![[Return to Library]](BOOKSHELF.GIF)
![[Contents]](TOC.GIF)
![[Previous Chapter]](REW.GIF)
![[Next Section]](NEXT.GIF)
![[Next Chapter]](FF.GIF)
![[Index]](INDEX.GIF)
![[Help]](HELP.GIF)
Accounts are created and maintained on a trusted system using the Account Manager (dxaccounts) program. The traditional information systems security officer (ISSO), system administrator, and operator roles may be filled by the same person at a given site. An administrator logged in as root can perform the functions of both the security officer (ISSO) and the system administrator that are to set up, modify, and maintain accounts and administer the security aspects of the system. This chapter describes how the dxaccounts program are used to create and maintain accounts.
The traditional role for the system administrator, as it relates to accounts, is to create and retire all user accounts, to create groups, and to modify the account template. On a trusted Digital UNIX system, the dxaccounts program is used.
![[Previous Section]](PREV.GIF)
Use the Create User Accounts dialog box to create one or more user accounts. To create many accounts in a single session, fill in the information for a new user, click on Apply to save the account, then fill in the information for another user.
The new accounts are created without passwords. Use the passwd command to set a temporary passwords for the users.
New accounts are created in a locked state. Users receive an "Account Disabled" message and cannot log in. Use the XIsso Modify User Accounts dialog box to unlock the accounts.
Use the Retire User Account dialog box to permanently lock a user account.
Use the Create New Group dialog box to add a new group.
An account template is used to establish the account parameters when a new account is created. The ISSO sets default parameters for the system. These defaults apply to all users in the system, but the ISSO can override them for an individual user. Similarly, the system administrator can override these defaults for an individual ISSO.
The ISSO is responsible for modifying all (non-ISSO) accounts once they have been created by the system administrator. Use the Accounts dialog box to access the Modify User Accounts dialog box.
An account template is used to establish the account parameters when a new account is created. The ISSO sets default parameters for the system. These defaults apply to all users in the system, but the ISSO can override them for an individual user. Use the Accounts dialog box to access the Modify Account Template box, which provides the screen to make the changes.
The authentication subsystem verifys that users who log in to the system have the required password. It is the framework in which processes, protected subsystems, and the kernel work together to ensure that only authorized users and their processes gain access to the system.
The ISSO is responsible for ensuring that all user authorizations, whether they are set explicitly or by default, conform to a site's security requirements.
The authentication subsystem uses and maintains the following security databases. These databases contain parameters and statistics for the system, for users, and for terminals. For a summary of the contents of these databases, see Chapter 17 and the appropriate reference pages:
You can use the Network Information Service (NIS) to centralize the management of the password, group, and extended profile information. A NIS master server can serve an environment of NIS clients that includes ULTRIX and Digital UNIX machines with and without extended profiles, and non-Digital machines with ordinary UNIX passwords and groups. NIS is documented in the Network Administration manual.
The following section review the account databases and their relationships.
BASE (BSD) security is the traditional level of security that is available on UNIX systems. The local BASE user account databases are held in /etc on each system.
The /etc/passwd file in conjunction with the /etc/group file comprises the BASE user account database and is used to allow or deny a user access to the system and files on the system in addition to a variety of other functions.
Each line of /etc/passwd contains information about one user account. This file contains the users name, UID, password, and several other pieces of information. The passwd command is used to change a user's local BASE password.
The /etc/group file contains group information. The groupadd, groupdel, groupmod, and groups commands are used to manipulate local BASE group information.
The adduser, addgroup, useradd, userdel, usermod, and vipw commands are used by the system manager to add and change user account information.
NIS can be used to distribute all or part of the BASE user account database to systems across the network. When you are running NIS over BASE security you have two user account databases:
The entries in the NIS-distributed BASE user account database have the same fields as the /etc/passwd file entries.
A user's account information may be partially distributed. If the user's entry in the /etc/passwd file has a prepended "+", both databases are read with the information from the /etc/passwd file (except for the UID and gid fields) overlaying the information from the NIS distributed user account database.
