup Z(:

Backup8]D~MD~53#C'\m1Xk5P Backup Z(#

DiagnosticsJmC'KPoO#2h*(^1SS|nPKPoONq#TB|n9C Diagnostics Z(:

diag Z!(DJ4OKPoO#g{C'\m1;P Diagnostics (^,|nax#

GroupAdminTi}]4P root C'&\#TB|n9C GroupAdmin Z(:

chgroup|DNbiE"#g{C';P GroupAdmin Z(,v\|DG\miE"#

chgrpmem\myPi#g{i\m1;P GroupAdmin Z(,v\|Dy\mDiPDiI1r|Di

2+TPDC'T\mNbG\mi#

chsec ^D /etc/group M /etc/security/group D~PD\mi}]#C'2\^D1!D Z5#

g{C';P GroupAdmin Z(,v\^D /etc/group M /etc/security/group D~PDG

\mi}]#

mkgroup4(Nbi#g{C';P GroupAdmin Z(,v\4(G\mi#

rmgroup}%Nbi#g{C';P GroupAdmin Z(,v\}%G\mi#

ListAuditClassesi4P'sF`DPm#9CKZ(DC'\m1;XG root C'rZsFiP#

9C smit mkuser r smit chuser lY76Pvzzr|DC'DICsF`#kZ AUDITclasses VNPdksF`Pm#

PasswdAdminT\k}]4P root C'&\#TB|n9C PasswdAdmin Z(:

chsec ^DyPC'D lastupdate M flags tT#Z;P PasswdAdmin (^DivB,chsec |

nvJmC'\m1^DG\mC'D lastupdate M flags tT#

lssec i4yPC'D lastupdate M flags tT#^ PasswdAdmin Z(,lssec |nvJmC'

\m1i4G\mC'D lastupdate M flags tT#

Z 2 B C'"G+M\k 25

pwdadm|DyPC'D\k#C'\m1XkZ security iP#

PasswdManageTG\mC'4P\k\m&\#TB|n9C PasswdManage Z(:

pwdadm|DG\mC'D\k#\m1XkZ security iPr_5P PasswdManage Z(#

UserAdminTC'}]4P root C'&\#v5P UserAdmin Z(DC'\^DC'DG+E"#^KZ(,

;\CJr^DC'sFE"#TB|n9C UserAdmin Z(:

chfn |DNbC';cE"(gecos)VN#g{C';P UserAdmin Z(+GZ security iP,

r{GIT|DNNG\mC'D gecos VN#qr,C'v\|DT:D gecos VN#

chsec ^D /etc/passwd"/etc/security/environ"/etc/security/lastlog"/etc/security/limits M

/etc/security/user D~PD\mC'}],|(G+tT#C'\m12\^D1!Z5M

/usr/lib/security/mkuser.default D~,;|(sF`tT#

chuser|D}KsF`tTDNbC'E"#g{C';P UserAdmin Z(,v\|D}KsF`M

G+tTDG\mC'E"#

mkuser4(}KsF`tTDNbC'#g{C';P UserAdmin Z(,v\4(}KsF`MG+

tTDG\mC'#

rmuser}%NbC'#g{C';P UserAdmin Z(,v\4(G\mC'#

UserAuditJmC'^DC'sFE"#TB|n9C UserAudit Z(:

chsec *G\mC'^D mkuser.default D~DsF`tT#g{C'P UserAdmin Z(,2\

*\m0G\mC'^D mkuser.default D~DsF`tT#

chuser^DG\mC'DsF`tT#g{C'\m1P UserAdmin Z(,2\^DyPC'DsF

`tT#

lsuser g{C'G root C'rZ security i,i4CG\mC'DsF`tT#g{C'\m1P

UserAdmin Z(,2\i4yPC'DsF`tT#

mkuser4(BC'"JmC'\m1VdG\mC'DsF`tT#g{C'\m1P UserAdmin Z

(,2\^DyPC'DsF`tT#

RoleAdminTG+}]4P root C'&\#TB|n9C RoleAdmin Z(:

chrole ^DG+#g{C'\m1;P RoleAdmin Z(,|nax#

lsrole i4G+#

mkrole4(G+#g{C'\m1;P RoleAdmin Z(,|nax#

rmrole}%G+#g{C'\m1;P RoleAdmin Z(,|nax#

Restore4P53V4#TB|n9C Restore Z(:

RestoreV48]D~#C'\m1Xk5P Restore Z(#

Z(|nPm

BmPvK|nM|G9CDZ(#

|n mI( Z(

chfn 2555 root.security UserAdmin

chuser 4550 root.security UserAdmin, UserAudit

diag 0550 root.system Diagnostics

lsuser 4555 root.security UserAudit, UserAdmin

mkuser 4550 root.security UserAdmin, UserAudit

rmuser 4550 root.security UserAdmin

chgroup 4550 root.security GroupAdmin

lsgroup 0555 root.security GroupAdmin

mkgroup 4550 root.security GroupAdmin

rmgroup 4550 root.security GroupAdmin

chgrpmem 2555 root.security GroupAdmin

pwdadm 4555 root.security PasswdManage, PasswdAdmin

passwd 4555 root.security PasswdManage, PasswdAdmin

chsec 4550 root.security UserAdmin, GroupAdmin, PasswdAdmin, UserAudit

lssec 0550 root.security PasswdAdmin

chrole 4550 root.security RoleAdmin

lsrole 0550 root.security RoleAdmin

mkrole 4550 root.security RoleAdmin

rmrole 4550 root.security RoleAdmin

backup 4555 root.system Backup

restore 4555 root.system Restore

C'J'

v Z 28 3D:FvC'tT;

v Z 28 3D:C'J'XF;

v Z 29 3D:G<C'j6;

v Z 29 3D:9CCJXFmv?C'2+T;

v Z 29 3D:PATH 73d?;

FvC'tT

C'\mI4(C'MiT0(e|GDtT9I#C'D;vw*tTGgNT{GxPO$#C'G53

Dw*zm#dtTXF{GDCJ("73"gNT{GxPO$T0gN"N1"ZDoITCJ{GD

J'#

iGT#$J42m,;CJmI(DC'/O#;viP;vj6,RIiI1M\m1iI#iD4(_

(#MGZ;\m1#

ITT?vC'J'hC`vtT,|,\kMG<tT#PXIdCtTDPm,kNDZ 43 3D:EL

dn53Ev;#FvTBtT:

v ?vC'&P;v;kd{C'2mDC'j6#yP2+@$k)MpN$_vZ?vC'<P(;j

61pwC#

v *53C'8(;vTdPbeDC'{#nC9C5J{F,r*s`}gSJ~539CC'j6*

SUDJ~jE#

v 9CyZ Web D53\mwr SMIT gfmS"|DM>}C'#d;IT(}|nP44PyPb)N

q,+b)gfPzZuY!ms#

v ZC'<8CG<530;**C'J'a)u<\k#g{Z /etc/passwd D~P+\kVN(e* *(G

E),d;J'E"C=#f,+;\G<=CJ'#

v ;*|D53}#KPyhDI53(eDC'j6#53(eDC'j6^PZ /etc/passwd D~P#

v ;civB,;*+NNC'j6D admin N}hC* true#;P root C'IT*Z /etc/security/user D~PhC* admin=true DC'|DtT#

Yw53'V(#vVZ /etc/passwd M /etc/group D~PDj<C'tT,}g:

O$E" 8(\k

>$ 8(C'j6"weiM9dij6

73 8(w73r shell 73#

C'J'XF

?vC'J'P;i`XtT#19C mkuser |n4(C'1,b)tTy]1!54(#b)tTIT(

}9C chuser |n4^D#TBC'tT;CZXFk\kJ?^XD=f:

account_locked g{Xkw7Xx(J',rCtTIThC* true;1!5G false#

admin g{hC* true,rCC'^(|D\k#;P\m1IT|D|#

admgroups PvKC'_P\m(^Di#TZb)i,CC'ITmSr>}I1#

auth1 CZZ(C'CJDO$=(#dMX,+|hC* SYSTEM,;s+9COBD=(#

auth2 4 auth1 8(D^[24TC'xPO$sKPD=(#|^(h9T53DCJ#dMX,+|h

C* NONE#

daemon K<{N}8(GqJmC'9C startsrc |nt/X$LrrS53#|2^FT cron M at h

8D9C#

login 8(GqJmCC'G<#

logintimes ^FC'N1ITG<#}g,C'I\;^F;\Z}#*51dCJ53#

registry 8(C'"am#ITCZf*53C'E"D8C"am,}g NIS"LDAP r Kerberos#

rlogin 8(GqJmCC'(}9C rlogin r telnet G<#

su 8(d{C'GqIT9C su |nP;AKj6#

sugroups 8(JmDviP;AKC'j6#

ttys ^F3)J'xkom2+xr#

expires \m'zrCMJ';2ITCZY1XUJ'#

loginretries 8(C'j6;53x(.0,xDIT"TG<'\DnsN}#'\D"TG<Z

/etc/security/lastlog D~P#

umask 8(C'Du< umask#

yPDC'tTZ /etc/security/user"/etc/security/limits"/etc/security/audit/config M /etc/security/lastlog D~P(e#9C mkuser |n4(DC'1!5Z /usr/lib/security/mkuser.default D~P8(#;P2

G /etc/security/user M /etc/security/limits D~PD default ZPD;c1!5D!nMsF`XkZ

mkuser.default D~P8(#b)tTPD;)XFC'gNITG<,"RITdCb)tTZ8(ivB

T/x(C'J'(h9x;=G<)#

C'J'I53x(s,C'^(G<1=53\m1XBhCCC'Z /etc/security/lastlog D~PD

unsuccessful_login_count tT5!ZG<XT5#IT9CTB chsec |njI,gBy>:

chsec -f /etc/security/lastlog -s username -a unsuccessful_login_count=0

IT9C chsec |nZ`&2+TD~(}g /etc/security/user r /etc/security/limits D~)P`- default

Z4|D1!5#+m`1!5(e*j<P*#*w7X8(?N4(BC'1*hCDtT,k|D

/usr/lib/security/mkuser.default PD user n#

*Kb)9C'\ktTDE",kN<Z 38 3D:\k;#

G<C'j6

Yw53(}C'DG<C'j646p{G#G<C'j6Jm53IT7YyPC'YwA|GD4#Z

C'G<53s,u<C'LrKP0,53+xLDG<j6hC*ZC'}]bPR=DC'j6#G<

a0}LPyPsLxL<CKj6vjG#b)jGa)G<C'j64PDyPn/DY##C'ITZ

a0}LPXBhCP'C'j6"f5C'j6"P'ij6"f5ij6Mv9ij6,+;\|DG<

C'j6#

9CCJXFmv?C'2+T

*Z53O!C2+TD`&.=,**";v;BD2+T_T4\mC'J'#n#CD2+zFGCJ

XFm(ACL)#PX ACL M*"2+T_TDE",kNDZ 34 3D:CJXFm;#

PATH 73d?

PATH 73d?G;vX*D2+XF#|8(QwD?<4iR|n#1!536'D PATH 5Z

/etc/profile D~PxP8(,xR?vC'(#ZT:D $HOME/.profile D~P<P;v PATH 5#.profile D~PD PATH 5IT+536' PATH 52G,rr|mSnbD?<#

T PATH 73d?D4Z(|DI\9C53PDC'0[-1d{C'(|( root C')#gS[-Lr

(2F*XeA>mLr)|;K53|n,;s6qxC|nDE",}gC'\k#

}g,Y(C'|D PATH 5953KP|n1WHiR /tmp ?<#;sCC'Z /tmp ?<PEC;v

F* su DLr,CLrMs su |n;y*s root \k#SE,C /tmp/su Lr+ root \kJDxCC

',"ZKv0wC su |n#ZbVivB,NN9C su |nD root C'+)6 root \k,xRT:u

A94b6=#

53\m1MC'*@9XZ PATH 73d?DNNJb,k4PTBYw:

v 1P=3I1,k8(+76{#g{8(K+76{,+vT PATH 73d?#

v Pp+10?<(I . 8((dc))ek* root C'8(D PATH 5P#PpJmZ /etc/profile P

8(10?<#

v root C'&1Zd=PD .profile D~PPT:D PATH f6#(#,/etc/profile PDf6PvKTZ

yPC'DnYj<,;x root C'I\h*H1!5|`r|YD?<#

v /fd{C'Z;PI/53\m1DivB,;*|D{GD .profile D~#qr,IEDC'I\vv

|DJm^b6DCJ#&+C' .profile D~DmI(hC* 740#

v 53\m1;&9C su |nSC'a0P!C root C'X(,r*Z .profile D~P8(DCC' PATH5GP'D#C'IThC{GT:D .profile D~#53\m1&1w* root C'rnC9C{GT:

Dj6G<=C'Dzw,;s9CTB|n:

/usr/bin/su - root

b7#Za0}LP9C root 73#g{53\m1Zm;C'a0PT root m]Yw,rZ{va0

P53\m1&18(+76{#

v #$dkVNVt{(IFS)73d?TbZ /etc/profile D~P|D#.profile PD IFS 73d?ITC

Z^D PATH 5#

hCxP2+C'J'Dd{ FTP

C=8IC|nPgfME>hCxP2+C'J'Dd{ ftp#

":C=8;\CZxP \XDCJ#$E*D~(CAPP)M @@#$6p 4+(EAL4+)&\D53P#

1. (}dkTB|ni$ bos.net.tcp.client D~/Q20=zD53O:

lslpp -L | grep bos.net.tcp.client

g{;PU=dv,rCD~/420#PXgN20D8>E",kND6AIX 5L V5.2 208OkN

<s+7#

2. (}dkTB|ni$53D /home ?<BGqAYP 8 MB DICUd:

df -k /home

=h 4 PDE>h* /home ?<BAYP 8 MB ICUd420yhDD~M?<#g{zh*vS

ICUdD}?,kND6AIX 5L V5.2 53\m8O:Yw53kh87#

3. 9C root (^,|D* /usr/samples/tcpip ?<#}g:

cd /usr/samples/tcpip

4. *hCJ',kKPTBE>:

./anon.ftp

5. 1a>7(*^D /home/ftp?1,dk yes#dv`FZTBT>:

Added user anonymous.
Made /home/ftp/bin directory.
Made /home/ftp/etc directory.
Made /home/ftp/pub directory.
Made /home/ftp/lib directory.
Made /home/ftp/dev/null entry.
Made /home/ftp/usr/lpp/msg/en_US directory.

6. |D= /home/ftp ?<#}g:

cd /home/ftp

7. (}dkTB|n4( home S?<:

mkdir home

8. (}dkTB|n+ /home/ftp/home ?<DmI(|D* drwxr-xr-x:

chmod 755 home

9. (}dkTB|n|D= /home/ftp/etc ?<:

cd /home/ftp/etc

10. (}dkTB|n4( objrepos S?<:

mkdir objrepos

11. (}dkTB|n+ /home/ftp/etc/objrepos ?<DmI(|D* drwxrwxr-x:

chmod 775 objrepos

12. (}dkTB|n+ /home/ftp/etc/objrepos ?<DyP_Mi|D* root C'M system i:

chown root:system objrepos

13. (}dkTB|n4( security S?<:

mkdir security

14. (}dkTB|n+ /home/ftp/etc/security ?<DmI(|D* drwxr-x---:

chmod 750 security

15. (}dkTB|n+ /home/ftp/etc/security ?<DyP_Mi|D* root C'M security i:

chown root:security security

16. (}dkTB|n|D* /home/ftp/etc/security ?<:

cd security

17. (}dkTB SMIT lY764mSC':

smit mkuser

Z>}P,RG*mS;v{* test DC'#

18. Z SMIT VNP,dkTB5:

C'{ [test]
\mC'? true
wi [staff]
i/ [staff]
m;C'I SU AC'? true
w?< [/home/test]

dk|D.s,4BX5|4(C'#Z SMIT }LjIs,Kv SMIT#

19. CTB|n*CC'4(\k:

passwd test

1a>1,dkZ{D\k#XkY;NdkB\kT7O#

20. (}dkTB|n|D= /home/ftp/etc ?<:

cd /home/ftp/etc

21. (}dkTB|n4F /etc/passwd D~= /home/ftp/etc/passwd D~:

cp /etc/passwd /home/ftp/etc/passwd

22. 9Cz26D`-w,`- /home/ftp/etc/passwd D~#}g:

vi passwd

23. S4FDZ]P>}} root"ftp M test C'TbDyPP#`-.s,Z]4p4&CkTB`F:

root:!:0:0::/:/bin/ksh
ftp:*:226:1::/home/ftp:/usr/bin/ksh
test:!:228:1::/home/test:/usr/bin/ksh

24. #f|D"Kv`-w#

25. (}dkTB|n+ /home/ftp/etc/passwd D~DmI(|D* -rw-r--r--:

chmod 644 passwd

26. (}dkTB|n+ /home/ftp/etc/passwd ?<DyP_Mi|D* root C'M security i:

chown root:security passwd

27. (}dkTB|n+ /etc/security/passwd D~Z]4F= /home/ftp/etc/security/passwd D~:

cp /etc/security/passwd /home/ftp/etc/security/passwd

28. 9Cz26D`-w,`- /home/ftp/etc/security/passwd D~#}g:

vi ./security/passwd

29. S4FDZ]P>%} test C'.bDyPZ#

30. S test C'ZP}% flags = ADMCHG P#`-.s,Z]4p4&CkTB`F:

test:
	password = 2HaAYgpDZX3Tw
	lastupdate = 990633278

31. #f|D"Kv`-w#

32. (}dkTB|n+ /home/ftp/etc/security/passwd D~DmI(|D* -rw-------:

chmod 600 ./security/passwd

33. (}dkTB|n+ /home/ftp/etc/security/passwd ?<DyP_Mi|D* root C'M security i:

chown root:security ./security/passwd

34. 9Cz26D`-w,`- /home/ftp/etc/security/group D~#}g:

vi ./security/group

35. +TBPmS=D~P:

system:*:0:
staff:*:1:test

36. #f|D"Kv`-w#

37. 9CTB|n+`&DZ]4F= /home/ftp/etc/objrepos ?<:

cp /etc/objrepos/CuAt ./objrepos
cp /etc/objrepos/CuAt.vc ./objrepos
cp /etc/objrepos/CuDep ./objrepos
cp /etc/objrepos/CuDv ./objrepos
cp /etc/objrepos/CuDvDr ./objrepos
cp /etc/objrepos/CuVPD ./objrepos
cp /etc/objrepos/Pd* ./objrepos

38. (}dkTB|n|D= /home/ftp/home ?<:

cd ../home

39. (}dkTB|n*zDC'B(;vw?<:

mkdir test

b+GBD ftp C'Dw?<#

40. (}dkTB|n+ /home/ftp/home/test ?<DyP_Mi|D* test C'M staff i:

chown test:staff test

41. (}dkTB|n+ /home/ftp/home/test D~DmI(|D* -rwx------:

chmod 700 test

K1,zQ-ZzwOhCK ftp SG<#zITCTBD}L4bT|#

1. 9C ftp,,S=z4( test C'Dwz#}g:

ftp MyHost

2. T anonymous G<#1a>dk\k1,4BX5|#

3. (}9CTB|n|DAB|4(D test C':

user test

1a>dk\k1,9CzZ=h Z 31 3D 19 P4(D\k#

4. 9C pwd |n4i$C'Dw?<GfZD#}g:

ftp> pwd
/home/test

dvT> /home/test w* ftp S?<#wzOD+76{F5JOG /home/ftp/home/test#

53XbC'J'

AIX a);i1!D53XbC'J',Th9 root M53J'5PyPYw53D~MD~53#

/f: 1}%53XbC'J'19C/f#zIT(}Z /etc/security/passwd D~`&PD*7ek;

vGE(*)4{CX(J'#;x,!D;*{C root C'J'#g{>}K53XbC'J'r{CK root

J',rYw53+;\}#KP#

TBJ'ZYw53P$(e:

adm adm C'J'5PTBy>53&\:

v oO,`&D$_f"Z /usr/sbin/perf/diag_tool ?<P#

v GJ,`&D$_f"ZTB?<P:

– /usr/sbin/acct

– /usr/lib/acct

– /var/adm

– /var/adm/acct/fiscal

– /var/adm/acct/nite

– /var/adm/acct/sum

bin bin C'J'(#5Ps`}C'|nDI4PD~#CJ'Dw*C>GozVdX*53?<MD

~DyP(,rKyP+w<;GI root M sys C'J'%@5PD#

daemondaemon C'J';G*K5PMKP53~qwxL0dX*DD~xfZ#CJ'#$b)xL9

CJ1DD~CJmI(KP#

nobodynobody C'J'I0xgD~531(NFS)CZtC6Lr!#PKbvJ',LrITJmT root

C'DY1 root CJ#}g,ZtC02+ RPC1r02+ NFS1.0,kliw NIS ~qwOD

/etc/public |TiR94Vd+C\?M2+\?DC'#w* root C',zIT*?v4VdDC

'Z}]bP4(;vn,(}dk:

newkey -u username

r_,zIT* nobody C'J'Z}]bP4(;vn,;sNNC'<ITKP chkey Lr4Z

}]bP4(|GT:Dnx^hw* root G<#

root root C'J',4 UID 0,(}CJ'zIT4P53,$NqMT53JbxPJOiR#

sys sys C'5P1!D0V<=D~~q1(DFS)_Y:fD20c,bXkZM'zO20rdC DFS

.0fZ#/usr/sys ?<2ITf"203s#

}%;X*D1!C'J'

ZYw5320}LP,a4(m`1!C'Mij6#y]zZ53OKPD&CLrM53ZxgPy&

D;C,dP3)C'Mij6ITI*2+uc,]W;K{C#g{b)C'Mij6G;X*D,G4

zIT+d}%T9zdPXD2+gUn!/#

BmPvKzI\\;}%n#CD+21!C'j6:

m 4. zI\\;}%D+21!C'j6#

C'j6 hv

uucp, nuucp uucp -iyCD~XD~DyP_#uucp C'J'GCZ0UNIX =

UNIX 4FLr1,CLrGZs`} AIX 53OfZD;i|n"Lr

MD~,|GJmC'9C(_rg0_km; AIX 53xP(E#

lpd r!S53y9CD~DyP_

imnadm IMN Qw}f(ID5bQw9C)#

guest JmG)^(CJJ'DC'CJ

BmPvKI\;h*D+2ij6:

m 5. I\;h*D+2ij6#

ij6 hv

uucp uucp M nuucp C'ytDi

printq lpd C'ytDi

imnadm imnadm C'ytDi

VvzD53T7(D)j675G;h*D#I\2fZd|zI\;h*DC'Mij6#ZzD536

kzz.0,4PICj6D9W@@#

CJXFm

CJXFI\#$DE"J4iI,d8(Zh-Tb)J4DCJ(#Yw53Jmh**~rTIv(D

2+T#E"J4DyP_ITZ(d|C'TG)J4DAr4CJ(#xhTsCJ(DC'IT4(C

TsDd|1>"xhZ}=CB(TsDCJ(#;x,;PTsyP_ITZhZ}=-<TsDCJ

(#;PTsDyP_M root C'GIT|DTsDCJ(DC'#

C';P|GT:DTsDyZC'DCJ(#(#,C'SUJ4DimI(r1!mI(#\mCJXF

Dnw*DNqG(eC'Di1m],r*b)i1m]v(KC'T;G{GT:DD~DCJ(#

CJXFm(ACL)(}mS^DQVdxvKMiDy>mI(D)9mI(4vSD~CJXFDJ?#

(})9mI(,ITJmr\x8(vKriDD~CJx^h|Dy>mI(#

":D~D ACL s!;\,v;Zf3(s< 4096 VZ)#

CJXF2f09C setuid M setgid LrM2=4j)4\m\#$J4#Yw53'V8V`MDE"

J4rTs#b)TsJmC'&m*f"r(EE"#s`}X*DTs`MgB:

v D~M?<(CwE"f")

v |{\@"{"SP"2mZfNMEE(CwxLdDE"+M)

?vTsP`XDyP_"iT0==#==(eyP_"iMd|C'DCJmI(#TBG;,Ts`M

D1SCJXFtT:

yP_ X(TsDyP_XFdTIv(DCJtT#yP_DtThC*4(xLDP'C'j6#TZD~53

Ts,yP_D1SCJXFtTZ;P root (^DivB;\|D#

T System V xLd(E(SVIPC)Ts,4(_ryP_<IT|DyP_#SVIPC TsP`XD5PyP

_DyP(^D4(_(|(CJZ()#;x,49_P root (^2;\|D4(_#

i SVIPC Tsu</*4(xLDP'ij6#TZD~53Ts,1SCJXFtTu</*4(xLDP'

ij6r8?<Dij6(bGI8?<DiLPj>7(D)#

TsDyP_IT|Di;BiXk*4(xLDP'ij6r8?<Dij6#TsDyP_IT|Di;

BiXk*P'iryP_D10xLD1ij6PDP'i#(gOyv,SVIPC TsP;\|D"2mTs

iCJZ(D`X4(i#)

,$ ACL,k9C aclget"acledit M aclput |n#

}V==(CKxFG}()D chmod |nIThCy>mI(MtT#chmod S}L(C|nwCD)

{C)9mI(#g{TP ACL DD~9C chmod |nD}V==,r{C)9mI(#chmod |nD

{E==;{C)9mI(#PX}V==M{E==DE",kN< chmod |n#

9C setuid M setgid Lr

Z`}ivBmI(;zFJmTJ4DP'CJXF#+TZ|+7DCJXF,Yw53a)K setuid M

setgid Lr#

s?VLrTwC|GDC'DC'MiCJ(4P#LryP_(}9CLrI* setuid r setgid Lr

ITX*wC|GDC'DCJ(;MG5,LrZdmI(VNZhCKxP setuid r setgid ;#1xL4

PLr1,xLq!LryP_DCJ(#setuid Lr9CdyP_DCJ(4P,x setgid LrPdiD

CJ(,"R=v;<ITy]mI(zF4hC#

d;xLVdPnbDCJ(,b)(^<I_Pb)(^DLrXF#rK,setuid M setgid LrJmd

SZhCJ(DC'`LDCJXF#Lrw*IES53,#$C'DCJ(#

d;IT\P'X9Cb)Lr,g{;!DhF+P2+TgU#XpX,LrZ|TPdyP_DCJ(

1v;5XXFxC',r*by+JmC'^^FX9CyP_D(^#

":vZ2+T-r,Yw53;'VZ shell E>ZD setuid r setgid wC#

\mCJ(

Yw53*53\ma)X(CJ(#53X(GyZC'Mij6D#xPP'C'rij6 0 DC'*X

(C'#

xP'C'j6 0 DxLF* root C'xL,"IT:

v A4NNTs

v wCNN53&\

v (}4P setuid-root Lr44P3)S53XFYw#

IT9C=`X(4\m53:su |nX(M setuid-root LrX(#su JmzwCDyPLr_Pw* root

C'xLD&\#su |n9CinD=(\m53,+;G\2+#

9;vLrI* setuid-root Lrb6ECLrGx setuid ;hCD root C'5PDLr#setuid-root L

ra)U(C';a#02+TMIT4PD\m&\;+X(b0ZLrPx;G1SZ(xC'#b0y

PX*D\m&\= setuid-root LrI\HO'Q,+G|a)53\mw|_D2+T#

y>mI(

y>mI(G+3DVd=D~yP_"D~iMd|C'DD~CJ==#CJ==G:A(r)"4

(w)M4P/Qw(x)#

Z ACL P,y>mI(*TBq=,xPm>* rwx(+?v;P8(DmI(|;*,V{(-))D Mode

N}:

base permissions:
	owner(name): Mode
	group(group): Mode
	others: Mode

tT

TBtTITmS= ACL:

setuid (SUID)hCC'j6(Set-user-ID)==;#CtTZKP1+P'D"Q#f}DxLDC'j6hC*

D~DyP_j6#

setgid (SGID)hCij6(Set-group-ID)==;#CtTZKP1+P'D"Q#f}DxLDij6hC*D~

Dij6#

savetext (SVTX)TZ?<,m>;PD~yP_\4Sr!{4S8(?<PDD~#

b)tTTTBq=mS:

attributes: SUID, SGID, SVTX

)9mI(

)9mI(JmD~DyP_|+7X(eCD~DCJ(#)9mI((}T8(DvK"iriMC'D

iOJm"\xr4PCJ==4^Dy>D~mI((yP_"i"d|)#(}9CX|V4^DmI

(#

permit"deny M specify X|V(egB:

permit ZhC'riTD~D8(CJ(

deny ^FC'ri9CTD~D8(CJ(

specify *C'ri+7X(eD~CJ(

g{(} deny r specify X|V4\xC'X(DCJ(,;PNNd|DnIT2GCCJ\x#

*9)9mI(z',enabled X|VXkZ ACL P8(#1!5* disabled X|V#

Z ACL P,)9mI(*TBq=:

extended permissions:
	enabled | disabled
	permit Mode UserInfo...:
	deny Mode UserInfo...:
	specify Mode UserInfo...:

?;v permit"deny r specify n<@"D;P#Mode N}m>I rwx(?v;P8(DmI(C,V

{(-)zf)#UserInfo N}m>I u:UserName r g:GroupName r:Et*D u:UserName M g:GroupName

DiO#

":g{Z;vnP8(`Z;vDC'{,Cn;\ZCJXFP(P9C,r*;vxL;P;v

C'j6#

CJXFPm>}

TB* ACL D;v>}:

attributes: SUID
base permissions:
	owner(frank): rw-
	group(system): r-x
	others: ---
extended permissions:
	enabled
	permit rw- u:dhs
	deny r-- u:chas, g:system
	specify r-- u:john, g:gateway, g:mail
	permit rw- g:account, g:finance

ACL nhvgB:

v Z;Pm>r*K setuid ;#

v B;Pi\Ky>mI(,bGI!D#

v B}P8(y>mI(#Z(EZDyP_Mi{;GE"#|Db){F;aDdD~yP_rD~

i#;P chown |nM chgrp |nIT|Db)D~tT#

v B;Pi\)9mI(,bGI!D#

v B;Pm>tCzfD)9mI(#

v nsDPG)9n#Z;v)9nZhC' dhs A(r)M4(w)D~DmI(#

v Z~v)9n;Z chas C'* system iDI11\xdA(r)CJ(#

v Z}v)9n8(;*C' john HG gateway iDI12G mail iDI1,r{M5PA(r)CJ(#

g{C' john ;Gb=viDI1,K)9mI(;JC#

v ns;v)9nZhZ account iM finance i=viPDNNC'A(r)M4(w)mI(#

":TksCJ\XTsDxLIJC`Z;v)9n,^FnEHZJm==#

PX+?o(,kND6AIX 5L V5.2 |nN<s+7PD acledit |n#

CJZ(

E"J4DyP_T\mCJ(:p#J4G\mI(;#$D,mI(;|,ZTsD==P#mI(;(

eZ(xTsyP_"TsiM others 1!`DCJmI(#Yw53'VI@"Z(D}V;,DCJ=

=(A"4M4P)#

1C'G<=J'(9C login r su |n)1,X*Vd=CJ'DC'j6Mij6=C'xL#b)j

67(xLDCJ(#

TZD~"?<"|{\@Mh8(X(D~),CJZ(gB:

v TZ ACL PD?vCJXFn(ACE),j6PmkxLj6`HO#g{%d,xLS\Cn(eDm

I(M^F#mI(M^FD_-"/GS ACL D?v%dnFcD#g{ksxL;P%dZ ACL P

DNNn,|S\1!nDmI(M^F#

v g{ksDCJ==*mI(|,ZmI("/P)R;G^F(|,Z^F"/P),rZ(CJ#q

r,\xCJ#

_PC'j6 0 DxLF* root C'xL#b)xL(#JmyPCJmI(#+Gg{ root C'xLk

s4PLrDmI(,;PZ4PmI(Z(=AY;vC'1EZ(CJ#

g{ZmPDyPj6%dksxL`&`MDP'j6,r ACL Dj6Pm%dxL#g{C'`Mj6

kxLPDP'C'j6`,rC'`Mj6%d,g{i`Mj6kxLPDP'ij6rv9ij6.;

`,ri`Mj6%d#}g,xPgBDj6PmD ACE:

USER:fred, GROUP:philosophers, GROUP:software_programmer

+%dxPP'C'j6* fred MihCgBDxL:

philosophers, philanthropists, software_programmer, doc_design

+G;%dxPP'C'j6 fred MihCgBDxL:

philosophers, iconoclasts, hardware_developer, graphic_design

"b,xPTBj6PmD ACE +%d=vxL:

USER:fred, GROUP:philosophers

;d05,ACE &\Pj6PmGXk**ZhD8(CJ(#tD4,/#

1TsZ;NCJ1,Z53wC6pOxPb)TsDyPCJmI(li#r* System V xLd(E

(SVIPC)Ts^4,CJ,yTT?;vCJvli#TZxPD~53{FDTs,Xk\;bv5JT

sD{F#{FbvITG`TD(`TZxL$w?<),2ITGxTD(`TZxLy?<)#yP{

Fbv(}Qwb)?<DdP.;*<#

TIv(DCJXFzFJmE"J4DP'CJXF"a)TE"Dz\TMj{TD@"#$#yP_X

FDCJXFzFv4UC'D*sP'#yPC'Xk*@CJmI(gNZ(M\xT0b)GgNhC

D#

Passwords

Guessing passwords is one of the most common attacks that a system experiences. Therefore, controlling and monitoring your password-restriction policy is essential. AIX provides mechanisms to help you enforce a stronger password policy, such as establishing values for the following:

- Minimum and maximum number of weeks that can elapse before and after a password can be changed
- Minimum length of a password
- Minimum number of alphabetic characters that can be used when selecting a password

This section discusses how AIX stores and processes passwords, and how you can enforce a strong password policy. Topics covered include:

- "Establishing Good Passwords" on page 39
- "Using the /etc/passwd File"
- "Using the /etc/passwd File and Network Environments" on page 40
- "Hiding User Names and Passwords" on page 40
- "Setting Recommended Password Options" on page 41
- "Extending Password Restrictions" on page 42

Establishing Good Passwords

Good passwords are an effective first line of defense against unauthorized entry into a system, if they are:

- A mixture of both uppercase and lowercase letters
- A combination of alphabetic, numeric, or punctuation characters. They may also contain special characters such as ~!@#$%^&*()-_=+[]{}|\;:'",.<>?/<space>
- Not written down anywhere
- Seven or eight characters in length, if the /etc/security/passwd file is used (if LDAP or another registry that supports longer passwords is used, a password longer than this maximum can be used)
- Not real words that can be found in any dictionary
- Not patterns of letters on the keyboard, such as qwerty
- Not real words or known patterns spelled backwards
- Free of any personal information about yourself, your family, or your friends
- Not the same pattern as a previous password
- Quick to type, so that someone nearby cannot watch the keyboard and determine the password

In addition to these mechanisms, you can further enforce stricter rules by restricting passwords so that they cannot include standard UNIX words, which are easy to guess. This feature uses the dictionlist, which requires that the bos.data and bos.txt filesets are installed first.

To implement the predefined dictionlist, edit the following line in the /etc/security/user file:

dictionlist = /usr/share/dict/words

With this setting, the words in the /usr/share/dict/words file are rejected as passwords, which prevents standard UNIX words from being used.

Using the /etc/passwd File

Traditionally, the /etc/passwd file is used to keep track of every registered user that has access to a system. The /etc/passwd file is a colon-separated file that contains the following information:

- User name
- Encrypted password
- User ID number (UID)
- User's group ID number (GID)
- Full name of the user (GECOS)
- User home directory
- Login shell

The following is an example of an /etc/passwd file:

root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:*:11:11::/var/spool/lp:/bin/false
invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh
nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
imnadm:*:188:188::/home/imnadm:/usr/bin/ksh
paul:!:201:1::/home/paul:/usr/bin/ksh
jdoe:*:202:1:John Doe:/home/jdoe:/usr/bin/ksh

By default, AIX does not store encrypted passwords in the /etc/passwd file in the way that other UNIX systems do; it stores them in the /etc/security/passwd file, which is readable only by the root user. AIX uses the password field in /etc/passwd only to indicate whether a password exists or whether the account is blocked.

The /etc/passwd file is owned by the root user and must be readable by all users, but only the root user has write permission, which is shown as -rw-r--r--. If a user ID has a password, the password field contains an ! (exclamation point). If the user ID does not have a password, the password field contains an * (asterisk). The encrypted passwords are stored in the /etc/security/passwd file. The following example contains the last four entries in the /etc/security/passwd file, based on the entries from the /etc/passwd file shown previously:

guest:
        password = *

nobody:
        password = *

lpd:
        password = *

paul:
        password = eacVScDKri4s6
        lastupdate = 1026394230
        flags = ADMCHG

The user ID jdoe does not have an entry in the /etc/security/passwd file because it does not have a password set in the /etc/passwd file.

The consistency of the /etc/passwd file can be checked with the pwdck command. The pwdck command verifies the correctness of the password information in the user database files by checking the definitions for all users or for specified users.
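The states that a reviewer of these two files looks for can be checked with a short script. The following is an added example, not part of the AIX guide and not the pwdck command: it reads two constructed samples laid out like /etc/passwd and /etc/security/passwd (the real /etc/security/passwd is root-readable only) and flags an empty password field, which lets the account in with no password at all; a password hash kept in the world-readable /etc/passwd; a ! marker with no stanza or an empty password behind it; and UID 0 accounts other than root. The sample accounts legacy, nopw and toor are invented for the illustration.

```shell
#!/bin/sh
# Added example, not from the AIX guide: a pwdck-style consistency check over
# the two password files the text describes. Both inputs are constructed
# samples that mimic /etc/passwd and /etc/security/passwd.

SAMPLE_PASSWD='root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
paul:!:201:1::/home/paul:/usr/bin/ksh
jdoe:*:202:1:John Doe:/home/jdoe:/usr/bin/ksh
guest:!:100:100::/home/guest:
legacy:x5Kq1mzPQ0JcA:203:1::/home/legacy:/usr/bin/ksh
nopw::204:1::/home/nopw:/usr/bin/ksh
toor:!:0:0::/:/usr/bin/ksh'

SAMPLE_SECPASSWD='root:
        password = eacVScDKri4s6
        lastupdate = 1026394230

daemon:
        password = *

paul:
        password = eacVScDKri4s6
        lastupdate = 1026394230
        flags = ADMCHG

guest:
        password = *

toor:
        password =
'

# pw_audit  -> one finding per line: SEVERITY user: description
pw_audit() {
  sec=${TMPDIR:-/tmp}/secpasswd.$$; pwf=${TMPDIR:-/tmp}/passwd.$$
  printf '%s\n' "$SAMPLE_SECPASSWD" > "$sec"
  printf '%s\n' "$SAMPLE_PASSWD" > "$pwf"
  awk '
    NR == FNR {                  # first file: /etc/security/passwd stanzas
      if ($0 ~ /^[^ \t:]+:[ \t]*$/) {          # "name:" opens a stanza
        cur = $1; sub(/:$/, "", cur); seen[cur] = 1
      } else if ($0 ~ /^[ \t]*password[ \t]*=/) {
        val = $0
        sub(/^[ \t]*password[ \t]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        hash[cur] = val
      }
      next
    }
    {                            # second file: colon-separated /etc/passwd
      split($0, f, ":")
      user = f[1]; field = f[2]; uid = f[3] + 0
      if (uid == 0 && user != "root")
        print "CRIT " user ": UID 0 account other than root"
      if (field == "")
        print "CRIT " user ": empty password field, login without a password"
      else if (field == "!") {
        if (!(user in seen))
          print "CRIT " user ": marked ! but has no /etc/security/passwd stanza"
        else if (hash[user] == "")
          print "CRIT " user ": stanza present but password is empty"
        else if (hash[user] == "*")
          print "INFO " user ": blocked by * in /etc/security/passwd"
      }
      else if (field != "*")
        print "WARN " user ": password hash stored in world-readable /etc/passwd"
    }' "$sec" "$pwf"
  rm -f "$sec" "$pwf"
}
```

On the sample data, pw_audit reports three CRIT findings (nopw, and two for toor), one WARN (legacy) and two INFO lines (daemon and guest, both blocked with *); root, paul and jdoe produce nothing, which is the consistent state the text describes.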

Using the /etc/passwd File and Network Environments

In a traditional networked environment, a user must have an account on each system to gain access to that system. That typically means that the user has an entry in the /etc/passwd file of each system. However, in a distributed environment, there is no easy way to ensure that every system has the same /etc/passwd file. To solve this problem, several methods, including the Network Information Service (NIS) and NIS+, make the information in the /etc/passwd file available over a network.

For more information about NIS and NIS+, see Chapter 12, "Network Information Service (NIS) and NIS+ Security", on page 181.

Hiding User Names and Passwords

To achieve a higher level of security, ensure that user IDs and passwords are not visible within the system. The .netrc files contain user IDs and passwords. These files are not protected by encryption or encoding, so their contents are displayed in clear text. To find these files, run the following command:

# find `awk -F: '{print $6}' /etc/passwd` -name .netrc -ls

After you locate these files, delete them. A more effective way to save passwords is to set up Kerberos. For more information about Kerberos, see Chapter 15, "Kerberos", on page 203.

Setting Recommended Password Options

Proper password management can only be accomplished through user education. But to provide some additional security, the operating system provides configurable password restrictions. These allow the administrator to constrain the passwords chosen by users and to force passwords to be changed regularly. Password options and extended user attributes are located in the /etc/security/user file, an ASCII file that contains attribute stanzas for users. These restrictions are enforced whenever a new password is defined for a user. All password restrictions are defined per user. By keeping restrictions in the default stanza of the /etc/security/user file, the same restrictions are enforced on all users. To maintain password security, all passwords must be similarly protected.

Administrators can also extend the password restrictions. Using the pwdchecks attribute of the /etc/security/user file, an administrator can add new subroutines (known as methods) to the password restrictions code. Thus, local site policies can be added to and enforced by the operating system. For more information, see "Extending Password Restrictions" on page 42.

Apply password restrictions sensibly. Attempts to be too restrictive, such as limiting the password space (which makes guessing the password easier) or forcing the user to select passwords that are difficult to remember (which might then be written down), can jeopardize password security. Ultimately, password security rests with the user. Simple password restrictions, coupled with sensible guidelines and an occasional audit (verifying that current passwords are unique), are the best policy.

The following table lists recommended values for some security attributes related to user passwords in the /etc/security/user file.

Table 6. Recommended Security Attribute Values for User Passwords

dictionlist
    Description: Verifies that passwords do not include standard UNIX words.
    Recommended value: /usr/share/dict/words. Default: not applicable. Maximum: not applicable.

histexpire
    Description: Number of weeks before a password can be reused.
    Recommended value: 26. Default: 0. Maximum: 260 (see note 1).

histsize
    Description: Number of password iterations allowed.
    Recommended value: 20. Default: 0. Maximum: 50.

maxage
    Description: Maximum number of weeks before a password must be changed.
    Recommended value: 8. Default: 0. Maximum: 52.

maxexpired
    Description: Maximum number of weeks beyond maxage that an expired password can be changed by the user. (The root user is exempt.)
    Recommended value: 2. Default: -1. Maximum: 52.

maxrepeats
    Description: Maximum number of times a character can be repeated in a password.
    Recommended value: 2. Default: 8. Maximum: 8.

minage
    Description: Minimum number of weeks before a password can be changed. This should not be set to a nonzero value unless administrators are always available to reset a password in case a user changes a password and then mistypes it.
    Recommended value: 0. Default: 0. Maximum: 52.

minalpha
    Description: Minimum number of alphabetic characters required in a password.
    Recommended value: 2. Default: 0. Maximum: 8.

mindiff
    Description: Minimum number of unique characters that a password must contain.
    Recommended value: 4. Default: 0. Maximum: 8.

minlen
    Description: Minimum length of a password.
    Recommended value: 6 (8 for the root user). Default: 0. Maximum: 8.

minother
    Description: Minimum number of non-alphabetic characters required in a password.
    Recommended value: 2. Default: 0. Maximum: 8.

pwdwarntime
    Description: Number of days before the system issues a warning that a password change is required.
    Recommended value: 5. Default: not applicable. Maximum: not applicable.

pwdchecks
    Description: Custom code that checks password quality; this entry can be used to augment the passwd command. For more information, see "Extending Password Restrictions".
    Recommended value: not applicable. Default: not applicable. Maximum: not applicable.

Note:

1. A maximum of 50 passwords are retained.

For Controlled Access Protection Profile and Evaluation Assurance Level 4+ (CAPP/EAL4+) systems, use the values recommended in "User and Port Configuration" on page 13.

If text processing is installed on the system, the administrator can use the /usr/share/dict/words file as the dictionlist dictionary file. In that case, the administrator can set the minother attribute to 0. Because most words in the dictionary file do not contain characters that fall into the minother attribute category, setting the minother attribute to 1 or greater already eliminates the vast majority of the words in this dictionary file.

The minimum length of a password on the system is set by the value of the minlen attribute or by the value of the minalpha attribute plus the value of the minother attribute, whichever is greater. The maximum length of a password is eight characters. The value of the minalpha attribute plus the value of the minother attribute should never be greater than eight. If the value of the minalpha attribute plus the value of the minother attribute is greater than eight, then the value of the minother attribute is reduced to eight minus the value of the minalpha attribute.

If the values of both the histexpire attribute and the histsize attribute are set, the system retains the number of passwords required to satisfy both conditions, up to the system limit of 50 passwords per user. Null passwords are not retained.

You can edit the /etc/security/user file to include any defaults you want to use to administer user passwords. Alternatively, you can change attribute values by using the chuser command.

Other commands that can be used with this file are the mkuser, lsuser, and rmuser commands. The mkuser command creates an entry for each new user in the /etc/security/user file and initializes its attributes with the attributes defined in the /usr/lib/security/mkuser.default file. To display the attributes and their values, use the lsuser command. To remove a user, use the rmuser command.
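The interaction between these attributes is easier to see when the rules are written out. The following shell script is an added example, not part of the AIX guide and not the passwd command: it applies the recommended values from Table 6 to a candidate password the way the text describes them (effective minimum length is the greater of minlen and minalpha plus minother, minother is clipped to eight minus minalpha, maxrepeats bounds how often any one character may occur, mindiff is read as the number of distinct characters as the table states, and dictionlist rejects dictionary words). The dictionary is a small constructed file, not /usr/share/dict/words, and the case-insensitive dictionary match is an assumption of this model.

```shell
#!/bin/sh
# Added example, not from the AIX guide: a password-composition check that
# models the /etc/security/user attributes described above with the table's
# recommended values. The dictionary below is constructed for the example.

MINLEN=6; MINALPHA=2; MINOTHER=2; MAXREPEATS=2; MINDIFF=4
DICTIONLIST=${TMPDIR:-/tmp}/dictionlist.$$
printf 'password\nwelcome\nsecret\nqwerty\n' > "$DICTIONLIST"

# pw_check PASSWORD  -> prints "ok" or the first rule that fails
pw_check() {
  # dictionlist: standard words are rejected outright (case-insensitive here)
  if grep -qixF -- "$1" "$DICTIONLIST"; then
    echo "rejected: standard dictionary word"
    return 0
  fi
  printf '%s\n' "$1" | awk -v minlen="$MINLEN" -v minalpha="$MINALPHA" \
      -v minother="$MINOTHER" -v maxrepeats="$MAXREPEATS" -v mindiff="$MINDIFF" '
    {
      pw = $0; n = length(pw)
      # only eight characters are significant, so minother is clipped
      if (minalpha + minother > 8) minother = 8 - minalpha
      # effective minimum length: the greater of minlen and minalpha+minother
      need = minlen
      if (minalpha + minother > need) need = minalpha + minother
      alpha = 0; other = 0; maxrep = 0; distinct = 0
      for (i = 1; i <= n; i++) {
        c = substr(pw, i, 1)
        if (c ~ /[A-Za-z]/) alpha++; else other++
        count[c]++
      }
      for (c in count) { distinct++; if (count[c] > maxrep) maxrep = count[c] }
      if (n < need)            { print "rejected: shorter than " need " characters"; exit }
      if (alpha < minalpha)    { print "rejected: fewer than " minalpha " alphabetic characters"; exit }
      if (other < minother)    { print "rejected: fewer than " minother " non-alphabetic characters"; exit }
      if (maxrep > maxrepeats) { print "rejected: a character occurs more than " maxrepeats " times"; exit }
      if (distinct < mindiff)  { print "rejected: fewer than " mindiff " distinct characters"; exit }
      print "ok"
    }'
}
```

pw_check 'abcdef' is rejected for lacking non-alphabetic characters although it meets minlen, and pw_check 'aaab12' is rejected by maxrepeats; remove the constructed dictionary with rm -f "$DICTIONLIST" when finished. Note that the chuser documentation defines mindiff relative to the previous password (characters not present in the old one); this model follows the table's wording instead.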

Extending Password Restrictions

The rules used by the password program to accept or reject passwords (the password composition restrictions) can be extended by system administrators to provide site-specific restrictions. Restrictions are extended by adding subroutines, known as methods, which are called during a password change. The pwdchecks attribute in the /etc/security/user file specifies the methods called.

The AIX 5L Version 5.2 Technical Reference contains a description of pwdrestrict_method, the subroutine interface to which specified password restriction methods must conform. To correctly extend the password composition restrictions, the system administrator must program this interface when writing a password-restriction method. Use caution in extending the password composition restrictions. These extensions directly affect the login command, the passwd command, the su command, and other programs. The security of the system could easily be subverted by malicious or defective code.

User Authentication

Identification and authentication establish a user's identity. Each user is required to log in to the system. The user supplies the user name of an account and a password, if the account has one (in a secure system, all accounts either have passwords or are invalidated). If the password is correct, the user is logged in to that account and acquires the access rights and privileges of the account. The /etc/passwd and /etc/security/passwd files maintain user passwords.

Alternative methods of authentication are integrated into the system by means of the SYSTEM attribute that appears in /etc/security/user. For instance, the Distributed Computing Environment (DCE) requires password authentication but validates these passwords in a manner different from the encryption model used in /etc/passwd and /etc/security/passwd. Users who authenticate by means of DCE can have their stanza in /etc/security/user set to SYSTEM=DCE.

Other SYSTEM attribute values are compat, files, and NONE. The compat token is used when name resolution (and subsequent authentication) follows the local database and, if no resolution is found, the Network Information Service (NIS) database. The files token specifies that only local files are to be used during authentication. Finally, the NONE token turns off method authentication. To turn off all authentication, the NONE token must appear in both the SYSTEM and auth1 lines of the user's stanza.

Other acceptable tokens for the SYSTEM attribute can be defined in /usr/lib/security/methods.cfg.

Note: The root user is always authenticated by means of the local system security file. The SYSTEM attribute entry for the root user is specifically set to SYSTEM = "compat" in /etc/security/user.

For more information on protecting passwords, see the AIX 5L Version 5.2 System User's Guide: Operating System and Devices.

Login User IDs

All audit events recorded for a user are labeled with the login user ID and can be examined when audit records are generated. For more information about login user IDs, see the AIX 5L Version 5.2 System User's Guide: Operating System and Devices.

Disk Quota System Overview

The disk quota system allows system administrators to control the number of files and data blocks that can be allocated to users or groups. The following sections provide further information about the disk quota system, its implementation, and its use:

- "Understanding the Disk Quota System"
- "Recovering from Over-Quota Conditions" on page 44
- "Setting Up the Disk Quota System" on page 44

Understanding the Disk Quota System

The disk quota system, based on the Berkeley Disk Quota System, provides an effective way to control the use of disk space. The quota system can be defined for individual users or groups, and is maintained for each journaled file system.

The disk quota system establishes limits based on the following parameters, which can be changed with the edquota command:

- User's or group's soft limits
- User's or group's hard limits
- Quota grace period

The soft limit defines the number of 1 KB disk blocks or files under which the user must remain. The hard limit defines the maximum number of disk blocks or files the user can accumulate under the established disk quotas. The quota grace period allows the user to exceed the soft limit for a short period of time (the default value is one week). If the user fails to reduce usage below the soft limit during the specified time, the system interprets the soft limit as the maximum allocation allowed, and no further storage is allocated to the user. The user can reset this condition by removing enough files to reduce usage below the soft limit.

The disk quota system tracks user and group quotas in the quota.user and quota.group files that reside in the root directories of file systems enabled with quotas. These files are created with the quotacheck and edquota commands and are readable with the quota commands.

Recovering from Over-Quota Conditions

To reduce file system usage when you have exceeded quota limits, you can use the following methods:

- Kill the current process that caused the file system to reach its limit, remove surplus files to bring the file system under the limit, and retry the failed program.
- If you are running an editor such as vi, use the shell escape sequence to check your file space, remove surplus files, and then return without losing your edited file. Alternatively, if you are using the C or Korn shell, you can suspend the editor with the Ctrl-Z key sequence, issue the file system commands, and then return with the fg (foreground) command.
- Temporarily write the file to a file system where quota limits have not been exceeded, delete surplus files, and then return the file to the correct file system.

Setting Up the Disk Quota System

Typically, only those file systems that contain user home directories and files require disk quotas. Consider implementing the disk quota system under the following conditions:

- Your system has limited disk space.
- You require more file-system security.
- Your disk-usage levels are disruptive, such as at many universities.

If these conditions do not apply to your environment, you might not want to create disk-usage limits by implementing the disk quota system.

The disk quota system can be used only with the journaled file system.

Note: Do not establish disk quotas for the /tmp file system.

To set up the disk quota system, use the following procedure:

1. Log in with root authority.

2. Determine which file systems require quotas.

   Note: Because many editors and system utilities create temporary files in the /tmp file system, it must be free of quotas.

3. Use the chfs command to include the userquota and groupquota quota configuration attributes in the /etc/filesystems file. The following example uses the chfs command to enable user quotas on the /home file system:

   chfs -a "quota = userquota" /home

   To enable both user and group quotas on the /home file system, type:

   chfs -a "quota = userquota,groupquota" /home

   The corresponding entry in the /etc/filesystems file is displayed as follows:

   /home:
           dev = /dev/hd1
           vfs = jfs
           log = /dev/hd8
           mount = true
           check = true
           quota = userquota,groupquota
           options = rw

4. Optionally, specify alternate disk quota file names. The quota.user and quota.group file names are the default names, located in the root directories of the file systems enabled with quotas. You can specify alternate names or directories for these quota files with the userquota and groupquota attributes in the /etc/filesystems file.

   The following example uses the chfs command to establish user and group quotas for the /home file system and names the quota files myquota.user and myquota.group:

   chfs -a "userquota = /home/myquota.user" -a "groupquota = /home/myquota.group" /home

   The corresponding entry in the /etc/filesystems file is displayed as follows:

   /home:
           dev = /dev/hd1
           vfs = jfs
           log = /dev/hd8
           mount = true
           check = true
           quota = userquota,groupquota
           userquota = /home/myquota.user
           groupquota = /home/myquota.group
           options = rw

5. If they are not already mounted, mount the specified file systems.

6. Set the desired quota limits for each user or group. Use the edquota command to create each user's or group's soft and hard limits for allowable disk space and maximum number of files.

   The following example entry shows quota limits for the user davec:

   Quotas for user davec:
   /home: blocks in use: 30, limits (soft = 100, hard = 150)
           inodes in use: 73, limits (soft = 200, hard = 250)

   This user has used 30 KB of the maximum 100 KB of disk space. Of the maximum 200 files, davec has created 73. This user has a margin of 50 KB of disk space and 50 files that can be allocated to temporary storage before the soft limits are reached.

   When establishing disk quotas for multiple users, use the -p flag with the edquota command to duplicate a user's quotas for another user.

   To duplicate the quotas established for user davec for user nanc, type:

   edquota -p davec nanc

7. Enable the quota system with the quotaon command. The quotaon command enables quotas for a specified file system, or for all file systems with quotas (as indicated in the /etc/filesystems file) when used with the -a flag.

8. Use the quotacheck command to check the consistency of the quota files against actual disk usage.

   Note: Do this each time you first enable quotas on a file system and after you reboot the system.

   To enable this check and to turn on quotas during system startup, add the following lines at the end of the /etc/rc file:

   echo " Enabling filesystem quotas "
   /usr/sbin/quotacheck -a
   /usr/sbin/quotaon -a

Chapter 3. Auditing

The auditing subsystem enables the system administrator to record security-relevant information, which can be analyzed to detect potential and actual violations of the system security policy. This chapter discusses the following topics:

- "Auditing Subsystem"
- "Event Selection" on page 48
- "Auditing Subsystem Configuration" on page 49
- "Audit Logger Configuration" on page 50
- "Setting Up Auditing" on page 53

Auditing Subsystem

The auditing subsystem has the following functions:

- "Event Detection"
- "Information Collection"
- "Audit Trail Information Processing" on page 48

The system administrator can configure each of these functions.

Event Detection

Event detection is distributed throughout the Trusted Computing Base (TCB), both in the kernel (supervisor state code) and in the trusted programs (user state code). An auditable event is any security-relevant occurrence in the system. A security-relevant occurrence is any change to the security state of the system, any attempted or actual violation of the system access control or accountability security policies, or both. The programs and kernel modules that detect auditable events are responsible for reporting these events to the system audit logger, which runs as part of the kernel and can be accessed either with a subroutine (for trusted program auditing) or within a kernel procedure call (for supervisor state auditing). The information reported includes the name of the auditable event, the success or failure of the event, and any additional event-specific information that is relevant to security auditing.

Event detection configuration includes turning event detection on or off, and specifying which events are to be audited for which users. To activate event detection, use the audit command to enable or disable the audit subsystem. The /etc/security/audit/config file contains the events and users that are processed by the audit subsystem.

Information Collection

Information collection encompasses logging the selected auditable events. This function is performed by the kernel audit logger, which provides a system call and an intra-kernel procedure call interface that records auditable events.

The audit logger is responsible for constructing the complete audit record, consisting of the audit header, which contains information common to all events (such as the name of the event, the user responsible, and the time and return status of the event), and the audit trail, which contains event-specific information. The audit logger appends each successive record to the kernel audit trail, which can be written in either (or both) of two modes:

BIN mode
    The trail is written into alternating files, providing for safety and long-term storage.

STREAM mode
    The trail is written to a circular buffer that is read synchronously through an audit pseudo-device. STREAM mode offers immediate response.

© Copyright IBM Corp. 2002, 2003

Information collection can be configured at both the front end (event recording) and the back end (trail processing). Event recording is selectable on a per-user basis. Each user has a defined set of audit events that are actually logged in the kernel trail when they occur. At the back end, the modes are individually configurable, so that the administrator can employ the back-end processing best suited for a particular environment. In addition, BIN mode auditing can be configured to generate an alert in case the file system space available for the trail is getting too low.

Audit Trail Information Processing

The operating system provides options for processing the kernel audit trail. The BIN mode trail can be compressed, filtered, or formatted for output, or any reasonable combination of these, before archival storage of the audit trail, if any. Compression is done through Huffman encoding. Filtering is done with standard query language (SQL)-like audit record selection (using the auditselect command), which provides for both selective viewing and selective retention of the audit trail. Formatting of audit trail records can be used to examine the audit trail, to generate periodic security reports, and to print a paper audit trail.

The STREAM mode audit trail can be monitored in real time, to provide immediate threat-monitoring capability. Configuration of these options is handled by separate programs that can be invoked as daemon processes to filter either BIN or STREAM mode trails, although some of the filter programs are better tuned to one mode or the other.

Event Selection

The set of auditable events on the system defines which occurrences can actually be audited and the granularity of the auditing provided. The auditable events must cover the security-relevant events on the system, as defined previously. The level of detail you use for auditable event definition must tread a fine line between insufficient detail, leading to excessive information collection, and too much detail, making it difficult for the administrator to understand the selected information. The definition of events takes advantage of similarities in detected events. For the purpose of this discussion, a detected event is any single instance of an auditable event; for instance, a given event might be detected in various places. The underlying principle is that detected events with similar security properties are selected as the same auditable event. The following list shows a classification of security policy events:

- Subject events
  - Process creation
  - Process deletion
  - Setting subject security attributes: user IDs, group IDs
  - Process group, control terminal

- Object events
  - Object creation
  - Object deletion
  - Object open (including processes as objects)
  - Object close (including processes as objects)
  - Setting object security attributes: owner, group, ACL

- Import/export events
  - Importing or exporting an object

- Accountability events
  - Adding a user, changing user attributes in the password database
  - Adding a group, changing group attributes in the group database
  - User login
  - User logoff
  - Changing user authentication information
  - Trusted path terminal configuration
  - Authentication configuration
  - Auditing administration: selecting and deselecting events and audit trails, switching on or off, defining user auditing classes

- General system administration events

  - Use of privilege
  - File system configuration
  - Device definition and configuration
  - System configuration parameter definition
  - Normal system IPL and shutdown
  - RAS configuration
  - Other system configuration

- Security violations (potential)
  - Access permission refusals
  - Privilege failures
  - Diagnostically detected faults and system errors
  - Attempted alteration of the TCB

Auditing Subsystem Configuration

The audit subsystem has a global state variable that indicates whether the audit subsystem is on. In addition, each process has a local state variable that indicates whether the audit subsystem should record information about this process. Both of these variables determine whether events are detected by the Trusted Computing Base (TCB) modules and programs. Turning TCB auditing off for a specific process allows that process to do its own auditing without bypassing the system accountability policy. Permitting a trusted program to audit itself allows for more efficient and effective collection of information.

Collecting Audit Subsystem Information

Information collection addresses event selection and kernel audit trail modes. It is done through a kernel routine that provides interfaces to log information, used by the TCB components that detect auditable events, and configuration interfaces, used by the audit subsystem to control the audit logger routine.

Audit Logging

Auditable events are logged through the following interfaces: the user state and the supervisor state. The user state portion of the TCB uses the auditlog or auditwrite subroutine, while the supervisor state portion of the TCB uses a set of kernel procedure calls.

For each record, the audit event logger prefixes an audit header to the event-specific information. This header identifies the user and process for which this event is being audited, as well as the time of the event. The code that detects the event supplies the event type and return code or status and, optionally, additional event-specific information (the event tail). Event-specific information consists of object names (for example, files that are refused access or the tty used in failed login attempts), subroutine parameters, and other modified information.

Events are defined symbolically rather than numerically. This lessens the chance of name collisions without using an event registration scheme. Because subroutines are auditable and the extendable kernel definition has no fixed SVC numbers, it is difficult to record events by number. The number mapping would have to be revised and logged every time the kernel interface was extended or redefined.

Audit Record Format

The audit records consist of a common header, followed by audit trails specific to the audit event of the record. The structures for the headers are defined in the /usr/include/sys/audit.h file. The format of the information in the audit trails is specific to each base event and is shown in the /etc/security/audit/events file.

The information in the audit header is generally collected by the logging routine to ensure its accuracy, while the information in the audit trails is supplied by the code that detects the event. The audit logger has no knowledge of the structure or semantics of the audit trails. For example, when the login command detects a failed login, it records

the specific event with the terminal on which it occurred and writes the record into the audit trail using the auditlog subroutine. The audit logger kernel component records the subject-specific information (user IDs, process IDs, time) in a header and appends this to the other information. The caller supplies only the event name and result fields in the header.

Audit Logger Configuration

The audit logger is responsible for constructing the complete audit record. You must select the audit events that you want to be logged.

Selecting Audit Events

Audit event selection has the following types:

Per-process auditing
    To select process events efficiently, the system administrator can define audit classes. An audit class is a subset of the base auditing events in the system. Audit classes provide for convenient logical groupings of the base auditing events.

    For each user on the system, the system administrator defines a set of audit classes that determine the base events that can be recorded for that user. Each process run by the user is tagged with its audit classes.

Per-object auditing
    The operating system provides for the auditing of object accesses by name; that is, the auditing of specific objects (normally files). By-name object auditing avoids having to cover all object accesses in order to audit the few pertinent objects. In addition, the auditing mode can be specified, so that only accesses of the specified mode (read/write/execute) are recorded.

Kernel Audit Trail Modes

Kernel logging can be set to BIN or STREAM mode to define where the kernel audit trail is to be written. If BIN mode is used, the kernel audit logger must be given (before audit startup) at least one file descriptor to which records are to be appended.

BIN mode consists of writing the audit records into alternating files. At auditing startup, the kernel is passed two file descriptors and an advisory maximum bin size. It suspends the calling process and starts writing audit records into the first file descriptor. When the size of the first bin reaches the maximum bin size, and if the second file descriptor is valid, it switches to the second bin and reactivates the calling process. The kernel continues writing into the second bin until it is called again with another valid file descriptor. If at that point the second bin is full, it switches back to the first bin, and the calling process returns immediately. Otherwise, the calling process is suspended, and the kernel continues to write records into the second bin until it is full. Processing continues this way until auditing is turned off. See the following illustration of the auditing BIN mode:

The alternating bin mechanism is used to ensure that the audit subsystem always has something to write to while the audit records are processed. When the audit subsystem switches to the other bin, it empties the first bin's content to the trail file. When the time comes to switch bins again, the first bin is available. This decouples the storage and analysis of the data from the data generation. Typically, the auditcat program is used to read the data from the bin that the kernel is not writing to at the moment. To make sure that the system never runs out of space for the audit trail (the output of the auditcat program), the freespace parameter can be specified in the /etc/security/audit/config file. If the system has fewer than the number of 512-byte blocks specified there, it generates a syslog message.

If auditing is enabled, the binmode parameter in the start stanza in /etc/security/audit/config should be set to panic. The freespace parameter in the bin stanza should be configured to a minimum of 25 percent of the disk space dedicated to storing the audit trails. The bytethreshold and binsize parameters should each be set to 65536 bytes.

In STREAM mode, the kernel writes records into a circular buffer. When the kernel reaches the end of the buffer, it simply wraps to the beginning. Processes read the information through a pseudo-device called /dev/audit. When a process opens this device, a channel is created for that process. Optionally, the events to be read on the channel can be specified as a list of audit classes. See the following illustration of the auditing STREAM mode:

Figure 1. Process of the Auditing BIN Mode. This illustration shows the process of the auditing BIN mode.

The main purpose of STREAM mode is to allow for timely reading of the audit trail, which is desirable for real-time threat monitoring. Another use is to create a trail that is written immediately, preventing any possible tampering with the audit trail, as is possible if the trail is stored on writable media.

Yet another way to use STREAM mode is to write the audit stream into a program that stores the audit information on a remote system, which allows the remote processing of the information while at the same time preventing any tampering with the audit trail on the originating host.

Processing the Audit Records

The auditselect, auditpr, and auditmerge commands are available to process BIN or STREAM mode audit records. These utilities work as filters, so that they can easily be used in pipes, which is especially handy for STREAM mode auditing.

auditselect can be used to select only specific audit records using SQL-like statements. For example, to select only exec() events that were generated by user afx, type the following:

auditselect -e "login==afx && event==PROC_Execute"

auditpr is used to convert the binary audit records into a human-readable form. The amount of information displayed depends on the flags specified on the command line. To get all the available information, run the auditpr command as follows:

auditpr -v -hhelrtRpPTc

Figure 2. Process of the Auditing STREAM Mode. This illustration shows the process of the auditing STREAM mode.

When the -v flag is specified, the audit tail, which is event specific (see the /etc/security/audit/events file), is displayed in addition to the standard audit information that the kernel delivers for each event.

auditmerge is used to merge binary audit trails. This is especially useful if there are audit trails from several systems that need to be combined. The auditmerge command takes the names of the trails on the command line and sends the merged binary trail to standard output, so the auditpr command is still needed to make the records readable. For example, the auditmerge and auditpr commands can be run as follows:

auditmerge trail.system1 trail.system2 | auditpr -v -hhelrRtpc
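Once auditpr has turned a trail into text, the same kind of selection that auditselect performs on the binary records, and the manual inspection that the generic audit log scenario later in this chapter relies on, can be done with ordinary text tools. The following shell script is an added example and not part of the AIX guide: it embeds a constructed set of formatted records (the column layout event, login, status, time, command is an assumption made for the sample and is not the exact auditpr output format) and provides one function that mirrors the login==afx && event==PROC_Execute selection above and one that aggregates repeated failures per user and event, which is what a reviewer scanning a trail is usually looking for.

```shell
#!/bin/sh
# Added example, not from the AIX guide: selection and aggregation over
# already-formatted audit records. The records and their column layout
# (event login status time command) are constructed for this example;
# real input would be the output of auditpr over a BIN trail or a stream.

AUDIT_SAMPLE='PROC_Execute afx OK 2003-07-14T10:22:01 ksh
PROC_Execute afx OK 2003-07-14T10:22:05 vi
FILE_Write root OK 2003-07-14T10:23:10 vi
USER_SU afx FAIL 2003-07-14T10:24:00 su
USER_SU afx FAIL 2003-07-14T10:24:07 su
USER_SU afx OK 2003-07-14T10:24:15 su
PASSWORD_Change paul OK 2003-07-14T10:30:00 passwd
USER_Login guest FAIL 2003-07-14T10:31:00 login
PORT_Locked guest FAIL 2003-07-14T10:31:30 login'

# audit_select LOGIN EVENT  -> the records where login==LOGIN && event==EVENT,
# the text equivalent of auditselect -e "login==afx && event==PROC_Execute".
# Pass "*" for either field to match any value.
audit_select() {
  printf '%s\n' "$AUDIT_SAMPLE" | awk -v login="$1" -v event="$2" '
    (login == "*" || $2 == login) && (event == "*" || $1 == event)'
}

# audit_failures  -> "login event count" for every (login, event) pair whose
# status is FAIL; repeated failures of one kind (su, login) stand out here.
audit_failures() {
  printf '%s\n' "$AUDIT_SAMPLE" | awk '
    $3 == "FAIL" { n[$2 " " $1]++ }
    END { for (k in n) print k, n[k] }' | sort
}
```

On the sample, audit_select afx PROC_Execute returns the two exec records for afx, and audit_failures reports two failed USER_SU attempts by afx before the one that succeeded, together with the failed guest login and the resulting PORT_Locked event.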

Using the Audit Subsystem for a Quick Security Check

To monitor a single suspicious program without setting up the audit subsystem, the watch command can be used. It records either the requested events or all events that are generated by the specified program.

For example, to see the FILE_Open events when running vi /etc/hosts, type the following:

watch -eFILE_Open -o /tmp/vi.watch vi /etc/hosts

The /tmp/vi.watch file then lists all FILE_Open events for the editor session.

Setting Up Auditing

The following procedure shows how to set up the auditing subsystem. For more specific information, refer to the configuration files noted in these steps.

1. Select the system activities (events) to audit from the list in the /etc/security/audit/events file. If you have added new audit events to applications or kernel extensions, you must edit the file to add the new events.

   - Add an event to this file if you have included code to log that event either in an application (using the auditwrite or auditlog subroutine) or in a kernel extension (using the audit_svcstart, audit_svcbcopy, and audit_svcfinis kernel services).
   - Ensure that formatting instructions for any new audit events are included in the /etc/security/audit/events file. These specifications enable the auditpr command to format the audit tail when it writes audit records.

2. Group your selected audit events into sets of similar items called audit classes. Define the audit classes in the classes stanza of the /etc/security/audit/config file.

3. Assign the audit classes to individual users, and assign audit events to the files (objects) that you want to audit, as follows:

   - To assign audit classes to an individual user, add a line for each user to the users stanza of the /etc/security/audit/config file. You can also use the chuser command to assign audit classes to a user.
   - To assign audit events to an object (a data or executable file), add a stanza for that file to the /etc/security/audit/objects file.
   - You can also specify default audit classes for new users by editing the /usr/lib/security/mkuser.default file. This file holds the user attributes that are used when new user IDs are generated. For example, to use the general audit class for all new user IDs:

     user:
             auditclasses = general
             pgrp = staff
             groups = staff
             shell = /usr/bin/ksh
             home = /home/$USER

   To record all audit events, specify the ALL class. On even a moderately busy system, this generates a huge amount of data. In practice, limit the number of events that are recorded.

4. In the /etc/security/audit/config file, configure the type of data collection that you want using BIN collection, STREAM collection, or both. Make sure that audit data does not compete with other data for file space by using a separate file system for audit data. This ensures that there is enough space for the audit data. Configure the type of data collection as follows:

   - To configure BIN collection:

     a. Enable BIN mode collection by setting binmode = on in the start stanza.

     b. Edit the binmode stanza to configure the bins and the trail, and specify the path of the file containing the BIN mode back-end processing commands. The default file for back-end commands is /etc/security/audit/bincmds.

     c. Make sure that the audit bins are large enough for your needs and set the freespace parameter accordingly to get an alert if the file system is filling up.

     d. Include the shell commands that process the audit bins in an audit pipe in the /etc/security/audit/bincmds file.

   - To configure STREAM collection:

     a. Enable STREAM mode collection by setting streammode = on in the start stanza.

     b. Edit the streammode stanza to specify the path to the file containing the streammode processing commands. The default file containing this information is /etc/security/audit/streamcmds.

     c. Include the shell commands that process the stream records in an audit pipe in the /etc/security/audit/streamcmds file.

5. When you have finished making any necessary changes to the configuration files, use the audit start command option to enable the audit subsystem.

6. Use the audit query command option to see which events and objects are audited.

7. Use the audit shutdown command option to deactivate the audit subsystem again.

Selecting Audit Events

The purpose of an audit is to detect activities that might compromise the security of your system. When performed by an unauthorized user, the following activities violate system security and are candidates for an audit:

- Engaging in any activity in the Trusted Computing Base
- Authenticating users
- Accessing the system
- Changing the configuration of the system
- Circumventing the auditing system
- Initializing the system
- Installing programs
- Modifying accounts
- Transferring information into or out of the system

The audit system does not have a default set of events to be audited. You must select events or event classes according to your needs.

To audit an activity, you must identify the command or process that initiates the audit event and ensure that the event is listed in the /etc/security/audit/events file for your system. Then you must add the event either to an appropriate class in the /etc/security/audit/config file or to an object stanza in the /etc/security/audit/objects file. See the /etc/security/audit/events file on your system for the list of audit events and trail formatting instructions. For a description of how audit event formats are written and used, see the auditpr command.

After you have selected the events to audit, you must combine similar events into audit classes. Audit classes are then assigned to users.

Selecting Audit Classes

You can simplify the assignment of audit events to users by combining similar events into audit classes. These audit classes are defined in the classes stanza of the /etc/security/audit/config file.

Some typical audit classes might be as follows:

general
    Events that alter the state of the system and change user authentication. Audit attempts to circumvent system access controls.

objects
    Write access to security configuration files.

kernel
    Events in the kernel class are generated by the process management functions of the kernel.

An example of a stanza in the /etc/security/audit/config file is as follows:

classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename
        system = USER_Change,GROUP_Change,USER_Create,GROUP_Create
        init = USER_Login,USER_Logout

Selecting an Audit Data-Collection Method

Your selection of a data-collection method depends on how you intend to use the audited data. If you need long-term storage of a large amount of data, select BIN collection. If you want to process the data as it is collected, select STREAM collection. If you need both long-term storage and immediate processing, select both methods.

Bin collection
    Allows storage of a large audit trail for a long time. Audit records are written to a file that serves as a temporary bin. After the file is filled, the data is processed by the auditbin daemon while the audit subsystem writes to the other bin file, and the records are written to an audit trail file for storage.

Stream collection
    Allows processing of audit data as it is collected. Audit records are written into a circular buffer within the kernel and are retrieved by reading /dev/audit. The audit records can be displayed, printed to provide a paper audit trail, or converted into bin records by the auditcat command.

Example of a Real-Time File Modification Monitor

The following example can be used to monitor file access to critical files in real time:

1. Set up a list of critical files to be monitored, such as all files in /etc, and configure them for FILE_Write events in the objects file:

   find /etc -type f | awk '{printf("%s:\n\tw = FILE_Write\n\n",$1)}' >> /etc/security/audit/objects

2. Set up stream auditing to list all file writes to the console. (This example lists all file writes to the console, but in a production environment you might want a back end that sends the events to an intrusion detection system.) The /etc/security/audit/streamcmds file is similar to the following:

   /usr/sbin/auditstream | /usr/sbin/auditselect -e "event == FILE_Write" | auditpr -hhelpPRtTc -v > /dev/console &

3. Set up STREAM mode auditing in /etc/security/audit/config, add a class for the file write events, and configure all users that should be audited with that class:

   start:
           binmode = off
           streammode = on

   stream:
           cmds = /etc/security/audit/streamcmds

   classes:
           filemon = FILE_write

   users:
           root = filemon
           afx = filemon
           ...

   Event names are case-sensitive as listed in /etc/security/audit/events; the class above is written FILE_write where the objects file uses FILE_Write, so check the spelling against your events file before starting the audit.

4. Run audit start. All FILE_Write events are displayed on the console.

Example of a Generic Audit Log Scenario

In this example, assume that the system administrator wants to use the audit subsystem to monitor a large multi-user server system. No direct integration into an IDS is performed; all audit records are inspected manually for irregularities. Only a few essential audit events are recorded, to keep the amount of generated data at a manageable size.

The audit events considered for event detection are the following:

FILE_Write
    Writes to configuration files are of interest, so this event is used with all files in the /etc tree.

PROC_SetUserIDs
    All changes of user IDs

AUD_Bin_Def
    Audit bin configuration

USER_SU
    The su command

PASSWORD_Change
    The passwd command

AUD_Lost_Rec
    Notification in case records were lost

CRON_JobAdd
    New cron jobs

AT_JobAdd
    New at jobs

USER_Login
    All logins

PORT_Locked
    All locks on terminals because of too many invalid attempts

The following is an example of how to generate a generic audit log:

1. Set up a list of critical files to be monitored for changes, such as all files in /etc, and configure them for FILE_Write events in the objects file, as follows:

   find /etc -type f | awk '{printf("%s:\n\tw = FILE_Write\n\n",$1)}' >> /etc/security/audit/objects

2. Use the auditcat command to set up BIN mode auditing. The /etc/security/audit/bincmds file is similar to the following:

   /usr/sbin/auditcat -p -o $trail $bin

3. Edit the /etc/security/audit/config file and add a class for the events of interest. List all existing users and specify the custom class for them:

   start:
           binmode = on
           streammode = off

   bin:
           cmds = /etc/security/audit/bincmds
           trail = /audit/trail
           bin1 = /audit/bin1
           bin2 = /audit/bin2
           binsize = 100000
           freespace = 100000

   classes:
           custom = FILE_Write,PROC_SetUser,AUD_Bin_Def,AUD_Lost_Rec,USER_SU, \
           PASSWORD_Change,CRON_JobAdd,AT_JobAdd,USER_Login,PORT_Locked

   users:
           root = custom
           afx = custom
           ...

   Note that the class line names the event PROC_SetUser while the list above calls it PROC_SetUserIDs; use the name exactly as it appears in /etc/security/audit/events on your system, because an unknown event name is not recorded.

4. Add the custom audit class to the /usr/lib/security/mkuser.default file, so that new IDs automatically have the correct audit class associated with them:

   user:
           auditclasses = custom
           pgrp = staff
           groups = staff
           shell = /usr/bin/ksh
           home = /home/$USER

5. Create a new file system named /audit by using SMIT or the crfs command. The file system should be large enough to hold the two bins and a large audit trail.

6. Run the audit start command option and examine the /audit file system. You should see the two bin files and an initially empty trail file. After you have used the system for a while, the trail file should contain audit records that can be read with:

   auditpr -hhelpPRtTc -v | more

This example uses only a few events. To see all events, you could specify the class name ALL for all users. This action generates a huge amount of data. You might want to add all events related to user changes and changes of permissions to the custom class.

Chapter 4. LDAP Authentication Load Module

The Lightweight Directory Access Protocol (LDAP) defines a standard method for accessing and updating information in a directory (a database), either locally or remotely, in a client-server model. The LDAP method is used by a cluster of hosts to allow centralized security authentication as well as access to user and group information. This functionality is intended for use in a clustering environment, to keep authentication, user, and group information common across the cluster.

The LDAP exploitation of the security subsystem is implemented as the LDAP authentication load module. Conceptually, it is similar to the other load modules, such as NIS, DCE, and Kerberos 5. The load module is defined in the /usr/lib/security/methods.cfg file. The LDAP authentication load module is implemented at the module level and is manageable through this interface.

After the LDAP authentication load module is enabled to serve user and group information, most high-level APIs, commands, and system management tools work in their usual manner. An -R flag is introduced for most high-level commands to work through different load modules. For example, to create an LDAP user named joe from a client machine, use the following command:

mkuser -R LDAP joe

The client system checks whether a user is an LDAP user through the user's SYSTEM attribute in the /etc/security/user file. If the user's SYSTEM attribute is set to LDAP, then the user can only authenticate through LDAP. If the SYSTEM attribute in the default stanza is set to LDAP, then all users without a SYSTEM attribute of their own are treated as LDAP users. The LDAP keyword can be used together with other SYSTEM attribute values, as described in "User Authentication" on page 42. The client communicates with the LDAP server through a client-side daemon (secldapclntd). The daemon accepts requests from applications (through the library APIs), queries the LDAP server, and returns the data to the application. The secldapclntd daemon also caches data.

Setting Up an LDAP Security Information Server

To set up a system as an LDAP security information server that serves authentication, user, and group information through LDAP, the LDAP server and client packages must be installed. The LDAP server must be configured to be both a client and a server. The LDAP server also requires the DB2 database. If Secure Sockets Layer (SSL) is required, the GSKit package must also be installed. The system administrator must use the ikeyman command to create a key database. The server certificate must be transferred to the clients.

The mksecldap command can be used to set up an LDAP security information server. It creates a database named ldapdb2, populates the database with the user and group information from the local host, and sets the LDAP server administrator DN (distinguished name) and password. It optionally sets up SSL for client/server communication. The mksecldap command adds an entry to the /etc/inittab file to start the LDAP server at every reboot. The mksecldap command performs the entire LDAP server setup, updating the slapd.conf file (SecureWay Directory V3.2 and 4.1) or the slapd32.conf file (SecureWay Directory V3.2). It is not necessary to configure the LDAP Web administration interface.

All users and groups from the local system are migrated to the LDAP server during the LDAP server setup process. This step selects one of the following LDAP schemas:

AIX-specific schema
    Consists of the aixAccount and aixAccessGroup object classes. This schema offers a full set of AIX user and group attributes.

NIS schema (RFC 2307)
    Consists of the posixAccount, shadowAccount, and posixGroup object classes, and is used by several vendors' directory products. The NIS schema defines only a small subset of the attributes that AIX uses.

NIS schema with full AIX support
    Consists of the posixAccount, shadowAccount, and posixGroup object classes as well as the aixAusAccount and aixAusGroup object classes. The aixAusAccount and aixAuxGroup object classes provide the attributes that are used by AIX but are not defined by the NIS schema.

Use the NIS schema with full AIX support for the LDAP server setup, unless the AIX-specific schema must be used to keep the LDAP server compatible with existing LDAP servers.

All user and group information is stored under a common AIX tree (suffix). The default suffix is "cn=aixdata". The mksecldap command accepts a user-supplied suffix through the -d flag. If the user-supplied suffix does not have "cn=aixdata" as its first RDN (relative distinguished name), the mksecldap command prepends "cn=aixdata" to the user-supplied suffix. The AIX tree is protected by an ACL (access control list). A client must bind as the LDAP server administrator to access the AIX tree.

The mksecldap command also works if the LDAP server has been set up for other purposes, for example for user ID lookup information. In this case, mksecldap adds the AIX tree and populates it with the AIX security information in the existing database. This tree is ACL-protected and is independent of the other trees. In this case, the LDAP server works as before in addition to serving as an AIX LDAP security server.

Note: Back up the existing database before running the mksecldap command to set up the security server to share the database.

After the LDAP security information server is successfully set up, the same host must also be set up as a client, in order to complete the LDAP user and group management and to allow LDAP users to log in to this server.

If the LDAP security information server setup is not successful, you can undo the setup by running the mksecldap command with the -U flag. This restores the slapd.conf (or slapd32.conf) file to its pre-setup state. Run the mksecldap command with the -U flag after any unsuccessful setup attempt before trying to run the mksecldap command again. Otherwise, residual setup information might remain in the configuration file and cause the subsequent setup to fail. As a safety precaution, the undo option does nothing to the database or to its data, because the database might have existed before the mksecldap command was run. Remove the database manually if it was created by the mksecldap command. If the mksecldap command added data to a pre-existing database, decide what steps to take to recover from the failed setup attempt.

For more information on setting up an LDAP security information server, see the mksecldap command.

Setting Up an LDAP Client

Each client must have the LDAP client package installed. If SSL is required, the GSKit must be installed, a key database must be created, and the LDAP server's SSL certificate must be added to that key database.

Use the mksecldap command to set up a client. For the client to contact the LDAP security information server, the server name must be supplied during setup. The server administrator DN and password are also needed for the client to access the AIX tree on the server. The mksecldap command saves the server administrator DN, the password, the server name, the AIX tree DN on the server, and the SSL key path and password in the /etc/security/ldap/ldap.cfg file.

Multiple servers can be supplied to the mksecldap command during client setup. In this case, the client contacts the servers in the supplied order and establishes a connection to the first server that it can successfully bind to. If a connection failure occurs between the client and the server, a reconnection to the servers is attempted in the same order. The security LDAP exploitation model does not support referrals. It is important that replica servers are kept synchronized.

The client communicates with the LDAP security information server through a client-side daemon (secldapclntd). If the load module is enabled on the client, high-level commands are routed to the daemon through the library APIs. The daemon queries the server and returns the information to the caller.

Other fine-tuning options can be supplied to the mksecldap command during client setup, such as settings for the number of threads used by the daemon, the cache entry size, and the cache expiration timeout. These options are for experienced users only. For most environments, the default values are sufficient.

As the last step of the client setup process, the mksecldap command starts the client-side daemon and adds an entry to the /etc/inittab file, so that the daemon starts at every reboot. You can check whether the setup was successful by checking for the secldapclntd process. Provided that the LDAP security information server is set up and running, this daemon runs if the setup was successful.

LDAP User Management

You can manage users and groups on an LDAP security information server from any LDAP client by using the high-level commands. The -R flag added to most of the high-level commands can manage users and groups through LDAP as well as through other authentication load modules, such as DCE, NIS, and Kerberos 5. For more information on using the -R flag, refer to each of the user or group management commands.

To enable a user to authenticate through LDAP, run the chuser command to change the user's SYSTEM attribute value to LDAP. By setting the SYSTEM attribute value according to the defined syntax, a user can be authenticated through more than one load module (for example, compat and LDAP). For more information on setting users' authentication methods, see "User Authentication" on page 42 and the SYSTEM attribute syntax defined in the /etc/security/user file.

A user can become an LDAP user at client setup time by running the mksecldap command with the -u flag in either of the following forms:

1. Run mksecldap -c -u user1,user2,..., where user1,user2,... is a list of users. The users in this list can be either locally defined or remote LDAP-defined users. The SYSTEM attribute is set to LDAP in each of these users' stanzas in the /etc/security/user file. Such users are only authenticated through LDAP. The users in this list must exist on the LDAP security information server; otherwise, they cannot log in from this host. Run the chuser command to modify the SYSTEM attribute and allow authentication through multiple methods (for example, both local and LDAP).

2. Run "mksecldap -c -u ALL". This command sets the SYSTEM attribute to LDAP in each user's stanza in the /etc/security/user file for all locally defined users. All such users are authenticated only through LDAP. The locally defined users must exist on the LDAP security information server; otherwise, they cannot log in from this host. Users that are defined on the LDAP server but not defined locally cannot log in from this host. To allow a remote LDAP-defined user to log in from this host, run the chuser command to set the SYSTEM attribute to LDAP for that user.

Alternatively, you can enable all LDAP users, whether they are defined locally or not, to authenticate through LDAP on a local host by modifying the "default" stanza of the /etc/security/user file to use "LDAP" as its value. All users that do not have a value defined for their SYSTEM attribute follow what is defined in the default stanza. For example, if the default stanza has "SYSTEM = ″compat″", changing it to "SYSTEM = ″compat OR LDAP″" allows these users to authenticate either through AIX or through LDAP. Changing the default stanza to "SYSTEM = ″LDAP″" makes these users authenticate exclusively through LDAP. Users that have a SYSTEM attribute value of their own are not affected by the default stanza.

LDAP Host Access Control

AIX provides user-level host access (login) control for a system. The administrator can configure LDAP users to log in to an AIX system by setting the SYSTEM attribute of the LDAP user to LDAP. The SYSTEM attribute is in the /etc/security/user file. The chuser command can be used to set its value, similar to the following:

# chuser -R LDAP SYSTEM=LDAP registry=LDAP foo

Note: In this type of control, the default SYSTEM attribute should not be set to LDAP (which would allow all LDAP users to log in to the system).

This allows user foo to log in to this system. It also sets the registry to LDAP, which allows the login process to record user foo's login attempts in LDAP, and allows any user management tasks to be done in LDAP.

Administrators need to run such a setup on each of the client systems to enable certain users to log in.

Starting with AIX 5.2, AIX has implemented a feature to limit an LDAP user to logging in to certain LDAP client systems only. This feature allows centralized host access control management. An administrator can specify two host access control lists for a user account: an allow list and a deny list. These two user attributes are stored in the LDAP server with the user account. A user is allowed to access the systems or networks specified in the allow list but not the systems or networks specified in the deny list. If a system is specified in both the allow list and the deny list, the user cannot access that system. There are two ways to specify the access lists for a user: with the mkuser command when the user is created, or with the chuser command for an existing user. For backward compatibility, if the allow list and deny list for a user do not exist, the user is by default allowed to log in to any LDAP client system. This host access control feature is available starting with AIX 5.2.

Examples of setting the allow and deny lists for a user are as follows:

# mkuser -R LDAP hostsallowedlogin=host1,host2 foo

This creates user foo and allows user foo to log in to host1 and host2 only.

# mkuser -R LDAP hostsdeniedlogin=host2 foo

This creates user foo, and user foo can log in to any LDAP client system except host2.

# chuser -R LDAP hostsallowedlogin=192.9.200.1 foo

This gives user foo permission to log in to the client system with the address 192.9.200.1.

# chuser -R LDAP hostsallowedlogin=192.9.200/24 hostsdeniedlogin=192.9.200.1 foo

This gives user foo permission to log in to any client system in the 192.9.200/24 subnet, except the client system with the address 192.9.200.1.

For more information, see the chuser command.

LDAP 2+E"~qwsF

SecureWay Directory V3.2(0|Bf>)a)1!~qwsFU>&\#;)tC,1!DsFe~a+ LDAP

~qwn/G<=U>D~P#XZC1!sFe~D|`E",kND Packaging Guide for LPP Installation

PD LDAP D5#

Z AIX 5.1 0|Bf>PQ-5VK LDAP 2+E"~qwsF&\,F* LDAP 2+sFe~#|@"Z

SecureWay Directory 1!sF~q,rKITtCb=vsFS53PDNN;vr,1tC=v#AIX sF

e~;G<G)Z LDAP ~qwO|Bri/ AIX 2+E"DB~#|Z AIX 53sFDr\ZKw#

*a) LDAP,/etc/security/audit/event D~P|,TBsFB~:

v LDAP_Bind

v LDAP_Unbind

v LDAP_Add

v LDAP_Delet

v LDAP_Modify

v LDAP_Modifydn

v LDAP_Search

ldapserver sF`(e2Z|,yPOvB~D /etc/security/audit/config D~P4(#

*si LDAP 2+E"~qw,+TBPmS= /etc/security/audit/config D~P?vC'DZ:

ldap = ldapserver


r* LDAP 2+E"~qwsFe~Z AIX 53sir\Z5V,yT|G AIX 53sFS53D;?V#

9C53sF|n(}g audit start r audit shutdown)ITtCr{C LDAP 2+E"~qwsF#

+yPsFG<mS=53sFzYP,CzY\;9C auditpr |n4li#|`E",kNDZ 47 3DZ

3 B, :sF;#

LDAP |n

mksecldap |n

mksecldap |nITC4hC2+O$M}]\mD IBM SecureWay Directory ~qwMM'z#C|nX

kZ~qwMyPM'zOKP#

":

1. M'z(-c j>)M~qw(-s j>)!n;\,1KP#1hC~qw1,mksecldap |n&CZC

zwOKP=N#Z;NKPC4hC~qw,Z~NKPC4hCM'z#

2. SecureWay Directory ~qwdCD~G AIX 3.2 rsxf>D /etc/slapd32.conf#AIX 5.2 v'V

SecureWay Directory 3.2 Msxf>#

*hC~qw,7#20K ldap.server D~/#Z20 ldap.server D~/1,2,1T/20K ldap.client D~/MsK DB2 m~#CC|nhC LDAP ~qw1;h*KPNN DB2 $dC#1KP mksecldap |nhC~qw1,|n+:

1. 4(;v DB2 5},+ ldapdb2 w*1!D5}{#

2. 4(;v DB2 }]b,+ ldapdb2 w*1!D}]b{F#g{}]bQ-fZ,mksecldap +F}

TO==#(bGhC LDAP ~qwmw|CD}S#)mksecldap |n+9CVPD}]bf" AIX C

'/i}]#

3. 4( AIX w DN(s:)#g{;PS|nPa)y> DN,1!Ds:hC* cn=aixdata "QC'/

ii}]ECZ cn=aixsecdb,cn=aixdata DN#bG(iDiv#qr,mksecldap |na!C'a)

D DN "ZdOSO cn=aixdata 0:,"9B(D DN I*s:#BmT>KbVP*#(EPD5

zmIC'S|nPa)DI! DN#

Command line DN: [o=ibm]
Suffix: cn=aixdata[,o=ibm]
Security DN: cn=aixsecdb,cn=aixdata[,o=ibm]
User DN: ou=aixuser,cn=aixsecdb,cn=aixdata[,o=ibm]
Group DN: ou=aixgroup,cn=aixsecdb,cn=aixdata[,o=ibm]

g{>X53QhC LDAP ~qw,mksecldap |nS slapd32.conf dCD~P(eDs:M}]

bP0R cn=aixsecdb X|V#g{|R=KX|V,|Y(Q-KPK mksecldap,"F}y>

DN hC=hMC'/i(F=h,;sKv#

g{Zs:M}]bP;PR= cn=aixsecdb,mksecldap |nli cn=aixdata X|V#cn=aixdataG;v;;, AIX LDAP i~2mD+2y> DN#g{ mksecldap |nR=KX|V,|QX|V

MC'a)D DN xPHO#g{|G`,D,+aQC'/iEZ

cn=aixsecdb,cn=aixdata,[userDN]Bf#g{|G;`,,mksecldap |nT>;vms{"T/

f cn=aixdata,... DN DfZ,x;QC'/iF=C'a)D DN Bf#(}TCVP DN YNKP

mksecldap |n,IT!q9CVPD cn=aixdata,...#

4. Q}]S>XwzD2+}]bD~(F= LDAP }]b#y] -S !n,mksecldap |n(FC'/

i19CD}v LDAP #=.;:

v AIX - AIX #=(aixaccount M aixaccessgroup Ts`)


v RFC2307 - RFC 2307 #=(posixaccount"shadowaccount M posixgroup Ts`)

v RFC2307AIX - j+'V AIX D RFC 2307 #=(posixaccount"shadowaccount"posixgroup Ts`T0 aixauxaccount M aixauxgroup Ts`)#

/f: KP AIX 4.3 M AIX 5.1(|Gw* LDAP M'zdC)D53+;\k AIX `M=8D

~qw;p9C#|G;k RFC2307 r RFC2307AIX `MD LDAP ~qwa0#

5. hC LDAP ~qw\m1 DN M\k#C{F/\kT2CZ AIX wDCJXF#

6. hCZC~qwMM'zd2++M}]D SSL(2+WSVc)#ChCh*Q20K GSKIT#

":g{9CKC!n,ZKP mksecldap |n.0Xk4(K SSL \?#qr,~qwI\^(t

/#

7. 20 /usr/ccs/lib/libsecldapaudit.a,;v LDAP ~qwe~#Ce~'V LDAP ~qwD AIX sF#

8. ZjIK+?Ov=hs,t//XBt/ LDAP ~qw#

9. ZXB}<s,Q LDAP ~qwxLmS=(slapd)/etc/inittab 4t/ LDAP ~qw#

10. C -U !n,7zgHD~qwdCD~hC#ZzZ;NKP mksecldap |n1,|#fK=]

slapd32.conf ~qwdCD~D1>#;]#f= /etc/security/ldap/slapd32.conf.save.orig,m;]#

f= /etc/security/ldap/slapd32.conf.save#mksecldap D?NsxKP,10 slapd32.conf v#

f= /etc/security/ldap/slapd32.conf.save D~#7z!nC /etc/security/ldap/slapd32.conf.save1>4V4 /etc/slapd32.conf ~qwdCD~#

":7z!nvJCZ~qwdCD~#|;0l}]b#

":yPD LDAP dC#f= /etc/slapd32.conf LDAP ~qwdCD~P#

TZhCM'z,7#hCK LDAP ~qwR}ZKP#mksecldap |nZM'zhCZdvTBBi:

1. #f LDAP ~qwDwz{#

2. #f~qwDC'y> DN Miy> DN#g{;PS|nPa) -d !n,mksecldap |nZ LDAP

~qwOQw aixaccount"aixaccessgroup"posixaccount"posixgroup M aixauxaccount Ts`,

"hC`&Dy> DN#g{~qwP`vy>C'/i,zXka)P RDN D -d !n,9 mksecldap |nIThCC RDN P!nDy> DN#

g{ZhCM'zZdR= posixaccount Ts`,mksecldap 2+"TS~qwQwb)5eDy>

DN:wz"xg"~q"xgi"-iM rpc,"#fNNR=D5e#

3. 7( LDAP ~qw9CD#=`M - AIX X(#="RFC 2307 #=rPj+ AIX 'VD RFC 2307#=(kND=h 2 PvDTs`)#|Z /etc/security/ldap/ldap.cfg D~`&DhCKTs`Mt

T3d#mksecldap |n;\6pd|#=`M,yTXkV$hCM'z#

4. ZCwzM LDAP ~qw.dhC SSL TxP2+}]+d#C=hh*$H4(M'zD SSL \?

M\?\k,xRXk+~qwhC*9C SSL T9M'z SSL \pwC#

5. #f LDAP ~qw\m1 DN M\k#DN/\kTXkk~qwhCZd8(DT`,#

6. y]M'z=X$Lr9CDn}?4hC_Y:fs!#TC'P'D5D6'* 100-10,000,TiP

'D* 10-1,000#TC'D1!5* 1,000,TiD1!5* 100#

7. hCM'z=X$LrD_Y:f,1#P'56'* 60-3600 k#1!5* 300 k#QC5h* 0 4

{C_Y:f#

8. hCM'z=X$Lr9CD_L}#P'56'* 1-1,000#1!5* 10#

9. Tk*%;hCM'zX$Lrli LDAP ~qw4,D1ddt#P'5* 60-3,600 k#1!5*

300#

10. (}^DZ /etc/security/user D~PD SYSTEM P4!qTXhCC'PmryP9C LDAP DC

'#XZtC ldap G<D|`E",kNDTB"b#


11. t/M'zX$xL(secldapclntd)#

12. +M'z=X$xLmS= /etc/inittab T9CX$LrZXB}<st/#

13. 9C -U !n,7z /etc/security/ldap/ldap.cfg D~DH0hC#

":M'zdC}]#f= /etc/security/ldap/ldap.cfg D~#hC /etc/security/user 1!ZD SYSTEM

* LDAP,;Jm LDAP C'G<=53#hC SYSTEM * LDAP r compat Jm LDAP C'M

>XC'G<=53#

>}

1. *hCC'MiDX(Z AIX #=D LDAP ~qw,kdk:

mksecldap -s -a cn=admin -p adminpwd -S aix

b+hC;v LDAP ~qw,"9 LDAP ~qw\m1 DN * cn=admin,\k* adminpwd#C'

Mi}]S>XD~(F=1!D cn=aixdata s:#

2. *hC;vxy> DN(}K1!5M SSL 2+(E.b)D LDAP ~qw,kdk:

mksecldap -s -a cn=admin -p adminpwd -d o=mycompany,c=us -S rfc2307 \
    -k /usr/ldap/serverkey.kdb -w keypwd

b+hC LDAP ~qw,"9 LDAP ~qw\m1 DN * cn=admin,\k* adminpwd#C'Mi

}];S>XD~(F=1!D cn=aix-data, o=mycompany, c=us s:#LDAP ~qw(}9Cf"

Z /usr/ldap/serverkey.kdb D\?49C SSL (E#\?D\k(keypwd)2Xka)#C'MiT

RFC 2307 #=(F#

3. *7zH0D~qwhC:

mksecldap -s -U

b7zKH0T /etc/slapd32.conf ~qwdCD~DhC#IZ2+-r,b;}%H0hCy4(DN

N}]bnr}]b#g{;Yh*}]bn/}]b,kV$}%|G#

4. *hC9C server1.ibm.com M server2.ibm.com LDAP ~qwDM'z,kdk:

mksecldap -c -a cn=admin -p adminpwd -h server1.ibm.com,server2.ibm.com

XkrCM'za) LDAP ~qw\m1 DN M\kTO$=~qw#mksecldap |n*5 LDAP ~

qwT!CyCD#=`M,"`&XhCM'z#S|nP;x -d !n,{v~qw DIT QwC'y

> DN Miy> DN#

5. *hCM'z9C SSL M server3.ibm.com LDAP ~qwa0,kdk:

mksecldap -c -a cn=admin -p adminpwd -h server3.ibm.com -d o=mycompany,c=us -k /usr/ldap/clientkey.kdb -w keypwd -u user1,user2

byhCD LDAP M'z`FZ} 3,}K9C SSL xP(E#mksecldap |nQw o=mycompany,c=us RDN TqCC'y> DN Miy> DN#dC user1 J'M user2 J'(} LDAP xPO$#

":-u ALL !n9yP LDAP C'\;G<=CM'z#

6. *7zH0DM'zhC,kdk:

mksecldap -c -U

ba7zH0T /etc/security/ldap/ldap.cfg D~DhC#b";S /etc/security/user D~P}%

SYSTEM=LDAP M registry=LDAP#

XZ mksecldap |nD|`E",kND6AIX 5L V5.2 |nN<s+7PD mksecldap#


secldapclntd X$Lr

secldapclntd X$LrS LDAP 0k#iPS\ks,Qks*"=0LDAP 2+E"~qw1O,"QS

~qw5XDa{"M= LDAP 0k#i#CX$LrZ|Dt/}LPA!(eZ

/etc/security/ldap/ldap.cfg D~PDdCE","9C~qw\m1D(P{FM\k=0LDAP 2+E"~

qw1OxPO$,"(">XwzM~qwD,S#

g{Z /etc/security/ldap/ldap.cfg D~P8(K`v~qw,secldapclntd X$LrM,S=yPD~q

wO#;xZX(1d,|;M|GPD;va0#secldapclntd X$LrITlb=k|a0D~qw24

1rXU,"T/Mm;vIC~qwa0#|2\lb=241r~qwYNIC,"MC~qwXB("

,S(+|LxM|}Za0D~qwa0)#bVT/lb&\(} secldapclntd X$Lr4jI,|(Z

li?;v~qw#sLli.dD1ddtD1!5* 300 k,ITZX$Lrt/1S|nP|D,r(

}^D /etc/security/ldap/ldap.cfg D~P`&D54|D#

Zt/1,secldapclntd X$Lr"Tk LDAP ~qw(",S#g{|;\,S=NN;v~qw,|+

xk]_4,,"Z}.ksY;N"T,S#|X4C}L=N,g{|9G;\("NN,S,

secldapclntd X$xL+Kv#

secldapclntd X$LrG;v`_LLr#CX$Lr9CD1!_L}G 10#\m1IT(}w{CX$

Lr9CD_L}4+8wZ53T\#

secldapclntd X$LrfES LDAP 2+E"~qwlw=Dw{T\DE"#g{Z_Y:fP\R=y

ksD}]"R_Y:fn;P}Z,C}]M;MX=ks_#qr,secldapclntd X$Lrr0LDAP 2

+E"~qw1"v;vks4q!E"#

TZC',_Y:fnDP'}?6'G 100-10,000,xTiDP'}?6'G 10-1,000#TC'nD1!5

G 1000,TZiG 100#

_Y:f,1r TTL(zf1d)ITGS 60 k= 1 !1(60*60=3600 k)#1!ivB,_Y:fnZ

300 ks}Z#g{_Y:f,1hC* 0,_Y:f&\+;{C#

>}

1. *t/ secldapclntd X$Lr,kdk:

/usr/sbin/secldapclntd

2. *t/ secldapclntd,9C 20 v_L"R_Y:f,15* 600 k,kdk:

/usr/sbin/secldapclntd -p 20 -t 600

(iz(}KP start-secldapclntd |n4t/ secldapclntd X$Lr#9(izZ

/etc/security/ldap/ldap.cfg D~P8(b)5,9C?Nt/ secldapclntd xL1<IT9Cb)5#

PX secldapclntd X$LrD|`E",kND6AIX 5L V5.2 |nN<s+7PD secldapclntd#

LDAP \m|n

start-secldapclntd |n

g{ secldapclntd X$Lr;PKP,ITC start-secldapclntd |nt/|#g{ secldapclntd X$

LrQ-ZKP,r;wNNYw#E>Zt/ secldapclntd X$Lr09SNNH0D secldapclntd X

$xLPe}KZ3dLr"a(g{PD0)#CYwa@9IZKZ3dLr"a'\x<BDBX$x

Lt/'\#

>}:


1. *t/ secldapclntd X$Lr,kdk:

/usr/sbin/start-secldapclntd

2. *t/ secldapclntd 9C 20 v_L"R_Y:f,15* 600 k,kdk:

/usr/sbin/start-secldapclntd -p 20 -t 600

(izZ /etc/security/ldap/ldap.cfg D~P8(b)5,9C?Nt/ secldapclntd xL1<IT9

Cb)5#

XZ start-secldapclntd |nD|`E",kND6AIX 5L V5.2 |nN<s+7PD start-secldapclntd#

stop-secldapclntd |n

stop-secldapclntd |nU9KPED secldapclntd X$xL#g{ secldapclntd X$Lr;PKP,|+

5X;vms#

>}: *#9KP secldapclntd X$xL,kdk:

/usr/sbin/stop-secldapclntd

XZ stop-secldapclntd |nD|`E",kND6AIX 5L V5.2 |nN<s+7PD

stop-secldapclntd#

restart-secldapclntd |n

g{ secldapclntd X$LrZKP,G4 restart-secldapclntd E>9d#9,;sXBt/|#g{

secldapclntd X$Lr;PKP,C|n;Gt/|#

>}:

1. *XBt/ secldapclntd X$Lr,kdk:

/usr/sbin/restart-secldapclntd

2. *XBt/ secldapclntd 9C 30 v_L"R_Y:f,15* 500 k,kdk:

/usr/sbin/restart-secldapclntd -p 30 -t 500

XZ restart-secldapclntd |nD|`E",kND6AIX 5L V5.2 |nN<s+7PD

restart-secldapclntd#

ls-secldapclntd |n

ls-secldapclntd |nPvK secldapclntd X$LrD4,#5XDE"|,TBZ]:

v }k secldapclntd X$Lra0D LDAP ~qw

v LDAP ~qwKZE

v 9CD LDAP -if>

v C'y> DN

v iy> DN

v 53(j6)y> DN

v C'_Y:fs!

v C'9CD_Y:fs!

v i_Y:fs!

v 9CDi_Y:fs!

v _Y:f,1(zf1d)5

v secldapclntd = LDAP ~qwDlbEE1ddt


v secldapclntd X$Lr9CD_L}

v LDAP ~qw9CDC'Ts`

v LDAP ~qw9CDiTs`

>}:

1. *Pv secldapclntd X$LrD4,,kdk:

/usr/sbin/ls-secldapclntd

XZ ls-secldapclntd |nD|`E",kND6AIX 5L V5.2 |nN<s+7PD ls-secldapclntd#

flush-secldapclntd |n

flush-secldapclntd |neU secldapclntd X$xLD_Y:f#

>}: *"B secldapclntd X$LrD_Y:f,kdk:

/usr/sbin/flush-secldapclntd

XZ flush-secldapclntd |nD|`E",kND6AIX 5L V5.2 |nN<s+7PD

flush-secldapclntd#

sectoldif |n

sectoldif |nA!>X(eDC'Mi,"T ldif q=+a{r!=j<dv#g{X(r=;vD~,I

TC ldapadd |nr db2ldif |n+a{mS= LDAP ~qw#

-S !n8(K ldif dvy9CD#=`M#sectoldif |nS\TB#=`M:

v AIX - AIX #=(aixaccount M aixaccessgroup Ts`)

v RFC2307 - RFC 2307 #=(posixaccount"shadowaccount M posixgroup Ts`)

v RFC2307AIX - j+'V AIX D RFC 2307 #=(posixaccount"shadowaccount M posixgroup Ts`T0 aixauxaccount M aixauxgroup Ts`)#

mksecldap |nwC sectoldif |n4Z LDAP ~qwhCZd(FC'Mi#9C sectoldif dvQ=S

DC'MiSd|53(F= LDAP ~qw1*ww#19C sectoldif dvmSn"S`v53(FC'M

i1(I\a<B`vK'2m;v}Vj6,bG2+T%}),ldapadd M db2ldif |nvlin{(C

'{ri{),x;li}Vj6#

>}:

1. *r!>X(eDyPC'Mi,kdkTB|n:

sectoldif -d cn=aixsecdb,cn=aixdata -S rfc2307aix

b+yP>X(eDC'MiT ldif q=r!=j<dv#9C rfc2307aix #=`Mm>C'nMi

n#y> DN hC* cn=aixsecdb, cn=aixdata#

2. *vr!>X(eDC'<;{,kdkTB|n:

sectoldif -d cn=aixsecdb,cn=aixdata -u foo

b+>X(eDC'<;{T ldif q=r!=j<dv#;x -S !n,9C1! AIX #=`M4m>

<;{D ldif dv#

XZ sectoldif |nD|`E",kND6AIX 5L V5.2 |nN<s+7PD sectoldif#


ldap.cfg D~q=

/etc/security/ldap/ldap.cfg D~|,}7t/MKPKD secldapclntd X$LrDE",2|,K+8w

ZX$LrT\DE"#/etc/security/ldap/ldap.cfg D~ZM'z201(} mksecldap |n4|B#

/etc/security/ldap/ldap.cfg D~IT|,TBVN:

ldapservers 8(:EVtD0LDAP 2+E"~qw1#b)~qwITGw~qwM/rw~qwD

1>#

ldapadmin 8(0LDAP 2+E"~qw1D\m1 DN#

ldapadmpwd 8(\m1 DN D\k#

useSSL 8(Gq9C SSL (E#P'5G ON M OFF#1!5* OFF#

":z+h* SSL \?MC\?T&D\k4tCC&\#

ldapsslkeyf 8(= SSL \?D+76#

ldapsslkeypwd 8( SSL \?D\k#

":!{TCPD"MT9C~X\k#\kf"D~Xkk SSL \?>m$tZ,;v

?<,"Xkk\?D~P`,D{F,+C .sth )9{fzK .kdb )9{#

userattrmappath *C'8(= AIX-LDAP tT3dD+76#

groupattrmappath *i8(= AIX-LDAP tT3dD+76#

idattrmappath *j68(= AIX-LDAP tT3dD+76#14( LDAP C'1 mkuser |n9C

b)j6#

userbasedn 8(C'y> DN#

groupbasedn 8(iy> DN#

idbasedn 8(j6y> DN#

hostbasedn 8(wzy> DN#

servicebasedn 8(~qy> DN#

protocolbasedn 8(-iy> DN#

networkbasedn 8(xgy> DN#

netgroupbasedn 8(xiy> DN#

rpcbasedn 8( RPC y> DN#

userclasses 8(CZC'nDTs`#

groupclasses 8(CZinDTs`#

ldapversion 8( LDAP ~qw-if>#1!5G 3#

ldapport 8( LDAP ~qwl}DKZ#1!5G 389#

ldapsslport 8( LDAP ~qwl}D SSL KZ#1!5G 636#

followaliase 8(Gqzfp{#P'5G NEVER"SEARCHING"FINDING M ALWAYS#1!5G NEVER#

usercachesize 8(C'_Y:fs!#P'5G 100-1,000 vn#1!5G 1,000#

groupcachesize 8(i_Y:fs!#P'5G 10-1,000 vn#1!5G 100#

cachetimeout 8(_Y:fD TTL(zf1d)#P'5G 60-3,600 k#1!5G 300#Q5h* 0 4

{C_Y:f#

heartbeatinterval Tk*%;48(M'z*5~qwqC~qw4,D1ddt#P'5G 60-3,600 k#

1!5G 300#

numberofthread 8( secldapclntd X$Lry9CD_L}#P'5G 1-1,000#1!5G 10#

PX /etc/security/ldap/ldap.cfg D~D|`E",kND AIX 5L Version 5.2 Files Reference PD

/etc/security/ldap/ldap.cfg#

LDAP tTD3dD~q=

/usr/lib/security/LDAP #iM secldapclntd X$Lr9Cb)3dD~4+ AIX tT{F*;* LDAP

tT{F#3dD~D?vnzm;vtTD*;#;vnPIDvUqVtDVN:

AIX_Attribute_Name AIX_Attribute_Type LDAP_Attribute_Name LDAP_Value_Type


AIX_Attribute_Name 8( AIX tT{F#

AIX_Attribute_Type 8( AIX tT`M#5* SEC_HAR"SEC_INT"SEC_LIST M SEC_BOOL#

LDAP_Attribute_Name 8( LDAP tT{F#

LDAP_Value_Type 8( LDAP 5`M#* s D5m>%5,m m>`5#

PX LDAP tT3dD~q=D|`E",kND AIX 5L Version 5.2 Files Reference PD LDAP attributemapping file format#

`XE"

mksecldap"start-secldapclntd"stop-secldapclntd"restart-secldapclntd"ls-secldapclntd"

sectoldif M flush-secldapclntd |n#

secldapclntd X$Lr#

/etc/security/ldap/ldap.cfg D~#

LDAP tT3dD~q=#


Z 5 B PKCS #11

PKCS #11 S53*&CLra)KTh8`M^X==CJ2~h8(jG)D=(#>BZ]{O PKCS

#11 j< V2.01#

9CTBi~5V PKCS #11 S53:

v e[\mwX$Lr(pkcsslotd),|*S53a)XZIC2~h84,DE"#Z20}LPT01

53XBt/1,CX$LraT/t/#

v *Q-5V PKCS #11 'VDJdwa)K API 2mTs(/usr/lib/pkcs11/pkcs11_API.so)w*(CS

Z#

v ;vX(ZJdwDb,|*Jdwa) PKCS #11 'V#KVchF9C'ITZBD PKCS #11 h8

IC1;CXB`kVP&CLrM9CCBh8#

>B|,TBE":

v :IBM 4758 2 M\k-&mw;

v Z 72 3D:PKCS #11 S53dC;

v Z 73 3D:PKCS #11 9C=(;

IBM 4758 2 M\k-&mw

IBM 4758 2 M\k-&mwa)2+DFc73#ZT<dC PKCS #11 S53.0,i$JdwGqQ-

9C'VD"k}7XdC}#

C PKCS #11 S53i$ IBM 4758 2 M\k-&mwD9C#

PKCS #11 S53hF*T/lb\Z20MXBt/}LP'V PKCS #11 wCDJdw#rK,+;\S

PKCS #11 SZCJNN;P}7dCD IBM 4758 2 M\k-&mw,"R"M=JdwDwCa'\#*

i$JdwGqhC}7,kjITBYw:

1. dkTB|nT7#JdwDm~20}7:

lsdev -Cc adapter | grep crypt

g{ IBM 4758 2 M\k-&mw;P|,Za{PmP,rliGq}7ECK(T0Gq}720K

'Vm~#

2. dkTB|nT7((PGq0kK}7DL~:

csufclu /tmp/l ST device_number_minor

i$ Segment 3 Image Gq0kK PKCS #11 &CLr#g{;P0k,NUX(JdwDD5qCnB

D"kM205w#

":g{C5CLr;IC,r;P20'Vm~#

© Copyright IBM Corp. 2002, 2003 71


PKCS #11 S53dC

PKCS #11 S53T/lb'V PKCS #11 Dh8#IG,*K;)Lr\9Cb)h8,;)u<D20G

X*D#b)Nq|(:

v :u</nF;

v :hC2+Y1 PIN;

v :u</C' PIN;

(} API((}`4 PKCS #11 &CLr)r9C SMIT gfIT4Pb)Nq#(}w SMIT K%D\m

PKCS11 S53r(}9C smit pkcs11 lY76CJ PKCS #11 SMIT !n#

u</nF

ZI&9C?;vJdwr PKCS #11 nF.0,Xku</#Cu</=h|(*j>hC;v(;j)#

Cj)Jm&CLr(;Xj6nF#rK,j);&CX4#;x,API ;i$j)Gq;PXB9C}#

(} PKCS #11 &CLrrI9C SMIT D53\m14Pu</#g{nFP;v2+Y1 PIN,d1!

5hC* 87654321#u</.s&C|DC5,T7# PKCS #11 S53D2+T#

u</nF:

1. dk smit pkcs11 xknF\mA;#

2. !q u</nF#

3. S'VDJdwPmP!q;v PKCS #11 Jdw#

4. 4B Enter |7OzD!q#

":byaA}nFODyPE"#

5. dk2+Y1 PIN(SO PIN)M(;DnFj)#

g{dkK}7D PIN,|nKPjOTsJdwau</rXBu</#

hC2+Y1 PINg{nFP;v SO PIN,ITS PIN D1!5|D PIN,gBy>:

1. dk smit pkcs11:

2. !qhC2+Y1 PIN#

3. !qzkhC SO PIN DQu</Jdw#

4. dk10D SO PIN MBD PIN#

5. i$BD PIN#

u</C' PINnFu</Ts,I\PX*hCC' PIN TJm&CLrCJnFTs#N<X(h8DD5T7(ZCJ

Ts.0Ch8Gq*sC'G<#

u</C' PIN:

1. (}dk smit pkcs11 xknF\mA;#

2. !q u</C' PIN#

3. S'VDJdwPmP!q;v PKCS #11 Jdw#

4. dk SO PIN MC'D PIN#


5. i$C'D PIN#

6. i$1,Xk|DC' PIN#

XBhCC' PIN*XBhCC' PIN,IT9C SO PIN XBu</ PIN r9CVPDC' PIN hCC' PIN#*4PK

Yw:

1. dk smit pkcs11 xknF\mA;#

2. !qhCC' PIN#

3. !qzkhCC' PIN DQu</DJdw#

4. dk10DC' PIN MBD PIN#

5. i$BDC' PIN#

hC PKCS #11 /}XFr?

g{;P0k/}XFr?,G4nFI\;'V?S\Yw#N<X(h8DD57(nFGqh*/}X

Fr?T0ZN&R=|#

g{h*/}XFr?,z&CP;v\?D~#*SX/}XFr?:

1. dk smit pkcs11 xknF\mA;#

2. !q hC/}XFr?#

3. *nF!q PKCS #11 e[#

4. dk/}XFr?D~D76#

PKCS #11 9C=(

&CLr*9C PKCS #11 S53,S53De[\mwX$LrXk}ZKP,xR&CLrXk0k API

D2mTs#

(#Z}<1,inittab wC /etc/rc.pkcs11 E>4t/[\mw#Zt/[\mwX$Lr0,CE>i$

53PDJdw#rK,ZC'G<530,e[\mwX$LrG;ICD#X$Lrt/s,Z;P53

\m1I$DivB,S53+T'VJdwD}?M`MDyP|DxPO"#

IT(}KP14S=TsPr9CSYD{Ebv+ API 0k#}g,&CLrITCTB==q! PKCS

#11 /}Pm:

    /* Function pointer that will receive C_GetFunctionList from the library. */
    CK_RV (*pf_init)();
    void *d;
    CK_FUNCTION_LIST *functs;
    CK_RV rc;

    /* e holds the path of the PKCS #11 shared object, e.g. /usr/lib/pkcs11/pkcs11_API.so */
    d = dlopen(e, RTLD_NOW);
    if ( d == NULL ){
        return FALSE;
    }

    /* Resolve the single entry point every PKCS #11 library exports. */
    pf_init = (CK_RV (*)())dlsym(d, "C_GetFunctionList");
    if (pf_init == NULL){
        return FALSE;
    }

    /* Fill functs with the library's function list; check rc against CKR_OK. */
    rc = pf_init(&functs);


Z 6 B X.509 $iO$~qM+C\?y!a9

$iO$~q* AIX 5.2 Yw53a)9C X.509 +C\?y!a9(PKI)$iO$C'M+$ikxLX

*w*C'm]$wD\&#(}I0XDO$#ir\(LAMF),CZa) DCE"Kerberos D`,I)9

D AIX zFMd|O$zFa)K\&#

TB>ZV[TBwb:

v :$iO$~qDEv;

v Z 77 3D:$iO$~qD5V;

v Z 86 3D:f.$iO$~q;

v Z 88 3D:$iO$~qDb0;

v Z 88 3D:20MdC$iO$~q;

$iO$~qDEv

?vNS PKI O$DC'J'<P;v(;D PKI $i#G<}LP+$ik\kaOp4CZO$C'#

PKI $iyZ+C\?/(C\?<u#C<u9C=vGTF\?4S\Mb\}]#9CdP;v\?S

\D}];\9Cm;v\?b\#C'#t;v\?(C,Pw(C\?,f"Z(CD\?f"wP,x

T$iDN="<m;v\?,Pw+C\?#$i;cZa?6?<CJ-i(LDAP)~qwO,$,Z

i/P+>Z9CrZrXxO@g6'Z9C#

{* John DC'*x{* kathy DC'"M;P}\b\D}],John XkS Kathy Q"<D$iPqC

+C\?,9C Kathy D+C\?S\}],Y+}]"Mx}#Kathy +9CZ}(C\?f"wP}D(

C\?b\4T John D}]#

K<u2CZ}V){#g{ Kathy k"MI}}V){D}]x John,Kathy +9C}D(C\?4}V)

{}]"R"M}]M}V){x John#John +qC4T Kathy DQ"<$iD+C\?,Z9C}]0C

+C\?4i$}V){#

b=VivB,Kathy D(C\?Z(CD\?f"wP,$#m``MD(C\?f"w|,G\(MD~,

+GyP\?f"w`M<(}9C\krvK6pk(PIN)4#$(C\?#|G(#*`v(C\?,

,$iMd| PKI Ts;pa)f"#C'(#5P{GT:D\?f"w#

ZG<}LP,$iO$~q9C}V){<u4O$C'#$iO$~qyZC'J'{FR=C'D$i

M\?f"w,9CC'D\kSC'D\?f"wPqC$iD%d(C\?,9CC'D(C\?j6}

]n,"C4T$iDC'D+C\?4li){#C'O$s,53Z\#$DZfPf"C'D$i,+

$ikC'4(D?vxLX*#TC'MYw53ZK5PDNNxL,CZfPX*tCTC'$iDl

YCJ#

$i

mb$iO$~qh*T$i"$iq=M$iz|\Z\mDy>mb#$iGq- X.509 j<Dj</T

s,dP,f> 3(X.509v3)GnBf#O$PD(CA)4("j6M"v$i,|(#GS\M&m$ik

sDm~&CLr#$iI8v$itTiI#;)tTGX*D,+m`GI!D#ZKD5P(#9CM

V[D$itTP:

v $if> - X.509 f>E(4 1"2 r 3)#

v rPE - ;v+C$iSyPd|I`, CA "vD$iP(;Xxp*4D$irPE#


v )"_{F - 8($iD)" CA D{F#

v P'Z - $iD$nM=ZU#

v +C\? - +CD\?#

v wb(P{F - 8($iyP_D{F#

v wb8C{FgSJ~ - yP_DgSJ~X7#

v wb8C{F URI - yP_D Web >c URI/URL#

?v$iP;v(;Df>E4m>{ODvf>D X.509 j<#?v$iP;vrPE(;X+dk,; CA

"vDyPd|$ixp*4#rPEvT"v CA G(;D#$iD)"_{Fj6"v CA#

$i;PZ=v8(DUZ.dGP'D:0;gZ1UZM0;mZ1UZ#rK,I\ZP'UZ.04

($i,Z+43vUZ.0#$iP 3 vB= 5 jDz|6'GUiD#

wb(P{F(}9C{*0(P{F1(DN)D(CD|{q=8($iyP_#DN <GKzRrXx"

i/"GP"]"yP_{FMd|kks5eX*DtT((#GK,+;^ZK)Df6#wb8C{F

gSJ~<GKyP_gSJ~X7Df6,wb8C{F URI <GKyP_D Web >c URI/URL Df6#

O$PDM$i

O$PD"v"f""(#"<$i#"<$iD+2;CGZ LDAP ~qwO,r* LDAP JmTfrE

e(r}]=cDCJ#

CA 9&m$iD!{M$i7zPm(CRL)D\m#!{$iG"<IZ3)-r(}$iP'Z=Z.

b)X($i;YP'DB5DP*#r*$iD1>ITZ"v CA DXFb,$M9C,CA Z CRL P

"<Q!{$iDPm9CbfD5e\i/Pm#byMC5e:pCQ4FD$i4HOQ4FD$iM

"v CA D CRL#CA ;\!{|4(r"vD$i#;\!{Id| CA "vD$i#

!{$iD\m-r|,:

v $iD(C\?D9)#

v $iyP_k*+>#

v CA D9)#

CA 2P|GT:D6p$i#d|9CP(}g,EN4),|Jm CA ZTH(EP%`6p#

m` CA 'Vi/M!{$iD$i\m-i(CMP)#-i'V`v=(ZM'z(2F*K5e)M CA

.d("2+,S,d;;G+?M'zM CA 'VyP=(#;v+2D=(h*?v$i4(M!{ks

9C}CEM CA 6pD\k#I\2h*}g CA 6pDXb$ibyDd|}]#!{ksI\h*!{

$iD%d(C\?#

d; CMP *$i4(M!{ksw<8,4;'V CRL i/ks#5JO,-#(}xb=(CJ CRL#

r*-#Z LDAP ~qwO"< CRL,yTm~&CLr\S LDAP ~qwPqC CRL "V$(h CRL#

m;VvVD=(G*z$i4,-i(OCSP),+;GyPD CA <'V OCSP#

CA (#I~.i/rIED=Ki/5PMYw,|GT<a)#$,9."vD$ikjk"v$iDK`

{#Lo"v$ib6E4($i,kksQ"<$iD1>;,#

$if"q=

f"vp$iDn(CDq=G9CXl`kfr(DER)Diso({Em>( V1(ASN.1)q=#Cq=

}C* DER q=#


\?f"w

\?f"w(P1F*\?/)|,%d|G$iD+C\?DC'(C\?#*K=cX6p,(#IC'

+;v(;D\?j)8(x?v(C\?#\?f"wG\\k#$D,ZC'CJ\?rmSB\?.0

h*C'dk\k#(#,C'5P{GT:D\?f"w#\kf"wPm`;,Dq=,}g:G\("

yZ LDAP"yZD~H#;vN=;,,9PCJ|GyCD=(Mf"(C\?}]Dq=2;,#$i

O$~qv'VyZD~D\?f"w#

$iO$~qD5V

$iO$~qw*M'z/~qw#MKP#*4(M,$ X.509 V3 $iM$i7zPm(CRL),~qw

K|,O$PD(CA)#((#,;vi/T{vi/9C;v CA#)M'z|,?vSk PKI O$D53

h*Dm~(|n"b"0k#iMdCD~)#~qwD20m~|G cas.server,M'zD20m~|G

cas.client#

4( PKI C'J'

4( PKI C'J',9C AIX mkuser |n#4(s,?vJ'P;v$iM;v(CD\?f"w#(2

\+VPDJ'*;* PKI J',+Gh*d|=h#)\m1+\?f"w\ka)xBC',BC'\G

<=53"|D{GD\?f"w\k#

C'O$}]w

>ZhvuyO$ PKI C'#C'ITPk{GJ'X*D`v$i#*=cO$,?v$iPk|X*D(

;D,C'(eDjG5,+;P;v$i\8(*O$$i#$iO$~q9C{* auth_cert D?vC'

DtT48(C'DDv$iGC'DO$$i#auth_cert tTD5G$iDjG5#

Z?C'y!OD LDAP B,$$i"jG"%d\?f"w;C"%d\?j)Md|`X}]#C'{M

jGDiOJm$iO$~qZ LDAP ~qwB(;$i#PX PKI LDAP cD|`E",kNDZ 79 3

D:PKI LDAP c($if"w);#

G<1,C'a)C'{M\k#(}C'{,53SC'D auth_cert tTPlwC'DO$$ijG#a

OC'{MjG,53S LDAP PlwC'D$i"\?f"w;CM%d\?j)#liZ$iP"VDP

'Z547($iGQ-=Z9G4o=$nUZ#SE53y]\?f"w;C"\?j)Ma)D\k4

lwC'D(C\?#lw(C\?s,53(}Z?)pxL4i$(C\?M$i%d#g{~_%d,

C'(}G<}LD PKI O$=h#(b";b6EC'QG<#JmC'CJ530,ZC'J'OD AIX

4P8nd|J'li#)

TZCwO$$iD$i,Xk9CIE)V\?)pC$i#*KTsD}C+){M$i;pf"Z LDAP

B#K5Vh*Z+jG8(x auth_cert 0$iQ5P){#

O$}L;HO$iM CRL#bGIZT\-r(CRL (Q1d4q!M(h,"RI\]1;IC),+G

9r* CRL D"<SY((} CRL,9C$i!{I*{CC'JEDI/Dfz7,CA Z"<!{$i

0I\SY;v!1r|`1d)#

O$;h* CA 2^Xt*#}Klw LDAP Bf"D}].b,$iO$~q>X4Pw*D$w#

~qw5V

$iO$~qD~qwK5V Java `4D CA,|,,,Tsi&\D"aPD(RA)#|"<$iM* LDAP

~qw4(D CRL#(}dCD~/(Java tTD~),CA GIdCD#||,{* runpki D\m&CL


r,C&CLrZd|&\Pa)S|n4t/M#9~qw,R*4(M!{$i'V CMP#CA h* Java

1.3.1"IBM DB2 7.1 }]bM IBM Directory 4.1#r* DB2 Dh*,CA XkZC'J'x;G root C'

BKP#

*oz20M\m cas.server i~,~qw|,TB|n:

mksecpki20P9CC|n4dC AIX PKI ~qwi~#w*NqD?V,C|n*O$PD4($iO$C

'J'#

runpkiC|nJm53\m1t/~qw#g{ JavaPKI X$Lr}ZKP,XkWH#9#runpki |n(

}9C lb j>iOZs(Pt/X$Lr#g{h*Z;%==Pt/X$Lr,\m1IT`-

runpki |n"9C l j>xG lb j>#

TZZdBKPO$PDDC'J',runpki |nXkZTd4P su - YwsKP#|n(;ZO

$PDC'J'w?<BD javapki ?<#(mksecpki |n4(O$PDC'J'#)

}g,g{O$PDC'J'G pkiinst,G4C,6(^,dkTBZ]:

1. su - pkiinst

2. cd javapki

3. runpki

M'z5V

$iO$~qM'z5V$iO$~qDC'O$"C'\mMC'$i\m&\#Z53O20MdCs,

(} AIX I0XDO$#ir\(LAMF)D9C,$iO$~q/I*VPDC'O$M\m&\(}g

mkuser"chuser"passwd M login |n)#9mS|n"bMdCD~4oz\mC'$iM\?f"w#

*Kf"j< AIX tT,$iO$~q\k AIX LDAP }]bzFryZD~}]bzFOC#$iO$~

q;19C LDAP 4,$C'$i,uAZ9CyZD~D}]bzF1#*q!PX9CyZD~D}]b

1D^FDE",kNDZ 86 3D:f.$iO$~q;#

$iO$~qDM'zK|,=?~Ps`}frC'Dm~#r*bv-r,TBZhv$iO$~quy

,$M9C PKI O$h*D}]#

#fM'z&\

TBPmhv$iO$~qD;)#f&\:

v (} PKI $ia)C'O$

v a)\mC'$iM\?f"wD|n

v ?vC''V`v$i

v ,1'V`v CA

v /I=VPD AIX \m|nMO$P(}g,login"passwd"mkuser)

v ZC'4(1zI$irC'4(smS$i

v C LDAP C'}]brj< AIX yZD~DC'}]b$w

v dC\?s!Mc(

v X*$iMxLO$i(PAG)#


#fM'ze5a9

$iO$~qDM'ze5a99CVcD=(,".V*TBiIi~:

v :Java X$Lr;

v :~q\mc;

v :PKI LDAP c($if"w);

v Z 80 3D:libpki.a b;

v Z 80 3D:I0XDO$#ir\c;

v Z 80 3D:M'z|n;

v Z 81 3D:xLO$i|n;

v Z 81 3D:C'\m|n;

v Z 82 3D:dCD~;

Java X$Lr: ZM'zDy!G9C JCE 2+m~|DyZ Java DX$Lr#X$Lr\mC'\?

f"w"4(\?T"4P CMP (E,"a)+?"PMS\&\#r* PKI ~q)&Lm~|D API T

C &CLrG;j<D,Pw~q\mc(SML)D|0Lrc API r&CLrMX$Lra)f6/D

API#

~q\mc: Java X$LrD SML ~q{* /usr/lib/security/pki/JSML.sml#SML 4($i,"4(M

\m\?f"w,+;\m$if"#$if"I PKI LDAP c\m#

(} SML f"(C\?: *f"C'\?,Java X$Lr9C PKCS#12 Qq=/\?f"wD~#C4

S\\?f"wP+?\?D%;\k#$\?f"w#+\?f"wD;C8(* URI#1!ivB,$i

O$~q,$ /var/pki/security/keys ?<PD\?f"wD~#

\?f"w(#Zs!O\^,|(D~\?f"w#SML ca)\m\?f"wD API#

$iO$~qv'VD~\?f"w#;'VG\(r LDAP \?f"w#IT(}+D~\?f"wECZ

yP53,;20cBD2mD~53P4'V~NC'#

PKI LDAP c($if"w): $iO$~q(} PKI LDAP c,Z LDAP D?vC'y!Of"$i

M$i`XE"#$iO$~q,$ LDAP ~qwO?vC'y!OD$iX*#C'J'ITP`vkdX

*D$i#*K=cX6pMi/,?vX*P(;D,C'8(DjG#$iO$~q9CC'D{FMj

GDiOZ LDAP P(;C'D$iX*#

TZT\`TELUd[T=8,$iO$~q\#f LDAP BD{v$irvvGT$iD URI }C#g

{ URI }CC4zf$i,$iO$~qi/}CTqC5JD$i#}Cn#kZ LDAP ~qwO"<$

iD CA aO9C#$iO$~q10'VD URI }C`MG LDAP }C#$iO$~qT DER q=f

"$i"Z{ URI }CTND DER q=/D$i#

$iO$~q2f"?v$ik LDAP ~qwX*D$i`,DG<P%dD\?f"wM\?j)D`MM

;C#JmC'P;vTO\?f"w,*lY"V$iD%d(C\?Jm$iO$~q#*'V~NDC

',C'D\?f"wXk$tZyP53OD,;;C#

$iO$~q,$T?vC'*y!D LDAP PD auth_cert tT#CtT8(C4O$D$iDjG#

}\^Z LDAP ldappkiadmin J'D auth_cert tTb,+? LDAP E"TZU(C'GIAD#H;

root C'(} acct.cfg D~CJ LDAP ldappkiadmin \k,G4T root DP' UID KPD&CLrI

TCJ auth_cert tT#(JCZ URI }C5DICJT,x;GI URI }C5}CD}]#(#,I URI

}C5}CD}]G+2D#)\m$if"D API |,Z libpki.a b#


libpki.a b: }w* SML API M PKI LDAP c API Dy~qb,libpki.a bUX8VS}L#b|,4

PTBYwD API:

v \mBdCD~

v CJ$iX(tT

v +`v|Mc&\iO=|_6&\P

v Z SML ~qP$ZG+2D

":;"< API#

I0XDO$#ir\c: SML API M PKI LDAP API .O$tI0XDO$#ir\(LAMF)c#

LAMF a) AIX O$MP+2O$MC'\m API DC'\m&CLr,;<GBcDzF(}g

Kerberos"LDAP"DCE"D~)#LAMF 9C SML API M PKI LDAP API w*5V PKI O$PD9(#

i#

(}+ LAMP D API 3d=;,O$/}]b<uD0k#iD9C44P#s login"telnet"passwd"

mkuser H|n9C LAMF API 45V|GD&\;rK,1b)<uDB0k#imS=53P1,b)

|nT/'VBO$M}]b<u#

$iO$~qmSB LAMF 0k#i={* /usr/lib/security/PKI D53#*KO$,XkZ9C PKI 0

I53\m1+#imS= /usr/lib/security/methods.cfg D~P##i2XkZCZO$0M methods.cfg D~PD}]b`M(}g,LDAP)GITD#|, LAMF #iM}]b(eD methods.cfg D~D;v

>},ITZZ 97 3D:methods.cfg D~;PR=#

;)+(emS= methods.cfg,\m1IT+ registry M SYSTEM C'tT(Z /etc/security/user D

~PQ(e)hC=* PKI O$DBZ5#

M'z|n: Z+? API cO(LAMF"PKI LDAP M SML)$t|n#}'V$iO$~q((}

LAMF)Dj< AIX O$MC'\m|n.b,9fZ8V$iO$~qX(|n#b)|nozC'\m$

iM\?f"w#BfGxPrLhvD|nPm#

certadd+$imS= LDAP PDC'J'"li$iGq!{#

certcreate4($i#

certdeleteSC'J'>}$i(4,S LDAP)#

certgetSC'J'lw$i(4,S LDAP)#

certlink+TfZZ6LJ4bD$iD4SmS= LDAP PDC'J'"li$iGq!{#

certlistPvk|,Z LDAP PDC'J'X*D$i#

certrevoke!{$i#

certverifyi$(C\?%d$i"4PIE)p#


keyadd+\?f"wTsmS=\?f"w#

keydeleteS\?f"wP>}\?f"wTs#

keylistPv\?f"wPDTs#

keypasswd|D\?f"wOD\k#

PXb)|nD|`E"#kND6AIX 5L V5.2 |nN<s+7#

xLO$i|n: xLO$i(PAG)|nTZ AIX GBD#PAG G+C'O$}]kxLX*D}]n#

TZ$iO$~q,g{QtC PAG zF,C'O$$ikC'G< shell X*#shell 4(SxL1,PAG

+%=?vSxL#

PAG zFh*tC /usr/sbin/certdaemon X$Lr4a)C&\#1!ivB,CzF;PtC#$iO$

~q;h* PAG zFGtCD,+Gg{GtCDr9CCzF$w#

tC certdaemon X$Lr,+TBPmS= /etc/inittab D~:

certdaemon:2:wait:/usr/sbin/certdaemon

xPrLhvD PAG |nPmgB:

paginitO$C'"4( PAG X*#

pagdelPvk10xLX*DO$E"#

paglist}%Z10xL>$PVPD PAG X*#

PXb)|nD|`E",kND6AIX 5L V5.2 |nN<s+7#

C'\m|n: kC'O$`F,$iO$~q(} AIX LAMF k AIX C'\m&\/I#s chuser"lsuser"mkuser M passwd D|n9C LAMF API 45V|GD&\#rK,1+*b)<uB0k#i

mS=531,b)|nT/X'VBO$M}]b<u#

BfSZa)K PKI O$gN0lC'\m|n=fD|nkD[c#

TB|n\ PKI O$xL0l:

chuserC|nJm\m1^D auth_cert C'tT#CtT8(C4O$D$iDjG5#*Kw*O$$

i9C,$iXkIIE)V\?)p#((}C|n,$itT"$if"tTM\?f"wtT

G;ICD#)

lsuser C|nPvC'D auth_cert tTD5,T0ZBfPvD$itT#auth_cert tT8(C4O$

D$iDjG5#((}C|n,d|$itT"$if"tTM\?f"wtTG;ICD#)

lsuser |nPvD$itTgB:

subject-DNC'DTs(P{F#


subject-alt-nameC'wb8C{FgSJ~#

valid-afterC'$id*P'DUZ#

valid-untilC'$id*^'DUZ#

issuer "PLD(P{F#

mkuserC|n*\m1a)ZC'4(1dzI$iD!n#Z*9;PO$$iDC'4(C'Zd,\

m1\9C mkuser |n4zI$i#N!D,g{C'Q-PO$$i,+;PC'J',\m1

\;zI$ix4(J',fsmS$i(M\?f"w)#C!nD1!5I cert tTZ newuser Z

PD /usr/lib/security/pki/policy.cfg D~P8(#

1*C'9C mkuser |nT/XzIO$$i1h*m`1!5#Z /usr/lib/security/pki/policy.cfg D~D newuser ZP8(m`b)5#newuser Za)Tb)1!5D\mXF#;)1!5gB:

v CA

v auth_cert tTD5

v \?f"wD;C

v \?f"wD\k

v (C\?j)

v wb8C{FgSJ~VNDr{

4( PKI C'J'MG PKI C'J'P*OD;,G:g{ mkuser |n*J'zIO$$i,4

( PKI C'J'h*\k4S\(C\?#r* mkuser |nGG;%=|n,|nS policy.cfg D~PqC\k,+\?f"w\k((C\?\k)hC=C5;rK,4(sJ'"4GICJ

D#4(G PKI C'J'1,mkuser |n+\khC*^'5,@9ICJT#

passwdK|nZ PKI C'J'O9C1^DC'\?f"w\k#|?FZ /etc/security/user D~PR=

\k^Ffr"|?FZ /etc/security/passwd D~PR=j>tT,R|?F PKI ~q)&Lh

*DNNfr#

r*yZD~D\?f"wCC'\kS\|GD(C\?,root C';*@\?f"wD10\k

1;\XBhCyZD~D\?f"wD\k#g{C'|Gd\?f"wD\k,r root C';\

XBhC\k,}G root *@C\?f"wD\k#g{;*@\k,I\XkxC'"<B\?f

"wMB$i#

dCD~: $iO$~q*dCM'z9CdCD~:acct.cfg"ca.cfg M policy.cfg#SMIT gf*b)

dCD~a)'V#TBZa)XZdCD~DE"#

acct.cfg D~: acct.cfg D~I CA ZM LDAP Z9I#CA Z|,;JO+CIAD ca.cfg D~D(

C CA E",}g CMP }CEM\k#LDAP Z|,;JO+2CJD(CD LDAP E",}g PKI LDAP

\m{FM\k#

T ca.cfg D~PD?v CA Z,acct.cfg D~&C|,,y|{D CA Z,+? CA ZXk(;|{#LDAP

Z+?|{* ldap,r*bv-r,CA Z;\|{* ldap#,y,;PZ\|{* default#LDAP ZX

kfZ,R2XkfZAY;v{* local D CA Z#

CA Z|,TBtT:


capasswd8( CA D CMP \k#\kD$HI CA 8(#

carefnum8( CA D CMP }CE#

keylabel8(ZIE\?f"wPC4)p$ijkD(C\?Dj)#

keypasswd8(IE\?f"w\k#

rvpasswd8(CZ CMP D!{\k#\kD$HI CA 8(#

rvrefnum8(CZ CMP D!{}CE#

LDAP Z|,TBtT:

ldappkiadmin8(Z ldapservers PPvD LDAP ~qwDJ'{F#

ldappkiadmpwd8( LDAP ~qwJ'D\k#

ldapservers8( LDAP ~qw{F#

ldapsuffix8(I mkuser |nmS=C'$i DN D DN tT#

TBG acct.cfg D~>}:

local:
    carefnum = 12345678
    capasswd = password1234
    rvrefnum = 9478371
    rvpasswd = password4321
    keylabel = "Trusted Key"
    keypasswd = joshua

ldap:
    ldappkiadmin = "cn=admin"
    ldappkiadmpwd = secret
    ldapservers = "ldap.server.austin.ibm.com"
    ldapsuffix = "ou=aix,cn=us"

PX|`E",kND AIX 5L Version 5.2 Files Reference#

ca.cfg D~: ca.cfg D~I CA Z9I#CA Z|,*zI$ijkM$i7zjk,$iO$~q9CD

+2 CA E"#

TZ ca.cfg D~PD?v CA Z,acct.cfg D~&C|,;v,y|{D CA Z#ca.cfg D~PD?v CA

Z{FXkG(;D#XkfZAY;v{* local DZ#Z;\|{* ldap r default#

CA Z|,TBtT:

algorithm8(+C\?c((}g,RSA)#


crl 8( CA D CRL URI#

dn 8(4($i19CDy> DN#

keysize8(T;FcDn!D\?s!#

program8( PKI ~q#iD~{F#

retries8(*5 CA 1XTN}#

server 8( CA D URI#

signinghash8(CZ)p$iD"Pc((}g,MD5)#

trustedkey8(|,CZ)pO$$iDIE)V\?DIE\?f"w#

url *wb8C{F URI 8(1!5#

1! CA Z|{* local#TBG ca.cfg D~D;v>}:

local:
    program = /usr/lib/security/pki/JSML.sml
    trustedkey = file:/usr/lib/security/pki/trusted.p15
    server = "cmp://9.53.230.186:1077"
    crl = "ldap://dracula.austin.ibm.com/o=aix,c=us"
    dn = "o=aix,c=us"
    url = "http://www.ibm.com/"
    algorithm = RSA
    keysize = 512
    retries = 5
    signinghash = MD5

PX|`E",kND AIX 5L Version 5.2 Files Reference#

policy.cfg D~: policy.cfg D~IDvZ9I:newuser"storage"crl M comm#b)Z^D;)53

\m|nDP*#mkuser |n9C newuser Z#certlink |n9C storage Z#certadd M certlink |

n9C comm M crl Z#

newuser Z|,TBtT:

ca 8(zI$i1 mkuser |n9CD CA#

cert 8(1!ivB mkuser |nGzI$i(new)9G;zI(get)#

domain8(zI$i1 mkuser |n9CD$iDwb8C{FgSJ~5Dr?V#

keysize8(zI$i1 mkuser |n9CDT;FcDn!DS\\?s!#

keystore8(zI$i1 mkuser |n9CD\?f"w URI#

keyusage8(zI$i1 mkuser |n9CD$iD\?9C5#

label 8(zI$i1 mkuser |n9CD(C\?j)#


passwd8(zI$i1 mkuser |n9CD\?f"wD\k#

subalturi8(zI$i1 mkuser |n9CD$iDwb8C{F URI 5#

tag 8( cert=new 4(C'1 mkuser |n9CD auth_cert jG5#

validity8(zI$i1 mkuser |n9CD$iDP'Z5#

version8(*4(D$iDf>E#'VD5vP 3#

storage Z|,TBtT:

replicate8( certlink |nG#f$iD1>(yes),9G;G4S(no)#

crl Z|, check tT,CtT8( certadd M certlink |nGq&Cli CRL(yes),r;li(no)#

comm Z|, timeout tT,CtT8(19C HTTP(}g,}Zlw CRL)ks$iE"1,certaddM certlink 9CDTkFcD,1\Z#

TBG policy.cfg D~D;v>}:

newuser:
    cert = new
    ca = local
    passwd = pki
    version = "3"
    keysize = 512
    keystore = "file:/var/pki/security/keys"
    validity = 86400

storage:
    replicate = no

crl:
    check = yes

comm:
    timeout = 10

PX|`E",kND AIX 5L Version 5.2 Files Reference#

sFU>B~: $iO$~qM'zzITBsFU>B~:

v CERT_Create

v CERT_Add

v CERT_Link

v CERT_Delete

v CERT_Get

v CERT_List

v CERT_Revoke

v CERT_Verify

v KEY_Password


v KEY_List

v KEY_Add

v KEY_Delete

zYB~: $iO$~qM'zZ 3B7 M 3B8 6'ZzI8vBDzYB~#

f.$iO$~q

T AIX 5.2 *<D$iO$~qGICD#T$iO$~qDn!m~hsG;( DB2 ~qw";( IBM

?<~qwM;($iO$~q~qw#+?\20Z;v53r;v53iOO#?vs5Xk*{GD7

37(nC!n#

>Za)f.$iO$~qDE",gB:

v :$i"bBn;

v :\?f"w"bBn;

v :C'"am"bBn;

v Z 87 3D:dC"bBn;

v Z 87 3D:2+T"bBn;

v Z 87 3D:d|$iO$~q"bBn;

$i"bBn

$iO$~q'V X.509 V3 $i#9'V8v V3 $itT,+;G+?$itT#q!\'VD$itT

DPm,kND certcreate |nM ca.cfg D~#$iO$~q|,\^D Teletex V{/D'V#X(X,

$iO$~q;'V 7 ;(ASCII S/)Teletex#

\?f"w"bBn

$iO$~q'V\?f"wD~#;'VG\("LDAP \?f"wMd|`MD\?f"w#

1!ivB,+C'\?f"w#tZ>XD~53D /var/pki/security/keys ?<B#r*\?f"wTZ

53G>XD,d|53;\CJ|G;rx,C'O$+^FZ|,C'D\?f"wD53P#<G=~

NC',+C'D\?f"wT`,D\?f"w{F4F=d|53D,;;C,r_+\?f"wECZ

V<=D~53O#

":Xkww47#TC'\?f"wDCJmI(;PDd#(Z AIX P,LDAP PD?v$i|,=|,

$i(C\?D(C\?f"wD76{F#*KCZO$,\?f"wXkfZZ LDAP P8(D76

{F#)

C'"am"bBn

$iO$~q'V LDAP C'"am#LDAP 2GFvDM$iO$~q;,9CDC'"am`M#

$iO$~q2'VyZD~DC'"am#*KyZD~D PKI }7$w,\m1X*?F3)^F#X(

X,Sk PKI O$D;,53O,y|{DC'J'Xk8r,;J'#

}g,53 A ODC' Bob M53 B ODC' Bob Xk8r,;C' Bob#bGr*$iO$~q9C

LDAP Z?vC'y!Of"$iE"#C'{w*w}\?4CJCE"#r*yZD~D"amTZ?v

53G>XD,LDAP TZyP53G+VD,Sk PKI O$DyP53OC'{Xk3d= LDAP {FU


dP(;DC'{#g{53 A ODC' Bob k53 B ODC' Bob ;,,r_;P Bob PD;v\S

k PKI O$,r_?v Bob J'Xk9C;,D LDAP {FUd/~qw#

dC"bBn

*KdCr%,<G,$ZV<=D~53OD}vdCD~(acct.cfg"ca.cfg M policy.cfg),9C{E

4S4\bXkZ?v53O^DdCD~#Zb)D~O,$}7DCJXFhC#r*Zb)D~PDE

"+gxg+M,yTCivI\vS2+)4#

2+T"bBn

acct.cfg D~

acct.cfg D~|,tPD CA }CEM\k(kND acct.cfg D carefnum"capasswd"rvrefnum M

rvpasswd tThv)#1Vp4($iM!{$i1*K CMP k CA (E,%@9Cb)5#g{b\F

5,kV_I\\;fb4($iT0fb!{NNKD$i#

*K^FgU,<G+$i4(r!{^F=Y?D53#vZ4($iD53Oh* carefnum M capasswdtT((} certcreate r mkuser |n)#bI\b6E^FC'J'4(=,yD53hC#

":C'4(}LPITdC mkuser |nTT/4($i,r|IT4(K'x^h$i,IK\m1Xk

fs4(MmS$i#

,yX,vZ!{$i((} certrevoke |n)D53O,Eh* rvrefnum M rvpasswd tT5#

acct.cfg D~2|,tPIE)V\?E"(kND acct.cfg D~D keylabel M keypasswd tThv)#

*XbD$ii$Yw%@9Cb)5#g{b\F5,kV_I\\;1lQi$D$i#

*K^FgU,<G^F$ii$=Y?53#;PZh*$ii$D53O,Eh* acct.cfg D~D

keylabel M keypasswd tT,T0 ca.cfg D~D trustedkey tT#X(X,Zh* mkuser(t/K

T/4($i)M certverify |nD53O#

$nBJ'

4( PKI C'J'1,g{+ policy.cfg D~P newuser ZD cert tThC* new,mkuser |n4

(n/D PKI J'"j+_P$wD$iM\k#newuser ZPD passwd tT8(J'OD\k#r*

\?f"wh*\kTf"(C\?#bkC'J'4(Dd|`MD;,ZZ\m1XkWH4(J',;

sZJ'$n0hC\k#

root C'M\?f"w\k

;sd|J'`M,root C';*@J'D\kM\|DJ'D\k,PKI J';Jmby#bGr*J'\

kC4S\\?f"w,x;*@\kM;\b\\?f"w#1C'|G\k1,Xk"vB$i"4(B

D\?f"w#

d|$iO$~q"bBn

f.$iO$~q1d|D"bBn|,gBZ]:

v $iO$~q|,T:DO$PD(CA)#$iO$~q;'Vd{ CA 5V#

v \?s!=s,zI\?TMS\}]yhD1d=`#;'VyZ2~DS\#

v $iO$~q* LDAP 9C IBM ?<#$iO$~q;'Vd{ LDAP 5V#

v $iO$~q*}]b'V9C DB2#$iO$~q;'Vd{}]b5V#

v $iO$~qh*yP|n"bMX$LrKPZ Unicode 73P#


$iO$~qDb0

$iO$~qDm~|i~PTBZ]:

m 7. $iO$~qDb0

m~|{F D~/ Z] `XT 20

cas.server cas.server.rte O$PD(CA) v AIX 5.2

v Java131(f AIX yiJ;p

a))

v Java131 2+T)9(f)9

|;pa))

v IBM ?<~qw(LDAP)

v DB2 7.1

Va

cas.client cas.client.rte v Cert |n

v PKI Auth 0k#i

v libpki.a

v SML #i

v dCD~

v Java X$Lr

v AIX 5.2

v Java131(f AIX yiJ;p

a))

v Java131 2+T)9(f)9

|;pa))

v IBM ?<M'z(LDAP)

v PAG(hk)

Va

cas.msg cas.msg.[lang].client {"`? cas.client Va

bos bos.security.rte PAG |nMX$Lr ;JC MZK;p

20

cas.server m~||, CA,Z /usr/cas/server M /usr/cas/client ?<P20#(#,;vi/v9C;

v CA,rK,V$20Cm~|#Cm~|Z IBM ?<~qwKDHvu~G db2_07_01.client"Java131.rte M Java131.ext.security#20 AIX 5.2 Yw531,1!ivB20 Java131.rte m~|,

+GV$20d|m~|#

*K db2_07_01.client m~|$w,db2_07_01.server m~|Xk20ZxgOD53O#

cas.client m~||,'V$iO$~qD?vM'z53yhDD~#;PCm~|,53;\Sk AIX PKI

O$#

20MdC$iO$~q

$iO$~qD20I4PTB}L9I:

v Z 89 3D:20MdC LDAP ~qw;

v Z 91 3D:20MdC$iO$~q~qw;

v Z 92 3D:*$iO$~q~qwdC LDAP;

v Z 94 3D:dC$iO$~qM'z;

v Z 97 3D:\mdC>};


20MdC LDAP ~qw

1* PKI C'$i}]20MdC LDAP 1I\"zTBiv#

v g{;P20 LDAP ~qwm~,4PTB}L:

1. :LDAP ~qw20;

2. :LDAP ~qwdC;

3. Z 90 3D:* PKI dC LDAP ~qw;

v g{Q20MdC LDAP ~qwm~,+;P* PKI dC,4PZ 90 3D:* PKI dC LDAP ~qw;#

LDAP ~qw20

PX20 IBM ?<~qwm~Dj85w\Z ldap.html.en_US.config D~/P|,Dz7D5PR=#

20 ldap.html.en_US.config D~/s,IT9CTB URL OD web /@wi4D5:

file:/usr/ldap/web/C/getting_started.htm#

LDAP ~qw20}LgB:

1. w* root C'G<#

2. + AIX y>Yw53 CD Dm 1 Ek CD-ROM }/w#

3. Z|nPdk smitty install_latest "4B Enter |

4. !q Install Software#

5. !qdkh8r|, IBM ?<~qwm~Dm~?<,4B Enter |#

6. 9C F4 |4PvZ Software to Install VNPD20m~|#

7. !q ldap.server m~|,4B Enter |#

8. i$ AUTOMATICALLY install requisite software !nQhC* YES,"4B Enter |#b+20 LDAP

~qwMM'zD~/T0 DB2 sK}]bD~/#

20DD~/|,TBZ]:

v ldap.client.adt(?<M'z SDK)

v ldap.client.dmt(?<M'z DMT)

v ldap.client.java(?<M'z Java)

v ldap.client.rte(?<M'zKP173)

v ldap.server.rte(?<~qwKP173)

v ldap.server.admin(?<~qw)

v ldap.server.cfg(?<~qwdC)

v ldap.server.com(?<~qwr\)

v db2_07_01.*(DB2 KP173MX*DD~/)

DB2 m~|,db2_07_01.jdbc,2Xk20#DB2 m~|,db2_07_01.jdbc,;Z Expansion Pack CD#

9CTOPvD20}L20 db2_07_01.jdbc m~|#

LDAP ~qwdC

20 LDAP M DB2 D~/s,XkdC LDAP ~qw#49(}|nPMD~`-\4PdC,*Kua

\mMdC,Fv LDAP Web \m1#C$_h* Web ~qw#

Apache Web ~qw&CLr;Z LINUX Applications CD D AIX Toolbox P#9C SMIT gfr geninstall|n420 Apache Web ~qw#2\9Cd| Web ~qw,*q!j8E"kND LDAP D5#


dC LDAP Dj85w\Zz7 HTML D5PR=#BfGdC=hDrwhv:

1. 9C ldapcfg 4hC LDAP }]bD admin DN M\k#\m1G LDAP }]bD root C'#C\

k secret dC cn=admin D\m1 DN,dkTBZ]:

# ldapcfg -u cn=admin -p secret

TsdC?vM'z1+h* DN M\k#X(X,+ DN M\kCw acct.cfg D~P ldap ZD

ldappkiadmin M ldappkiadmpwd tT#

2. 9C Web ~qwdCD~D;CdC Web \m1$_,gB:

# ldapcfg -s apache -f /etc/apache/httpd.conf

3. XBt/ Web ~qw#TZ Apache ~qw,9C|n:

# /usr/local/bin/apachectl restart

4. C URL http://hostname/ldap 4CJ Web \m1#;s9CZ=h 2 PdCD LDAP \m1 DN M

\kG<#

5. 9C Web \m1$_,q-dC DB2 }]bsKD8<,XBt/ LDAP ~qw#

* PKI dC LDAP ~qw

$iO$~qh*=vVkD LDAP ?<E"w#CA 9C;vw"<$iM CRL#?vM'z9Cm;v

wf"Mlw?vC' PKI }]#TB=hdCCZf"Mlw?vC' PKI }]D LDAP ?<E"w#

1. mS LDAP dCs:n#PKI }]D1!s:G cn=aixdata#TyPD AIX }],+ PKI $i}]E

CZ1!s:B#PKI }]D1!}] root G ou=pkidata,cn=aixdata#yP PKI }]ECZC;C#

PKI }]s:

cn=aixdataTZyP AIX }]D+2s:#g{d| AIX }]}Z9C LDAP ~qw,rI\Q-f

Z#

s:dCnI(} Web \m1$_,r1S`- LDAP ~qwdCD~xPmS#

9C Web \m1mSs:dCn,k4PTBYw:

a. Ss_DK%P!q Settings#

b. !q Suffixes#

c. * PKI }]dkX*Ds:,;s%w Update 4%#

d. I&mSs:s,XBt/ LDAP ~qw#

(}`- LDAP ~qwdCD~mSs:dCn,4PTBZ]:

a. Z /usr/ldap/etc/slapd32.conf D~P,(;|,TBZ]DP

ibm-slapdSuffix: cn=localhost

bG1!53s:#

b. * PKI }]mSX*D ibm-slapdSuffix n#}g,\mSkTBZ]`FDs:n:

ibm-slapdSuffix: cn=aixdata

c. #fdCD~|D#

d. XBt/ LDAP ~qw#

2. mS PKI }]s:"Root M ACL }]bn#}] Root G LDAP ?<a9PDc,dB$tyPD

PKI }]#TZ*yP PKI }]hCCJfrD}] Root,ACL GCJXFPm#a) pkiconfig.ldifD~+s:"root M ACL nmS=}]bP#WH,mSs:M root }]bnM PKI }]\m1\k#

D~DZ;v?V+1!s:nmS=}]bP,hC\kgB:


dn: cn=aixdata
objectclass: top
objectclass: container
cn: aixdata

dn: ou=pkidata,cn=aixdata
objectclass: organizationalUnit
ou: cert
userPassword: <<password>>

`- pkiconfig.ldif D~,TZ PKI }]\mwCzD\kf; userPassword tTsD <<password>>

V{.#

TsdC?vM'z1+h* DN M userPassword 5#X(X,+ DN(ou=pkidata,cn=aixdata)M

password D5Cw acct.cfg D~PD ldap ZPD ldappkiadmin M ldappkiadmpwd tT#

D~DZ~?V|DyP("* PKI }]mS ACL,gB:

dn: ou=pkidata,cn=aixdata
changetype: modify
add: entryOwner
entryOwner: access-id:ou=pkidata,cn=aixdata
ownerPropagate: true

dn: ou=pkidata,cn=aixdata
changetype: modify
add: aclEntry
aclEntry: group:cn=anybody:normal:grant:rsc:normal:deny:w
aclEntry: group:cn=anybody:sensitive:grant:rsc:sensitive:deny:w
aclEntry: group:cn=anybody:critical:grant:rsc:critical:deny:w
aclEntry: group:cn=anybody:object:deny:ad
aclPropagate: true

":*\b#&= PKI 5VDj{T,k;*T ACL hCwNN|D#

pkiconfig.ldif D~IT`-T9C}K1!5TbDD~s:,;x;TP-iD LDAP \m1Fv9

C#;sIT9CBfD ldapadd |n9 ldif D~JCZ}]b#C>X LDAP \m1 DN M\kf

; -D M -w !nD5,gB:

# ldapadd -c -D cn=admin -w secret -f pkiconfig.ldif

3. XBt/ LDAP ~qw#9C web \mw$_,r(}1@MXBt/ slapd xL4XBt/ LDAP ~

qw#

20MdC$iO$~q~qw

20MdC$iO$~q,k4PTBYw:

1. S Expansion Pack CD P20 Java 2+TD~/(Java131.ext.security.*)#yhDm~|gB:

v Java131.ext.security.cmp-us(Java $i\m)

v Java131.ext.security.jce-us(Java \ku)9)

v Java131.ext.security.jsse-us(Java 2+WSV)9)

v Java131.ext.security.pkcs-us(Java +C\?\ku)

2. S /usr/java131/jre/lib/ext P+ ibmjcaprovider.jar D~F/=m;v?<P#CD~k Java 2+TD

~/e;,*K$iO$~qD}7KPXkF/CD~#

3. S Expansion Pack CD P20$iO$~q~qwD~/(cas.server.rte)#


*$iO$~q~qwdC LDAP(}4PTB=hdC$iO$~q~qw4k LDAP ;,$w:

1. g{9;P20,G4Z'V cas.server m~|D53O20 IBM ?<M'zm~|#

2. g{9;PdC,G4dC IBM ?<M'z,gB:

# ldapcfg -l /home/ldapdb2 -u "cn=admin" -p secret -s apache \
    -f /usr/local/apache/conf/httpd.conf

hk Web ~qwGTOdC|nPD Apache Web ~qw#

3. +TBs:mS= slapd.conf D~P,gB:

ibm-slapdSuffix: o=aix,c=us

IT8(;,D(P{Fzf o=aix,c=us#

4. KP slapd |n,gB:

# /usr/bin/slapd -f /etc/slapd32.conf

5. mSTs`,gB:

# ldapmodify -D cn=admin -w secret -f setup.ldif

dP setup.ldif |,TBZ]:

dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 2.5.6.21 NAME 'pkiuser' DESC 'auxiliary class for non-CA certificate owners' SUP top AUXILIARY MAY userCertificate )

dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 2.5.6.22 NAME 'pkiCA' DESC 'class for Cartification Authorities' SUP top AUXILIARY MAY ( authorityRevocationList $ caCertificate $ certificateRevocationList $ crossCertificatePair ) )

dn: cn=schema
changetype: modify
replace: attributetypes
attributetypes: ( 2.5.4.39 NAME ( 'certificateRevocationList' 'certificateRevocationList;binary' ) DESC ' ' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE )
-
replace: ibmattributetypes
ibmattributetypes: ( 2.5.4.39 DBNAME ( 'certRevocationLst' 'certRevocationLst' ) ACCESS-CLASS NORMAL )

6. mSn:

# ldapadd -D cn=admin -w secret -f addentries.ldif

addentries.ldif |,TBZ]:

dn: o=aix,c=us
changetype: add
objectclass: organization
objectclass: top
objectclass: pkiCA
o: aix

":cas.server m~|Pa)y> addentries.ldif M setup.ldif D~#

7. #9"t/ slapd X$Lr#


4(O$PD

4(O$PDgB:

1. 4(}CD~#}CD~|,;vr`v$i4(}CEM\kT#1$i4(Zd$iO$~qM'z

T<T~qwO$1,;v\kTm>$iO$~q~qwS\DO$E"#D~Dq=Gsz\kD}

CE,<Z@"DPO#}g:

12345678 password1234
87654321 password4321

dP 12345678 M 87654321 G}CE,password1234 M password4321 G|GwTD\k#;JmUW

P#UqV{;\Z}CEr\k0s#D~PXkAYfZ;v}CEM\k#Z

/usr/cas/server/iafile P\iR=>}D~#?NhCM'zh*}Cb)5#

2. 9C mksecpki |ndC CA,gB:

# mksecpki -u pkiuser -f /usr/cas/server/iafile -p 1077 -H ldap.cert.mydomain.com \
    -D cn=admin -w secret -i o=aix,c=us

mksecpki j>ODE"gB:

-u 8(20$iO$~q~qwyZDC'J'{F#

-f 8(Z.0=hP4(D}CD~#

-p 8( LDAP ~qwDKZE#

-H 8( LDAP ~qwwz{r IP X7#

-D 8( LDAP \mwD+2{F#

-w 8( LDAP \m\k#

-i 8(C'$i}]$tdPD LDAP V'#

mksecpki |nT/zI,, TrustedKey \?j)DIE)V\?M CA C'J'D\k,+|ECZ

/usr/lib/security/pki/trusted.pkcs12 \?f"wD~P#;PX*4P:4(IE)V\?;PD=h,

}Gh*zI`v\?rk*xP;,\?j)M/r\kDIE)V\?#

4(IE)V\?

mksecpki |nT/zI,, TrustedKey \?j)DIE)V\?M CA C'J'D\k,"+|ECZ

/usr/lib/security/pki/trusted.pkcs12 \?f"wD~P#g{h*zIBDIE)V\?r`vIE)V\?,

G4>Za)zIIE)V\?h*D=h#

yPJm$i4(M!{D$iO$~qM'z*K)pC'O$$ih*IE)V\?#Z@"D\?f"

wP#f\?,TZ\ZdP4($iDyP53I*ICD#yP53\9C%;\?,r_*K|2+D

=(,\4(MV<`v\?#

*4(IE\?,9C /usr/java131/bin/keytool |n#9C;fZDD~DD~{#keytool |na>dk

\?f"w\kM\?\k#*KCJ\?f"wPD\?,TZ$iO$~q,\?f"w\kM\?\k

XkG`,D#KP keytool |n,gB:

keytool -genkey -dname 'cn=trusted key' -alias 'TrustedKey' -keyalg RSA \
    -keystore filename.pkcs12 -storetype pkcs12ks

ZC>}P,IE\?j)G TrustedKey,RIE\?f"w\kGC'a)D#G!b)5,r*ZdC

$iO$~qM'z1h*|G#1dC$iO$~qM'z1,acct.cfg D~PD keylabel M keypasswdtTh*VphC=IE\?j)MIE\?f"w\k#


*K2+T-r,7#\?f"wD~(filename.pkcs12)GAM4#$D#;P root C'aP=CD~DC

J(#IE\?&CG\?f"wP(;DTs#

dC$iO$~qM'z

Z$iO$~qDM'zKPm`dC!n#TBZa)Sk PKI O$D?v53yhDdC}L#

20IE)V\?

+|,IE)V\?DIE\?f"w4F=>X53#PX4(IE)V\?DE",kNDZ 93 3D

:4(IE)V\?;#IE\?f"wD1!;CGZ /usr/lib/security/pki ?<P#

r*2+T-r,7#\?f"wD~GAM4#$D#;P root C'aP=CD~DCJ(#

`- acct.cfg D~

9Cs vi |n;yDyZD>D`-w,}%I\fZZ /usr/lib/security/pki/acct.cfg D~PDyP ldapZ#

dCO$PD

nM^H,XkdC>X CA J'#1!ivB,fZ>X CA J',+Xk+d^DT%dzD73#

(}yZZDdCD~D%;53,$iO$~q'V`v CA D9C#1C'rm~8( CA 1,9C1!

CA Z{F local#ZJ1D$iO$~qdCD~PyP53XkP;vP'D local Z(e#;P;v CA

P local DZ{F#yPd| CA XkP;v(;DZ{F#CA Z{F;\G ldap r default#

TBZ(} SMT dCA;8<zdC>X CA#

|D/T>O$PD:

1. KP PKI SMIT,gB:

smitty pki

2. !q|D/T>O$PD#

3. TO$PD{FVN,dk local,4B Enter |#

4. + Service Module Name VNhC* /usr/lib/security/pki/JSML.sml#bG1! SML 0k#i#C

VN3d= /usr/lib/security/pki/ca.cfg D~PD program tT#

5. vT CA D$i76{VN#CVN3d= /usr/lib/security/pki/ca.cfg D~PD certfile tT#

6. + CA DIE\?76{VNhC*>X53OIE\?f"wD;CD URI#v'VyZD~D\?f

"w#IE\?f"wDdMD;CGZ /usr/lib/security/pki ?<P#(kND:20IE)V\?;#)

CVN3d= /usr/lib/security/pki/ca.cfg D~PD trustedkey tT#

7. + URI of the Certificate Authority Server VNhC* CA ;C(cmp://myserver:1077)D URI#

CVN3d= /usr/lib/security/pki/ca.cfg D~PD server tT#

8. vT$iV<cVN#CVN3d= /usr/lib/security/pki/ca.cfg D~PD cdp tT#

9. hC$i7zm(CRL)URI VN#CVN*C CA 8(&ChC*$i7zmD;CD URI#(#,

bG LDAP URI,}g:

ldap://crlserver/o=XYZ,c=us

CVN3d= /usr/lib/security/pki/ca.cfg D~PD crl tT#

10. 1!$i(P{FVN8(4($i1yCDy_ DN(}g,o=XYZ,c=us)#CVNG;h*D#CVN

3d= /usr/lib/security/pki/ca.cfg D~PD dn tT#


11. g{Z4(1;Pa)wb8C{F URI,1!$iwb8C{F URI VN8(4($i19CD1!

wb8C{F URI#CVNG;h*D#CVN3d= /usr/lib/security/pki/ca.cfg D~PD url tT#

12. +C\?c(VN8(4($i19CD+C\?c(#!nG RSA M DSA#g{=_<;8(,53

1!5* RSA#CVN3d= /usr/lib/security/pki/ca.cfg D~PD algorithm tT#

13. +C\?s!(T;*%;)VN8(+C\?c(D;s!#CVNGT;,;GVZ*%;,*'V

B;IPDVZs!,y!D+C\?zFI\+C5Daek#((#,1;};G 8 D<6}1Da

ek)#>}5G 512"1024 M 2048#g{;8(CVN,531!* 1024 ;#CVN3d=

/usr/lib/security/pki/ca.cfg D~PD keysize tT#

14. ns(EXTVN8(53Ez0T<*5 CA(14(r!{$i1)DN}#531!* 5 N#CV

N3d= /usr/lib/security/pki/ca.cfg D~PD retries tT#

15. )p"Pc(VN8()pO$$i19CD"Pc(#!nG MD2"MD5 M SHA1#53D1!*

MD5#CVN3d= /usr/lib/security/pki/ca.cfg D~PD signinghash tT#

16. 4B Enter |a;|D#

|D/T> CA J':

1. KP PKI SMIT,gB:

smitty pki

2. !q|D/T> CA J'#

3. TO$PD{FVN,dk local,4B Enter |#

4. $i4(}CEVN8(4($iPyCD CA }CE#4(}CEXkIyP}ViI,R$HOAY

7 v } V # C A ( e } C E #( k N D Z 9 3 3 D : 4 ( O $ P D ; #) C V N 3 d =

/usr/lib/security/pki/acct.cfg D~PD carefnum tT#

5. $i4(\kVN8(4($i19CD CA D}C\k#4(\kXkI 7 ; ASCII kDV8M}V

iI,$HOAY 12 vV{#Z CA P(e4(\k,RXkGTO4(}CED%d\k#(kND

Z 93 3D:4(O$PD;#)CVN3d= /usr/lib/security/pki/acct.cfg D~PD capasswd tT#

6. $i!{}CEVN8(1!{$i19CD}CE#!{}CEXkIyP}ViI,$HOAY 7 v

}V#Z?v$i4(Zd+!{}CE"Mx CA,"(} CA k$iX*#*!{$i,!{}LP

X k " M M 4 ( $ i 1 " M D ` , D ! { } C E ( M ! { \ k )# C V N 3 d =

/usr/lib/security/pki/acct.cfg D~PD rvrefnum tT#

7. $i!{\kVN8(1!{$i19CD}C\k#!{\kXkI 7 ; ASCII kDV8M}ViI,

$HOAY 12 vV{#?v$i4(}LP+!{\k"Mx CA,"(} CA k$iX*#*!{$

i,!{}LPXk"MM4($i1"MD`,D!{\k(M!{}CE)#CVN3d=

/usr/lib/security/pki/acct.cfg D~PD rvpasswd tT#

8. IE\?j)VN8((;ZIE\?f"wDIE)V\?Dj)(P1F* alias)#IE\?jE5G

4TZ 93 3D:4(IE)V\?;D5#CVN3d= /usr/lib/security/pki/acct.cfg D~PD keylabeltT#

9. IE\?\kVN8((;ZIE\?f"wDIE)V\?D\k#IE\?\k5G4TZ 93 3D

:4(IE)V\?;D5#CVN3d= /usr/lib/security/pki/acct.cfg D~PD keypasswd tT#

10. 4B Enter |a;|D#

mS CA LDAP J':

1. KP PKI SMIT,gB:

smitty pki

2. !qmS LDAP J'#


3. \mC'{VN8( LDAP \mJ' DN#CA LDAP J'D\mC'{kZ 89 3D:LDAP ~qwdC;

MZ 92 3D:*$iO$~q~qwdC LDAP;9CD{F`,#C5&* cn=admin#CJ CA LDAP

}]1*Kk LDAP ~qw(EM'z9C|#CVN3d= /usr/lib/security/pki/acct.cfg D~PD

ldappkiadmin tT#}g:

ldappkiadmin = "cn=admin"

4. \m\kVN8( LDAP \mJ'\k#\m\kkZ 89 3D:LDAP ~qwdC;MZ 92 3D:*$

iO$~q~qwdC LDAP;9CD\k`,#CVN3d= /usr/lib/security/pki/acct.cfg D~PD

ldappkiadmpwd tT#}g:

ldappkiadmpwd = secret

5. ~qw{FVN8( LDAP ~qwD{F,RXkZ?v LADP ZP(e#C5G%;D LDAP ~qw

{F#CVN3d= /usr/lib/security/pki/acct.cfg D~PD ldapservers tT#}g:

ldapservers = ldapserver.mydomain.com

6. s:VN8(}]$tZdPD?<E"wD DN s:#Cs:GCZZ 92 3D:*$iO$~q~qw

dC LDAP;PD ibm-slapdSuffix tTD5#CtTXkZ?v LDAP ZP(e#CVN3d=

/usr/lib/security/pki/acct.cfg D~PD ldapsuffix tT#}g:

ldapsuffix = "ou=aix,cn=us"

7. 4B Enter |a;|D#

mS PKI ?vC' LDAP J': 4PMZ 95 3D:mS CA LDAP J';P,yD=h,}K9CZZ

90 3D:* PKI dC LDAP ~qw;PDmS PKI s:M ACL }]bn=hP9CD5#9CTB5:

v \mC'{(ou=pkidata,cn=aixdata),

v \m\k(password),

v ~qw{F(site specific),

v s:(ou=pkidata,cn=aixdata)#

4B Enter |a;|D#

|D/T>_T:

1. KP PKI SMIT,gB:

smitty pki

2. !q|D/T>_T#

v *BC'4($iVN8( mkuser |nG*BC'zI$iM\?f"w(new),9Gg{4(C's

\m1a)$iM\?f"w(get)#CVN3d= /usr/lib/security/pki/policy.cfg D~PD newuser Z

D cert tT#

v O$PD{FVN8(zI$i1 mkuser |n9CD CA#VN5XkG ca.cfg D~PR=DZ{F;

}g,local#CVN3d= /usr/lib/security/pki/policy.cfg D~PD newuser ZD ca tT#

v u < C ' \ k V N 8 ( 4 ( C ' \ ? f " w 1 m k u s e r | n 9 C D \ k # C V N 3 d =

/usr/lib/security/pki/policy.cfg D~PD newuser ZD passwd tT#

v $if>VN8(zI$i1 mkuser |n9CD$if>#(#X,v'V5 3,|zm X.509v3#CV

N3d= /usr/lib/security/pki/policy.cfg D~PD newuser ZD version tT#

v +C\?s!VN8(zI$i1 mkuser |n9CD+C\?Ds!(T;*%;)#CVN3d=

/usr/lib/security/pki/policy.cfg D~PD newuser ZD keysize tT#

v \?f"w;CVN8(4(\?f"w1 mkuser |n9CD URI q=D\?f"w?<#CVN3d

= /usr/lib/security/pki/policy.cfg D~PD newuser ZD keystore tT#


v P'ZVN8(zI$i1 mkuser |n9CD$i*sDP'Z#*sDP'ZI\GrI\;G4($

i1 CA ZhD#\Z\Tk"lrj*%;48(#g{;a);v}V,rO*GTk*%;#g{}

Vs"4GV8 d,rbM*l#g{}Vs"4GV8 y,rbM*j#>}5G:

– 1y(4 1 j)

– 30d(4 30 l)

– 2592000(4Tk*%;m>* 30 l)

CVN3d= /usr/lib/security/pki/policy.cfg D~PD newuser ZD validity tT#

v 4FG>X$iVN8( certlink |nG#f$iD1>(yes),9G;G=$iD4S(no)#CVN

3d= /usr/lib/security/pki/policy.cfg D~PD storage ZD replicate tT#

v li$i7zPmVN8( certadd M certlink |nZ4P|GDNq0Gli CRL(yes)9G;li

(no)#CVN3d= /usr/lib/security/pki/policy.cfg D~PD crl ZD check tT#

v 1!(E,1VN8(9C HTTP(}g,lw CRL)ks$iE"1 certadd M certlink |n9CDT

k*%;D,1\Z#CVN3d= /usr/lib/security/pki/policy.cfg D~PD comm ZD timeout tT#

methods.cfg D~

methods.cfg D~8( registry M SYSTEM tT9CDO$o(D(e#X(X,bMGTZ PKILDAP(49C LDAP D PKI)M FPKI(D~ PKI)DO$o(XkI53\m1(eMmSD;C#

BfGdMD methods.cfg (e#Z{F PKI"LDAP M PKILDAP *NbD{F,ITI\m1|D#

>Z*K;BT<U9Cb)Z{F#

PKI:
    program = /usr/lib/security/PKI
    options = authonly

LDAP:
    program = /usr/lib/security/LDAP

PKILDAP:
    options = auth=PKI,db=LDAP

*'V~NC',Z'V~NC'DyP53P9C`,D methods.cfg Z{FMtT5#

\mdC>}

4(B PKI C'J'

*4(B PKI C'J',9C mkuser |nMJ1D /usr/lib/security/methods.cfg Z{F(PKILDAP)#

!vZZ /usr/lib/security/pki/policy.cfg D~PDtThC,mkuser |n\*C'T/4($i#BfG

4(C'J' bob D mkuser >}:

mkuser -R PKILDAP SYSTEM="PKILDAP" registry=PKILDAP bob

+G PKI C'J'*;* PKI C'J'

+G PKI C'J'*;* PKI C'J'P;T;,D=(#Z;v=(nuJm53\m1u<XCJC'

(C\?f"w,bZxvD73PI\rI\;GIS\D,+4G*;C'DnlD=(#Z~V=(h

*ZC'M53\m1.dD;%wC,bI\(|`D1dhC#

=v>}<9CTBYh:

v Q-20"dC0KP cas.server M cas.client#

v Z methods.cfg P+ PKILDAP (e*:methods.cfg D~;PT>DGy#


>} 1:

(},6(^,53\m1TC'J' bob 4PTB|n:

certcreate -f cert1.der -l auth_lbl1 cn=bob bob   # Create & save cert in cert1.der.
certadd -f cert1.der -l auth_lbl1 auth_tag1 bob   # Add cert to LDAP as auth_tag1.
certverify auth_tag1 bob                           # Verify & sign the cert in LDAP.
chuser SYSTEM="PKILDAP" registry=PKILDAP bob       # Change account type to PKILDAP.
chuser -R PKILDAP auth_cert=auth_tag1 bob          # Set the user's auth certificate.

G4,CC' bob 9C keypasswd |n|D{Z\?f"wOD\k#

>} 2:

CC' bob 4POf>} 1 D0 3 v|n(certcreate"certadd"certverify),4({T:D$iM\?

f"w#;sC53\m14POf>} 1 Dns=v chuser |n#

4(MmSO$$i

g{ PKI C'h*4(O$$i,C'IT4(B$i,RC53\m19C$iI*C'DO$$i#Bf

GC' bob 4($i,53\m19C$iI*O$$iD>}#

# Logged in as user account bob:
certcreate -f cert1.der -l auth_lbl1 cn=bob       # Create & save cert in cert1.der.
certadd -f cert1.der -l auth_lbl1 auth_tag1       # Add cert to LDAP as auth_tag1.
certverify auth_tag1                               # Verify & sign the cert in LDAP.

# As the system administrator:
chuser -R PKILDAP auth_cert=auth_tag1 bob          # Set the user's auth certificate.

|D1!B\?f"w\k

`- /usr/lib/security/pki/policy.cfg D~PD newuser ZD passwd tT5T^DC44(B PKI C'

D\?f"wD\k#

&mQp5DIE)V\?

|,IE)V\?DD~h*f;,RC'O$$ih*XB)p#

&mQp5DC'(C\?

g{C'D(C\?Qp5,C'r\m1&C9CJ1D-rk!{C$i,&C+p5(*9C+C\?

Dd|C',RS(C/+C\?D?Dx(,&C"<B$i#g{$iCwC'DO$$i,G4m;v

$i(tZC'DB$irVPD4p5D$i)&CmS*BO$$i#

&mQp5D\?f"wr\?f"w\k

|D\?f"wD\k#!{yPC'D$i#*C'4(4($i,|,BO$$i#*KCJT0DS\

}],Qp5D(C\?I\TZC'T;GPCD#

F/C'D\?f"wr|DC'D\?f"wD{F

g{C'D(C\?Qp5,C'r\m1&C9CJ1D-rk!{C$i,&C+p5(*9C+C\?

Dd|C',RS(C/+C\?D?Dx(,&C"<B$i#g{C$iCwC'DO$$i,G4m;

v$i(tZC'DB$irVPD4p5D$i)&CmS*BO$$i#

F/C'D\?f"wr|DC'D\?f"wD{F

?v,$Z LDAP PDC'$i|,|D%d(C\?D\?f"w;C#*S;v?<P+C'D\?f"

wF/=m;v,r|D\?f"wD{F,h*|DkC'D$iX*D LDAP \?f"wD;CM{F#

g{C'9C`v\?f"w,G4XkXp"b;|D\?f"w|D0lD$iD LDAP E"#

+\?f"wS /var/pki/security/keys/user1.p12 F/= /var/pki/security1/keys/user1.p12:


# As root...
cp /var/pki/security/keys/user1.p12 /var/pki/security1/keys/user1.p12

# Retrieve a list of all the certificates associated with the user.
certlist ALL user1

# For each certificate associated with the keystore, do the following:
# A) Retrieve the certificate's private key label and its "verified" status.
# B) Retrieve the certificate from LDAP.
# C) Replace the certificate in LDAP using the same private key label,
#    but the new keystore path name.
# D) If the certificate was previously verified, it must be verified again.
#    (Step D requires the password to the keystore.)

# Example modifying one certificate.
# Assume:
#   username:  user1
#   cert tag:  tag1
#   key label: label1

# Retrieve the certificate's private key label.
certlist -a label tag1 user1

# Retrieve the certificate from LDAP and place it in file cert.der.
certget -f cert.der tag1 user1

# Replace the certificate in LDAP.
certadd -r -f cert.der -p /var/pki/security1/keys/user1.p12 -l label1 tag1 user1

# Re-verify the certificate if it was previously verified.
# (Need to know the keystore password.)
certverify tag1 user1


Z 7 B IekO$#i

IekO$#i(PAM)a9*53\m1a)(}Iek#i+`vO$zFaOxVP53D\&#'

V9C PAM D&CLr\;;|DVPD&CLrMek=BD<uP#bVinTJm\m14PTBY

w:

v *&CLr!q53PDNbO$~q

v Tx(D~q9C`vO$zF

v ;^DVPD&CLrxmSBDO$~q#i

v 9CT0dkD\k4CZ`#iO$

PAM a9Ib"Iek#iT0dCD~iI#PAM b5VK PAM &CLr`LSZ(API)"*\m PAM

BqMwCZIek#iP(eD PAM ~q`LSZ(SPI)a)~q#Iek#iy]wC~q0dZdC

D~PDnxIb/,0k#I&;+!vZIek#i,2!vZ*~qy(eDP*#(}Q;DEn,

IT+~qdC*(}`vO$=(O$#g{C='V,G4#i2IdC*9CH0a;D\k,x;G

a>mbdk#

B<T>K&CLr"PAM b"dCD~T0 PAM #idD;%wC#Y(D PAM &CLr

(pam_login"pam_su T0 pam_passwd)wC PAM bPD PAM API#by]dCD~PD&CLrn7(

0kJ1D#i,"wCZC#iPD PAM SPI#(}9CZ PAM #iP5VDT0&\,ITZ PAM #

iMb.d(E#;s,#iDI&r'\kdCD~P(eDP*7(Gqh*0km;v#i#g{G,

xLLx;qr,a+}]"MX&CLr#

PAM b

PAM b /usr/lib/libpam.a |, PAM API,|w*yP PAM &CLrD+2SZ"R9XF#i0k#PAM

by]Z /etc/pam.conf D~P(eDQ;P*0k#i#

TBD PAM API &\wCI PAM #ia)D`& PAM SPI#}g,pam_authenticate API wCZ PAM

#iPD pam_sm_authenticate SPI#

< 3. PAM r\M5e. ><T>KY(D&CLr|ngN9C PAM b4CJJ1D PAM #i#

© Copyright IBM Corp. 2002, 2003 101


v pam_authenticate

v pam_setcred

v pam_acct_mgmt

v pam_open_session

v pam_close_session

v pam_chauthtok

,1Z PAM bP2a)K8v&\,b)&\tC&CLr4wC PAM #iM+E""M= PAM #i#

TBD PAM a9 API Z AIX P5V:

pam_start (" PAM a0

pam_end U9 PAM a0

pam_get_data lwX(Z#iD}]

pam_set_data hCX(Z#iD}]

pam_get_item lw+2 PAM E"

pam_set_item hC+2 PAM E"

pam_get_user lwC'{

pam_strerror q! PAM j<msE"

PAM #i

PAM #iJmZ53OO"rVp9C`vO$zF#x(D PAM #iXkAY5VDV#i`M.;##

i`MT0*sk#i`M;BD`&D PAM SPI hvgB#

O$#i

O$C'T0hC""BrF5>$#b)#iy]|GDO$M>$6pC'#

O$#i&\:

v pam_sm_authenticate

v pam_sm_setcred

J'\m#i

7(C'J'DP'TT0SO$#i6psDsLCJ#b)#i4PDli(#|,J'=ZM

\k^F#

J'\m#i&\:

v pam_sm_acct_mgmt

a0\m#i

t/MU9C'a0#Kb,I\a)a0sF'V#

a0\m#i&\:

v pam_sm_open_session

v pam_sm_close_session

\k\m#i

4P\k^DT0`XDtT\m#

\k\m#i&\:

v pam_sm_chauthtok


PAM dCD~

/etc/pam.conf dCD~I?v PAM #i`MD~qniI,"(}Q(eD#i76a)7I~q#KD

~PDnITBUWVtDVNiI:

service_name module_type control_flag module_path module_option

dP:

service_name 8(~qD{F#X|V OTHER CZ(enP;P8(D&CLryCD1!#i#

module_type *~q8(#i`M#P'#i`MG auth"account"session r password#

control_flag *#i8(Q;P*#'VDXFj>G required"sufficient r optional#module_path 8(5V~q&\DbTsD76{#module_path n&CSy(/)?<*<#g{C

n;T / *<,G4a+ /usr/lib/security $h*D~{#

module_option 8(\;"M=~q#iD!nPm#CVND5!vZZ module_path VNP(e

D#i'VD!n#

yPDHPVNTZ?vn<GX*D,}K module_options VN,|GI!D#PAM bavTq=msD

nT0 module_tyep r control_flag VN_P^'5Dn#Pp<T}V{E(#)*7Dn2a;vT,r*

bm>"M#

(}9C`,D module_type VN4(`vnZdCD~P5VQ;#TD~PPvD3rwC#i,"I?

vn8(D control_flag VN7(nUa{#control_flag VNDP'5MZQ;PD`&DP*gB:

required yPQ;P required #iXk(}E\C=I&Da{#g{;vr`v required #

i'\,G4a"TQ;PyP required #i,+5XZ;v'\D required #iD

ms#

sufficient g{;vj>* sufficient D#iI&,.0;P required r sufficient D#i'\,

GMavTQ;PyP#`D#i,"5XI&#

optional g{Q;P;P#iG required,"R;P sufficient #iI&,G4AYP;vTZ

~qD optional #iXkI&#g{ZQ;PDm;v#iI&K,G4MavT

optional #iPD'\#

TBG /etc/pam.conf D~>},|\;Z20Kd|D PAM #iD53O9C:

#
# PAM configuration file /etc/pam.conf
#

# Authentication Management
login   auth     required   /usr/lib/security/pam_aix
login   auth     required   /usr/lib/security/pam_verify
login   auth     optional   /usr/lib/security/pam_test use_first_pass
su      auth     sufficient /usr/lib/security/pam_aix
su      auth     required   /usr/lib/security/pam_verify
OTHER   auth     required   /usr/lib/security/pam_aix

# Account Management
OTHER   account  required   /usr/lib/security/pam_aix

# Session Management
OTHER   session  required   /usr/lib/security/pam_aix

# Password Management
OTHER   password required   /usr/lib/security/pam_aix


K>}dCD~|,G<~qD}vn#+ pam_aix M pam_verify 8(* required .s,C'Xkdk=

v\kCZO$,xRC'*O$D0=v\kXk<I&#pam_test #iDZ}vnGI!D,|DI&r

'\;a0lC'Gq\;G<#pam_test #iD use_first_pass !nJm9CT0dkD\k,x;G

a>dk;vBD\k#

su |nDKP==9Cg{ pam_aix I&K,G4O$2I&K#g{ pam_aix '\K,G4Xk(}

pam_verify =II&O$#

+ OTHER X|VCw~q{F*dCD~P;Pw7ywDNNd|~qtCK;v1!5#hC1!57

#x(D#i`MZyPivB<AYP;v#iJC#
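The outcome of a PAM stack depends on the order of the entries and on how required, sufficient and optional interact, and the chapter's explanation of the sample /etc/pam.conf is easiest to verify by stepping through it mechanically. The following is an added example, not part of the AIX documentation or of libpam.a: it parses the sample configuration above (embedded as constructed input, with one deliberately malformed line appended to show that entries with an unknown control flag are rejected), falls back to the OTHER stanza for services with no entries of their own, and evaluates an auth stack against a constructed table of per-module results, applying the standard semantics of the three control flags. Module paths and the outcome table are assumptions for the demonstration, not the result of loading real modules.

```python
"""Evaluate a PAM service stack the way the control flags in /etc/pam.conf prescribe.
Added example; PAM_CONF is the sample /etc/pam.conf from this chapter plus one bad line."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample input: the chapter's example /etc/pam.conf, plus a final
# line with an invalid control flag that PAM would log and ignore.
PAM_CONF = """\
#
# PAM configuration file /etc/pam.conf
#
login   auth     required   /usr/lib/security/pam_aix
login   auth     required   /usr/lib/security/pam_verify
login   auth     optional   /usr/lib/security/pam_test use_first_pass
su      auth     sufficient /usr/lib/security/pam_aix
su      auth     required   /usr/lib/security/pam_verify
OTHER   auth     required   /usr/lib/security/pam_aix
OTHER   account  required   /usr/lib/security/pam_aix
OTHER   session  required   /usr/lib/security/pam_aix
OTHER   password required   /usr/lib/security/pam_aix
bogus   auth     maybe      /usr/lib/security/pam_aix
"""

MODULE_TYPES = {"auth", "account", "session", "password"}
CONTROL_FLAGS = {"required", "sufficient", "optional"}


@dataclass
class Entry:
    service: str
    module_type: str
    control_flag: str
    module_path: str
    options: List[str] = field(default_factory=list)


def parse_pam_conf(text: str) -> Tuple[List[Entry], List[str]]:
    """Return valid entries and the lines PAM would reject (too few fields, bad type or flag)."""
    entries, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] not in MODULE_TYPES or fields[2] not in CONTROL_FLAGS:
            rejected.append(line)
            continue
        entries.append(Entry(fields[0], fields[1], fields[2], fields[3], fields[4:]))
    return entries, rejected


def stack_for(entries: List[Entry], service: str, module_type: str) -> List[Entry]:
    """Entries for the service; the OTHER stanza applies only when the service has none."""
    own = [e for e in entries if e.service == service and e.module_type == module_type]
    if own:
        return own
    return [e for e in entries if e.service == "OTHER" and e.module_type == module_type]


def evaluate(stack: List[Entry], results: Dict[str, bool]) -> bool:
    """Apply required / sufficient / optional semantics; a module absent from results fails."""
    required_seen = required_failed = False
    optional_seen = optional_ok = False
    for entry in stack:
        ok = results.get(entry.module_path, False)
        if entry.control_flag == "required":
            required_seen = True
            required_failed = required_failed or not ok   # keep going: every required module still runs
        elif entry.control_flag == "sufficient":
            if ok and not required_failed:                # an earlier required failure overrides it
                return True
        else:                                             # optional
            optional_seen = True
            optional_ok = optional_ok or ok
    if required_seen:
        return not required_failed
    if optional_seen:
        return optional_ok                                # optional decides only when nothing else did
    return False                                          # only failed sufficient modules, or empty stack


def authenticate(service: str, results: Dict[str, bool]) -> bool:
    """Run the auth stack of the sample configuration for one service."""
    entries, _ = parse_pam_conf(PAM_CONF)
    return evaluate(stack_for(entries, service, "auth"), results)
```

With the chapter's configuration, login needs both pam_aix and pam_verify to succeed while pam_test cannot change the outcome; su succeeds on pam_aix alone and otherwise falls through to pam_verify; a service the file never names, such as telnet, inherits the OTHER line, and an empty result table fails closed.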

mS PAM #i

*mS PAM #i,9CTB}L:

1. +#i20Z /usr/lib/security ?<P#

2. +D~yP(hC* root,"+mI(hC* 555#PAM b;0kNN;G root C'5PD#i#

3. |B /etc/pam.conf dCD~,9dZnP|,CZZ{D~q{FD#i#

4. bT\0lD~qT7#d&\#Z4PjG<bT0;*S53"z#

|D /etc/pam.conf D~

|D /etc/pam.conf dCD~1,<GTBDZ]:

v AIX ;a)1!D /etc/pam.conf D~,rKXkZ9C PAM .04(KD~#4(KD~1,+D~

yP(hC* root,"+y>mI(hC* 644#;s root C'MITT|xPV$`-,TxPZ{D

|D#

v 7(?v#i`M*9CD1!#i,;s9C OTHER X|V4h9T?v~q8(C#i#

v DAx!(D#ia)DNND5,"7('VDvXFj>M!nT0|GD'{gN#

v P8!q#iD3rMXFj>,NGQ;#iP required"sufficient T0 optional XFj>DP*#

":PAM dCD~D;}7dCa<B53^(G<#|DD~s,k\GZS53"z.0bT\0lD&

CLr#;\G<D53IT(}T,$==XB}<53"|} /etc/pam.conf dCD~4V4#

tC PAM wT

PAM b\Z4P}LPa)wTE"#tC53U/wTdvs,U/DE"ICZzY PAM-API wC"7

(10 PAM 20'\c#*tC PAM wTdv,kq-TB=h:

1. Z /etc/pam_debug 4(;vUD~#PAM bli /etc/pam_debug D~DfZ,g{R=KD~,M

tC syslog dv#

2. `- /etc/syslog.conf D~,9d|,E"DZ{6pD`&n#

3. XBt/ syslogd X$LrTcdC|D\;6p#

4. XBt/ PAM &CLr1,wTE"aU/Z /etc/syslog.conf dCD~o(eDdvD~P#

104 AIX 5L V5.2:2+8O


Z AIX PD/I PAMIT(}9C AIX I0kDO$#i PAM M pam_aix #iQ PAM /I= AIX P#b)#ia) PAM

/IDTB@"76:

v (} PAM #ia)S AIX 2+~q= PAM DCJ

v (} PAM #i(pam_aix)a)S PAM &CLr= AIX 2+~qDCJ

PAM #iI+ AIX 2+~qdCI(}9CVPD AIX I0kO$#ia9wC PAM #i#1}7hCK

/usr/lib/security/methods.cfg D~s,PAM 0k#iQ AIX 2+~q(passwd"login H)7I= PAM

b#PAM bli /etc/pam.conf D~T7(9CDv PAM #i,;sxP`&D PAM SPI wC#S PAM

5XD53d* AIX mszk,"5X=wCDLr#

PAM 0k#i20Z /usr/lib/security ?<P"RGvCZO$D#i#PAM #iXkk}]baOTNI

4OD0k#i#TBD>}T>K;)Z,ITmSb)Z= methods.cfg D~PTNIxP;D~wC

D}]bD4O PAM #i#db tTD BUILTIN X|V+Q}]b8(* UNIX D~#

PAM:
        program = /usr/lib/security/PAM

PAMfiles:
        options = auth=PAM,db=BUILTIN

;s(}9C -R !nM\m|n"(}4(C'1hC SYSTEM tT44(M^DC'#}g:

mkuser -R PAMfiles SYSTEM=PAMfiles registry=PAMfiles pamuser

KYwQx;=DwC(* AIX 2+~q(login"passwd H)T9C PAM 0k#ixPO$#1D~}

]bZ>}PCZ4O#i1,g{20Kd|}]b(Hg LDAP),r2IT9C|#g0fhvGy4

(C'a<B AIX 2+= PAM API wCDgB3d:

< 4. = PAM #i76D AIX 2+~q. Ke<T>1}7dCK PAM s,AIX 2+~qwCyICD76#T>D

PAM #i(pam_krb"pam_ldap M pam_dce)w*Z}=bv=8D>}Pv#


AIX                      PAM API
=====                    =========
authenticate        -->  pam_authenticate
chpass              -->  pam_chauthtok
passwdexpired       -->  pam_acct_mgmt
passwdrestrictions  -->  ;fZIH3d,5XI&

(F /etc/pam.conf D~Jm*KO$+ PAM API wC(r=Z{D PAM #i#*x;=E/CO$z

F,IT5VQ;#

AIX 2+~qa>D}](} pam_set_item &\+]= PAM,r*;I\]I4T PAM DC'T0#

*M PAM #i/Iy4D PAM #i&(} pam_get_item wClwyP}]"R;&T<a>C'dk

}],r*b<GI2+~q4&mD#

a)K-7lbT6qI\DdCms,b)msI\"zZ AIX 2+~q7I= PAM,;s4}4,PAM

#iT<wC AIX 2+~qT4PCYwD}LP#K-7B~Dlba<BZ{YwD"4'\#

":19CS AIX 2+~q= PAM #iD PAM /I1,;&C4 /etc/pam.conf D~T{C pam_aix#i,r*b+<Bzz-7u~#

pam_aix #ipam_aix #iGa)tC PAM D&CLrT AIX 2+~qCJD PAM #i#bG(}a)wCdyZ;

CDTH AIX ~qDSZ5VD#b)~qII0kO$#ir AIX ZC/}Vw4P,C/}GyZC'

(eM methods.cfg D~PDT&hC#Z4P AIX ~q}LPzIDNNmszk3d*`&Dmszk#

pam_aix #i20Z /usr/lib/security ?<P#pam_aix #iD{O*s+ /etc/pam.conf D~dC*9

CC#i#Q;T;GICD,+G;ZTB /etc/pam.conf D~D>}PT>:

< 5. PAM &CLr= AIX 2+S5376. Ke<T>Kg{dC /etc/pam.conf D~T{C pam_aix #i,r

PAM &CLr API wC+*q-D76#g<my>,C/IJmC'IN;I0kDO$#i(DCE"LDAP r

KRB5)rZ AIX D~P(compat)xPO$#


#
# Authentication management
#
OTHER   auth      required  /usr/lib/security/pam_aix

#
# Account management
#
OTHER   account   required  /usr/lib/security/pam_aix

#
# Session management
#
OTHER   session   required  /usr/lib/security/pam_aix

#
# Password management
#
OTHER   password  required  /usr/lib/security/pam_aix

pam_aix #i5VK pam_sm_authenticate"pam_sm_chauthok M pam_sm_acct_mgmt D SPI &\#

pam_sm_setcred"pam_sm_open_session M pam_sm_close_session SPI 2Z pam_aix #iP5V,

+Gb) SPI &\5X PAM_SUCCESS wC#

TBG PAM SPI wC= AIX 2+S53DsB3d:

PAM SPI                    AIX
=========                  =====
pam_sm_authenticate   -->  authenticate
pam_sm_chauthtok      -->  passwdexpired, chpass

":vZ PAM_CHANGE_EXPIRED_AUTHTOKj>(}1li passwdexpired#

pam_sm_acct_mgmt      -->  loginrestrictions, passwdexpired
pam_sm_setcred        -->  ;fZIH3d,5X PAM_SUCCESS
pam_sm_open_session   -->  ;fZIH3d,5X PAM_SUCCESS
pam_sm_close_session  -->  ;fZIH3d,5X PAM_SUCCESS

*+]= AIX 2+S53D}]ITZ9C#i0C pam_set_item &\4hC,r_g{C&\94fZ,

rITT}]9C pam_aix #i#


Z 8 B OpenSSH m~$_

OpenSSH m~$_'V SSH1 M SSH2 -i#C$_*S\MO$xgw?a) shell &\#OpenSSH Gy

ZM'zM~qwe5a9#OpenSSH Z AIX wzOKP sshd X$Lr"H}M'z,S#|'VCZ(

@O$MS\D+C\?M(C\?TT#$2+xg,SMyZwzDO$#PX|,*zoz3D OpenSSH

D|`E",kNDTB Web >c:

http://www.openssh.org

PX AIX O OpenSSH D|`E",kNDTB Web >c,|P AIX 5L DnB installp q=m~|:

http://oss.software.ibm.com/developerworks/projects/opensshi

>Z5wKgNZ AIX O20"dC OpenSSH#OpenSSH m~Z AIX 5.2 Bonus Pack Oa)#(}9C

openssh-3.6.1p2 6pD4zkQKf>D OpenSSH `k"b0I* installp m~|#Bonus Pack CD-ROM

iJP|,D OpenSSH LrG4 IBM zJLrmI$-i(IPLA)P^#$LrDunMu~Z(D#T

Z AIX 4.3.3,OpenSSH 2ITZI AIX Toolbox for Linux Applications CD a)D8v RPM q=m~|

PqC#

Z20 OpenSSH installp q=m~|.0,Xk20*E2+WSVc(OpenSSL)m~#OpenSSL m~|

|,S\b#AIX Toolbox for Linux Applications CD D RPM m~|Pa)K OpenSSL#C20m~||,

KVa3MQ-kD{"D~/#

1. 9CgB geninstall |n20 OpenSSL RPM m~|:

# geninstall -d/dev/cd0 R:openssl-0.9.6g

dvkTBT>`F:

SUCCESSES
---------
openssl-0.9.6g-3

2. 9C geninstall |n420 OpenSSH installp m~|,gB:

# geninstall -I"Y" -d/dev/cd0 I:openssh.base

Zi4} OpenSSH mI$-is,9C Y j>TS\CmI$-i#

dvkTBT>`F:

20**
--------------------
{F                    6p          ?V    B~     a{
-------------------------------------------------------------------------------
openssh.base.client   3.6.0.5200  USR   APPLY  SUCCESS
openssh.base.server   3.6.0.5200  USR   APPLY  SUCCESS
openssh.base.client   3.6.0.5200  ROOT  APPLY  SUCCESS
openssh.base.server   3.6.0.5200  ROOT  APPLY  SUCCESS

2IT9C SMIT install_software lY7620 OpenSSL M OpenSSH#

w*.020=hDa{,TBD OpenSSH ~xFD~2<20K:

scp `F rcp DD~4FLr

sftp `F FTP DLr,(} SSH1 M SSH2 -i$w

sftp-server SFTP ~qwS53(I sshd X$LrT/t/)

ssh `F rlogin M rsh M'zLr

© Copyright IBM Corp. 2002, 2003 109


ssh-add mS\?= ssh-agent D$_

ssh-agent ITf"(C\?Dzm

ssh-keygen \?zI$_

ssh-keyscan S;)wzPU/+2wz\?D5CLr

ssh-keysign yZwzO$D5CLr

ssh-rand-helper I OpenSSH 9CDLr,C4U/fz}#|;\Z AIX 5.1 20O9C#

sshd JmG<DX$Lr

TBD;cE"|,K OpenSSH:

v /etc/ssh ?<|, sshd X$LrM ssh M'z|nDdCD~#

v /usr/openssh ?<|,TvD~M OpenSSH *E4mI$-<D>D~#K?<9|, ssh -iM

Kerberos mI$D>#

v sshd X$Lr\ AIX SRC XF#IT"vTB|nt/"#9T0i4X$LrD4,:

startsrc -s sshd r startsrc -g ssh (i)
stopsrc -s sshd r stopsrc -g ssh
lssrc -s sshd r lssrc -s ssh

2IT"vTB|nt/M#9X$Lr:

/etc/rc.d/rc2.d/Ksshd start

r

/etc/rc.d/rc2.d/Ssshd start

/etc/rc.d/rc2.d/Ksshd stop

r

/etc/rc.d/rc2.d/Ssshd stop

v 120K OpenSSH ~qwD~/s,MP;nmS= /etc/rc.d/rc2.d ?<#P;nZ inittab PT4PK

P6p 2 }L(l2:2:wait:/etc/rc.d/rc 2),Tc sshd X$Lr+Z}<1T/t/#*@9X$L

rZ}<1t/,k>} /etc/rc.d/rc2.d/Ksshd M /etc/rc.d/rc2.d/Ssshd D~#

v OpenSSH m~QE"G<= SYSLOG P#

v IBM l$i Managing AIX Server Farms a)PXZ AIX PdC OpenSSH DE",ITZTB Web >

cPITC=:

http://www.redbooks.ibm.com

OpenSSH `kDdC

>Za)PXZ AIX PgN`k OpenSSH zkDE"#

1dC AIX 5.1 fD OpenSSH 1,dvDZ]kTB`F:

OpenSSH QdCxPTB!n:
        C'~xFD~:/usr/bin
        53~xFD~:/usr/sbin
        dCD~:/etc/ssh
        Askpass Lr:/usr/sbin/ssh-askpass
        Va3:/usr/man
        PID D~:/etc/ssh
        X(Vk chroot 76:/var/empty
        sshd 1!C'76:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
        Va3q=:man
        PAM 'V:no
        KerberosIV 'V:no
        KerberosV 'V:yes
        G\('V:no
        AFS 'V:no
        S/KEY 'V:no
        TCP |0Lr'V:no
        MD5 \k'V:no
        $DISPLAY ZM%wPD IP X7:no
        Z1!D%w19C IPv4:no
        Z v6 %wP*; v4:no
        BSD O$'V:no
        fz}44:ssh-rand-helper
        ssh-rand-helper U/;C:Command hashing (timeout 200)

        wz:powerpc-ibm-aix5.1.0.0
        `kw:cc
        `kwj>:-O -D__STR31__
        $&mwj>:-I. -I$(srcdir) -I/home/BUILD/test2debug/zlib-1.1.3/ -I/opt/freeware/src/packages/SOURCES/openssl-0.9.6g/include -I/usr/include -I/usr/include/gssapi -I/usr/include/ibm_svc -I/usr/local/include $(PATHS) -DHAVE_CONFIG_H
        4SLrj>:-L. -Lopenbsd-compat/ -L/opt/freeware/lib/ -L/usr/local/lib -L/usr/krb5/lib -blibpath:/opt/freeware/lib:/usr/lib:/lib:/usr/local/lib:/usr/krb5/lib
        b: -lz -lcrypto -lkrb5 -lk5crypto -lcom_err

/f:z}Z9CZCDfz}U/~q#kDA WARNING.RNG "kszD OS)&LZC OS DTsf>P|,yZZKDfz}/O#

1dC AIX 5.2 fD OpenSSH 1,dvDZ]kTB`F:

OpenSSH QdCxPTB!n:
        C'~xFD~:/usr/bin
        53~xFD~:/usr/sbin
        dCD~:/etc/ssh
        Askpass Lr:/usr/sbin/ssh-askpass
        Va3:/usr/man
        PID D~:/etc/ssh
        X(Vk chroot 76:/var/empty
        sshd 1!C'76:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
        *zoz3:man
        PAM 'V:no
        KerberosIV 'V:no
        KerberosV 'V:yes
        G\('V:no
        AFS 'V:no
        S/KEY 'V:no
        TCP |0Lr'V:no
        MD5 \k'V:no
        $DISPLAY ZM%wPD IP X7:no
        Z1!D%w19C IPv4:no
        Z v6 %wP*; v4:no
        BSD O$'V:no
        fz}44:OpenSSL vTZZ?

        wz:powerpc-ibm-aix5.2.0.0
        `kw:cc
        `kwj>:-O -D__STR31__
        $&mwj>:-I/opt/freeware/src/packages/BUILD/openssl-0.9.6g/include -I/usr/local/include -I/usr/local/include
        4SLrj>:-L/opt/freeware/src/packages/BUILD/openssl-0.9.6g -L/usr/local/lib -L/usr/local/lib -blibpath:/usr/lib:/lib:/usr/local/lib:/usr/local/lib
        b: -lz -lcrypto -lkrb5 -lk5crypto -lcom_err


OpenSSH M Kerberos V5 'V

Kerberos G;VO$zF,|*xgC'a)K;V2+DO$=(#|(}S\M'zM~qw.dDO$

{"4h9(}xg+MwD\k#mb,Kerberos a)K;v53CZT\mnFr>$DN=xPZ(#

*9C Kerberos 4O$C',CC'KP kinit |nSPD Kerberos ~qw,4 KDC(\?V"PD)q

Cu<>$#KDC +i$CC'"Q{Du<>$,4 TGT(Zh>%D>%)"MXx{#;sCC'I

T9C;v~q(Hg Kerberized Telnet r OpenSSH)4t/6LG<a0,x Kerberos (}S KDC q

CC'>$4O$CC'#Kerberos 4PKO$;h*NNC';%,rKC';h*dk\k4G<#IBM

f>D Kerberos F*0xgO$~q1(NAS)#NAS ITS0AIX )9| CD120#|ITZ

krb5.client.rte M krb5.server.rte m~|PqC#S OpenSSH 3.6 D 2003 j 7 B"Pf*<,OpenSSH

(} NAS V1.3 'V Kerberos 5 O$MZ(#

AIX Q4(KxP Kerberos O$D OpenSSH w*I!D=(#g{4Z53O20 Kerberos b,r1

OpenSSH KP1,+x} Kerberos O$x OpenSSH "TB;vQdCDO$=((Hg AIX O$)#

20K Kerberos s,(izHDA Kerberos D5Y%dC Kerberos ~qw#PXgN20M\m Kerberos

D|`E",kN< IBM Network Authentication Service Version 1.3 for AIX : Administrator’s and User’s Guide,

|;Z /usr/lpp/krb5/doc/html/lang/ADMINGD.htm 76#

9CxP Kerberos D OpenSSHTB=ha)KXZ*9CxP Kerberos D OpenSSH yhDu<hCDE":

1. ZzD OpenSSH M'zM~qwO,/etc/krb5.conf D~XkfZ#CD~f_ Kerberos 9CDv KDC"

x?v>%Dz|Z`$,HH#TBG;v krb5.conf >}D~:

[libdefaults]
        ticket_lifetime = 600
        default_realm = OPENSSH.AUSTIN.XYZ.COM
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
        OPENSSH.AUSTIN.XYZ.COM = {
                kdc = kerberos.austin.xyz.com:88
                kdc = kerberos-1.austin.xyz.com:88
                kdc = kerberos-2.austin.xyz.com:88
                admin_server = kerberos.austin.xyz.com:749
                default_domain = austin.xyz.com
        }

[domain_realm]
        .austin.xyz.com = OPENSSH.AUSTIN.XYZ.COM
        kdc.austin.xyz.com = OPENSSH.AUSTIN.XYZ.COM

2. ,1,zXkQTB Kerberos ~qmS=?vM'zD /etc/services D~P:

kerberos      88/udp   kdc   # Kerberos V5 KDC
kerberos      88/tcp   kdc   # Kerberos V5 KDC
kerberos-adm  749/tcp        # Kerberos 5 admin/changepw
kerberos-adm  749/udp        # Kerberos 5 admin/changepw
krb5_prop     754/tcp        # Kerberos slave
                             # propagation

3. g{zD KDC }Z9C LDAP w*"amTf"C'E",r(iDAZ 59 3DZ 4 B, :LDAP O

$0k#i; M Kerberos vfo#mb,k7#4PKTBYw:

v KDC }ZKP LDAP M'z#zITC secldapclntd |nt/ LDAP M'zX$Lr#

v LDAP ~qw}ZKP slapd LDAP ~qwX$Lr#


4. Z OpenSSH ~qwO,`- /etc/ssh/sshd_config D~T|,TBP:

KerberosAuthentication yes
KerberosTicketCleanup yes
GssapiAuthentication yes
GssapiKeyExchange yes
GssapiCleanupCreds yes

5. Z SSH ~qwO,KP startsrc -g ssh |nTt/ ssh ~qwX$Lr#

6. Z SSH M'zO,KP kinit |nTqCu<>$(TGT)#IT(}KP klist |n4i$GqSU=

K TGT#b+T>tZzDyP>$#

7. (}KP ssh username@servername |n4,S=~qw#

8. g{}7dCK Kerberos TO$C',r+;aT>*s\kDa>,RC'+T/G<= SSH ~qw#


Z 2 ?V xgMrXxD2+T

>8ODZ~?Va)XZxgMrXx2+Tk)DE"#b8BhvKgN20MdC0IP 2+T1;g

N6pX*M;X*Dxg~q;sFM`Sxg2+T0|`Z]#


Z 9 B TCP/IP 2+T

g{20K0+dXF-i/xJ-i1(TCP/IP)M0xgD~531(NFS)m~,zITTzD53x

PdC,9.(}xgxP(E#>8O;T TCP/IP y>EnxPhv,xhv TCP/IP D2+`X"bB

n#XZ TCP/IP 200u<dCDE",kN< 6AIX 5L V5.2 53\m8O:(Ekxg7 PD:+d

XF-i/xJ-i;BZ#

;\P`YmI,53\m1<I\;C;v=;(6pD2+Jb#}g,2+6pI\G+>_T=fD

B#r53I\h*CJ~.53,rx*sT;(2+6pxP(E#b)2+j<I\JCZxg"Yw

53"&Cm~,uA53\m14DLr#

>Bhv TCP/IP Tj<==Mw*2+53ya)D2+XT,"V[K;)xg73PJ1D2+"bB

n#

20K TCP/IP 0 NFS m~s,9CyZ Web D53\mwr53\mgf$_(SMIT)tcpip lY76

4dC53#

>BV[TBwb:

v :X(ZYw53D2+T;

v Z 118 3D:TCP/IP |n2+T;

v Z 120 3D:IExL;

v Z 121 3D:xgIEFcb;

v Z 123 3D:}]2+T0E"#$;

v Z 123 3D:yZC'D TCP KZCJXFMrXxKZDxPTwCJXF;

X(ZYw53D2+T

m` TCP/IP ICD2+XTGyZG)(}Yw53ICD2+XT#TB8ZTv TCP/IP D2+T#

xgCJXF

*xD2+_TGYw532+_TD)9,R|ITBw*?ViI:

v kC'G<>X53D==`,,(}C'{FM\kZ6LwzOa)C'O$#IE TCP/IP |n,}

g ftp"rexec M telnet P`,D*s,"sYw53PDIE|n;y-z`,Di$}L#

v *7#6LwzP$ZD0xJ-i1(IP)X70{F,a),SO$#b@96Lwz10Im;v6

Lwz#

v }]<kk<v2+TJm_P8(2+6pD}]wkMwv_P,yD2+TM(^6pDxgSZ

Jdw#}g,x\}]vITZhC*x\2+6DJdw.dw/#

xgsF

TCP/IP a)xgsF,9CsFS534sFZKxg}L0&CLr#sFD?DGG<G)0l532+

TDYw0Tb)YwPpNDC'#

sFTB`MB~:


ZKB~

v |DdC

v |Dwzj6

v |D7I

v ,S

v 4(WSV

v <vTs

v <kTs

&CLrB~

v CJxg

v |DdC

v |Dwzj6

v |D2,7I

v dCJ~

v ,S

v <v}]

v <k}]

v +J~4kD~

Yw53sFTsD4(0>}#&CLrsFG<]R"V4sFT\bZKD_`sF#

IE76"IE shell M2+"b|(SAK)

Yw53a)IE76T$@4Z(LrA!C'UK}]#1h*,53D2+(E76,}g|D\kr

G<531,9CK76#Yw532a)IE shell(tsh),|;4PQ-}bT"i$*2+DIELr#

TCP/IP 'VyPb)XT02+"b|(SAK),|+Zzk53.d("2+(EDX*73#?19C

TCP/IP 1,>X SAK IC#(} telnet |n,6L SAK 2IC#

>X SAK Z telnet P_PZd|Yw53&CLrP`,D&\:|ax telnet xL0yPk}ZKP

telnet DUK`XDd|xL#;x,Z telnet LrPzI9C telnet send sak |n(K1T telnet |

n==)r6L53"MTIE76Dks#z2ITC telnet set sak |n(e;v%@|t/ SAK k

s#

XZIEFcbD|`E",kNDZ 3 3D:IEFcb;#

TCP/IP |n2+T

TCP/IP PD;)|na)Yw}LPD2+73#b)|nG ftp"rexec M telnet#ftp &\a)D~+M

}LPD2+T#rexec |n*Zb?wzOKP|na)2+73#telnet &\*G<b?wza)2+T#

ftp"rexec M telnet |nvZ|GYw}LPa)2+T#2MG5,|G";("kd||n;p9CD

2+73#*K#$53xPd|Yw,9C securetcpip |n#K|n(}{CGIEX$LrM&CLr,

0a)#$ IP cxg-iD!n,a)z#$532+D\&#


ftp"rexec"securetcpip M telnet |na)TBN=D530}]2+T:

ftp ftp |na)+MD~D2+73#1C'Tb?wzwC ftp |n1,a>

C'dkG<j6#T>D1!G<j6*:C'Z>XwzD10G<j

6#a>C'dk6LwzD\k#

T/G<}LQw>XC'D $HOME/.netrc D~Tq!CZb?wzDC'

j60\k#TZ2+T,$HOME/.netrc D~DmI(XkhC* 600 (;

\IyP_A4)#qr,T/G<'\#

":r* .netrc D~D9Ch*+\kf"ZGS\D~P,153d

CK securetcpip |n1,ftp |nDT/G<&\;IC#(}+ ftp|nS /etc/security/config D~D tcpip ZP}%ITXBtCK&

\#

*9CD~+M&\, ftp |nh*=v TCP/IP ,S,;vCZ0D~+d

-i1(FTP),m;vCZ}]+d#-i,SGw*DxRG2+D,r

*|("ZI?D(EKZO#Z~,SG5J}]+dyXhD,R>X0

6Lwz<i$KK,SDm;KIkw*,S`,Dwz("D#g{w*

,SMZ~,S;GI`,wz(",ftp |nWHT>ms{",8v}],

S4O$,;sKv#Z~,SDbVi$@9Z}wz9X*MAm;wz

D}]#

rexec rexec |n*Zb?wzO4P|na)2+73#a>C'dkG<j60\

k#

T/G<&\}p rexec |nQw>XC'D $HOME/.netrc D~Tq!b

?wzODC'j60\k#TZ2+T,$HOME/.netrc D~DmI(Xkh

C* 600(;\IyP_A4)#qr,T/G<'\#

":r* .netrc D~D9Ch*+\kf"ZGS\D~P,153Z

2+4,BYw1,rexec DT/G<&\;IC#(}+ rexec nS

/etc/security/config D~PD tcpip Z}%ITXBtCK&\#

securetcpip securetcpip |ntC TCP/IP 2+&\#"vK|n1,S53P}%TG

IE|nDCJ#(}KP securetcpip |n4}%TB?;v|n:

v rlogin M rlogind

v rcp"rsh M rshd

v tftp M tftpd

v trpt

9C securetcpip |n+53Sj<2+T6p*;*|_2+T6p#53

*;s,}GX0K TCP/IP,qr;XYN"v securetcpip |n#

telnet r tn telnet(TELNET)|na)G<=b?wzD2+73#a>C'dkG<

j60\k#+C'UK4w1Skwz,SDUK#4CJUK\XZmI

;#d|C'(i0d|);PTUKDACJ(,+g{yP_xh|G4

mI(,|GMITTUK4{"#telnet |n2(} SAK a)T6L53

OIE shell DCJ#K4|3r;,ZwC>XIE76D3r,"ITZ

telnet |nP(e#

6L|n4PDCJ((/etc/hosts.equiv)

PZ /etc/hosts.equiv D~PDwzODC',^ha)\kMITZ53OKP3)|n#BmPa)PX

gN9CyZ Web D53\mw"SMIT r|nPPv"mSM}%6LwzDE"#


6L|n4PDCJ(Nq

Nq                       SMIT lY76          |nrD~                      yZ Web D53\mw \m73
Pv_P|n4PDCJ(D6Lwz    smit lshostsequiv  i4 /etc/hosts.equivD~       m~ —> xg —> TCPIP(IPv4 M IPv6) —> TCPIP -idC —> TCP/IP —> dC TCP/IP —> _6=( —> wzD~ —> /etc/hosts D~DZ]#
*|n4PDCJ(mS6Lwz      smit mkhostsequiv  `- /etc/hosts.equivD~" 1    m~ —> xg —> TCPIP(IPv4 M IPv6) —> TCPIP -idC —> TCP/IP —> dC TCP/IP —> _6=( —> wzD~#ZmS/|DwznP,jITBVN:IP X7"wz{"p{M"M#%wmS/|Dn,Y%w7(#
S|n4PDCJ(P}%6Lwz     smit rmhostsequiv  `- /etc/hosts.equivD~" 1    m~ —> xg —> TCPIP(IPv4 M IPv6) —> TCPIP -idC —> TCP/IP —> dC TCP/IP —> _6=( —> wzD~#Z /etc/host D~Z]P!qwz#%w>}n —> 7(#

":PXb)D~}LD|`E",kND AIX 5L Version 5.2 Files Reference PD0hosts.equiv File Format

for TCP/IP1#

^FD~+MLrC'(/etc/ftpusers)

/etc/ftpusers D~PPvDC'\=#$,;Jm6L FTP CJ#}g,YhC' A G<=6L53,x

R{*@53OC' B D\k#g{C' B PZ /etc/ftpusers D~P,49C' A *@C' B D\k,

C' A 2;\C FTP TC' B DJ'O+rBXD~#

Bma)PXgN9CyZ Web D53\mw"SMIT r|nPPv"mS0}%\^C'DE"#

6L FTP C'Nq

Nq             SMIT lY76        |nrD~                    yZ Web D53\mw \m73
Pv\^ FTP C'  smit lsftpusers  i4 /etc/ftpusersD~       m~ —> C' —> +?C'#
mS\^C'       smit mkftpusers  `- /etc/ftpusersD~" 1    m~ —> C' —> +?C' —> !(D —> rimSKC'#!qi,"%w7(#
}%\^C'       smit rmftpusers  `- /etc/ftpusersD~" 1    m~ —> C' —> +?C' —> !(D —> >}#

":PXb)D~}LD|`E",kND AIX 5L Version 5.2 Files Reference PD0ftpusers File Format for

TCP/IP1#

IExL

IELrrIExLGzcX(2+j<D shell E>"X$LrrLr#b)2+j<I@zz@?hC",

$,@zz@?2O$;)IELr#

IELrZ;,6pIE#2+6p|( A1"B1"B2"B3"C1"C2 M D,A1 6a)n_2+T6p#?

v2+T6pXkzc;(D*s#}g,C2 2+T6pI_e5wTBj<:

Lrj{T 7#j+4F.4PxL#

#iT +xL4zkVtI;a1S\d|#i0lrCJD#i#


nYX(-r 5wC';1TZhDnM6X(Yw#4g{C';\P(i

43)D~,G4C'2M^(bbXDdKD~#

TsXCD^F }g,@9C'bbXR=Qjv*2Gx94e}DI\|,

tPJODZfxr#

TCP/IP |,8vIEX$Lr0m`GIEX$Lr#

IEX$LrD>}gB:

v ftpd

v rexecd

v telnetd

GIEX$LrD>}gB:

v rshd

v rlogind

v tftpd

TZIE53,XkCIEFcbYw,4TZ%@wz,zwXk2+#TZxg,+?D~~qw"xX

Md|wzXk2+#

xgIEFcb

0xgIEFcb1(NTCB)I2~Mm~9I"7#xg2+T#>Z(ek TCP/IP PXD NTCB i~#

xgD2~2+XTIk TCP/IP ;p9CDxgJdwa)#b)Jdw(};SU?DX*>X53D}

]MyP53<ISUDc%}]4XFxkD}]#

NTCB Dm~i~vIG)QO*IEDLr9I#w*2+53D;?VDLr0`XD~yZ?<=?<

ZBmPPv#

/etc ?<

{F            yP_   i       ==    mI(

gated.conf    root  system  0664  rw-rw-r--
gateways      root  system  0664  rw-rw-r--
hosts         root  system  0664  rw-rw-r--
hosts.equiv   root  system  0664  rw-rw-r--
inetd.conf    root  system  0644  rw-r--r--
named.conf    root  system  0644  rw-r--r--
named.data    root  system  0664  rw-rw-r--
networks      root  system  0664  rw-rw-r--
protocols     root  system  0644  rw-r--r--
rc.tcpip      root  system  0774  rwxrwxr--
resolv.conf   root  system  0644  rw-rw-r--
services      root  system  0644  rw-r--r--
3270.keys     root  system  0664  rw-rw-r--
3270keys.rt   root  system  0664  rw-rw-r--

/usr/bin ?<

{F        yP_   i       ==    mI(

host      root  system  4555  r-sr-xr-x
hostid    bin   bin     0555  r-xr-xr-x
hostname  bin   bin     0555  r-xr-xr-x
finger    root  system  0755  rwxr-xr-x
ftp       root  system  4555  r-sr-xr-x
netstat   root  bin     4555  r-sr-xr-x
rexec     root  bin     4555  r-sr-xr-x
ruptime   root  system  4555  r-sr-xr-x
rwho      root  system  4555  r-sr-xr-x
talk      bin   bin     0555  r-xr-xr-x
telnet    root  system  4555  r-sr-xr-x

/usr/sbin ?<

{F           yP_   i       ==    mI(

arp          root  system  4555  r-sr-xr-x
fingerd      root  system  0554  r-xr-xr--
ftpd         root  system  4554  r-sr-xr--
gated        root  system  4554  r-sr-xr--
ifconfig     bin   bin     0555  r-xr-xr-x
inetd        root  system  4554  r-sr-xr--
named        root  system  4554  r-sr-xr--
ping         root  system  4555  r-sr-xr-x
rexecd       root  system  4554  r-sr-xr--
route        root  system  4554  r-sr-xr--
routed       root  system  0554  r-xr-xr--
rwhod        root  system  4554  r-sr-xr--
securetcpip  root  system  0554  r-xr-xr--
setclock     root  system  4555  r-sr-xr-x
syslogd      root  system  0554  r-xr-xr--
talkd        root  system  4554  r-sr-xr--
telnetd      root  system  4554  r-sr-xr--

/usr/ucb ?<

{F   yP_   i       ==    mI(

tn   root  system  4555  r-sr-xr-x

/var/spool/rwho ?<

{F         yP_   i       ==    mI(

rwho(?<)  root  system  0755  drwxr-xr-x

}]2+T0E"#$

TCP/IP D2+&\";PS\(}xg+MDC'}]#rK,(iC'6p(EPNNI\<B\k0d|

tPE"96DgU,"yZCgU&C`&DT_#

Z0z@?1(DOD)73P9C TCP/IP 2+&\I\h*qXXZ(E2+TD DOD 5200.5 M

NCSD-11#

yZC'D TCP KZCJXFMrXxKZDxPTwCJXF

0rXxKZ(DACinet)DTwCJXF1G3VyZC'DCJXFDXw,CCJXF&CZ AIX 5.2 w

z.d(ED TCP KZ#AIX 5.2 IT9C=SD TCP 7+M53.dDC'0iE"#DACinet XTJ

m?j53OD\m1XFyZ?jKZ"<"C'j60wzDCJ#

mb,DACinet XTJm\m1^F>XKZ;\I root C'9C#s AIX byD UNIX 53+ 1024 T

BDKZS*;\I root C'r*DX(KZ#AIX 5.2 Jmz8( 1024 TO;\I root C'r*D=S

KZ,rK@9C'Zl*DKZOKP~qw#

ShCx(,G DACinet 53I\ITr^(,SA DACinet 53#DACinet XTDu<4,\xCJ#;

)tCK DACinet,M^({C DACinet#

dacinet |nS\;8(*wz{"cV.xFwzX7rsfzPxg0:$HDxgX7DX7#

TB>}8(;v%;wz,Q*|D+^(wz{* host.domain.org:

host.domain.org

TB>}8(;v%;wz,Q*|D IP X7* 10.0.0.1:

10.0.0.1

TB>}8(_P 10.0.0.0 5D0 24 ;(xg0:$H)D{vxg:

10.0.0.0/24

Kxg|( 10.0.0.1 k 10.0.0.254 .dDyP IP X7#

yZ TCP D~qDCJXF

DACinet 9C /etc/rc.dacinet t/D~,R9CDdCD~G /etc/security/priv"/etc/security/services M

/etc/security/acl#

PZ /etc/security/services DKZS*bZ ACL li#KD~_Pk /etc/services `,Dq=#Tdx

Pu</nrcD==MG+D~S /etc 4F= /etc/security,;s>}yP&C&C ACL DKZ#ACL

f"Z=vX=#10n/D ACL f"ZZK,xRIT(}KP dacinet aclls 4A!#+ZB;N53

}<1(} /etc/rc.tcpip 4XB$nD ACL f"Z /etc/security/acl P#9CTBq=:

service host/prefix-length [user|group]


boIC}Vr /etc/services PyPD==8(~q,ICwz{r_PSxZkf6DxgX7xvw

z,xRC u: r g: 0:8(C'ri#1;P8(C'ri1,G4 ACL ;<G"Mwz#x~qSO

0: - +T=X{CCJ#y]Z;v%d@@ ACL#rxzIT*;iC'8(CJ,+2IT(}+i

P3C'DfrCZifr.04T=X\xKC'#

/etc/services D~|,=vn,|G_P AIX 5.2 P;'VDKZE5#53\m1XkZ4P mkCCadmin|n0}%D~PDb=P#S /etc/services D~P}%TBP:

sco_printer  70000/tcp  sco_spooler    # For System V print IPC
sco_s5_port  70001/tcp  lpNet_s5_port  # For future use

DACinet 9C>}

}g,9C DACinet +KZ TCP/25 Dk>CJ^(Z;_P DACinet XTD root C'1, G4;Pd|

AIX 5.2 wzD root C'\CJKKZ,rK,^FK#fC'v(}6LG<=CwzDKZ TCP/25 M

\[-gSJ~DI\T#TB>}T>gN*;\CJD root C'dC X -i(X11)#7#+

/etc/security/services PD X11 nQ}%,T9 ACL &CZK~q#

Y(;vyP,S53D 10.1.1.0/24 Sx,+CJ^(Z root C'(vT /etc/security/acl PD X

(TCP/6000))D ACL ngB:

6000 10.1.1.0/24 u:root

^F friends iPC'D Telnet ~q1,;\|G4TDv53,S /etc/security/services }% telnet n

s,9CTB ACL n:

telnet 0.0.0.0/0 g:friends

{9C' fred CJ Web ~qw,+Jmd{KCJ:

-80 0.0.0.0/0 u:fred
80 0.0.0.0/0

KP>X~qDX(KZ(#NNC'ITr* 1024 TODNNKZ#}g,C'IZKZ 8080 EC#CZKP Web zmD~q

w,r(#Z 1080 ;CEC SOCKS ~qw#*@9#fC'Z8(KZKP~qw,I+b)KZ8(*

_PX(#dacinet setpriv |nITCZr}ZKPD53mSX(KZ#53t/1,8(*_PX(DK

ZXkPZ /etc/security/priv P#

C /etc/services P(eD{E{Fr(}8(KZE+KZPZKD~P#TBn+{9G root C'Z(#

DKZKP SOCKS ~qwr Lotus Notes ~qw#

1080
lotusnote

":K&\;\@9C'KPLr#|;\@9C'Zl*DKZKP~q,xb)KZ(#}h*b)~

q#

XZ dacinet |nD|`E",kND 6AIX 5L V5.2 |nN<s+7#


Z 10 B xg~q

>Ba)PX6pM#$r*(EKZDxg~qDE"

6pr*(EKZDxg~q

M'z~qw&CLrZ~qwOr*(EKZ,Jm&CLrl}SU=DM'zks#r*r*DKZW

\1ZD2+%w,yT*6pr*KZDb)&CLr"XUG);PX*r*DKZ#bV0_\PC,

r*|9z*@2453TSrXxOCJDK45GICD#

*7(r*DKZ,k4PTBYw:

1. 9CgBD netstat |n46p~q:

# netstat -af inet

BfGC|ndvD}S#netstat |ndvDns;Pm>?V~qD4,#H}xk,S4,D~q&

Z LISTEN 4,#

n/DrXx,S(|(~qw)

Proto Recv-Q Send-Q >XX7 b?X7 (4,)

tcp4 0 0 *.echo *.* LISTEN

tcp4 0 0 *.discard *.* LISTEN

tcp4 0 0 *.daytime *.* LISTEN

tcp 0 0 *.chargen *.* LISTEN

tcp 0 0 *.ftp *.* LISTEN

tcp4 0 0 *.telnet *.* LISTEN

tcp4 0 0 *.smtp *.* LISTEN

tcp4 0 0 *.time *.* LISTEN

tcp4 0 0 *.www *.* LISTEN

tcp4 0 0 *.sunrpc *.* LISTEN

tcp 0 0 *.smux *.* LISTEN

tcp 0 0 *.exec *.* LISTEN

tcp 0 0 *.login *.* LISTEN

tcp4 0 0 *.shell *.* LISTEN

tcp4 0 0 *.klogin *.* LISTEN

tcp4 0 0 *.kshell *.* LISTEN

udp4 0 0 *.echo *.*

udp4 0 0 *.discard *.*

udp4 0 0 *.daytime *.*

udp4 0 0 *.chargen *.*

udp4 0 0 *.time *.*


n/DrXx,S(|(~qw)

Proto Recv-Q Send-Q >XX7 b?X7 (4,)

udp4 0 0 *.bootpc *.*

udp4 0 0 *.sunrpc *.*

udp4 0 0 255.255.255.255.ntp *.*

udp4 0 0 1.23.123.234.ntp *.*

udp4 0 0 localhost.domain.ntp *.*

udp4 0 0 name.domain..ntp *.*

....................................

2. r* /etc/services D~rXxEkVd\mV(IANA)~qSxZYw53P+~q3d=QKZE#

BfG /etc/services D~Dy>,N:

tcpmux 1/tcp # TCP Port Service Multiplexer

tcpmux 1/udp # TCP Port Service Multiplexer

Compressnet 2/tcp # Management Utility

Compressnet 2/udp # Management Utility

Compressnet 3/tcp # Compression Process

Compressnet 3/udp # Compression Process

Echo 7/tcp

Echo 7/udp

discard 9/tcp sink null

discard 9/udp sink null

..............

rfe 5002/tcp # Radio Free Ethernet

rfe 5002/udp # Radio Free Ethernet

rmonitor_secure 5145/tcp

rmonitor_secure 5145/udp

pad12sim 5236/tcp

pad12sim 5236/udp

sub-process 6111/tcp # HP SoftBench Sub-Process Cntl.

sub-process 6111/udp # HP SoftBench Sub-Process Cntl.

xdsxdm 6558/udp

xdsxdm 6558/tcp

afs3-fileserver 7000/tcp # File Server Itself

afs3-fileserver 7000/udp # File Server Itself

afs3-callback 7001/tcp # Callbacks to Cache Managers


afs3-callback 7001/udp # Callbacks to Cache Managers

3. (}}%}ZKPD~q4XU;X*DKZ#

6p TCP M UDP WSV

6p&Z LISTEN 4,D TCP WSVMH}}]=oDUP UDP WSV#9C lsof |n,|G netstat -af |nDde#Z AIX 5.1 *<,lsof |n|,Z AIX Toolbox for Linux Applications CD P#

}g,*T>&Z LISTEN 4,D TCP WSVMH}}]=oDUP UDP WSV,kgBKP lsof |n:

# lsof -i | egrep "COMMAND|LISTEN|UDP"

dva{kTB`F:

Command PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

dtlogin 2122 root 5u IPv4 0x70053c00 0t0 UDP *:xdmcp

dtlogin 2122 root 6u IPv4 0x70054adc 0t0 TCP *:32768(LISTEN)

syslogd 2730 root 4u IPv4 0x70053600 0t0 UDP *:syslog

X 2880 root 6u IPv4 0x70054adc 0t0 TCP *:32768(LISTEN)

X 2880 root 8u IPv4 0x700546dc 0t0 TCP *:6000(LISTEN)

dtlogin 3882 root 6u IPv4 0x70054adc 0t0 TCP *:32768(LISTEN)

glbd 4154 root 4u IPv4 0x7003f300 0t0 UDP *:32803

glbd 4154 root 9u IPv4 0x7003f700 0t0 UDP *:32805

dtgreet 4656 root 6u IPv4 0x70054adc 0t0 TCP *:32768(LISTEN)

..........

Z7(xLj6s,zITKPTB|nq!PX&CLrD|`E":

# ps -fp PID

dv|,|n{FD76,zITC|4CJCLrD*zoz3#


Z 11 B xJ-i(IP)2+T

IP 2+T(}Z IP cD2+}]w?4tCrXxM+>xgZD2+(E#|JmvpDC'ri/TZ

yP&CLr#$w?,x;XT&CLrxPNN^D#rK,IT2+D+MNN}],}ggSJ~r

X(&CLrD+>}]#

>BV[TBwb:

v :IP 2+TEv;

v Z 134 3D:20 IP 2+T&\;

v Z 135 3D:f. IP 2+TdC;

v Z 142 3D:dCrXx\?;;(Db0;

v Z 148 3D:&m}V$iM\?\mw;

v Z 158 3D:dCK$(Db0;

v Z 160 3D:hC}Kw;

v Z 166 3D:G<h8;

v Z 170 3D:IP 2+TJb7(;

v Z 179 3D:IP 2+TN<;

IP 2+TEv

>ZV[TBwb:

v IP 2+TMYw53

v IP 2+&\

v 2+TX*

v m@M\?\m

v >X}Kw\&

v }V$i'V

v ib(CxDC&

IP 2+TYw53

Yw539C IP 2+(IPsec)<u,C<uG;*ED"j<D2+<u,GIrXx$LNqi/(IETF)

*"D#IPsec TZ(EQ;Z IP cDyP}]a)yZ\k53D#$#;h*|DVPD&CLr#IPsec

G IETF * IP V4 M V6 73!qD$5j<xg2+r\#

IPsec 9CTB\k<u#$zD}](E:

O$ v(*i$DvwzrKcDm]DxL

j{Tli

7#Zg=xg+d1;P^D}]DxL

S\ 7#ZxgO+dD0~X1}]M=P IP X7#\TDxL


O$c($5"M=Dj6M}]j{T,(}9C\k"P/}4&m9C\?zz(;**D}]E"|

(|,L(D IP (7VN)#ZSU=,C`,D/}M\?&m}]#g{NN;=|DK}],r_"M

=\?^',rOzC}](#

S\9C;v\kc(^D"9}]fz/,C}L9CX(c(M\?zzF*S\D>DS\}]#S\

9}]Z+d1^(Fb#ZSU=S\}].s,9C`,c(M\?(TFDS\c()XBqCC}

]#S\Xh,O$,1"z4i$S\}]D}]j{T#

b)y>~qGZ IPsec P4PD,C4P}L9Cb02+TP':X(ESP)MO$jb(AH)#ESP (

}S\-<D IP E"|"9( ESP (7"+-kD>Ek ESP P':X4a)z\T#

g{z\T;PJb,IT%@9C AH 4xPO$M;BTli#9C AH,IP (7M}]D2,VNP;

vJCZFc|X**D"Pc(#SU=9C|D\?Fc"HO**T7#E"|;PDdT0"M=G

QO$m]#

IP 2+&\

CYw53D IP 2+&\a)TB&\:

v 10/100 Mbps T+x PCI Jdw II D2~SY#

v AH 'V9C RFC 2402,ESP 'V9C RFC 2406#

v 0$i7zPm1'V9C HTTP r_ LDAP ~qwlw#

v m@DT/\?"B9C IETF rXx\?;;(IKE)-i#

v Z\?-LZd IKE -i'V X.509 }V$iM$2m\?#

v V$m@ITdC*a),d|53D%YwT,Cd|53;'VT/ IKE \?"B=(,CZ IP V6

m@#

v wzrxXm@Dm@==M+d==#

v HMAC("P{"O$zk)"MD5({"** 5)M HMAC SHA(2+"Pc()O$c(#

v S\c(|, 56 ;}]S\j<(DES)xP64 ;u<r?(VI)D\kVi4S(CBC),}X

DES,DES CBC 4(32 ;IV)#

v + IP Q;'V(IP V4 M IP V6)#

v ITb0M}K IP V4 M IP V6 Dw?#r* IP Q;GVkD,?vQ;D0IP 2+T1/}IT@

"dC#

v IKE m@ITC Linux dCD~(AIX 5.1 Msxf>)44(#

v (}`V IP Xw,Hg4M?j IP X7"SZ"-i"KZEH,}K2+M;2+Dw?#

v T/4(M>}`}m@`MD}Kfr#

v 1(em@M}Kfr1CZ?DX7Dwz{D9C#wz{T/X*;I IP X7(;* DNS IC)#

v +0IP 2+T1B~G<= syslog#

v 9C53zYM3F'4xPJb7(#

v C'(eD1!YwJmC'8(GqJmk(eDm@;%dDw?#

rXx\?;;(IKE)Xw

rXx\?;;(S AIX 4.3.2 *<)ICTB&\:

v P$2mD\?M X.509 }V){DO$#

v 9CDw*==(m]#$==)Mx%==#


v 'V Diffie Hellman 1"2 M 5 i#

v ESP S\'V}]S\j<(DES)"}X DES"Null S\;ESP O$'V HMAC MD5 M HMAC SHA1#

v AH 'V HMAC MD5 M HMAC SHA1#

v 'V IP V4 M V6#

2+TX*

2+(Ey9(D9(#iF*2+TX*DEn#2+TX*9;v2+N}DX(hCX*=;vw?`

M#(}0IP 2+T1#$D}],?v=r"?v(7`M"AH r ESP <fZ;vVkD2+TX*#

Z2+TX*P|,DE"|((Ew=D IP X7";vFw2+TN}w}(SPI)D(;j6{"*O$

rS\!(Dc("O$MS\\?M\?z|Z#TB}VT>KZwz A Mwz B .dD2+TX*#

\?\mD?jG-LMFc#$ IP w?D2+TX*#

m@M\?\m

*Z=vwzd202+(E,Z9Cm@ZdXk-LM\m2+TX*#TBG'VDm@`M,?v`

M9C;v;,D\?\m<u:

v IKE m@(/,|D\?,IETF j<)

v V$m@(2,"VC\?,IETF j<)

IKE m@'V

IKE m@GyZ IETF *"D ISAKMP/Oakley(rXx2+TX*M\?\m-i)j<#9CK-i,-L

M"B2+TN},"2+X;;\?#TBO$`M'V:$2m\?M X.509v3 }V$i){#

-L9C;v=WN=8#Z;WNO$(EDw=,"*Z~WND2+(E8(9CDc(#ZZ~WN

Zd,-L}]+d}L+9CD0IP 2+T1N},"4(M;;2+TX*M\?#

< 6. Zwz A M B .d2+m@D(". >e<T>KPZwz A Mwz B dDibm@#2+TX* A GS A8r B D}7#2+TX* B GSwz B 8rwz A D}7#;v2+TX*I?jX7"SPI"\?"S\wc(

Mq="O$c(0\?z|Z9I#

Z 11 B xJ-i(IP)2+T 131


TBmT>DO$c(ITCZ9 AH M ESP 2+-i'V IKE m@#

c(               AH IP V4 & 6    ESP IP V4 & 6

HMAC MD5         X               X

HMAC SHA1        X               X

DES CBC 8                        X

}X DES CBC                       X

ESP Null                         X

V$m@'V

V$m@a)rsf]T,|Gk;'V IKE \?\m-iDzw%Yw#V$m@D1cG\?5G2,

D#S\MO$\?TZm@Dz|\ZG`,D,xRXhV$|B#

TBmT>DO$c(ITCZ9 AH M ESP 2+-i'VV$m@#

c(               AH IP V4    AH IP V6    ESP IP V4    ESP IP V6

HMAC MD5         X           X           X            X

HMAC SHA1        X           X           X            X

}X DES CBC                               X            X

DES CBC 8                                X            X

DES CBC 4                                X            X

r* IKE m@a)|P'D2+T,IKE GW!D\?\m=(#

>z}K\&

}KG;vy>&\,yZ|DwVXw+kM"MITS\r\xDE"|#bJmC'r53\m1dC

wz4XFCwzMd|wz.dDw?#}KGZwVE"|tTOjID,}g4M?jX7"IP f>(4

r_ 6)"SxZk"-i"KZ"7IXw"Vb,N"SZMm@(e#

F*}KfrDfrCZX*3V_PXbm@Dw?#ZV$m@Dy>dCP,1C'(eKwz=wz

Dm@1,}KfrT/zI8<SCwz4DyPw?(}2+m@#g{Z{|`X(`Mw?(}gS

x=Sx),IT`-rf;}Kfr4JmT9CXbm@Dw?xP+7XF#

TZ IKE m@,;)$nm@,}Kfr2+T/zI"ek=}KmP#

`FX,1^DKr>}Km@,rT/>}Cm@D}Kfr,b+r/0IP 2+T1dC"uYK*ms#

m@(eIT9C<kM<v5CLrZzwM@p=d+%M2m,bTZs?zwD\mGP\ozD#

}KfrX*m@DXb`MDw?,+}KD}]4Xh*Zm@P+M#}KfrDbv=fCYw53

*;)Ka)y>D@p=&\,b)Kk^FS;Pf}D@p=#$DZ?xrb?xgOy5Z{Gz

wDw?#Z>=8P,}KfrZ;izwba)Z~c#$AO#

ZzI}Kfrs,|G;f"Z;vmP,"0kZK#1<8Sxg"MrSUE"|,ZPmPS7=

2li}KfrT7(E"|GqmI"\xr(}m@"M#fr<r,E"|XwHO,1=R=%dr

o=1!fr#


0IP 2+T1&\,y5VG2+E"|}K,C}KGyZ!|D"C'(ej<D}K,bJmZ;h*

O$r0IP 2+T1DS\tTDxgMzwdXFw?#

}V$i'V

0IP 2+T1'V9C X.509 V3 }V$i#0\?\mw1$_\m$ijk,,$\?}]b,"xPd

|D\m&\#

}V$ihvZ}V$idCP#0\?\mw1M|D&\hvZ9C IBM \?\mw$_P#

ib(CxM IP 2+T

;vib(Cx(VPN),(}grXx;yD+Cxg2+X)9;v(CZ?x#VPN (}>JOGZr

XxOD(Cm@,Z6LC'"V+>MLqoi/)&L.dy5+]E"#+>IT!q(}rXx~

q)&L(ISP)DrXxCJ,9C1S_7r>Xg0Ek,E}|sDbC_7"$`ktPMbQg

0Ek#VPN bv=8IT9C IPsec 2+Tj<,r* IPsec G IETF !qD$5j<xg2+r\,J

CZ IP V4 M 6 D73,;h*DdVPD&CLr#

TZ AIX Pf.M5V VPN D(iJ4G A Comprehensive Guide to Virtual Private Networks, Volume III:

Cross-Platform Key and Policy Management DZ 9 B,ISBN SG24-5309-00#C8O2ITZrXxDr,

xPC= http://www.redbooks.ibm.com/redbooks/SG245309.html#


20 IP 2+T&\

AIX PD IP 2+T&\G@"20"RIXkD#h*20DD~/gB:

v bos.net.ipsec.rte(CZZK IP 2+T73M|nDKP173)

v bos.msg.LANG.net.ipsec(dP LANG GkZ{DoT,}g en_US)

v bos.net.ipsec.keymgt

v bos.net.ipsec.websm

v bos.crypto-priv(DES M}X DES S\DD~/O)

bos.crypto-priv D~/;Z0)9|1P#TZ IKE }V){'V,zXk220 gskit.rte D~/(AIX

V4)r_0)9|1PD gskkm.rte(AIX 5.1)#

*Z yZ Web D53\mw P'V IP 2+,Xk20 Java131.ext.xml4j D~/,6p 1.3.1.1 rsx

f>#

20s,TZ IP V4 M IP V6,IT@"0k IP 2+T,9C:0k IP 2+T;Pa)DFv}Lr_9

C mkdev |n#

0k IP 2+T

":0k IP 2+TtC}K&\#0k.0,7#4(K}7D}KwfrG\X*D#qr,yPb

g(EI\<\h{#

Zt/ IP 2+T1,9C SMIT r_yZ Web D53\mwT/X0k IP 2+T#i#,yD,SMIT M

yZ Web D53\mw7#4U}7D3r0kZK)9M IKE X$Lr#

g{0kI&jI,lsdev |n+T> IP 2+Th8*Available#

lsdev -C -c ipsec

ipsec_v4 Available IP Version 4 Security Extension

ipsec_v6 Available IP Version 6 Security Extension

0kK IP 2+TZK)9.s,<8dC(Db0M}Kw#


f. IP 2+TdC

*dC0IP 2+T1,XkdCm@M}Kw#1(e+?w?9Cr%m@1,ITT/XzI}Kfr#

g{Z{|4SD}K,ITvpXdC}Kfr#

dC0IP 2+T1,9CyZ Web D53\mwxge~"ib(Cxe~r53\mSZ$_(SMIT)#

g{9C SMIT,ICTBlY76:

smit ips4_basic    IP V4 Dy>dC

smit ips6_basic    IP V6 Dy>dC

ZdC>c0IP 2+T1.0,Xkv(bZC24=(;}g,Gq|k9Cm@r}Kw(r=v<9

C),D;V`MDm@n{Oh*HH#TB?Va)KZvvb)v(.0XkmbDE":

v 2~SY

v m@k}Kw

v m@M2+TX*

v !qm@`M

v x DHCP r/,VdX79C IKE

2~SY

10/100 Mbps T+x PCI Jdw II(&\zk 4962)a)yZj<D0IP 2+T1,T0hF*S AIX Y

w53P6X0IP 2+T1&\#1 AIX 53PP 10/100 Mbps T+x PCI Jdw II,0IP 2+T1Q

;9CJdwDTB\&:

v 9C DES r}X DES c(S\Mb\

v 9C MD5 r SHA-1 c(xPO$

v f"2+TX*E"#

9CJdwOD&\x;Gm~c(#10/100 Mbps T+x PCI Jdw II 2ICZV$M IKE m@#

0IP 2+T12~SY&\Z bos.net.ipsec.rte M devices.pci.1410ff01.rte D~/D 5.1.0.25 r|B6

pPIC#

TZ2+TX*D}?P;v^F,byIT6X=SU=(k>w?)DxgJdwO#Z"M=(v>w

?),yP9C'VdCDE"|6X=JdwO#3vm@dC;\6X=JdwO#

10/100 Mbps T+xJdw II 'VTBZ]:

v (} ESP S\ DES"3DES r NULL

v (} ESP r AH O$ HMAC-MD5 r HMAC-SHA-1,+;\,1#(g{ ESP M AH ,19C,ESP

XkWH4P#bTZ IKE m@<UG}7D,+C'IT!qV$m@D)%#)

v +dMm@==

v 6X IPV4 E"|

":10/100 Mbps T+x PCI Jdw II ;\C IP !n&mE"|#

**0IP 2+T1tC 10/100 Mbps T+x PCI Jdw,XkpkxgSZ,;stC0IPsec 6X1&\#


*pkxgSZ,k9C SMIT SZ4PTBYw:

1. w* root C'G<#

2. Z|nPPdk smitty inet "4 Enter |#

3. !q}%xgSZ!n"4 Enter |#

4. !qk 10/100 Mbps T+x PCI Jdw II `T&DxgSZ"4 Enter |#

*tC0IPsec 6X1&\,kC SMIT SZ4PTBYw:

1. w* root C'G<#

2. Z|nPPdk smitty eadap "4 Enter |#

3. !q|D/T>T+xJdwDXw!n"4 Enter |#

4. !q 10/100 Mbps T+x PCI Jdw II "4 Enter |#

5. |D IPsec 6XVN*G"4 Enter |#

*pkxgSZ,kZ|nPPdkTBZ]:

# ifconfig enX detach

*tC IPsec 6XtT,kZ|nPPdkTBZ]:

# chdev -l entX -a ipsec_offload=yes

*i$ IPsec 6XtTQtC,kZ|nPPdkTBZ]:

# lsattr -El entX

*{C IPsec 6XtT,kZ|nPPdkTBZ]:

# chdev -l entX -a ipsec_offload=no

9C enstat |n47#m@dC}Z9C IPsec 6XtT#1 IPsec 6XXwtC1,enstat |nT>K

"MMSUD IPsec E"|D+?D3FE"#}g,g{T+xSZG ent1,kdkTBZ]:

# entstat -d ent1

dvkTBZ]`F:

.

.

.

10/100 Mbps T+x PCI Jdw II (1410ff01) j!3F:

--------------------------------------------

...

"M IPsec E"|: 3

>}D"M IPsec E"|: 0

SU IPsec E"|: 2

>}DSU IPsec E"|: 0

m@k}Kw

0IP 2+T1D=v;,D?VGm@M}Kw#m@h*}Kw,+}Kw;h*m@#

v }KG;V&\,|ITyZF*frD`VXw4S\r\xSUM"MDE"|#bv&\Jm53

\m1dCwz4XFCwzkd|wz.dDw?#}KGyZ`VE"|tTjID,}g4X7M

?jX7,IP f>(4 r 6)"SxZk"-i"KZ"7IXw"Vb,N"SZMm@(e#C}KG

Z IP cjID,yT^k|D&CLr#


v m@(eK=vwzdD2+TX*#C2+TX*f0X(D2+N},CN}Im@DKc2m#

TBe<T>KE"|GgNSxgJdw= IP Q;PD#SGowC}Kw#iT7(GqJmr\xCE

"|#g{8(Km@j6,E"|aliVPDm@(e#g{Sm@PI&bb,r+E"|+]=Oc

-i#C&\Z"ME"|D9r1"z#m@@5Z}Kfr4+E"|kX(DE"|X*,+G}K&

\ITZ;+E"|"M=m@DivB"z#

m@M2+TX*

;\Z241rh*,m@<Xk+}]O$}rO$}"S\}#m@(}8(=vwz.dD2+TX*

4(e#2+TX*(eK;)*S\"O$c(Mm@XwDN}#TBe<T>Kwz A Mwz B .d

Dibm@#

< 7. xgE"|7I. Ce<T>KxgE"|ICD7I#Sxgk>,E"|xkxgJdw#SGo,|=o IPQ;,ZQ;PY"M=}Kw#i#S}Kw#i,r_+E"|"M=m@(e,r_+d5X= IP Q;,ZQ;

P+d*"=Oc-i#

< 8. Zwz A Mwz B .d("2+m@. Ce<T>KZwz A Mwz B .dKPDibm@#2+TX* A D

}7=rGSwz A =wz B#2+TX* B D}7=rGSwz B =wz A#A 2+TX*I?DX7"

SPI"KEY"Crypto c(Mq="O$c(T0\?z|ZiI#


2+TN}w}(SPI)M?DX76p;v(;D2+TX*#*K(;8(m@,b)N}GXhD#d

|N},}g\kc("O$c("\?Mz|Z,IT8(r9C1!5#

m@"bBn

IKE m@kV$m@;,,r*2+T_TDdCG;vk(em@KcVkD}L#Z IKE P,P;v==

D-L}L#?;=D-L}LPv;vWN,?;WNITP;,D2+T_T#

1t/rXx\?-L,|Xk*-LhC;v2+E@#bF*\?\mWNrWN 1#ZCWNZd,?

;=9C$2m\?r}V$i4O$d|="+]j6E"#CWN20K2+TX*,ZCX*Zd+=

7(|GgNf.2+D(ET0ZZ~WNZd,CDv#$4xP(E#CWNDa{G IKE rWN 1 m

@#

Z~WNF*}]\mWNrWN 2,|9C IKE m@44( AH M ESP 5J#$w?D2+TX*#Z

~WN9*7(0IP 2+T1m@+*9CD}]#}g,|IT8(TBZ]:

v SxZk

v X76'

v -iMKZEiO

Z\`ivB,\?\m(IKE)m@DKc+k}]\m(0IP 2+T1)m@DKc`,#IKE m@Kc

G4P-LDzwDj6#0IP 2+T1m@KchvK+*9C0IP 2+T1m@Dw?D`M#TZr%

Dwz=wzDm@,[email protected]+?w?C`,Dm@#$,WN 1 MWN 2 Dm@KcG`,D#

1-L+=G=vxX,IKE m@KcG=vxX,0IP 2+T1m@KcGzwrSx(ZxX.s)rm

@C'DX76'(ZxX.s)#

< 9. IKE m@hC}L. Ce<T>KhC IKE m@D==h"=WN}L#


\?\mN}M_T

WN 1(\?\mWN)CTBN}4hC IKE m@dC#

\?\m

(WN 1)m@

IKE m@D{F#TZ?vm@,Xk8(-LDKc#P=vF.4"MMi

$ IKE E"Dzw#m@D{FI\hvKm@Kc,}g VPN Boston r VPN

Acme#

wz6p`M +CZ IKE ;;Dj6`M#*K7#4P}7D\?i/,j6`MM5X

kk$2m\?D5`%d#g{C%;j6Qw$2m\?D5,rwzj

6G\?Dj6,d`MG KEY_ID#g{%;wzP`Z;v$2m\?5,

r KEY_ID `MM\PCK#

wzj6 wzj6D5m>*;v IP X7";v+^(r{(FQDN)r;vZ+^(

r{PDC'(user@FQDN)#}g,[email protected]#

IP X7 6LwzD IP X7#1wzj6`MG KEY_ID r^[241rwzj6`

M;\IIP X7bv1,bv5GXhD#}g,g{C'{;\(}>X{

F~qwbv,rXkdk6L=D IP X7#

;\(}8(G)Z IKE -LZd9C}DN}(F\?\m_T#}g,P*$2m\?r){==O$D

\?\m_T#TZWN 1,C'Xk7(3v\?\m2+TtT,CCtT44P;;#

}]\mN}M_T

}]\m(iN}Z IKE m@dCDWN 2 ZdhC#ZV$m@P9C1,|GG`,D0IP 2+T1N

},"hvKCZZm@P#$}]w?D#$`M#ITZ,;vWN 1 m@Bt/`Z;vWN 2 m@#

TBDKcj6`MhvKG)9C0IP 2+T1}]m@D}]`M:

wz"Sxr6' hvZm@Pw(D}]w?ITGtZ;vX(Dwz"SxrX76'#

wz/Sxj6 |,(}Cm@+]w?D>XM6L53wzrSxD6p#7(ZWN 2 -

L"MDj6Mg{-LI&+9(D}Kfr#

SxZk hvSxZD+? IP X7(}g,wz 9.53.250.96 MZk 255.255.255.0)

p< IP X76' *X76'a)p< IP X7,|G+9Cm@(}g,9.53.250.96 =

9.53.250.93 D 9.53.250.96)

ax IP X76' *X76'a)ax IP X7,|G+9Cm@(}g,9.53.250.96 =

9.53.250.93 D 9.53.250.93)

KZ CZX(KZE(}g,21 r 23)Dhv}]

-i hv}CX(-i+MD}](}g,TCP r UDP)#7(ZWN 2 -L"M

D-iMg{-LI&+9(D}Kfr#>XKcD-iXkk6LKcD

-i%d#

!qm@`M

P(9CV$m@r IKE m@!vZ6LUK'VDm@MZ{D\?\m`M#(iC IKE m@(1IC

1),r*|Ga)K$5j<D2+\?-LM\?|B#|G2{C IETF ESP M AH 7`M"'V4

XE#$#P!qXdC){==TJm}V$i#

g{6LK9Ch*V$m@DdP;vc(,r&C9CV$m@#V$m@7#Ks?wzD%YwT#

r*\?G2,DR\QDd,|Bp4I\\i3,|G2;2+#V$m@ITCZKPCYw53Dw

zMNNd|KP IP 2+"RP+2S\MO$c(hCDzw#s`})&La)x DES D|X MD5,

rx DES D HMAC MD5#CS/8uITk+?0IP 2+T15V;p$w#


20V$m@9CD}L!vZGq20m@DZ;vwzr20Z~vwz,Z~vwzhCDN}*kZ

;v%d#120Z;wz1,\?ITT/zz,c(ITG,OD#120Z~wz,g{I\,S6L

K<km@E"#

m;vX*D"bBnG7(6L53GqZ@p=.s#g{G,rhCXk|,ek@p=DE"#

9C IKE M DHCP r/,D8(X7

;v(}Yw5349C0IP 2+T1DU(=8G16L53ZC~qwt/ IKE a01,|GDj6;

\@5ZX(D IP X7#Z>XVrx(LAN)73BIT"zbViv,Hg9C0IP 2+T1,S=

LAN OD;v~qw"H}S\}]#d|+29Cf06LM'zr~qw&E,"R9C+^(r{

(FQDN)rgSJ~X7(user@FQDN)4j66Lj6#

*KF(yZw7DXZ6Lj6D_Tv_,Xk9Cw/==#ZbVivB,Z-LDZ;{"P"M

j6,"RITCZZ2+_T}]bPxP_Ti/#b+7#v8(|{D6Lj6IT9C IKE -i-

L#

TZ0}]\m1WN(WN 2),14(0IP 2+T1X*4S\ TCP r UDP w?,;cITdC}]

\mwm@#rK,g{ IP X7;PZ}]bPw7XdC,WN 1 ZdDNNO$KDks+9C`tm

@4(e0}]\m1WN#bJmNNX7%d`tm@,;*Oq+2DyZ\?D2+Ti$ZWN 1

GI&D,G4MIT9C#

9C XML 4(e;v`t}]\mm@

(e`t0}]\m1m@,9C ikedb ITmbD XML q=#PX IKE XML SZM ikedb |nD|

`E",kNDjb*Z 144 3D:IKE (Db0dCD|nPgf;D;Z#0`t}]\m1m@k DHCP

;p9C#XML q=9CjG{FyZ Web D53\mwwC0}]\m1m@#b2GN<Kd|OBD

PWN 2 m@#`t}]\mm@;Gf}Dm@,xG;v IPSecProtection,|ZSUD0}]\m1{

"(ZX(0\?\m1m@B)kNN*0\?\m1m@(eD0}]\m1m@;%d19C#|vZ

l&LrG AIX 53DivB9C#8(;v`t}]\mm@ IPSecProtection GI!D#

`t}]\mm@(eZ IKEProtection *XP#P=v XML tT,F* IKE_IPSecDefaultProtectionRefM IKE_IPSecDefaultAllowedTypes,|GG*KyCD#

WH,g{;P%dD IPSecTunnels(0}]\m1m@),rh*(e;vzkCw1!5D

IPSecProtection#Cw1!5D IPSecProtection XkPT _defIPSprot_ *<D IPSec_ProtectionName#

VZk*Az*9C IPSecProtection bv1!5D IKEProtection#8( IKE_IPSecDefaultProtectionReftT,||,1!5 IPSec_Protection D{F#

9XkZC IKEProtection P* IKE_IPSecDefaultAllowedTypes tT8(;v5#|ITP;vr`vT

BD5(g{P`v5,|G&CUqV*):

Local_IPV4_Address

Local_IPV6_Address

Local_IPV4_Subnet

Local_IPV6_Subnet

Local_IPV4_Address_Range

Local_IPV6_Address_Range

Remote_IPV4_Address

Remote_IPV6_Address

Remote_IPV4_Subnet

Remote_IPV6_Subnet

Remote_IPV4_Address_Range

Remote_IPV6_Address_Range


b)5kt/Lr8(Dj6`M`{#Z IKE -LP,vTK5JDj6#g{

IKE_IPSecDefaultAllowedTypes tT|,;vT Local_ *<DV{.,CV{.kt/LrD>Xj6`

M`{,,1|,;vT Remote_ *<DV{.,CV{.kt/LrD6Lj6`M`{,G4+9C8(

D IPSecProtection#;d05,ZNN IKE_IPSecDefaultAllowedTypes tTPAYP;v Local_ 5M

AY;v Remote_ 5,bG*Kk*9CD IPSec_Protection `{#

>}: ZWN 2(}]\m)D{"Pt/Lrr AIX 53"MTBE":

>Xj6`M: IPV4_Address

>Xj6: 192.168.100.104

6Lj6`M: IPV4_Subnet

6Lj6: 10.10.10.2

6LxZk: 255.255.255.192

AIX 53;Pkb)j6%dD0}]\m1m@#+G|D7P;vPTB(eDtT IPSecProtection:

IKE_IPSecDefaultProtectionRef="_defIPSprot_protection4"

IKE_IPSecDefaultAllowedTypes="Local_IPV4_Address
                              Local_IPV4_Address_Range
                              Local_IPV6_Address_Range
                              Remote_IPV6_Address
                              Remote_IPV4_Address_Range"

xk{"D>Xj6`M(IPV4_Address)kyJm`M Local_ 5PD;v%d,Local_IPV4_Address#

,1,{"D6Lj6(IPV4_Subnet)k5 Remote_IPV4_Subnet %d#rK0}]\m1m@-L+L

xxP _defIPSprot_protection4 w* IPSecProtection#

/usr/samples/ipsec/default_p2_policy.xml D~G;vj+D XML D~,|(eK;v`t

IPSecProtection,|Iw*>}9C#

9CyZ Web D53\mw(e`t}]\mm@

*9CyZ Web D53\mwSZ(e`t0}]\m1m@,k4PTBYw:

1. Z0IKE m@1]wP!q;v0\?\m1m@,;s!q0(e}]\mm@1Yw#

2. !q`t0}]\m1m@#dCfe`FZCZ(e0}]\m1m@Dfe#;x,j6`MD!n

G;,D#;h*8(T=j6#j6`M(IP v4 r v6 Address Only"IP v4 r v6 Subnet Only M IP

v4 r v6 Address r Subnet)-GyJmDyPj6iv#

3. Ck0}]\mm@1hCP;yD==4hC#`E","%w07(1#?v0\?\m1m@v\P

;vX*D0`tm@1#

":0`t}]\m1m@;\CZ AIX 53Gl&LrDiv#


dCrXx\?;;(Db0

>Za)XZgN9CyZ Web D53\mwgf"53\mgfLr(SMIT)r|nP4dCxJ\?;

;(IKE)(Db0DE"#

9CyZ Web D53\mwdC IKE (Db0

:9Cy>dCr<;a)K;Vr%D==4(exP$2m\?D IKE (Db0#PX|`_6!n,k

ND:_6 IKE (Db0dC;#

9Cy>dCr<

zIT(}yZ Web D53\mw(e IKE,9C$2m\?r_$iw*O$=(#yZ Web D53\

mwmSBD\?\mM}]\m IKE (Db0= IP 2+S53,Jmzdk+!}]"!q;)!n,T

Z(Db0z|ZbyDN},9C+21!5#

19Cy>dCr<1,TBD*G!:

v r<;ICZu<(Db0dC#*^D">}r$n(Db0,k9C IKE (Db0e~rNq8#

v 53P(Db0D{FG(;D,+zITZ6L53P9C`,D{F#}g,Z>XM6L53P,

(Db0D{FITG hostA_to_hostB,+>X IP X7M6L IP X7VN(Kc)G;;D#

v WN 1 MWN 2 D(Db0C`,DS\MO$c(4(e#

v $2m\?XkT.yxF(;x 0x 0<)r ASCII D>dk#

v g{!q}V$iw*O$=(,rzXk9C\?\mw44(}V$i#

v wzj6`M;\G IP X7.

v z4(D*;MaiGTC'(eD(Db0{Fa2D8({F#zIT(} VPN M IKE (Db0e

~ZyZ Web D53\mwPi4*;kai#

(}r<9CTB}L4dCBD(Db0:

1. Z|nPP9C wsm |nr*yZ Web D53\mw#

2. !qxge~

3. !qib(Cx(IP 2+T)#

4. SXF(xr,!qEvkNqD~P#

5. !qdCy>(Db0dCr<#

6. Z=h 1 i\feP%wB;=,;s4U=hdC IKE (Db0#

g{h*D0IT9C*zoz#

Z9Cr<(eK(Db0.s,(Db0D(eMT>ZyZ Web D53\mw IKE (Db0PmP,

"RIT$nr^D#

_6 IKE (Db0dC

zITVpdC\?\mM}]\m(Db0,ICTBD}L#

dC\?\m(Db0: ICyZ Web D53\mwdC IKE (Db0#9CTB}L4mS\?\m(

Db0:

1. 9C wsm |nr*yZ Web D53\mw#

2. !qxge~#

3. !qib(Cx(IP 2+T)#

4. SXF(xr,!qEvkNq#


5. !qt/ IP 2+T#CYw0k0IP 2+T1ZK)9"t/ isakmpd"tmd M cpsd X$Lr#

(}(e\?\mM}]\mKc0dPXD2+T*;Mai44((Db0#

v \?\mGO$WN#|ZFcnUD0IP 2+T1N}M\?.0,hCK-L?V.dD2+E@#

v }]\mhvK9CXb(Db0Dw?`M#TZ%@Dwzrwzi(9CSxr IP 6'),,8

(D-iMKZE;pdC#

IT9C`,D\?\m(Db04#$`v}]\m-LM\?"B,;*|G;Z`,D=vKc.

d;}g,Z=vxX.d#

6. *(e\?\m(Db0Kc,%w06p1!n(PDxJ\?;;(IKE)(Db0#

7. dkE"ThvNk-LD53Dm]#s?VivB9C IP X7,"RXk4(k6L=f]D_T#

Z0*;1!n(P,+=<9C%d*;,r_*56LK\m14(e%d*;#IT4(|,8v

!nD*;Ta)1air%d*;1DinT#

8. g{TZO$9C$2m\?,Z\?!n(Bdk$2m\?#Z6LM>XzwOC5Xk%d#

9. 9C0*;1!n(ODmS4%44(kC(Db0X*D*;#

*tC}V$iM){=='V,!q RSA ){ rxP RCL #iD RSA ){O$=(#

XZ}V$iD|`E",kNDZ 148 3D:&m}V$iM\?\mw;#

dC}]\m(Db0: *hC}]\m(Db0Kc0ai"jI IKE (Db0hC,r*yZ Web D

53\mw,gZ 142 3D:dC\?\m(Db0;Pyv#}]\m(Db04UTB=h4(:

1. !q\?\m(Db0"(eNb(;D!n#s`}}]\m!nIT4U1!(e#t#

2. Z0Kc1!n(B8(Kc`M(}gIP X7"Sxr IP X76')#zIT!qKZEM-ir_S

\1!5#

3. ZaifeP,zIT4(;vBDai,(}%wmS4%r_%w7(44(ai#g{P`va

i,zIT9C0OF1r0BF14%4|DQw3r#

Vi'V: S AIX 5.1 *<,IP 2+TZ(Db0(eP'V IKE j6Vi,T9`vj6k%;D2+

T_T`X*,x;h*4(%@D(Db0(e#1hC,S=8v6Lwz1,ViHdPC,r*zI

T\bhCr\m`v(Db0(e#,y,g{Xk*|D2+T_T,z;X|D`v(Db0(e#

Z9C(Db0(ePDi{.0,XkH(e;vi#iDs!^F* 1 KB#i{ITZ\?\mM}]\

m(Db0(eP9C,+G|;\Cw6Lj6#

iGIi{M IKE j60j6`MPmiID#j6IT+<G`,D`Mr_TBDiO:

v IPv4 X7

v IPv6 X7

v FQDN

v user@FQDN

v X500 DN `M#

Z02+TX*-L1Zd,_TQwiPDj6TqCZ;v%d#

yZ Web D53\mwITC4(eCZ0\?\m1(Db0D6LKcDi#XZS|nP(eiDE

",kN<Z 144 3D:IKE (Db0dCD|nPgf;Z#*CyZ Web D53\mw4(e;vi,

k9CTB}L:

1. Z IKE (Db0]wP!q0\?\m1(Db0#

2. r*tTT0r#


3. !qj6!n(#

4. TZ6Lwzm]`M!qij6(e#

5. !qdCi(e4%,Z0ZPdkiI1#

9C IKE (Db0dCD SMIT gf

zIT9C SMIT gf4dC IKE (Db0"4Py>D IKE }]b&\#SMIT 9Cy!D XML |n

/}44PT IKE (Db0(eDmS">}M^D#IKE SMIT CZlYdC IKE (Db0"a)CZ4

( IKE (Db0(eD XML o(#IKE SMIT K%2Jmz8]"^4Mu</ IKE }]b#

*dC IPv4 IKE (Db0,k9C smitty ike4 lY76#*dC IPv6 IKE (Db0,k9C smitty ike6 lY76#IKE }]b/}ITZ0_6 IP 2+TdC1K%PR=#

(} SMIT mSDyPD IKE }]bn<IT(}yZ Web D53\mw$_i4r^D#

IKE (Db0dCD|nPgf

ikedb |n(Z AIX 5.1 0Tsf>PIC)JmC'9C XML gflw"|B">}"<kM<v IKE

}]bPDE"#ikedb |nJmC'4k(Ek)r_A!(q!)IKE }]b#dkdvq=G0I)9

jGoT1(XML)D~#XML D~Dq=GI|D0D5`M(e1(DTD)8(D#ikedb |nJmC

'ND DTD,|CZZ4k1i$ XML D~#!\IT9C -e j>+5eywmS= DTD P,bGT

DTD (;\vD^D#+vTNNdk XML D~PDb? DOCTYPE yw,NNZ? DOCTYPE yw<

I\<Bvm#9C DTD Vv XML D~yq-DfrZ XML j<P8(#/usr/samples/ipsec D~P

vdMD XML D~y>,|(eK+2(Db0=8#XZo(Dj8E",kND6AIX 5L V5.2 |nN

<s+7PD ikedb |nhv#

zIT9C ike |n4t/"#9M`S IKE (Db0#ike |n2ICZ$n"}%r_Pv IKE M IP

2+T(Db0#XZo(Dj8E",kND6AIX 5L V5.2 |nN<s+7PD ike |nhv#

TB>}T>KgN9C ike"ikedb Md|8v|n4dCMli IKE (Db0D4,#

1. *t/(Db0-L($n(Db0)r_JmxkD53d1l&Lr(!vZ8(DG+),9Cx

P(Db0ED ike |n,gBy>:

# ike cmd=activate numlist=1

z2IT9C6Lj6r_ IP X7,gTBD}Sy>:

# ike cmd=activate remid=9.3.97.256

# ike cmd=activate ipaddr=9.3.97.100, 9.3.97.256

IZI\h*8kS4jI|n,|nZt/-Ls5X#

2. *T>(Db04,,k9C ike |n,gBy>:

# ike cmd=list

dv`FZTBDT>:

Phase 1 Tunnel ID [1]

Phase 2 Tunnel ID [1]

dvT>K10$nDWN 1 MWN 2 (Db0#

3. *qC(Db0Dj8Pm,k9C ike |n,gBy>:

# ike cmd=list verbose

dv`FZTBDT>:

Phase 1 Tunnel ID 1
Local ID Type: Fully_Qualified_Domain_Name
Local ID: bee.austin.ibm.com
Remote ID Type: Fully_Qualified_Domain_Name
Remote ID: ipsec.austin.ibm.com
Mode: Aggressive
Security Policy: BOTH_AGGR_3DES_MD5
Role: Initiator
Encryption Alg: 3DES-CBC
Auth Alg: Preshared Key
Hash Alg: MD5
Key Lifetime: 28800 Seconds
Key Lifesize: 0 Kbytes
Key Rem Lifetime: 28737 Seconds
Key Rem Lifesize: 0 Kbytes
Key Refresh Overlap: 5%
Tunnel Lifetime: 2592000 Seconds
Tunnel Lifesize: 0 Kbytes
Tun Rem Lifetime: 2591937 Seconds
Status: Active

Phase 2 Tunnel ID 1
Local ID Type: IPv4_Address
Local ID: 10.10.10.1
Local Port: any
Local Protocol: all
Remote ID Type: IPv4_Address
Remote ID: 10.10.10.4
Remote Subnet Mask: N/A
Remote Port: any
Remote Portocol: all
Mode: Oakley_quick
Security Policy: ESP_3DES_MD5_SHA_TUNNEL_NO_PFS
Role: Initiator
Encryption Alg: ESP_3DES
AH Transform: N/A
Auth Alg: HMAC-MD5
PFS: No
SA Lifetime: 600 Seconds
SA Lifesize: 0 Kbytes
SA Rem Lifetime: 562 Seconds
SA Rem Lifesize: 0 Kbytes
Key Refresh Overlap: 15%
Tunnel Lifetime: 2592000 Seconds
Tunnel Lifesize: 0 Kbytes
Tun Rem Lifetime: 2591962 Seconds
Assoc P1 Tunnel: 0
Encap Mode: ESP_tunnel
Status: Active

4. *T>/,}KwmPD}KwfrTq!n|$nD IKE (Db0,9C lsfilt |n,gBy>:

# lsfilt -d

dv`FZTBDT>:

1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all packets 0 all

2 *** Dynamic filter placement rule *** no

0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both no all packets 0 all

*** Dynamic table ***

0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 500 eq 500 local both no all packets 0

0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no ah any 0 any 0 both inbound no all packets 0

0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no esp any 0 any 0 both inbound no all packets 0

1 permit 10.10.10.1 255.255.255.255 10.10.10.4 255.255.255.255 no all any 0 any 0 both outbound yes all packets 1

1 permit 10.10.10.4 255.255.255.255 10.10.10.1 255.255.255.255 no all any 0 any 0 both inbound yes all packets 1

C>}T>KP;v IKE (Db0x^d|(Db0Dzw#C'ITF//,}K<Vfr(Z2,

mD>}dvPDfr #2)4XFkyPd{C'(eDfrPXD<V#1-L(Db01/,mP

DfrT/9l,"RQ`&Dfrek=}KwmP#b)frITT>,+;\`-#

5. *r*/,}KwfrG<,+fr #2 DG<!nhC*G,9C chfilt |n,gTB>}y>:

# chfilt -v 4 -n 2 -l y

h* IKE w?G<D|`j8E",kNDZ 166 3D:G<h8;#

6. *!{$n(Db0,9C ike |n,gBy>:

# ike cmd=remove numlist=1

7. *i4(Db0(e,9C ikedb |n,gBy>:

# ikedb -g

8. *S,6h8OzID XML D~P4k(e= IKE }]b"2G}]bPVPDNb,{Ts,9C

ikedb |n,gBy>:

# ikedb -pFs peer_tunnel_conf.xml

peer_tunnel_conf.xml GZ,6h8OzID XML D~#

9. *q!|{* tunnel_sys1_and_sys2 DWN 1 D(Db0D(eMyPxPwTaiM#$D`XWN 2

(Db0,k9C ikedb |n,gBy>:

# ikedb -gr -t IKETunnel -n tunnel_sys1_and_sys2

10. *S}]bP>}yP$2m\?,9C ikedb |n,gBy>:

# ikedb -d -t IKEPresharedKey

XZ IKE (Db0i'VD;cE",kNDZ 143 3D:Vi'V;Z#zITS|nP9C ikedb |n

4(ei#

AIX IKE k Linux D`FT

*(}9C Linux dCD~(AIX 5.1 0sxf>)4dC AIX IKE (Db0,k9CxP -c j>(*;

!n)D ikedb|n,|ITCz+ /etc/ipsec.conf M /etc/ipsec.secrets Linux dCD~Cw IKE (D

b0(e#ikedb |nVv Linux dCD~"4( XML D~"!qTDQ XML (Db0(emS= IKE

}]bP#;szIT9C ikedb -g |nryZ Web D53\mw4i4(Db0(e#

IKE (Db0dC=8

TB=8hvKs`}M'T<hC(Db01v=DivD`M#b)=8IThv*V+>"5qoiM

6LCJiv#

v ZV+>ivB,M'P=vk,SZ;pDIExg(;v;CD$Li=m;;CD$Li)#>>}

P,P%`,SDxX,"RyPxX.dDw?9C`,D(Db0#(Db0NbKDw?b|"+

M=+>Z?xDUWx#

Z IKE -LDZ;vWN,Z=vxX.d4( IKE 2+TX*#(}0IP 2+T1(Db0Dw?G

=vSx.dDw?,CSxj6CZWN 2 -L#Zdk(Db0D2+T_TM(Db0N}.s,4

((Db0E#9C ike |nt/(Db0#

v Z5qoi=8P,xgG;IED,xg\m1I\k*^F2+TxX.sY?wzDCJ#ZbV

ivB,wz.dD(Db0KXw?,Cw?\0IP 2+T1#$"CZ=(X(wz.d#WN 2 (

Db0D-iG AH r ESP#bVwz=wzD(Db0ZxX=xX(Db0ZG2+D#


v Z6LCJivB,(Db04U*shC"R&C_62+T#IP X7I\;Pbe,rK,+^(r{

r user@ +^(r{w*W!#zIT!qTD9C KEYID +\?kwzj6`X*#


&m}V$iM\?\mw

}V$i+m]s(=+C\?O,(}|zITi$S\+MD"M=rSU=#S AIX 4.3.3 *<,IP 2

+T9C}V$iTtC+C\?\ku,2F*GTF\ku,|IC;PC'*@D(C\?4S\}

],"IC4TZx(D+C - (C\?TD`X+C(2m)\?4b\}]#\?TG$.}],b)

}]d1C'S\=8D\?#

Z+C\?\kuP,+C\?;xC'k*k.(EDNNK#"M=T}V/==*d8(D\?T)p

yPxP`&D(C\?D2+(E#SU=9C+C\?4i$"M=D){#g{C+C\?I&DT{

"xPb\,rSU=ITi$"M=G-}O$D#

+C\?\ku@5ZIEDF*O$PD(CA)DZ}=,Sx"vI?D}V$i#SU=8(D)"

<i/r(^GO*IED#kTX(D1d?"v$i;1,}=ZU1,Xkf;|#

AIX 4.3.3 0sLf>a)0\?\mw1$_,|\m}V$i#TB?Va)XZ$i>mDEnTE"#

b)$iD\mNqZ:&m}V$iM\?\mw;Phv#

}V$iDq=

}V$i|,KXZ$iyP_Dm]MO$PDDX(E",O#kNDB<TqC}V$iD5w#

TBDPmx;=hvK}V$iDZ]:

yP_(P{F

?<wPDyP_+2{MOBD(;C)DiO#}g,ZTBDr%?<w<P,Prasad GyP_

DU({,OBDG:zR=US,i/=ABC,B6i/=SERV;rK,(P{F*:

/C=US/O=ABC/OU=SERV/CN=prasad.austin.ibm.com

< 10. }V$iDZ]. Ce<T>K}V$iDDv5e#SOrB@NG:yP_(P{F"yP_+C\?""P

L(CA)(P{FM"PL){#


yP_+C\?

SU=C4b\}]

wb8C{F

ITGj6{,}g IP X7"gSJ~X7"+^(r{HH#

"vUZ

"v}V$iDUZ#

=ZU }V$iD=ZU#

"PL(P{F

O$PDD(P{F#

"PL}V){

CZi$$iD}V){#

}V$iD2+T"bBn

%@D}V$i;\$wm]#}V$i;Jm(}a)liyP_D}V){yhD+C\?4i$}V$

iyP_Dm]#zIT2+X"M+C\?xm;=,r*;P\?TDm;?V(zD(C\?),}]

G^(b\D#rK,yP_Xk#$C(C\?,|tZ}V$iPD+C\?#g{*@K(C\?,r

}V$iyP_D+?(E<ITkk#;P(C\?,;\DC}V$i#

O$PDMENcNa9

}V$ivq"<|DO$PD(CA);y5CEN#w*bVEND;?V,&Cmb"<v$iD_

T#?vi/rC'Xk7(Iw*5CENDITS\DO$PD#

0\?\mw1$_2Jmi/4(T)p$i,bI\TbTrZY}C'rzwD73PPC#

w*2+T~qDC',zh**@|D+C\?4q!Mi$NN}V$i#xR,r%XSU}V$i;

7#|DI?T#*i$dI?T,zh*"<}V$iDO$PDD+C\?#g{z;P#t CA +C\

?D7#D1>,rI\h*d|D}V$i4qC CA D+C\?#

< 11. S?<wIz(P{FD>}. Ce<G;v?<w,0=ABC Z%6,Z~6V'v=v5e#~6|,%@D

V'OD OU=AIX M OU=Acctg;?v<P<rO;6%@5eDV'#O;6Vp|, CN=Prasad M CN=Peltier#


$i7zPm(CRL)

}V$i$ZCZ|D{vP'ZP#;x,g{h*D0,$iI\Z|D5J=ZU.0M=ZK#9$

i^'I\GX*D,}g,g{M1k*+>r_$iD(C\?Q-9)#*9$i^',zXk(*`

&D73O$PD(CA)#1 CA !{$i1,|+^'D$irPEmS=0$i7zPm1(CRL)P#

CRL G)pD}]a9,|G\ZT"<D"Z+2J4bPIC#CRL ITS HTTP r LDAP ~qwO

lw#?v CRL |,101dAGM nextUpdate 1dAG#PmP?v!{D$iId$irPE6p#

dC IKE (Db0M9C}V$iw*zDO$=(1,IT(}!qxP CRL #iD RSA ){47O$

iGq94!{#g{tC CRL #i,Z-L}LZdR="liPm4("\?\m(Db0#

":*9C0IP 2+T1Dbv&\,XkdCzD53T9C SOCKS ~qw(HTTP ~qwf> 4)

r LDAP ~qwr,19C~_#g{z*@}Z9CDv SOCKS r LDAP ~qw4q! CRL,z

IT(}9CyZ Web D53\mw4xPX*DdC!q#S0}V$i1K%P!q CRL dC#

rXx&CLrP}V$iD9C

9C+C\?\ku53DrXx&CLrXk9C}V$i4q!+C\?#Pm`9C+C\?\kuD

&CLr,|,TBb):

ib(Cx(VPN)

ib(Cx,2F*2+(Db0,ITZ53(}g@p=).dhC4tC(};2+(E47

D2+xg.dD\#$,S#yP(yb)xgDw?<ZNkD53.dS\#

CZ(Db0D-iq- IP 2+TM IKE j<,|JmTZ6LM'z(}g,ZRo$wDM1)

M2+wzrxg.dD2+S\,S#

2+WSVc(SSL)

SSL G;v-i,|*(Ea)#\TMj{T#Web ~qw+|CZ Web ~qwM Web /@w

.dD2+,S,a?6?<CJ-i(LDAP)+|CZ LDAP M'zM LDAP ~qw.dD2+

,S,Host-on-Demand V.2 +|CZM'zMwz53.dD,S#SSL +}V$iCZ\?;;"

~qwO$,T0I)!qDCZM'zO$#

2+gSJ~

m`9C PEM r S/MIME w*2+gSJ~j<DgSJ~53+}V$iCZ}V){MS\b

\J~E"D\?;;#

}V$iM$ijk)pD}V$i|,yP_(P{F"yP_+C\?"CA (P{FM CA ){HVN#T)p}V$i|

,yP_(P{F"+C\?M){#

Xk4($ijk""Mx CA Tjk}V$i#$ijk|,jk_(P{F"+C\?M){HVN#CA

C}V$iPD+C\?i$jk_D){T7#:

v $ijkZjk_M CA .d+M}LP4-^D#

v TZ$ijkPD+C\?,jk_5P`&D(C\?#

CA 2:pi$jk_m]D3v6p#bVi$D*s6'SC'm]D+!$]=j+7E#


\?\mw$_

\?\mw$_\m}V$i,|;Z)9|D gskkm.rte D~/P#

>ZhvKgN9C\?\mw4PTBYw:

1. 4(\?}]b

2. mS CA y}V$i

3. ("ENhC

4. >} CA y}V$i

5. jk}V$i

6. mS(SU)BD}V$i

7. >}}V$i

8. |D}]b\k

9. 9C}V$i4( IKE (Db0

*hC}V$iM){'V,znYXk4PNq 1"2"3"4"6 M 7#;s,9CyZ Web D53\mw

44( IKE (Db0"+_TM9C RSA ){w*O$=(D(Db0`X*#

zITSyZ Web D53\mwD VPN Ev0ZP4(MdC\?}]b,(}!q\m}V$i!n,

r_9C certmgr |nS|nPPr*\?\mw$_#

4(\?}]b

\?}]bICP'D}V$i4tC*,SD VPN Kc#\?}]b(*.kdb)z IP 2+T VPN ;p9

C#

\?\mwa)TB CA }V$i`M:

v RSA 2+~qwO$PD

v Thawte vKUQO$PD

v Thawte vKbQJ~O$PD

v Thawte vKy>O$PD

v Thawte vK~qwO$PD

v Thawte ~qwO$PD

v Verisign ` 1 +2y>O$PD

v Verisign ` 2 +2y>O$PD

v Verisign ` 3 +2y>O$PD

v Verisign ` 4 +2y>O$PD

b)){}V$itCM'z,S=_P4Tb))"_DP'}V$iD~qw#Z4(K\?}]b.

s,zITQ|CwQ4(D\?}]b4,S=_P4T)"_.;DP'D}V$iD~qw#

*9CCmP4PvD){}V$i,zXkS CA Pjk"Q|mS=zD\?}]b#kNDZ 152 3D

:mS CA y}V$i;#

*9C certmgr |n4(\?}]b,k9CTB}L:

1. t/\?\mw$_,dk:

# certmgr


2. S\?}]bD~B-K%P!qB(#

3. TZ\?}]b`MVN,S\1!5,CMS \?}]bD~#

4. ZD~{VNPdkTBD~{:

ikekey.kdb

5. Z;CVNPdkTB}]bD;C:

/etc/security

":\?}]bXk|{* ikekey.kbd "RXkEZ /etc/security ?<P#qr,IP 2+T;\}7

K*#

6. %w7(#T>\ka>A;#

7. Z\kVNPdk\k,Z7O\kVNPYNdk;i#

8. g{k*|D\k=Zl},ZhC=Z1d?VNdkk*Dl}#CVND1!5* 60 l#g{;

k*\k=Z,re}hC=Z1d?VN#

9. *Zf"D~P#f\kDS\f>,!q\kf"=D~?VN"dkG#

"b:zXkf"\kTtCxP IP 2+TD}V$iD9C#

10. %w7(#T>7OA;,i$zQ4(\?}]b#

11. YN%w7(,5X IBM \?\mA;#zIT4Pd|Nqr_Kv$_#

mS CA y}V$i

S CA Pjk"SU=y}V$i.s,ITQ|mS=}]bP#s`}y}V$i_P *.arm q=,gB

y>:

cert.arm

*mS;v CA y}V$i=}]bP,9CTB}L:

1. }GzQ-Z9C\?\mw,qrt/C$_,(}dk:

# certmgr

2. SwA;P,!q\?}]bD~B-K%PDr*#

3. ;vT>zk*mS CA y}V$i=dPD\?}]bD~,%wr*#

4. dk\k,%w7(#\kS\1,5X IBM \?\mA;#b1,jb8+T>z!(D\?}]bD

~{F,m>D~VZr*"<8&mK#

5. SvK/T)p$iB-K%P!qT)p$i#

6. %wmS#

7. S}]`MB-K%P!q}]`M,}g:

Base64 `kD ASCII }]

8. dk CA y}V$iD$iD~{M;C,r_%w/@!q{FM;C#

9. %w7(#

10. dk CA y}V$iDj),}gbT CA y$i,%w7(#5X=\?\mA;#T)p$iVNV

ZT>UUmSD CA y}V$iDj)#zIT4P|`Nqr_Kv$_#

("ENhC

20D CA $i1!ivBhC*IED#*|DENhC,k4PTBYw:

1. }GzQ-Z9C\?\mw,qr(}dkTBZ]t/C$_:


# certmgr

2. SwA;P,!q\?}]bD~B-K%PDr*#

3. ;vT>zk*|DdPD1!}V$iD\?}]bD~,%wr*#

4. dk\k,%w7(#\kS\Ts,5X IBM \?\mA;#jb8T>z!(D\?}]bD~{F,

m>D~VZr*K#

5. SvK/T)p$iB-K%P!qT)p$i#

6. ;vT>zk|DD$i,%wi4/`-,r_+wu?#T>$iu?D\?E"A;#

7. *9C$iI*IEy$i,!qhC$i*IEy.sDr,%w7(#g{$i;IE,e}4!

r,%w7(#

8. ZT)p$iA;P%w7(#5X IBM \?\mA;#zIT4Pd|Nqr_Kv$_#

>} CA y}V$i

g{;Yk'V){}V$iPmPD CA .;,Xk>}C CA y}V$i#

"b:Z>} CA y}V$i.0,4(8]1>,T@9Tsk*XB4( CA y#

*S}]bP>} CA y}V$i,9CBfD}L:

1. }GzQ-Z9C\?\mw,qrt/C$_,(}dk:

# certmgr

2. SwA;P,!qr*,Z\?}]bD~B-K%P#

3. ;vT>zk*>} CA y}V$iD\?}]bD~,%wr*#

4. dk\k,%w7(#\kS\Ts,5X=\?\mA;#b1,jb8+T>z!(D\?}]bD

~{F,m>D~VZr*"<8`-K#

5. !qT)p$i,SvK/T)p$iB-K%P#

6. ;vT>zk>}D$i,%w>}#T>7OA;#

7. %wG#5X IBM \?\mA;#T)p$iVN;YvV CA y}V$iDj)#zIT4Pd|Nq

r_Kv$_#

jk}V$i

*q!}V$i,9C\?\mwzIjk,"Qjka;x CA#zIDjkGT PKCS#10 Dq=#;s

CA i$zDm],xz"M}V$i#

*jk}V$i,ICTB}L:

1. }GzQ-Z9C\?\mw,qrt/C$_,(}dk:

# certmgr

2. SwA;P,!q\?}]bD~B-K%PDr*#

3. ;vT>zk*SPzIjkD /etc/security/ikekey.kdb \?}]bD~,%wr*#

4. dk\k,%w7(#\kS\Ts,5X IBM \?\mA;#jb8+T>z!(D\?}]bD~{

F,m>D~VZr*"<8`-K#

5. S0vK/)pK$i1B-K%P(Z AIX V4 P)!qvK$ijkr_!q4( —> BD$ij

k(S AIX 5.1 *<)#

6. %wB(#

7. STBDA;P,dkT)p}V$iD\?j),}g:


keytest

8. dkU({F(1!5*wz{)Mi/,;s!qzRrXx#TZ#BDVN,S\1!5r_!q

B5#

9. (ewb8C{F#kwb8C`X*DI!VN*gSJ~X7"IP X7M DNS {F#TZ IP X7

D(Db0`M,dk`,D IP X7,Z IKE (Db0P+CX7dC= IP X7VN#TZ

user@FQDN D(Db0j6`M,jIgSJ~X7VN#TZ FQDN (Db0j6`M,Z DNS {

FVNdk+^(r{(}g,hostname.companyname.com)#

10. ZA;WK,dkD~{F,}g:

certreq.arm

11. %w7(#T>7OA;,i$zGqQ*BD}V$i4(jk#

12. %w7(#5X0IBM \?\m1A;#vK$ijkVNVZT>4(DBD}V$ijkD\?j)

(PKCS#10)#

13. "MD~x CA TjkBD}V$i#zIT4Pd|Nqr_Kv$_#

mS(SU)BD}V$i

S CA SUB}V$i.s,XkQ|mS=zIjkD\?}]bP#

*mS(SU)BD}V$i,9CTB}L:

1. }GzQ}Z9C0\?\mw1,qrt/C$_,kdk:

# certmgr

2. SwA;P,S0\?}]bD~1B-K%P!qr*#

3. ;vT>zI$ijkD\?}]bD~"%wr*#

4. dk\k"%w7(#\kS\Ts,5X0IBM \?\m1A;#jb8+T>z!qD\?}]bD

~{F,m>D~VZQr*"<8`-#

5. S0vK/){K$i1B-K%P!qvK$ijk#

6. %wSU(TmSB|SUD}V$i=}]bP)#

7. S}]`MB-K%P!qB}V$iD}]`M#1!5* Base64 `kD ASCII }]#

8. *B}V$idk$iD~{M;C,r_%w/@4!q{FM;C#

9. %w7(#

10. dkB(}V$iDhvTj),}g:

VPN V'$i

11. %w7(#5X0IBM \?\m1A;#vK$iVNVZT>zUUmSDB}V$iDj)#zIT

4Pd|Nqr_Kv$_#

g{0k$ivm,kli$iD~Gqp<ZD> -----BEGIN CERTIFICATE-----,axZD> -----END CERTIFICATE-----#

}g:

-----BEGIN CERTIFICATE-----
ajdkfjaldfwwwwwwwwwwadafdwkajf;kdsajkflasasfkjafdaffakdjf;ldasjkf;safdfdasfdaskaj;fdljk98dafdas43adfadfa
-----END CERTIFICATE-----

g{D>;%d,`-$iD~Sx9|J1X*<Max#


>}}V$i

":Z>}}V$i.0,*Tszr;k*XB4(|4(8]1>#

*S}]bP>}}V$i,k9CBfD}L:

1. }GzQ}Z9C0\?\mw1,qrt/C$_,kdk:

# certmgr

2. SwA;P,S0\?}]bD~1B-K%P!qr*#

3. ;vT>zk*SP>}}V$iD\?}]bD~,"%wr*#

4. dk\k"%w7(#\kS\Ts,5X0IBM \?\m1A;#jb8+T>z!qD\?}]bD~

{F,m>D~VZQr*"<8`-#

5. S0vK/){K$i1B-K%P!qvK$ijk#

6. ;vT>zk>}D}V$i"%w>}#T>07O1A;#

7. %wG#5X0IBM \?\m1A;#vK$iVNP;YT>zUE>}D}V$ij)#zIT4Pd

|Nqr_Kv$_#

|D}]b\k

*|D\?}]b,k9CTB}L:

1. }GzQ}Z9C0\?\mw1,qrt/C$_,kdk:

# certmgr

2. SwA;P,S0\?}]bD~1B-K%P!q|D\k#

3. Z\kVNPdkB\k,"RZ7O\kVNPYdk;i#

4. g{k*|D\k=Zl},ZhC=Z1d?VNdkk*Dl}#CVND1!5* 60 l#g{;k

*\k=Z,re}hC=Z1d?VNdkk*Dl}#

5. *Zf"D~P#f\kDS\f>,!q\kf"=D~?VN"dkG#

":zXkf"\kTtCxP0IP 2+T1D}V$iD9C#

6. %w7(#4,8PD{"m>I&jIjk#

7. YN%w7("5X=0IBM \?\m1A;#zIT4Pd|Nqr_Kv$_#

9C}V$i4( IKE (Db0

*4(9C}V$iD IKE (Db0,Xk9CyZ Web D53\mwM0\?\mw1$_#

(e\?\m IKE (Db0_T1*tC}V$iD9C,XkdC9C){==D*;# ){==kTO

$9C RSA ){c(#0IP 2+T1a)yZ Web D53\mwT0r0mS/|D*;1TJmz!q

RSA ){rxP CRL #iD RSA ){DO$=(#

(Db0AY;vKcXk_P(e9C){==*;D_T#z2IT(}yZ Web D53\mw9C){

==4(ed{D*;#

0IP 2+T1'VD IKE \?\m(Db0`M(06p1!n(ODwzm]`MVN)gB:

v IP X7

v +^(r{(FQDN)

v user@FQDN


v X.500 (P{F

v \?j6{

9CyZ Web D53\mwZ0\?\m(Db0tT - 6p1!n(P!qwzm]`M#g{!q IP X7"FQDN r user@FQDN,rXkZyZ Web D53\mwPdk5,;sQb)5a)x CA#CE

"CwvK}V$iPD0wb8C{F1#

}g,g{zZ6p!n(OSyZ Web D53\mwB-PmP!qwzm]`M* X.500 (P{F,"

Rdk Host identity * /C=US/O=ABC/OU=SERV/CN=name.austin.ibm.com,rTBMG14(}V$

ijk1zXkZ0\?\mw1PdkD+75:

v Common name: name.austin.ibm.com

v Organization: ABC

v Organizational unit: SERV

v Country : US

dkD X.500 (P{FGIzD53r LDAP \m1hCD{F#dki/%;5GI!D#;sZ4(}

V$i1,CA 9CCE"#

m;v>},g{SB-PmP!qwzm]`M* IP X7,"dkwzm]* 10.10.10.1,BfGzZ}

V$ijkPXkdkD+75:

v Common name: name.austin.ibm.com

v Organization: ABC

v Organizational unit: SERV

v Country : US

v Subject alternate IP address field: 10.10.10.1

Z4(K_PCE"D}V$ijk.s,CA 9CCE"4(vK}V$i#

1jkvK}V$i1,CA h*TBE":

v z}Zjk X.509 $i#

v ){q=*xP RSA S\c(D MD5#

v zGq8(0wb8C{F1#8C{F`M*:

– IP X7

– +^(r{(FQDN)

– user@FQDN

TBDwb8C{FE"|,Z$ijkD~P#

v F.\?9C(Xk!q}V){;)#

v 0\?\mw1}V$ijkD~(T PKCS#10 DN=)#

TZX(=h9C0\?\mw144($ijk,kNDZ 153 3D:jk}V$i;#

Z$n IKE (Db0.0,XkQS CA SU=DvK}V$imS=0\?\mw1}]b(ikekey.kdb)

P#h*|`E",kNDZ 154 3D:mS(SU)BD}V$i;#

0IP 2+T1'VTBDvK}V$i`M:


wb DN0wb(P{F1Xk4UBfDq=M3r:

/C=US/O=ABC/OU=SERV/CN=name.austin.ibm.com

0\?\mw1$_;Jm;v OU 5#

w* IP X7Dwb DN Mwb8C{F

0wb(P{F1M0wb8C{F1IT8(* IP X7,gBy>:

/C=US/O=ABC/OU=SERV/CN=name.austin.ibm.com M 10.10.10.1

w* FQDN Dwb DN Mwb8C{F

0wb(P{F1M0wb8C{F1IT8(*+^(r{,gBy>:

/C=US/O=ABC/OU=SERV/CN=name.austin.ibm.com M bell.austin.ibm.com#

w* user@FQDN D0wb DN1M0wb8C{F1

0wb(P{F1M0wb8C{F1IT8(*C'X7

(user_ID@fully_qualified_domain_name),gBy>:

/C=US/O=ABC/OU=SERV/CN=name.austin.ibm.com M [email protected]#

wb DN M`vwb8C{F

0wb(P{F1ITk`v0wb8C{F1`X*,gBy>:

/C=US/O=ABC/OU=SERV/CN=name.austin.ibm.com M bell.austin.ibm.com"10.10.10.1 M

[email protected]#


dCK$(Db0

TB}LdC IP 2+TT9CK$(Db0#

hC(Db0M}Kw

*hCK$(Db0,;X%@dC}Kfr#;*=(wz.dDyPw?<-}(Db0,MaT/zI

X*D}Kwfr#hC(Db0D}LG*KZ;K(e(Db0,Zm;K<k(e,"Z=K$n(D

b0M}Kwfr#;s(Db0M<89C#

g{;Pw7a),rXkzzXZ(Db0DE"CZ+=D%d#}g,g{?j5;P8(D0,kT

48(DS\MO$c(+Cw?j;C#

ZZ;(wzO4(K$(Db0

zIT9CyZ Web D53\mwxg&CLr"SMIT ips4_basic lY76(TZ IP V4)r_ SMIT

ips6_basic lY76(TZ IP V6)4dC(Db0#z2IT9CTB}LV$4((Db0#

BfG;vCZ4(K$(Db0D gentun |nD>}:

gentun -v 4 -t manual -s 5.5.5.19 -d 5.5.5.8 \
       -a HMAC_MD5 -e DES_CBC_8 -N 23567

zIT9C lstun -v 4 |nPvI0fD>}4(DK$(Db0DXw#dv`FZTBDT>:

Tunnel ID : 1
IP Version : IP Version 4
Source : 5.5.5.19
Destination : 5.5.5.8
Policy : auth/encr
Tunnel Mode : Tunnel
Send AH Algo : HMAC_MD5
Send ESP Algo : DES_CBC_8
Receive AH Algo : HMAC_MD5
Receive ESP Algo : DES_CBC_8
Source AH SPI : 300
Source ESP SPI : 300
Dest AH SPI : 23576
Dest ESP SPI : 23576
Tunnel Life Time : 480
Status : Inactive
Target : -
Target Mask : -
Replay : No
New Header : Yes
Snd ENC-MAC Algo : -
Rcv ENC-MAC Algo : -

*$n(Db0,kdkgB|n:

mktun -v 4 -t1

+aT/zIk(Db0PXD}Kwfr#

*i4}Kfr,9C lsfilt -v 4 |n#dv`FZBfDT>:

Rule 4:
Rule action : permit
Source Address : 5.5.5.19
Source Mask : 255.255.255.255
Destination Address : 5.5.5.8
Destination Mask : 255.255.255.255
Source Routing : yes


Protocol : all
Source Port : any 0
Destination Port : any 0
Scope : both
Direction : outbound
Logging control : no
Fragment control : all packets
Tunnel ID number : 1
Interface : all
Auto-Generated : yes

Rule 5:
Rule action : permit
Source Address : 5.5.5.8
Source Mask : 255.255.255.255
Destination Address : 5.5.5.19
Destination Mask : 255.255.255.255
Source Routing : yes
Protocol : all
Source Port : any 0
Destination Port : any 0
Scope : both
Direction : inbound
Logging control : no
Fragment control : all packets
Tunnel ID number : 1
Interface : all
Auto-Generated : yes

*$n}Kfr,|,1!D}Kfr,k9C mktun -v 4 -t 1 |n#

*hCm;_(1|G9CCYw53Dm;(zw1),ITSwz A O<v(Db0(e,;s+d<k

=wz B#

TB|n+(Db0(e<v=;v{* ipsec_tun_manu.exp DD~P,"R?<PNNkD~

ipsec_fltr_rule.exp PXD}Kfr<I -f j>m>:

exptun -v 4 -t 1 -f /tmp

ZZ~(wzO4(K$(Db0

*4((Db0D%dK,9CgBD|n+<vDD~4F"<k6Lzw:

imptun -v 4 -t 1 -f /tmp

dP

1 G*<kD(Db0

/tmp G<kD~$tD?<

53zI(Db0E#zITS gentun |nDdv4qC,r_9C lstun |nPv(Db0"7(<kD

}7D(Db0}#g{Z<kD~P;P;v(Db0,r_yPD(Db0<*<k,r;h* -t !n#

g{6Lzw;ZKPCYw53,<vD~ITCwhC(Db0m;KDc("\?M2+TN}w}

(SPI)5DN<#

IT<kS@p=z7P}vDD~44((Db0#*byv,Z<kD~19C -n !n,gB:

imptun -v 4 -f /tmp -n


hC}Kw

ICs?VT/zI}KwfrIT\]WXhC}Kw,r_ITy] IP E"|DtT(e+XpD}Kw

&\4(F}Kw#(}HO4X7M SPI 5Sx+xkE"|%d=}KwmPyPvD4X7M SPI 5#

rK,bVdTXkG(;D#

}KwmPD?P4wG;vfr#fr/O7(S\24E"|vkzwT0|GgN8r#}KwfrI

TXF(EDm`=f,|(4X7M?jX70Zk"-i"KZE"=r"VNXF"47I"(Db0

MSZ`M#

}KwfrD`MgB:

v Z}KwmP4(:2,}Kwfr;,CZw?D#f}KwrK$(Db0DX*#|GITmS"

>}"^DMF/#ITmSI!DhvD>VN4j6X(fr#

v Z 163 3D:T/zI}KwfrMC'8(}Kwfr;(2F*T/zI}Kwfr)G*K9C IKE

(Db0x4(DX(Dfr/O#2,M/,}Kwfr<GyZ}]\m(Db0E"M}]\m(

Db0-L44(D#

v Z 164 3D:$(eD}Kwfr;G(C}Kwfr,|;IT^D"F/r>},}g all traffic f

r"ah frM esp fr#|G8yPw?#

kb)}KwfrPXDGSxZk,|Qk}KwfrT0wz - @p= - wzdC!nPXDj6V

i#TB8Zhv;,`MD}KwfrM|GD`X&\#

2,}Kwfr

?v2,}Kwfr|,8vUqVtDVN#TBPma)K?vVND{F(4Tfr 1 D?vVND>

}T>Z2(EP):

v Rule_number (1)

v Action (permit)

v Source_addr (0.0.0.0)

v Source_mask (0.0.0.0)

v Dest_addr (0.0.0.0)

v Dest_mask (0.0.0.0)

v Source_routing (no)

v Protocol (udp)

v Src_prt_operator (eq)

v Src_prt_value (4001)

v Dst_prt_operator (eq)

v Dst_prt_value (4001)

v Scope (both)

v Direction (both)

v Logging (no)

v Fragment (all packets)

v Tunnel (0)

v Interface (all).


2,}KwfrDx;=bM4Ubv>}:

1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all packets 0 all
2 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no ah any 0 any 0 both both no all packets 0 all
3 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no esp any 0 any 0 both both no all packets 0 all
4 permit 10.0.0.1 255.255.255.255 10.0.0.2 255.255.255.255 no all any 0 any 0 both outbound no all packets 1 all outbound traffic
5 permit 10.0.0.2 255.255.255.255 10.0.0.1 255.255.255.255 no all any 0 any 0 both inbound no all packets 1 all
6 permit 10.0.0.1 255.255.255.255 10.0.0.3 255.255.255.255 no tcp lt 1024 eq 514 local outbound yes all packets 2 all
7 permit 10.0.0.3 255.255.255.255 10.0.0.1 255.255.255.255 no tcp/ack eq 514 lt 1024 local inbound yes all packets 2 all
8 permit 10.0.0.1 255.255.255.255 10.0.0.3 255.255.255.255 no tcp/ack lt 1024 lt 1024 local outbound yes all packets 2 all
9 permit 10.0.0.3 255.255.255.255 10.0.0.1 255.255.255.255 no tcp lt 1024 lt 1024 local inbound yes all packets 2 all
10 permit 10.0.0.1 255.255.255.255 10.0.0.4 255.255.255.255 no icmp any 0 any 0 local outbound yes all packets 3 all
11 permit 10.0.0.4 255.255.255.255 10.0.0.1 255.255.255.255 no icmp any 0 any 0 local inbound yes all packets 3 all
12 permit 10.0.0.1 255.255.255.255 10.0.0.5 255.255.255.255 no tcp gt 1023 eq 21 local outbound yes all packets 4 all
13 permit 10.0.0.5 255.255.255.255 10.0.0.1 255.255.255.255 no tcp/ack eq 21 gt 1023 local inbound yes all packets 4 all
14 permit 10.0.0.5 255.255.255.255 10.0.0.1 255.255.255.255 no tcp eq 20 gt 1023 local inbound yes all packets 4 all
15 permit 10.0.0.1 255.255.255.255 10.0.0.5 255.255.255.255 no tcp/ack gt 1023 eq 20 local outbound yes all packets 4 all
16 permit 10.0.0.1 255.255.255.255 10.0.0.5 255.255.255.255 no tcp gt 1023 gt 1023 local outbound yes all packets 4 all
17 permit 10.0.0.5 255.255.255.255 10.0.0.1 255.255.255.255 no tcp/ack gt 1023 gt 1023 local inbound yes all packets 4 all
18 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no all any 0 any 0 both both yes all packets

0f>}PD?vfrhvgB:

fr 1CZ0a0\?1X$Lr#Cfr;vVZ IP V4 }KwmP#|9CKZE 4001 4XFCZ"

Ba0\?DE"|#fr 1 GgN\+KZECZX(C>D;v>}#

":}G<C>Tb,;*^DC}Kwfr#

fr 2 M fr 3Jm&mO$7?V(AH)Mb02+TP':X(ESP)7?V#

":}G<C>Tb,;*^D}Kwfr 2 M fr 3#

fr 4 Mfr 5T/zIDfrD/O,|}Kw(}(Db0 1 DX7 10.0.0.1 M 10.0.0.2 .dDw?#fr 4 C

Zv>w?,fr 5 CZk>w?#

":fr 4 PC'(eD outbound traffic hv#

fr 6 =fr 9C'(eDfr/O,|}K(}(Db0 2 DX7 10.0.0.1 M 10.0.0.2 .dDv> rsh"rcp"

rdump"rrestore M rdist ~q#Z>>}P,G<hC*G,Sx\m1IT`Sb`w?#

fr 10 Mfr 11C'(eDfr/O,|}K(}(Db0 3 DX7 10.0.0.1 M 10.0.0.4 .dDNb`MDk>Mv

> icmp ~q#

fr 12 =fr 17C'(eD}Kwfr,|G}K(}(Db0 4 DS 10.0.0.1 M 10.0.0.5 .dDv>D~+d-i

(FTP)#

fr 18T/zID\GCZm)Dfr#Z>>}P,|Jmkd|}Kfr;%dDyPDE"|#IT

hC|4\xyPkd|}Kfr;%dDw?#

IT%@i4?vfr(9C lsfilt)"Pv?vVN0d5#}g:

Rule 1:
Rule action : permit
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask : 0.0.0.0
Source Routing : yes
Protocol : udp
Source Port : eq 4001
Destination Port : eq 4001
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : yes


TBDPm|,KZ}KwfrPIT8(DyPN}:

-v IP f>:4 r 6#

-a Yw:

d \x

p Jm

-s 4X7#ITG IP X7rwz{#

-m 4SxZk#

-d ?jX7#ITG IP X7rwz{#

-M ?jSxZk#

-g 47IXF:y r n#

-c -i#5ITG udp"icmp"tcp"tcp/ack"ospf"pip"esp"ah M all#

-o 4KZr ICMP `MYw#

-p 4KZr ICMP `M5#

-O ?jKZr ICMP zkYw#

-P ?jKZr ICMP zk5#

-r 7I:

r *"DE"|

l >X?j/4E"|

b ~_

-l U>XF#

y |,ZU>P

n ;|,ZU>P#

-f VN#

y &C=VN7?V"VN?VMGVN?V

o ;&CZVN?VMVN7?V

n ;&CZGVN?V

h ;&CZGVN?VMVN7?V

-t (Db0j6#

-i SZ,g tr0 r en0#

h*|`E",kND genfilt M chfilt |nhv#

T/zI}KwfrMC'8(}Kwfr

T/*0IP 2+T1}KwM(Db0zkzI3)fr#T/zIDfr|,:

v |B IKE(AIX 4.3.2 0sxf>)P IP f> 4 Da0\?X$LrDfr#

v &m AH M ESP E"|Dfr#

1(e(Db01,2aT/zI}Kwfr#TZK$(Db0,T/zIDfr8(4X7"?jX7"

Zk5M(Db0j6#G)X7dDyPw?<+w}(Db0#

TZ IKE (Db0,T/zIDfr7( IKE -LZdD-iMKZE#IKE }Kwfr#fZ%@DmP,

Z2,}Kwfr.sMT/zIDfr.0QwKm#ek IKE }Kwfr=2,}KwmPD1!;C,

+C';\F/|G#


T/zIDfrJm(}(Db0DyPw?#C'(eDfrITT3)`MDw?ST^F#ZT/zI

Dfr.0ECb)C'(eDfr,r*0IP 2+T19CiR=DJCZE"|DZ;vfr#TBG;

vC'(eDfrD>},|}KyZ ICMP YwDw?#

1 permit 10.0.0.1 255.255.255.255 10.0.0.4 255.255.255.255 no icmp any 8 any 0 local outbound no all packets 3 all
2 permit 10.0.0.4 255.255.255.255 10.0.0.1 255.255.255.255 no icmp any 0 any 0 local inbound no all packets 3 all
3 permit 10.0.0.4 255.255.255.255 10.0.0.1 255.255.255.255 no icmp any 8 any 0 local inbound no all packets 3 all
4 permit 10.0.0.1 255.255.255.255 10.0.0.4 255.255.255.255 no icmp any 0 any 0 local outbound no all packets 3 all

*r/%;(Db0DdC,Z(e(Db01T/zI}Kwfr#C&\IT(}Z gentun P8( -g j

>Sx{9#zITC genfilt |niRy>}KwD~,Sx* /usr/samples/ipsec/filter.sample P;,

D TCP/IP ~qzI}Kwfr#

$(eD}Kwfr

C3)B~T/zI8V$(eD}Kwfr#0k ipsec_v4 r_ ipsec_v6 h81,+$(eDfrek

}Kwm"$nCfr#1!ivB,bv$(efrJmyPE"|,+|GC'IdCD,zIThC|

4\xyPE"|#

":6LdC1,k7#dCjI.0\xfr;tC,T@9zDa0x(Zzw.b#bVivI

T\b,ITZ$n0IP 2+T1.0(}hC1!Ywr_dC(Db0=6Lzw45V#

IPv4 M IPv6 }Kwm<P$(efr#IT@"XDd~_PDNN;v4\x+?E"|#by+h9w

?(},}GCw?GI=S}KwfrXp(eD#Dd$(efrD(;d|!nGxP -l !nD chfilt,|Jm+kCfr%dDE"|G<=U>#

*K'V IKE (Db0,Z IPv4 }KwmP2C/,}Kwfr#bMG/,}Kwfrek=}KwmP

D;C#C;CITIC'(}rOMrBF/}KwmD;C4XF#u</(Db0\mwX$LrM

isakmpd X$Lr(TJm IKE (Db0-L).s,Z/,}KwmPMaT/X4(fr,Sx&m IKE

{"T0 AH M ESP E"|#

SxZk

SxZkCZVik}KwfrX*Dj6/O#Zk5M}KwfrPDj6xP0k1Kc,"kE"|

P8(Dj6`HO#}g,4 IP X7* 10.10.10.4 xSxZk* 255.255.255.255 D}Kwfr8(X

kfZ.xF IP X7D+7%d,gBy>:

~xF .xF

4 IP X7 1010.1010.1010.0100 10.10.10.4

SxZk 1111.1111.1111.1111 255.255.255.255

10.10.10.x Sx8(* 1111.1111.1111.0 r_ 255.255.255.0#xkDX7&C=xSxZk,byIT+

bviOk}KwfrPDj6`HO#}g,Z&CKSxZk.s,X7 10.10.10.100 I* 10.10.10.0,

|k}Kwfr`%d#

SxZk* 255.255.255.240 JmX7PDnsD;*Nb5#


wz - @p= - wzdC

(Db0Dwz - @p= - wzdC!nJmzZwzM@p=.d4((Db0,;sT/zIXhD

}Kwfr,CZwzM@p=sDwz.dD}7(E#T/zID}KwfrJm(}8((Db0D=

(^@p=wz.dDyPfr#1!fr(CZC'}](-i(UDP)"O$7?V(AH)Mb02+

TP':X(ESP))&CQ-&mKwz=@p=(E#XkJ1DdC@p=4jIhC#&C9C4T

4(D(Db0<vDD~4dk@p=h*D SPI 5M\?#

< 12. wz - @p= - wz. Ce<T>Kwz - @p= - wzdC#wz A P;vKPD(Db0,|(}

>X@p="xkrXx#;s|*=6L@p= B,;sY=6Lwz C#


G<h8

>Zhvk0IP 2+T1PXD53U>dCMq=#wzd`%(E1,+MDE"|aG<ZU>X$L

r(syslogd)P#d|XZ IP 2+TX*E"2T>v4#\m12ma*w?VvMwTzV!q`SG

<E"#BfGhCG<h)D=h#

1. `- /etc/syslog.conf D~mSTBn:

local4.debug /var/adm/ipsec.log

9C local4 h8G<w?M0IP 2+T1B~#j<Yw53EH6p&C#Z(}0IP 2+T1(

Db0M}KwT>H(TM}7n/.0,&ChC debug DEH6p#

":}KwB~DG<\;Z0IP 2+T1wz4(s?Dn/,"{Ds?Df"w#

2. #f /etc/syslog.conf#

3. *Az*U>D~8(D?<,"C`,D{F4(;vUD~#ZOfDiv,z|D* /var/adm ?<,

""v|n:

touch ipsec.log

4. "v refresh |n= syslogd S53:

refresh -s syslogd

5. g{9C IKE (Db0,7# /etc/isakmpd.conf D~8(k*D isakmpd G<6p#(kNDZ 170

3D:IP 2+TJb7(;TqCXZ IKE G<D|`E"#)

6. 1*zDwz4(}Kwfr1,g{z#{G<%dX(frDE"|,khC -l N}* Y(G),9

C genfilt r_ chfilt |n#

7. r*E"|G<,t/ ipsec_logd X$Lr,9CTB|n:

mkfilt -g start

IT(}"vTB|n#9E"|DG<:

mkfilt -g stop

TBy>U>D~|,w?nMd|0IP 2+U>1n:

1. Aug 27 08:08:40 host1 : Filter logging daemon ipsec_logd (level 2.20) initialized at 08:08:40 on 08/27/97

2. Aug 27 08:08:46 host1 : mkfilt: Status of packet logging set to Start at 08:08:46 on 08/27/97

3. Aug 27 08:08:47 host1 : mktun: Manual tunnel 2 for IPv4, 9.3.97.244, 9.3.97.130 activated.

4. Aug 27 08:08:47 host1 : mkfilt: #:1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 udp eq 4001 eq 4001 both both l=n f=y t=0 e= a=

5. Aug 27 08:08:47 host1 : mkfilt: #:2 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 ah any 0 any 0 both both l=n f=y t=0 e= a=

6. Aug 27 08:08:47 host1 : mkfilt: #:3 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 esp any 0 any 0 both both l=n f=y t=0 e= a=

7. Aug 27 08:08:47 host1 : mkfilt: #:4 permit 10.0.0.1 255.255.255.255 10.0.0.2 255.255.255.255 icmp any 0 any 0 local outbound l=y f=y t=1 e= a=

8. Aug 27 08:08:47 host1 : mkfilt: #:4 permit 10.0.0.2 255.255.255.255 10.0.0.1 255.255.255.255 icmp any 0 any 0 local inbound l=y f=y t=1 e= a=

9. Aug 27 08:08:47 host1 : mkfilt: #:6 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 all any 0 any 0 both both l=y f=y t=0 e= a=

10. Aug 27 08:08:47 host1 : mkfilt: Filter support (level 1.00) initialized at 08:08:47 on 08/27/97

11. Aug 27 08:08:48 host1 : #:6 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.20 p:udp sp:3327 dp:53 r:l a:n f:n T:0 e:n l:67

12. Aug 27 08:08:48 host1 : #:6 R:p i:10.0.0.1 s:10.0.0.20 d:10.0.0.1 p:udp sp:53 dp:3327 r:l a:n f:n T:0 e:n l:133

13. Aug 27 08:08:48 host1 : #:6 R:p i:10.0.0.1 s:10.0.0.15 d:10.0.0.1 p:tcp sp:4649 dp:23 r:l a:n f:n T:0 e:n l:43

14. Aug 27 08:08:48 host1 : #:6 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.15 p:tcp sp:23 dp:4649 r:l a:n f:n T:0 e:n l:41

15. Aug 27 08:08:48 host1 : #:6 R:p i:10.0.0.1 s:10.0.0.15 d:10.0.0.1 p:tcp sp:4649 dp:23 r:l a:n f:n T:0 e:n l:40

16. Aug 27 08:08:51 host1 : #:4 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.2 p:icmp t:8 c:0 r:l a:n f:n T:1 e:n l:84

17. Aug 27 08:08:51 host1 : #:5 R:p i:10.0.0.1 s:10.0.0.2 d:10.0.0.1 p:icmp t:0 c:0 r:l a:n f:n T:1 e:n l:84

18. Aug 27 08:08:52 host1 : #:4 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.2 p:icmp t:8 c:0 r:l a:n f:n T:1 e:n l:84

19. Aug 27 08:08:52 host1 : #:5 R:p i:10.0.0.1 s:10.0.0.2 d:10.0.0.1 p:icmp t:0 c:0 r:l a:n f:n T:1 e:n l:84

20. Aug 27 08:32:27 host1 : Filter logging daemon terminating at 08:32:27 on 08/27/97

TBNdbMU>n#

1 $nD}KwG<X$Lr#

2 (}9C mkfilt -g start |n+}KwE"|G<hC*r*#

3 (Db0$n,T>(Db0j6"4X7"?DX7M1dAG#

4-9 Q$n}Kw#G<T>+?0kD}Kwfr#

10 {"T>}KwD$n#

11-12 b)nT>TwzD DNS i/#

13-15 b)nT>?VD Telnet ,S(IZUd-r,QS>}P}%d{n)#

16-19 b)nT>=v ping#

20 }KwG<X$LrXU#

TB>}St/wzDGHT>=v-LWN 1 MWN 2 (Db0Dwz#(8( isakmpd G<6p*

isakmp_events#)

1. Dec 6 14:34:42 host1 Tunnel Manager: 0: TM is processing a Connection_request_msg

2. Dec 6 14:34:42 host1 Tunnel Manager: 1: Creating new P1 tunnel object (tid)

3. Dec 6 14:34:42 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( SA PROPOSAL TRANSFORM )

4. Dec 6 14:34:42 host1 isakmpd: ::ffff:192.168.100.103 <<< 192.168.100.104 ( SA PROPOSAL TRANSFORM )

5. Dec 6 14:34:42 host1 isakmpd: Phase I SA Negotiated

6. Dec 6 14:34:42 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( KE NONCE )

7. Dec 6 14:34:42 host1 isakmpd: ::ffff:192.168.100.103 <<< 192.168.100.104 ( KE NONCE )

8. Dec 6 14:34:42 host1 isakmpd: Encrypting the following msg to send: ( ID HASH )

9. Dec 6 14:34:42 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( Encrypted Payloads )

10. Dec 6 14:34:42 host1 isakmpd: ::ffff:192.168.100.103 <<< 192.168.100.104 ( Encrypted Payloads )

11. Dec 6 14:34:42 host1 Tunnel Manager: 1: TM is processing a P1_sa_created_msg (tid)

12. Dec 6 14:34:42 host1 Tunnel Manager: 1: Received good P1 SA, updating P1 tunnel (tid)

13. Dec 6 14:34:42 host1 Tunnel Manager: 0: Checking to see if any P2 tunnels need to start

14. Dec 6 14:34:42 host1 isakmpd: Decrypted the following received msg: ( ID HASH )

15. Dec 6 14:34:42 host1 isakmpd: Phase I Done !!!

16. Dec 6 14:34:42 host1 isakmpd: Phase I negotiation authenticated

17. Dec 6 14:34:44 host1 Tunnel Manager: 0: TM is processing a Connection_request_msg

18. Dec 6 14:34:44 host1 Tunnel Manager: 0: Received a connection object for an active P1 tunnel

19. Dec 6 14:34:44 host1 Tunnel Manager: 1: Created blank P2 tunnel (tid)

20. Dec 6 14:34:44 host1 Tunnel Manager: 0: Checking to see if any P2 tunnels need to start

21. Dec 6 14:34:44 host1 Tunnel Manager: 1: Starting negotiations for P2 (P2 tid)

22. Dec 6 14:34:45 host1 isakmpd: Encrypting the following msg to send: ( HASH SA PROPOSAL TRANSFORM NONCE ID ID )

23. Dec 6 14:34:45 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( Encrypted Payloads )

24. Dec 6 14:34:45 host1 isakmpd: ::ffff:192.168.100.103 <<< 192.168.100.104 ( Encrypted Payloads )

25. Dec 6 14:34:45 host1 isakmpd: Decrypted the following received msg: ( HASH SA PROPOSAL TRANSFORM NONCE ID ID )

26. Dec 6 14:34:45 host1 isakmpd: Encrypting the following msg to send: ( HASH )

27. Dec 6 14:34:45 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( Encrypted Payloads )

28. Dec 6 14:34:45 host1 isakmpd: Phase II SA Negotiated

29. Dec 6 14:34:45 host1 isakmpd: PhaseII negotiation complete.

30. Dec 6 14:34:45 host1 Tunnel Manager: 0: TM is processing a P2_sa_created_msg

31. Dec 6 14:34:45 host1 Tunnel Manager: 1: received p2_sa_created for an existing tunnel as initiator (tid)

32. Dec 6 14:34:45 host1 Tunnel Manager: 1: Filter::AddFilterRules: Created filter rules for tunnel

33. Dec 6 14:34:45 host1 Tunnel Manager: 0: TM is processing a List_tunnels_msg

TBNbMU>n#

1-2 ike cmd=activate phase=1 |nt/;v,S#

3-10 isakmpd X$Lr-LWN 1 (Db0#

11-12 0(Db0\mw1Sl&LrSUP'DWN 1 2+X*#

13 0(Db0\mw1liGq ike cmd=activate _P|`$wDWN 2 5#|;P#

14-16 isakmpd X$LrjIWN 1 -L#

17-21 ike cmd=activate phase=2 |nt/WN 2 (Db0#

22-29 isakmpd X$Lr-LWN 2 (Db0#

30-31 0(Db0\mw1Sl&LrSUP'DWN 2 2+X*#

32 0(Db0\mw14k/,}Kwfr#

33 ike cmd=list |ni4 IKE (Db0#

VNnPDj)r/U>nPDVNTuY DASD Udhs:

# }pE"|G<DfrEk#

R fr`M

p Jm

d \x

i/o 1E"|I}Kw'VzkXq1DF/=r#j6,E"|X*DJdwD IP X7#

v TZk>(i)E"|,bMGE"|=oDJdw#

v TZv>(o)E"|,bMG IP cv(D&C&mE"|+MDJdw#

s 8(E"|"M=(S IP (7i!)D IP X7#

d 8(E"|SU=(S IP (7i!)D IP X7#


p 8(CZZE"|D}]?VP4({"D_6-i#rmG}Vr{F,}g:udp"icmp"tcp"tcp/ack"

ospf"pip"esp"ah r all#

sp/t 8(,E"|"M=(S TCP/IP (7i!D)`X*DD-iKZE#1-iG ICMP r_ OSPF 1,CVN

C t f;,|8( IP `M#

dp/c 8(,E"|SU=(S TCP/IP (7i!D)`X*DD-iKZE#1-iG ICMP r OSPF 1,CVNC

c f;,|8( IP zk#

- 8(^E"IC#

r m>E"|GqP>X*5#

f *"E"|

l >XE"|

o "M

b ~_

l TVZ==8(X(E"|D$H#

f 6pE"|GqGVN#

T m>(Db0j6#

i 8(E"|xkDSZ#
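The packet-record format listed above (the `#:`, `R:`, `i`/`o:`, `s:`, `d:`, `p:`, `sp`/`t:`, `dp`/`c:`, `r:`, `f:`, `T:` and `l:` fields), parsed and summarised as an added example; this is not code from the guide or from AIX. It assumes syslog lines of the shape shown in the sample log earlier in this section; the lines embedded in the block are constructed after that sample, and the `a:` and `e:` fields, which the legend does not describe, are kept as raw values.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Field legend for the packet records that the AIX IP Security filter-logging
# daemon (ipsec_logd) writes through syslog, as listed on this page:
#   '#'  rule number          'R'  action: p permit, d deny
#   'i'/'o' inbound/outbound; the value is the interface address
#   's'  source address       'd'  destination address
#   'p'  protocol             'sp'/'t' source port or ICMP type
#   'dp'/'c' destination port or ICMP code
#   'r'  routing: f forwarded, l local, o outgoing, b both
#   'f'  fragment flag        'T'  tunnel id          'l' packet length
# 'a' and 'e' appear in the samples but are not explained in the legend, so
# they are kept as raw strings under "extra".
ACTION = {"p": "permit", "d": "deny"}
ROUTING = {"f": "forwarded", "l": "local", "o": "outgoing", "b": "both"}
_INT_FIELDS = {"sp": "sport", "dp": "dport", "t": "icmp_type",
               "c": "icmp_code", "T": "tunnel", "l": "length"}

# syslog prefix: "Aug 27 08:08:48 host1 : <record>"
_SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+:\s+(?P<rest>.*)$"
)

# Constructed sample modelled on the log shown earlier in this section: the
# daemon start/stop lines, DNS and ping traffic, plus two denied telnet attempts.
SAMPLE_LOG = """\
Aug 27 08:08:40 host1 : Filter logging daemon ipsec_logd (level 2.20) initialized at 08:08:40 on 08/27/97
Aug 27 08:08:48 host1 : #:6 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.20 p:udp sp:3327 dp:53 r:l a:n f:n T:0 e:n l:67
Aug 27 08:08:48 host1 : #:6 R:p i:10.0.0.1 s:10.0.0.20 d:10.0.0.1 p:udp sp:53 dp:3327 r:l a:n f:n T:0 e:n l:133
Aug 27 08:08:51 host1 : #:4 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.2 p:icmp t:8 c:0 r:l a:n f:n T:1 e:n l:84
Aug 27 08:08:51 host1 : #:5 R:p i:10.0.0.1 s:10.0.0.2 d:10.0.0.1 p:icmp t:0 c:0 r:l a:n f:n T:1 e:n l:84
Aug 27 08:09:02 host1 : #:9 R:d i:10.0.0.1 s:10.0.0.77 d:10.0.0.1 p:tcp sp:40211 dp:23 r:l a:n f:n T:0 e:n l:60
Aug 27 08:09:03 host1 : #:9 R:d i:10.0.0.1 s:10.0.0.77 d:10.0.0.1 p:tcp sp:40212 dp:23 r:l a:n f:n T:0 e:n l:60
Aug 27 08:32:27 host1 : Filter logging daemon terminating at 08:32:27 on 08/27/97
""".splitlines()


def parse_packet_record(line: str) -> Optional[Dict[str, object]]:
    """Return a dict for one '#:' packet record, or None for any other syslog line."""
    m = _SYSLOG.match(line.strip())
    if not m or not m.group("rest").startswith("#:"):
        return None  # daemon start/stop and mkfilt lines carry no packet record
    rec: Dict[str, object] = {"timestamp": m.group("ts"), "host": m.group("host"), "extra": {}}
    for token in m.group("rest").split():
        key, sep, val = token.partition(":")
        if not sep:
            continue
        if key == "#":
            rec["rule"] = int(val)
        elif key == "R":
            rec["action"] = ACTION.get(val, val)
        elif key in ("i", "o") and "direction" not in rec:
            # the first i/o field is the direction; its value is the interface address
            rec["direction"] = "inbound" if key == "i" else "outbound"
            rec["interface_addr"] = val
        elif key == "s":
            rec["src"] = val
        elif key == "d":
            rec["dst"] = val
        elif key == "p":
            rec["proto"] = val
        elif key in _INT_FIELDS:
            rec[_INT_FIELDS[key]] = int(val)
        elif key == "r":
            rec["routing"] = ROUTING.get(val, val)
        elif key == "f":
            rec["fragment"] = val == "y"
        elif key == "i":
            rec["interface"] = val  # a later 'i' is the interface name, e.g. en0
        else:
            rec["extra"][key] = val
    return rec


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count permits and denies, tunnelled packets, rule hits and denied flows."""
    out: Dict[str, object] = {"permit": 0, "deny": 0, "tunnelled": 0,
                              "rules_hit": Counter(), "denied_flows": Counter()}
    for rec in filter(None, map(parse_packet_record, lines)):
        out[rec["action"]] = out.get(rec["action"], 0) + 1
        out["rules_hit"][rec["rule"]] += 1
        if rec.get("tunnel", 0) != 0:
            out["tunnelled"] += 1
        if rec["action"] == "deny":
            flow = (rec["src"], rec["dst"], rec["proto"], rec.get("dport"))
            out["denied_flows"][flow] += 1
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"permit={s['permit']} deny={s['deny']} tunnelled={s['tunnelled']}")
    for flow, n in s["denied_flows"].most_common():
        print(f"denied {n}x: {flow}")
```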


IP 2+TJb7(

>Z|,;)a>M<I,Zv=Jb1|GI\aTzPyoz#(iZZ;NdC IPSec 120U>#Z

7(}Kw0m@"zK24Jb1,U>GG#PCD#(PXU>Dj8E",kNDZ 166 3D:G<

h8;#)

V$m@msJOiR

ms: "v mktun |nzzTBms:

insert_tun_man4():4'\:yksDJ4}&#

Jb:ks$nDm@Q-Gn/D,rP SPI 5e;#

^):"v rmtun |n4!{$n,;s"v mktun |n4$n#liT7("zJODm@D SPI 5G

qkNNd|$nDm@%d#?vm@P|T:(;D SPI 5#

ms: "v mktun |nzzKTBms:

h8 ipsec_v4 &Z0Q(e14,#

;P4P IP V4 Dm@$n#

Jb:;P90IP 2+T1h8IC#

^):"vTB|n:

mkdev -l ipsec -t 4

g{TZ IP V6 m@$nD2C=`,Dms,I\;C+ -t !n|D* 6#h8XkZIC4,#*l

i0IP 2+T1h84,,"vTB|n:

lsdev -Cc ipsec

ms: "v gentun |nzzKTBms:

4 IP X7^'

Jb:;Pdk4X7DP' IP X7#

^):TZ IP V4 m@,liT7OQ*>XzwdkKICD IP V4 X7#ZzIm@1;\9Cwz

{w*4,vIT9Cwz{w*?D#

TZ IP V6 m@,liT7OzdkKICD IP V6 X7#g{dk netstat -in ,1;fZ IP V6 X

7,KP /usr/sbin/autoconf6(SZ)qC;v>XT/zIX7(9C MAC X7)D4S,r9C

ifconfig |n4V$8(;vX7#

ms: "v gentun |nzzKTBms:

4 IP X7^'

Jb:;Pdk4X7DP' IP X7#

^):TZ IP V4 m@,liT7OQ*>XzwdkKICD IP V4 X7#;\ZzIm@19C4w

z{,;\9C?Dwz{#

TZ IP V6 m@,liT7OzdkKICD IP V6 X7#g{dk netstat -in 1;fZ IP V6 X7,

KP /usr/sbin/autoconf6(SZ)qC;v>XT/zIX7(9C MAC X7)D4S,r9C ifconfig |n4V$8(;vX7#


ms: "v mktun |nzzKTBms:

insert_tun_man4():4'\:53wCU=K;v^'DN}#

Jb:m@zIZ^'D ESP M AH iO,rZX*1;P9CBD7q=#

^):liT7(PJbDX(m@}Z9C24O$c(#kG! HMAC_MD5 M HMAC_SHA c(h*

BD7q=#BD7q=IT9C SMIT lY76 ips4_basic rx -z N}D chtun |n4|D#9P

*G! DES_CBC_4 ;\k7q=;p9C#

ms: SyZ Web D53\mw*<0IP 2+T1<BK;v'\{"#

Jb:0IP 2+T1X$Lr;ZKP#

^):(}dk ps -ef |ni4DvX$Lr}ZKP#TBX$Lrk0IP 2+T1PX:

v tmd

v isakmpd

v cpsd

cpsd X$LrvZ20}V$izk(D~/Pw gskit.rte r gskkm.rte)"RQ-dCK0\?\mw1

$_4|,}V$i1G$nD#

g{X$Lr;G$nD,9CyZ Web D53\mw4#90IP 2+T1,;sXBt/|,baT/

Xt/J1DX$Lr#

ms: "T9C0IP 2+T1zzKTBms:

y20D bos.crypto 6pM,XkxP|B#

Jb:bos.net.ipsec.* D~Q-|B*;vBf>,+GT&D bos.crypto.* D~;P|B#

^):+ bos.crypto.* D~|B*kQ|BD bos.net.ipsec.* D~`&Df>#

IKE m@msJOiR

TBwZhvZ9C IKE m@}LPI"zDms#

IKE m@}LwL

IKE m@I ike |nryZ Web D53\mw VPN fekTBX$LrD(E420:

m 8. IKE m@9CDX$Lr#

tmd 0m@\mw1X$Lr

isakmpd IKE X$Lr

cpsd $izmX$Lr

*K9 IKE m@}720,*KP tmd M isakmpd X$Lr#g{0IP 2+T1hCIXB}<1t/,

b)X$LraT/Xt/#qr,|GXk9CyZ Web D53\mwt/#

0m@\mw1r isakmpd |n"vks4t/m@#g{m@Q-fZr_^'(}g,P;v^'D6

LX7),|a(fms#g{-LQt/,I\*(;)1d4jI-L,w*!vZxg+d1d#ike cmd=list |nPvm@D4,T7(-LGqI&#xR,0m@\mw1+B~G<= syslog P,|y]

debug"event M information 6p4G<,bITCw`S-LxH#

4TB3r:

1. 9CyZ Web D53\mwr ike |n4t/m@#


2. tmd X$Lrr isakmpd X$Lr"v;v\?\m(WN 1)D,Sks#

3. isakmpd X$Lrl& SA Q4(r;vms#

4. tmd X$Lrr isakmpd X$Lr"v;v}]\mm@(WN 2),Sks#

5. isakmpd X$Lrl& SA created r;vms#

6. m@N}ekZKm@_Y:f#

7. +}KfrmSxZK/,}Km#

1zwd1l&Lr1,isakmpd X$Lr(*0m@-L\mw1tmd X$Lr,m@Q--LI&,"R

P;vBDm@ek=ZKP#ZbVDivB,C}LS=h 3 *<1==h 7 ax,ZK}LP tmd X

$Lr;"v,Sks#

IKE G<

isakmpd"tmd M cpsd X$LrQB~G<= syslog P#TZ isakmpd X$Lr,9C ike cmd=log |ntCU>G<#IhC /etc/isakmpd.conf dCD~48(G<6p#6pIThCI none"error"isakmp_events r information#

":ZH AIX 5.1 |gDf>P,isakmpd X$Lr+U>G<=;v%@D~P,CD~2Z

/etc/isakmpd.conf D~P8(#

IT*U>G<hCDdCD~N}G log_level#IKE X$Lr9CTB6pDG<:

none ^G<(1!5)

error ;G<-iM API ms

isakmp_events ;G< IKE -iB~Mms

information G<-iM5VE"((iCZwT)#

C!nDo(sBfbyr%:

log_level

isakmpd X$Lrzkr_(}"M(i4t/,r_(}@@(i4l&#g{S\(i,r4(2+TD

X*"20m@#g{;PS\(irZ-LjI0,S,1,isakmpd X$LraT>ms#Z tmd D

syslog PDnmwGq-LI&#+I^'D$i}pD'\G<= syslog P#*7(-L'\D<7-

r,li8(Z /etc/syslog.conf D~PDU>D~#

syslog $_x?vU>PmSK;v0:,4jv}]"1d"zwMLr#TB>}9C googly w*zw

{F,9C isakmpd w*Lr{:

Nov 20 09:53:50 googly isakmpd: ISAKMP_MSG_HEADER
Nov 20 09:53:50 googly isakmpd: Icookie : 0xef06a77488f25315, Rcookie : 0x0000000000000000
Nov 20 09:53:51 googly isakmpd: Next Payload : 1(SA), Maj Ver : 1, Min Ver : 0
Nov 20 09:53:51 googly isakmpd: Xchg Type : 2 (ID protected), Flag= 0, Encr : No, COMMIT : No
Nov 20 09:53:51 googly isakmpd: Msg ID : 0x00000000

*K|Se~,grep |nITC4i!yPK$DU>P(}gyP isakmpd G<),xR cut |nIT

C4S?PP}%0:#Z>Z#`?VD isakmpd U>>}GC`F=(FvD#

bvP':XG<&\

(};; IKE {"("=Kc.dD2+TX*(SA)#0bvP':X1&\TKIADq=bv{"#(

}`- /etc/isakmpd.conf D~,ITtCU>G<#/etc/isakmpd.conf D~PDG<nkTBZ]`F:


information

0bvP':X1G<D IKE P':X`M!vZ IKE {"DZ]#>}|,0SA P':X1"0\?;

;P':X1"0$ijkP':X1"0$iP':X1T00){P':X1#TBG;v0bvP':

X1U>D}S,dP ISAKMP_MSG_HEADER sfzPevP':X:

ISAKMP_MSG_HEADER
Icookie : 0x9e539a6fd4540990, Rcookie : 0x0000000000000000
Next Payload : 1(SA), Maj Ver : 1, Min Ver : 0
Xchg Type : 4 (Aggressive), Flag= 0, Encr : No, COMMIT : No
Msg ID : 0x00000000
len : 0x10e(270)

SA Payload:
Next Payload : 4(Key Exchange), Payload len : 0x34(52)
DOI : 0x1(INTERNET)
bitmask : 1(SIT_IDENTITY_ONLY

Proposal Payload:
Next Payload : 0(NONE), Payload len : 0x28(40)
Proposal # : 0x1(1), Protocol-ID : 1(ISAKMP)
SPI size : 0x0(0), # of Trans : 0x1(1)

Transform Payload:
Next Payload : 0(NONE), Payload len : 0x20(32)
Trans # : 0x1(1), Trans.ID : 1(KEY_IKE)
Attr : 1(Encr.Alg ), len=0x2(2)
Value=0x1(1),(DES-cbc)
Attr : 2(Hash Alg ), len=0x2(2)
Value=0x1(1),(MD5)
Attr : 3(Auth Method ), len=0x2(2)
Value=0x3(3),(RSA Signature)
Attr : 4(Group Desc ), len=0x2(2)
Value=0x1(1),(default 768-bit MODP group)
Attr : 11(Life Type ), len=0x2(2)
Value=0x1(1),(seconds)
Attr : 12(Life Duration), len=0x2(2)
Value=0x7080(28800)

Key Payload:
Next Payload : 10(Nonce), Payload len : 0x64(100)
Key Data :

Nonce Payload:
Next Payload : 5(ID), Payload len : 0xc(12)
Nonce Data:
6d 21 73 1d dc 60 49 93

ID Payload:
Next Payload : 7(Cert.Req), Payload len : 0x49(73)
ID type : 9(DER_DN), Protocol : 0, Port = 0x0(0)

Certificate Request Payload:
Next Payload : 0(NONE), Payload len : 0x5(5)
Certificate Encoding Type: 4(X.509 Certificate - Signature)

Z?;vP':XP,Next Payload VN8rtz10P':XDP':X#g{10DP':XG IKE {

"PDns;v,G4 Next Payload VNP*cD5(^)#

>}PD0?vP':X1P8rVZ}Z4PD-LDE"#}g,SA P':XP0-iM*;P':

X1,CP':X@NT>S\c("O$==""Pc("SA z|`MM"p_(iDTl&LrD SA V

x1d#


xR,0SA P':X1I;vr`v0(iP':X1M;vr`v0*;P':X19I#0(iP':

X1D Next Payload VNP;vr_G 0 r_G 2 D5,g{|G(;D0-iP':X115G 0,g

{|GxP`Z;vD0-iP':X115G 2#`FX,0*;P':X1D Next Payload VN,1|

G(;D0*;P':X115G 0,r_1zP`Z;vD0*;P':X115G 3,gTB}SPyT

>:

ISAKMP_MSG_HEADER
Icookie : 0xa764fab442b463c6, Rcookie : 0x0000000000000000
Next Payload : 1(SA), Maj Ver : 1, Min Ver : 0
Xchg Type : 2 (ID protected), Flag= 0, Encr : No, COMMIT : No
Msg ID : 0x00000000
len : 0x70(112)

SA Payload:
Next Payload : 0(NONE), Payload len : 0x54(84)
DOI : 0x1(INTERNET)
bitmask : 1(SIT_IDENTITY_ONLY

Proposal Payload:
Next Payload : 0(NONE), Payload len : 0x48(72)
Proposal # : 0x1(1), Protocol-ID : 1(ISAKMP)
SPI size : 0x0(0), # of Trans : 0x2(2)

Transform Payload:
Next Payload : 3(Transform), Payload len : 0x20(32)
Trans # : 0x1(1), Trans.ID : 1(KEY_IKE)
Attr : 1(Encr.Alg ), len=0x2(2)
Value=0x5(5),(3DES-cbc)
Attr : 2(Hash Alg ), len=0x2(2)
Value=0x1(1),(MD5)
Attr : 3(Auth Method ), len=0x2(2)
Value=0x1(1),(Pre-shared Key)
Attr : 4(Group Desc ), len=0x2(2)
Value=0x1(1),(default 768-bit MODP group)
Attr : 11(Life Type ), len=0x2(2)
Value=0x1(1),(seconds)
Attr : 12(Life Duration), len=0x2(2)
Value=0x7080(28800)

Transform Payload:
Next Payload : 0(NONE), Payload len : 0x20(32)
Trans # : 0x2(2), Trans.ID : 1(KEY_IKE)
Attr : 1(Encr.Alg ), len=0x2(2)
Value=0x1(1),(DES-cbc)
Attr : 2(Hash Alg ), len=0x2(2)
Value=0x1(1),(MD5)
Attr : 3(Auth Method ), len=0x2(2)
Value=0x1(1),(Pre-shared Key)
Attr : 4(Group Desc ), len=0x2(2)
Value=0x1(1),(default 768-bit MODP group)
Attr : 11(Life Type ), len=0x2(2)
Value=0x1(1),(seconds)
Attr : 12(Life Duration), len=0x2(2)
Value=0x7080(28800)

0bvP':X1U>D0IKE {"71T>K;;`M(0w==1r0w/==1)"{v{"$H"{

"j6HH#

0$ijkP':X1Sl&Lrks$i#l&LrZ;,D(DP"M$i#TB>}T>K0$iP'

:X1M0){P':X1,|Gw* SA -LD;?VM=KTHc#$i}]M){}]T.yxFq=

T>#

ISAKMP_MSG_HEADER
Icookie : 0x9e539a6fd4540990, Rcookie : 0xc7e0a8d937a8f13e
Next Payload : 6(Certificate), Maj Ver : 1, Min Ver : 0
Xchg Type : 4 (Aggressive), Flag= 0, Encr : No, COMMIT : No
Msg ID : 0x00000000
len : 0x2cd(717)


Certificate Payload:

Next Payload : 9(Signature), Payload len : 0x22d(557)Certificate Encoding Type: 4(X.509 Certificate - Signature)Certificate: (len 0x227(551) in bytes82 02 24 30 82 01 8d a0 03 02 01 02 02 05 05 8efb 3e ce 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0405 00 30 5c 31 0b 30 09 06 03 55 04 06 13 02 4649 31 24 30 22 06 03 55 04 0a 13 1b 53 53 48 2043 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 20 5365 63 75 72 69 74 79 31 11 30 0f 06 03 55 04 0b13 08 57 65 62 20 74 65 73 74 31 14 30 12 06 0355 04 03 13 0b 54 65 73 74 20 52 53 41 20 43 4130 1e 17 0d 39 39 30 39 32 31 30 30 30 30 30 305a 17 0d 39 39 31 30 32 31 32 33 35 39 35 39 5a30 3f 31 0b 30 09 06 03 55 04 06 13 02 55 53 3110 30 0e 06 03 55 04 0a 13 07 49 42 4d 2f 41 4958 31 1e 30 1c 06 03 55 04 03 13 15 62 61 72 6e65 79 2e 61 75 73 74 69 6e 2e 69 62 6d 2e 63 6f6d 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 0101 05 00 03 81 8d 00 30 81 89 02 81 81 00 b2 ef48 16 86 04 7e ed ba 4c 14 d7 83 cb 18 40 0a 3f55 e9 ad 8f 0f be c5 b6 6d 19 ec de 9b f5 01 a6b9 dd 64 52 34 ad 3d cd 0d 8e 82 6a 85 a3 a8 1c37 e4 00 59 ce aa 62 24 b5 a2 ea 8d 82 a3 0c 6fb4 07 ad 8a 02 3b 19 92 51 88 fb 2c 44 29 da 7241 ef 35 72 79 d3 e9 67 02 b2 71 fa 1b 78 13 bef3 05 6d 10 4a c7 d5 fc fe f4 c0 b8 b8 fb 23 70a6 4e 16 5f d4 b1 9e 21 18 82 64 6d 17 3b 02 0301 00 01 a3 0f 30 0d 30 0b 06 03 55 1d 0f 04 0403 02 07 80 30 0d 06 09 2a 86 48 86 f7 0d 01 0104 05 00 03 81 81 00 75 a4 ee 9c 3a 18 f2 de 5d67 d4 1c e4 04 b4 e5 b8 5e 9f 56 e4 ea f0 76 4ad0 e4 ee 20 42 3f 20 19 d4 25 57 25 70 0a ea 4181 3b 0b 50 79 b5 fd 1e b6 0f bc 2f 3f 73 7d dd90 d4 08 17 85 d6 da e7 c5 a4 d6 9a 2e 8a e8 517e 59 68 21 55 4c 96 4d 5a 70 7a 50 c1 68 b0 cf5f 1f 85 d0 12 a4 c2 d3 97 bf a5 42 59 37 be fe9e 75 23 84 19 14 28 ae c4 c0 63 22 89 47 b1 b6f4 c7 5d 79 9d ca d0

Signature Payload:
Next Payload : 0(NONE), Payload len : 0x84(132)

Signature: len 0x80(128) in bytes
9d 1b 0d 90 be aa dc 43 95 ba 65 09 b9 00 6d 67
b4 ca a2 85 0f 15 9e 3e 8d 5f e1 f0 43 98 69 d8
5c b6 9c e2 a5 64 f4 ef 0b 31 c3 cb 48 7c d8 30
e3 a2 87 f4 7c 9d 20 49 b2 39 00 fa 8e bf d9 b0
7d b4 8c 4e 19 3a b8 70 90 88 2c cf 89 69 5d 07
f0 5a 81 58 2e 15 40 37 b7 c8 d6 8c 5c e2 50 c3
4d 19 7e e0 e7 c7 c2 93 42 89 46 6b 5f f8 8b 7d
5b cb 07 ea 36 e5 82 9d 70 79 9a fe bd 6c 86 36

}V$iM){==Jb

ms: cpsd(0O$zm~qw1X$Lr);Pt/#kTBZ]`FDnvVZU>D~P:

Sep 21 16:02:00 ripple CPS[19950]: Init():LoadCaCerts()failed, rc=-12

Jb:$i}]b9;Pr*r_9;P4(#

^):7#0\?\mw1$i}]bvVZ /etc/security P#TBD~ITV9}]b:ikekey.crl"ikekey.kdb"ikekey.rdb"ikekey.sth#

g{v*' ikekey.sth D~,r10\?\mw1}]b4(1,;!P~X\k!n#Xk~X\k4t

C9CxP0IP 2+T1D}V$i#(kND4(\?}]bTqC|`E"#)

ms: 0\?\mw1ZSU=$i1xvTBms:

"V^'D Base64 bk}]

Jb:Z$iD~PR=``}]rd|}]*'rp5#

^):.DER/Q`k$i&C|,ZTBV{.P(ZBfT>D)#}K BEGIN M END CERTIFICATE

V{.Tb,.0r.s&C;Pd|DV{#

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

TB!n\;ozoOMbvCJb#

v g{}]*'rY5D,XB4($i

v 9C ASN.1 bvw(ZrXxr,xPICD),(}I&Xbv$i4li$iGqGP'D#

ms: 0\?\mw1ZSU=vK$i1xvTBms:

4R=C$iDks\?

Jb:;fZ}ZSUDvK$iD0vK$ijk1#

^):YN4(0vK$ijk1"ks;vBD$i#

ms: 1zdC IKE m@1,yZ Web D53\mwxvTBms:

Error 171 in the Key Management (Phase 1) Tunnel operation:PUT_IRL_FAILED

Jb:CmsD;v-rGwz6p`M^',C`MGZ IKE T0r(j6mq)PdCD#1SB-P

m!qDwz6p`M;kZ Host Identity VNPdkD`M%d1,a"zbyDJb#}g,g{!

q X500 (P{FDwzj6`M,rXkZ Host Identity VNP!1Xdk;vq=/(P{F#

^):7#ydkD(P{FTZZwzj6B-PmP!(D`MG}7D#

ms: IKE -L'\"ZU>D~PvV;vkTBZ]`FDn:

inet_cert_service::channelOpen():clientInitIPC():error,rc =2(;PbyDD~r?<)

Jb:cpsd ;PKPrQU9#

^):9CyZ Web D53\mwt/0IP 2+T1#CYw2t/J1DX$Lr#

ms: IKE -L'\"ZU>D~PvVkTBZ]`FDn:

CertRepo::GetCertObj: DN Does Not Match: ("/C=US/O=IBM/CN=ripple.austin.ibm.com")

Jb:1(eD IKE m@kZvK$iPD X.500 DN ;%d1dk X.500 (P{F(DN)#

^):|DZyZ Web D53\mwPD IKE m@(e4%dZ$iPD(P{F#

ms: 1(eZyZ Web D53\mwPD IKE m@1,{CZ0O$=(1j)BD}V$i4!r#

Jb:kCm@X*D_T;P9C RSA ){==O$#

^):|D`X_TD*;T9C RSA ){O$=(#}g,1(e IKE m@1,IT!q

IBM_low_CertSig w*\?\m_T#

zY$_

zYG;VCZzYZKB~DwT$_#zYC4q!XZZZK}KwMm@zkP"zDB~rmsD

|`X(E"#

SMIT0IP 2+T1zY$_ITZ0_6 IP 2+TdC1K%PC=#(}CzY$_6qD|,XZms"

}Kw"}KwE""m@"m@E""6q/ME6q"6qE""S\wMS\wE"DE"#(}h

F,mszYR3a)KnOXDE"#E"zYR3ITzIOXE","I\T53T\zz0l#Cz

Y+a)7(G24JbD_w#1k~q<uK1801,2h*zYE"#*CJzY$_,k9C SMIT

lY76 smit ips4_tracing(* IP V4 9C)r smit ips6_tracing(* IP V6 9C)#

ipsecstatIT"v ipsecstat |n4zITBy>(f#Cy>(fT>K0IP 2+T1h8ZIC4,,ZC4,2

0K}vO$c("}vS\c(T0;vE"|n/D10(f#g{xP0IP 2+T1w?JOiR1,

CE"Z7(JbZDo1aPCD#

IP Security h8:ipsec_v4 ICipsec_v6 IC

O$c(:
HMAC_MD5 -- Hashed MAC MD5 Authentication Module
HMAC_SHA -- Hashed MAC SHA Hash Authentication Module
KEYED_MD5 -- Keyed MD5 Hash Authentication Module

S\c(:
CDMF -- CDMF Encryption Module
DES_CBC_4 -- DES CBC 4 Encryption Module
DES_CBC_8 -- DES CBC 8 Encryption Module
3DES_CBC -- Triple DES CBC Encryption Module

IP 2+T3FE" -SUDE"|\F:1106SUD AH E"|:326SUD ESP E"|:326JmD Srcrte E"|:0"MDE"|\F:844

"MD AH E"|:527"MD ESP E"|:527>}DSUE"|\F:12}Kw\xDdk:12AH 4Fc:0ESP 4Fc:0AH XE%}:0ESP XE%}:0

>}D"ME"|\F:0}Kw\xdk:0

mSDm@_Y:fn:7=ZDm@_Y:fn:0>}Dm@_Y:fn:6

":S AIX 4.3.3 *<,Q}% CDMF 'V,r* DES VZZ+r<IC#XBdCNN9C CDMF

Dm@49C DES r}X DES#

IP 2+TN<

|nPm

ike cmd=activate t/rXx\?;;(IKE)-L(AIX 4.3.2 Msxf>)#

ike cmd=remove !{$n IKE m@(AIX 4.3.2 Msxf>)

ike cmd=list Pv IKE m@(AIX 4.3.2 Msxf>)

ikedb a)SZx IKE m@}]b(AIX 5.1 Msxf>)

gentun 4(m@(e

mktun $nm@(e

chtun |Dm@(e

rmtun }%m@(e

lstun Pvm@(e

exptun <vm@(e

imptun <km@(e

genfilt 4(}Kw(e

mkfilt $n}Kw(e

mvfilt F/}Kfr

chfilt |D}Kw(e

rmfilt }%}Kw(e

lsfilt Pv}Kw(e

expfilt <v}Kw(e

impfilt <k}Kw(e

ipsec_convert Pv0IP 2+T14,

ipsecstat Pv0IP 2+T14,

ipsectrcbuf Pv0IP 2+T1zY:exDZ]

unloadipsec 60S\w#i

=(Pm

defipsec (e IP V4 r IP V6 D0IP 2+T15}

cfgipsec dCM0k ipsec_v4 r ipsec_v6

ucfgipsec T ipsec_v4 r_ ipsec_v6 !{dC

Z 12 B xgE"~q(NIS)M NIS+ 2+

>Ba)K NIS+ gN#$d{FUdDEv,|,TB?V:

v :Yw532+zF;

v Z 183 3D:NIS+ 2+zF;

v Z 186 3D:NIS+ O$M>$;

v Z 188 3D:NIS+ Z(kCJ;

v Z 191 3D:NIS+ 2+TM\m(^;

v Z 192 3D:NIS+ 2+TN<;

Yw532+zF

Yw532+TG(}C'ZxkYw5373.0Xk(}DE,T07(C'xk5373s\;v24

DmI(Xs4a)D#Z3)OBDP,2+ RPC \k;F*xg\k#

{v53IDvEM=vmI(XsiI:

&EE *(}wFbwwMg0_Sb?CJx(Yw5373,zXka)P'DG<j6M&E\k#

G<E *xkx(Yw5373,zXka)P'DG<j6MC'\k#

root C'E

*!C,6(^,zXka)P'D root C'\k#

2+ RPC E

ZT2+6p 2 (1!5)KPD NIS+ 73P,1z"T9C NIS+ ~qT0!CT NIS+ Ts

(~qw"?<"m"mnH)DCJ1,NIS+ 9C2+ RPC xL7OzDm]#

*xk2+ RPC E,zXkv>2+ RPC \k#zD2+ RPC \kMzDG<\k(#G`,D#

ZbVivB,z+T/(}E,x;h*XBdkzD\k#(Z3)OBDP,2+ RPC \kF

*xg\k#*KbXZ&m=v;,;\kDE",kND AIX 5L Version 5.2 Network Information

Services (NIS and NIS+) Guide PD Secure RPC Password versus Login Password ?V#)

;W>$;C4(}2+ RPC ET/+]zDks#zI"v>"i$zD>$D}LF*O$,r

*|7OzDm]"7OzPP'D2+ RPC \k#?Nz*s NIS+ ~q1,CO$}LT/4

P#

Z NIS f]==BKPD NIS+ 73P,2+ RPC Ea)D#$ssuu,r*KK<PTyP

NIS+ TsDA!(,T0TJCZwnD^D(,;\{GGq5PP'D>$(2MG5,;\O

$xLGqQ7OK{GDm]"i$K{GD2+ RPC \k)#IZbVivJmNNK5PT

NIS+ +?TsDA!(T0TJCZwnD^D(,Zf]T==BKPD NIS+ xgHZ}#==

BKPD,yxg|;2+#(Z2+ RPC uoP,NN;PP'>$DC';O*GtZ nobody`DI1#*KbXZDv`Dhv,kNDZ 188 3D:Z(`;#)

PXgN\m NIS+ O$M>$Dj8E",kND AIX 5L Version 5.2 Network Information Services

(NIS and NIS+) Guide PD Administering NIS+ Credentials ?V#

D~M?<Xs

;)z!CTYw5373DCJ(,zA!"4P"^D"4(T0zYD~M?<D\&MIJ

CDmI(4\m#

© Copyright IBM Corp. 2002, 2003 181

NIS+ TsXs

;)z!CTZ NIS+ D!1O$,zA!"^D"4(T0F5 NIS+ TsD\&MIJCDmI

(\=#bv}LF* NIS+ Z(#

PX NIS+ mI(MZ(Dj8E",kND AIX 5L Version 5.2 Network Information Services (NIS

and NIS+) Guide PD Administering NIS+ Access Rights ?V#

NIS+ 2+zF

NIS+ 2+TG NIS+ {FUd{eD;?V#;I\@"Z{FUd.b4hC2+T#rK,hC2+TD

8>E"khC{FUdDd|i~y9CD=h;/Z;p#;)hCK NIS+ 2+T73,zITmSM

}%C'"|DmI("XBVdiI1T04P\m;v"9PDxgyhDyPd|U#\mNq#

NIS+ D2+T&\#${FUdPDE"T0{FUda9>mb\4Z(DCJ#;Pb)2+T&\,N

N NIS+ M'zITqC"|DuAp5{FUdPf"DE"#

NIS+ 2+Tp==vC>:

O$ O$GC46p NIS+ weD#?N;vwe(C'rzw)"TCJ NIS+ Ts,<*xPC'D

m]M2+ RPC \k7OMi$# (w*O$}LD;?V,z;;(G*dk\k#;x,g{

IZ3V-r,zD2+ RPC \k;,ZzDG<\k,rzXkZZ;N"TCJ NIS+ Tsr~

q1,4P keylogin#*4P keylogin,zXka)P'D2+ RPC \k#kND AIX 5L Version

5.2 Network Information Services (NIS and NIS+) Guide PD Secure RPC Password versus Login Password

?V#)

Z( Z(GC48(CJ(D#?N NIS+ we"TCJ NIS+ Ts1,|G+;ikDvZ(`

(owner"group"world"nobody).;#NIS+ 2+53Jm NIS+ \m18(?v`T NIS+ Ts

D;,DA!"^D"4(rF5(^#}g,;vx(`IJm^D passwd mPDX(P,+;\

A!CP,rm;`IJmA!;vX(mPD3)n,+;\A!d|n#

}g,;vx(D NIS+ m2mJm;v`A!M^DmPDE",+m;v`;JmA!E",xZ

}v`uA,A!2;;Jm#bZEnOkYw53DD~M?<mI(53G`FD#(PX`

D|`E",kNDZ 188 3D:Z(`;#)

O$MZ(@95Pzw A root X(D3K9C su |n40dm;vC'Dm],(GvC'r_y>4

G<,rZzw B OG<,);s9CGvC'D NIS+ CJX(4CJ NIS+ Ts#

+k"b,NIS+ ;\@9*@m;vC'G<\kD3K0dGvC'Dm]T0{D NIS+ CJ(^#NIS+

2;\@95P root X(DC'0dS`,zwOG<Dm;vC'Dm]#

B<j8bMKbv}L#

NIS+ we

NIS+ weGG)a; NIS+ ~qksD5e(M'z)#NIS+ weITGw*#fC'G<=M'zOD3

K"w* root C'G<D3KrNNZ NIS+ M'zOKPD5P root C'mI(DxL#by,NIS+ w

eITGM'zC'rGM'z$w>#

NIS+ we2ITGS NIS+ ~qwOa) NIS+ ~qD5e#IZyP NIS+ ~qw2G NIS+ M'z,>

V[Dm`?V2JCZ~qw#

NIS+ 2+6p

NIS+ ~qwZ=v2+6pPD;vOYw#b)6pv(K*KO$weDksxXka;D>$`M#

NIS+ GhFIZn2+D6pOKP,42+6p 2#6p 0 ;G*KbT"hCT0wTC>xa)D#

TBmq\aKb)2+6p#

":;[2+6pr>$4,gN,k9CyZ Web D53\mw"SMIT r passwd |n4|Dz

T:D\k#

NIS+ 2+6p

OXT6p hv

0 hF2+6p 0 G*KbTMhCu<D NIS+ {FUdhFD#Z2+6p 0 OKPD NIS+ ~

qwZhNN NIS+ weTrPyP NIS+ TsDj+CJ(#6p 0 ;CZhC?D,;&CI\

m1*K?D9C#6p 0 ;&CI#fC'ZxgOxP}#Yw19C#

1 2+6p 1 9C AUTH_SYS 2+T#NIS+ ;'VC6p,;&C9CC6p#

< 13. NIS+ 2+T}LD\a. bve<T>KT NIS+ 2+T}LDBv#

1. M'z/weks NIS+ ~qwZ(T NIS+ TsDCJ#

2. ~qwliM'zD>$,TO$M'zDm]#

3. 5PP'>$DM'z;ik world `P#

4. ;PP'>$DM'z;ik nobody `P#

5. ~qwliTsD(e,T7(M'zD`#

6. g{Z(xM'zD`DCJ(kyksDYw`M`%d,r4PCYw#

NIS+ 2+6p

OXT6p hv

2 2+6p 2 G1!5#w* NIS+ ?0a)Dn_2+6p,|;O$9C}]S\j<(DES)>

$Dks#;P>$Dks;8(* nobody `,"5PZ(xGv`DNNCJ(#9C^'D DES

>$Dks;XT#ZX4Dq!P' DES >$D"TS,'\s,9C^'>$Dks'\"5X

O$ms#(>$I\ar*;,D-rx^',Hg"MksDwe4(} keylogin G<ZG(z

wO"1S;,="\?;%dH-r#)

NIS+ O$M>$

NIS+ >$O$?vks NIS+ ~qrksT NIS+ TsxPCJDweDm]#NIS+ >$/Z(xLGT2

+ RPC 53D5V#

>$/O$53@93K0dm;KDm]#2MG5,|@95P;(zw,6(^D3K9C su |n40

dm;vC'Dm](GvC'r_y>4G<,r_GZm;(zwOG<),;s9CGvC'D NIS+ C

JX(4CJ NIS+ Ts#

":NIS+ ;\@9*@m;vC'G<\kD3K0dGvC'Dm]T0{D NIS+ CJ(^#NIS+

2;\@95P,6(^DC'0d?0G<Z`,zwODm;vC'Dm]#

~qwO$Kwes,|+liwek*CJD NIS+ TsTi$Z(we4PD)Yw#(PXZ(Dx;=

E",kNDZ 188 3D:NIS+ Z(kCJ;#)

C'Mzw>$

TZweDy>`M,C'MzwfZTB;,`MD>$:

C'>$

13Kw*#fC'G<= NIS+ M'zO,T NIS+ ~qDks|,KKDC'>$#

zw>$

1C'w* root C'G<= NIS+ M'zO,~qDks9CM'z$w>D>$#

DES >$k>X>$

NIS+ weIT5P DES r>X>$#

DES >$

}]S\j<(DES)>$a)2+O$#1>8Oa= NIS+ li>$TO$ NIS+ we,NIS+ yi$D

G DES >$#

":9C DES >$;GqCO$D;V=(#;*+ DES >$k NIS+ >$H,p4#

?N;vweks NIS+ ~qrT NIS+ TsDCJ,m~9C*Cwef"D>$E"4*CwezI>$#

DES >$GI NIS+ \m1*?vwe4(DE"zID,AIX 5L Version 5.2 Network Information Services

(NIS and NIS+) Guide PD Administering NIS+ Credentials ?VTKwKbM#

v 1 NIS+ 7OKweD DES >$DP'T,CweMG;O$K#

v Z;vweik owner"group r world Z(`.0,CweXk;O$#;d05,*Kikb)`.;,

zXkPP'D DES >$#(;PP' DES >$Dwe;T/ik nobody `#)

v DES >$E"\Gf"ZweDwrPD cred mP,;[CweGM'zC'rGM'z$w>#

>X>$

>X>$GC'DC'j6EM{GD NIS+ we{F(|,{Gwr{).dD3d#1C'G<1,53

iR{GD>X>$,C>$6pf"{G DES >$Dwr#539CbvE"4q!C'D DES >$E

"#

C'G<=6Lr1,G)ks9C{GD>X>$,b)>X>$8Xdwr#NIS+ ;si/C'Dwr,T

C=C'D DES >$E"#bMJmC'Z6LrP;O$,49CC'D DES >$E"4f"ZGvr

P#B<5wKbvEn#

>X>$E"If"ZNNr#*G<=6Lr"(}O$,M'zC'XkZ6LrD cred mP5P>X>

$#g{C'Z{"TCJD6LrP;P;v>X>$,NIS+ ^((;CC'Dwr4qC{D DES >$#

ZbVivB,C'+;;O$,"+;ik nobody `#

C'`MM>$`M

C'IT,15P=V`MD>$,+zw;\5P DES >$#

root C';\w* root C'5PTd|zwD NIS+ CJ(,r*?(zwD root C' UID \Gc#g{

zw A D root C'(UID=0)"TT root C'Dm]CJzw B,bkzw B PVPD root(UID=0)

`e;#by,>X>$TZM'z$w>G;J1D;|;JmM'zC'5P#

< 14. >$Mr. bve<T>;vrDcNa9#C'DwrP>XM DES >$#Sr;P>X>$#wrMSrj

PM'zC'>$#

NIS+ Z(kCJ

NIS+ Z(Dy>?DG8(?v NIS+ weT?v NIS+ Tsk~q_PDCJ(#

av NIS+ ksDweC=O$s,NIS+ +CweEkZ(`P#Z`Dy!OVdCJ((mI(),b)

CJ(8(weITTx(D NIS+ TsxPDnYw#;d05,;vZ(`I\P3VCJ(,x;v;

,D`rP;,D(^#

Z(` VPTBZ(`:owner"group"world M nobody#(j8E"kND:Z(`; )#

CJ( VPTB`MDCJ((mI():4("F5"^DMA!# (j8E"kNDZ 190 3D:NIS+

CJ(^;)#

Z(`

NIS+ Ts"G1Sr NIS+ weZhCJ(#`4,|GrTBweD`ZhCJ(:

Owner!CGTsyP_Dweq!r owner `ZhD(^#

Group ?v NIS+ Ts<P;vkdX*Di#I NIS+ \m18(TsiDI1#tZTs group `Dw

eq!Zh group `D(^#(ZKOBDP,i8 NIS+ i,xGYw53rxgi#)PX NIS+

iDhv,kNDZ 189 3D:group `;#

World world `|,~qwIO$D+? NIS+ we#(2MG5,H;Z owner `V;Z group `D?v

QO$Dwe#)

NobodyyPwetZ nobody `,|(G)4O$Dwe#

B<5wK`DX5:

TZNN NIS+ ks,537(kswetZD;`,;sKweICtZK`DNNCJ(#

< 15. Z(`. K<T>;5Pm>Z(`.dX5DV2#n!DV2G owner,bf|'EOsDj* group DV

2,Ybf|'Ej* world DV2,nbf|'Ej* nobody DV2#

TsIrb)`PD?;`ZhCJ(^DNbiO#+G,(#VdxO_`D(^kVdxyPOM`D

`,,I\=SD(^2GgK#

}g,TsI\r nobody M world `ZhA!CJ(,r group `ZhA!M^DCJ(,"r owner `

ZhA!"^D"4(0F5CJ(#

TBTZ(`xPKj8Dhv:

owner `

yP_G%; NIS+ we#

r NIS+ TsavCJksDwe,XkZZhyP_CJ(^0C=O$(v>P' DES >$)#

1!ivB,TsDyP_G4(KTsDwe#+G,TsDyP_I(}=V;,D=(CvyP(xm

;vwe:

v 4(Ts1,we8(m;vDyP_(kND AIX 5L Version 5.2 Network Information Services (NIS and

NIS+) Guide P Specifying Accesss Rights in Commands ;Z)#

v 4(Tss,we|DTsDyP((kND AIX 5L Version 5.2 Network Information Services (NIS and NIS+)

Guide P Changing Ownership of Objects and Entries ;Z)#

weCvyP(s,CweMCvK;P owner TCTsDCJ(,v#tCTsVdx group"world r

nobody D(^#

group `

TsDiG%; NIS+ i#(ZKOBDP,i8 NIS+ i,xGYw53rxgi#)

r NIS+ TsavCJksDweXkZ;ZhiCJ(^0C=O$(v> DES P'>$),"XktZ

Ci#

NIS+ iG NIS+ weD/O,TcZCJ{FUd#r NIS+ iZhDCJ(JCZGCiI1DyPwe#

(+G,TsDyP_;XtZKTsi#)

4(Ts1,4(_I!q1!i#IZ4(Ts1r.sDNN1r8(G1!i#

PX NIS+ iDE"f"Z NIS+ iTs(Z?v NIS+ rD groups_dir S?<B)P#("bPX NIS+

iDE"4f"Z NIS+ imP#Km"fPXYw53iDE"#)PX\m NIS+ iD8>E"Z AIX 5L

Version 5.2 Network Information Services (NIS and NIS+) Guide D Administratering NIS+ Groups ;ZPa

)#

world `

world `|, NIS+ O$DyP NIS+ we,4 owner 0 group `D+?I1T0v> DES P'>$Dy

Pd|we#

Zh world `DCJ(JCZyPQO$Dwe#

noboday `

noboday `|,+?we,uAG);P DES P'>$Dwe#

Z(`0 NIS+ TscNa9

NIS+ 2+T+Z(`%@&CZTscNa9#?<TsG1!cNa9D%c,;sGirmTs,;sG

P,;sGn#TB(ea)PX?v6pD|`E":

?<6p

?v NIS+ r|,=v NIS+ ?<Ts:groups_dir M org_dir#?v groups_dir ?<Ts|,

wVi#?v org_dir ?<Ts|,wVm#

irmD6p

i|,wvnMI\Dd|i#m|,P0wvn#

P6 ?vmP;vr`vP#

n(P)6

?irm<P;vr`vn#

DVZ(`&CZ?;6#by,?<TsP;vyP_M;vi#?<TsPD?vmPdT:DyP_M

i,|GI;,Z?<TsDyP_Mi#ZmZ?,PrnIPdT:DyP_ri,|GI;,Zm{e

r?<Ts{eDyP_Mi#

NIS+ CJ(^

NIS+ TsTYw53D~*Yw53C'8(mI(D`,==* NIS+ we8(CJ(^#CJ(8(Jm

NIS+ weZ NIS+ TsO4PDYw`M#(zITC niscat -o |nTb)xPli#)

Z;,`MDTsP,NIS+ DYw;,,+GyPDYw<tZTBCJ(`p.;:A!"^D"4(MF

5#

A! _PA!Ts(^DweIi4KTsDZ]#

^D _P^DTs(^DweI|DKTsDZ]#

F5 _PF5Ts(^DweIF5r>}KTs#

4( _PTO_6pTsD4((^DweITZC6pP4(BTs#g{zT NIS+ ?<TsP4((

^,zIZK?<Z4(Bm#g{zT NIS+ mP4((^,zIZKmZ4(BP0Bn#

S NIS+ M'= NIS+ ~qwD?N(E<GksZX(D NIS+ TsO4PdP;VYw#}g,1 NIS+

weksm;v$w>D IP X71,|5JOGZksTf"K`E"D hosts mTsDA!(#1we*

s~qwr NIS+ {FUdmS?<1,|5JOGZksTC?<D8TsD^DCJ#

b)(^Ou_-DrB9*,S?<=m"=mP0n6#}g,*K4(Bm,zXkP4( NIS+ ?<

Ts(CZf"m)D(^#1z4(Km1,zMI*d1!DyP_#w*yP_,zITxT:Vd4

(mD(^,K(^JmzZmP4(BDn#g{zZmP4(Bn,zMI*b)nD1!yP_#w*

myP_,z2ITd|`Zhm64((#}g,zIT+m64((3hmD group `#ZbVivB,

mDiPN;I1<IZKmP4(Bn#4(BmnDwviI1I*KnD1!yP_#

NIS+ 2+TM\m(^

NIS+ ;4PNN;mP;v NIS+ \m1D*s#NNTTs5P\m(^(2MG,4("F5(^T0T

3)TsD^D(^)DK<;O*GCTsD NIS+ \m1#

NN4(;v NIS+ TsDKhCTGvTsDu<CJ(#g{4(_TTsDyP_(u<4(_)^F

\m(^,r;PyP_5PTsD\m(^#m;=f,g{4(_+\m(Z(xTsDi,riPD?

vK5PTCTsD\m(#

m[O,zIT+\m(Z(x world `"uA nobody `#m~Jmzbyv#++\m(^Z(x group

`TbDK,5JO9C NIS+ 2+T''#rK,g{+\m(^Zhx world r nobody `,z5JOG

ZO} NIS+ 2+TD?D#

NIS+ 2+TN<

k9CTB|n4\m\k">$M\?(PX|`E",kND`&D|nhv):

chkey |DweD2+ RPC \?T#}Gz*CB\k4XBS\z10D(C\?,k9C passwd |

n#chkey |n;0l passwd mPr /etc/passwd D~PDwen#

keyloginC keyserv b\"f"weD#\\?#

keylogoutS keyserv P>}f"D#\\?#

keyserv9~qw\;f"(CS\\?#

newkeyZ+C\?}]bP4(BD\?T#

nisaddcred* NIS+ we4(>$#

nisupdkeys|B?<TsPD+C\?#

passwd|D"\mweD\k#

Z 13 B xgD~53(NFS)2+T

}Kj< UNIX O$53b,xgD~53(NFS)a)KTpu{"*y!O$xgPC'MzwD=(#

bVnbDO$539C}]S\j<(DES)S\M+*\?S\(#

>BV[TBwb:

v :NFS O$;

v Z 195 3D:* DES O$|{xg5e;

v Z 196 3D:/etc/publickey D~;

v Z 196 3D:+C\?53D}<"bBn;

v Z 196 3D:2+ NFS DT\"bBn;

v Z 196 3D:\m2+ NFS DKTm;

v Z 197 3D:dC2+ NFS;

v Z 198 3D:9C2+ NFS <vD~53;

v Z 198 3D:9C2+ NFS 20D~53;.

NFS O$

NFS *;,?D9C DES c(#NFS 9C DES 4S\6L}LwC(RPC){"D1dAG,b){"Z

NFS ~qwMM'z.d"M#KS\D1dAGO$zw,Mq0jG1O$"M=;y#

IZ NFS \O$Z NFS M'zM~qwd;;D?u RPC {",b*?vD~53a)KnbD"I!D

2+6p#1!ivB,D~53<v1xPj< UNIX O$#*{CCnbD2+6p,zITZ<vD~

5318( secure !n#

CZ2+ NFS D+*\?S\(

C'D+C\?MX\\?<Tdxg{FZ publickey.byname 3dPf"Mw}#X\\?9CC'G<

\kxPK DES S\#keylogin |n9CS\DX\\?,CG<\kb\|,Y+|;x;v2+D>X

\?~qw#f,T8+4 RPC Bq9C#C';a"b={GD+CMX\\?,r* yppasswd |n}

K|DG<\k,9T/zI+CMX\\?#

keyserv X$LrGZ?v NIS M NIS+ zwOKPD RPC ~q#*KbXZ NIS+ gN9C keyserv D

E",kND AIX 5L Version 5.2 Network Information Services (NIS and NIS+) Guide#Z NIS P,keyserv4PTB+C\?S}L:

v key_setsecret S}L

v key_encryptsession S}L

v key_decryptsession S}L

key_setsecret S}Lf_\?~qwf"C'DX\\?(SKA)T8+49C;|(#I keylogin |nw

C#M'zLrwC key_encryptsession S}LzIS\DT0\?,C\?ZZ;v RPC BqP;+]

x;v~qw#\?~qwiR~qw+C\?,"+|kM'zDX\\?(I;vH0D key_setsecretS}LhC)aO,TzI+2\?#~qw(}wC key_decryptsession S}L,*s\?~qwb\T

0\?#

wCLrD{FZb)S}LwCPG~=D,XkC3V==O$#\?~qw;\9C DES O$4xPO

vO$,r*b+zz;v@x#\?~qwbvCJbD=(G(}4C'j6(UID)f"X\\?,"

;Z(x>X root xLDks#;sM'zxL4P root C'5PD setuid S}L,CS}LTM'z{

eavks,f*\?~qwM'zDf} UID#

NFS O$*s

2+ NFS O$GyZ"M=S\101dD\&,SU=ITYb\K101d,"kT:D1SliTU#

C}LPTB*s:

v +=D101dXk;B#

v "M=MSU=Xk9C`,D DES S\\?#

-w101d

g{xg9C1d,=,r timed X$Lr#VM'zM~qwD1S,=#qr,M'zy]~qw1SF

c!1D1dAG#*v=bc,M'zZ*< RPC a0.07(~qw1d,YFcd>m1Sk~qw1

S.dD1n#;sM'z`&w{d1dAG#g{Z RPC a0}LP,M'zk~qwD1SdC;,

=,TA~qw*<\xM'zks,rM'z+XB7(~qw1d#

9C`, DES \?

M'zk~qw9C+*\?S\(Fc`,D DES S\\?#TZNNM'z A M~qw B,;vF*

+2\?D\?;\I A M B F<v#C\?G#M'z(}FcTB+=Cv+2\?:

$K_{AB} = PK_B^{SK_A}$

dP K G+2\?,PK G+C\?,x SK GX\\?,b)\?D?;v<G;v 128 ;D}V#~q

w(}FcTB+=Cv`,D+2\?:

$K_{AB} = PK_A^{SK_B}$

;P~qwkM'zITFcvK+2\?,r**v=bc,h**@;vrm;vDX\\?#IZ+2

\?P 128 ;,x DES 9C 56 ;\?,M'zk~qwS+2\?Pi! 56 ;TNI DES \?#

NFS O$}L

1 M ' z k * k ~ q w 8 0 1 , | f z z I ; v \ ? , C Z S \ 1 d A G # K \ ? F * T 0 \ ?

(conversation key, CK)#M'z9C DES +2\?S\T0\?(ZO$*sPhvv)"ZZ;v RPC

BqP+|"MA~qw#B<5wKK}L:

K<T>M'z A ,=~qw B#uo K(CK)m> CK I DES +2\? K S\#Z|Z;NDksP,

M'z RPC >$|,M'z{F(A)"T0\?(CK)T0I CK S\DF* win(0Z)Dd?#(1!

0Zs!G 30 VS#)Z;NksPDM'zi${|,S\D1dAGM8(0ZDS\i${,win + 1#

C0Zi${9Bb}7D>$Hd'Q,vSK2+T#

O$M'z.s,~qw+TBwnf"Z;v>$mP:

v M'z{F,A

v T0\?,CK

v 0Z

v 1dAG

~qw;S\41rOsZON{=D1dAGD;v1dAG,rKNNXEBq;(a;\x#~qwZ

i${PrM'z5X;v>$mDw}j6,9PM'z1dAGu 1(C CK S\)#M'z*@;P~q

wE\"Mby;vi${,r*;P~qw*@M'z"MD1dAGG24#S1dAGPu% 1 D-r

G7#|^'R;\w*M'zi${YN9C#ZWN RPC Bqs,M'zv"Mdj6MS\D1dAG

=~qw,x~qw5XI CK S\Du% 1 sDM'z1dAG#

* DES O$|{xg5e

DES O$9Cxg{FxP|{#PX NIS+ gN&m DES O$DE",kND AIX 5L Version 5.2 Network

Information Services (NIS and NIS+) Guide#

xg{FG*O$D;.Ir!V{#+2MX\\?4?vxg{Fx;G4?vC'{F*y!xPf

"#netid.byname NIS 3d+xg{F3d=;v>X UID MiCJPm#

C'{Z?vrPG(;D#xg{G(}C NIS ,SYw53MC'j6T0rXxr{4VdD#;v|

{rDOC<(G+rXxr{(com"edu"gov"mil)=S=>Xr{O#

< 16. O$}L. K<5wKO$}L#

TC'Mzw<Vdxg{#zwxg{DNI\qC'xg{DNI#}g,eng.xyz.com rP{* hal D

zw_Pxg{ [email protected]#}7DzwO$TZh*(}xgTw?<Pj+CJ(D^Lzw

GG#X*D#

*SNN6LrO$C',kZ=v NIS }]bP*dh"u?#;vu?G*d+CMX\\?h"D;m

;vG*d>X UID MiCJPm3dh"D#by6LrDC'MITCJyP>Xxg~q,}g NFS

M6LG<#

/etc/publickey D~

/etc/publickey D~|,{FM+C\?,NIS M NIS+ 9C|G44( publickey 3d#publickey 3d

GC4#$*x#D~PD?vu?<IxgC'{(8C'{rwz{)9I,szC'D+C\?(9C

. y x F { E m > ( ) " 0 E M C ' S \ X \ \ ? ( 2 9 C . y x F { E m > ( )# 1 ! i v

B,/etc/publickey D~PD(;C'GC' nobody#

k;*9CD>`-w|D /etc/publickey D~,r*CD~|,S\\?#*|D /etc/publickey D~,

k9C chkey r newkey |n#

+C\?53D}<"bBn

1tgJO.sXBt/zw1,yPf"DX\\?<*',2;PxLITCJ2+xg~q,}g20

NFS#g{PKITdkb\ root C'X\\?D\k,root xLrILx#bv=8G+ root C'DQb

\DX\\?f"Z\?~qwITA!DD~P#

;GyPD setuid S}LwC<\}74P#}g,g{;v setuid S}LIyP_ A wC,xyP_ A

TSt/s94G<=zwO,rS}L;\w* A CJNN2+xg~q#;x,s`} setuid S}Lw

CI root C'5P,x root C'DX\\?\GZt/1f"#

2+ NFS DT\"bBn

2+ NFS TBP==0l53T\:

v M'zM~qw<XkFc+2\?#Fc+2\?D1ds<G;kS#rK,("u< RPC ,Ss<

h*=kS,r*M'zM~qw<Xk4PKYw#u< RPC ,S.s,\?~qwf"H0FcDa

{,by|M;h*?N<XBFc+2\?#

v ?v RPC Bq<*sTB DES S\Yw:

1. M'zS\ks1dAG#

2. ~qw+|b\#

3. ~qwS\&p1dAG#

4. M'z+|b\#

IZ53T\I\r*2+ NFS x5M,yTkZvS2+TqCDUfM53T\*sdxP(b#

\m2+ NFS DKTm

9CTBKTmoz7#2+ NFS }#KP:

v 19C -secure !nZM'zO20D~531,~qw{FXkk /etc/hosts D~PD~qwwz{`

%d#g{{F~qw}CZwz{bvP,rk7#{F~qw5XDwzE"k /etc/hosts D~PDu

?`%d#g{b){F;%d,rzzO$ms#r*zwDxg{FGyZ /etc/hosts D~PDw*u

?,"R publickey 3dPD\?GIxg{FCJD#

v k;*l}2+MG2+D<vM20#qr,D~CJ(7(I\a;}7#}g,g{M'z49C

secure !n202+D~53,r9C secure !n20G2+53,C'+w* nobody 5PCJ(,

x;Gw*{GT:#g{;v NIS r NIS+ 4*DC'T<4(r^D2+D~53ODD~,bVi

v2a"z#

v IZ NIS XkZ?N9C chkey M newkey |ns+%BD3d,yTk;Zxg:Xa1E9Cb)

|n#

v k;*>} /etc/keystore D~r /etc/.rootkey D~#g{zXB20"F/r}6;vzw,k#f

/etc/keystore M /etc/.rootkey D~#

v k8>C'9C yppasswd |n,x;G passwd |n4|D\k#byv9\kM(C\?#V,=#

v IZ login |n;S keyserv X$LrD publickey 3dPlw\?,yTC'Xk4P keylogin |

n#z2mk+ keylogin |nEZ?vC'DE*D~P,SxTZG<1T/4PC|n#keylogin |

n*sC'YNdkd\k#

v 1z9C newkey -h r chkey |n;*?vwzD root C'zI\?1,zXkKP keylogin |n

+BD\?+]= keyserv X$Lr#b)\?f"Z /etc/.rootkey D~P,?N keyserv X$Lrt

/1<aA!KD~#

v k(Zi$ yppasswdd M ypupdated X$LrGq}Z NIS wX~qwOKP#b)X$LrT,$

publickey 3dGXhD#

v (Zi$ keyserv X$LrGq}ZyP9C2+ NFS DzwOKP#

dC2+ NFS

*Z NIS wXMSt~qwOdC2+ NFS,k9CyZ Web D53\mwxg&CLrr9CTB=h#

PX;p9C NFS M NIS+ DE",kND AIX 5L Version 5.2 Network Information Services (NIS and NIS+)

Guide#

1. Z NIS wX~qwO,(}9C newkey |nZ NIS /etc/publickey D~P*?vC'4(;vu?,

gBy>:

v TZ#fC',kdk:

smit newkey

r

newkey -u username

TZwzOD root C',kdk:

newkey -h hostname

v r_,C'2IT(}9C chkey r newkey |n("{GT:D+C\?#

2. k4U AIX 5L Version 5.2 Network Information Services (NIS and NIS+) Guide PD8>E"4( NIS

publickey 3d#`&D NIS publickey.byname 3d;$tZ NIS ~qwO#

3. !{ /etc/rc.nfs D~PTBZD"b:

#if [ -x /usr/sbin/keyserv ]; then
#    startsrc -s keyserv
#fi
#if [ -x /usr/lib/netsvc/yp/rpc.ypupdated -a -d /etc/yp/`domainname` ]; then
#    startsrc -s ypupdated
#fi
#DIR=/etc/passwd
#if [ -x /usr/lib/netsvc/yp/rpc.yppasswdd -a -f $DIR/passwd ]; then
#    startsrc -s yppasswdd
#fi

4. k(}9C startsrc |nt/ keyserv"ypupdated M yppasswdd X$Lr#

*Z NIS M'zOdC2+ NFS,k(}9C startsrc |n4t/ keyserv X$Lr#

9C2+ NFS <vD~53

IT9CyZ Web D53\mwxg&CLrr9CTB=h.;4<v2+ NFS#

v *9C SMIT <v2+ NFS D~53,k4PTBYw:

1. (}KP lssrc -g nfs |ni$ NFS GqQ-ZKP#dvm> nfsd M rpc.mountd X$LrG

n/D#

2. i$ publickey 3dGqfZ,T0 keyserv X$LrGq}ZKP#PX|`E",kNDZ 197

3D:dC2+ NFS;#

3. KP smit mknfsexp lY76#

4. *TB!n8(J1D5:<v?<D PATHNAME"<v?<D MODET0VZr53XBt/(r

,18(=vVN)1 EXPORT#+0C'2+1!nVN8(* yes#

5. 8(NNd|I!DXwrS\1!5#

6. Kv SMIT#g{ /etc/exports D~;fZ,r+4(CD~#

7. Tzk*<vD?v?<,X4=h 3 = 6#

v *(}9CD>`-w4<v2+ NFS D~53,k4PTBYw:

1. Cz2.DD>`-wr* /etc/exports D~#

2. 9C?<D+76{,*?v*<vD?<4(;vu?#Ss_g*<,Pv*<vD?v?<#?

<;&|,NNd|Q<vD?<#kND /etc/exports D~D5,TKb /etc/exports D~Pu?

Dj{o(hv,|(gN8(2+!n#

3. #f"XU /etc/exports D~#

4. g{ NFS 10}ZKP,kdk:

/usr/sbin/exportfs -a

+ -a !nM exportfs |n;p9C,Q /etc/exports D~PDyPE""M=ZK#

v *Y1<v NFS D~53(4;|D /etc/exports D~),kdk:

exportfs -i -o secure /dirname

dP,dirname Gz*<vDD~53{F#exportfs -i |n8(TZ8(?<;li /etc/exports D~,

"RyP!n<S|nP1SqC#

9C2+ NFS 20D~53

*T=X202+ NFS ?<,k4PTBYw:

1. (}KPK|ni$ NFS ~qwGqQ<v?<:

showmount -e ServerName

dP,ServerName G NFS ~qw{F#K|nT>10S NFS ~qwP<vD?<{F#g{z*20

D?<;PPv,kS~qwP<v?<#

2. (}9C mkdir |n(">X20c#*K NFS I&jI20,Xka)d1 NFS 20D20c(r

<;{)D?<#K?<XkGUD#ITq4(NNd|?<;y4(K20c,"R;h*Xbt

T#

3. i$ publickey 3dfZ,"R keyserv X$Lr}ZKP#*Kb|`E",kNDZ 197 3D:d

C2+ NFS;#

4. kdk:

mount -o secure ServerName:/remote/directory /local/directory

dP,ServerName G NFS ~qw{F,/remote/directory Gz#{20D NFS ~qwOD?<,x

/local/directory G NFS M'zOD20c#

": ;P root C'IT202+ NFS#

Z 14 B s5m]3d

qlDxg73GI4SD;i53M&CLr9ID,b<BXk\m`vC'"am#8Y&m`vC'

"am}v;vXsD\mJb,|0l=C'"\m1M&CLr*"K1#0s5m]3d1(EIM)J

m\m1M&CLr*"_R=CJb#

>BhvKb)Jb,EvK10$5=8,"bMK EIM =8#

\m`vC'"am

m`\m1\m|,;,53M~qwDxg,?;v<(};,DC'"amIC(;D\mC'==#Z

b)4SDxgP,\m1:p\m{v4S53P?vC'Dm]M\k#Kb,\m1Xk-#,=b)

m]M\k#C'*P#pG!`vm]M\k"#V|G,=DXN#r*C'M\m1ZC73PD*z

G:sD,\m1-#(Q&sD1dT'\DG<"TxPJOoO"XBhCE|D\k,x;G\ms

5#

\m`vC'"amDJb20l&C*"K1,{Gk*a)`cr_;,V`D&CLr#M'PX*D

5q}]V<Z`v;,`MD53P,?v53&m|T:DC'"am#rK,*"_Xk*d&CLr

4((PDC'"am0PXD2+Toe#!\bbvK&C*"K1DJb,+|vSKC'M\m1D

*z#

10=8

bv\m`vC'"amJbD8v105g>6GICD,+|G<a);j+Dbv=8#}g,a?6

?<CJ-i(LDAP)a);VV<=C'"ambv=8#;x,*9C LDAP byDbv=8,\m1

Xk9*\mm;vC'"amM2+Toe,r_f;*9CG)"amx9(DVP&CLr#

9Cb`bv=8,\m1kTvpDJ4Xk\m`v2+zF,SxvSK\m*z,"1ZDvSK2

+T9)DI\T#1`vzF'V%@DJ41,(};VzF|D(^"|G|D;vr|`Dd|zF

(^DzaMa|_#}g,1C'J1X\x(};vSZDCJ+Jm(};vr|`vd|SZDCJ

1,Ma<B2+T9)#

jIC$ws,\m1a"V";Pj+bvJb#(#,s5Z10C'"amPT0PXD2+ToeP

6kK+`JpT9Cb`5JDbv=8#4(m;vC'"am0PXD2+ToeIT*&CLr)&

LbvJb,+;\*C'r\m1bvJb#

m;vbv=8G9C%){D=8#P8vz7GICD,|GJm\m1\m|,C'DyPm]M\k

DD~#;x,C=8P8vuc:

v |;bvC'fYDJbPD;v#!\|JmC'(}a);vm]M\k"a=`v53P,+C'

T;h*Zd{D53PP\k,r_h*\mb)\k#

v |}kK;vzz2+T9)DBJb,r*wDrITb\D\k#fZb)D~P#\kx;IT#

fZwDD~r]W\NNK(|(\m1)CJDD~P#

v |;PbvZ}=&C*"K1DJb,{Ga);,V`D"`cD&CLr#{GTh*&CLra

)(PC'"am#

!\Pb)uc,;)s5T9Cb)bv=8,r*|G*`vC'"amJba)K;):b#

9Cs5m]3d

EIM e5a9hvs5PvKM5e.dDX5(}gD~~qwMr!~qw)T0s5Z?\`zm{G

Dm]#Kb,EIM a) API /,Jm&CLri/XZb)X5DJb#

}g,Z;vC'"amPxv;vKDC'm],zIT7(Zm;vC'"amPD;vm]zm,;v

C'#g{C'C;vm]O$,zITQCm]3d=m;vC'"amP`&Dm],C';h*YNa

)O$>$#z;h**@Zm;vC'"amPDvm]zmCC'#rK,EIM *s5a)E(Dm]3

d&\#

Z;,"amDC'm].d3dD\&a)Km`f&#WH,&CLr_PbyDinT,|IT9C;

v"am4O$x9C;vj+;,D"am4Z(#}g,\m1IT+ SAP m]3d=CJ SAP J4#

m]3dh*\m1k4PTBYw:

1. 4( EIM j6{4m>s5PDKr5e#

2. 4(hvs5PVPC'"amD EIM "am(e#

3. QG)"amPC'm].dDX5(e*{G4(D EIM j6{#

;h*|DVP"amDzk#kTC'"amPyPDC';h*3d#EIM Jm;=`3d(;T.,;

v%@DC'Z;v%@DC'"amP_P;vTODm])#EIM 2Jm`=;3d(;T.,Z;v%@

DC'"amP`vC'2m;v%@Dm],!\'VC&\,+G*K2+T-r;(i9C)#Z EIM P

\m1ITa)Nb`MDNbC'"am#

EIM ;h*QVPD}]4F=B(DJ4b""T#V=v1>,=#EIM }kD(;DB}]GX5E

"#\m1Z LDAP ?<PDb)}]a)KbyDinT,ITZ;vX=\m}]"ZNN9CCE"D

X=P1>#

PX0s5m]3d1D|`E",kCJTB Web >c:

v http://publib.boulder.ibm.com/eserver/

v http://www.ibm.com/servers/eserver/security/eim/

Z 15 B Kerberos

Kerberos G;Va)i$om;2+xgOwem]=(DxgO$~q#Kerberos a)`%O$"}]j{

TM#\T,GyZxgw?W\%wT<B;6q"liMf;DivBDV5Yh#

Kerberos >%Gi$m]D>$#P=V`MD>%:Zh>%D>%M~q>%#Zh>%D>%kTDG

u<j6ks#G<=wz531,h*\i$zDm]D>$,}g\krjG#_PZh>%D>%s,

MIT9CZh>%D>%4*X(D~qks~q>%#bV=V>%D=(F* Kerberos DIENZ}=#

Zh>%D>%r Kerberos ~qwO$zDm],x~q>%Gr~q2+Xi\z#

Kerberos PDIENZ}=r=iF*\?V"PD(KDC)#KDC rM'z"vyP Kerberos 1]#

Kerberos }]b#t?vweDG<;G<|,XZ?vweD{F"(C\?"weD=ZU03)\mE

"#w KDC |,}]bDw*1>,"+d"M=St KDC#

>B|,TB Kerberos E":

v :mb2+6L|n;

v Z 205 3D:9C Kerberos xP AIX O$;

v Z 209 3D:KRB5A O$0k#iJbMJOiRE";

mb2+6L|n

":

1. S0V<=Fc731(DCE)V2.2 *<,DCE 2+~qwIT5X Kerberos V5 1]#

2. S AIX 5.2 *<,yP2+6L|n(rcmds)9CI0xgO$~q1(NAS)V1.3 a)D Kerberos V5

b#Z DCE rP,ftp |n9C libdce.a DCE bPD GSSAPI b,xZ>XrP,ftp |n9C NAS

V1.3 PD GSSAPI b#NAS V1.3 ;Z0)9| CD1P#(;h*D LPP G krb5.client.rte D~/#

3. g{(F= AIX 5.2,"R20K Kerberos V5 r Kerberos V4,r20E>a>C'20 krb5.client.rte#

2+ rcmds G rlogin"rcp"rsh"telnet M ftp#b)|nGsR2,y*Dj< AIX =(#(C=(8 AIX

4.3 M|g"Pf9CDO$=(#)ya)Dd|=(G Kerberos V5 M Kerberos V4#

19C Kerberos V5 O$=(1,M'zS DCE 2+~qwr Kerberos ~qwq! Kerberos V5 1]#C

1]GC'10 DCE r>X>$(TZy*,SD TCP/IP ~qwGS\D)D;?V#TCP/IP ~qwOD

X$LrTK1]b\#KYwJm TCP/IP ~qwj+j6C'#g{Jm1]PyvD DCE r>Xwe

CJYw53C'J',r,S*<#2+ rcmds 'V Kerberos V5 M DCE D Kerberos M'zM~qw#

}KO$M'z,Kerberos V5 +10C'>$*"= TCP/IP ~qw#g{>$jGII*"D,M'z+

|Gw* Kerberos Zh1]D1](TGT)"M=~qw#Z TCP/IP ~qwK,g{C'}M DCE 2+~

qw(E,rX$Lr9C k5dcecreds |n+ TGT }6=j+D DCE >$#

ftp |n9Ckd|2+ rcmds ;,DO$=(#|9C GSSAPI 2+zFZ ftp |nM ftpd X$Lr.

d+]O$#9C clear"safe M private S|n,ftp M'z'V}]S\#

ZYw53M'zM~qw.d,ftp |nJmS\}],SD`VZ+d#j<v(eKS\}],SD%V

Z+d#1,S=Z}=zw"9C}]S\1,ftp |nq-%VZ+d^F#

53dC

TZyP2+ rcmds,536dCzF7(C53PJmNVO$=(#dCXFdvMdk,S#

O$dCI libauthm.a bM lsauthent T0 chauthent |n9I,a)T get_auth_methods M

set_auth_methods b}LD|nPCJ#

O$=((eKNV=(CZ(}xgO$C'#53'VTBO$=(:

v Kerberos V5 GnUiD=(,r*|G DCE Dy!#

v Kerberos V4 vI rlogin"rsh M rcp 2+ rcmds 9C#|vZ SP 53Pa)'Vrsf]T#Kerberos

V4 1];\}6= DCE >$#

v j< AIX GI AIX 4.3 0|g"Pf9CDO$=(#

g{dCK`Z;vDO$=(,xZ;v=(^(,S,rM'z"T9CydCDB;vO$=(4O

$#

O$=(ITdC*NNNr#(;D}bGj< AIX XkGydCDnsDO$=(,r*;PsK!n#

g{j< AIX ;GydCDO$=(,r;"T\kO$,"RNN9CC=(D,S"T<;\x#

IT;9CNNO$=(T53xPdC#ZbVivB,zw\xyP9C2+ rcmds 4TM=oNNzw

D,S#"R,r* Kerberos V4 v'V rlogin"rsh M rcp |n,yTdC*v9C Kerberos V4 D5

3;Jm9C telnet"ftp D,S#

Kerberos V5 C'i$

19C Kerberos V5 O$=(1,TCP/IP M'zq!* TCP/IP ~qwS\D~q1]#1~qwb\1]

1,|_P6pC'D2+=(((} DCE r>Xwe)#;x,~qwT;h*7(GqJmC DCE r>

XweCJ>XJ'#+ DCE r>Xwe3d=>XYw53J'GI2mb libvaliduser.a(|_P%@

S}L,F* kvalid_user)4&mD#g{W!K;,D3d=(,r53\m1Xka) libvaliduser.a b

D8C!q#

DCE dC

*9C2+ rcmds,TZIT,S=D?vxgSZ,XkfZ=v DCE we#|GG:

host/FullInterfaceName
ftp/FullInterfaceName

dP:

FullInterfaceName

SZ{FMr{

>XdC

*9C2+ rcmds,TZIT,S=D?vxgSZ,XkfZ=v>Xwe#|GG:

host/FullInterfaceName@Realmname
ftp/FullInterfaceName@Realmname

dP:

FullInterfaceName

SZ{FMr{

204 AIX 5L V5.2:2+8O


RealmName

>X Kerberos V5 rD{F

`XE"

v AIX 5L Version 5.2 Technical Reference: Communications Volume 2 PD get_auth_methods M set_auth_methods

S}L

v 6AIX 5L V5.2 |nN<s+,m 17PD chauthent |n

v 6AIX 5L V5.2 |nN<s+,m 37PD lsauthent |n

9C Kerberos xP AIX O$

AIX a)TB Kerberos O$0k#i:KRB5 M KRB5A#!\=V#i<xP Kerberos O$,+G KRB50k#i4P Kerberos we\m,x KRB5A 0k#i;4P#KRB5 0k#i9C IBM xgO$~qD

Kerberos }]bSZ4Yw Kerberos m]Mwe#9C KRB5 0k#i,AIX 53\m1IT(}9CV

PD AIX C'\m|n(x;h*NN|D)4\m Kerberos O$DC'0{GyX*D Kerberos we#

}g,*4(;v AIX C'MkCC'X*D Kerberos we,kKP mkuser |n#

KRB5A 0k#iv4PO$#Kerberos we\mG(}9C Kerberos we\m$_VpjI#KRB5A 0k

#i9CZby;v73B,ZC73P Kerberos wef"ZG AIX 53P"^((}9C Kerberos }]

bSZS AIX xP\m#}g,IT5P;v0Windows 2000 n/?<1~qw,ZC~qwP Kerberos

we\mG9C0n/?<1J'\m$_M API 44PD#

9C KRB5 20MdC Kerberos /IG<53

0xgO$~q1(IBM Kerberos 5V)Gf0)9|1;pa)D#*20 Kerberos V5 M'zm~|,

k20 krb5.client.rte D~/#*20 Kerberos V5 ~qwm~|,k20 krb5.server.rte D~/#*2

0{v Kerberos V5 m~|,k20 krb5 m~|#

*\b DCE M Kerberos |n.d(4 klist"kinit M kdestroy |n.d)D{FUde;,k+ Kerberos

|n20Z /usr/krb5/bin M /usr/krb5/sbin ?<B#zIT+b)?<mS= PATH (eP#qr,*4

P Kerberos |n,rXk8(+^(|n76{#

0xgO$~q1D5Z krb5.doc.lang.pdf|html m~|Pa),dP lang zmy'VDoT#

dC Kerberos V5 KDC M kadmin ~qw

":

1. ;FvZ,;om53P,120 DCE M Kerberos ~qwm~#g{Xkbyv,rXk|D DCE M

'zM~qwr Kerberos M'zM~qwD1!I!%,xKZE#;[GZDVivB,byD|D<

IT0l73PVPD DCE M Kerberos ?pD%YwT#PX DCE M Kerberos 2fDE",kN<

0xgO$~q1D5#

2. Kerberos V5 hCI\xSNNd1S;Zy8(D KDC ns1S+FZDwz4D>%ks#ns1S

+FD1!5G 300 k(5 VS)#Kerberos h*dCZ~qwMM'zdD8Vq=D1d,=#(iz

C xntpd r timed X$Lr91d,=#*9C timed X$Lr,k4PTBYw:

a. (}t/ timed X$Lr4+ KDC ~qwhC*1d~qw,gBy>:

timed -M

b. Z?v Kerberos M'zOt/ timed X$Lr#

timed -t

Z 15 B Kerberos 205


*dC Kerberos KDC M kadmin ~qw,kKP mkkrb5srv |n#}g,** MYREALM r"sundial

~qwM xyz.com rdC Kerberos,kdkTBZ]:

mkkrb5srv -r MYREALM -s sundial.xyz.com -d xyz.com -a admin/admin

H}8kS,T9 kadmind M krb5kdc |nS /etc/inittab t/#

KP mkkrb5srv |nzzTBYw:

1. 4( /etc/krb5/krb5.conf D~#r{5"Kerberos \m~qwMr{<y]|nPPy8(D4h

C#/etc/krb5/krb5.conf D~9hC default_keytab_name"kdc M admin_server U>D~D76#

2. 4( /var/krb5/krb5kdc/kdc.conf D~#/var/krb5/krb5kdc/kdc.conf D~hC kdc_ports"kadmin_port"max_life"max_renewable_life"master_key_type M supported_enctypes d?D5#CD~9hC

database_name"admin_keytab"acl_file"dict_file M key_stash_file d?D76#

3. 4( /var/krb5/krb5kdc/kadm5.acl D~#hC admin"root M host weDCJXF#

4. 4(}]bM;v admin we#*shC Kerberos w\?"|{MhC Kerberos \mwej6D\k#

TZVQV4C>,2+Xf"w\?M\mwej60\kG\X|D#

PX|`E",kN<Z 207 3D:y>KP;M:ms{"MV4Yw;#

dC Kerberos V5 M'z

Kerberos 20jIs,;T#fC'T>}Z9C Kerberos <u#Yw53DG<}LT#V4|D#;x,

VZC'IT5Pk{GyKPD}LX*D Kerberos Zh>%D>%(TGT)#*dC539C Kerberos w

*C'O$Dw*=(,rkKPxPTBN}D mkkrb5clnt |n:

mkkrb5clnt -c KDC -r realm -a admin -s server -d domain -A -i database -K -T

}g,*dC MYREALM r"sundial.xyz.com \m~qw"xyz.com rM files }]bD sundial.xyz.com

KDC,kdkTBZ]:

mkkrb5clnt -c sundial.xyz.com -r MYREALM -s sundial.xyz.com -d xyz.com -A -i files -K -T

H0D>}zzTBYw:

1. 4( /etc/krb5/krb5.conf D~#r{5"Kerberos \m~qwMr{<kZ|nPPy8(D;y#xR,

|B default_keytab_name"kdc M kadmin U>D~D76#

2. -i j>dCj+/IG<#yxkD}]bG Kerberos weyf"D;C#

3. -K j>+ Kerberos dC*1!O$=8#bJmC'ZG<1Q-} Kerberos O$#

4. -A j>Z0Kerberos }]b1PmSK;n,* Kerberos (" root \mC'#

5. -T j>q!yZ TGT \m>%D~qw\m#

g{53Q20,";Zk KDC ;,D DNS rP,rXk4PTBD=SYw:

1. `- /etc/krb5/krb5.conf D~"Z [domain_realm] smSm;n#

2. +;,Dr3d=zDr#

}g,g{#{+ abc.xyz.com rPDM'z|,ZzD MYREALM rP,r /etc/krb5/krb5.conf D~|,

TBD=Sn:

[domain_realm]
.abc.xyz.com = MYREALM

ms{"MV4Yw

9C mkkrb5srv |n1I\"zDms|,TBb):


v g{ krb5.conf"kdc.conf r kadm5.acl D~Q-fZ,r mkkrb5srv |n;^DC5#z+SU=;

uD~Q-fZD{"#(}`- krb5.conf"kdc.conf r kadm5.acl D~IT|DN;dC5#

v g{sdk"R;P4(}]b,r}%Q4(DdCD~"XBKPC|n#

v g{}]bMdC5;;B,rS /var/krb5/krb5kdc/* ?<}%}]b"XBKPC|n#

v k7# kadmind M krb5kdc X$LrQZzwOt/#9C ps |n4i$X$LrGqZKP#g{

;Pt/b)X$Lr,kliU>D~#

9C mkkrb5clnt |n1I\"zDms|,TBb):

v krb5.conf Dms5IT(}`- /etc/krb5/krb5.conf D~4^}#

v -i j>Dms5IT(}`- /usr/lib/security/methods.cfg D~4^}#

Q4(DD~

mkkrb5srv |n4(TBD~:

v /etc/krb5/krb5.conf

v /var/krb5/krb5kdc/kadm5.acl

v /var/krb5/krb5kdc/kdc.conf

mkkrb5clnt |n4(TBD~:

v /etc/krb5/krb5.conf

mkkrb5clnt -i D~!n+TBZmS= /usr/lib/security/methods.cfg D~:

KRB5:
        program =
        options =

KRB5files:
        options =

y>KP

TBG mkkrb5srv |nD;v>}:

# mkkrb5srv -r MYREALM -s sundial.xyz.com -d xyz.com -a admin/admin

T>kTBZ]`FDdv:

D~/ 6p 4, hv
----------------------------------------------------------------------------
76:/usr/lib/objrepos
  krb5.server.rte 1.3.0.0 COMMITTED xgO$~q ~qw

76:/etc/objrepos
  krb5.server.rte 1.3.0.0 COMMITTED xgO$~q ~qw

;'V -s !n#\m~qw+G>Xwz#
}Zu</dC...
}Z4( /etc/krb5/krb5.conf...
}Z4( /var/krb5/krb5kdc/kdc.conf...
}Z4(}]bD~...
}Zu</0MYREALM1rD}]b0/var/krb5/krb5kdc/principal1w\?{F0K/M@MYREALM1
+a>zdk}]bD0w\k1#"b;(;*|GC\k#
dk}]b0w\k1:


XBdk}]b0w\k1Ti$:
/f:;** admin/admin@MYREALM; 8(_T1!5*;P_T#"b_TI\a;ACL ^F2G#
dkwe0admin/admin@MYREALM1D\k:
XBdkwe0admin/admin@MYREALM1D\k:
we0admin/admin@MYREALM1Q4(#
}Z4(\?m...
}Z4( /var/krb5/krb5kdc/kadm5.acl...
}Zt/ krb5kdc...
krb5kdc QI&Xt/#
}Zt/ kadmind...
kadmind QI&Xt/#
|nI&XjI#
XBt/ kadmind and krb5kdc

TBG mkkrb5clnt |nD;v>}:

mkkrb5clnt -r MYREALM -c sundial.xyz.com -s sundial.xyz.com \
    -a admin/admin -d xyz.com -i files -K -T -A

T>kTBZ]`FDdv:

}Zu</dC...
}Z4( /etc/krb5/krb5.conf...
|nI&jI#
admin/admin@MYREALM D\k:
}ZdCj+/IG<
}Z+ admin/admin wekVPD>$xPO$#
/f:;P8( host/diana.xyz.com@MYREALM D_T;1!5*;P_T#"b_TI\a;ACL ^F2G#
we0host/diana.xyz.com@MYREALM1Q-4(#
\m>$0;PzY1#
}Z+ admin/admin wekVPD>$xPO$#
\m>$0;PzY1#
}Z+ admin/admin wekVPD>$xPO$#
we0kadmin/admin@MYREALM1Q^D#
\m>$0;PzY1#
}Z+ Kerberos dC*1!O$=8#
}Z9 Kerberos \m1I* root C'#
}Z+ admin/admin wekVPD>$xPO$#
/f:;P8( root/diana.xyz.com@MYREALM D_T;1!5*;P_T#"b_TI\;ACL ^F2G#
dkwe0root/diana.xyz.com@MYREALM1D\k:
XBdkwe0root/diana.xyz.com@MYREALM1D\k:
we0root/diana.xyz.com@MYREALM1Q4(#
\m>$0;PzY1#
}Ze}\m1>$"Kv#

9C KRB5A 20MdC Kerberos /IG<53

KRB5A 0k#iCZO$1,Xk4P;5P=h(g Kerberos weD4()#

TB?VbMKgNT0n/?<1KDC xP0AIX xgO$~q1M'zO$#

S0)9|120 krb5.client.rte D~/#


dC0Windows 2000 n/?<1~qwD AIX Kerberos V5 M'z

9C config.krb5 |ndC AIX Kerberos M'z#dCM'zh* Kerberos ~qwE"#g{!qK Windows

20000n/?<1w* Kerberos ~qw,rTB!nITk config.krb5 |n;p9C:

-r realm = Windows 20000n/?<1~qwr{
-d domain = w\ Windows 2000 n/?<~qwzwDr{
-c KDC = KDC ~qwDwz{
-s server = Windows 2000 ~qwDwz{

1. gTB>}T>D49C config.krb5 |n:

config.krb5 -C -r MYREALM -d xyz.com -c w2k.xyz.com -s w2k.xyz.com

2. Windows 2000 'V DES-CBC-MD5 M DES-CBC-CRC S\`M#|D krb5.conf D~,9.|,`F

ZTBZ]DE":

[libdefaults]
        default_realm = MYREALM
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des-cbc-crc des-cbc-md5
        default_tgs_enctypes = des-cbc-crc des-cbc-md5

3. +TBZmS= methods.cfg D~:

KRB5A:
        program = /usr/lib/security/KRB5A
        options = authonly

KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A

4. kZ Windows 20000n/?<1~qwO4PTBYw:

a. 9C0n/?<\m1$_4* krbtest AIX wz4(BDC'J',gBy>:

1) !q0C'1D~P#

2) 9CsjRwB(#

3) !qC'#

4) dk{F krbtest#

b. S|nP9C Ktpass |n4(|mD~"* AIX wzhCJ'#}g,*4({* krbtest.keytabD|mD~,kdk:

Ktpass -princ host/krbtest.xyz.com@MYREALM -mapuser krbtest -pass password -out krbtest.keytab

c. +|mD~4F= AIX wz53#

d. gBy>+|mD~O"= /etc/krb5/krb5.keytab D~:

$ ktutil
ktutil: rkt krbtest.keytab
ktutil: wkt /etc/krb5/krb5.keytab
ktutil: q

e. 9C0n/?<1C'\m$_4( Windows 2000 rJ'#

f. gB4(k Windows 2000 rJ'`{D AIX J',9CG<}L9C Kerberos O$:

mkuser registry=KRB5Afiles SYSTEM=KRB5Afiles user0

KRB5A O$0k#iJbMJOiRE"

TBZa)K KRB5A0O$0k#i1JbMJOiRE"Dp8#

gNdC AIX Kerberos M'zTn/?<~qw KDC xPO$

9C config.krb5 |ndC AIX Kerberos M'z#dCM'zh* Kerberos ~qwE"#g{!qK Windows

20000n/?<1~qww* Kerberos ~qw,rTB!nITk config.krb5 |n;p9C:


-r realm0n/?<1r{

-d domainw\0n/?<1?<~qDzwDr{

-c KDCKDC ~qwDwz{

-s serverWindows 2000 ~qwDwz{

gTB>}T>DZ]49C config.krb5 |n:

config.krb5 -C -r MYREALM -d xyz.com -c w2k.xyz.com -s w2k.xyz.com

Windows 2000 'V DES-CBC-MD5 M DES-CBC-CRC S\`M#|D krb5.conf D~9.|,kTBZ]

`FDE":

[libdefaults]
        default_realm = MYREALM
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des-cbc-crc des-cbc-md5
        default_tgs_enctypes = des-cbc-crc des-cbc-md5

+TBZmS= methods.cfg D~:

KRB5A:
        program = /usr/lib/security/KRB5A
        options = authonly

KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A

kZ0n/?<1~qwO4PTBYw:

1. 9C0n/?<\m1$_* krbtest AIX wz4(BDC'J'#

v !q0C'1D~P#

v CsjR|%w,"!q0B(1#

v !qC'#

v dk{F krbtest#

2. S|nP9C Ktpass |n4( krbtest.keytab D~"* AIX wzhCJ',gBy>:

Ktpass -princ host/krbtest.xyz.com@MYREALM -mapuser krbtest -pass password -out krbtest.keytab

3. + krbtest.keytab D~4F= AIX wz53#

4. + krbtest.keytab D~O"= /etc/krb5/krb5.keytab D~P,gBy>:

$ ktutil
ktutil: rkt krbtest.keytab
ktutil: wkt /etc/krb5/krb5.keytab
ktutil: q

5. 9C0n/?<1C'\m$_4( Windows 2000 rJ'#

6. 4(k Windows 2000 rJ'`{D AIX J',9CG<}L*@9C Kerberos O$,gBy>:

mkuser registry=KRB5Afiles SYSTEM=KRB5Afiles user0


gN^D Kerberos /IG<D AIX dC

*tC Kerberos /IG<,k^D methods.cfg D~#Xk+4O0k#inmS= methods.cfg D~P#

O$=G KRB5A#}]b=IT!q BUILTIN r LDAP dP.;#BUILTIN G9C ASCII D~Dj< AIX C

'J'b#}g,g{!q BUILTIN w* AIX C'J'b,rgBy>^D methods.cfg D~:

>}:!q>XD~53w* AIX C'J'b#

KRB5A:
        program = /usr/lib/security/KRB5A
        options = authonly

KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A

>}:!q LDAP w* AIX C'J'b#

KRB5A:
        program = /usr/lib/security/KRB5A
        options = authonly

LDAP:
        program = /usr/lib/security/LDAP

KRB5ALDAP:
        options = auth=KRB5A,db=LDAP

gN4(xP KRB5A 0k#iD Kerberos /IG<D AIX C'

*4(xP KRB5A 0k#iD Kerberos /IG<D AIX C',kgB9C mkuser |n:

mkuser registry=KRB5Afiles SYSTEM=KRB5Afiles auth_domain=MYREALM foo

PX auth_name M auth_domain tTD9CE",kN<Z 212 3D:auth_name M auth_domain tTD

C>;#

gNZn/?<O4( Kerberos we

}Z4(D Windows 2000 C'J'~,X4(Kwe#}g,g{Z0n/?<1O4({* foo DC'

J',r24(Kk foo X*Dwe foo@MYREALM#PXZ0n/?<1O4(C'DE",kND0n/?

<1C'\mD5#

gN|D Kerberos O$C'D\k

*|D Kerberos O$C'D\k,kgB9C passwd |n:

passwd -R KRB5Afiles foo

gN}% Kerberos O$C'

*}% Kerberos O$C',k9C rmuser |n#;x,bvS AIX P}%C'#9Xk9C0n/?<1

C'\m$_+CC'S0n/?<1P}%#

rmuser -R KRB5Afiles foo

gN+ AIX C'(F= Kerberos O$C'

g{C'QZ0n/?<1OP;vJ',r chuser |n+CC'*;I Kerberos O$C',gTB>}

y>:

chuser registry=KRB5Afiles SYSTEM=KRB5Afiles auth_domain=MYREALM foo


g{C'Z0n/?<1P;PJ',rZ0n/?<1P4(;vJ'#;s9C chuser |n#0n/?

<1J'I\P(2I\;P)`,D AIX C'{#g{!qK;,D{F,r9C auth_name tT43

d=0n/?<1{#}g,*+ chris AIX C'{3d= christopher0n/?<1C'{,kdkTBZ

]:

chuser registry=KRB5Afiles SYSTEM=KRB5Afiles auth_name=christopher auth_domain=MYREALM chris

g{|GK\kCuyv

Z0n/?<1O,\kXkI\m1|D#Z AIX O,root C';\hC Kerberos weD\k#

auth_name M auth_domain tTDC>

auth_name M auth_domain tTCZ+ AIX C'{3d=0n/?<1OD Kerberos we{F#}g,

g{ chris AIX C'_P auth_name=christopher M auth_domain=SOMEREALM,r Kerberos we{FG

christopher@SOMEREALM#SOMEREALM r{M MYREALM 1!r{;`,#bJm chris C'xP SOMEREALM r

DO$,x;GxP MYREALM rDO$#

Kerberos O$}DC'GqITdI9Cj< AIX O$DO$

p8GO(D#4PTBYw9C AIX O$4O$ Kerberos O$C':

1. C'9C passwd |nhC AIX \k(/etc/security/passwd),gBy>:

passwd -R files foo

2. |DC'D SYSTEM tT,gBy>:

chuser -R KRB5Afiles SYSTEM=compat foo

b+O$S Kerberos |D= crypt#

g{#{9C crypt O$w*8]zF,kgB|D SYSTEM tT:

chuser -R KRB5Afiles SYSTEM="KRB5Afiles or compat" foo

9C Windows 2000 n/?<~qw1Gqh*Z AIX OhC Kerberos~qw(KDC)

;h*,r*C'T0n/?<1KDC G-O$D,yT;PX*dC AIX OD KDC#`4,g{#{|

D0AIX xgO$~q KDC1w* Kerberos ~qw9C,rh*dC Kerberos ~qw#

AIX ;S\RD\k

li\kGq{O AIX M Kerberos D*s#KDC 9Xk}7dC"}#KP#

;\G<=53

v i$ KDC GqQt/"}ZKP#

– Z AIX 53P,dkTBZ]:

ps -ef | grep krb5kdc

– Z Windows 2000 53P,k4PTBYw:

1. Z0XFfe1P,+w0\m$_1<j

2. +w0~q1<j#

3. i$0Kerberos \?V"PD1GqZQt/4,#


v Z AIX 53P,i$ /etc/krb5/krb5.conf D~Gq8r}7D KDC,"RGq_PP'DN}#

v Z AIX 53P,i$M'z|mD~Gq|,wz>%#}g,Y(zQP /etc/krb5/krb5.keytab 1!

|mD~#dkTBZ]:

$ ktutil
ktutil: rkt /etc/krb5/krb5.keytab
ktutil: l
[ KVNO we
------ ------ ------------------------------------------------------
1 4 host/krbtest.xyz.com@MYREALM
ktutil: q

v g{hCK auth_name M auth_domain tT,ri$|GGq}C ADS KDC OP'Dwe{F#

v i$ SYSTEM tTGqhC* Kerberos G<(KRB5Afiles r KRB5ALDAP)#

v i$\k;P=Z#


Z 3 ?V =<


=< A. 2+TKTm

>=<a);]ZB20rVP53O4PD2+TYwKTm#!\>Pm;G;]j{D2+TKTm,

|ITw*y!4*739(2+TKTm#

v 120B531,S2+y>iJ420 AIX#2014PTB=h:

– ;*Z~qwO20@fm~,}g CDE"GNOME r KDE#

– 20X*2+T^}MNNFvD,$6^}#*KbnBD~q+f"2+T(iM^}E",kN

D eServer pSeries Support Fixes Web >c(http://techsupport.services.ibm.com/server/fixes?view=pSeries)#

– u<20s8]53,"+538]f"Z2+;C#

v *\^FDD~M?<("CJXFPm#

v {C;h*DC'J'M53J',}g daemon"bin"sys"adm"lp M uucp#;Fv>}J',r*b+

>}J'E",}gC'j6MC'{,|G2mTk538]PD}]`X*#g{9CH0Q>}D

C'j64(;vC',"RZ53OV4K538],B(C'I\5PTQV4D53DbbCJ

(#

v (Zli /etc/inetd.conf"/etc/inittab"/etc/rc.nfs M /etc/rc.tcpip D~,"}%yP;X*DX$Lr

M~q#

v i$TBD~DmI(hC}7:

-rw-rw-r-- root system /etc/filesystems
-rw-rw-r-- root system /etc/hosts
-rw------- root system /etc/inittab
-rw-r--r-- root system /etc/vfs
-rw-r--r-- root system /etc/security/failedlogin
-rw-rw---- root audit /etc/security/audit/hosts

v {9 root J'9d;\6LG<#root J'&C;\S53XF(G<#

v tC53sF}L#*Kb|`E",kNDZ 47 3DZ 3 B, :sF;#

v tCG<XF_T#*Kb|`E",kNDZ 20 3D:G<XF;#

v {9KP xhost |nDC'mI(#*Kb|`E",kNDZ 22 3D:\m X11 M CDE "bBn;#

v @9T PATH 73d?D4Z(|D#*Kb|`E",kNDZ 29 3D:PATH 73d?;#

v {C telnet"rlogin M rsh#*Kb|`E",kNDZ 117 3DZ 9 B, :TCP/IP 2+T;#

v ("C'J'XF#*Kb|`E",kNDZ 28 3D:C'J'XF;#

v ?FOqD\k_T#*Kb|`E",kNDZ 38 3D:\k;#

v *C'J'("ELdn#*Kb|`E",kNDZ 44 3D:S,dniNPV4;#

v vJm\mJ'9C su |n#`S /var/adm/sulog D~P su |nDG<#

v 9C X-Windows 1tCA;x(#

v ^FT cron M at |nDCJ,;xG)h*CJ|GDJ'CJ(#

v 9C ls |nDp{TT>~XD~MD~{PD~XV{#

v 9C rm |nDp{T\bS53Pbb>}D~#

v {C;X*Dxg~q#*Kb|`E",kNDZ 125 3DZ 10 B, :xg~q;#

v 4P#{D538]"i$8]Dj{T#

v )D2+`XDgSJ~V"Pm#


=< B. 2+TN<JO

>=<a)`=fD2+`XDN<JOE"#

2+T Web >c

AIX Virtual Private Networks:http://www-1.ibm.com/servers/aix/products/ibmsw/security/vpn/index.html

CERIAS(Center for Education and Research in Information Assurance and Security):http://www.cerias.purdue.edu/

CERT(Computer Emergency Response Team,Z Carnegie Mellon University P):http://www.cert.org

CIAC(Computer Incident Advisory Capability):http://ciac.llnl.gov

Computer Security Resource Clearinghouse:http://csrc.ncsl.nist.gov/

FIRST(Forum of Incident Response and Security Teams):http://www.first.org/

IBM eServer Security Planner:http://www-1.ibm.com/servers/security/planner/

IBM Security Solutions:http://www-3.ibm.com/security/index.shtml

OpenSSH:http://www.openssh.org/

2+TJ]Pm

CERT: http://www.cert.org/contact_cert/certmaillist.html

IBM eServer pSeries Support Subscription Service: https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

comp.security.unix:news:comp.security.unix

2+T*zN<JO

Common Criteria Concepts FAQ:http://www.radium.ncsc.mil/tpep/process/faq-sect3.html

Rainbow Series Library:http://www.radium.ncsc.mil/tpep/library/rainbow/

faqs.org:http://www.faqs.org/faqs/computer-security/

IBM eServer pSeries E"PD: http://publib16.boulder.ibm.com/pseries/zh_CN/infocenter/base


=< C. U( AIX 53~q**

BmPv AIX P|SU(D53~q#9CKm46p#$53Dt/c#

ZxP#$53.0,8]yPD-<dCD~,XpG:

v /etc/inetd.conf

v /etc/inittab

v /etc/rc.nfs

v /etc/rc.tcpip

~q X$Lr gBt/ &\ "M

inetd/bootps inetd /etc/inetd.conf CZ^LM'

zD bootp ~

q

v TZ0xg20\m1(NIM)M

536L}<GXhD

v k tftp ;p$w

v Zs`}ivB{C

inetd/chargen inetd /etc/inetd.conf V { " z w

(vbT)v ICw TCP k UDP ~q

v *0\x~q1%wa)za

v }G}ZbTxg,qr{C

inetd/cmsd inetd /etc/inetd.conf U z ~ q

(CDE 9C)v T root C'm]KP,rKf02

+T

v }GC CDE jkC~q,qr{

C

v Zb?}]b~qwO{C

inetd/comsat inetd /etc/inetd.conf (*SUDg

SJ~v T root C'm]KP,rKf02

+T

v \Yh*D

v {C

inetd/daytime inetd /etc/inetd.conf Oz1d~q

(vbT)v T root C'm]KP

v ICw TCP k UDP ~q

v *0\x~q PING1%wa)z

a

v Oz~q"vTbT9C

v {C

inetd/discard inetd /etc/inetd.conf /dev/null service

(vbT)v ICw TCP k UDP ~q

v Z0\x~q%w1P9C

v Oz~q"vTbT9C

v {C


inetd/dtspc inetd /etc/inetd.conf CDE S}LX

F

v K~qI inetd X$LrT/t/

Tl& CDE M'z,CM'zk

s Z X $ L r D w z O t / x

L#b9|W\%w

v Z;P CDE Db?}]b~qw

O{C

v ;PC~q CDE I\apwC

v }GxTh*,qr{C

inetd/echo inetd /etc/inetd.conf X+~q(;

bT)v ICw TCP k UDP ~q

v ICZ0\x~qr Smurf1%w

v CZXMEExd{KSx)}

@p=rt/}]+d

v {C

inetd/exec inetd /etc/inetd.conf 6L4P~q v T root C'm]KP

v *sdk^#$+]DC'j6

M\k

v C~qGG#]Wb=`}D

v {C

inetd/finger inetd /etc/inetd.conf ZC'&xP

!}v T root C'm]KP

v xvPXzD53kC'DE"

v {C

inetd/ftp inetd /etc/inetd.conf D~+d-i v T root C'm]KP

v C'j6kZn4S#$X+

M,rKW\`}

v {CK~q"9C+22+ shell

W~

inetd/imap2 inetd /etc/inetd.conf rXxJ~C

J-iv 7#z}9CC~qwDnBf

>

v ;1zKPJ~~qw1EX

h#qr,{C

v C'j6k\k4S#$X+]

inetd/klogin inetd /etc/inetd.conf Kerberos G< v g{zD>c9C Kerberos O$r

tC

inetd/kshell inetd /etc/inetd.conf Kerberos shell v g{zD>c9C Kerberos O$r

tC

inetd/login inetd /etc/inetd.conf rlogin ~q v WZb\ IP [-k DNS [-

v }](|(C'j6k\k)4

S#$X+]

v T root C'm]KP

v 9C2+ shell zfC~q


inetd/netstat inetd /etc/inetd.conf 10xg4,

(fv gZzD53OKP,I\1Z

XQxgE"xZM

v {C

inetd/ntalk inetd /etc/inetd.conf JmC'`%

;8v T root C'm]KP

v ;h*z7rb?~qw

v }GxTh*,qr{C

inetd/pcnfsd inetd /etc/inetd.conf PC NFS D~

~qv g{;G10Z9Cr{C~q

v g{h*kK`FD~q,<G

Samba,pcnfsd X$LrgZ

Microsoft D SMB f6D"Pf

inetd/pop3 inetd /etc/inetd.conf JV-i v C'j6k\k4S#$X"M

v g{zD53GJ~~qw"R

5P9Cv'V POP3 D&CLr

DM'z1Eh*

v g{zDM'z9C IMAP,rC

dw*fz,r9C POP3 ~q#

C~qP2+WSVc(SSL)(

Db0

v g{z;ZKPJ~~qwrP

h* POP ~qDM'z,r{C

inetd/rexd inetd /etc/inetd.conf 6L4P v T root C'm]KP

v C on |n`S

v {CD~q

v 9C rsh k rshd w*fz

inetd/quotad inetd /etc/inetd.conf D~^nD(

f(TZ NFS

M'z)

v g{z}ZKP NFS D~~qE

h*

v }Gh*T quota |na)&

p,qr{CC~q

v g{h*9CC~q,#VC~

qDyPD9!M^}|*nB

D

inetd/rstatd inetd /etc/inetd.conf ZK3FE"

~qwv g{h*`S53,9C SNMP

"{CC~q

v h*9C rup |n

inetd/rusersd inetd /etc/inetd.conf XZC'G<

DE"v b;Gy>D~q#{C

v T root C'm]KP

v xv53O10C'DPm"C

rusers `S

=< C. U( AIX 53~q** 223


inetd/rwalld inetd /etc/inetd.conf 4xyPC' v T root C'm]KP

v g{53P;%=C',I\h

*#VC~q

v g{53*z7r}]b~q

w,bM;h*

v {C

inetd/shell inetd /etc/inetd.conf rsh ~q v gI\r{CC~q#9C02

+ shell1w*fz

v g{Xk9CC~q,r9C TCP

$b4#9gS[-k^F)6

v h* Xhier m~V<Lr

inetd/sprayd inetd /etc/inetd.conf RPC gdbT v T root C'm]KP

v I\;h* NFS xgJbDoO

v g{;ZKP NFS r{C

inetd/systat inetd /etc/inetd.conf 0ps -ef14,

(fv Jm6L>cl453ODxL

4,

v C~q1!ivB{C#Xk\

ZTXli47#4tCC~q

inetd/talk inetd /etc/inetd.conf ZxO=vC

'd("Vx

A;

v ;GXh~q

v k talk |n;p9C

v ZKZ 517 a) UDP ~q

v }GTZ UNIX C'zh*`v;

%=;8a0,qr{C

inetd/ntalk inetd /etc/inetd.conf 0new talk1Z

xO=vC'

d("VxA

;

v ;GXh~q

v k talk |n;p9C

v ZKZ 517 a) UDP ~q

v }GTZ UNIX C'zh*`v;

%=;8a0,qr{C

inetd/telnet inetd /etc/inetd.conf telnet ~q v 'V6LG<a0,+4S#$

X+]\kMj6

v g{I\,{CC~q"9C6

LCJ02+ shell1w*fz

inetd/tftp inetd /etc/inetd.conf viD~+M v ZKZ 69 a) UDP ~q

v T root C'm]KP"RI\#0

2+

v I NIM 9C

v }Gz}9C NIM rXk}<^

L$w>,qr{C


inetd/time inetd /etc/inetd.conf Oz1d~q v I rdate |n9CD inetd DZ

?&\#

v ICw TCP k UDP ~q

v P1Z}<1CZ,=1S

v C~qG}1D#9C ntpdate w

*fz

v ;PZz{CC~q4bT53

x4"VJb.s,E\{CC

~q

inetd/ttdbserver inetd /etc/inetd.conf $_ - ;8

}]b~qw

(CZ CDE)

v rpc.ttdbserverd T root C'm]

KP,RI\#02+

v * CDE f(w*h*D~q,+

CDE ;P|2\$w

v ;&CZb?~qwrf02+

TDNN53OKP

inetd/uucp inetd /etc/inetd.conf UUCP xg v }GP9C UUCP D&CLr,

qr{C

inittab/dt init /etc/rc.dt script in the /etc/inittab

@ f G < =

CDE 73v ZXF(t/ X11 ~qw

v 'V0X11 T>\m1XF-i1

(xdcmp),byd| X11 >\G

<=,;zw

v &C;ZvK$w>9C~q#

\bQ|CZb?53

inittab/dt_nogb init /etc/inittab @ f G < =

CDE 73(^

<N}<)

v 1=53dVXt/sEP<N

T>

v k inittab/dt f0Z]`,

inittab/httpdlite init /etc/inittab C Z

docsearch |

nD Web ~

qw

v D5Qw}fD1! Web ~qw

v }GzDzwGD5~qw,q

r{C

inittab/i4ls init /etc/inittab mI$\m1

~qwv kT*"zwtC

v kTzzzw{C

v kTPmI$h*Db?}]b

zwtC

v *`kw"}]bm~rNNd

|C=mIDz7a)'V

inittab/imnss init /etc/inittab docsearch |

nDQw}fv CZD5Qw}fD1! Web ~

qwD;?V

v }GzDzwGD5~qw,q

r{C


inittab/imqss init /etc/inittab CZ0D5Q

w1DQw}

f

v CZD5Qw}fD1! Web ~

qwD;?V

v }GzDzwGD5~qw,q

r{C

inittab/lpd init /etc/inittab BSD P=r!

zgfv Sd|D53S\r!w5

v IT{CC~q+T;"Mw5

=r!~qw

v Z7Or!;\0ls,{CC

~q

inittab/nfs init /etc/inittab xgD~53

/xgE"~

q

v yZ("Z UDP/RPC OD NFS

k NIS ~q

v O$Gn!D

v Tb?zw{CKn

inittab/piobe init /etc/inittab r!z I/O s

K ( C Z r

!)

v &mI qdaemon a;Dw5Dw

H"YQzkr!

v g{r*z}"Mr!w5=~

qwx;SzD53r!,r{

C

inittab/qdaemon init /etc/inittab +X$LrE

kSP(CZ

r!)

v a;r!w5= piobe X$Lr

v g{;S53r!r{C

inittab/uprintfd init /etc/inittab ZK{" v (#;GXhD

v {C

inittab/writesrv init /etc/inittab 4"M= ttys v ;I;%=D UNIX $w>C'9

C

v T~qw"b?}]bk*"z

w{CC~q

v T$w>tCC~q

inittab/xdm init /etc/inittab +3D0X 1 1

T>\m1

v k;*Zb?zzr}]b~q

wOKP

v k;*Z*"53OKP,}G

X11 T>\mGh*D

v g{h*<N,rITZ$w>

OKP

rc.nfs/automountd /etc/rc.nfs T/D~53 v g{9C NFS,*$w>tCC~

q

v ;*QT/20wCZ*"rb

?~qw

rc.nfs/biod /etc/rc.nfs h9 IO X$

Lr(NFS ~

q w y X h

D)

v ;* NFS ~qwtC

v g{;G NFS ~qw,,, nfsdk rpc.mountd {CC~q


rc.nfs/keyserv /etc/rc.nfs 2+ RPC \

?~qwv \m2+ RPC yh*D\?

v T NIS+ 45\X*

v g{z;Z9C NFS"NIS k

NIS+,r{CK~q

rc.nfs/nfsd /etc/rc.nfs N F S ~ q

(NFS ~qw

yyXhD)

v O$*u

v \a)d>mQ;!@#

v g{Z NFS D~~qwOrtC

v g{{CC~q,G4;p{C

biod"nfsd k rpc.mountd

rc.nfs/rpc.lockd /etc/rc.nfs NFS D~x( v g{;Z9C NFS, {CK~q

v g{;(}xg9CD~x(r

{CK~q

v Z0SANS .Vns2+T~21

Pa= lockd X$Lr

rc.nfs/rpc.mountd /etc/rc.nfs NFS D~20

(NFS ~qw

yXhD)

v O$*u

v \a)d>mQ;!@#

v &CvZ NFS D~~qwOtC

v g{{CC~q,G4;p{C

biod k nfsd

rc.nfs/rpc.statd /etc/rc.nfs NFS D~x(

( 4 V 4 |

G)

v (} NFS 5VD~x(

v }GZ9C NFS qr{CC~q

rc.nfs/rpc.yppasswdd /etc/rc.nfs NIS \kX$

L r ( C Z

NIS wXz)

v C4Yw>X\kD~

v ;P1PJbDzwG NIS wXz

1EGXhD,ZyPd|iv

B{C

rc.nfs/ypupdated /etc/rc.nfs NIS |BX$

L r ( C Z

NIS Stz)

v SUI NIS wXzFxD NIS }

]b3d

v ;P1PJbDzwGw NIS ~

qwD NIS Stz1EGXhD

rc.tcpip/autoconf6 /etc/rc.tcpip IPv6 gf v }GZKP IPV6,qr{C

rc.tcpip/dhcpcd /etc/rc.tcpip /,wzdC

- i ( M '

z)

v b?~qw;&C@5Z DHCP#

{CC~q

v g{wz;Z9C DHCP,r{C

rc.tcpip/dhcprd /etc/rc.tcpip /,wzdC

-i(PLv a! DHCP c%""M|G=m

;xgD~qw

v Z7IwOiR=D~qD1>

v g{;Z9C DHCP r@5ZZ

xgd"ME",r{C


rc.tcpip/dhcpsd /etc/rc.tcpip /,wzdC

-i(~qwv Z}<1SM'z&p DHCP k

s;xhM'zE",}g IP {

F"Ek"xZk"7Iwkc

%X7

v g{;Z9C DHCP ,r{CC

~q

v Zzzkb?~qw,,;Z9

C DHCP DwzO{C

rc.tcpip/dpid2 /etc/rc.tcpip }ZD SNMP

~qv }Gh* SNMP,qr{C

rc.tcpip/gated /etc/rc.tcpip SZdXFD

7Iv Bf7Iw&\

v {CC~q"9C RIP r7Iwf

z

rc.tcpip/inetd /etc/rc.tcpip inetd ~q v 9WX#$53rIT{CC~

q,+b(#G;5JD

v {CC~qa{C;)J~k Web

~qwh*D6L shell ~q

rc.tcpip/mrouted /etc/rc.tcpip `%7I v Bf7IwZxNd"M`cc

%E"|D&\

v {CK~q#9C7Iwfz

rc.tcpip/names /etc/rc.tcpip DNS {F~q

wv ;Pg{zDzwG DNS {F~

qwD0,9CKn

v T$w>"*"kzzzw{C

rc.tcpip/ndp-host /etc/rc.tcpip IPv6 wz v {C,}G9C IPV6

rc.tcpip/ndp-router /etc/rc.tcpip IPv6 7I v {C,}G9C IPV6#<G9C

7Iwfz IPv6

rc.tcpip/portmap /etc/rc.tcpip RPC ~q v XhD~q

v RPC ~qwC portmap X$Lr

"a#h*(; RPC ~qDM'

z*s portmap X$Lrf_|

GX(D~q;ZN&

v ;P1zQI&uY RPC ~q,

Sx(;#`DG portmap 1,

{C

rc.tcpip/routed /etc/rc.tcpip SZdD RIP

7Iv Bf7Iw&\

v {Cg{zPCZxgdDE"

|D7Iw

rc.tcpip/rwhod /etc/rc.tcpip 6L0w h o1

X$Lrv U/"c%}]4`S,;xg

OD~qw

v {CC~q


rc.tcpip/sendmail /etc/rc.tcpip J~~q v T root C'm]KP

v {CC~q,}GCzwCwJ

~~qw

v g{{C,G4vTBD;n:

– Z crontab EC;n4e}S

P#9C /usr/lib/sendmail -q|n

– dC DNS ~qw,Sx+M~

qwDJ~=3)d|D53

rc.tcpip/snmpd /etc/rc.tcpip r%xg\m

-iv g{z;Z(} SNMP $_`S

C53,r{C

v ZX|~qwOI\h* SNMP

rc.tcpip/syslogd /etc/rc.tcpip B~D53U

>

v ;(i{CC~q

v crZ\x~q%w

v NN53Xh

rc.tcpip/timed /etc/rc.tcpip ID1dX$

Lrv {CC~q"9C xntp zf

rc.tcpip/xntpd /etc/rc.tcpip BD1dX$

Lrv Z sync P#V53OD1S

v {CC~q#

v dCd|53*1d~qw"(

}9CwC ntpdate D cron w5C

d|53kd,=

dt login /usr/dt/config/Xaccess 4^FD CDE v g{;a) CDE G<= X11 >

Di,IT^F dtlogin =XF

(#

d{ FTP -i~q user rmuser -p <username> d{ FTP -i v d{ FTP -i\&9z;\zY

3vX(C' FTP D9C

v g{C'J'fZ,r}%C'

ftp,4gBYw:rmuser -p ftp

v (}+ /etc/ftpusers D~(xP

G);IT9C ftp DC'DP

m)2k53ITqC|_D2

+T


d{ FTP 4k d{ ftp OX v ;PD~tZ ftp#

v FTP d{OXJmZ53O2C&

m;1zkD1\#

v QG)zk*{9DC'D{F

E= /etc/ftpusers D~

v ;)534(DC'(zI\k

*{9(} FTP d{OX=53

D C ' ) D > } G :

root"daemon"bin.sys"admin.uucp"guest"nobody"lpd"

v |D ftpusers D~DyP_Mi

(^,4gBy>:
chown root:system /etc/ftpusers

v |D ftpusers D~DmI(,9

.*|OqDhC,gBy>:

chmod 644 /etc/ftpusers

ftp.restrict ftp =53J' v ;&CJmb?C'(} ftpusersD~f; root D~

root.access /etc/security/user rlogin/telnet =

root J'v Z /etc/security/user D~hC

rlogin !n* false

v T root C'm]G<DNNK&C

HTT:D{FG<,;s+ suD* root;ba)KsFzY

snmpd.readWrite /etc/snmpd.conf SNMP A4E

ev g{;Z9C SNMP,r{C

SNMP X$Lr#

v Z /etc/snmpd.conf D~P{CE

e private kEe system

v TG)}`Sz53D IP X7^

F0public1Ee

syslog.conf dC syslogd v g{94dC /etc/syslog.conf,r{CCX$Lr

v g{}9C syslog.conf 4G<5

3E",r#V|GtCD


=< D. xg~q!n**

*9532+To=O_6p,IT9C 0 {CM 1 tC4|D8vxg!n#TBPmj6Kb)ITk no |n;p9CDN}#

N} |n C>

bcastping /usr/sbin/no -o bcastping=0 JmTc%X7l& ICMP XME"|#{C|4@9 Smurf %w#

clean_partial_conns /usr/sbin/no -o clean_partial_conns=1 8(Gq*\b SYN(,=rPE)%w#

directed_broadcast /usr/sbin/no -o directed_broadcast=0 8(GqJmTxXxP(rc%#hC* 0 PzZ@9(rE"|=o6Lxg#

icmpaddressmask /usr/sbin/no -o icmpaddressmask=0 8(53Gql& ICMP X7Zkks#{C|IT@9(}47I%wxPCJ#

ipforwarding /usr/sbin/no -o ipforwarding=0 8(ZKGq&*"E"|#{C|IT@9X(rDE"|=o6Lxg#

ipignoreredirects /usr/sbin/no -o ipignoreredirects=1 8(Gq&mU=DX(r#

ipsendredirects /usr/sbin/no -o ipsendredirects=0 8(ZKG&Cq"MX(rEE#{C|IT@9X(rDE"|=o6Lxg#

ip6srcrouteforward /usr/sbin/no -o ip6srcrouteforward=0 8(53Gq*"47I IPv6 E"|#{C|IT@9(}47I%wxPCJ#

ipsrcrouteforward /usr/sbin/no -o ipsrcrouteforward=0 8(53Gq*"47IE"|#{C|IT@9(}47I%wxPCJ#

ipsrcrouterecv /usr/sbin/no -o ipsrcrouterecv=0 8(53GqS\47IE"|#{C|IT@9(}47I%wxPCJ#

ipsrcroutesend /usr/sbin/no -o ipsrcroutesend=0 8(&CLrGq\;"M47IE"|#{C|IT@9(}47I%wxPCJ#

nonlocsrcroute /usr/sbin/no -o nonlocsrcroute=0 f_0xJ-i1Oq47IE"|ITT>XxgTbDwz07#{C|IT@9(}47I%wxPCJ#

tcp_pmtu_discover /usr/sbin/no -o tcp_pmtu_discover=0 {C|IT@9(}47I%wxPCJ#

udp_pmtu_discover /usr/sbin/no -o udp_pmtu_discover=0 tCr{C TCP &CLrD76 MTU "V#{C|IT@9(}47I%wxPCJ#

XZIwxg!nD|`E",kND6AIX 5L V5.2 T\\m8O7#
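The table above pairs each network tunable with the `no -o` command that hardens it. As an added example (not from the guide itself), the following POSIX shell script compares a listing in the "name = value" shape that `no -a` prints against those hardened values and emits only the `no -o` commands still needed; the hardened list mirrors the table (using the real tunable name `nonlocsrcroute`) and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the AIX 5L guide): audit `no` tunables against the table above.

# Hardened values copied from the table (name=value). nonlocsrcroute is the
# real tunable name; the table's parameter column spells it nonlocsroute.
HARDENED="bcastping=0 clean_partial_conns=1 directed_broadcast=0 icmpaddressmask=0
ipforwarding=0 ipignoreredirects=1 ipsendredirects=0 ip6srcrouteforward=0
ipsrcrouteforward=0 ipsrcrouterecv=0 ipsrcroutesend=0 nonlocsrcroute=0
tcp_pmtu_discover=0 udp_pmtu_discover=0"

# Constructed sample in the "name = value" shape that `no -a` prints, for a
# host still on several defaults; ip6srcrouteforward is deliberately absent.
# This is made-up data, not output captured from a real system.
SAMPLE_NO_A="bcastping = 0
clean_partial_conns = 0
directed_broadcast = 1
icmpaddressmask = 0
ipforwarding = 0
ipignoreredirects = 0
ipsendredirects = 1
ipsrcrouteforward = 1
ipsrcrouterecv = 0
ipsrcroutesend = 1
nonlocsrcroute = 1
tcp_pmtu_discover = 1
udp_pmtu_discover = 1"

# audit_no_settings TEXT: for every hardened tunable, print the `no -o`
# command that would fix it when TEXT shows a different value, or a
# comment line when TEXT does not report the tunable at all.
audit_no_settings() {
  for kv in $HARDENED; do
    name=${kv%=*}; want=${kv#*=}
    have=$(printf '%s\n' "$1" | awk -v n="$name" '$1 == n && $2 == "=" { print $3 }')
    if [ -z "$have" ]; then
      printf '# %s: not reported, check that this release has the tunable\n' "$name"
    elif [ "$have" != "$want" ]; then
      printf '/usr/sbin/no -o %s=%s   # currently %s\n' "$name" "$want" "$have"
    fi
  done
}

# count_noncompliant TEXT: number of tunables that still need a `no -o` change.
count_noncompliant() {
  audit_no_settings "$1" | awk '/no -o/ { n++ } END { print n + 0 }'
}

# On a real host: audit_no_settings "$(/usr/sbin/no -a)"
audit_no_settings "$SAMPLE_NO_A"
```

Settings changed with `no -o` do not persist across a reboot on AIX 5.2 unless they are also applied from a startup script, so a periodic run of this audit is what confirms the hardened state is still in place.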

© Copyright IBM Corp. 2002, 2003 231


=< E. yw

>E"G*Z@za)Dz7M~q`4D#

IBM I\Zd|zRrXx;a)>D5PV[Dz7"~qr&\XT#PXz10yZxrDz7M~q

DE",krz1XD IBM zmI/#NNT IBM z7"Lrr~qD}C"GbZw>r5>;\9C

IBM Dz7"Lrr~q#;*;V8 IBM D*6z(,NN,H&\Dz7"Lrr~q,<ITzf IBM

z7"Lrr~q#+G,@@Mi$NNG IBM z7"Lrr~q,rIC'TP:p#

IBM +>I\Q5Pr}Zjkk>D5Z]PXDwn({#a)>D5"4ZhC'9Cb)({DNN

mI$#zITCif==+mI$i/Dy:

IBM Director of Licensing

IBM Corporation

North Castle Drive

Armonk, NY 10504-1785

U.S.A.

>un;JC"zrNNbyDunk1X(I;;BDzRrXx:zJL5zw+>T04V41Dy!

a)>vfo,;=PNNN=D(^[Gw>D,9G,>D)#$,|((+;^Z)TGV(T"Jz

TMJCZ3X(C>D,>#$#3)zRrXxZ3);WP;Jmb}w>r,>D#$#rK>un

I\;JCZz#

>E"PI\|,<u=f;;<7DX=r!"ms#K&DE"+(Z|D;b)|D+`k>JODB

f>P#IBM ITf1T>JOPhvDz7M/rLrxPDxM/r|D,x;mP(*#

>LrD;mI=g{*KbPXLrDE"To=gB?D:(i)JmZ@"4(DLrMd|Lr(|

(>Lr).dxPE";;,T0(ii)JmTQ-;;DE"xP`%9C,kkTBX7*5:

IBM Corporation

Dept. LRAS/Bldg. 003

11400 Burnet Road

Austin, TX 78758-3498

U.S.A.

;*qXJ1Du~Mun,|(3)iNBD;(}?D6Q,<IqCb=fDE"#

>JOPhvDmILr0dyPICDmIJOyI IBM @] IBM M'-i"IBM zJLrmI$-i

rNN,H-iPDuna)#

PX+VZ(DBCS)E"DmI$i/,kkzyZzRrXxD IBM *6z(?E*5,rCif==+

i/Dy:

IBM World Trade Asia Corporation

Licensing

2-31 Roppongi 3-chome, Minato-ku

Tokyo 106, Japan

IBM IT4|O*J1DNN==9CrV"zya)DNNE"x^kTzP#NNpN#


f0G IBM z7DE"ISb)z7D)&L"dvf5wrd|I+*qCDJOPq!#IBM ;PTb

)z7xPbT,2^(7OdT\D+7T"f]TrNNd|XZG IBM z7Dyw#PXG IBM z7

T\DJb&1rb)z7D)&Lav#

>E"PTG IBM Web >cDNN}C<;G*K=cp{Ea)D,;TNN==d1TG) Web >c

D#$#C Web >cPDJO;G IBM z7JOD;?V,9CG) Web >cx4DgU+IzTPP##

CE"|,KU#L5YwP9CD}]M(f>}#k!I\j{X5wb)}]M(f,>}P|,v

K"+>"LjMz7D{F#yPb){F<Gi9D,g{k5J+>s5D{FMX7PNN`Fr?

tIO#

Lj

TBuoGzJL5zw+>Z@zM/rd|zRDLj:

AIX

AIX 5L

DB2

IBM

Lotus Notes

POWER3

POWER4

RS/6000

SecureWay

UNIX G The Open Group Z@zMd|zRrXxD"aLj#

Java MyPyZ Java DLjMUjG Sun Microsystems, Inc. Z@zM/rd|zRrXxD"aLj#

Microsoft"Active Directory M Windows G Microsoft Corporation Z@zM/rd|zRrXxDLj#

d|+>"z7r~q{FI\Gd|+>DLjr~qjG#


w}

[A]2+T

Yw53 181

ri

\mNq 38

i\ 3

\mNq 27

O$ 42

6p 42

xJ-i(IP) 129

NIS+ 183

\m(^ 191

6p 184

>$ 186

O$ 183

Z( 183, 188

we 184

root J' 23

TCP/IP 117

2+TN}w}(SPI)

M2+TX* 131

2+TX*(SA) 131

km@DX5 137

2+"b|

dC 7

2+ NFS 193

2+ RPC \k 181

[B]8]

G+ 24

Z( 25

>X>$ 186

[C]Yw532+T 181

2+ RPC \k 181

E 181

O$ 181

4(\?}]b 151

ELdn53

S,}dnDiNPV4 44

Ev 43

hC 44

[D]G<XF 20

#$^KU\UK 21

|D6-{" 20

|D CDE G<A; 21

L(531!G<N} 21

?FT/"z 21

hC 20

G<C'j6 29, 43

[F]CJ==

y>mI( 36

CJXF

)9mI( 36

Pm 34, 37

CJ( 188, 190

~qw

2+TE"

LDAP 59

[G]|D\?}]b\k 155

+2j<

,1kND\XDCJ#$E*D~M@@#$6p

4+ 8

+*\?S\(

2+ NFS 193

+C\?y!a9 75

XU

Z( 24

\mG+ 24

8] 24

Ev 24

XU 24

\k 24

Z( 25

,$ 24

\m(^ 191

}Kw

fr 132

Mm@DX5 136

}Kw,hC 160


[H]V4

G+ 24

Z( 27

n/?< 205, 208

[J]y>mI( 36

G< IP 2+T 166

G+ 24

8] 24

Ev 24

XU 24

\k 24

Z( 25

,$ 24

[K]IEFcb

Ev 3

IELr 6

IED~

li 5

sF 49

sF2+4, 4

9C tcbck |nli 4

D~53

li 5

IE(E76

C> 6

)9mI( 36

[L]`t}]\mm@

9CyZ Web D53\mw 141

9C XML 140

[M]\k 38

2+ RPC 181

)9^F 42

h(P'D\k 39

Z(|D 24, 25, 26

FvD\k!n 41

/etc/password D~ 39

\?

4(}]b 151

\? (x)

|D}]b\k 155

\?\m

Mm@ 131

\?\mw 151

\?}]bDENhC,(" 152

\?}]b,("ENhC 152

[P]dn53

NDELdn53 43

>$ 186

>X 186

DES 186

[Q]s5m]3d 201

10=8 202

a?6?<CJ-i(kND LDAP) 59

[R]O$ 186

O$PD(CA)

S}]bP>}y$i 153

SU$i 154

jk$iS 153

mSy$i=}]bP 152

ENhC 152

CA Pm 151

[S]>}vK}V$i 155

>} CA y}V$i 153

sF

Ev 47

G<

B~!q 50

G<&m 52

G<q= 49

G<B~

hv 49

lbB~ 47

ZKsFzY 48

ZKsFzY== 50

dC 49

hC 53

B~!q 48


sF (x)

>},`tsFU>=8 55

>},51D~`S 55

U/B~E" 47

watch |n 53

\XDCJ#$E*D~M@@#$6p 4+ 8

20 CAPP/EAL4+ 53 9

\mgf 8

C'gf 9

'VD53 9

CAPP/EAL4+ Mxg20\m(NIM)73 10

CAPP/EAL4+ J&D53 8

Z( 188

` 188

kcNa9 189

}V$i

4(\?}]b 151

4( IKE (Db0 155

\m 151

SU 154

>}vK 155

>}y 153

jk 153

mSy 152

ENhC 152

m@

M\?\m 131

!qDV`M 138

k}KwDX5 136

k SA DX5 137

[T]mS CA y}V$i 152

[W]xJ-i

2+T 129

Yw53 129

&\ 130

IKE &\ 130

xJ-i(IP)2+T 129

20 134

N< 179

G< 166

dC 160

f. 135

Jb7( 170

$(e 164

xgIEFcb 121

xgO$~q 205, 208

xgO$~q(NAS) 203

[X]ib(Cx(VPN) 129

mI(

y> 36

)9 36

[Y]rXx$LNq?F(IETF) 129

rXx\?;;

kND IKE 130

C' 24, 26

mS 24, 26

C'\m

LDAP 61

C'J'

XF 28

C}V$i4( IKE (Db0 155

[Z]$iO$~q

Ev 75

we

2+T 184

CCAPP/EAL4+

,1kND\XDCJ#$E*D~M@@#$6p

4+ 8

Ddacinet 123

DES >$ 186

EEIM

m{s5m]3d 201

Fflush-secldapclntd 68

ftp 203

w} 237


IIKE

&\ 130

IKE (Db0

4(

9C}V$i 155

IP

kNDxJ-i 129

IP 2+T

2+TX* 131

}Kw 132

km@ 136

}V$i'V 133

m@

M}Kw 136

M SA 137

!qDV`M 138

m@M\?\m 131

SA 137

IPv4

m{xJ-i(IP)2+T 129

IPv6 129

KKerberos 203

2+ rcmds

ftp 203

rcp 203

rlogin 203

rsh 203

telnet 203

xPC'D AIX O$ 205

9C KRB5 20MdC Kerberos /IG< 205

9C KRB5A 20MdC Kerberos /IG< 208

keylogin |n

2+ NFS 193

KRB5 205

KRB5A 208

LLDAP

2+E"~qw

hC 59

2+S53D*" 59

M'z

hC 60

sF

2+E"~qw 62

C'\m 61

ldap

mksecldap 63

LDAP tT3d 69

ldap.cfg D~q= 69

ls-secldapclntd 67

Mmgrsecurity 23, 27, 38

mksecldap 63

mount |n

2+ NFS

D~53 198

NNFS(xgD~53)

2+ NFS 193

+*\?S\( 193

\m 196

dC 197

O$*s 194

gN<vD~53 198

xg{F 195

xg5e 195

D~53 198

T\ 196

/etc/publickey D~ 196

NIS+

2+T 183

we 184

OOpenSSH

20MdC 109

`kDdC 110

ri 109

9CxP Kerberos V5 112

Kerberos V5 'V 112

Web X7 109

PPAM

wT 104

|D /etc/pam.conf file 104

/I AIX 105

i\ 101

b 101

#i 102


PAM (x)

dCD~

/etc/pam.conf 103

mS#i 104

PKI 75

Rrcp 203

restart-secldapclntd 67

rlogin 203

root C'xL

\& 35

root J' 23

{C1SD root G< 23

rsh 203

SSAK 7

secldapclntd 66

sectoldif |n 68

setgid Lr

9C 35

setuid Lr

9C 35

start-secldapclntd 66

stop-secldapclntd 67

TTCB 3

tcbck |n

dC 6

9C 4

TCP/IP

2+T 117

IE shell 118

}] 123

X(ZYw53D 117

X(Z TCP/IP 118, 120

^F FTP C' 120

6L|n4PDCJ( 119

DOD 123

NTCB 121

SAK 118

kND0xJ-i1 130

IP 2+T 129

20 134

N< 179

f.dC 135

Jb7( 170

TCP/IP (x)

IP 2+T (x)

$(e}Kwfr 164

IKE &\ 130

.netrc 118

/etc/ftpusers 120

/etc/hosts.equiv 119

/usr/lib/security/audit/config 118

telnet 203

VVPN

f& 133

XXML 140, 141

[XpV{].netrc 118

/etc/publickey D~ 196

/usr/lib/security/audit/config 118


A_b{m

AIX 5L f> 5.22+8O

S152-0648-01

U{ X7

%;0?E

g0Ek


A_b{m

S152-0648-01


kXK_:Br[p

[p"bZ kp9C$iz [p"bZ


ZK

yO

J1

IBM Pz+>O#V+>,:/?

PzO#P4#P7 333 Ep2c! 10 %

J~`k:200021


Pz!"

S152-0648-01