The /etc/passwd file on each system must contain a "+:" as the last entry to allow users from the NIS distributed BASE user account database to log in.
| Symbol | Description |
| +: | If a user is not found in the local file, authenticate using the NIS file. |
| +username | Local file field overrides NIS. Used for partial distribution. |
| -username | User is excluded from all matches by local control. |
| +@netgr: | List of users to authenticate using the local file. See the netgroup(4) reference page. |
| -@netgr: | List of users to refuse using the NIS file. See the netgroup(4) reference page. |
| +:*: | Sends all password requests to the NIS map. |
The passwd command is used to change the password in the local BASE user account database, while the yppasswd command is used to change the password (and possibly other fields) in the NIS distributed BSD user account database.
To change NIS-distributed BASE user account database entries, the system manager does the following:
Installing the optional enhanced security subsets provides more security features for user accounts. When you are running enhanced security, you have TWO local user account databases.
The local BASE user account database (/etc/passwd) remains intact except for the encrypted password, which is held in the enhanced security local protected password database (/tcb/files/auth.db or /var/tcb/files/auth.db). If the /etc/passwd file contains an encrypted password it is ignored unless C1Crypt is being used. The other fields (gecos, shell, and so forth) are used as they normally would be.
The enhanced local protected password database contains the username and UID (to uniquely identify a user), the encrypted password, and a set of keyword-identified values used by enhanced security (see prpasswd(4) for a description of these values). Each user account in the local protected password database is backed by the system template (/etc/auth/system/default). If a value is not defined for a user in the protected password database, it is taken from the template. There should be entries in BOTH databases (with username and UID both matching) for each user.
A user runs the passwd command is to change his protected password.
The CDE Account Manager (or dxaccounts program) is used by the system manager to add and change user account information (including passwords).
NIS can be used to distribute part or all of the enhanced protected password database as well as part or all of the BSD user account database.
When you are running NIS over enhanced security you have FOUR user account databases:
The svc.conf file "auth=" entry indicates which order the enhanced protected password databases should be searched in (local first or NIS ("yp") first).
The "+" override feature still works the same as always for the BASE user account database (/etc/passwd).
Note
When you have NIS running and you are first updating to enhanced security, secsetup creates extended passwords for the +username entries in the /etc/passwd file only if you answer yes to the "Create entries for NIS users" question in secsetup.
There is no override feature for the protected password database. An entry in the protected password database is contained completely in either the local enhanced protected password database or in the NIS distributed enhanced protected password database. Both databases are backed by the local template.
Use the passwd command to change the password in the local or NIS distributed enhanced protected password database. Use the yppasswd command to change the fields in the NIS-distributed BASE user account database that you've always been able to change with yppasswd.
To change your password when you are running both enhanced and NIS you should use passwd to change the password regardless of whether your protected password database entry is local or distributed. Using the search list in the svc.conf file for "auth=", the passwd command updates the password in the first protected password database entry it finds for the specified user, even if that entry is in the NIS-distributed protected password database.
The procedure in Section 9.3.6 describes one method that can be used to create an NIS distributed protected password database using the existing local BASE user account database.
It is very important that each protected password database entry exists in only one database either the local protected password database or the NIS-distributed protected password database. The routines that check and manipulate the protected password database information work on the first copy found (as defined in svc.conf file). YP routines work on the NIS-distributed protected password database only. This can cause some confusing results if you have the same entry in both places. If this happens delete one of the copies.
It is strongly recommended that you do not distribute the root account information. This allows you to still log in to the client systems using the root account if your NIS server is down.
If NIS is running on the master server, you must stop NIS using the /sbin/init.d/nis stop command.
The following setup information is specific to an NIS master server that is supporting clients using enhanced security:
If you have a large existing NIS distributed BASE user accounts database you can automate the creation of the NIS distributed protected password database by doing the following:
#
convuser -Mc
If NIS is running on the slave server, you must stop NIS using the /sbin/init.d/nis stop command. The following setup information is specific to an NIS slave server that is supporting clients using enhanced security:
If NIS is running on the master server, you must stop NIS using the /sbin/init.d/nis stop command. The following is the setup information that is specific to an NIS client using enhanced password security:
To move existing local accounts to NIS, use the following command:
#
edauth -Lg | edauth -NsC
If you need to remove the NIS support from your trusted client system first disable NIS for authentication data, then enter the following command on the client:
#
edauth -gN | edauth -sLC
The protected password database on the client machine is updated with any accounts from the NIS database that are not present in the local database.