
AIX 5.



SC43-0499-07

AIX 5.3



SC43-0499-07



. 357.

( 2010 )
AIX 5L 5.3 ,
.
. ,
: Information Development, Department 04XA-905-6B013, 11501 Burnet Road, Austin,
Texas 78758-3400. :
pserinfo@us.ibm.com. IBM
- .
Note to U.S. Government Users Restricted Rights - - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM Corp.
Copyright IBM Corporation 2002, 2010.


. . . . . . . . . v
AIX . . . . . . . . . v
ISO 9000 . . . . . . . . . v

. . . . . . . . . . . . . . . 1
. . . . . . 1
. . . 1
, . . . . . . . 39
. . . . . . . . 71
. . . . . . . . 84

(LDAP) . . . . . . . . . . . . . . . 97
#11 . . 115

X.509 . . . . 118
. . . . 150
OpenSSH . . . . . . . . . 158
. . . . . . . . . . . . . . 164
TCP/IP . . . . . . . . . . . . 164
. . . . . . . . . . . 172
IP . . . . . . . . . . 176
NIS NIS+ . . 238
. . . . . 248
256
Kerberos . . . . . . . . . . . . . . 258
RADIUS. . . . . . . . . . . . 271
AIX . . . . . . 304
AIX . . . . . . . . . 307
AIX . . . . . . . . . 308

AIX . . . . . . . . . . . 308


AIX . . . . . . . . . . . . . . . 311

AIX . . . . . . . . 312

AIX . . . . . . . . 314


AIX
/etc/inittab . . . . . . . . . . . . . .
/etc/rc.tcpip
AIX . . . . . . . .
/etc/inetd.conf
AIX . . . . . . . .
SUID AIX . . .

AIX . . . . . . . . . . .
,
,
AIX . . . . . . . . . . . . . . .

AIX . . . . . . . . . . .
IPsec
AIX . . . . . . . . . . .
AIX. . .

AIX . . . . . . . . . . .

AIX . . . . . . . . . . .
AIX . . . . .

AIX . . . . . . . .

AIX . . . . . . . .

AIX . . . . . . . .

AIX . . . . . . . . . . .
. . . . . . . .
, . . . . . . . .
AIX . . . . .
. . . . . . . . . . .

315
317
320
327
328

330
330
334
335
337
338
338
339
339
340
340
340
341
342
353

. . . . . . . . . . . 357
.

. 358

. . . . . . . . . . . . . . 359


AIX 5.3:


, , ,
. ,
, ,
. - ,
.

, , , , ,
. ,
, - , , ..

, .

,
, , .

AIX
AIX , .. .
, ls. LS,
, . , FILEA, FiLea filea
, .
.

ISO 9000
ISO 9000.



AIX , ,
, .
- ,
.
PDF, .
: Adobe Reader: PDF
Adobe Reader. Web- Adobe
(www.adobe.com/products/acrobat/readstep.html).


.
,
AIX .


AIX .


.
.
(TCB) - ,
. TCB
. TCB .
TCB . TCB
,
(SAK).
:
TCB - , . TCB
,
.
,
( tcbck).
(BOS). TCB ,
tcbck .
TCB.
TCB BOS
. .
TCB 2 Enter.
TCB , /dev
TCB. , TCB 600 ,

/etc/security/sysck.cfg. TCB
(, , - ) .
TCB:
(TCB)
.
tcbck . tcbck
, /etc/security/sysck.cfg.
TCB, .
/etc/security/sysck.cfg , , .
, ,
.
.
TCB tcbck ,
(CAPP) 4+ (EAL4+). CAPP/EAL4+
4+ . 6.
sysck.cfg:
tcbck /etc/security/sysck.cfg , .
/etc/security/sysck.cfg.
:
, .
aclget.
sysck
aclput.

acl

class
group
links

mode

owner
program

source


: SUID, SGID SVTX ,


mode, .
. ,
tcbck . .
. tcbck
.
, . -
, tcbck . tree ,
tcbck , .
tree, tcbck ,
.
, . SUID, SGID, SVTX TCB.
,
9- . , 755 rwxr-xr-x.
tcbck
.
.
tcbck .
, . -
. .
: -y, -n, -p -t, ,
tcbck.
, .
, ,
, .
.

symlinks

, . -
, tcbck.
tree, tcbck ,
.

/etc/security/sysck.cfg ,
.
tcbck:
tcbck , ;
, , ,
.
, tcbck :
v ,
v ,
v ,
tcbck :
v

cron
v

v
sysck.cfg
.
, TCB sum .
TCB , ,
md5sum. textutils RPM - AIX
Toolbox for Linux Applications.
:
tcbck
tcbck.
tcbck :
tcbck -y ALL

tcbck tcbck,
/etc/security/sysck.cfg.
,
/etc/rc.
:

tcbck.

:
tcbck -t tree

tcbck tree, (
). tcbck
, . ,
:
v root SetUID, .
v SetGID,
.
v tcb, .
v ( ), .
v , /etc/security/sysck.cfg,
.
v ,
/etc/security/sysck.cfg, .
: tcbck
/etc/security/sysck.cfg. .
/etc/security/sysck.cfg -l.
: tcbck -y tree. ,
TCB, .
:
/etc/security/sysck.cfg tcbck.
/etc/security/sysck.cfg :
tcbck -a [=]

,
. /etc/security/sysck.cfg.
, SetUID root /usr/bin/setgroups,
/usr/bin/getgroups:
tcbck -a /usr/bin/setgroups links=/usr/bin/getgroups

jfh jsl, developers,


/usr/bin/abc, :
tcbck -a /usr/bin/abc setuids=jfh,jsl setgids=developers

,
/etc/security/sysck.cfg. :
tcbck -t tree

, /etc/security/sysck.cfg.
:
, /etc/security/sysck.cfg,
.
, /etc/cvid, :


tcbck -t ALL

:
3001-020 /etc/cvid .

/etc/security/sysck.cfg.
:
tcbck -d /etc/cvid

:
(TCB).
:
.
getty shell ,
. .
:
SAK (Ctrl-X,
Ctrl-R).
: SAK , ,
, (, /dev/console
/dev/tty0).
:
v
SAK:
, .
,
, , , .
, who .
v . :
root. root
. , root
.
su, passwd newgrp.
.
:
.
, SAK
. /etc/security/login.cfg
sak_enabled. - True, SAK .
(, uucp),
/etc/security/login.cfg :
sak_enabled = false

( ) SAK .
SAK :
sak_enabled = true

4+

(CAPP) 4+ (EAL4+).
, BOS,
.
CAPP/EAL4+:
CAPP - ,
(CAPP) .
CAPP ,
TCSEC C2 ( ).
, (CC), - ,
, .. ISO 15408,
. , ,
CAPP/EAL4+.
CC, CC
( ).
. , , ,
. CAPP, CC
AIX 5.3. , IPsec
, , .
AIX 5.3 CAPP/EAL4+ , 64-
POWER3 POWER4, :
v (LVM) (JFS2)
v X-Windows CDE
v TCP/IP 4 (IPv4): Telnet, FTP, rlogin, rsh/rcp
v (NFS)
CAPP/EAL4+ , :
v ,
.
v .
v NFS
.
:
v ( , , ,
..)
v ( , ,
..)
v DAC ( ACL ,
IPC TCP)
v
v diag


v su (root)
,
.
:
v passwd
v su
v at, batch crontab,
v DAC ( ACL
IPC)
v (, )
(, telnet ftp)
,
.
AIX 5.3 CAPP/EAL4+ IBM eServer pSeries
Symmetric Multiprocessor (SMP) POWER3-II (IBM eServer pSeries 610)
, SMP RS64 IV (IBM eServer pSeries 660), SMP
POWER4 (IBM eServer pSeries 690) SMP POWER5 (IBM System p5 520, System p5 570,
System p5 595). ,
CD-ROM ,
. : Ethernet
Token-Ring.
CAPP/EAL4+ POWER4 (IBM eServer pSeries 630, IBM
eServer pSeries 650 pSeries 690), .
, CD-ROM
,
. : Ethernet Token-Ring.
SCSI.
:
$HOME/.rhosts .
AIX 5.3 System p5 POWER5
CPU (p5-520, p5-570, p5-595).
CAPP/EAL4+:
CAPP/EAL4+ BOS :
1. .
2. ,
CAPP EAL4+. .
CAPP EAL4+ :
v .
v .
v 64- .
v (JFS2).
CAPP EAL4+ ,
,
CDE.

bosinst.data,
INSTALL_TYPE CC_EVAL,
:
control_flow:
CONSOLE = ???
PROMPT = yes
INSTALL_TYPE = CC_EVAL
INSTALL_METHOD = overwrite
TCB = yes
DESKTOP = NONE or CDE
ENABLE_64BIT_KERNEL = yes
CREATE_JFS2_FS = yes
ALL_DEVICES_KERNELS = no
FIREFOX_BUNDLE = no
HTTP_SERVER_BUNDLE = no
KERBEROS_5_BUNDLE = no
SERVER_BUNDLE = no
ALT_DISK_INSTALL_BUNDLE = no
locale:
CULTURAL_CONVENTION = en_US or C
MESSAGES = en_US or C

AIX 5L 5.3
5300-07 :
1. , AIX 6.1
5300-07 Download Director. AIX
web-: http://www14.software.ibm.com/webapp/set2/sas/f/genunix3/aixfixes.html.
2. Search by APAR number or abstract IY88827
.
3. APAR . Add to my download
list.
4. Continue.
5. Packaging Options Include prerequisites and corequisites Include
ifrequisites. Include fixes that correct regressions Replace superseded fixes with the latest
.
6. 5300-07 .
7. lslpp -Lc. Browse
.
8. Continue.
9. Download fixes Download all filesets using Java applet
Java Download Director. ,
, .
10. Java. ,
.
/usr/sys/sp2. .toc inutoc:
# inutoc /usr/sys/sp2

.toc , smitty
:
# smitty update_all

11. /usr/lib/security/CC_EVALify.sh.
AIX 6.1 5300-07. ,
. :
# oslevel -r or oslevel -s


5300-07 .
CAPP/EAL4+ :
CAPP/EAL4+ (NIM).
NIM , AIX 5L
CAPP/EAL4+. NIM ,
NIM. bosinst_data , NIM:
control_flow:
CONSOLE = ???
PROMPT = no
INSTALL_TYPE = CC_EVAL
INSTALL_METHOD = overwrite
TCB = yes
DESKTOP = NONE or CDE
ENABLE_64BIT_KERNEL = yes
CREATE_JFS2_FS = yes
ALL_DEVICES_KERNELS = no
FIREFOX_BUNDLE = no
HTTP_SERVER_BUNDLE = no
KERBEROS_5_BUNDLE = no
SERVER_BUNDLE = no
ALT_DISK_INSTALL_BUNDLE = no
locale:
CULTURAL_CONVENTION = en_US or C
MESSAGES = en_US or C

NIM CAPP/EAL4+
CAPP/EAL4+. NIM
NIM SMIT . NIM
CAPP/EAL4+ NIM.
NIM.
: NIM ,
CAPP/EAL4+; - CAPP/EAL4+. NIM
NIM. CAPP/EAL4+
NIM .
. NIM
, CAPP/EAL4+
NIM.
CAPP/EAL4+:
CAPP/EAL4+
/usr/sys/inst.data/sys_bundles/CC_EVAL.BOS.autoi.
CAPP/EAL4+
. CAPP/EAL4+
,
/usr/sys/inst.data/sys_bundles/CC_EVAL.Graphics.bnd. CAPP/EAL4+
,
/usr/sys/inst.data/sys_bundles/CC_EVAL.DocServices.bnd.
(LPP)
CAPP/EAL4+. :
v /etc/pse.conf /dev/echo.
v .
v root.
v inetd.conf , CC.
v .
v sysck.cfg .
v sysck.cfg .
v .
v doc_search .
v inittab httpdlite.
v inittab writesrv.
v inittab mkatmpvc.
v inittab atmsvcd.
v /etc/rc.tcpip snmpd.
v /etc/rc.tcpip hostmibd.
v /etc/rc.tcpip snmpmibd.
v /etc/rc.tcpip aixmibd.
v /etc/rc.tcpip muxatmd.
v NFS (2049) .
v /etc/security/audit/events .
v loopback.
v /dev/console.
v X-.
v /var/docsearch .
v ODM , .
v BSD 000.
v .netrc.
v .
:
CAPP/EAL4+ X
Windows.
X Windows , ,
, ., ( aixterm). X Windows
xinit
.
X Windows :
xinit

X Windows .
X Windows root, X Windows
UNIX, root . X
Windows, , ,
, X Windows.
X Windows.
CAPP/EAL4+:


CAPP/EAL4+ , .
:
v ,
, .
v .
v
.
v
(.. ).
, , .
v , AIX 5.3 CAPP/EAL4+,
, .
v CAPP/EAL4+ IPv4. IPv6
, , IPv4.
v .
v LPAR PHB.
CAPP/EAL4+:
CAPP/EAL4+ .
:
v .
v , ,
.
v ( ,
).
. 59.
v .
v
, .
v ,
.
v , su
.
v , ,
.
v , ,
, .
v
ACL.
v ,
.
v .
v
.
v LIBPATH,
.


v
(tcpdump, trace ..).
v , , HTTP,
(, ).
v NFS TCP.
v .
ACL.
v AIX root.
, AIX,
CAPP/EAL4+.
v
. ,
.
CAPP/EAL4+:
CAPP/EAL4+
.
:
v (HMC), HMC
.
v HMC .
v HMC :
. .
"" .
v HMC .
v .
v .
v AIX LPAR,
EAL4+ LPAR .
v .
CAPP/EAL4+:
(CAPP) 4+ (EAL4+).
system, sys, adm, uucp, mail, security, cron, printq, audit shutdown
. .
:
,
su root .
root, su
root .
:
1. root /etc/security/user:


root:
admin = true
.
.
.
sugroups = SUADMIN

2. /etc/group ,
, :
system:!:0:root,paul
staff:!:1:invscout,julie
bin:!:2:root,bin
.
.
.
SUADMIN:!:13:paul

:
v , ,
.
v ,
.
v (,
IBM 3151).
:
AIX , .
, 1 1 000 000,
1 100 000.
/etc/security/user
/usr/share/dict/words. /usr/share/dict/words bos.data.
/etc/security/user bos.data.
/etc/security/user:
default:
admin = false
login = true
su = true
daemon = true
rlogin = true
sugroups = ALL
admgroups =
ttys = ALL
auth1 = SYSTEM
auth2 = NONE
tpath = nosak
umask = 077
expires = 0
SYSTEM = "compat"
logintimes =
pwdwarntime = 5
account_locked = false
loginretries = 3
histexpire = 52
histsize = 20
minage = 0
maxage = 8
maxexpired = 1
minalpha = 2
minother = 2
minlen = 8


mindiff = 4
maxrepeats = 2
dictionlist = /usr/share/dict/words
pwdchecks =
dce_export = false
root:
rlogin = false
login = false

, /etc/security/user, ,
.
: login = false root root
. root
, root su.
,
.
, .
,
unsuccessful_login_count /etc/security/lastlog, , ,
loginretries .
,
chsec. chsec
. 49.
/etc/security/login.cfg:
default:
sak_enabled = false
logintimes =
logindisable = 4
logininterval = 60
loginreenable = 30
logindelay = 5

setuid/setgid:
AIX, CAPP .
suid/sgid , root,
. CAPP : system, sys,
adm, uucp, mail, security, cron, printq, audit shutdown. suid,
root sgid, .
.
,
:
v root SUID
v SGID
v , - ,

v , , :


/usr/bin/at
/usr/sbin/audit
/usr/sbin/auditbin
/usr/sbin/auditcat
/usr/sbin/auditmerge
/usr/sbin/auditpr
/usr/sbin/auditselect
/usr/bin/batch
/usr/bin/chsh
/usr/sbin/chtcb
/usr/sbin/cron
/usr/bin/crontab
/usr/sbin/diag
/usr/sbin/ftpd
/usr/sbin/inetd
/usr/bin/logout
/usr/bin/passwd
/usr/sbin/ping
/usr/sbin/rexecd
/usr/sbin/rlogind
/usr/sbin/rpc.mountd
/usr/sbin/rshd
/usr/bin/setgroups
/usr/bin/setsenv
/usr/bin/su
/usr/sbin/telnetd
/usr/sbin/tsm
/usr/lpp/X11/bin/xlock
/usr/lpp/diagnostics/bin/uformat

: setuid ipcs.
chmod u-s /usr/bin/ipcs chmod u-s /usr/bin/ipcs64.
:
AIX
AIX.
, .
, :
diag -T "format"

,
. .
. ,
, .
, .
. .
, .
.


. ,
. .
: .
:
/etc/security/limits, ,
.
, stack rss unlimited ().
,
rss ,
. stack_hard rss_hard .
:
, .
v , .
,

.
v (, ,
/audit) , root.
v CAPP/EAL4+ .
. 91.
v 20
.
v , binmode start /etc/security/audit/config
panic. freespace bin ,
25% , .
bytethreshold binsize 65 536 .
v .
:

(CAPP) 4+ (EAL4+).
, CAPP/EAL4+ (
).
1.
UID      Program                           Description
root     /etc/init
root     /usr/sbin/syncd 60
root     /usr/sbin/srcmstr                 SRC.
root     /usr/sbin/cron                    CRON AT
root     /usr/ccs/bin/shlap64
root     /usr/sbin/syslogd                 Syslog.
root     /usr/lib/errdemon                 AIX
root     /usr/sbin/getty /dev/console      getty / TSM.
root     /usr/sbin/portmap                 NFS CDE.
root     /usr/sbin/biod 6                  NFS.
root     /usr/sbin/rpc.lockd               NFS.
daemon   /usr/sbin/rpc.statd               NFS.
root     /usr/sbin/rpc.mountd              NFS.
root     /usr/sbin/nfsd                    NFS.
root     /usr/sbin/inetd                   Inetd.
root     /usr/sbin/uprintfd
root     /usr/sbin/qdaemon
root     /usr/lpp/diagnostics/bin/diagd
root     /usr/sbin/secldapcintd            LDAP AIX
root     /usr/sbin/gssd                    , GSS
root     /usr/sbin/nfsrgyd                 / NFS v4

CAPP/EAL4+:
CAPP/EAL4+ ,
. , NIS,
CAPP/EAL4+
.
,
, CAPP/EAL4+.

.

, SMIT, . .
/etc/data.shared

/etc/data.shared
:
, , . ,
/etc/security
/etc/group
/etc/group
/etc/hosts
/etc/hosts
/etc/passwd
/etc/passwd
/etc/security/.ids
.
/etc/security/.profile
.profile .


/etc/security/acl
/etc/security/acl ACL ,
/etc/rc.tcpip
/etc/security/audit/bincmds
.
/etc/security/audit/config
.
/etc/security/audit/events
.
/etc/security/audit/objects
.
/etc/security/audit/streamcmds
.
/etc/security/environ
.
/etc/security/group
/etc/security/group
/etc/security/limits
.
/etc/security/passwd
.
/etc/security/priv
/etc/security/priv .
/etc/security/services
/etc/security/services , ACL.
/etc/security/user
.
:
, /etc/security,
, :
/etc/security/failedlogin
.
/etc/security/lastlog
.
/etc/security/login.cfg
, ,
..
/etc/security/portlog
.
.
o.
( ):


,
. /dev/hd10sec
/etc/data.master .
mkCCadmin
IP- :
mkCCadmin -m -a ip-

( ):
.
/etc/data.shared.
/etc/data.master /etc/data.shared.
.
:
mkCCadmin -a ip- -

chCCadmin.
,
inittab:
isCChost
CAPP/EAL4+.
rcCC

ACL DACinet ,
NFS. .

rcdacinet
ACL DACinet, .
:
v ,
. .
v , -
root.
DACinet :
DACinet TCP.
DACinet TCP
Internet . 170. ,
DACinet TCP/25
DACinet, root CAPP/EAL4+.

telnet TCP/25 .
ACL TCP /etc/inittab
/etc/rc.dacinet. /etc/security/acl ACL
. , ACL,
/etc/security/services.
10.1.1.0/24, X (TCP/6000)
root /etc/security/acl ACL:


6000

10.1.1.0/24 u:root

CAPP/EAL4+:
CAPP/EAL4+ .
root
root, CAPP/EAL4+.
, ,
SUID.
, root,
CAPP/EAL4+. , , JFS,
. ,
root (, SNMP), CAPP/EAL4+.
CAPP/EAL4+ .
CAPP/EAL4+ , .
. ,
,
.
NFS v4 :
(ACL) NFS v4 Type, Mask Flags.
:
v Type :
ALLOW , Who, , Mask.
DENY , Who, , Mask.
v Mask :
READ_DATA / LIST_DIRECTORY
.
WRITE_DATA / ADD_FILE
.
APPEND_DATA / ADD_SUBDIRECTORY
.
READ_NAMED_ATTRS .
WRITE_NAMED_ATTRS .

EXECUTE / .
DELETE_CHILD .
READ_ATTRIBUTES ( ACL).
WRITE_ATTRIBUTES , .
DELETE .
READ_ACL ACL.
WRITE_ACL ACL.

WRITE_OWNER .
SYNCHRONIZE (
NFS v4; ).
v Flags - ACL , . ,
, Who . :


FILE_INHERIT , , ,
.
DIRECTORY_INHERIT , , ,
.
NO_PROPAGATE_INHERIT , , ,
; , .
INHERIT_ONLY , ;
, .
IDENTIFIER_GROUP , Who ; Who
.
v Who - :
User , .
Group , .
Special :
- OWNER@ , .
- GROUP@ , , .
- EVERYONE@ , ,
.
ACL, UID 0. ACL
:
v READ_ACL
v WRITE_ACL
v READ_ATTRIBUTES
v WRITE_ATTRIBUTES
APPEND_DATA WRITE_DATA. , WRITE_DATA
APPEND_DATA . .
WRITE_OWNER.
setuid. ACL ;
, (,
ACL ).
ACL NFS v4 .
. , :
v Who, UID.
v , GID
v , .
, ,
. .
, . , ,
ACL.
ACL 64 . , ACL
.
WRITE OWNER:
NFS v4 .


UID NFS v4.


READ_ATTRIBUTES,
WRITE_ATTRIBUTES , READ_NAMED_ATTRS WRITE_NAMED_ATTRS ACL.
ACL READ_ACL WRITE_ACL ACL.
: READ_ATTRIBUTES, WRITE_ATTRIBUTES, READ_ACL WRITE_ACL.
,
WRITE_OWNER.
, ACL WRITE_OWNER ,
ACL, WRITE_OWNER, Who OWNER@.
setuid.
:
v UID 0, UID 0,
WRITE_OWNER.
v WRITE_OWNER . UID 0,
AIX 5.3 5300-05 UID 0.
AIX 5300-05, UID 0,
EUID , .
v ;
GID 0 GID 7 ( ), ,
.
LDAP :
NFS. ,
DCE NIS, .
:
v ( )
v LDAP UNIX ( LDAP ITDSv 6.0)

.
LDAP:
LDAP "UNIX-type",
( , ) LDAP
LDAP.
LDAP SSL
LDAP, ( )
. LDAP
. LDAP
.
LDAP.
. , ,
UID .
LDAP LDAP.
LDAP SSL
SSL LDAP SSL LDAP.
LDAP:


mksecldap -s AIX LDAP


.
:
v RFC2307AIX -S.
v SSL, -k.
GSKit ldap.max_crypto_server.
gsk7ikm.
LDAP .
RFC2307AIX. ,
CAPP/EAL4+. ITDS (,
MaxAge). LDAP
, AIX (MaxAge = 8 ()).
ITDS 5.2
. ,
. ITDS.
LDAP,
,
( ), TOE :
v
v
v
v

/etc/group
/etc/passwd
/etc/security/.ids
/etc/security/.profile

v /etc/security/environ
v /etc/security/group
v /etc/security/limits
v /etc/security/passwd
v /etc/security/user
LDAP:
mksecldap -c AIX LDAP
.
:
v mksecldap -c authType unix_auth -A.
v SSL, -k mksecldap -c.
SSL GSKit ldap.max_crypto_client.
gsk7ikm.
LDAP :
v : Integrating AIX into Heterogenous LDAP Environments.
v : Configuring an IBM Directory Server for User Authentication and Management in AIX.
v : Configuring an AIX Client System for User Authentication and Management Through
LDAP.
/ NFS v4 Kerberos:


/ NFS v4 LDAP, ,
Kerberos NFS v4.
NAS v1.4 Kerberos ITDS v6.0 ( LDAP)
.
NAS v1.4 ( Kerberos 5) LDAP.
Kerberos .
Kerberos ,
, Kerberos UID
. NFS,
Kerberos, setuid UID, Kerberos,
UID setuid.
RPCSEC-GSS NFS.
, NFS
NFS. Kerberos .
chnfs SMIT. chnfs RPCSEC_GSS.
, NFS.
RPCSEC-GSS DES3
Kerberos. des3.
:
Kerberos LDAP,
.
"Chapter 9. Managing Network
Authentication Service passwords" IBM Network Authentication Service Version 1.4 for AIX, Linux and Solaris
Administrator's and User's Guide.
mindiff = 4
maxrepeats = 2
minalpha = 2
minother = 2
minlen = 8
minage = 0
histsize = 10

AIX NFS v4 AIX NFS v4


DES3 "nfs/hostname" DES3 (, des3-cbc-sha1)
keytab ( kadmin) DES3 (,
des3-cbc-sha1) default_tgs_enctypes /etc/krb5/krb5.conf
NFS v4.
NFS NFS AIX - NFS v4 AIX
5L 5.3.
-:
- (VIOS)
SCSI VIOS, ,
SCSI .


( SCSI VIOS)
,
. , . , VIOS
Ethernet VIOS Ethernet VIOS,
.
Ethernet
Ethernet, .
. ,
Ethernet VLAN.
Ethernet .
VIOS .
VIOS .
1 1 000 000,
1 100 000.
/etc/security/user .
maxage = 8
maxexpired = 1
minother = 2
minlen = 8
maxrepeats = 2
loginretries = 3
histexpire = 52
histsize = 20

:
type oem_setup_env
chsec -f /etc/security/user -s default -a maxage=8 -a maxexpired=1 -a minother=2 -a minlen=8 -a maxrepeats=2 -a loginretries=3 -a histexpire=52 -a histsize=20

(padmin)
. , davis (padmin)
:
mkuser maxage=8 maxexpired=1 minother=2 minlen=8 maxrepeats=2 loginretries=3 histexpire=52 histsize=20 davis

, padmin :
v writesrv ctrmc /etc/inittab:
sshd:

stopsrc -s sshd

v , /etc/rc.d/rc2.d/Ksshd
/etc/rc.d/rc2.d/Ssshd. RSCT:
stopsrc -g rsct_rm stopsrc -g rsct

.

( padmin):
v chdate
v chuser
v cleargcl
v de_access
v diagmenu
v invscout
v loginmsg
v lsfailedlogin
v lsgcl
v mirrorios
v mkuser
v motd
v oem_platform_level
v oem_setup_env
v redefvg
v rmuser
v shutdown
v unmirrorios
X-:
X- 6000.
X- 6000 ( ), xserverrc
/usr/lpp/X11/defaults EXTENSIONS :
EXTENSIONS="$EXTENSIONS -x abx -x dbe -x GLX -secIP".



.
AIX , .
.
.
KDE GNOME .
KDE GNOME .
, , .
39.
:
/etc/security/login.cfg.

/etc/security/login.cfg :


2. .

PtY
(
)

TTY

sak_enabled

false

Secure Attention .


. 5.

logintimes

logindisable


4
.

logininterval

60

,

60 .

loginreenable

30

30
.

logindelay


.

(;
- 5 ,
5, 10, 15
20).

, ,
, ,
. ,
:
/dev/tty0:
logintimes = 0600-2200
logindisable = 5
logininterval = 80
loginreenable = 20

:
herald /etc/security/login.cfg,
.
herald .
chsec .
chsec herald:
# chsec -f /etc/security/login.cfg -s default -a herald=" .\n\nlogin:"

chsec AIX 5L 5.3: ,


1.
/etc/security/login.cfg ,
herald :
default:
herald =" .\n\nlogin:"
sak_enabled = false
logintimes =


logindisable = 0
logininterval = 0
loginreenable = 0
logindelay = 0

: logindisable logindelay
0 (# > 0).
:
Common Desktop Environment (CDE). ,
CDE, .
, /usr/dt/config/$LANG/Xresources, $LANG -
.
, $LANG C, /etc/dt/config/C/
Xresources. /usr/dt/config/C/Xresources
.
, CDE,
X11 CDE . 32.
:

, .
, :
: foo
foo:

,
usernameecho /etc/security/login.cfg.
usernameecho 'true', .. .
chsec .
chsec
usernameecho:
# chsec -f /etc/security/login.cfg -s default -a usernameecho=false

chsec AIX 5L 5.3: ,


1.
/etc/security/login.cfg ,
usernameecho:
default:
usernameecho = false

'false' usernameecho ,
.
'*', :
:
***:

.
pwdprompt /etc/security/login.cfg.
" -:", - .


chsec .
chsec
pwdprompt ":":
# chsec -f /etc/security/login.cfg -s default -a pwdprompt="Password: "

/etc/security/login.cfg ,
pwdprompt:
default:
pwdprompt = ": "

pwdprompt ": "


, , .
:
: foo
:

:
/etc/security/login.cfg.
(
, ..), , ,
, /etc/security/login.cfg.
, :
lock xlock.
, ,
. -
, root.
, .
- .
lock. AIXwindows xlock.
:

.
,
. ,
, .
,
. /etc/security/.profile
, :
TMOUT=600; TIMEOUT=600; export TMOUT TIMEOUT; readonly TMOUT TIMEOUT

600, 600 10 .
.
, ,
.profile. ,
.profile.



- " ".
.
,
.
,
, . ,
AIX , .
, -
, .
,
(, , ,
- ).
.
. -

. , ,
1 , , ,
, 1 .
/ ,
root. ,
. root (UID) ,

root.
, ,
. ,
( ).
SED :
AIX (SED), ,
/, .

root . ,
,
.
POWER4, /
. AIX SED
"" .
,
.
, SED.
"". -
, ,
. AIX.
SED sedmgr. sedmgr
SED SED.
SED:


(SED) AIX
.
SED, ,
SED. (BOP)
:
off

SED , SED .

select

SED .
SED
. , SED,
select.

setidfiles
SED , ,
setuid setgid. SED
SED- request,
( , exempt):
v SETUID, root
v SETGID, system security

, , SED,
, SED.
.

SED AIX ,
.
SED
.
sedmgr SED,
, . ,
.
-c. ,
, SED.
AIX. SED ,
, , SED,
.
- SED
. .
SED :
AIX SED sedmgr.
SED,
select exempt, . select
SED select SED, exempt
SED.
.
SED
.
, .
SED :


3. SED
SED
request

exempt

system

Setuid-root
setgid-system/security

select

enabled

setgidfiles

enabled

enabled

enabled

enabled

enabled

SED
off

SED:
AIX SED select. setuid setgid
select .
SED ,
"" .
.
bopmgr. AIX Java 1.3.1 AIX Java 1.4.2
Just-In-Time (JIT),
Java ( Java
). ,
JIT. , AIX SED ALL,
Java.
, SED, ,
. . SED
32-, 64- ,
. AIX 64- .

sedmgr
AIX

X11 CDE
,
X X11 (CDE).
/etc/rc.dt:
, , /etc/rc.dt.
CDE ,
. CDE ,
. CDE (dt).
, ,
/etc/rc.dt, CDE.
CDE .
X:


,
X11.
xwd xwud X ,
,
. ,
- ,
, root.
xwd xwud X11.apps.clients.
xwd xwud,
OpenSSH MIT Magic Cookies.
, xwd xwud .
OpenSSH MIT Magic Cookies
.
:
X .
, xhost +.
xhost +,
X . ,
. xhost
:
# xhost + hostname

, .
xhost AIX 5L 5.3: .
xhost:
xhost chmod.
xhost , root.
/usr/bin/X11/xhost 744
chmod:
chmod 744 /usr/bin/X11/xhost

setuid/setgid
AIX setuid/setgid.
.
, AIX. AIX CC
.
v /opt/IBMinvscout/bin/invscoutClient_VPD_Survey
v /opt/IBMinvscout/bin/invscoutClient_PartitionID
v /usr/lpp/diagnostics/bin/diagsetrto
v /usr/lpp/diagnostics/bin/Dctrl
v /usr/lpp/diagnostics/bin/diagTasksWebSM
v /usr/lpp/diagnostics/bin/diagela
v /usr/lpp/diagnostics/bin/diagela_exec
v /usr/lpp/diagnostics/bin/diagrpt
v /usr/lpp/diagnostics/bin/diagrto
v /usr/lpp/diagnostics/bin/diaggetrto
v /usr/lpp/diagnostics/bin/update_manage_flash
v /usr/lpp/diagnostics/bin/utape
v /usr/lpp/diagnostics/bin/uspchrp
v /usr/lpp/diagnostics/bin/update_flash
v /usr/lpp/diagnostics/bin/uesensor
v /usr/lpp/diagnostics/bin/usysident
v /usr/lpp/diagnostics/bin/usysfault
v /usr/lpp/X11/bin/xlock
v /usr/lpp/X11/bin/aixterm
v /usr/lpp/X11/bin/xterm
v /usr/lpp/X11/bin/msmitpasswd
v /usr/lib/boot/tftp
v /usr/lib/lpd/digest
v /usr/lib/lpd/rembak
v /usr/lib/lpd/pio/etc/piodmgrsu
v /usr/lib/lpd/pio/etc/piomkpq
v /usr/lib/lpd/pio/etc/pioout
v /usr/lib/mh/slocal
v /usr/lib/perf/libperfstat_updt_dictionary
v /usr/lib/sa/sadc
v /usr/lib/semutil
v /usr/lib/trcload
v /usr/sbin/allocp
v /usr/sbin/audit
v /usr/sbin/auditbin
v /usr/sbin/auditcat
v /usr/sbin/auditconv
v /usr/sbin/auditmerge
v /usr/sbin/auditpr
v /usr/sbin/auditselect
v /usr/sbin/auditstream
v /usr/sbin/backbyinode
v /usr/sbin/cfgmgr
v /usr/sbin/chcod
v /usr/sbin/chcons
v /usr/sbin/chdev
v /usr/sbin/chpath
v /usr/sbin/chtcb
v /usr/sbin/cron
v /usr/sbin/acct/accton
v /usr/sbin/arp64
v /usr/sbin/arp
v /usr/sbin/devinstall
v /usr/sbin/diag_exec
v /usr/sbin/entstat
v /usr/sbin/entstat.ethchan
v /usr/sbin/entstat.scent
v /usr/sbin/diskusg
v /usr/sbin/exec_shutdown
v /usr/sbin/fdformat
v /usr/sbin/format
v /usr/sbin/fuser
v /usr/sbin/fuser64
v /usr/sbin/getlvcb
v /usr/sbin/getlvname
v /usr/sbin/getvgname
v /usr/sbin/grpck
v /usr/sbin/getty
v /usr/sbin/extendvg
v /usr/sbin/fastboot
v /usr/sbin/frcactrl64
v /usr/sbin/frcactrl
v /usr/sbin/inetd
v /usr/sbin/invscout
v /usr/sbin/invscoutd
v /usr/sbin/ipl_varyon
v /usr/sbin/keyenvoy
v /usr/sbin/krlogind
v /usr/sbin/krshd
v /usr/sbin/lchangelv
v /usr/sbin/lchangepv
v /usr/sbin/lchangevg
v /usr/sbin/lchlvcopy
v /usr/sbin/lcreatelv
v /usr/sbin/ldeletelv
v /usr/sbin/ldeletepv
v /usr/sbin/lextendlv
v /usr/sbin/lmigratelv
v /usr/sbin/lmigratepp
v /usr/sbin/lparsetres
v /usr/sbin/lpd
v /usr/sbin/lquerylv
v /usr/sbin/lquerypv
v /usr/sbin/lqueryvg
v /usr/sbin/lqueryvgs
v /usr/sbin/lreducelv
v /usr/sbin/lresynclp
v /usr/sbin/lresynclv
v /usr/sbin/lsaudit
v /usr/sbin/lscfg
v /usr/sbin/lscons
v /usr/sbin/lslv
v /usr/sbin/lspath
v /usr/sbin/lspv
v /usr/sbin/lsresource
v /usr/sbin/lsrset
v /usr/sbin/lsslot
v /usr/sbin/lsuser
v /usr/sbin/lsvg
v /usr/sbin/lsvgfs
v /usr/sbin/login
v /usr/sbin/lvaryoffvg
v /usr/sbin/lvaryonvg
v /usr/sbin/lvgenmajor
v /usr/sbin/lvgenminor
v /usr/sbin/lvrelmajor
v /usr/sbin/lvrelminor
v /usr/sbin/lsmcode
v /usr/sbin/mailq
v /usr/sbin/mkdev
v /usr/sbin/mklvcopy
v /usr/sbin/mknod
v /usr/sbin/mkpasswd
v /usr/sbin/mkpath
v /usr/sbin/mkvg
v /usr/sbin/mount
v /usr/sbin/netstat64
v /usr/sbin/mtrace
v /usr/sbin/ndp
v /usr/sbin/newaliases
v /usr/sbin/named9
v /usr/sbin/named8
v /usr/sbin/netstat
v /usr/sbin/nfsstat
v /usr/sbin/pdelay
v /usr/sbin/pdisable
v /usr/sbin/penable
v /usr/sbin/perf/diag_tool/getschedparms
v /usr/sbin/perf/diag_tool/getvmparms
v /usr/sbin/phold
v /usr/sbin/portmir
v /usr/sbin/pshare
v /usr/sbin/pstart
v /usr/sbin/putlvcb
v /usr/sbin/putlvodm
v /usr/sbin/qdaemon
v /usr/sbin/quota
v /usr/sbin/reboot
v /usr/sbin/redefinevg
v /usr/sbin/repquota
v /usr/sbin/restbyinode
v /usr/sbin/rmdev
v /usr/sbin/ping
v /usr/sbin/rmgroup
v /usr/sbin/rmpath
v /usr/sbin/rmrole
v /usr/sbin/rmuser
v /usr/sbin/rsct/bin/ctstrtcasd
v /usr/sbin/srcd
v /usr/sbin/srcmstr
v /usr/sbin/rmsock64
v /usr/sbin/sendmail_ssl
v /usr/sbin/sendmail_nonssl
v /usr/sbin/rmsock
v /usr/sbin/sliplogin
v /usr/sbin/sendmail
v /usr/sbin/rwhod
v /usr/sbin/route
v /usr/sbin/snappd
v /usr/sbin/swap
v /usr/sbin/swapoff
v /usr/sbin/swapon
v /usr/sbin/swcons
v /usr/sbin/switch.prt
v /usr/sbin/synclvodm
v /usr/sbin/tsm
v /usr/sbin/umount
v /usr/sbin/umountall
v /usr/sbin/unmount
v /usr/sbin/varyonvg
v /usr/sbin/watch
v /usr/sbin/talkd
v /usr/sbin/timedc
v /usr/sbin/uucpd
v /usr/bin/bellmail
v /usr/bin/at
v /usr/bin/capture
v /usr/bin/chcore
v /usr/bin/acctras
v /usr/bin/acctctl
v /usr/bin/chgroup
v /usr/bin/chkey
v /usr/bin/chque
v /usr/bin/chquedev
v /usr/bin/chrole
v /usr/bin/chsec
v /usr/bin/chuser
v /usr/bin/confsrc
v /usr/bin/crontab
v /usr/bin/enq
v /usr/bin/filemon
v /usr/bin/errpt
v /usr/bin/fileplace
v /usr/bin/fileplacej2
v /usr/bin/fileplacej2_64
v /usr/bin/ftp
v /usr/bin/getconf
v /usr/bin/ipcs
v /usr/bin/ipcs64
v /usr/bin/iostat
v /usr/bin/logout
v /usr/bin/lscore
v /usr/bin/lssec
v /usr/bin/mesg
v /usr/bin/mkgroup
v /usr/bin/mkque
v /usr/bin/mkquedev
v /usr/bin/mkrole
v /usr/bin/mkuser
v /usr/bin/netpmon
v /usr/bin/newgrp
v /usr/bin/pagdel
v /usr/bin/paginit
v /usr/bin/paglist
v /usr/bin/passwd
v /usr/bin/pwck
v /usr/bin/pwdadm
v /usr/bin/pwdck
v /usr/bin/rm_mlcache_file
v /usr/bin/rdist
v /usr/bin/remsh
v /usr/bin/rlogin
v /usr/bin/rexec
v /usr/bin/rcp
v /usr/bin/rmque
v /usr/bin/rmquedev
v /usr/bin/rsh
v /usr/bin/ruptime
v /usr/bin/rwho
v /usr/bin/script
v /usr/bin/setgroups
v /usr/bin/setsenv
v /usr/bin/shell
v /usr/bin/su
v /usr/bin/sysck
v /usr/bin/tcbck
v /usr/bin/sysck_r
v /usr/bin/telnet
v /usr/bin/tftp
v /usr/bin/traceroute
v /usr/bin/tn
v /usr/bin/tn3270
v /usr/bin/usrck
v /usr/bin/utftp
v /usr/bin/vmstat
v /usr/bin/vmstat64
v /usr/bin/yppasswd
v /sbin/helpers/jfs2/backbyinode
v /sbin/helpers/jfs2/diskusg
v /sbin/helpers/jfs2/restbyinode

,
AIX.


AIX .
(, ,
LDAP), . AIX
:
AIX PAM. .
AIX
AIX : getty, login, rlogin, rsh, telnet
tsm. pam_aix module, AIX
STD_AUTH, PAM_AUTH. AIX /etc/security/login.cfg,
mkhomeatlogin usw true (
/etc/security/login.cfg). chsec
automatic-home-directory-creation-at-login. ,
:


# chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true

,
. , .
PAM
AIX pam_mkuserhome
PAM. pam_mkuserhome
. PAM ,
. ,
telnet PAM, /etc/pam.cfg:
telnet session optional pam_mkuserhome


. AIX
.
,
. mkuser mkgroup AIX
, .
, ()
dist_uniqid. dist_uniqid usw
/etc/security/login.cfg chsec.
:
# chsec -f /etc/security/login.cfg -s usw -a dist_uniqid=always

dist_uniqid :
never

( ).

always .
- mkuser (mkgroup) ,
. ,
(, mkuser id=234 foo, 234
- ).
uniqbyname
.
,
mkuser id=123 foo. ,

. , acct1 234.
LDAP acct1 mkuser -R LDAP acct1 235.
acct1 234 LDAP acct1
235.
: ,
dist_uniqid.
uniqbyname . , -
,
mkuser (mkgroup) .
, . .
: : , LDAP DCE. LDAP
acct1, DCE - acct2, 234.
uniqbyname mkuser -R files id=234 acct1


(mkgroup -R files id=234 acct1), LDAP , 234


LDAP acct1. ,
mkuser (mkgroup) acct1 234.
DCE, mkuser (mkgroup) , 234
DCE acct2, acct1 .
.

, , .
, mkuser (mkgroup), .

root
root ,
.
root - /etc/passwd (UID), 0.
, root. , root
, UID, 0. ,
UID , . ,
root .
root , .
root . root
.
root , root.
.
: root, ,
.
root:
- ,
root.
, root.
su -.
root
root, , .
/var/adm/sulog. - ,
.
root /etc/security/user.
rlogin root false.
root, ,
.
, .
root , ,
su - root, , root
. ,
, .
root
CAPP/EAL4+ . 12.



root-user .
root-user .
, .
:
, ,
root.
:


root .
,
, ,
. ,
,
security.
.
, ,
.
security.

.

mksysb
.

.
.


.
system,
shutdown.
:
,
..
.

, .
, ,
shutdown.

SMIT:
, , , ,
SMIT.
SMIT:


4.

SMIT

smit mkrole

smit chrole

smit lsrole

smit rmrole

smit lsrole

:
.
.
:

. ,
RoleAdmin chrole. ,
, .

. , UserAdmin
, security. ,
, mkuser ,
.
mkuser.
:
Backup
. Backup
:
Backup
.
Backup.
.
.
. Diagnostics
:
diag

.
Diagnostics, .

GroupAdmin
. GroupAdmin
:
chgroup
. GroupAdmin,
.
chgrpmem
. GroupAdmin,
( -
) , .
chsec

/etc/group


/etc/security/group. ,
. GroupAdmin
/etc/group /etc/security/group .
mkgroup
. GroupAdmin
.
rmgroup
. GroupAdmin
.
ListAuditClasses ( )
.
,
audit.
, ,
smit mkuser smit chuser. .
PasswdAdmin
root . PasswdAdmin
:
chsec

lastupdate flags .
PasswdAdmin chsec lastupdate flags
, .

lssec

lastupdate flags .
PasswdAdmin lssec lastupdate
flags , .

pwdadm
.
security.
PasswdManage ( )
. PasswdManage
:
pwdadm
.
security PasswdManage.
UserAdmin
root . UserAdmin
.
. UserAdmin
:
chfn

(gecos). ,
, UserAdmin, security,
gecos , .
gecos.

chsec

-, /etc/passwd,
/etc/security/environ, /etc/security/lastlog, /etc/security/limits
/etc/security/user, .

/usr/lib/security/mkuser.default , auditclasses.

chuser , .


UserAdmin
, .
mkuser
( ).
UserAdmin
.
rmuser
. UserAdmin
, .
UserAudit ( )
.
UserAudit :
chsec

auditclasses mkuser.default ,
. UserAdmin,
auditclasses mkuser.default .

chuser .
UserAdmin .
lsuser

root , security,
auditclasses ,
. UserAdmin
.

mkuser

. UserAdmin
.
RoleAdmin
root .
RoleAdmin :
chrole . RoleAdmin,
.
lsrole

mkrole . RoleAdmin,
.
rmrole . RoleAdmin,
.
Restore
. Restore
:
Restore
.
Restore.
:
.
, ,
.


Command    Mode  Owner.Group     Roles
chfn       2555  root.security   UserAdmin
chuser     4550  root.security   UserAdmin, UserAudit
diag       0550  root.system     Diagnostics
lsuser     4555  root.security   UserAudit, UserAdmin
mkuser     4550  root.security   UserAdmin, UserAudit
rmuser     4550  root.security   UserAdmin
chgroup    4550  root.security   GroupAdmin
lsgroup    0555  root.security   GroupAdmin
mkgroup    4550  root.security   GroupAdmin
rmgroup    4550  root.security   GroupAdmin
chgrpmem   2555  root.security   GroupAdmin
pwdadm     4555  root.security   PasswdManage, PasswdAdmin
passwd     4555  root.security   PasswdManage, PasswdAdmin
chsec      4550  root.security   UserAdmin, GroupAdmin, PasswdAdmin, UserAudit
lssec      0550  root.security   PasswdAdmin
chrole     4550  root.security   RoleAdmin
lsrole     0550  root.security   RoleAdmin
mkrole     4550  root.security   RoleAdmin
rmrole     4550  root.security   RoleAdmin
backup     4555  root.system     Backup
restore    4555  root.system     Restore


.
:
, .
. -
. , ,
.
- .
; .
.
,
. . 68.
:
v . ,
.
v . ,

.
v , WSM (Web-
) SMIT. ,
.


v . ,
. /etc/passwd
(*), .
v - .
/etc/passwd.
v , admin true. ,
/etc/security/user admin=true,
root.
,
/etc/passwd /etc/system/group, :

.
,
.
.

:
.
9 . AIX 5.3
256 .
NULL,
8 255 .
v_max_logname
sys0. v_max_logname
ODM. , , . ,
ODM, .
:
. ,
, .
ODM:
v_max_logname .
lsattr v_max_logname ODM.
lsattr v_max_logname max_logname.
lsattr AIX 5L 5.3:
, 3.
, lsattr
max_logname:
$ lsattr -El sys0
SW_dist_intr     false           True
autorestart      true            True
boottype         disk            False
capacity_inc     1.00            False
capped           true            False
conslogin        enable          False
cpuguard         enable          True
dedicated        true            False
ent_capacity     4.00            False
frequency        93750000        False
fullcore         false           True
fwversion        IBM,SPH01316    False
iostat           false           True
keylock          normal          False
max_capacity     4.00            False
max_logname      20              True
maxbuf           20              True
maxmbuf          0               True
maxpout          0               True
maxuproc         128             True
min_capacity     1.00            False
minpout          0               True
modelname        IBM,7044-270    False
ncargs           6               True
pre430core       false           True
pre520tune       disable         True
realmem          3145728         False
rtasversion      1               False
sec_flags        0               True
sed_config       select          True
systemid         IBM,0110B5F5F   False
variable_weight  0               False
$

:
v_max_logname .
getconf
getconf LOGIN_NAME_MAX
. getconf NULL.
, getconf
:
$ getconf LOGIN_NAME_MAX
20
$

sysconf
sysconf _SC_LOGIN_NAME_MAX
.
, sysconf
:
#include <stdio.h>
#include <unistd.h>

int main(void)
{
    long len;

    /* Ask the running kernel for the maximum login-name length */
    len = sysconf(_SC_LOGIN_NAME_MAX);
    printf("The name length limit is %ld\n", len);
    return 0;
}

sys_parm
sys_parm SYSP_V_MAX_LOGNAME
.


, sys_parm
:
#include <stdio.h>
#include <sys/types.h>
#include <sys/var.h>
#include <errno.h>

int main(void)
{
    int rc;
    struct vario myvar;

    /* SYSP_GET reads the current kernel value of v_max_logname */
    rc = sys_parm(SYSP_GET, SYSP_V_MAX_LOGNAME, &myvar);
    if (!rc)
        printf("Max_login_name = %d\n", myvar.v.v_max_logname.value);
    else
        printf("sys_parm() failed rc = %d, errno = %d\n", rc, errno);
    return 0;
}

ODM:
.
ODM chdev.
.
v_max_logname ODM
chdev:
$ chdev -l sys0 -a max_logname=30
sys0 changed
$

:
.
.
mkuser .
chuser.
:
account_locked
admin
admgroups
auth1
auth2

daemon
login
logintimes
registry
rlogin
su
sugroups
ttys

True;
False.
True . .
, .
.
. SYSTEM.
: auth1 ; .
, auth1.
. NONE.
: auth2 ; .
,
startsrc. cron at.
, .
unsuccessful_login_count 0 ( loginsuccess).
, . ,
.
. ,
NIS, LDAP Kerberos.
, rlogin telnet.
, su.
, .
, .


expires
loginretries
umask
rcmds

hostallowedlogin

hostsdeniedlogin

maxulogs

; .

. /etc/security/lastlog.
umask .
rsh exec.
allow rsh rexec . deny
rsh rexec . hostlogincontrol ,
hostallowedlogin hostsdeniedlogin.
, .
,
.
, .
,
.
,
.

/etc/security/user ,/etc/security/limits,
/etc/security/audit/config /etc/security/lastlog. ,
mkuser, /usr/lib/security/mkuser.default. mkuser.default
, default
/etc/security/user /etc/security/limits.
.
, ,
, unsuccessful_login_count
/etc/security/lastlog ,
. chsec:
chsec -f /etc/security/lastlog -s username -a unsuccessful_login_count=0

chsec default
, , /etc/security/user or /etc/security/limits.
. ,
, user /usr/lib/security/
mkuser.default.
, , . 59.
, ,
, .

account_locked

rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login

login

.
login ,
(rexec, rsh, rcp, ssh,
scp, rlogin, telnet ftp).

logintimes

rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login

rlogin

,

(ssh, scp, rlogin telnet).

loginretries

rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login

/etc/nologin

rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login

rcmds=deny

rexec, rsh, rcp, ssh, scp


rcmds=hostlogincontrol and hostsdeniedlogin=<target_hosts>

rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login

ttys = !REXEC, !RSH

rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login

ttys = !REXEC, !RSH, /dev/pts

rexec, rsh

ttys = !REXEC, !RSH, ALL

rexec, rsh

expires

rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login

: rsh .
.
:
() .
, .
,
, .
, , .
, .
, , ,
, , .
:
,
. .
ACL
. 71.
PATH:
PATH . ,
.
PATH /etc/profile, PATH
$HOME/.profile. PATH .profile
, .
PATH
"" ( root). ,
,
, , .
, , PATH ,
/tmp. /tmp
su, root ,
su. /tmp/su root
, su . root,
su, , .
PATH :
v . PATH
.


v (. ) PATH root.
/etc/profile.
v root PATH .profile.
/etc/profile ,
root .
v .profile
.
. .profile 740.
v root su
, PATH .profile
. .profile.
root , ,
, :
/usr/bin/su - root

, root. root
.
v , (IFS),
/etc/profile file. IFS .profile
PATH.
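
The following function is an added example and is not part of the IBM manual or of AIX. It checks a PATH value against the recommendations above: no empty entry and no "." (both mean the current directory), no relative entry, and no world-writable directory such as /tmp from which a planted su could be picked up before /usr/bin/su. The function name path_audit is introduced here; run it as path_audit "$PATH" or on the PATH line taken from /etc/profile.

```shell
#!/bin/sh
# Added example, not IBM's code: audits one PATH string and prints each
# finding on its own line; returns 1 if anything was found.
path_audit() {
    bad=0
    p=$1
    # An empty component (leading, trailing or doubled colon) is the current directory.
    case $p in
        :*|*:|*::*) echo "empty entry (searches the current directory)"; bad=1 ;;
    esac
    old_ifs=$IFS; IFS=:
    set -f                      # do not glob-expand entries such as "*"
    set -- $p
    set +f; IFS=$old_ifs
    for d in "$@"; do
        case $d in
            "")  ;;             # already reported above
            .)   echo "current directory (.) in PATH"; bad=1 ;;
            /*)  # -perm -002 selects a directory that is writable by "others";
                 # -H follows a symlink given on the command line, -prune stops descent.
                 if [ -d "$d" ] && [ -n "$(find -H "$d" -prune -perm -002 2>/dev/null)" ]; then
                     echo "world-writable directory: $d"; bad=1
                 fi ;;
            *)   echo "relative entry: $d"; bad=1 ;;
        esac
    done
    return $bad
}

# Typical use from a login script or a configuration check:
#   path_audit "$PATH" || echo "PATH needs attention"
```

A PATH that passes consists only of absolute directories that are not writable by others, which is what the /etc/profile recommendation above amounts to.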
secldapclntd:
secldapclntd LDAP.
secldapclntd , /etc/security/ldap/
ldap.cfg ( LDAP). , secldapclntd ,
LDAP LDAP,
LDAP. ,
. ,
.
secldapclntd LDAP. -
, , ,
.
connectionsperserver /etc/security/ldap/ldap.cfg
. , connectionsperserver numberofthread,
secldapclntd connectionsperserver numberofthread.
connectionsperserver - 1 100. - 10 (connectionsperserver:
10).
connectionmissratio /etc/security/ldap/ldap.cfg
LDAP. connectionmissratio - ,
LDAP (handle-miss) .
connectionmissratio, secldapclntd
LDAP ( , connectionsperserver).
connectionmissratio - 10 90. - 50 (connectionmissratio:
50).
connectiontimeout /etc/security/ldap/ldap.cfg
secldapclntd. connectiontimeout - 5
( ). - 300 (connectiontimeout: 300).

FTP
FTP .



AIX 5.3. AIX,
, .

FTP
.
: (CAPP)
4+ (EAL4+).
1. , bos.net.tcp.client:
lslpp -L | grep bos.net.tcp.client

, .
.
2. , bos.net.tcp.client:
lslpp -L | grep bos.net.tcp.client

, .
.
3. , /home 8
:
df -k /home

, 6, 8
/home .
.
4. , /home 8
:
df -k /home

, 6, 8
/home .
.
5. root /usr/samples/tcpip . :
cd /usr/samples/tcpip

6. :
./anon.ftp

7. /home/ftp?, .
:
.
/home/ftp/bin.
/home/ftp/etc.
/home/ftp/pub.
/home/ftp/lib.
/home/ftp/dev/null.
/home/ftp/usr/lpp/msg/en_US.

8. /home/ftp. :
cd /home/ftp

9. , home:
mkdir home

10. , /home/ftp/home drwxr-xr-x:


chmod 755 home

11. , /home/ftp/etc:
cd /home/ftp/etc

12. objrepos :
mkdir objrepos

13. , /home/ftp/etc/objrepos
drwxrwxr-x:
chmod 775 objrepos

14. /home/ftp/etc/objrepos root system


:
chown root:system objrepos

15. , security:
mkdir security

16. , /home/ftp/etc/security
drwxr-x:
chmod 750 security

17. /home/ftp/etc/security root security


:
chown root:security security

18. , /home/ftp/etc/security:
cd security

19. SMIT:
smit mkuser

test.
20. SMIT :
[test]
?


[staff]

[staff]
SU ?

[/home/test]

Enter, .
SMIT SMIT.
21. :
passwd test

, .
.
22. , /home/ftp/etc:
cd /home/ftp/etc

23. /etc/passwd /home/ftp/etc/passwd :


cp /etc/passwd /home/ftp/etc/passwd

24. /home/ftp/etc/passwd . :
vi passwd

25. , root, ftp test.


:
root:!:0:0::/:/bin/ksh
ftp:*:226:1::/home/ftp:/usr/bin/ksh
test:!:228:1::/home/test:/usr/bin/ksh


26. .
27. , /home/ftp/etc/passwd
-rw-r--r--:
chmod 644 passwd

28. /home/ftp/etc/passwd root security


:
chown root:security passwd

29. /etc/security/passwd /home/ftp/etc/security/passwd


:
cp /etc/security/passwd /home/ftp/etc/security/passwd

30. /home/ftp/etc/security/passwd . :
vi ./security/passwd

31. test.
32. flags = ADMCHG test.
:
test:
password = 2HaAYgpDZX3Tw
lastupdate = 990633278

33. .
34. , /home/ftp/etc/security/passwd
-rw-------:
chmod 600 ./security/passwd

35. /home/ftp/etc/security/passwd root


security :
chown root:security ./security/passwd

36. /home/ftp/etc/group . :
vi group

37. :
system:*:0:
staff:*:1:test

38. .
39. , /home/ftp/etc/group -rw-r--r-:
chmod 644 group

40. /home/ftp/etc/group root security


:
chown root:security group

41. /home/ftp/etc/security/group . :
vi ./security/group

42. :
system:
admin = true
staff
admin = false

43. . :
a. /etc/security/user /home/ftp/etc/security
:
cp /etc/security/user /home/ftp/etc/security
cd /home/ftp/etc/

b. test :
vi user


c. .
44. , /home/ftp/etc/security/group
-rw-r-----:
chmod 640 ./security/group

45. /home/ftp/etc/security/group root security


:
chown root:security ./security/group

46. /home/ftp/etc/objrepos:
cp /etc/objrepos/CuAt ./objrepos
cp /etc/objrepos/CuAt.vc ./objrepos
cp /etc/objrepos/CuDep ./objrepos
cp /etc/objrepos/CuDv ./objrepos
cp /etc/objrepos/CuDvDr ./objrepos
cp /etc/objrepos/CuVPD ./objrepos
cp /etc/objrepos/Pd* ./objrepos

47. , /home/ftp/home:
cd ../home

48. :
mkdir test

ftp.
49. /home/ftp/home/test test staff
:
chown test:staff test

50. /home/ftp/home/test -rwx------ :


chmod 700 test

51. .
:
chuser login=false rlogin=false test
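
The script below is an added example and is not part of the IBM manual or of AIX; it collects steps 22 through 46 and step 51 of the procedure above into one file so that the copied files, their ownerships and their modes can be reviewed in one place. It assumes that the /home/ftp skeleton was already created by anon.ftp in step 6 and that the restricted account is called test, as in the procedure; FTP_ROOT, FTP_USER and the function names are introduced here.

```shell
#!/bin/sh
# Added example, not IBM's code. Run with --apply as root to perform the
# steps; without arguments it only defines the functions.
FTP_ROOT=${FTP_ROOT:-/home/ftp}
FTP_USER=${FTP_USER:-test}

# keep_entries SRC DST NAME...: copy only the named colon-separated records
# (passwd/group format, name in field 1) into the chroot copy, so that no
# other account is visible there (steps 23-25 and 36-37).
keep_entries() {
    src=$1 dst=$2
    shift 2
    pat=
    for n in "$@"; do pat="${pat:+$pat|}$n"; done
    awk -F: -v pat="^($pat)\$" '$1 ~ pat' "$src" > "$dst"
}

# keep_stanzas SRC DST NAME...: copy only the named stanzas of an
# /etc/security file and drop "flags = ADMCHG", so the account is not
# forced to change its password inside the chroot (steps 29-33, 41-43).
keep_stanzas() {
    src=$1 dst=$2
    shift 2
    pat=
    for n in "$@"; do pat="${pat:+$pat|}$n"; done
    awk -v pat="^($pat):\$" '
        /^[^ \t*]/ { keep = ($0 ~ pat) }                       # stanza header
        keep && /^[ \t]*flags[ \t]*=[ \t]*ADMCHG[ \t]*$/ { next }
        keep' "$src" > "$dst"
}

# apply_modes: the ownership and mode table from steps 10-17, 27-28, 34-35,
# 39-40, 44-45 and 49-50 ("-" leaves the owner as created). Needs root.
apply_modes() {
    while read -r path owner mode; do
        [ "$owner" = "-" ] || chown "$owner" "$path"
        chmod "$mode" "$path"
    done <<EOF
$FTP_ROOT/home                  -                 755
$FTP_ROOT/etc/objrepos          root:system       775
$FTP_ROOT/etc/security          root:security     750
$FTP_ROOT/etc/passwd            root:security     644
$FTP_ROOT/etc/security/passwd   root:security     600
$FTP_ROOT/etc/group             root:security     644
$FTP_ROOT/etc/security/group    root:security     640
$FTP_ROOT/home/$FTP_USER        $FTP_USER:staff   700
EOF
}

apply() {
    mkdir -p "$FTP_ROOT/home/$FTP_USER" "$FTP_ROOT/etc/objrepos" "$FTP_ROOT/etc/security"
    keep_entries /etc/passwd          "$FTP_ROOT/etc/passwd"          root ftp "$FTP_USER"
    keep_entries /etc/group           "$FTP_ROOT/etc/group"           system staff
    keep_stanzas /etc/security/passwd "$FTP_ROOT/etc/security/passwd" "$FTP_USER"
    keep_stanzas /etc/security/group  "$FTP_ROOT/etc/security/group"  system staff
    keep_stanzas /etc/security/user   "$FTP_ROOT/etc/security/user"   "$FTP_USER"
    for f in CuAt CuAt.vc CuDep CuDv CuDvDr CuVPD; do        # step 46
        cp "/etc/objrepos/$f" "$FTP_ROOT/etc/objrepos"
    done
    cp /etc/objrepos/Pd* "$FTP_ROOT/etc/objrepos"
    apply_modes
    chuser login=false rlogin=false "$FTP_USER"               # step 51
}

case ${1:-} in --apply) apply ;; esac
```

The member list of the staff entry in the copied group file (field 4) still has to be pruned by hand as in step 37, since keep_entries keeps each record exactly as it appears in /etc/group.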

ftp. , :
1. ftp , test. :
ftp MyHost

2. anonymous. ,
Enter.
3. test :
user test

, 21 . 54
4.

pwd . :
ftp> pwd
/home/test

/home/test ftp.
- /home/ftp/home/test.
:
v ftp sub. , test - ftp sub.
v ftp anonymous anon.users.ftp
, username .
v chroot ,
anonymous , , fileftpaccess.ctl,


, ~/etc/, .
'writeonly', 'readonly' 'readwrite' /etc/ftpaccess.ctl
chrooted.
:
v " TCP/IP"
v " ftp" AIX 5L 5.3:


AIX ,
root system .
: .
(*)
/etc/security/passwd. root .
root, .
:
adm

adm :
v , /usr/sbin/perf/diag_tool.
v , :
/usr/sbin/acct
/usr/lib/acct

bin

/var/adm
/var/adm/acct/fiscal
/var/adm/acct/nite
/var/adm/acct/sum

bin .
-
, root sys.

daemon
daemon
. ,
.
nobody
nobody (NFS) .
root root. ,
RPC NFS, /etc/public NIS
, . root
:
newkey -u _

nobody,
chkey, root.
root

root UID 0
.

sys

sys (DFS)
, DFS .
, /usr/sys .


system system - , .
system .
root.
, :
.
,
.
, .
: (,
CAPP/EAL4). ,
AIX, AIX.
, :
v ,
:
chuser "account_locked=true" <username>

v , , . :
uucp nuucp, bos.net.uucp
.
,
:
5. , .

uucp, nuucp

, uucp. uucp
UNIX-to-UNIX Copy Program,
, ,
AIX .

lpd

guest

, .

, :
6. , .

uucp

uucp nuucp

printq

lpd.

, .
. .
, :
, LDAP OpenSSH
.
:
v Internet (IP): IP ipsec ipsec
. . ,
/usr/lpp/group.id.keymgt .


v Kerberos (PKI):
.
v LDAP: LDAP, ldap.
ldap . LDAP,
DB2. DB2 dbsysadm. dbsysadm
400. LDAP mksecldap ldapdb2.
v OpenSSH: OpenSSH, sshd sshd.
.
SSH .

- .
.
AIX , , ,
:
v
v
v
:
.
, :
v ,
v , . , :
~!@#$%^&*()-_=+[]{}|\;:'",.<>?/<>
v
v , /etc/security/passwd (
,
LDAP)
v ,
v ( - qwerty)
v ,
v ,
v ,
v ,

, ,
UNIX, . dictionlist,
bos.data bos.txt.
dictionlist /etc/security/users
:
dictionlist = /usr/share/dict/words

/usr/share/dict/words dictionlist
UNIX .
/etc/passwd:


/etc/passwd ,
.
/etc/passwd , :
v
v
v (UID)
v
v
v
v

(GID)
(GECOS)

/etc/passwd:
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:*:11:11::/var/spool/lp:/bin/false
invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh
nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
paul:!:201:1::/home/paul:/usr/bin/ksh
jdoe:*:202:1:John Doe:/home/jdoe:/usr/bin/ksh

UNIX, AIX /etc/password,


/etc/security/password 1, root.
/etc/passwd AIX , .
/etc/passwd root ,
- root, -rw-r--r--.
, (!) ( ).
, (*).
/etc/security/passwd.
/etc/security/passwd, /etc/passwd.
guest:
password = *
nobody:
password = *
lpd:
password = *
paul:
password = eacVScDKri4s6
lastupdate = 1026394230
flags = ADMCHG

jdoe /etc/security/passwd,
/etc/passwd.

1. /etc/security/password


/etc/passwd pwdck. pwdck


,
.
/etc/passwd :
,
.
, /etc/passwd .
/etc/passwd .
,
/etc/passwd, (NIS) NIS+.
NIS NIS+ NIS
NIS+ . 238.
:
.
.netrc .
. , :
# find `awk -F: '{print $6}' /etc/passwd` -name .netrc -ls

, . - Kerberos.
Kerberos Kerberos . 258.
:
.
.

.
/etc/security/user,
.
. . ,
/etc/security/user,
. .
. pwdchecks
/etc/security/user ()
. ,
.
. 63.
.
: ,
,
, . ,
. ,
-
.


,
, /etc/security/user.
7. .

/usr/share/dict/words

dictionlist


UNIX.

histexpire

,


.

26

260*

histsize

20

50

maxage

-

.

52

maxexpired


maxage,

. (
-
root.)

-1

52

maxrepeats

minage

-
.


,




,

.

52

minalpha

mindiff

minlen

6 (8 -
root)

minother


,
, .

pwdwarntime


7. . ()

pwdchecks



passwd


.

* 50 .
Controlled Access Protection Profile and Evaluation Assurance Level 4+
(CAPP/EAL4+) . 13.
, dictionlist
/usr/share/dict/words.
minother 0. ,
minother, minother 1
.
: minlen
minalpha minother. 8 .
minalpha minother 8.
minother 8 minalpha.
histexpire histsize, ,
, 50 . .
/etc/security/user
. ,
chuser.
, mkuser, lsuser rmuser. mkuser
/etc/security/user
/usr/lib/security/mkuser.default. lsuser
. rmuser .
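
The functions below are an added example and are not IBM's code. They apply the /etc/security/user restrictions from Table 7 to a candidate password the way the passwd command does, including the rule stated above that minother is reduced to 8 - minalpha when minalpha + minother exceeds 8. The attribute names are the manual's; the dictionary argument is any one-word-per-line file such as the one dictionlist names; the function names and argument order are introduced here.

```shell
#!/bin/sh
# Added example, not IBM's code: checks a password against the Table 7
# attributes. Values would normally be read with lssec from the default
# or user stanza of /etc/security/user.

# effective_minother MINALPHA MINOTHER: the minother value actually enforced
effective_minother() {
    if [ $(($1 + $2)) -gt 8 ]; then
        o=$((8 - $1))
        [ "$o" -ge 0 ] || o=0
        echo "$o"
    else
        echo "$2"
    fi
}

# pwd_check NEW OLD MINLEN MINALPHA MINOTHER MAXREPEATS MINDIFF [DICTFILE]
# Prints every violated rule; returns 0 only if the password is acceptable.
pwd_check() {
    pw=$1 old=$2 minlen=$3 minalpha=$4 maxrepeats=$6 mindiff=$7 dict=${8:-}
    minother=$(effective_minother "$4" "$5")
    ok=0
    len=$(printf %s "$pw" | wc -c); len=$((len + 0))
    alpha=$(printf %s "$pw" | tr -cd 'A-Za-z' | wc -c); alpha=$((alpha + 0))
    other=$((len - alpha))
    [ "$len" -ge "$minlen" ]     || { echo "shorter than minlen=$minlen"; ok=1; }
    [ "$alpha" -ge "$minalpha" ] || { echo "fewer than minalpha=$minalpha letters"; ok=1; }
    [ "$other" -ge "$minother" ] || { echo "fewer than minother=$minother non-letters"; ok=1; }
    if [ "$maxrepeats" -gt 0 ]; then
        # maxrepeats caps how many times any single character may occur
        rep=$(printf %s "$pw" | awk '{ for (i = 1; i <= length($0); i++)
                  if (++n[substr($0, i, 1)] > m) m = n[substr($0, i, 1)] } END { print m + 0 }')
        [ "$rep" -le "$maxrepeats" ] || { echo "a character occurs more than maxrepeats=$maxrepeats times"; ok=1; }
    fi
    if [ "$mindiff" -gt 0 ]; then
        # mindiff: characters of the new password that do not occur in the old one
        new=$(printf '%s\n%s' "$old" "$pw" | awk '
            NR == 1 { for (i = 1; i <= length($0); i++) seen[substr($0, i, 1)] = 1; next }
            { for (i = 1; i <= length($0); i++) { c = substr($0, i, 1)
                  if (!(c in seen) && !(c in cnt)) { cnt[c] = 1; d++ } } }
            END { print d + 0 }')
        [ "$new" -ge "$mindiff" ] || { echo "fewer than mindiff=$mindiff characters differ from the old password"; ok=1; }
    fi
    if [ -n "$dict" ] && grep -Fxq -- "$pw" "$dict"; then
        echo "found in dictionary $dict"; ok=1
    fi
    return $ok
}
```

With minalpha = 7 and minother = 3 the sum exceeds 8, so an eight-character password with seven letters and one digit is accepted: the enforced minother is 1, exactly as the note above describes.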
:
, (
), .
, ,
. pwdchecks
/etc/security/user.
pwdrestrict_method,
, AIX 5L 5.3: .
,
.
. login,
passwd, su .
.


, , .


. ,
(
). , :
. /etc/passwd
/etc/security/passwd.
.
ASCII.
. ,
LDAP,
LDAP. /etc/security/user
( SYSTEM registry).
(, ,
), AIX,
.
, , ,
(newuser, getentry, putentry ..)
SYSTEM,
/etc/security/user. SYSTEM
,
. , (DCE) ,
, etc/passwd /etc/security/passwd.
SYSTEM ,
.
: compat, DCE, files NONE.
compat. SYSTEM=compat ,
( ) , -
NIS. files , , SYSTEM=DCE
DCE.
NONE .
NONE SYSTEM auth1 .

. , SYSTEM=DCE OR compat
, ,
DCE (crypt()).
.
SYSTEM . ,
SYSTEM SYSTEM=KRB5files OR compat, AIX
Kerberos, , ,
AIX.
SYSTEM registry /etc/security/user .
AIX LDAP SYSTEM
registry, /etc/security/user .
SYSTEM registry chuser.
SYSTEM /usr/lib/security/methods.cfg.


: root .
SYSTEM root /etc/security/user SYSTEM=compat.
SYSTEM,
/etc/security/user. , (DCE) ,
, /etc/passwd
/etc/security/passwd. /etc/security/user ,
DCE, SYSTEM=DCE.
SYSTEM - compat, files NONE. compat
, ( )
, - NIS. files ,
. NONE .
NONE SYSTEM auth1 .
SYSTEM /usr/lib/security/
methods.cfg.
: root .
SYSTEM root /etc/security/user SYSTEM = "compat".

.


,
.
.

,
AIX .
, ,
. ,
- . ,
.
: PKI Kerberos ,
( LOCAL LDAP). ()
, LOCAL LDAP.
, LOCAL LDAP.
8.

NIS/NIS+

LDAP

PKI

Kerberos

account_locked

admgroups

admin

auditclasses

auth_cert

auth_domain

auth_name


8. ()

NIS/NIS+

LDAP

PKI

Kerberos

auth1
: auth1 ;
.

auth2
: auth2 ;
.

capabilities

core

core_compress

core_hard

core_naming

core_path

core_pathname

cpu

daemon

data

data_hard

dce_export

dictionlist

expires

flags

fsize

fsize_hard

funcmode

gecos

groups

groupsids

histexpire

home

host_last_login

host_last_unsuccessful_login

hostsallowedlogin

hostsdeniedlogin

id

krb5_attributes

krb5_kvno

krb5_last_pwd_change

krb5_max_renewable_life

krb5_mknvo

krb5_mod_date

krb5_mod_name

krb5_names

krb5_principal

krb5_principal_name

krb5_realm


8. ()

NIS/NIS+

LDAP

PKI

Kerberos

lastupdate

login

loginretries

logintimes

maxage

maxexpired

maxrepeats

maxulogs

minage

minalpha

mindiff

minlen

minother

nofiles

nofiles_hard

password

pgid

pgrp

projects

pwdchecks

pwdwarntime

rcmds

registry

rlogin

roles

rss

rss_hard

screens

shell

spassword

stack

stack_hard

su

sugroups

sysenv

SYSTEM

time_last_login

time_last_unsuccessful_login

tpath

tty_last_login

tty_last_unsuccessful_login

ttys

umask

unsuccessful_login_count


8. ()

NIS/NIS+

LDAP

PKI

Kerberos

unsuccessful_login_times

usrenv

9.

NIS/NIS+

LDAP

PKI

Kerberos

admin

adms

dce_export

id

primary

projects

screens

users



, .
:
, Berkeley Disk Quota System,
.
.
(JFS JFS2).
,
edquota ( JFS) j2edlimit (
JFS2):
v
v
v
1 ,
.
,
.
( - ) .

, ,
.
, .
quota.user quota.group.
, .
quotacheck edquota, quota.
:



.

:
v , , ,
, .
v , vi, Esc- ,
, .
, C Korn , Ctrl-Z,

fg (foreground).
v , , ,
.
:
, ,
.
:
v .
v .
v ( ).
,
.
.
: /tmp.
:
1. root.
2. , .
:
/tmp, .
3. chfs userquota groupquota /etc/filesystems.
chfs
/home:
chfs -a "quota = userquota" /home

/home :
chfs -a "quota = userquota,groupquota" /home

/etc/filesystems :
/home:
        dev      = /dev/hd1
        vfs      = jfs
        log      = /dev/hd8
        mount    = true
        check    = true
        quota    = userquota,groupquota
        options  = rw

4. , .
quota.user quota.group , ,
. .
userquota groupquota /etc/filesystems.
chfs
/home, myquota.user myquota.group:
chfs -a "userquota = /home/myquota.user" -a "groupquota = /home/myquota.group" /home

/etc/filesystems :
/home:
        dev        = /dev/hd1
        vfs        = jfs
        log        = /dev/hd8
        mount      = true
        check      = true
        quota      = userquota,groupquota
        userquota  = /home/myquota.user
        groupquota = /home/myquota.group
        options    = rw

5. , .
6. . edquota

.
davec:
davec:
/home: blocks in use: 30, limits (soft = 100, hard = 150)
inodes in use: 73, limits (soft = 200, hard = 250)

30 100 .
200 davec 73.
50 50 .
, edquota -p,
.
davec nanc :
edquota -p davec nanc

7. quotaon. quotaon
, -a, ,
( /etc/filesystems).
8. quotacheck
.
:
.
,
/etc/rc :
echo " "
/usr/sbin/quotacheck -a
/usr/sbin/quotaon -a
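
The script below is an added example and is not part of the IBM manual or of AIX. It wraps the enabling commands of steps 3, 7 and 8 for one file system and parses the report format shown in step 6 (the davec example), so that a file of such reports can be scanned for users who are over a soft or hard limit. The function names and the --enable/--report options are introduced here.

```shell
#!/bin/sh
# Added example, not IBM's code.

# enable_quotas FS: steps 3, 7 and 8 for one JFS file system (needs root)
enable_quotas() {
    chfs -a "quota = userquota,groupquota" "$1"
    quotacheck "$1"
    quotaon "$1"
}

# quota_report FILE: FILE holds report stanzas in the format of step 6:
#   davec:
#   /home: blocks in use: 30, limits (soft = 100, hard = 150)
#           inodes in use: 73, limits (soft = 200, hard = 250)
# Prints "user fs kind used/soft/hard STATE" per line (a limit of 0 means
# no limit) and returns 1 if any user is over a soft or hard limit.
quota_report() {
    awk '
        /^[^ \t].*:$/ && !/in use:/ { user = $0; sub(/:$/, "", user); next }
        /in use:/ {
            kind = ($0 ~ /blocks in use/) ? "blocks" : "inodes"
            if ($0 ~ /^\//) { fs = $1; sub(/:$/, "", fs) }     # inode line inherits fs
            used = $0; sub(/.*in use: */, "", used); sub(/,.*/, "", used)
            soft = $0; sub(/.*soft = */, "", soft); sub(/,.*/, "", soft)
            hard = $0; sub(/.*hard = */, "", hard); sub(/\).*/, "", hard)
            if (hard + 0 > 0 && used + 0 > hard + 0)      state = "OVER_HARD"
            else if (soft + 0 > 0 && used + 0 > soft + 0) state = "OVER_SOFT"
            else                                          state = "OK"
            if (state != "OK") over++
            printf "%s %s %s %d/%d/%d %s\n", user, fs, kind, used, soft, hard, state
        }
        END { exit over ? 1 : 0 }' "$1"
}

case ${1:-} in
    --enable) enable_quotas "$2" ;;
    --report) quota_report "$2" ;;
esac
```

A user between the soft and hard limit is reported as OVER_SOFT, which corresponds to the grace period described above; OVER_HARD means the hard limit, which cannot be exceeded, has been reached.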



, ACL , (ACE).
ACE .
ACL,
, , . ACL
- (DAC),
AIX.
,
. ,
:
v
v
v IPC, ,

. System V Interprocess Communication (SVIPC)
, . ,
,
. (
), ( ).
.

.
,
. ,
.
, ACL, ( ),
. , ACL ,
, .
,
. .
, .
:

System V Interprocess Communication (SVIPC)


, . SVIPC ,
( ).
root.
SVIPC , .

(
).

.
-, . ( SVIPC
, .
.)


chmod ( )
. chmod, ,
. chmod ACL
. chmod ,
, ACL NSF4,
ACL AIXC.
chmod.
, , ACL,
. ACL .
AIX . ,
ACL, . ACL
ACE; ACE
. ACL,
AIX 5.3, . ACL ACL
AIXC.
, ACL
(PFS). PFS ACL, ,
.
ACL ( )
, ACL . AIX 5.3
, AIX, ACL . JFS2
GPFS ACL NFS 4. AIX
ACL NFS4. ACL ACL
NFS 4. , ACL NFS4
ACL AIXC , .


5.3.0, AIX ACL, ACL
.
ACL .
:
ACL
, aclget, aclput, acledit, aclconvert aclgetttypes.
, ACL .
ACL
ACL ,
ACL.
ACL
AIX ,
AIX (AIXC) NFS4 (nfs4).
:
, , JFS2 ACL
AIX , .
, ,
ACL ( NFS4), . ,
, ACL NFS4, .


, AIX
AIX ACL AIXC NFS4.
, AIX , ACL ,
. , JFS2 PFS
ACL NFS4 ,
2.
AIXC:
ACL AIXC , ACL AIX 5.3.0. ACL AIXC
.
(ACL) AIXC , ACL AIX 5.3.0.
ACL AIXC . JFS2
ACL AIXC 4 .
ACL AIXC
- , ,
. : (r read), (w - write) / (x - execute).
rwx (
(-) ):
base permissions:
owner(name):
group(group):
others:

ACL AIXC
AIXC :
setuid (SUID)
Set-user-ID.
.
setgid (SGID)
Set-group-ID.
.
savetext (SVTX)
,
.
:
attributes: SUID, SGID, SVTX

ACL AIXC
.
(,
), , ,
. .
permit, deny specify :


permit
deny
specify

deny specify -
, .
ACL enabled.
disabled.
ACL :
extended permissions:
enabled | disabled
permit
...
deny
...
specify ...

permit, deny specify . Mode


rwx ( (-)). UserInfo
u:UserName, g:GroupName, u:UserName
g:GroupName.
: ,
,
.
ACL AIXC
ACL AIXC:
Attributes: { SUID | SGID | SVTX }
Base Permissions:
owner(name):
group(group):
others:
Extended Permissions:
enabled | disabled
permit
...
deny
...
specify ...

ACL AIXC
ACL AIXC /usr/include/sys/acl.h
AIX.
ACL AIXC
AIXC:
attributes: SUID
base permissions:
    owner(frank):  rw-
    group(system): r-x
    others:        ---
extended permissions:
    enabled
    permit   rw-   u:dhs
    deny     r--   u:chas, g:system
    specify  r--   u:john, g:gateway, g:mail
    permit   rw-   g:account, g:finance

ACL:
v , setuid.
v , , .
v .
.
. chown
chgrp.
v , , .
v , .
v .
dhs (r) (w).
v (r) chas
system.
v , john
gateway mail, (r). john
, .
v ,
account finance, (r) (w).
: , ,
, , ,
, , .
acledit AIX 5L 5.3:
.
NFS4:
AIX (ACL) NFS4.
, ACL NFS4, RFC
3530, NFS 4. JFS2 ACL NFS4
64 .
NFS V4 NFS V4 ACL. Cachefs, Proxy, NFS V4 ACL.
ACL NFS4
ACL NFS V4 (ACE),
. ACE
:
IDENTITY

ACE_TYPE

ACE_MASK

ACE_FLAGS

IDENTITY => 'IDENTITY_type:(IDENTITY_name or IDENTITY_ID or IDENTITY_who):'

IDENTITY_type => type of the identity:
    u : user
    g : group
    s : special "who" string (only the IDENTITY_who form is used
        with this type)

IDENTITY_name => user name / group name
IDENTITY_ID   => user ID / group ID
IDENTITY_who  => special "who" string (for example OWNER@, GROUP@, EVERYONE@)

ACE_TYPE => type of the ACE:
    a : allow
    d : deny
    l : alarm
    u : audit

ACE_MASK => access mask bits:
    r : READ_DATA or LIST_DIRECTORY
    w : WRITE_DATA or ADD_FILE
    p : APPEND_DATA or ADD_SUBDIRECTORY
    R : READ_NAMED_ATTRS
    W : WRITE_NAMED_ATTRS
    x : EXECUTE or SEARCH_DIRECTORY
    D : DELETE_CHILD
    a : READ_ATTRIBUTES
    A : WRITE_ATTRIBUTES
    d : DELETE
    c : READ_ACL
    C : WRITE_ACL
    o : WRITE_OWNER
    s : SYNCHRONIZE

ACE_FLAGS (optional) => inheritance and audit flags:
    fi : FILE_INHERIT
    di : DIRECTORY_INHERIT
    oi : INHERIT_ONLY
    ni : NO_PROPAGATE_INHERIT
    sf : SUCCESSFUL_ACCESS_ACE_FLAG
    ff : FAILED_ACCESS_ACE_FLAG

: SYNCHRONIZE Ace_Mask, s, AIX


. AIX s,
AIX.
WRITE_OWNER Ace_Mask Ace_Type allow,
.
: DELETE
DELETE_CHILD . AIX
. DELETE ACL AIXC.
DELETE ACL NFS4.
chdev:
chdev -l sys0 -a nfs4_acl_compat=compatible

, chdev, .
, ACL NFS4, AIX
,
.
:
u:user1(aa@ibm.com):
*s:(OWNER@):
g:staff(jj@jj.com):
s:(GROUP@):
u:2:
g:7:
s:(EVERYONE@):

a
d
a
a
d
a
a

rwp
fidi
x
dini
rx
rwpx fioi
r
di
ac
fi
rca ni

* -
* (uid=2)
* (gid=7)

ACL NFS4
ACL NFS4 /usr/include/sys/acl.h
AIX.


ACL NFS4
ACL NFS4 (, j2eav2/d0):
s:(OWNER@):
s:(OWNER@):
s:(GROUP@):
s:(GROUP@):
s:(EVERYONE@):
s:(EVERYONE@):
u:user1:
g:grp1:
u:101:
g:100:

a
d
d
a
a
d
a
d
a
d

rwpRWxDdo
D
x
rx
c
C
wp
wp
C
c

difi
difi
ni
difi
difi
difi
oi

*
*
*
*
*
*
*
*
*
*

ACE
ACE
ACE
ACE
ACE
ACE
ACE
ACE
ACE
ACE

ACL:
v ACE , /j2eav2/d0
, ACL:
READ_DATA ( = LIST_DIRECTORY)
WRITE_DATA (=ADD_FILE )
APPEND_DATA ( = ADD_SUBDIRECTORY )
READ_NAMED_ATTR
WRITE_NAMED_ATTR
EXECUTE (=SEARCH_DIRECTORY)

DELETE_CHILD
DELETE
WRITE_OWNER
ACE , DELETE_CHILD (
, /j2eav2),
ACE, DELETE_CHILD.
ACE , (/j2eav2/d0)
EXECUTE (=SEARCH_DIRECTORY), ACE.
ACE , NO_PROPAGATE_INHERIT.
ACE /j2eav2/d0,
.
ACE , (/j2eav2/d0)
READ_DATA (= LIST_DIRECTORY) EXECUTE (=SEARCH_DIRECTORY)
/j2eav2/d0 . ACE (
) EXECUTE (=SEARCH_DIRECTORY) /j2eav2/d0
.
ACE , READ_ACL
/j2eav2/d0 , ACL.

v ACE , WRITE_ACL
/j2eav2/d0 .
NFS4 WRITE_ACL.
v ACE , user1 WRITE_DATA (=ADD_FILE)
APPEND_DATA (= ADD_SUBDIRECTORY) /j2eav2/d0,
/j2eav2/d0.
v ACE , grp1 WRITE_DATA (=ADD_FILE )
APPEND_DATA ( =ADD_SUBDIRECTORY). ACE
, grp1.
v ACE , UID 101 WRITE_ACL,
, , WRITE_ACL.


v ACE , GID 100 READ_ACL,


.


ACL. AIX
ACL WSM (Web- )
.

ACL ACL, .

ACL
ACL :
aclget

ACL FileObject
outAclFile, , .

aclput ACL FileObject,


inAclFile.
acledit ACL FileObject.
aclconvert
ACL . ,
.
aclgettypes
ACL, .

ACL
ACL ,
ACL. (
ACL) ACL .
,
ACL . ,
,
-
AIX.
.
aclx_fget aclx_get
aclx_get aclx_fget
, acl.
acl *acl_sz *acl_type.
aclx_fput aclx_put
aclx_put aclx_fput , acl,
, . ACL;
aclx_convert.
aclx_gettypes
aclx_gettypes ACL,
. ACL.
ACL.
aclx_gettypeinfo
aclx_gettypeinfo ACL ,
. ACL ,


ACL. ,
AIXC NFS4, .
aclx_print aclx_printStr
ACL, , .
aclget acledit.
aclx_scan aclx_scanStr
ACL, ,
.
aclx_convert
ACL .
, cp, mv tar.

ACL
ACL . ACL
.
ACL. , AIXC,
AIXC, NFS4. ACL
AIXC , ACL
NFS . ACL
.
: .
.
ACL.
ACL AIX :

ACL ACL
.
aclconvert
ACL.
aclput acledit
ACL.
cp mv
ACL.
ACL.
backup
ACL (ACL AIXC),
. ACL
-U.
.
ACL ,
ACL. , ,
, . .
, NFS4 AIXC, NFS4
16 ,
ACL AIXC). ,
ACL.
: ACL .


S-
setuid setgid, S-
.

setuid setgid

. setuid setgid.
AIX uid gid. ACL,
, AIX.
, ACL NFS4
@, UID GID.
, ,
.
, setuid setgid.
, . setuid
, setgid -
. .
, ,
. , setuid setgid
. ,
.
, ,
. ,
, ,
.
: setuid setgid
.

S- ACL
ACL NFS4 S-. ACL NFS4
. AIX S-
, ACL NFS4. S- ,
ACL NFS4, chmod.


.
. ,
0, .
, 0, root-user.
:
v .
v .
v setuid-root.


: su
setuid-root. su
root. , su ,
.
setuid-root - , root
setuid. setuid-root
, : ,
.
setuid-root, .


login su,
,
. .
0 root.
. , root ,
, .

ACL AIXC
.
, .
, , , (
others). , : ,
.
, , ( )
:
v (ACE), (ACL),
.
, .
, ACL.
ACL,
, .
v (.. )
(.. ), .
.
ACL ,
.
USER ,
GROUP
. , :
USER:fred, GROUP:philosophers, GROUP:software_programmer

fred
:
philosophers, philanthropists, software_programmer, doc_design

fred
:
philosophers, iconoclasts, hardware_developer, graphic_design


,
:
USER:fred, GROUP:philosophers

, ACL ,
, .

. System V Interprocess Communication (SVIPC)
, . ,
,
. (
), ( ).
.

.
,
. ,
.

ACL NFS4
, _ACL, .
WRITE_ACL. ACL
NFS4 :
v ACE .
, "who" (.. ), .
ACE,
who EVERYONE@.
v ACE , ,
. , ,
ACE.
v , ,
ACE .
v ACL ,
, .
ACE ,
, , root,
. , READ_ACL,
WRITE_ACL, READ_ATTRIBUTES WRITE_ATTRIBUTES.
NFS4 . 75.
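
The function below is an added example and is not part of the IBM manual or of AIX. It evaluates an NFS4 ACL written in the text format shown on the preceding pages (one ACE per line: identity, type, mask, flags) against a requested access mask, following the rules just given: ACEs are read in order, each requested bit is settled by the first allow or deny ACE whose identity covers the caller and whose mask names that bit, and any bit still undecided at the end is denied. ACEs flagged INHERIT_ONLY (oi) are skipped because they never apply to the object itself, and audit/alarm ACEs grant nothing. The caller's owner and owning-group status are passed in explicitly; the function names and argument order are introduced here, and the sample ACL is constructed after the first example above with the OWNER@ line made active.

```shell
#!/bin/sh
# Added example, not IBM's code.
#
# nfs4_check ACLFILE USER GROUPS IS_OWNER IN_OWNING_GROUP MASK
#   GROUPS is a comma-separated list (names or numeric GIDs); IS_OWNER and
#   IN_OWNING_GROUP are y or n. Prints the verdict, returns 0 if allowed.
nfs4_check() {
    awk -v user="$2" -v groups=",$3," -v owner="$4" -v ogroup="$5" -v req="$6" '
        # Does the ACE identity (u:name, g:name, s:(WHO@), optionally with
        # a "(realm)" suffix and trailing colon) cover this caller?
        function covers(id,    name) {
            if (id ~ /^s:/) {
                gsub(/^s:\(|\):?$/, "", id)
                return id == "EVERYONE@" || (id == "OWNER@" && owner == "y") || (id == "GROUP@" && ogroup == "y")
            }
            name = substr(id, 3); sub(/\(.*/, "", name); sub(/:$/, "", name)
            if (id ~ /^u:/) return name == user
            if (id ~ /^g:/) return index(groups, "," name ",") > 0
            return 0
        }
        BEGIN { for (i = 1; i <= length(req); i++) pending[substr(req, i, 1)] = 1 }
        /^[*#]/ || NF < 3 { next }                       # comment or blank line
        {
            type = $2; mask = $3; flags = (NF >= 4) ? $4 : ""
            if (type != "a" && type != "d") next         # audit/alarm ACEs decide nothing
            if (flags ~ /oi/) next                       # INHERIT_ONLY: not for this object
            if (!covers($1)) next
            for (i = 1; i <= length(mask); i++) {        # first ACE naming a bit wins
                b = substr(mask, i, 1)
                if (b in pending) { decided[b] = type; delete pending[b] }
            }
        }
        END {
            verdict = "allowed"
            for (b in pending) { verdict = "denied"; why = why " " b ":undecided" }
            for (b in decided) if (decided[b] == "d") { verdict = "denied"; why = why " " b ":denied" }
            print verdict why
            exit (verdict == "allowed") ? 0 : 1
        }' "$1"
}

# sample_acl FILE: constructed ACL for trying the checker (modelled on the
# first NFS4 example above, with the OWNER@ line active).
sample_acl() {
    cat > "$1" <<'EOF'
u:user1(aa@ibm.com):    a    rwp     fidi
s:(OWNER@):             d    x       dini
g:staff(jj@jj.com):     a    rx
s:(GROUP@):             a    rwpx    fioi
u:2:                    d    r       di
g:7:                    a    ac      fi
s:(EVERYONE@):          a    rca     ni
EOF
}
```

Two results are worth noting: a member of the owning group asking for rwpx is denied, because the GROUP@ ACE that would grant it is inherit-only and w, p and x stay undecided; and UID 2 asking for r is denied by its own ACE even though EVERYONE@ would allow r later, which is the ordering rule described above.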


(ACL).

NFS4
,
ACL NFS4 , .
aclput acledit.



echo $? aclput.
:
22 (EINVAL, /usr/include/sys/errno.h)
:
v - 4 .
v ACL NFS4 64 .
v ACL , ACE
w (WRITE_DATA), p (APPEND_DATA ), p (APPEND_DATA), w
(WRITE_DATA).
v ACL , ACE
w (WRITE_DATA), p (APPEND_DATA), p (APPEND_DATA), w ( WRITE_DATA),
fi (FILE_INHERIT).
v ACE OWNER@,
who (Identity), ACE c (READ_ACL), C (WRITE_ACL), a
(READ_ATTRIBUTE) A (WRITE_ATTRIBUTE) ACE d.
124 (ENOTSUP, /usr/include/sys/errno.h)
:
v who (OWNER@, GROUP@
EVERYONE@) ACE.
v u (AUDIT) l (ALARM).
13 (EACCES, /usr/include/sys/errno.h)
:
v , ACE NFS4.
v ,
x ().
v ACL. ACL NFS4,
, , ACE C (WRITE_ACL).


. ,
ACL
NFS4. , /j2v2/file1 ACL NFS4:
s:(EVERYONE@):    a    acC

input_acl_file ACL:
s:(EVERYONE@):    a    rwxacC

:
1. Trace the aclput command and produce the report with trcrpt using the following commands:
$ trace -j 478 -o trc.raw
$->!aclput -i input_acl_file -t NFS4 /j2v2/file1
$ ->quit
$ trcrpt trc.raw > trc.rpt

2. . ACL
ACL, ACL.
:


478 xxx xxx ACL ENGINE: chk_access entry: type=NFS4 obj_mode=33587200 size=68 ops=16384 uid=100
478 xxx xxx ACL ENGINE: chk_access exit: type=NFS4 rc=0 ops=16384 priv=0 against=0
478 xxx xxx ACL ENGINE: set_acl entry: type=NFS4 ctl_flg=2 obj_mode=33587200 mode=0 size=48
478 xxx xxx ACL ENGINE: validate_acl: type=NFS4 rc=22 ace_cnt=1 acl_len=48 size=12
478 xxx xxx ACL ENGINE: set_acl exit: type=NFS4 rc=22 obj_mode=33587200 size=68 cmd=536878912

, chk_access exit, ACL (rc = 0).


, validate_acl, , set_acl exit, , ACL
(rc=22 EINVAL). , validate_acl, ,
ACE (ace_cnt=1). ACE,
s:(EVERYONE@): a
rwxacC), , p.
w p.


( ) ,
ACL NFS4, . ,
.
. ,
/j2v2/file2 ACL NFS4:
s:(EVERYONE@):    a    rwpx

" ":
ls -l /j2v2/file2

:
1. , ls -l /j2v2/file2, trcrpt :
$ trace -j 478 -o trc.raw
$->!ls -l /j2v2/file2
$ ->quit
$ trcrpt trc.raw > trc.rpt

2. . :
478 xxx xxx ACL ENGINE: chk_access entry: type=NFS4 obj_mode=33587711 size=68 ps=1024 uid=100
478 xxx xxx ACL ENGINE: nfs4_chk_access_self: type=NFS4 aceN=1 aceCnt=1 req=128 deny=0
478 xxx xxx ACL ENGINE: nfs4_mask_privcheck: type=NFS4 deny=128 priv=128
478 xxx xxx ACL ENGINE: chk_access exit: type=NFS4 rc=13 ops=1024 priv=0 against=0

, = 128 (0x80),
READ_ATTRIBUTES (. /usr/include/sys/acl.h).


,
. , ,
.


, .
v . 85
v . 85
v . 85
.



(TCB) (
), ( ).
, . ,
/
. , ,
, .
( ),
( ). ,
, ,
.
/
.
audit, .
, , /etc/security/audit/
config


.
, ,
, .
,
, ( , ,
), , .
.
( ) :

, .

,
. .
- ,
. , .
,
.
,
. , ,
,
, .


.
,
. .
( auditselect ,
SQL). ,
.
, ,
.


, , ,
. -,
, -
.


, .
, , ,
.
, -
(TCB). TCB,
,
.
.


.
, TCB
, ,
.


:
. TCB
auditlog auditwrite, TCB, ,
.
.
, ,
. : ,
. ( ).
(, ,
, tty,
), .
, .
.
,
(SVC),
. ,
.


,
, .
/usr/include/sys/audit.h. .
/etc/security/audit/events.
,
, ,
.
. , ,


login , ,
auditlog .
( , ) ,
. , -
.


.
, .


:

, ,
.
.
.
,
. ,
, .

.
, (
).
, . ,
,
(//).


(
).
,
.
.

-. ,
. - ,
( ), .
,
. ,
-, . ,
, , .
.
:


1. .

-
. -
trace. -,
. . ,
-,
, auditcat.
( auditcat), /etc/security/audit/config
freespace. 512-
, syslog.
, binmode start /etc/security/audit/config
panic. freespace bin ,
25 ,
. bytethreshold binsize 65536 .
. ,
.
/dev/audit.
. , , .
:


2. .

,
, , .
- ,
( , - ).

, ,
.


auditselect, auditpr
auditmerge. ,
, .
auditselect
, SQL-like, .
, exec(), afx, :
auditselect -e "login==afx && event==PROC_Execute"

auditpr
, .


.
auditpr:
auditpr -v -hhelrtRpPTc

-v, ,
, , (.
/etc/security/audit/events).
auditmerge
.
. auditmerge

.
auditpr. ,
auditmerge auditptr:
auditmerge trail.system1 trail.system2 | auditpr -v -hhelrRtpc

:

watch. ,
.
, FILE_Open vi /etc/hosts, :
watch -eFILE_Open -o /tmp/vi.watch vi /etc/hosts

/tmp/vi.watch FILE_Open .



.
, ,
. ,
, . ,
, (
), (
).
.
,
. ,
( )
. :
v


:
,
v


( )
( )


: , ACL
v /

v
,

,





: , ,

v



IPL
RAS





v ()


,
TCB


.
, .
1. () /etc/security/audit/events.
,
.
v ,
( auditwrite auditlog subroutine),
( audit_svcstart, audit_svcbcopy audit_svcfinis
).
v , /etc/security/audit/events
. ,
auditpr
.
2. ( ).
classes /etc/security/audit/config.


3. , () :
v ,
/etc/security/audit/config.
chuser.
v ( ) ,
/etc/security/audit/objects.
v
/usr/lib/security/mkuser.default. ,
. ,
general :
user:
auditclasses = general
pgrp = staff
groups = staff
shell = /usr/bin/ksh
home = /home/$USER

ALL.
.
.
4. /etc/security/audit/config : ,
. ,
.
.
:
v :
a. , binmode = on start.
b. binmode, - ,
, .
/etc/security/audit/bincmds.
c. , - ,
freespace, , .
d. /etc/security/audit/bincmds ,
.
v :
a. , streammode = on start.
b. , .
/etc/security/audit/streamcmds.
c. /etc/security/audit/streamcmds ,
.
5.
audit start. AUD_It 1.
6. audit query.
AUD_It 2.
7. audit shutdown.
AUD_It 4.
:
.


,
. IDS
,
. ,
.
:
FILE_Write
PROC_SetUserIDs
AUD_Bin_Def
USER_SU
PASSWORD_Change
AUD_Lost_Rec
CRON_JobAdd
AT_JobAdd
USER_Login
PORT_Locked

,
/etc.


su
passwd

cron
at

-

:
1. , , ,
/etc, FILE_Write objects:
find /etc -type f | awk '{printf("%s:\n\tw = FILE_Write\n\n",$1)}' >> /etc/security/audit/objects

2. auditcat . /etc/security/audit/bincmds
:
/usr/sbin/auditcat -p -o $trail $bin

3. /etc/security/audit/config, ,
. custom.
start:
binmode = on
streammode = off
bin:
cmds = /etc/security/audit/bincmds
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 100000
freespace = 100000
classes:
custom = FILE_Write,PROC_SetUserIDs,AUD_Bin_Def,AUD_Lost_Rec,USER_SU, \
PASSWORD_Change,CRON_JobAdd,AT_JobAdd,USER_Login,PORT_Locked
users:
root = custom
afx = custom
...

4. custom /usr/lib/security/mkuser.default,
:
user:
auditclasses = custom
pgrp = staff
groups = staff
shell = /usr/bin/ksh
home = /home/$USER


5. SMIT crfs /audit.



.
6. audit start /audit.
trail. ,
, trail ,
:
auditpr -hhelpPRtTc -v | more

.
ALL . .
custom , .
:

.
:
1. , , ,
/etc, FILE_Write objects:
find /etc -type f | awk '{printf("%s:\n\tw = FILE_Write\n\n",$1)}' >> /etc/security/audit/objects

2. . (
,
- ,
.) /etc/security/audit/streamcmds
:
/usr/sbin/auditstream | /usr/sbin/auditselect -e "event == FILE_Write" |
auditpr -hhelpPRtTc -v > /dev/console &

3. /etc/security/audit/config
, , :
start:
binmode = off
streammode = on
stream:
cmds = /etc/security/audit/streamcmds
classes:
filemon = FILE_Write
users:
root = filemon
afx = filemon
...

4. audit start. FILE_Write.
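
The two helpers below are an added example and are not part of the IBM manual or of AIX. add_audit_objects produces the same FILE_Write stanzas as the find/awk line of step 1 in both scenarios above, but only for files not already listed, so it can be re-run without duplicating stanzas in /etc/security/audit/objects. check_class_events reads the event names in the classes stanza of a config file (including backslash-continued lines) and reports any name that does not exist in the events file; an unknown event name is simply never audited, so a misspelling such as FILE_write for FILE_Write would otherwise go unnoticed. The function names and the --objects/--check options are introduced here; the paths default to the AIX locations.

```shell
#!/bin/sh
# Added example, not IBM's code.

# add_audit_objects DIR OBJECTS_FILE: append "path:\n\tw = FILE_Write"
# stanzas for every regular file under DIR that OBJECTS_FILE does not list yet.
add_audit_objects() {
    find "$1" -type f | awk -v objfile="$2" '
        BEGIN { while ((getline l < objfile) > 0)
                    if (l ~ /^\/.*:$/) { sub(/:$/, "", l); have[l] = 1 } }
        !($0 in have) { printf "%s:\n\tw = FILE_Write\n\n", $0 }' >> "$2"
}

# check_class_events CONFIG EVENTS: prints unknown events, returns 1 if any.
check_class_events() {
    awk -v evfile="$2" '
        BEGIN {
            # event names are the left-hand side of "NAME = printf ..." lines
            while ((getline l < evfile) > 0)
                if (l ~ /^[ \t]*[A-Za-z0-9_]+[ \t]*=/) {
                    sub(/^[ \t]*/, "", l); sub(/[ \t]*=.*/, "", l); known[l] = 1
                }
        }
        /^[^ \t*]/ { inclasses = ($0 ~ /^classes:/); next }     # stanza header
        inclasses && NF && $1 !~ /^\*/ {
            line = $0
            if (line ~ /=/) sub(/^[^=]*=/, "", line)            # drop "class ="
            sub(/\\[ \t]*$/, "", line)                          # drop continuation
            n = split(line, ev, ",")
            for (i = 1; i <= n; i++) {
                e = ev[i]; gsub(/[ \t]/, "", e)
                if (e != "" && !(e in known)) { print "unknown event: " e; bad++ }
            }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

case ${1:-} in
    --objects) add_audit_objects /etc "${2:-/etc/security/audit/objects}" ;;
    --check)   check_class_events /etc/security/audit/config /etc/security/audit/events ;;
esac
```

Running the check before audit start is a cheap way to make sure that every class named in the users stanza actually selects the events it was meant to.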


:
, .
, ( ,
), :
v ,
v
v


v
v
v
v
v

v
.
.
- , ,
, /etc/security/audit/events
. /etc/security/audit/config,
/etc/security/audit/objects.
/etc/security/audit/events.
auditpr.
, ,
. .

,
. /etc/security/audit/config.
:
general () .
.
objects
.
()
kernel ()
kernel .

/etc/security/audit/config:
classes:
general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename
system = USER_Change,GROUP_Change,USER_Create,GROUP_Create
init = USER_Login,USER_Logout


,
. , .
, .
, ,
.


.
, .
- auditbin
,
.
.
, ,
/dev/audit. ,
auditcat.

NFS
AIX .
.
,
.
.

NFS
, ,
, NFS
NFS. ,
. .
,
, .

NFS
, , ,
NFS.


v , NFS , - NFS,
- NFS, .
: ,
, . .
, .
v nfsd, nfs.

File_System mount
server:/File_system /mnt. A File_System
, /File_system/A.
A File_System ,
/mnt/A.
A , , ,
A , , ,
, .
, A, nfsd,
.


(LDAP)
(LDAP)
( )
-.
,
X.500. LDAP

. ,

.
LDAP , (DIT).
DIT.
DIT, LDAP .

LDAP
LDAP .
NIS, DCE KRB5 5.
/usr/lib/security/methods.cfg.
LDAP
, LDAP.
, , LDAP,
LDAP , .
LDAP AIX AIX.
LDAP API ,
. , .
-R,
. , LDAP joe
- :
mkuser -R LDAP joe

: , LDAP, ,
, , 25000.
POSIX .
API.
LDAP:
, LDAP AIX.
, LDAP .
, , .
LDAP AIX :
: .
.
: 500 .
: ,
, 25000.


POSIX .
API. ,
, .
.
ITDS:
LDAP,
LDAP,
LDAP.
SSL, GSKit.
ikeyman.
SSL SSL.
AIX mksecldap. LDAP
Security Information Server mksecldap. ldapdb2,
DN
LDAP. , SSL
. mksecldap /etc/inittab LDAP
. mksecldap LDAP,
ibmslapd.conf file (IBM Tivoli Directory Server 5.1 ), slapd.conf (SecureWay Directory
3.2 4.1), slapd32.conf (SecureWay Directory 3.2).
mksecldap -u NONE, LDAP
.
LDAP:
AIX
aixAccount aixAccessGroup.
AIX.
RFC 2307
posixAccount, shadowAccount posixGroup.
. RFC 2307
, AIX.
RFC2307AIX
posixAccount, shadowAccount posixGroup, aixAuxAccount,
aixAuxGroup. aixAuxAccount aixAuxGroup ,
AIX, RFC 2307.
RFC2307AIX . RFC2307AIX
RFC 2307
AIX. ITDS RFC2307AIX LDAP AIX
LDAP UNIX Linux, RFC 2307.
AIX 5.1 AIX. AIX
, , AIX 5.1
. ITDS AIX
.
AIX ( ).
"cn=aixdata". mksecldap -d.
, , , ,
sectoldif.cfg. sectoldif.cfg.


AIX (ACL). ACL


,
-a. proxy,
-x -X. , proxy ,
/etc/security/ldap/proxy.ldif.template. proxy LDAP
, ,
LDAP.
mksecldap , LDAP , . mksecldap
AIX AIX.
ACL . LDAP
LDAP AIX.
: mksecldap
.
LDAP
, LDAP
LDAP .
LDAP ,
mksecldap -U.
ibmslapd.conf ( slapd.conf, slapd32.conf).
mksecldap -U,
mksecldap.
, .

, mksecldap.
mksecldap , .
mksecldap ,
.
LDAP
mksecldap.
LDAP:
, LDAP
, , LDAP.
SSL, GSKit,
LDAP.
mksecldap , LDAP.
LDAP,
. , DN ,
AIX . mksecldap DN
, , DN AIX , SSL, SSL
/etc/security/ldap/ldap.cfg.
mksecldap SSL ( SSL)
/etc/security/ldap/ldap.cfg . , ..
secldapclntd , .
secldapclntd /etc/security/ldap/ldap.cfg ,
.


mksecldap .
, , ,
.
. LDAP
. , -
.
LDAP
(secldapclntd). LDAP,
API , LDAP.
LDAP. ,
, .
mksecldap - ,
, .
. ,
.
mksecldap
/etc/inittab.
secldapclntd ls-secldapclntd. LDAP
, .
. ,
. :
1. AIX 5.3 ldap.client.
2. LDAP :
# mksecldap -c -h server1.ibm.com -a cn=DN- -p - -d cn=-DN

.
mksecldap AIX 5L 5.3:
.
LDAP:
(netgroups) NIS-LDAP ( ).
LDAP :
1. LDAP,
../../../com.ibm.aix.security/doc/security/ldap_client_setup.htm.
, ,
LDAP, . , nguser - mygroup,
LDAP, lsuser -R LDAP nguser.
2. netgroup LDAP /usr/lib/security/methods.cfg
options netgroup. /usr/lib/security/methods.cfg
LDAP options = netgroup.
LDAP . :
LDAP:
program = /usr/lib/security/LDAP
program_64 =/usr/lib/security/LDAP64
options = netgroup

lsuser -R LDAP nguser, lsuser nguser lsuser -R LDAP -a ALL


. LDAP ,
, .


3. /etc/passwd ,
. , mygroup
LDAP, :
+@mygroup

4. /etc/group +:, NIS:


+:

lsuser nguser , nguser mygroup.


lsuser -R LDAP nguser , lsuser -R compat nguser ,
compat.
5. ,
AIX , .
/etc/security/user SYSTEM = compat,
, /etc/passwd . -
/etc/security/user .
nguser:
nguser:
SYSTEM = compat
registry = compat

.
:
v , /etc/security/user LDAP
(registry=LDAP SYSTEM="LDAP") LDAP.
nis_ldap
NIS.
v compat , .
, LDAP , compat
NIS LDAP. compat.

v NFS
v .rhosts TCP/IP
v hosts.equiv TCP/IP
LDAP:
AIX LDAP: IBM
Tivoli Directory Server, RFC 2307 Microsoft Active Directory.
IBM Tivoli Directory Server
/ AIX IBM
Tivoli Directory Server (ITDS). ITDS
ITDS.
, IBM Directory Server
AIX ,
RFC 2307. LDAP AIX
ITDS RFC 2307.
LDAP 3.


RFC 2307 AIX


, LDAP
AIX (, ,
, AIX
hostsallowedlogin hostsdeniedlogin ..).
AIX , RFC 2307. AIX
, RFC 2307, ,
UNIX.
AIX RFC 2307.
. AIX
.
LDAP.
Microsoft Active Directory
AIX Microsoft Active Directory (AD) LDAP,
. AD UNIX.
UNIX Microsoft Service For UNIX (SFU). SFU
. AIX
AD Windows 2000 2003 SFU 3.0 3.5,
AD Windows 2003 R2 UNIX.
, UNIX Windows,
LDAP AD AIX. ,
mkuser mkgroup. ,
, , , AD,
. , lsuser, chuser, rmuser, lsgroup, chgroup, rmgroup, id, groups,
passwd chpasswd.
AIX Windows: LDAP Kerberos. AIX
AD LDAP,
AIX.
AIX Active Directory LDAP:
AIX Microsoft Active Directory (AD) LDAP,
. AD UNIX.
AIX AD mksecldap
ITDS. mksecldap
. AIX AD mksecldap
:
1. AD UNIX.
2. AD UNIX.
UNIX AD UNIX
AD Microsoft.
AD UNIX (,
). , AIX
,
. AIX ,
AD, .
Active Directory:


AIX : unix_auth ldap_auth.


unix_auth Microsoft Active Directory (AD) .
AD .
, . ldap_auth
LDAP
. ,
. AD . AIX
AD.
unix_auth
unix_auth AD:
v userPassword
v unixUserPassword
v msSFU30Password
AD AIX
. , UNIX,
. LDAP AIX
.
AIX msSFU30Password AD Windows 2000
2003 userPassword Windows 2003 R2.
/etc/security/ldap/sfu30user.map (
/etc/security/ldap/sfur2user.map, AD Windows 2003 R2).
, spassword, AD.
LDAP.
mksecldap LDAP AIX .
LDAP AIX , restart-secldapclntd secldapclntd
.
unix_auth Windows UNIX,
. AIX
Windows, Windows unicodePwd. AIX passwd
UNIX Windows, AIX
Windows UNIX AIX.
ldap_auth
, Active Directory unicodepwd, Windows
Windows. AD
unicodePwd. , unix_auth, .
ldap_auth , mksecldap
AD unicodePwd .
AIX unicodePwd AD
Windows AIX. AIX Windows
- AIX Windows.
Active Directory:
Microsoft UNIX memberUid, msSFU30MemberUid msSFU30PosixMember.


memberUid msSFU30MemberUid ;
msSFU30PosixMember . ,
foo ( bar), AD:
v memberUid: foo
v msSFU30MemberUid: foo
v msSFU30PosixMember: CN=foo bar,CN=Users,DC=austin,DC=ibm,DC=com
AIX .
AD. mksecldap AIX
msSFU30PosixMember Windows 2000 2003 uidMember
Windows 2003 R2. , AD
Windows. -
.

. AD : /etc/security/ldap/
sfu30group.map (Windows 2000 2003) /etc/security/ldap/sfur2group.map (Windows 2003 R2).
, users, .
LDAP.
mksecldap LDAP AIX ; AIX
, restart-secldapclntd secldapclntd .
:
AD .
AD Windows cn=users,...,
.
DN AIX.
DN.
Kerberos Windows:
LDAP AIX
Windows Kerberos.
AIX Kerberos Windows KDC LDAP Windows Active
Directory KRB5ALDAP.
Microsoft Active Directory,
AIX.
LDAP:
LDAP
LDAP .
-R,
, LDAP, DCE, NIS KRB5 5.
-R .
LDAP, SYSTEM
LDAP chuser. SYSTEM
,


(, compat LDAP).
. 63 SYSTEM
/etc/security/user.
LDAP ,
mksecldap -u:
1. :
mksecldap -c -u 1,2,...

,2,... - .
, LDAP. SYSTEM
/etc/security/user LDAP.
LDAP.
LDAP,
. chuser SYSTEM
,
(, local LDAP).
2.
mksecldap -c -u ALL

SYSTEM /etc/security/user
LDAP. LDAP.
LDAP,
. ,
LDAP, ,
. LDAP ,
SYSTEM LDAP chuser.
, LDAP, ,
. "default"
/etc/security/user "LDAP" SYSTEM. ,
SYSTEM , "default". , default
"SYSTEM = "compat"", , "SYSTEM = "compat OR LDAP"",
AIX, LDAP. default
"SYSTEM = "LDAP"", LDAP.
, SYSTEM, default
.
DN:
AIX 5L 5.3 5300-05, AIX LDAP
DN. , /etc/security/ldap/ldap.cfg
DN.
userbasedn
, AIX .
, .
AIX 5L 5.3 5300-05,
DN. /etc/security/ldap/ldap.cfg 10
DN. DN
/etc/security/ldap/ldap.cfg. , AIX,
DN. :


v (, lsuser) DN
, DN.
ALL DN.
v (, chuser) .
v (, rmuser) .
v (, mkuser) DN. AIX
DN.

.
AIX .
. ,
.
LDAP mksecldap DN
/etc/security/ldap/ldap.cfg. LDAP
DN, mksecldap .
AIX DN /etc/security/ldap/
ldap.cfg mksecldap.
DN DN. AIX 10 DN
; DN .
, DN AIX .
DN .
, AIX.
AIX , .
SSL LDAP:
SSL LDAP ldap.max_crypto_server GSKit
. -
AIX.
SSL IBM
.
1. IBM Directory GSKit, .
2. IBM gsk7ikm
( GSKit).
(CA), , VeriSign, gsk7ikm.
CA ( ).
3. .
/usr/ldap/etc.
4. :
# mksecldap -s -a cn=admin -p pwd -S rfc2307aix -k /usr/ldap/etc/mykey.kdb -w keypwd

mykey.kdb - , keypwd - .
:
# mksecldap -s -a cn=admin -p pwd -S rfc2307aix -u NONE -k /usr/ldap/etc/mykey.kdb -w keypwd

SSL LDAP:
SSL LDAP ldap.max_crypto_client GSKit
- AIX.


SSL LDAP :
1. gsk7ikm .
2. . SSL
, .
3.
gsk7ikm.
4. SSL :
# mksecldap -c -h servername -a adminDN -p pwd -k /usr/ldap/etc/mykey.kdb -w keypwd

/usr/ldap/etc/mykey.kdb - , keypwd - .
,
. ,
.sth (, mykey.sth).
LDAP:
AIX .
LDAP , AIX LDAP.
SYSTEM .
SYSTEM /etc/security/user.
chuser:
# chuser -R LDAP SYSTEM=LDAP registry=LDAP foo

: LDAP SYSTEM default,


LDAP .
foo . ,
registry LDAP, foo
LDAP.
LDAP ,
.
AIX 5.2, LDAP AIX
- LDAP.
. :
. LDAP.
, ,
, . ,
, .
: ( mkuser) ( chuser).
, ,
, - LDAP.
AIX 5.2.
:
# mkuser -R LDAP hostsallowedlogin=host1,host2 foo

foo, foo host1


host2.
# mkuser -R LDAP hostsdeniedlogin=host2 foo


foo, foo
, host2.
# chuser -R LDAP hostsallowedlogin=192.9.200.1 foo

foo ,
192.9.200.1.
# chuser -R LDAP hostsallowedlogin=192.9.200/24 hostsdeniedlogin=192.9.200.1 foo

foo ,
192.9.200/24, 192.9.200.1.
chuser.
SSL:
,
LDAP, (unix_auth), (ldap_auth).
, Internet,
SSL, . AIX
SSL,
.
:
v SSL LDAP . 106
v SSL LDAP . 106
Kerberos:
, DN , secldapclntd
Kerberos V.
Kerberos secldapclntd
keytab. Kerberos, secldapclntd
Kerberos LDAP keytab,
/etc/security/ldap/ldap.cfg. , secldapclntd
DN , /etc/security/ldap/ldap.cfg.
Kerberos secldapclntd
/etc/security/ldap/krb5cc_secldapclntd.
. LDAP
secldapclntd .
LDAP Kerberos
mksecldap, DN .
/etc/security/ldap/ldap.cfg Kerberos.
Kerberos secldapclntd. Kerberos
DN ,
/etc/security/ldap/ldap.cfg .
Kerberos:
Kerberos (KDC)
IDS. - LDAP, - ,
.


keytab,
.
IBM. Kerberos
, .
v kadmin KDC root.
#/usr/krb5/sbin/kadmin.local
kadmin.local:

v ldap/-- LDAP. -- -
, LDAP.
kadmin.local: addprinc ldap/plankton.austin.ibm.com
: "ldap/plankton.austin.ibm.com@ud3a.austin.ibm.com":
"ldap/plankton.austin.ibm.com@ud3a.austin.ibm.com":
"ldap/plankton.austin.ibm.com@ud3a.austin.ibm.com" .
kadmin.local:

v keytab. LDAP
. keytab slapd_krb5.keytab :
kadmin.local: ktadd -k /etc/security/slapd_krb5.keytab ldap/plankton.austin.ibm.com
ldap/plankton.austin.ibm.com, - 2,
- Triple DES, cbc HMAC/sha1, keytab
WRFILE:/etc/security/slapd_krb5.keytab.
ldap/plankton.austin.ibm.com, - 2,
- ArcFour HMAC/md5, keytab
WRFILE:/etc/security/slapd_krb5.keytab.
ldap/plankton.austin.ibm.com, - 2,
- AES-256, CTS 96- SHA-1 HMAC,
keytab
WRFILE:/etc/security/slapd_krb5.keytab.
ldap/plankton.austin.ibm.com, - 2,
- DES, cbc RSA-MD5, keytab
WRFILE:/etc/security/slapd_krb5.keytab.
kadmin.local:

v ldapadmin IDS.
kadmin.local: addprinc ldapadmin
: ldapadmin@ud3a.austin.ibm.com; .
, ACL.
"ldapadmin@ud3a.austin.ibm.com":
"ldapadmin@ud3a.austin.ibm.com":
"ldapadmin@ud3a.austin.ibm.com" .
kadmin.local:

v ldapadmin.keytab keytab.
secldapclntd .
kadmin.local: ktadd -k /etc/security/ldapadmin.keytab ldapadmin
ldapadmin, - 2, Triple DES, cbc HMAC/sha1, keytab
WRFILE:/etc/security/ldapadmin.keytab.
ldapadmin, - 2, ArcFour HMAC/md5, keytab
WRFILE:/etc/security/ldapadmin.keytab.
ldapadmin, - 2, AES-256 CTS 96- SHA-1 HMAC, keytab
WRFILE:/etc/security/ldapadmin.keytab.
ldapadmin, - 2, DES, cbc RSA-MD5, keytab
WRFILE:/etc/security/ldapadmin.keytab.
kadmin.local

v ldapproxy, LDAP.
kadmin.local: addprinc ldapproxy
: ldapproxy@ud3a.austin.ibm.com; .
, ACL


"ldapproxy@ud3a.austin.ibm.com":
"ldapproxy@ud3a.austin.ibm.com":
"ldapproxy@ud3a.austin.ibm.com" .
kadmin.local:

v ldapproxy keytab ldapproxy.keytab.


secldapclntd .
kadmin.local: ktadd -k /etc/security/ldapproxy.keytab ldapproxy
ldapproxy, - 2, Triple DES, cbc HMAC/sha1, keytab
WRFILE:/etc/security/ldapproxy.keytab.
ldapproxy, - 2, ArcFour HMAC/md5, keytab
WRFILE:/etc/security/ldapproxy.keytab
ldapproxy, - 2, AES-256, CTS 96- SHA-1 HMAC, keytab
WRFILE:/etc/security/ldapproxy.keytab
ldapproxy, - 2,
- DES, cbc RSA-MD5, keytab
WRFILE:/etc/security/ldapproxy.keytab.
kadmin.local:

Kerberos IDS:
Kerberos IDS.
, IDS
Kerberos.
IDS v5.1:
1. krb5.client.
2. , /etc/krb5/krb5.conf .
/usr/sbin/config.krb5.
# config.krb5 -r ud3a.austin.ibm.com -d austin.ibm.com -c KDC -s alyssa.austin.ibm.com
...
/etc/krb5/krb5_cfg_type...
/etc/krb5/krb5.conf...
.
# cat /etc/krb5/krb5.conf
[libdefaults]
default_realm = ud3a.austin.ibm.com
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
[realms]
ud3a.austin.ibm.com = {
kdc = alyssa.austin.ibm.com:88
admin_server = alyssa.austin.ibm.com:749
default_domain = austin.ibm.com
}
[domain_realm]
.austin.ibm.com = ud3a.austin.ibm.com
alyssa.austin.ibm.com = ud3a.austin.ibm.com
[logging]
kdc = FILE:/var/krb5/log/krb5
admin_server = FILE:/var/krb5/log/kadmin.log
default = FILE:/var/krb5/log/krb5lib.log

3. keytab ldap:/-- /usr/ldap/etc.


: /usr/ldap/etc/slapd_krb5.keytab.
4. , .


# chown ldap:ldap /usr/ldap/etc/slapd_krb5.keytab
#

5. IDS Kerberos,
/etc/ibmslapd.conf :
dn: cn=Kerberos, cn=Configuration
cn: Kerberos
ibm-slapdKrbAdminDN: ldapadmin
ibm-slapdKrbEnable: true
ibm-slapdKrbIdentityMap: true
ibm-slapdKrbKeyTab: /usr/ldap/etc/slapd_krb5.keytab
ibm-slapdKrbRealm: ud3a.austin.ibm.com
objectclass: ibm-slapdKerberos
objectclass: ibm-slapdconfigEntry
objectclass: top

6. ldapproxy DN cn=proxyuser,cn=aixdata.
a. DN IDS , ldapproxy.ldif
:
dn: cn=proxyuser,cn=aixdata
changetype: modify
add: objectclass
objectclass: ibm-securityidentities
add: altsecurityidentities
altsecurityidentities: Kerberos:ldapproxy@ud3a.austin.ibm.com

b. DN IDS , proxyuser.ldif
:
: proxyuserpwd .
dn: cn=proxyuser,cn=mytest
cn: proxyuser
sn: proxyuser
userpassword: proxyuserpwd
objectclass: person
objectclass: top
objectclass: ibm-securityidentities
altsecurityidentities: Kerberos:ldapproxy@ud3a.austin.ibm.com

DN IDS ldapmodify.
# ldapmodify -D cn=admin -w adminPwd -f /tmp/proxyuser.ldif
( cn=proxyuser,cn=mytest)
#

7. IDS.
Kerberos LDAP AIX:
LDAP AIX Kerberos LDAP.
IDS , .
IDS v 5.1:
1. krb5.client.
2. , /etc/krb5/krb5.conf .
/usr/sbin/config.krb5.
3. keytab /etc/security/ldap.
4. 600.


5. mksecldap, DN
. , AIX LDAP.
6. /etc/security/ldap/ldap.cfg Kerberos.
ldapproxy keytab ldapproxy.keytab.
IDS ldapproxy ldapadmin, ldapproxy.keytab
ldapadmin.keytab.
useKRB5:yes
krbprincipal:ldapproxy
krbkeypath:/etc/security/ldap/ldapproxy.keytab
krbcmddir:/usr/krb5/bin/

DN ldap.cfg ,
secldapclntd Kerberos.
7. secldapclntd.
8. /etc/security/ldap/ldap.cfg .
LDAP:
SecureWay Directory 3.2
. ,
LDAP. LDAP
LPP.
AIX 5.1, LDAP
LDAP. SecureWay Directory,
. AIX
, ,
AIX, LDAP. AIX.
/etc/security/audit/event LDAP:
v LDAP_Bind
v LDAP_Unbind
v LDAP_Add
v LDAP_Delete
v LDAP_Modify
v LDAP_Modifydn
v LDAP_Search
, /etc/security/audit/config ldapserver.
LDAP,
/etc/security/audit/config:
ldap = ldapserver

LDAP
AIX, AIX.
audit start audit shutdown.
, auditpr.
. 84.
LDAP:
LDAP.


lsldap
lsldap LDAP.
, automount, , ether, ,
, , , passwd, , rpc .
mksecldap
mksecldap
IBM SecureWay Directory. .
secldapclntd
secldapclntd LDAP, LDAP Security
Information Server, , ,
LDAP.
LDAP LDAP
attribute mapping file format AIX 5L 5.3: .

mksecldap, start-secldapclntd, stop-secldapclntd, restart-secldapclntd, ls-secldapclntd, sectoldif
flush-secldapclntd.
secldapclntd.
/etc/security/ldap/ldap.cfg.
LDAP.
NIS LDAP, ,
Network Information Services (NIS and NIS+) Guide: Appendix B. Migrating from NIS and NIS+ to RFC
2307-compliant LDAP services.
LDAP:
LDAP.
start-secldapclntd
start-secldapclntd secldapclntd, .
stop-secldapclntd
stop-secldapclntd secldapclntd.
restart-secldapclntd
restart-secldapclntd secldapclntd, .
secldapclntd , .
ls-secldapclntd
ls-secldapclntd secldapclntd.


flush-secldapclntd
flush-secldapclntd secldapclntd.
sectoldif
sectoldif , ,
ldif.
ldap.cfg:
/etc/security/ldap/ldap.cfg ,
secldapclntd, , .
AIX 5L 5.3 5300-05, AIX
DN. ,
userbasedn. AIX 5L 5.3 5300-05,
secldapclntd DN ( 10 DN).
DN :
userbasedn: ou=people, ou=dept1, cn=aixdata
userbasedn: ou=people, ou=dept2, cn=aixdata

DN ,
DN, , . ,
. ALL (, lsuser -R LDAP ALL),
DN.
. AIX
DN.
, AIX 5L 5.3 5300-05
DN, DN
. DN:
1.
2.
3.
4.

userbasedn: ou=people, cn=aixdata


userbasedn: ou=people, cn=aixdata?scope
userbasedn: ou=people, cn=aixdata??filter
userbasedn: ou=people, cn=aixdata?scope?filter

, secldapclntd.
scope filter
. scope, filter.
scope :
v sub
v one
v base
scope , sub.
filter , LDAP.
.
, - LDAP, -
. "*".
v (=)
v (&(=)(=))


v (|(=)(=))
/etc/security/ldap/ldap.cfg mksecldap .
/etc/security/ldap/ldap.cfg /etc/security/ldap/
ldap.cfg AIX 5L 5.3: .
LDAP:
/usr/lib/security/LDAP secldapclntd
AIX LDAP.
.
, :
AIX_Attribute_Name AIX_Attribute_Type LDAP_Attribute_Name LDAP_Value_Type
AIX_Attribute_Name
AIX_Attribute_Type
LDAP_Attribute_Name
LDAP_Value_Type

AIX.
AIX. SEC_CHAR, SEC_INT, SEC_LIST SEC_BOOL.
LDAP.
LDAP. s ( ) m ( ).

LDAP KRB5LDAP
LDAP , KRB5LDAP,
, . ,
/usr/lib/security/methods.cfg, LDAP , KRB5LDAP,
. :
1. LDAP KRB5LDAP .
2. /usr/lib/security/methods.cfg :
LDAP:
program = /usr/lib/security/LDAP
program_64 = /usr/lib/security/LDAP64

NIS:
program = /usr/lib/security/NIS
program_64 = /usr/lib/security/NIS_64

DCE:
program = /usr/lib/security/DCE

KRB5:
program = /usr/lib/security/KRB5

KRB5LDAP:
options = db=LDAP,auth=KRB5

3. /etc/security/user :
SYSTEM = "KRB5LDAP OR LDAP OR compat"

LDAP .
KRB5LDAP:
mkuser -R KRB5LDAP <_>
rmuser -R KRB5LDAP <_>
lsuser -R KRB5LDAP <_>
passwd -R KRB5LDAP <_>

#11
(PKCS #11)
().
2.01 PKCS #11.


PKCS #11 :
v (pkcsslotd),
. .
v API (/usr/lib/pkcs11/pkcs11_API.so) - ,
PKCS #11.
v , PKCS #11 .
PKCS #11,
.

IBM 4758, 2
IBM 4758, 2 .
PKCS #11 , .

IBM 4960
IBM 4960 .
PKCS #11 .
IBM 4758, 2 PKCS #11:
PKCS #11 , PKCS #11,
. ,
IBM 4758 2 PKCS #11,
.
:
1. , :
lsdev -Cc adapter | grep crypt

IBM 4758, 2,
,
.
2. , ,
:
csufclu /tmp/l ST --

, 3 PKCS #11. ,
,
.
:
.
IBM 4960, 2
#11:
PKCS #11 , PKCS #11,
.
IBM 4960 PKCS #11,
.
:
lsdev -Cc adapter | grep ica


IBM 4960, ,
.

#11
PKCS #11 , PKCS #11.
.
API ( PKCS #11) SMIT.
PKCS #11 SMIT , PKCS11
smit pkcs11.
:
PKCS #11 ( ) .
.
. , . API
. PKCS #11
SMIT. PIN ,
- 87654321. PKCS #11
.
:
1. , smit pkcs11.
2. .
3. PKCS #11.
4.

, Enter.

: .
5. PIN- (SO PIN) .
PIN-, .
PIN- :
PIN- SO .
PIN- :
1. smit pkcs11.
2.
3.
4.
5.

PIN- .
, PIN-.
PIN-.
PIN-.

PIN-:
PIN-,
.
, ,
.
PIN- :
1. , smit pkcs11.


2.
3.
4.
5.
6.

PIN-.
PKCS #11.
PIN- PIN-.
PIN-.
, , PIN- .

PIN-:
PIN- PIN-
, PIN-
.
PIN- :
1. , smit pkcs11.
2. PIN-.
3. , PIN-.
4. PIN-.
5. PIN-.

#11
PKCS #11,
, API.
inittab,
/etc/rc.pkcs11. ,
. , ,
.
.
API ,
. , PKCS #11
:
#include <dlfcn.h>
#include <pkcs11.h>   /* CK_RV, CK_FUNCTION_LIST */

CK_RV (*pf_init)();
void *d;
CK_FUNCTION_LIST *functs;
CK_RV rc;
/* e: path of the PKCS #11 API library, for example /usr/lib/pkcs11/pkcs11_API.so */
d = dlopen(e, RTLD_NOW);
if ( d == NULL ) {
return FALSE;
}
/* resolve C_GetFunctionList and call it to obtain the PKCS #11 function list */
pf_init = (CK_RV (*)())dlsym(d, "C_GetFunctionList");
if (pf_init == NULL) {
return FALSE;
}
rc = pf_init(&functs);


X.509
AIX
X.509 (PKI)
. (LAMF),
AIX , DCE, Kerberos ..


-
, PKI,
PKI.
.
PKI .
. ,
, .
. . .
. .
LDAP, (
) Internet (
).
, ,
. ,
.
.
.
,
. ,
.
.
- , , ,
PIN-. ,
PKI. , .

.
; ,
;
, .
.
, . ,
,
.
:
,
, .
, X.509. 3 (X.509v3) -
. ,
(CA), ,
. .
.
:
v - X.509 ( 1, 2 3)
v - , ,
CA.
v - CA, .
v - .


v - .
v - .
v - .
v URI - URI/URL Web- .

, , X.509
. ,
, CA.
CA, . CA .
: ,
, , . ,
, .
3 5 .
- , ,
(DN). DN , , , ,
, (
). - , URI -
Web- .

(CA) , , , .
LDAP,
. ,
(CRL). ,
, ,
. CA,
, CA (CRL),
. , , ,
CRL, ,
. CA ,
CA. , CA.
:
v .
v .
v CA.
CA . CA
(, ).
CA
(CMP).
( ) CA. CA
. ,
, CA.
, , , , CA.
,
.
CMP ,
CRL. CRL . CRL


LDAP, CRL LDAP .


- (OCSP), CA
.
, CA
, ,
, .
, .


1 (ASN.1), (DER).
DER.
:
( ) ,
.
,
. ,
. ,
. .
-, LDAP, .. ,
, .
, .



(CRL), LDAP.
,
.
-.
(CA), X.509 3
(CRL). ( , CA.)
(, ,
), PKI.
cas.server, - cas.client.
PKI:
PKI AIX mkuser.
. (
PKI, .)
,
.
:
.
, .
.


, , auth_cert.
auth_cert .
, , ,
LDAP. . ,
LDAP.
LDAP PKI LDAP PKI ( ) .
124.
. ,
, , auth_cert.
, ,
LDAP.
, , ,
, . ,
, .
, ,
. , PKI
. ( , .
AIX,
.)
, ,
. LDAP
. ,
auth_cert.
CRL.
( CRL ; ,
) , CRL (CA CRL
,
, ).
, CA. ,
LDAP, .
:
CA, Java,
(RA) .
CRL LDAP.
CA ( Java).
, runpki.
, ,
, CMP . CA
Java 1.3.1, IBM DB2 7.1 IBM Directory 4.1. ,
DB2, CA root.
cas.server :
mksecpki
PKI AIX.
, .
runpki .
JavaPKI, . runpki


lb. ,
runpki , lb
l.
runpki su -,
, .
javapki, ,
. ( , ,
mksecpki.)
, pkiinst,
root:
1. su - pkiinst
2. cd javapki
3. runpki
:
,
.

(,
mkuser, chuser, passwd login).
AIX (LAMF). , , ,
.
AIX
LDAP AIX .
LDAP, . ,
,
. 132.

, . ,
,
PKI.
:

.
:
v
v
v
v
v

PKI


CA
AIX (,
login, passwd mkuser)
v

v LDAP AIX,


v
v (PAG).
:
.
Java:
Java, JCE.
Java , ,
CMP . API
PKI, C, , API
, (SML)
API.
:
, ,
.
SML Java /usr/lib/security/pki/JSML.sml.
LDAP PKI.
SML
Java PKCS#12.
,
. URI.
/var/pki/security/keys.
. ,
. SML API .
,
. - LDAP.

, .
LDAP PKI ( ):

LDAP. LDAP PKI.
.
.
,
LDAP.
LDAP (URI)
, :
. ,
.
, CA LDAP.


URI LDAP.
DER URI.
LDAP
.
,
.
.
LDAP
auth_cert. , .
LDAP .
auth_cert, LDAP ldappkiadmin. root
LDAP ldappkiadmin acct.cfg, ,
root, auth_cert. (
URI, , . ,
URI, .) API
libpki.a.
libpki.a:
API SML API LDAP PKI, libpki.a .
, API :
v
v
v
v SML
: API .
:
API SML API LDAP PKI
(LAMF). LAMF AIX
API ,
(, Kerberos, LDAP, DCE ).
LAMF PKI API SML API LDAP PKI.
, API LAMF
. login, telnet , passwd, mkuser
API LAMF,
.
LAMF
/usr/lib/security/PKI. PKI
/usr/lib/security/methods.cfg.
methods.cfg (, LDAP).
methods.cfg, LAMF ,
methods.cfg . 145.
methods.cfg
registry SYSTEM /etc/security/user ,
PKI.


:
API (LAMF, PKI LDAP SML) .
AIX,
( LAMF),
.
. .
certadd
LDAP ,
.
certcreate
.
certdelete
, , LDAP.
certget , , LDAP.
certlink

LDAP , .
certlist , LDAP.
certrevoke
.
certverify
, ,
.
keyadd
.
keydelete
.
keylist , .
keypasswd
.
AIX 5L 5.3:
.
:
(PAG) AIX. PAG -
, .
,
, . PAG
, .
PAG , /usr/sbin/certdaemon.
. PAG ,
, .
certdaemon, /etc/inittab:


certdaemon:2:wait:/usr/sbin/certdaemon

PAG :
paginit PAG.
pagdel , .
paglist PAG .
AIX 5L 5.3:
.
:
,
AIX LAMF AIX.
chuser, lsuser, mkuser passwd API LAMF. ,

.
, PKI
.
PKI :
chuser auth_cert.
, .
. (
,
.)
lsuser

auth_cert,
. auth_cert ,
. ( ,
.)
lsuser :
DN-
, .
--
.
-
, .
-
.

mkuser
.
mkuser ,
, .
, ,
( ) .
cert newuser
/usr/lib/security/pki/policy.cfg.


, ,
mkuser .
newuser /usr/lib/security/pki/policy.cfg.
newuser. :
v CA
v auth_cert
v
v
v
v ,
PKI
, mkuser
, . mkuser
, policy.cfg
( ); ,
.
mkuser , .
passwd
PKI,
. ,
/etc/security/user, , /etc/security/passwd, ,
PKI.

, root ,
. , root
, .
.
:

acct.cfg, ca.cfg policy.cfg.
SMIT.
.
acct.cfg
acct.cfg CA LDAP. CA CA,
ca.cfg, .
. LDAP
LDAP, , ,
LDAP PKI.
CA ca.cfg CA
acct.cfg. CA . LDAP
ldap, CA ldap. ,
default. LDAP
CA, local.
CA :
capasswd
CMP . CA.


carefnum
CMP CA.
keylabel
, ,
.
keypasswd
.
rvpasswd
, CMP .
CA.
rvrefnum
, CMP.
LDAP :
ldappkiadmin
LDAP, ldapservers.
ldappkiadmpwd
LDAP.
ldapservers
LDAP.
ldapsuffix
DN, DN mkuser.
acct.cfg:
local:
carefnum = 12345678
capasswd = password1234
rvrefnum = 9478371
rvpasswd = password4321
keylabel = "Trusted Key"
keypasswd = joshua
ldap:
ldappkiadmin = "cn=admin"
ldappkiadmpwd = secret
ldapservers = "LDAP server.austin.ibm.com"
ldapsuffix = "ou=aix,cn=us"

AIX 5L 5.3: .
ca.cfg
ca.cfg CA. CA,

.
CA ca.cfg CA
acct.cfg. CA ca.cfg .
local. ldap default CA.
CA :
algorithm
(, RSA).


crl

URI CRL .

dn

DN, .

keysize
.
program
PKI.
retries CA.
server URI CA.
signinghash
, (,
MD5).
trustedkey
, ,
, .
URI .

url

CA, , local. ca.cfg:


local:
program = /usr/lib/security/pki/JSML.sml
trustedkey = file:/usr/lib/security/pki/trusted.p15
server = "cmp://9.53.230.186:1077"
crl = "ldap://dracula.austin.ibm.com/o=aix,c=us"
dn = "o=aix,c=us"
url = "http://www.ibm.com/"
algorithm = RSA
keysize = 512
retries = 5
signinghash = MD5

AIX 5L 5.3: .
policy.cfg
policy.cfg : newuser, storage, crl comm.
.
newuser mkuser. storage certlink .
comm crl certadd certlink.
newuser :
ca

CA, mkuser .

cert

, mkuser (new) (get).

domain
, mkuser
.
keysize
, mkuser
.
keystore
URI , mkuser .


keyusage
, mkuser .
label

, mkuser .

passwd
, mkuser .
subalturi
URI , mkuser .
tag

auth_cert, mkuser ,
cert = new.

validity
, mkuser .
version
. 3.
storage :
replicate
, certlink (yes)
(no).
crl check, , certadd certlink
CRL (yes no).
comm timeout, - ,
certadd certlink , HTTP
(, CRL).
policy.cfg:
newuser:
cert = new
ca = local
passwd = pki
version = "3"
keysize = 512
keystore = "file:/var/pki/security/keys"
validity = 86400
storage:
replicate = no
crl:
check = yes
comm:
timeout = 10

AIX 5L 5.3: .
:
(CAS).
v CERT_Create
v CERT_Add
v CERT_Link
v CERT_Delete


v CERT_Get
v CERT_List
v CERT_Revoke
v CERT_Verify
v KEY_Password

v KEY_List
v KEY_Add
v KEY_Delete
:
(CAS).
CAS , 3B7 3B8.


(CAS) AIX 5.2.
DB2, IBM Directory .
.
.

:
:
X.509 3. ,
3.
certcreate ca.cfg.
Teletex.
7- Teletex ( ASCII).
:
. -,
LDAP .
/var/pki/security/keys
. , . ,
,
.
,
, .
: ,
. ( AIX LDAP
, .
, .)
:
LDAP. ,
LDAP.


, .
PKI
. , , PKI,
, .
, Bob A Bob B
Bob. ,
LDAP .
. ,
, , LDAP ,
, PKI,
LDAP. Bob A
Bob B, Bob PKI,
Bob LDAP,
.
:
(acct.cfg, ca.cfg
policy.cfg) , .
.
.
, .
:
acct.cfg ca.cfg , .
acct.cfg
acct.cfg CA (. carefnum,
capasswd, rvrefnum rvpasswd acct.cfg).
CMP CA . ,
.
,
. carefnum capasswd
, ( certcreate
mkuser). ,
.
: mkuser ,
. .
, rvrefnum rvpasswd ,
( certrevoke).
acct.cfg (.
keylabel keypasswd acct.cfg).
. ,
.
, ,
. keylabel keypasswd acct.cfg,
trustedkey ca.cfg ,
. , ,


mkuser ( ) certverify.

PKI cert newuser policy.cfg
new, mkuser PKI
. passwd newuser.
.
,
.
root
, root
PKI, . ,
,
, . ,
.
:
(CAS)
:
v (CA).
CA .
v ,
. .
v LDAP IBM Directory.
LDAP .
v DB2.
.
v , ,
Unicode.


(CAS).
10.

cas.server

cas.server.rte

(CA)

v AIX 5.2

v Java131 (
AIX)
v Java131 Security Extensions
( -
Expansion Pack)
v IBM Directory Server (LDAP)
v DB2 7.1


10. ()

cas.client

cas.client.rte

v AIX 5.2

v
PKI

v Java131 (
AIX)

v SML

v Java131 Security Extensions


( -
Expansion Pack)

v IBM Directory Client (LDAP)

v Java

v PAG ( )

v libpki.a

cas.msg

cas.msg.[lang].client

cas.client

bos

bos.security.rte

PAG

cas.server CA. /usr/cas/server /usr/cas/client.


CA, .
, IBM Directory,
db2_07_01.client, Java131.rte Java131.ext.security. Java131.rte
AIX 5.2, .
db2_07_01.client , , ,
db2_07_01.server.
cas.client ,
. ,
PKI AIX.


(CAS)
.
LDAP PKI:
LDAP,
PKI.
LDAP:
IBM Directory Server
, ldap.html.en_US.config.
ldap.html.en_US.config Web-, :
file:/usr/ldap/web/C/getting_started.htm.
LDAP :
1. root.
2. AIX
-.
3. smitty install_latest Enter.
4. .
5. , IBM Directory Server
Enter.
6. F4
.


7. LDAP Enter.
8. ,
, Enter. LDAP,
DB2.
:
v LDAP .adt (SDK LDAP)
v LDAP .dmt (DMT LDAP)
v LDAP .java ( Java)
v LDAP .rte ( LDAP)
v LDAP .rte ( LDAP)
v LDAP .admin ( LDAP)
v LDAP .cfg ( LDAP)
v LDAP .com ( LDAP)
v db2_07_01.* ( DB2 )
9. DB2, db2_07_01.jdbc. DB2 db2_07_01.jdbc -
. .
LDAP:
LDAP DB2 LDAP.
,
Web- LDAP.
Web-.
- AIX Toolbox for LINUX Applications Web- Apache.
Web- SMIT geninstall.
Web-. LDAP.
LDAP ,
HTML. LDAP :
1. ldapcfg DN LDAP.
LDAP root. DN
cn=admin, - secret, :
# ldapcfg -u cn=admin -p secret

DN . , DN
ldappkiadmin ldappkiadmpwd ldap acct.cfg.
2. Web-, Web-:
# ldapcfg -s apache -f /etc/apache/httpd.conf

3. Web-. Apache :
# /usr/local/bin/apachectl restart

4. Web-, http:// hostname/ldap.


, DN LDAP, 2.
5. DB2, Web-,
LDAP.
LDAP PKI:
LDAP.
CA CRL.
PKI .


LDAP,
PKI .
1. LDAP. PKI
cn=aixdata. , PKI ,
AIX. PKI
ou=pkidata,cn=aixdata. PKI .
PKI
cn=aixdata
AIX. LDAP AIX,
, , .
Web-,
LDAP.
Web-,
:
a. .
b. .
c. PKI .
d. LDAP .
LDAP
:
a. /usr/ldap/etc/slapd32.conf , :
ibm-slapdSuffix: cn=localhost

.
b. ibm-slapdSuffix PKI. ,
:
ibm-slapdSuffix: cn=aixdata

c. , .
d. LDAP.
2. PKI, ACL.
- LDAP, PKI. ACL
- ,
PKI. , ACL
pkiconfig.ldif.
a. ,
PKI.
:
dn: cn=aixdata
objectclass: top
objectclass: container
cn: aixdata
dn: ou=pkidata,cn=aixdata
objectclass: organizationalUnit
ou: cert
userPassword: <<>>

b.

pkiconfig.ldif <<>> userPassword


PKI.
DN userPassword . , DN
(ou=pkidata,cn=aixdata) ldappkiadmin ldappkiadmpwd
ldap acct.cfg.


ACL PKI:
dn: ou=pkidata,cn=aixdata
changetype: modify
add: entryOwner
entryOwner: access-id:ou=pkidata,cn=aixdata
ownerPropagate: true
dn: ou=pkidata,cn=aixdata
changetype: modify
add: aclEntry
aclEntry: group:cn=anybody:normal:grant:rsc:normal:deny:w
aclEntry: group:cn=anybody:sensitive:grant:rsc:sensitive:deny:w
aclEntry: group:cn=anybody:critical:grant:rsc:critical:deny:w
aclEntry: group:cn=anybody:object:deny:ad
aclPropagate: true

: PKI,
ACL.
, pkiconfig.ldif,
, LDAP. ldif
ldapadd.
c. -D -w DN LDAP:
# ldapadd -c -D cn=admin -w secret -f pkiconfig.ldif

3. LDAP. LDAP Web-,


slapd.
:

.
,
:
1.

Java (Java131.ext.security.*) -
. :
v Java131.ext.security.cmp-us ( Java)

v Java131.ext.security.jce-us ( Java)
v Java131.ext.security.jsse-us ( Java)
v Java131.ext.security.pkcs-us ( Java)
2. ibmjcaprovider.jar /usr/java131/jre/lib/ext .
Java,
.
3. (cas.server.rte)
- Expansion Pack.
LDAP:
(CAS) LDAP,
CAS LDAP.
CAS LDAP :
1. , IBM Directory ,
cas.server.
2. , IBM Directory :
# ldapcfg -l /home/ldapdb2 -u "cn=admin" -p secret -s apache \
-f /usr/local/apache/conf/httpd.conf


, Web- Apache.
3. slapd.conf:
ibm-slapdSuffix: o=aix,c=us

o=aix,c=us .
4. slapd:
# /usr/bin/slapd -f /etc/slapd32.conf

5. :
# ldapmodify -D cn=admin -w secret -f setup.ldif

, setup.ldif :
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 2.5.6.21 NAME 'pkiuser' DESC 'auxiliary class for non-CA certificate owners'
SUP top AUXILIARY MAY userCertificate )
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 2.5.6.22 NAME 'pkiCA' DESC 'class for Certification Authorities' SUP top
AUXILIARY MAY ( authorityRevocationList $ caCertificate $ certificateRevocationList $
crossCertificatePair ) )
dn:cn=schema
changetype: modify
replace: attributetypes
attributetypes: ( 2.5.4.39 NAME ( 'certificateRevocationList'
'certificateRevocationList;binary' ) DESC ' ' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5
SINGLE-VALUE )
replace:ibmattributetypes
ibmattributetypes:( 2.5.4.39 DBNAME ( 'certRevocationLst' 'certRevocationLst' )
ACCESS-CLASS NORMAL)

6.

:
# ldapadd -D cn=admin -w secret -f addentries.ldif

, addentries.ldif :
dn: o=aix,c=us
changetype: add
objectclass: organization
objectclass: top
objectclass: pkiCA
o: aix

: addentries.ldif setup.ldif cas.server.


7. slapd .
:
.
1. . ,
. ,

( CMP).
. :


12345678
password1234
87654321
password4321

12345678 87654321 - , password1234 password4321 - .


. ,
. .
/usr/cas/server/iafile. .
2. CA mksecpki:
# mksecpki -u pkiuser -f /usr/cas/server/iafile -p 1077 -H ldap.cert.mydomain.com \
-D cn=admin -w secret -i o=aix,c=us

mksecpki :
-u

,
.

-f

, .

-p

LDAP.

-H

IP- LDAP.

-D

LDAP.

-w

LDAP.

-i
LDAP, .
mksecpki TrustedKey
CA, /usr/lib/security/
pki/trusted.pkcs12. , ,
,
, .
:
mksecpki TrustedKey
CA, /usr/lib/security/pki/
trusted.pkcs12.
, .
,
,
, .
, .
.
.
/usr/java131/bin/keytool.
. keytool
. ,
. keytool:
keytool -genkey -dname 'cn=trusted key' -alias 'TrustedKey' -keyalg RSA \
-keystore .pkcs12 -storetype pkcs12ks

TrustedKey,
. ,
. ,
keylabel and keypasswd
acct.cfg.


(.pkcs12)
. root.
.
:

. . ,
PKI.


. 140.
/usr/lib/security/pki.
.
root.
acct.cfg
/usr/lib/security/pki/acct.cfg (, vi)
ldap.
:
CA .
,
.
, ,
CA. CA local
, .
local
. CA local.
, CA, . ldap default
CA.
CA SMIT.
/ :
(CA) .
/ (CA) :
1. PKI SMIT :
smitty pki

2. .
3. local Enter.
4. /usr/lib/security/pki/JSML.sml.
SML . program /usr/lib/security/
pki/ca.cfg.
5. CA . certfile
/usr/lib/security/pki/ca.cfg.


6. CA URI,
. .
/usr/lib/security/pki.
(
. 141.) trustedkey /usr/lib/security/
pki/ca.cfg.
7. URI CA (cmp://:1077).
server /usr/lib/security/pki/ca.cfg.
8. . cdp
/usr/lib/security/pki/ca.cfg.
9. URI (CRL). URI,
CA. URI
LDAP, :
ldap://crlserver/o=XYZ,c=us

10.

11.

12.

13.

14.

15.

16.

crl /usr/lib/security/pki/ca.cfg.
DN,
(, o=XYZ,c=us). . dn
/usr/lib/security/pki/ca.cfg.
URI URI
, ,
. . url
/usr/lib/security/pki/ca.cfg.
, .
RSA DSA. ,
RSA. algorithm /usr/lib/security/pki/ca.cfg.
( ) .
, , ,
. (
, 8). 512, 1024 2048.
, 1024 .
keysize /usr/lib/security/pki/ca.cfg.
. , CA
( ). 5 .
retries /usr/lib/security/pki/ca.cfg.
,
, . MD2,
MD5 SHA1. MD5. signinghash
/usr/lib/security/pki/ca.cfg.
, Enter.

:
/ (CA)
:
1. PKI SMIT :
smitty pki

2. CA.
3. local Enter.
4. CA,
. , 7 .


CA. (
. 139.) carefnum
/usr/lib/security/pki/acct.cfg.
5. , .
7- ASCII.
12 . CA. ,
. ( .
139.) capasswd /usr/lib/security/pki/acct.cfg.
6. ,
. , 7 .
CA . CA
.
( ), .
rvrefnum /usr/lib/security/pki/acct.cfg.
7. ,
. 7- ASCII.
12 . CA
. CA .
(
), . rvpasswd
/usr/lib/security/pki/acct.cfg.
8. ( ) ,
.
. 140.
keylabel /usr/lib/security/pki/acct.cfg.
9. ,
.
. 140. keypasswd
/usr/lib/security/pki/acct.cfg.
10. , Enter.
LDAP :
LDAP CA.
1. PKI SMIT :
smitty pki

2. LDAP.
3. DN LDAP. LDAP
CA LDAP . 136
LDAP . 138.
cn=admin. LDAP CA.
ldappkiadmin /usr/lib/security/pki/acct.cfg. :
ldappkiadmin = "cn=admin"

4. LDAP.
LDAP . 136
LDAP . 138.
ldappkiadmpwd /usr/lib/security/pki/acct.cfg. :
ldappkiadmpwd = secret

5. LDAP. LDAP.
LDAP. ldapservers
/usr/lib/security/pki/acct.cfg. :
ldapservers = ldapserver.mydomain.com


6. DN , .
ibm-slapdSuffix
LDAP . 138.
LDAP. ldapsuffix /usr/lib/security/pki/acct.cfg. :
ldapsuffix = "ou=aix,cn=us"

7. , Enter.
LDAP PKI:
LDAP PKI.
, LDAP
. 143, , PKI ACL
LDAP PKI . 136.
:
v (ou=pkidata,cn=aixdata),
v (password),
v (site specific),
v (ou=pkidata,cn=aixdata).
, Enter.
:
/ (CA) :
1. PKI SMIT :
smitty pki

2. .
v ,
(new) mkuser ,
(get).
cert newuser /usr/lib/security/pki/policy.cfg.
v , mkuser
.
ca.cfg; , local. ca newuser
/usr/lib/security/pki/policy.cfg.
v , mkuser
. passwd newuser
/usr/lib/security/pki/policy.cfg.
v , mkuser
. 3,
X.509v3. version newuser /usr/lib/security/pki/
policy.cfg.
v .
mkuser . keysize newuser
/usr/lib/security/pki/policy.cfg.
v URI,
mkuser .
keystore newuser /usr/lib/security/pki/policy.cfg.
v , mkuser
. CA
. , .


, , . d,
. y,
. :
1y (1 )
30d (30 )
2592000 ( , 30 )
validity newuser /usr/lib/security/pki/policy.cfg.
v , certlink
() (). replicate
storage /usr/lib/security/pki/policy.cfg.
v , certadd certlink
CRL () ().
check crl /usr/lib/security/pki/policy.cfg.
v - - , certadd
certlink HTTP (, CRL).
timeout comm /usr/lib/security/pki/policy.cfg.
methods.cfg:
methods.cfg ,
registry SYSTEM. ,
PKILDAP (PKI LDAP) FPKI (PKI ).
methods.cfg. PKI, LDAP
PKILDAP . .
.
PKI:
program = /usr/lib/security/PKI
options = authonly
LDAP:
program = /usr/lib/security/LDAP
PKILDAP:
options = auth=PKI,db=LDAP


methods.cfg .
:
.
PKI
PKI mkuser,
/usr/lib/security/methods.cfg (PKILDAP).
, /usr/lib/security/pki/policy.cfg, mkuser
. mkuser,
bob:
mkuser -R PKILDAP SYSTEM="PKILDAP" registry=PKILDAP bob


PKI
PKI
.
. , .
,
.
:
v cas.server cas.client , .
v PKILDAP methods.cfg, methods.cfg . 145.
1:
root
bob:
certcreate -f cert1.der -l auth_lbl1 cn=bob bob
certadd -f cert1.der -l auth_lbl1 auth_tag1 bob
certverify auth_tag1 bob
chuser SYSTEM="PKILDAP" registry=PKILDAP bob
chuser -R PKILDAP auth_cert=auth_tag1 bob

#
#
#
#
#
#
#

cert1.der.
auth_tag1
LDAP.
LDAP.
PKILDAP.

.

bob keypasswd.
2:
bob 1 (certcreate,
certadd, certverify), .
chuser 1.

PKI ,

. bob ,
.
# bob:
certcreate -f cert1.der -l auth_lbl1 cn=bob # cert1.der.
certadd -f cert1.der -l auth_lbl1 auth_tag1 # auth_tag1 LDAP.
certverify auth_tag1
# LDAP.
# :
chuser -R PKILDAP auth_cert=auth_tag1 bob
#
# .


,
PKI, passwd newuser stanza /usr/lib/security/pki/
policy.cfg.

, ,
.



,
, , ,
.
. ,
(
, ).

. .
, .
.

, LDAP, ,
.

, LDAP.
, ,
.
/var/pki/security/keys/user1.p12 /var/pki/security1/keys/
user1.p12:
# root...
cp /var/pki/security/keys/user1.p12 /var/pki/security1/keys/user1.p12
# .
certlist ALL user1
#
#
#
#
#
#
#

, , :
A) .
B) LDAP.
C) LDAP,
.
D) , .
( D .)

# .
# , :
# : user1
# : tag1
# : label1
# .
certlist -a label tag1 user1
# LDAP cert.der.
certget -f cert.der tag1 user1
# LDAP.
certadd -r -f cert.der -p /var/pki/security1/keys/user1.p12 -l label1 tag1 user1
# , .
# ( .)
certverify tag1 user1


, :
, AIX
.
.
DER x509 v3, pkcs12.
- aixtest.cer, - aixtest.p12,
AIX - aixuser. aixuser . aixtest, .
.
, ,
Java.
,
, :
1. , , /usr/bin/keylist,
.
# keylist -v -p aixtest.p12
:
: aixtest
: aixtest
#

keytool .
keytool , ,
.
# keytool -list -keystore aixtest.p12 -storepass secret -storetype pkcs12
: pkcs12
: IBMJCE
1

2. AIX keyadd.
. ,
. , .
# keyadd -l aixtest -s aixtest.p12 aixuser
:
:
:
#

, , AIX:
# keylist -v aixuser
:
: aixtest
: aixtest
#

3. AIX LDAP:
# certadd -c -f aixtest.cer -l aixtest logincert aixuser

, :
# certlist -f logincert aixuser
aixuser:
auth_cert=
distinguished_name=c=US,o=IBM,ou=Sec Team,cn=AIX test
alternate_name=
validafter=0412230006


validuntil=1231215916
issuer=c=US,o=IBM,ou=Sec Team,cn=AIX test
tag=logincert
verified=false

4. , :
# certverify logincert puser1
:

, :
# certlist -f -a verified logincert aixuser
aixuser:
verified=true

5. :
# chuser -R PKIfiles auth_cert=logincert aixuser

, auth_cert :
# lsuser -R PKIfiles -a auth_cert aixuser
aixuser auth_cert=logincert

6. SYSTEM registry:
# chuser -R PKIfiles SYSTEM=PKIfiles registry=PKIfiles aixuser

, :
# lsuser -f -R PKIfiles -a SYSTEM registry auth_cert aixuser
aixuser:
SYSTEM=PKIfiles
registry=PKIfiles
auth_cert=logincert

7. ca.cfg, .
dn program. certlist
, , .
# certlist -f -a issuer logincert aixuser
aixuser:
issuer=c=US,o=IBM,ou=Sec Team,cn=AIX test
#

/usr/lib/security/pki/JSML.sml.
/usr/lib/security/pki/ca.cfg :
remoteCA:
program = /usr/lib/security/pki/JSML.sml
dn = "c=US,o=IBM,ou=Sec Team,cn=AIX test"

8. , aixuser , :
# telnet testsystem.ibm.com
AIX Version 5
(C) Copyrights by IBM and by others 1982, 2006.
login: aixuser
aixuser's Password:
......
Last login: Fri Apr 14 10:46:29 CDT 2006 on /dev/pts/3 from localhost
$ echo $AUTHSTATE
PKIfiles
$



(PAM)

.
PAM ,
. :
v
v
v
v
PAM , . PAM
(API) PAM PAM
(SPI) PAM, .

. ,
.
. ,
.
AIX PAM, auth_type usw
/etc/security/login.cfg. auth_type = PAM_AUTH PAM
, AIX, API PAM.
. .
auth_type /etc/security/login.cfg.
auth_type PAM
AIX:
v login
v passwd
v su
v ftp
v telnet
v rlogin
v rexec
v rsh
v snappd
v imapd
v dtaction
v dtlogin
v dtsession

, PAM,
PAM , PAM. PAM,
API PAM PAM.
SPI PAM . PAM
, . ,
, ,
, .
, ; .


3. PAM. ,
PAM PAM .

PAM
PAM /usr/lib/libpam.a API PAM,
PAM .
PAM , /etc/pam.conf
API PAM SPI PAM, PAM.
, API pam_authenticate PAM SPI pam_sm_authenticate.
v pam_authenticate
v pam_setcred
v pam_acct_mgmt
v pam_open_session
v pam_close_session
v pam_chauthtok
, PAM API,
PAM . API
PAM, AIX :
pam_start
pam_end
pam_get_data
pam_set_data
pam_getenv
pam_getenvlist
pam_putenv
pam_get_item
pam_set_item
pam_get_user
pam_strerror

PAM
PAM


PAM
PAM

PAM
PAM
PAM

PAM

PAM
PAM
.


PAM .
SPI PAM,
.

, ,
.
.
:
v pam_sm_authenticate
v pam_sm_setcred


.
.
:
v pam_sm_acct_mgmt

. ,
.
:
v pam_sm_open_session
v pam_sm_close_session

.
:
v pam_sm_chauthtok

PAM
/etc/pam.conf PAM
.
, :
- - - -- -

-
-
-
--


. , ,
, OTHER.
. : auth, account, session password.
.
. : required, requisite, sufficient
optional.
, . --
: .
, PAM
/usr/lib/security ( 32- ), /usr/lib/security/64 ( 64-
).
.
, ,
--. .

, -
-, PAM. , (#),
.
PAM , .

-. , ;
- .
- ,
:
required

requisite

sufficient

optional

.
.
,
,
.
. required, ,
,
,
.
. , , ,
,

.
.
,
, .
- ,
.

/etc/pam.conf auth
.
#
# PAM /etc/pam.conf
#
#
login auth required /usr/lib/security/pam_ckfile file=/etc/nologin
login auth required /usr/lib/security/pam_aix
login auth optional /usr/lib/security/pam_test use_first_pass
OTHER auth required /usr/lib/security/pam_prohibit

.
pam_ckfile pam_aix ,
. pam_test .
. use_first_pass
pam_test , ,
.
OTHER
, . ,
. ,
, , pam_prohibit
PAM.

pam_aix
pam_aix - PAM, PAM
AIX , , AIX (
).


AIX
methods.cfg. ,
AIX, PAM.

4. PAM AIX

API PAM ,
/etc/pam.conf pam_aix. ,
(DCE, LDAP
KRB5), AIX ().
pam_aix /usr/lib/security. pam_aix
/etc/pam.conf. /etc/pam.conf
, :
#
#
#
OTHER auth required /usr/lib/security/pam_aix
#
#
#
OTHER account required /usr/lib/security/pam_aix
#
#
#
OTHER session required /usr/lib/security/pam_aix
#
#
#
OTHER password required /usr/lib/security/pam_aix

pam_aix SPI pam_sm_authenticate, pam_sm_chauthtok pam_sm_acct_mgmt.


pam_sm_setcred, pam_sm_open_session pam_sm_close_session pam_aix,
PAM_SUCCESS.


SPI PAM
AIX:
PAM SPI                    AIX
=========                  =====
pam_sm_authenticate    --> authenticate
pam_sm_chauthtok       --> passwdexpired, chpass
                           : passwdexpired
                           PAM_CHANGE_EXPIRED_AUTHTOK.
pam_sm_acct_mgmt       --> loginrestrictions, passwdexpired
pam_sm_setcred         --> , PAM_SUCCESS
pam_sm_open_session    --> , PAM_SUCCESS
pam_sm_close_session   --> , PAM_SUCCESS

, AIX,
pam_set_item , , ,
pam_aix.

PAM
AIX , PAM
AIX.
: AIX 5.3 PAM
PAM AIX.
PAM, PAM
PAM AIX.
PAM AIX auth_type usw
/etc/security/login.cfg PAM_AUTH. auth_type
/etc/security/login.cfg.
PAM - , .
PAM auth_type.
/usr/lib/security/methods.cfg PAM
AIX (passwd, login, ..) PAM. PAM
/etc/pam.conf, , PAM , SPI
PAM. PAM AIX
.


5. AIX PAM

AIX
PAM. PAM (pam_krb, pam_ldap pam_dce)
, .
PAM /usr/lib/security
. PAM
. , methods.cfg
PAM, files. BUILTIN,
db, , UNIX.
PAM:
program = /usr/lib/security/PAM
PAMfiles:
options = auth=PAM,db=BUILTIN

-R ,
SYSTEM . :
mkuser -R PAMfiles SYSTEM=PAMfiles registry=PAMfiles pamuser

, AIX (login, passwd, ..)


PAM. files,
, , LDAP.
AIX API PAM:
AIX                      PAM API
=====                    =========
authenticate         --> pam_authenticate
chpass               --> pam_chauthtok
passwdexpired        --> pam_acct_mgmt
passwdrestrictions   --> ,

/etc/pam.conf API PAM PAM


. .


, AIX, PAM pam_set_item, PAM


. PAM,
PAM, pam_get_item
.
, : AIX
PAM, PAM, , AIX.
.
: /etc/pam.conf pam_aix PAM
AIX, .

PAM
PAM.
1. 32- /usr/lib/security; 64-
/usr/lib/security/64.
2. root, - 555.
PAM , root.
3. /etc/pam.conf, .
4. . ,
.

the /etc/pam.conf
, /etc/pam.conf, .
/etc/pam.conf :
v root security.
644, ,
- root.
v PAM,
pam_prohibit ( OTHER).
v ,
, .
v ,
required, requisite, sufficient optional.
: PAM , ,
, root.

. , ,
/etc/pam.conf

PAM
PAM .
PAM-API
PAM.
PAM :
1. /etc/pam_debug. PAM
/etc/pam_debug, , , syslog.
2. /etc/syslog.conf, ,
.
3. syslogd .


4. PAM ,
/etc/syslog.conf

OpenSSH
OpenSSH SSH1 SSH2.
.
OpenSSH /. OpenSSH AIX sshd
.
,
.
OpenSSH, man, Web-:
http://www.openssh.org
http://www-128.ibm.com/developerworks/eserver/articles/openssh_updated.html
installp AIX Web-: http://sourceforge.net/projects/openssh-aix.
OpenSSH AIX.
OpenSSH AIX 5.3.
OpenSSH installp
openssh-3.8.p1. installp man
. OpenSSH, ,
IBM (IPLA)
.
OpenSSH installp
Open Secure Sockets Layer (OpenSSL) . OpenSSL RPM
- AIX Toolbox Linux. , Web-
AIX Toolbox Linux: http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
OpenSSL ,
Web-. :
1. AIX Toolbox Cryptographic Content Web- AIX Toolbox
Linux.
2. I have not registered before.
3. .
4. Accept License,
. .
5. openssl-0.9.6m-1.aix4.3.ppc.rpm
OpenSSL SSL Cryptographic Libraries.
6. Download now! openssl-0.9.6m-1.aix4.3.ppc.rpm.
OpenSSL OpenSSL OpenSSH.
1. OpenSSL RPM geninstall:
# geninstall -d/dev/cd0 R:openssl-0.9.6m

--------openssl-0.9.6m-3

2. OpenSSH installp geninstall:


# geninstall -I"Y" -d/dev/cd0 I:openssh.base


Y,
OpenSSH.
:

-------------------
------------------------------------------------------------------------------
openssh.base.client   3.8.0.5200   USR
openssh.base.server   3.8.0.5200   USR
openssh.base.client   3.8.0.5200   ROOT
openssh.base.server   3.8.0.5200   ROOT

OpenSSL OpenSSH SMIT install_software.


OpenSSH:
scp

, rcp.

sftp

, FTP, SSH1 SSH2.

sftp-server
SFTP ( sshd).
ssh

rlogin rsh.

ssh-add
ssh-agent.
ssh-agent
.
ssh-keygen
.
ssh-keyscan
.
ssh-keysign
.
ssh-rand-helper
, OpenSSH .
AIX 5.1.
sshd

OpenSSH:
v /etc/ssh sshd ssh.
v /usr/openssh readme OpenSSH
. Kerberos
ssh.
v sshd AIX SRC. ,
:
startsrc -s sshd
stopsrc -s sshd
lssrc -s sshd

startsrc -g ssh
stopsrc -g ssh
lssrc -s ssh

()

:
/etc/rc.d/rc2.d/Ksshd start

/etc/rc.d/rc2.d/Ssshd start


/etc/rc.d/rc2.d/Ksshd stop

/etc/rc.d/rc2.d/Ssshd stop

v OpenSSH /etc/rc.d/rc2.d .
inittab (l2:2:wait:/etc/rc.d/rc 2),
sshd .
, /etc/rc.d/rc2.d/Ksshd /etc/rc.d/rc2.d/Ssshd.
v OpenSSH SYSLOG.
v OpenSSH AIX (IBM Redbook),
Managing AIX Server Farms, Web-:
http://www.redbooks.ibm.com

v AIX, OpenSSH ( 256 ).
mkuser.
v , AllowUsers, DenyUsers, AllowGroups DenyGroups
ssh_config sshd_config.
, .

OpenSSH
OpenSSH:
1. Web- http://sourceforge.net/projects/openssh-aix
2. , , uncompress - command.
:
uncompress openssh361p2_52_nologin.tar.Z

3. tar -xvf -. :
tar -xvf openssh361p2_52_nologin.tar

4. inutoc.
5. smitty install.
6. .
7. ( ).
8. (.) Enter.
9. Tab
.
10. Enter, .
OpenSSH - , PTF.
.

OpenSSH
OpenSSH AIX.
OpenSSH AIX 5.1 :
OpenSSH :
: /usr/bin
: /usr/sbin
: /etc/ssh
Askpass: /usr/sbin/ssh-askpass
man: /usr/man
PID: /etc/ssh
chroot : /var/empty
PATH sshd: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
man: man


PAM:
KerberosIV:
KerberosV:
Smartcard:
AFS:
S/KEY:
TCP:
MD5:
IP- $DISPLAY:
IPv4 :
v4 v6:
BSD:
: ssh-rand-helper
ssh-rand-helper : (- 200)
: powerpc-ibm-aix5.1.0.0
: cc
: -O -D__STR31__
: -I. -I$(srcdir) -I/home/BUILD/test2debug/zlib-1.1.3/ -I/o
pt/freeware/src/packages/SOURCES/openssl-0.9.6m/include -I/usr/include -I/usr/in
clude/gssapi -I/usr/include/ibm_svc -I/usr/local/include $(PATHS) -DHAVE_CONFIG_
H
: -L. -Lopenbsd-compat/ -L/opt/freeware/lib/ -L/usr/local/lib
-L/usr/krb5/lib -blibpath:/opt/freeware/lib:/usr/lib:/lib:/usr/local/lib:/usr/kr
b5/lib
: -lz -lcrypto -lkrb5 -lk5crypto -lcom_err
: . WARNING.RNG

.

OpenSSH AIX 5.2 :


OpenSSH :
: /usr/bin
: /usr/sbin
: /etc/ssh
Askpass: /usr/sbin/ssh-askpass
man: /usr/man
PID: /etc/ssh
chroot : /var/empty
PATH sshd: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
man: man
PAM:
KerberosIV:
KerberosV:
Smartcard:
AFS:
S/KEY:
TCP:
MD5:
IP- $DISPLAY:
IPv4 :
v4 v6:
BSD:
: OpenSSL
: powerpc-ibm-aix5.2.0.0
: cc
: -O -D__STR31__
: -I/opt/freeware/src/packages/BUILD/openssl-0.9.6m/includ
e -I/usr/local/include -I/usr/local/include
: -L/opt/freeware/src/packages/BUILD/openssl-0.9.6m -L/usr/lo
cal/lib -L/usr/local/lib -blibpath:/usr/lib:/lib:/usr/local/lib:/usr/local/lib
: -lz -lcrypto -lkrb5 -lk5crypto -lcom_err

OpenSSH AIX 5.3 :


OpenSSH :
: /usr/bin
: /usr/sbin


: /etc/ssh
Askpass: /usr/sbin/ssh-askpass
man: /usr/man
PID: /etc/ssh
chroot : /var/empty
PATH sshd: /usr/bin:/bin:/usr/sbin:/sbin:/usr/
local/bin
man: man
PAM:
KerberosIV:
KerberosV:
Smartcard:
AFS:
S/KEY:
TCP:
MD5:
IP- $DISPLAY:
IPv4 :
v4 v6:
BSD:
: OpenSSL
: powerpc-ibm-aix5.3.0.0
: cc
: -O -D__STR31__
: -I/opt/freeware/src/packages/BUILD/openssl-0.9.6m/
include -I/usr/local/include -I/usr/local/include
Linker flags: -L/opt/freeware/src/packages/BUILD/openssl-0.9.6m
-L/usr/local/lib -L/usr/local/lib -blibpath:/usr/lib:/lib:/usr/local/
lib:/usr/local/lib
: -lz -lcrypto -lkrb5 -lk5crypto -lcom_err

OpenSSH Kerberos 5
Kerberos ,
. , ,
. , Kerberos
.
Kerberos kinit,
Kerberos,
KDC (Key Distribution Center - ). KDC
, TGT (Ticket-Granting Ticket -
). ,
Telnet Kerberos OpenSSH. Kerberos ,
KDC . Kerberos
, . Kerberos, IBM,
(NAS). NAS -
AIX. krb5.client.rte krb5.server.rte. 2003
OpenSSH 3.6 Kerberos 5
NAS 1.3.
OpenSSH 3.8 Kerberos 5
NAS 1.4. OpenSSH NAS
(Kerberos). OpenSSH 3.8.x NAS 1.4 .
AIX OpenSSH Kerberos .
Kerberos , OpenSSH Kerberos
(,
AIX).


Kerberos Kerberos
. Kerberos
IBM Network Authentication Service Version 1.3 for AIX : Administrator's and User's Guide,
/usr/lpp/krb5/doc/html//ADMINGD.htm
OpenSSH Kerberos:
, OpenSSH Kerberos.
, OpenSSH
Kerberos:
1. OpenSSH /etc/krb5.conf.
Kerberos, KDC ,
.. krb5.conf:
[libdefaults]
ticket_lifetime = 600
default_realm = OPENSSH.AUSTIN.XYZ.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
OPENSSH.AUSTIN.xyz.COM = {
kdc = kerberos.austin.xyz.com:88
kdc = kerberos-1.austin.xyz.com:88
kdc = kerberos-2.austin.xyz.com:88
admin_server = kerberos.austin.xyz.com:749
default_domain = austin.xyz.com
}
[domain_realm]
.austin.xyz.com = OPENSSH.AUSTIN.XYZ.COM
kdc.austin.xyz.com = OPENSSH.AUSTIN.XYZ.COM

2. , /etc/services
Kerberos:
kerberos       88/udp    kdc    # Kerberos V5 KDC
kerberos       88/tcp    kdc    # Kerberos V5 KDC
kerberos-adm   749/tcp          # Kerberos 5 admin/changepw
kerberos-adm   749/udp          # Kerberos 5 admin/changepw
krb5_prop      754/tcp          # Kerberos slave propagation

3. KDC LDAP,
LDAP . 97
Kerberos. , :
v KDC LDAP. LDAP
secldapclntd.
v LDAP LDAP slapd.
4. OpenSSH /etc/ssh/sshd_config, :
KerberosAuthentication yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UseDNS yes

UseDNS Yes, ssh
. , ,
IP-.


: SSH -
DNS. ,
DNS, UseDNS no. UseDNS
/etc/ssh/sshd_config, yes.
5. SSH startsrc -g ssh, SSH.
6. SSH kinit (TGT).
7. TGT klist.
.
8. ssh @.
Kerberos
SSH.


IP;
; .

TCP/IP
TCP/IP NFS .
TCP/IP,
. TCP/IP TCP/IP
in .
. ,
. ,
. ,
, , .
TCP/IP ,
.
TCP/IP NFS WSM (Web- )
SMIT tcpip.
dacinet AIX 5L 5.3:
.


TCP/IP (, )
.
TCP/IP.
:

, .
:
v
, . TCP/IP, ftp, rexec
telnet, ,
.


v , IP-
. , .
v ,
. ,
, .
:
TCP/IP .
, .
- ,
, , .
:

v
v
v
v
v

v
v

v
v
v
v
v

v
v
v
v
.
, .
, :
,
. , ,
.
, (tsh),
, . TCP/IP ,
(SAK),
. TCP/IP SAK. SAK
telnet.


SAK telnet ,
: telnet , ,
telnet. , telnet
telnet send sak ( telnet). telnet set sak
, SAK.

. 1.

TCP/IP
TCP/IP . ftp,
rexec telnet.
ftp . rexec
. telnet
.
ftp, rexec telnet . ,
.
securetcpip.
; ,
IP.
ftp, rexec, securetcpip telnet :
ftp .
ftp ,
.
.
.

ftp


$HOME/.netrc.
$HOME/.netrc 600 (
). ,
.
: .netrc
,
ftp securetcpip.
ftp tcpip
/etc/security/config.
ftp TCP/IP:
(FTP), .
,
. ,
, , .
, ftp
.
.
rexec
. .

rexec


$HOME/.netrc rexec.
$HOME/.netrc 600
( ). ,
.
: .netrc
,
rexec
. rexec tcpip
/etc/security/config.


securetcpip TCP/IP.
. securetcpip
:

securetcpip

v rlogin rlogind
v rcp, rsh rshd
v tftp tftpd
v trpt
securetcpip .
securetcpip ,
TCP/IP.
telnet (TELNET)
. .
, , .
, .
, ,
. , telnet
SAK.
, ,
telnet.

telnet tn

:
, /etc/hosts.equiv,
, .
, ,
Web- , WSM (Web- ) .
11.

SMIT

WSM (Web- )

smit lshostsequiv


/etc/hosts.equiv

TCPIP (IPv4 IPv6)


TCPIP TCP/IP TCP/IP
hosts /etc/hosts .

smit mkhostsequiv
/etc/hosts.equiv .

smit rmhostsequiv


/etc/hosts.equiv .

TCPIP (IPv4 IPv6)


TCPIP TCP/IP TCP/IP
hosts. / :
IP-, , .
/ OK.
TCPIP (IPv4 IPv6)
TCPIP TCP/IP TCP/IP
hosts. /etc/host.
OK.

: "hosts.equiv File
Format for TCP/IP" AIX 5L 5.3: .
FTP:


, /etc/ftpusers, FTP. ,
, A B .
B /etc/ftpusers, A
FTP, .
, ,
WSM (Web- ), SMIT .
FTP

SMIT

WSM (Web- )

FTP

smit lsftpusers


/etc/ftpusers

smit mkftpusers


/etc/ftpusers
file.

Selected
. OK.

smit rmftpusers


/etc/ftpusers
file.


Delete.

: "ftpusers File Format


for TCP/IP" AIX 5L 5.3: .


( ) - , ,
.
, .
. A1, B1, B2, B3, C1, C2 D, A1 . .
, C2 :

, , .
, ,
.
,
. ,
,
.
, ,
,
, .

TCP/IP .
:
v ftpd
v rexecd
v telnetd
:
v rshd
v rlogind
v tftpd


,
. , .


(NTCB) ,
. NTCB, TCP/IP.
, TCP/IP.
, , .
NTCB . ,
, :
Directory        File              Owner  Group   Mode  Permissions
/etc             gated.conf        root   system  0664  rw-rw-r--
/etc             gateways          root   system  0664  rw-rw-r--
/etc             hosts             root   system  0664  rw-rw-r--
/etc             hosts.equiv       root   system  0664  rw-rw-r--
/etc             inetd.conf        root   system  0644  rw-r--r--
/etc             named.conf        root   system  0644  rw-r--r--
/etc             named.data        root   system  0664  rw-rw-r--
/etc             networks          root   system  0664  rw-rw-r--
/etc             protocols         root   system  0644  rw-r--r--
/etc             rc.tcpip          root   system  0774  rwxrwxr--
/etc             resolv.conf       root   system  0644  rw-r--r--
/etc             services          root   system  0644  rw-r--r--
/etc             3270.keys         root   system  0664  rw-rw-r--
/etc             3270keys.rt       root   system  0664  rw-rw-r--
/usr/bin         host              root   system  4555  r-sr-xr-x
/usr/bin         hostid            bin    bin     0555  r-xr-xr-x
/usr/bin         hostname          bin    bin     0555  r-xr-xr-x
/usr/bin         finger            root   system  0755  rwxr-xr-x
/usr/bin         ftp               root   system  4555  r-sr-xr-x
/usr/bin         netstat           root   bin     4555  r-sr-xr-x
/usr/bin         rexec             root   bin     4555  r-sr-xr-x
/usr/bin         ruptime           root   system  4555  r-sr-xr-x
/usr/bin         rwho              root   system  4555  r-sr-xr-x
/usr/bin         talk              bin    bin     0555  r-xr-xr-x
/usr/bin         telnet            root   system  4555  r-sr-xr-x
/usr/sbin        arp               root   system  4555  r-sr-xr-x
/usr/sbin        fingerd           root   system  0554  r-xr-xr--
/usr/sbin        ftpd              root   system  4554  r-sr-xr--
/usr/sbin        gated             root   system  4554  r-sr-xr--
/usr/sbin        ifconfig          bin    bin     0555  r-xr-xr-x
/usr/sbin        inetd             root   system  4554  r-sr-xr--
/usr/sbin        named             root   system  4554  r-sr-xr--
/usr/sbin        ping              root   system  4555  r-sr-xr-x
/usr/sbin        rexecd            root   system  4554  r-sr-xr--
/usr/sbin        route             root   system  4554  r-sr-xr--
/usr/sbin        routed            root   system  0554  r-xr-xr--
/usr/sbin        rwhod             root   system  4554  r-sr-xr--
/usr/sbin        securetcpip       root   system  0554  r-xr-xr--
/usr/sbin        setclock          root   system  4555  r-sr-xr-x
/usr/sbin        syslogd           root   system  0554  r-xr-xr--
/usr/sbin        talkd             root   system  4554  r-sr-xr--
/usr/sbin        telnetd           root   system  4554  r-sr-xr--
/usr/ucb         tn                root   system  4555  r-sr-xr-x
/var/spool/rwho  rwho (directory)  root   system  0755  drwxr-xr-x


TCP/IP .
,
(, ), .
TCP/IP (DOD)
DOD 5200.5 NCSD-11, .

TCP
Internet
Internet (DACinet)
TCP AIX 5.2.
AIX 5.2
TCP. DACinet
, .
: DACinet CAPP/EAL4+, AIX systems.
, DACinet
, root. UNIX, AIX,

1024 root. AIX 5.2
1024 ( root).
DACinet
DACinet. . DACinet,
.
dacinet , IP-
.
host.domain.org:
host.domain.org

IP- 10.0.0.1:
10.0.0.1

, 24 ( ) 10.0.0.0:
10.0.0.0/24

10.0.0.1 10.0.0.254.
TCP:
DACinet /etc/rc.dacinet /etc/security/priv,
/etc/security/services /etc/security/acl.
/etc/security/services , ACL.
, /etc/services.
/etc /etc/security , ACL.
ACL . ACL ;
dacinet aclls. ACL, /etc/rc.tcpip,
/etc/security/acl. :
/_ [|]

/etc/services, -
, - u: or g:.
, ACL .
-. ACL . ,
, ,
.
/etc/services , AIX 5.2.
mkCCadmin .
/etc/services :
sco_printer
sco_s5_port

70000/tcp
70001/tcp

sco_spooler
lpNet_s5_port

# For System V print IPC


# For future use

DACinet:
, DACinet TCP/25
root DACinet, root
AIX 5.2.
TCP/25.


X11 root. ,
X11 /etc/security/services, ACL
.
10.1.1.0/24, , X
(TCP/6000) root, /etc/security/acl
ACL:
6000     10.1.1.0/24   u:root

Telnet friends ,
telnet /etc/security/services ACL:
telnet   0.0.0.0/0     g:friends

Web- fred,
:
-80      0.0.0.0/0     u:fred
80       0.0.0.0/0

:
,
.
1024. ,
Web- 8080, SOCKS - 1080.
dacinet setpriv. /etc/security/priv
, .
, /etc/services, .
, root, SOCKS Lotus Notes
:
1080
lotusnote

: .
.


,
, .


AIX.
: AIX
.
AIX:

Port/Protocol  Service       Description
13/tcp         daytime       Daytime (RFC 867)
13/udp         daytime       Daytime (RFC 867)
21/tcp         ftp           File Transfer [Control]
21/udp         ftp           File Transfer [Control]
23/udp         telnet        Telnet
23/udp         telnet        Telnet
25/tcp         smtp          Simple Mail Transfer
25/udp         smtp          Simple Mail Transfer
37/tcp         time          Time
37/udp         time          Time
111/tcp        sunrpc        SUN Remote Procedure Call
111/udp        sunrpc        SUN Remote Procedure Call
161/tcp        snmp          SNMP
161/udp        snmp          SNMP
199/tcp        smux          SMUX
199/udp        smux          SMUX
512/tcp        exec
513/tcp        login         , telnet;
514/tcp        shell         cmd
514/udp        syslog        Syslog
518/tcp        ntalk         Talk
518/udp        ntalk         Talk
657/tcp        rmc           RMC
657/udp        rmc           RMC
1334/tcp       writesrv      writesrv
1334/udp       writesrv      writesrv
2279/tcp       xmquery       xmquery
2279/udp       xmquery       xmquery
9090/tcp       wsmserver     WebSM
32768/tcp      filenet-tms   Filenet TMS
32768/udp      filenet-tms   Filenet TMS
32769/tcp      filenet-rpc   Filenet RPC
32769/udp      filenet-rpc   Filenet RPC
32770/tcp      filenet-nch   Filenet NCH
32770/udp      filenet-nch   Filenet NCH
32771/tcp      filenet-rmi   FileNET RMI
32771/udp      filenet-rmi   FileNet RMI
32772/tcp      filenet-pa    FileNET Process Analyzer
32772/udp      filenet-pa    FileNET Process Analyzer
32773/tcp      filenet-cm    FileNET
32773/udp      filenet-cm    FileNET
32774/tcp      filenet-re    FileNET
32774/udp      filenet-re    FileNET Rules Engine FileNET


- ,
.
,
, , , ,
. , ,
Internet.
:
1. netstat:
# netstat -af inet
. netstat
. , ,
(LISTEN).
Internet ( )
Proto  Local Address          Foreign Address
tcp4   *.echo                 *.*
tcp4   *.discard              *.*
tcp4   *.daytime              *.*
tcp    *.chargen              *.*
tcp    *.ftp                  *.*
tcp4   *.telnet               *.*
tcp4   *.smtp                 *.*
tcp4   *.time                 *.*
tcp4   *.www                  *.*
tcp4   *.sunrpc               *.*
tcp    *.smux                 *.*
tcp    *.exec                 *.*
tcp    *.login                *.*
tcp4   *.shell                *.*
tcp4   *.klogin               *.*
udp4   *.kshell               *.*
udp4   *.echo                 *.*
udp4   *.discard              *.*
udp4   *.daytime              *.*
udp4   *.chargen              *.*
udp4   *.time                 *.*
udp4   *.bootpc               *.*
udp4   *.sunrpc               *.*
udp4   255.255.255.255.ntp    *.*
udp4   1.23.123.234.ntp       *.*
udp4   localhost.domain.ntp   *.*
udp4   name.domain..ntp       *.*
....................................

2.

/etc/services , Internet
Assigned Numbers Authority (IANA).
/etc/services:

tcpmux            1/tcp       # TCP Port Service Multiplexer
tcpmux            1/tcp       # TCP Port Service Multiplexer
Compressnet       2/tcp       # Management Utility
Compressnet       2/udp       # Management Utility
Compressnet       3/tcp       # Compression Process
Compressnet       3/udp       Compression Process
Echo              7/tcp
Echo              7/udp
discard           9/tcp       sink null
discard           9/udp       sink null
rfe               5002/tcp    # Radio Free Ethernet
rfe               5002/udp    # Radio Free Ethernet
rmonitor_secure   5145/tcp
rmonitor_secure   5145/udp
pad12sim          5236/tcp
pad12sim          5236/udp
sub-process       6111/tcp    # HP SoftBench Sub-Process Cntl.
sub-process       6111/udp    # HP SoftBench Sub-Process Cntl.
xdsxdm            6558/ucp
xdsxdm            6558/tcp
afs3-fileserver   7000/tcp    # File Server Itself
afs3-fileserver   7000/udp    # File Server Itself
af3-callback      7001/tcp    # Callbacks to Cache Managers
af3-callback      7001/udp    # Callbacks to Cache Managers
..............

3. , .
: 657 (RMC)
. , - .

TCP UDP
TCP, , UDP,
, lsof, netstat -af.


, TCP, ,
UDP, , lsof:
# lsof -i | egrep "||UDP"

COMMAND   PID   USER  FD   TYPE  DEVICE      SIZE/OFF  NODE  NAME
dtlogin   2122  root  5u   IPv4  0x70053c00  0t0       UDP   *:xdmcp
dtlogin   2122  root  6u   IPv4  0x70054adc  0t0       TCP   *:32768(.)
syslogd   2730  root  4u   IPv4  0x70053600  0t0       UDP   *:syslog
          2880  root  6u   IPv4  0x70054adc  0t0       TCP   *:32768(.)
          2880  root  8u   IPv4  0x700546dc  0t0       TCP   *:6000(.)
dtlogin   3882  root  6u   IPv4  0x70054adc  0t0       TCP   *:32768(.)
glbd      4154  root  4u   IPv4  0x7003f300  0t0       UDP   *:32803
glbd      4154  root  9u   IPv4  0x7003f700  0t0       UDP   *:32805
dtgreet   4656  root  6u   IPv4  0x70054adc  0t0       TCP   *:32768(.)

(PID)
:
" # ps -fp PID#"

, .

IP
IP- , IP Internet
.

IP -
IP ,
.
.
IP :
IP (IPsec),
, Internet Engineering Task Force (IETF).
IPsec IP .
. IPsec IETF
IPv4, IPv6.
IPsec :

, .

, ,
.



,
IP- .
,
. (
IP) - ,
. . ,
,
.
.
. ,
, .
,
, .
.
IPsec ESP (Encapsulating Security Payload)
AH (Authentication Header). ESP IP.
ESP ESP.
AH ESP,
. AH IP
, -
, .
, . ,
.
IP:
IP.
v
v
v
v

AES 128-, 192- 256- .


10/100 Ethernet PCI Adapter II.
AH RFC 2402 ESP RFC 2406.
,
IKE, IPv6.
v .
v HMAC (Hashed Message Authentication Code) MD5 (Message Digest 5) HMAC
SHA (Secure Hash Algorithm).
v DES 56- , CBC 64-bit- (IV),
Triple DES, DES CBC 4 (32- IV) AES CBC.
v IP (IPv4 IPv6).
v IPv4 IPv6. IP
, IP .
v , ,
IP- , , , ..
v .
v ( IP-) . IP-
( DNS).
v IP syslog.
v .


v ,
.
Internet Key Exchange (IKE):
AIX 4.3.3 IKE,
.
v ESP DES, Triple DES, AES, Null Encryption;
ESP HMAC MD5 HMAC SHA1.
v PKCS #7 (AIX 5.1 ).
v
HTTP LDAP.
v IKE IETF.
v X.509 IKE
.
v IKE Linux ( AIX 5.1 ).
v X.509.
v ( ) .
v 1, 2 5 Diffie-Hellman.
v AH HMAC MD5 HMAC SHA1.
v IPv4 IPv6.
:
- .
.
(AH ESP)
. IP-
, SPI ( ),
, .
.
A B. B

6. A B

, B A. , SPI, ,
, , .



.
:
,
, .
, :
v IKE ( , IETF)
v ( , IETF)
IKE:
IKE ISAKMP/Oakley (Internet Security Association and Key Management
Protocol), IETF.
.
:
X.509v3.
.
.
IP ,
.
,
AH ESP IKE.

AH IP 4 6

ESP IP 4 6

HMAC MD5

HMAC SHA1

DES CBC 8

Triple DES CBC

AES CBC (128, 192, 256)

ESP Null

:
,
.
.
.
,
AH ESP .


AH IP 4

AH IP 6

ESP IP 4

ESP IP 6

HMAC MD5

HMAC SHA1

AES CBC (128, 192,


256)

Triple DES CBC

DES CBC 8

DES CBC 4

IKE ,
.
:
-
.
.
, , IP-
, IP (4 6), , ,
, , , .
, .

, .
(, , ),
.
IKE
.
IP
. ,
,
.
, ,
.
,
, .
.
.
,
, . ,
, .
, ,
.
IP , ,
.
:


IP X.509 3.
,
.
.
IBM.
IP:
(VPN)
(, Internet).
VPN ,
(, ).
,
, ,
.
IPsec, IETF
IPv4 IPv6.
9 A Comprehensive Guide to Virtual Private Networks, Volume III:
Cross-Platform Key and Policy Management, ISBN SG24-5309-00.
AIX.
Internet http://www.redbooks.ibm.com/redbooks/SG245309.html.

IP-
IP- AIX .
:
v bos.net.ipsec.rte ( IP- )
v bos.msg.LANG.net.ipsec ( LANG - , , ru_ru)
v bos.net.ipsec.keymgt
v bos.net.ipsec.websm
v bos.crypto-priv ( DES, DES AES)
bos.crypto-priv . IKE
gskit.rte (AIX 4) gskkm.rte (AIX 5.1)
.
IP WSM (Web- ),
Java131.ext.xml4j 1.3.1.1 .
IP- IP 4 6
, IP-, mkdev.
IP-:
IP- , SMIT WSM
(Web- ). , SMIT WSM (Web- )
IKE .
: IP- .
. .


, lsdev IP .
lsdev -C -c ipsec
ipsec_v4 : IP- 4
ipsec_v6 : IP- 6

IP-
.

IP
IP .
,
. ,
.
IP WSM (Web- ),
(SMIT). SMIT
:
smit ips4_basic
IP 4.
smit ips6_basic
IP 6.
IP : ,
/ , .. ,
:
:
10/100 Mbps Ethernet PCI Adapter II ( 4962) IP
AIX IP.
AIX 10/100 Mbps Ethernet PCI Adapter II, IP
:
v DES Triple DES.
v MD5 SHA-1.
v ,
. 10/100 Mbps Ethernet PCI
Adapter II IKE.
IP bos.net.ipsec.rte
devices.pci.1410ff01.rte 5.1.0.25 .
,
. , ,
.
.
10/100 Mbps Ethernet PCI Adapter II :
v DES, 3DES NULL ESP


v HMAC-MD5 HMAC-SHA-1 ESP AH, .


( ESP AH, ESP.
IKE,
.)
v
v IPV4
: 10/100 Mbps Ethernet PCI Adapter II IP.
IP 10/100 Mbps Ethernet PCI Adapter II
IPsec.
SMIT :
IPsec SMIT :
1. root.
2. smitty eadap Enter.
3. / Ethernet Enter.
4. 10/100 Mbps Ethernet PCI Adapter II Enter.
5. IPsec Enter.

:
# ifconfig enX detach

IPsec :
# chdev -l entX -a ipsec_offload=yes

IPsec :
# lsattr -El entX detach

IPsec :
# chdev -l entX -a ipsec_offload=no

entstat , IPsec.
entstat IPsec
IPsec. , Ethernet ent1,
:
# entstat -d ent1

:
.
.
.
10/100 Mbps Ethernet PCI Adapter II (1410ff01):
-------------------------------------------.
.
.
IPsec: 3
IPsec: 0
IPsec: 2
IPsec: 0


IP - .
, .
- ,
, .
.
,
, IP (4 6), , , , ,
, . IP,
.
.
, .
IP.
, , .
, .
, .
.
,
, .
.

7.

. IP, .
, IP
.
:
,
. ,
. ,
.
A B.


A B. B

8. A B

, B A. , SPI, ,
, , .
(SPI)
. . ,
, , ,
.
:
, IP, .
IKE ,
.
IKE .
.
Internet
. .

. ,
, .
IKE .
, IKE
AH ESP, .
, IP. ,
:
v
v
v


IKE.

9. IKE

(IKE)
( IP). IKE ,
. IP ,
IP. ,
,
. , IKE
, IP ,
.
:
, ,
IKE. ,
.
, .
( ) IKE
(. ):


( )

IKE.
. , IKE.
, , VPN
VPN .

, IKE.
, ,
.
,
, - KEY_ID.
KEY_ID ,
.

IP-, (FQDN),
(user@FQDN). :
jdoe@studentmail.ut.edu.

IP-

IP- . ,
KEY_ID, IP-. ,
,
IP- .

:
IKE.
IP, ,
, .
.
, IP:
,

,
, .

,
. ,
, .

IP- (, 9.53.250.96 255.255.255.0)

IP-

IP- ,
(, 9.53.250.96 - 9.53.250.96 9.53.250.93)

IP-

IP- ,
(, 9.53.250.93 - 9.53.250.96 9.53.250.93)

, (, 21 23)

,
(, TCP UDP). ,
,
.
.

:
IKE ,
, .
IKE,
.
IETF ESP AH.
.
, ,
.


.
, .
, ,
, IP .
MD5 DES, HMAC MD5 DES.
IP.
,
( ).
.
, .
, , - ,
. ,
.
IKE DHCP :
IP IKE
, IP-.
, ,
, IP.
, , ,
(FQDN) (@FQDN).
( 1) RSA
, IP-. ,
,
IP- .
DHCP, IPsec,
DHCP ,
RSA.
, DHCP (.
/usr/samples/ipsec/group_aix_responder.xml ).
IPsec AIX.
IKE ( IP-), FQDN, FQDN,
IP- .
.
: .
, DHCP.
( ) TCP
UDP, . , ,
, , IP-
. ,
, .
XML:
XML,
ikedb.
IKE XML ikedb
IKE . 193.


DHCP. XML IPSecTunnel, WSM


(Web- ) .
. ,
IPSecProtection, ,

.
, AIX . IPSecProtection
.
IKEProtection.
XML IKE_IPSecDefaultProtectionRef IKE_IPSecDefaultAllowedTypes.
-, IPSecProtection,
IPSecTunnels. IPSecProtection
IPSec_ProtectionName, _defIPSprot_.
IKEProtection, IPSecProtection .
IKE_IPSecDefaultProtectionRef, IPSec_Protection .
IKEProtection IKE_IPSecDefaultAllowedTypes.
( ):
Local_IPV4_Address
Local_IPV6_Address
Local_IPV4_Subnet
Local_IPV6_Subnet
Local_IPV4_Address_Range
Local_IPV6_Address_Range
Remote_IPV4_Address
Remote_IPV6_Address
Remote_IPV4_Subnet
Remote_IPV6_Subnet
Remote_IPV4_Address_Range
Remote_IPV6_Address_Range

. IKE
. IPSecProtection ,
IKE_IPSecDefaultAllowedTypes , Local_,
, , Remote_,
. , IPSec_Protection
IKE_IPSecDefaultAllowedTypes Local_
Remote_.
:
.
( ) AIX :
:
:

IPV4_Address
192.168.100.104

:
IPV4_Subnet
:
10.10.10.2
: 255.255.255.192

AIX , . IPSecProtection
:


IKE_IPSecDefaultProtectionRef="_defIPSprot_protection4"
IKE_IPSecDefaultAllowedTypes="Local_IPV4_Address
Remote_IPV4_Address
Remote_IPV4_Subnet
Remote_IPV4_Address_Range"

(IPV4_Address)
Local_ (Local_IPV4_Address). , (IPV4_Subnet)
Remote_IPV4_Subnet. ,
_defIPSprot_protection4 IPSecProtection.
/usr/samples/ipsec/default_p2_policy.xml XML
IPSecProtection.
WSM (Web- ):
WSM (Web- ).
WSM (Web- )
:
1. IKE,
.
2. .
. .
. IP V4 V6,
IP V4 V6, IP V4 V6
.
3.
OK. .
:
AIX.

IKE ( Internet-)
IKE WSM (Web- ), SMIT
.
IKE WSM (Web- ):
IKE WSM (Web- )
:
IKE WSM (Web-
) .
WSM (Web- ) IKE
IP-, ;
, , .
:
v . ,
IKE .
v , .
, hostA_to_hostB,
IP-.


v 1 2 .
v ( 0x) .
v ,
.
v IP-.
v ,
. WSM (Web- )
VPN IKE.
:
1. WSM (Web- ) wsm.
2. .
3. ( IP-).
4. .
5. .
6. , , IKE.
( F1).

IKEWSM (Web- ), .
IKE:

.
:
IKE WSM (Web- ).
:
1. WSM (Web- ) wsm.
2. .
3. ( IP-).
4. .
5.

IP-. ,
IP-, isakmpd, tmd cpsd.
,
.

v - .
, .
v , .
(
IP-), .

, (,
).
6.
IKE.
7. , , .
IP-, , .


,
.
.
8. ,
. .
9. , ,
.

RSA RSA CRL.

. 196.
:
, IKE,
.
WSM (Web- ), IKE,
. 205.
:
1. .
.
2. (IP-, IP-).
, .
3. ,
OK.
.
:
IP- IKE

.
,
. ,
.
. 1
.
.
,
.
, IKE.
, :
v IPv4
v IPv6
v
v @
v DN X500



.
WSM (Web- )
. WSM (Web- )
:
1. IKE.
2. .
3. .
4. .
5. .

IKE
.
IKE SMIT:
IKE
SMIT.
SMIT , IKE XML.
SMIT IKE
XML, IKE. IKE SMIT ,
IKE.
IPv4 smitty ike4. IPv6
smitty ike6. IKE
IP-.
IKE, SMIT, WSM
(Web- ).
IKE :
ikedb , , ,
IKE XML.
ikedb () ()
IKE. XML. XML
(DTD). ikedb DTD,
XML . ,
DTD - -e. DOCTYPE
XML , DOCTYPE
. XML DTD XML.
/usr/samples/ipsec XML, .
ikedb AIX 5L 5.3:
.
ike , IKE. ike
, .
ike AIX 5L 5.3: .
ike, ikedb IKE
:


1. ( )
( ), ike :
# ike cmd=activate numlist=1

IP-:
# ike cmd=activate remid=9.3.97.256
# ike cmd=activate ipaddr=9.3.97.100, 9.3.97.256

, .
2. ike:
# ike cmd=list

:
1
2

[1]
[1]

1 2, .
3. ike:
# ike cmd=list verbose

:
1
:
:
:
:
:
:
:
:
:
:
:
:
:
:
. . :
:
:
:
:

1
Fully_Qualified_Domain_Name
bee.austin.ibm.com
Fully_Qualified_Domain_Name
ipsec.austin.ibm.com

BOTH_AGGR_3DES_MD5

3DES-CBC

MD5
28800
0
28737
0
5%
2592000
0
2591937

2
1
:
IPv4_Address
:
10.10.10.1
:
:

:
IPv4_Address
:
10.10.10.4
:
:

:
Oakley_quick
:
ESP_3DES_MD5_SHA_TUNNEL_NO_PFS
:

:
ESP_3DES
AH:

: HMAC-MD5
PFS:

SA:
600
SA:
0
: 562
:
0
. . : 15%


:
:
:
P1:
:
:

2592000
0
2591962
0
ESP_tunnel

4. IKE
lsfilt:
# lsfilt -d

:
1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all
packets 0 all
2 *** *** no
0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both no all
packets 0 all
*** ***
0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 500 eq 500 local both no all
packets 0
0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no ah any 0 any 0 both inbound no all
packets 0
0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no esp any 0 any 0 both inbound no all
packets 0
1 permit 10.10.10.1 255.255.255.255 10.10.10.4 255.255.255.255 no all any 0 any
0 both outbound yes all packets 1
1 permit 10.10.10.4 255.255.255.255 10.10.10.1 255.255.255.255 no all any 0 any
0 both inbound yes all packets 1

IKE .
( 2
)
.
. , .
5. #2 yes,
chfilt:
# chfilt -v 4 -n 2 -l y

IKE
. 218.
6. ike:
# ike cmd=remove numlist=1

7. ikedb:
# ikedb -g

8. IKE XML, ,
, ,
ikedb:
# ikedb -pFs peer_tunnel_conf.xml

peer_tunnel_conf.xml - XML, .
9. 1 tunnel_sys1_and_sys2
2 ikedb:
# ikedb -gr -t IKETunnel -n tunnel_sys1_and_sys2

10. ikedb:
# ikedb -d -t IKEPresharedKey

IKE . 192.
ikedb .


AIX IKE Linux:


AIX IKE Linux.
IKE AIX Linux (AIX 5.1 ),
ikedb -c ( ), Linux
/etc/ipsec.conf /etc/ipsec.secrets, IKE. ikedb
Linux, XML () XML
IKE. ikedb -g, WSM
(Web- ).
IKE:
,
. ,
.
v ,
. ,
.
.
IKE IKE.
, , - ,
.
. ike.
v ,
.
.
AH ESP. - -.
v
. IP- ,
, , (user@).
KEYID.


- ,
.
AIX 4.3.2, IP
( ), ,
, , -
. . - ,
.
,
. ,
.
. ,
.
,
(CA), .
.
, .


AIX 4.3.2 -
. .
:
,
. .
. ,

10.

, .
:

().
:
country=RU ( - ), organization=IJK ( - IJK), lower organization=SERV
( - SERV). :
/C=RU/O=IJK/OU=SERV/CN=petrov.serv.ijk.ru


11.

, O=IJK
. OU=AIX, - OU=Acctg.
. CN=Petrov, CN=Nikolaev.

.

: IP-, , ..

.

.

.

, .
:
.
,
.
, , ,
. . -
, ,
. .
:
,
, .


,
.
- .
,
.
,
, . ,
- , .
, .
, .
:
, .
.
,
, .
,
. ,
.

.
HTTP LDAP.
. .
IKE,
RSA
CRL. CRL,
.
: , SOCKS
( 4 HTTP) () LDAP. SOCKS LDAP,
,
WSM (Web- ).
CRL .
Internet:
Internet, ,
.
:
(VPN)
( ) -
,
() . ,
, .
, IKE IP.

(, )
.


SSL
SSL .
Web- - Web-
Web-, LDAP - LDAP
LDAP, Host-on-Demand V.2 -
. SSL ,
, , .

(, PEM S/MIME)

.
:
,
.
,
.
, , .
, .
, ,
, :
v .
v , ,
.
, -
.
.
:
- , .
gskkm.rte, .
, ,
1, 2, 3, 4, 6 7. WSM (Web- )
IKE ,
RSA.
WSM (Web- ).
VPN certmgr
.
:
:
VPN. IP AIX
*.kdb.
CA:
v RSA Secure Server Certification Authority
v Thawte Personal Premium Certification Authority
v Thawte Personal Freemail Certification Authority
v Thawte Personal Basic Certification Authority
v Thawte Personal Server Certification Authority
v Thawte Server Certification Authority
v Verisign Class 1 Public Primary Certification Authority
v Verisign Class 2 Public Primary Certification Authority
v Verisign Class 3 Public Primary Certification Authority
v Verisign Class 4 Public Primary Certification Authority

,
. .
, ,
.
CA.
certmgr :
1. , :
# certmgr

2. .
3. ( CMS) .
4. :
ikekey.kdb

5. :
/etc/security

Note: the key database must be named ikekey.kdb and must reside in /etc/security.
IP.
6. . .
7. .
8. ,
? . 60 .
, ? .
9. ,
? .
: IP
.
10. . .
11. OK IBM.
.
CA:
, .
*.arm, :
cert.arm

CA , :


1. , :
# certmgr

2. .
3. , CA,
.
4. . ,
IBM. .
, .
5. Select the CA from the list.
6. .
7. , :
ASCII Base64

8.
.
9. .
10. CA, , CA,
OK. . CA
CA.
.
:
CA .
.
:
1. , :
# certmgr

2. .
3. , ,
.
4. . ,
IBM. . ,
.
5. Select the CA from the list.
6. ().
.
7. ,
OK.
, .
8. OK CA. IBM.
.
CA:
, ,
.
:
, .

CA , :
1. , :
# certmgr

2. .
3. , CA,
.
4. . ,
. . ,
.
5. Select the CA from the list.
6. . .
7. . IBM.
CA.
.
:
,
. PKCS#10.
.
, :
1. , :
# certmgr

2. .
3. /etc/security/ikekey.kdb, ,
.
4. . ,
IBM. .
, .
5. (AIX 4)
( AIX 5.1).
6. .
7. , :
keytest

8. ( ) , .
.
9. . , IP-
DNS. IP- IP-
. user@FQDN . FQDN
DNS (, ..com).
10. , :
certreq.arm

11. . ,
.
12. . IBM.
.
13. .
.


:
, ,
.
, :
1. , :
# certmgr

2. .
3. , ,
.
4. . ,
IBM. .
, .
5. .
6. , .
7. .
ASCII Base64.
8.
.
9. .
10. , :
VPN Branch Certificate

11. . IBM.
.
. , ,
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
Example:
-----BEGIN CERTIFICATE-----
ajdkfjaldfwwwwwwwwwwadafdw
kajf;kdsajkflasasfkjafdaff
akdjf;ldasjkf;safdfdasfdas
kaj;fdljk98dafdas43adfadfa
-----END CERTIFICATE-----

, .
:
.
: ,
.
:
1. , :
# certmgr

2. .
3. , , .
4. . ,
IBM. . ,
.

5. .
6. . .
7. . IBM.
.
.
:
.
:
1. , :
# certmgr

2. .
3. .
4. ,
? . 60 .
, ? .
5. ,
? .
: IP
.
6. . .
7. OK IBM.
.
IKE, :
IKE, , WSM
(Web- ) .
IKE,
, .
RSA. ( RSA RSA
CRL) " () " WSM (Web-
).
,
. WSM (Web- )
.
IP IKE (
):
v IP-
v (FQDN)
v user@FQDN
v X.500
v Key ID
-
WSM (Web- ). IP-, FQDN user@FQDN,


WSM (Web- )
.
.
, WSM (Web- )
X.500,
/C=US/O=ABC/OU=SERV/CN=name.austin.ibm.com,
:
v : name.austin.ibm.com
v : IJK
v : SERV
v : RU
X.500 ,
LDAP. .
.
: IP-,
10.10.10.1, :
v : name.austin.ibm.com
v : IJK
v : SERV
v : RU
v IP-: 10.10.10.1
.
:
v X.509.
v - MD5 RSA.
v . :
IP-
(FQDN)
user@FQDN
:
v ( ).
v ( PKCS#10).
. 203.
IKE
(ikekey.kdb).
. 204.
IP :

:
/C=RU/O=IJK/OU=SERV/CN=name.serv.ijk.ru

OU.

DN IP-
IP-:
/C=US/O=ABC/OU=SERV/CN=name.austin.ibm.com 10.10.10.1
DN FQDN

:
/C=US/O=ABC/OU=SERV/CN=name.austin.ibm.com bell.austin.ibm.com.
DN user@FQDN

(@--):
/C=US/O=ABC/OU=SERV/CN=name.austin.ibm.com name@austin.ibm.com.
DN
:
/C=US/O=ABC/OU=SERV/CN=name.austin.ibm.com bell.austin.ibm.com, 10.10.10.1
user@name.austin.ibm.com.


IP ,
(NAT).
NAT
Internet .
IP
IP-. ,
, IP
, IP .
NAT IP , ,
, IP.
IP , .
IP NAT VPN
, Internet, NAT.

12. IP NAT

IP NAT
NAT UDP.
IP NAT:
NAT IP
ENABLE_IPSEC_NAT_TRAVERSAL /etc/isakmpd.conf. ,
4500.


, ,
ENABLE_IPSEC_NAT_TRAVERSAL.
Rule 2:
   Source Address       : 0.0.0.0 (any)
   Source Mask          : 0.0.0.0 (any)
   Destination Address  : 0.0.0.0 (any)
   Destination Mask     : 0.0.0.0 (any)
   Protocol             : udp
   Source Port          : 0 (any)
   Destination Port     : 4500
   Tunnel ID number     : 0

Rule 3:
   Source Address       : 0.0.0.0 (any)
   Source Mask          : 0.0.0.0 (any)
   Destination Address  : 0.0.0.0 (any)
   Destination Mask     : 0.0.0.0 (any)
   Protocol             : udp
   Source Port          : 4500
   Destination Port     : 0 (any)
   Tunnel ID number     : 0

ENABLE_IPSEC_NAT_TRAVERSAL
. IPSEC NAT UDP,
. , 1
. IP-,
IP-.
IP NAT IP
NAT. NAT_KEEPALIVE_INTERVAL
/etc/isakmpd.conf.
NAT. NAT_KEEPALIVE_INTERVAL ,
, 20 .
NAT:
NAT ESP
.
ESP IP,
. ESP , IP.
AH
. , NAT, ,
. 2
AH, 1 NAT,
NO_PROPOSAL_CHOSEN.
, , NAT,
IP- . NAT.
NAT, 2 ,
NO_PROPOSAL_CHOSEN.

:
, .
.
.

13.

(SA) IP- 10.1.2.3.


, , .
IP-,
, IP-.
, IP-.
,
,
.


.
:
,
.
.
.
.
, . ,
, ,
, .
:
IP rmdev.
,
mkfilt -d. ,
, .
- DENY. mkfilt -d, ,
lsfilt , ,
. , IP, rmdev.
:


WSM (Web- ) ,
SMIT ips4_basic ( IP 4), ips6_basic ( IP 6). ,
.
gentun :
gentun -v 4 -t manual -s 5.5.5.19 -d 5.5.5.8 \
-a HMAC_MD5 -e DES_CBC_8 -N 23567

, ,
lstun -v 4:

Tunnel ID            : 1
IP Version           : IP Version 4
Source               : 5.5.5.19
Destination          : 5.5.5.8
Policy               : auth/encr
Tunnel Mode          :
Send AH Algo         : HMAC_MD5
Send ESP Algo        : DES_CBC_8
Receive AH Algo      : HMAC_MD5
Receive ESP Algo     : DES_CBC_8
Source AH SPI        : 300
Source ESP SPI       : 300
Dest AH SPI          : 23567
Dest ESP SPI         : 23567
Tunnel Life Time     : 480
Status               :
Target               :
Target Mask          :
Replay               :
New Header           :
Snd ENC-MAC Algo     :
Rcv ENC-MAC Algo     :

:
mktun -v 4 -t1

, , .
lsfilt -v 4:

Rule 4:
   Source Address       : 5.5.5.19
   Source Mask          : 255.255.255.255
   Destination Address  : 5.5.5.8
   Destination Mask     : 255.255.255.255
   Source Port          : 0
   Destination Port     : 0
   Tunnel ID number     : 1

Rule 5:
   Source Address       : 5.5.5.8
   Source Mask          : 255.255.255.255
   Destination Address  : 5.5.5.19
   Destination Mask     : 255.255.255.255
   Source Port          : 0
   Destination Port     : 0
   Tunnel ID number     : 1
, , mktun -v 4 -t 1.
( )
A, B.
ipsec_tun_manu.exp,
- ipsec_fltr_rule.exp , -f:
exptun -v 4 -t 1 -f /tmp

:
.
:
imptun -v 4 -t 1 -f /tmp

/tmp

. gentun lstun
. ,
, -t .
,
, SPI.
, .
-n:
imptun -v 4 -f /tmp -n

IP
, , ,
, ,
IP-.
. ,
, - .
SPI ,
. , .
, , ,
, , , , .
:


v ,
. , , .
.
v , , (
) - IKE.
,
.
v , ,
; , , ah, esp.
.
(-w) genfilt ,
. both, ,
, . AIX IPsec ,
(, ).
, ( ) ,
-w genfilt. , A B,
IP A, B.
IPsec, A, B. , A
B G. G ( )
: ( ipforwarding). ,
A B G, :
v A src addr A, dest addr B,
v B src addr A, dest addr B,
G :
1. src addr A, dest addr B,
2. src addr A, dest addr B,
: src addr A, dest addr B both (
, ). , both
, ipforwarding no. , ,
, A B G. ,
( B A G), .
: both ,
, . , ,
, . , A
A B, both,
A B A . both
, .
,
--. .
IP AIX:
IPFilter - ,
(NAT).
IPFilter 4.1.13, AIX,
, Web- IP Filter (http://coombs.anu.edu.au/
~avalon/). IPFilter AIX 5.3, AIX 5L
5.3 5300-05. installp (ipfl)
.

IPFilter AIX (/usr/lib/drivers/ipf).


ipf, ipfs, ipfstat, ipmon ipnat.
:
/usr/lib/methods/cfg_ipf -l

:
/usr/lib/methods/cfg_ipf -u

, ipforwarding.
IPFilter,
, Web- IPFilter (http://coombs.anu.edu.au/~avalon/).
:
.
( 1):
v Rule_number (1)
v Action (permit)
v Source_addr (0.0.0.0)
v Source_mask (0.0.0.0)
v Dest_addr (0.0.0.0)
v Dest_mask (0.0.0.0)
v Source_routing (no)
v Protocol (udp)
v Src_prt_operator (eq)
v Src_prt_value (4001)
v Dst_prt_operator (eq)
v Dst_prt_value (4001)
v Scope (both)
v Direction (both)
v Logging (no)
v Fragment (all packets)
v Tunnel (0)
v Interface (all)

1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all packets 0 all
2 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no ah any 0 any 0 both both no all packets 0 all
3 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no esp any 0 any 0 both both no all packets 0 all
4 permit 10.0.0.1 255.255.255.255 10.0.0.2 255.255.255.255 no all any 0 any 0 both outbound no all packets 1 all
5 permit 10.0.0.2 255.255.255.255 10.0.0.1 255.255.255.255 no all any 0 any 0 both inbound no all packets 1 all
6 permit 10.0.0.1 255.255.255.255 10.0.0.3 255.255.255.255 no tcp lt 1024 eq 514 local outbound yes all packets 2 all
7 permit 10.0.0.3 255.255.255.255 10.0.0.1 255.255.255.255 no tcp/ack eq 514 lt 1024 local inbound yes all packets 2 all
8 permit 10.0.0.1 255.255.255.255 10.0.0.3 255.255.255.255 no tcp/ack lt 1024 lt 1024 local outbound yes all packets 2 all
9 permit 10.0.0.3 255.255.255.255 10.0.0.1 255.255.255.255 no tcp lt 1024 lt 1024 local inbound yes all packets 2 all
10 permit 10.0.0.1 255.255.255.255 10.0.0.4 255.255.255.255 no icmp any 0 any 0 local outbound yes all packets 3 all
11 permit 10.0.0.4 255.255.255.255 10.0.0.1 255.255.255.255 no icmp any 0 any 0 local inbound yes all packets 3 all
12 permit 10.0.0.1 255.255.255.255 10.0.0.5 255.255.255.255 no tcp gt 1023 eq 21 local outbound yes all packets 4 all
13 permit 10.0.0.5 255.255.255.255 10.0.0.1 255.255.255.255 no tcp/ack eq 21 gt 1023 local inbound yes all packets 4 all
14 permit 10.0.0.5 255.255.255.255 10.0.0.1 255.255.255.255 no tcp eq 20 gt 1023 local inbound yes all packets 4 all
15 permit 10.0.0.1 255.255.255.255 10.0.0.5 255.255.255.255 no tcp/ack gt 1023 eq 20 local outbound yes all packets 4 all
16 permit 10.0.0.1 255.255.255.255 10.0.0.5 255.255.255.255 no tcp gt 1023 gt 1023 local outbound yes all packets 4 all
17 permit 10.0.0.5 255.255.255.255 10.0.0.1 255.255.255.255 no tcp/ack gt 1023 gt 1023 local inbound yes all packets 4 all
18 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no all any 0 any 0 both both yes all packets

:
1
.
IP 4. 4001 .
1 , .
: , .
2 3
AH ESP.
: 2 3, .

4 5
, 10.0.0.1
10.0.0.2 1. 4 , 5 - .
: 4 .
6-9
,
rsh, rcp, rdump, rrestore rdist 10.0.0.1 10.0.0.3 2.
yes (),
.
10 11
,
icmp 10.0.0.1 10.0.0.4 3.
12 17
, FTP
10.0.0.1 10.0.0.5 4.
18
, .
, , , .
, , ,
.
( lsfilt);
. :
Rule 1:
   Source Address       : 0.0.0.0
   Source Mask          : 0.0.0.0
   Destination Address  : 0.0.0.0
   Destination Mask     : 0.0.0.0
   Source Port          : eq 4001
   Destination Port     : eq 4001
   Tunnel ID number     : 0

, , :
-v  IP version of the rule: 4 or 6.
-a  Action: d (deny) or p (permit).
-s  Source address: an IP address or a host name.
-m  Source subnet mask.
-d  Destination address: an IP address or a host name.
-M  Destination subnet mask.
-g  Source routing control: y (yes) or n (no).
-c  Protocol: udp, icmp, tcp, tcp/ack, ospf, pip, esp, ah or all.
-o  Source port or ICMP type operator.
-p  Source port or ICMP type value.
-O  Destination port or ICMP code operator.
-P  Destination port or ICMP code value.
-r  Routing: r (forwarded packets), l (local packets) or b (both).
-l  Logging: y (yes) or n (no).
-f  Fragment control: y (all packets), n (unfragmented packets only), o (fragments only) or h (fragment headers and unfragmented packets).
-t  Tunnel ID.
-i  Interface, for example tr0 or en0.

genfilt chfilt.
:
, IP- , .
:
v , IP4 IKE ( AIX 4.3.3 )
v AH ESP.
, .
,
. .
IKE ,
IKE. IKE ,
, . IKE
, .
, .
.
, IP-
. ,
ICMP.
1 permit 10.0.0.1 255.255.255.255 10.0.0.4 255.255.255.255 no icmp any 8 any 0 local outbound no all packets 3 all
2 permit 10.0.0.4 255.255.255.255 10.0.0.1 255.255.255.255 no icmp any 0 any 0 local inbound no all packets 3 all
3 permit 10.0.0.4 255.255.255.255 10.0.0.1 255.255.255.255 no icmp any 8 any 0 local inbound no all packets 3 all
4 permit 10.0.0.1 255.255.255.255 10.0.0.4 255.255.255.255 no icmp any 0 any 0 local outbound no all packets 3 all

,
. , gentun -g.
genfilt TCP/IP
/usr/samples/ipsec/filter.sample.
:
.
,
ipsec_v4 ipsec_v6. ,
, .
: , ,
.
, IP-
.
IP 4, IP 6.
, . ,
.
- chfilt -l, ,
.
IKE
IP4. , .

. isakmpd,
IKE, ,
IKE, AH ESP.
:
,
.
.
, IP- 10.10.10.4 255.255.255.255
, IP-, :

IP address   00001010.00001010.00001010.00000100   10.10.10.4
Mask         11111111.11111111.11111111.11111111   255.255.255.255

To match every address of the form 10.10.10.x, use the mask 11111111.11111111.11111111.00000000, that is 255.255.255.0.


,
. , 10.10.10.100
10.10.10.0, .
255.255.255.240 .
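The rule table earlier in this section and the mask discussion above describe how the filter matches a packet: rules are tried in rule-number order, addresses are compared only on the bits set in the mask, and the first matching rule decides. The following added example (not part of the AIX documentation or its tools) parses rule lines in the genfilt/lsfilt column layout and evaluates constructed packets against a subset of the sample table. The port operators neq, le and ge and the (0, 'deny', 0) result for "no rule matched" are assumptions of this example.

```python
"""Parse AIX IP Security filter rules in the genfilt/lsfilt column layout
used in this section and evaluate packets against them (first match wins).
Added example, not part of AIX or its tools; the rule lines are a subset of
the sample table in this section and the packets are constructed."""
from collections import namedtuple
import ipaddress

# One rule in the column order genfilt/lsfilt use: rule number, action, source
# address and mask, destination address and mask, source-routing control,
# protocol (udp, icmp, tcp, tcp/ack, ospf, pip, esp, ah or all), source port
# operator and value, destination port operator and value, scope (local,
# route, both), direction (inbound, outbound, both), logging, fragment
# control, tunnel ID (0 = none) and interface.
Rule = namedtuple("Rule", "number action src smask dst dmask srcroute proto "
                          "sp_op sp dp_op dp scope direction logging fragment tunnel iface")
# sport/dport double as ICMP type/code; ack is the TCP ACK flag (tcp/ack keyword).
Packet = namedtuple("Packet", "src dst proto sport dport direction ack", defaults=[False])


def parse_rule(line: str) -> Rule:
    t = line.split()
    if len(t) < 15:
        raise ValueError(f"short rule line: {line!r}")
    rest = t[15:]      # fragment control, then optional tunnel ID and interface
    if len(rest) >= 2 and rest[-2].isdigit():
        frag, tunnel, iface = " ".join(rest[:-2]), int(rest[-2]), rest[-1]
    elif rest and rest[-1].isdigit():
        frag, tunnel, iface = " ".join(rest[:-1]), int(rest[-1]), "all"
    else:
        frag, tunnel, iface = " ".join(rest) or "all packets", 0, "all"
    return Rule(int(t[0]), t[1], t[2], t[3], t[4], t[5], t[6], t[7],
                t[8], int(t[9]), t[10], int(t[11]), t[12], t[13], t[14],
                frag, tunnel, iface)


def in_subnet(addr: str, net: str, mask: str) -> bool:
    """Mask comparison as the filter does it: only bits set in the mask count."""
    a, n, m = (int(ipaddress.IPv4Address(x)) for x in (addr, net, mask))
    return a & m == n & m


_OPS = {"any": lambda v, x: True, "eq": lambda v, x: v == x,
        "neq": lambda v, x: v != x, "lt": lambda v, x: v < x,
        "le": lambda v, x: v <= x, "gt": lambda v, x: v > x,
        "ge": lambda v, x: v >= x}


def rule_matches(r: Rule, p: Packet) -> bool:
    if r.direction not in ("both", p.direction):
        return False
    if not (in_subnet(p.src, r.src, r.smask) and in_subnet(p.dst, r.dst, r.dmask)):
        return False
    if r.proto == "tcp/ack":            # only TCP segments with ACK set
        if p.proto != "tcp" or not p.ack:
            return False
    elif r.proto not in ("all", p.proto):
        return False
    return _OPS[r.sp_op](p.sport, r.sp) and _OPS[r.dp_op](p.dport, r.dp)


def evaluate(rules, p: Packet):
    """First matching rule in rule-number order, or None when nothing matches."""
    for r in sorted(rules, key=lambda r: r.number):
        if rule_matches(r, p):
            return r
    return None


def decide(rules, p: Packet):
    """(rule number, action, tunnel) for the packet; (0, 'deny', 0) if no rule matches."""
    r = evaluate(rules, p)
    return (r.number, r.action, r.tunnel) if r else (0, "deny", 0)


# Constructed subset of the sample table; rule 18 is the catch-all.
RULE_TABLE = """\
1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all packets 0 all
2 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no ah any 0 any 0 both both no all packets 0 all
3 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no esp any 0 any 0 both both no all packets 0 all
4 permit 10.0.0.1 255.255.255.255 10.0.0.2 255.255.255.255 no all any 0 any 0 both outbound no all packets 1 all
5 permit 10.0.0.2 255.255.255.255 10.0.0.1 255.255.255.255 no all any 0 any 0 both inbound no all packets 1 all
6 permit 10.0.0.1 255.255.255.255 10.0.0.3 255.255.255.255 no tcp lt 1024 eq 514 local outbound yes all packets 2 all
7 permit 10.0.0.3 255.255.255.255 10.0.0.1 255.255.255.255 no tcp/ack eq 514 lt 1024 local inbound yes all packets 2 all
18 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no all any 0 any 0 both both yes all packets
"""
RULES = [parse_rule(line) for line in RULE_TABLE.splitlines()]

if __name__ == "__main__":
    print(decide(RULES, Packet("10.0.0.3", "10.0.0.1", "tcp", 514, 1023, "inbound", ack=True)))
```

Removing rule 18 from the list shows why the catch-all matters: a packet that matches nothing falls through to the deny result, which is how the stack behaves once mkfilt -d is in effect.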
--:


-- ,

, .
,
. UDP, AH ESP
.
. SPI ,
, .
--. A

14. --

Internet. B C.


, , syslogd. ,
IP.
, .
.
1. /etc/syslog.conf :
local4.debug var/adm/ipsec.log

IP local4.
. IP ,
debug.
:
.
2. /etc/syslog.conf.
3. , , .
/var/adm :
touch ipsec.log

4. refresh syslogd:
refresh -s syslogd

5. IKE isakmpd
/etc/isakmpd.conf. ( IKE
IP . 223.)
6. , ,
, -l Y (Yes)
genfilt chfilt.
7. ipsec_logd :
mkfilt -g start

:
mkfilt -g stop

, IP:
1. Aug 27 08:08:40 host1 : Filter logging daemon ipsec_logd (level 2.20) initialized at 08:08:40 on 08/27/97
2. Aug 27 08:08:46 host1 : mkfilt: Status of packet logging set to Start
at 08:08:46 on 08/27/97
3. Aug 27 08:08:47 host1 : mktun: Manual tunnel 2 for IPv4, 9.3.97.244, 9.3.97.130
activated.
4. Aug 27 08:08:47 host1 : mkfilt: #:1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
udp eq 4001 eq 4001 both both l=n f=y t=0 e= a=
5. Aug 27 08:08:47 host1 : mkfilt: #:2 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
ah any 0 any 0 both both l=n f=y t=0 e= a=
6. Aug 27 08:08:47 host1 : mkfilt: #:3 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
esp any 0 any 0 both both l=n f=y t=0 e= a=
7. Aug 27 08:08:47 host1 : mkfilt: #:4 permit 10.0.0.1 255.255.255.255 10.0.0.2
255.255.255.255 icmp any 0 any 0 local outbound l=y f=y t=1 e= a=
8. Aug 27 08:08:47 host1 : mkfilt: #:5 permit 10.0.0.2 255.255.255.255 10.0.0.1
255.255.255.255 icmp any 0 any 0 local inbound l=y f=y t=1 e= a=
9. Aug 27 08:08:47 host1 : mkfilt: #:6 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
all any 0 any 0 both both l=y f=y t=0 e= a=
10. Aug 27 08:08:47 host1 : mkfilt: Filter support (level 1.00) initialized at
08:08:47 on 08/27/97
11. Aug 27 08:08:48 host1 : #:6 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.20 p:udp
sp:3327 dp:53 r:l a:n f:n T:0 e:n l:67
12. Aug 27 08:08:48 host1 : #:6 R:p i:10.0.0.1 s:10.0.0.20 d:10.0.0.1 p:udp
sp:53 dp:3327 r:l a:n f:n T:0 e:n l:133
13. Aug 27 08:08:48 host1 : #:6 R:p i:10.0.0.1 s:10.0.0.15 d:10.0.0.1 p:tcp
sp:4649 dp:23 r:l a:n f:n T:0 e:n l:43
14. Aug 27 08:08:48 host1 : #:6 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.15 p:tcp
sp:23 dp:4649 r:l a:n f:n T:0 e:n l:41
15. Aug 27 08:08:48 host1 : #:6 R:p i:10.0.0.1 s:10.0.0.15 d:10.0.0.1 p:tcp
sp:4649 dp:23 r:l a:n f:n T:0 e:n l:40
16. Aug 27 08:08:51 host1 : #:4 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.2 p:icmp
t:8 c:0 r:l a:n f:n T:1 e:n l:84
17. Aug 27 08:08:51 host1 : #:5 R:p i:10.0.0.1 s:10.0.0.2 d:10.0.0.1 p:icmp
t:0 c:0 r:l a:n f:n T:1 e:n l:84
18. Aug 27 08:08:52 host1 : #:4 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.2 p:icmp
t:8 c:0 r:l a:n f:n T:1 e:n l:84
19. Aug 27 08:08:52 host1 : #:5 R:p i:10.0.0.1 s:10.0.0.2 d:10.0.0.1 p:icmp
t:0 c:0 r:l a:n f:n T:1 e:n l:84
20. Aug 27 08:32:27 host1 : Filter logging daemon terminating at 08:32:27 on 08/27/97

.
1

mkfilt -g start.

, .

4-9

. .

10

11-12

DNS.

13-15

, Telnet ( ).

16-19

ping.

20


. ( isakmpd isakmp_events.)
1. Dec 6 14:34:42 host1 Tunnel Manager: 0: TM is processing a
Connection_request_msg
2. Dec 6 14:34:42 host1 Tunnel Manager: 1: Creating new P1 tunnel object (tid)
3. Dec 6 14:34:42 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( SA PROPOSAL TRANSFORM )
4. Dec 6 14:34:42 host1 isakmpd: ::ffff:192.168.100.103 <<< 192.168.100.104 ( SA
PROPOSAL TRANSFORM )
5. Dec 6 14:34:42 host1 isakmpd: Phase I SA Negotiated
6. Dec 6 14:34:42 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( KE NONCE )
7. Dec 6 14:34:42 host1 isakmpd: ::ffff:192.168.100.103 <<< 192.168.100.104 ( KE
NONCE )
8. Dec 6 14:34:42 host1 isakmpd: Encrypting the following msg to send: ( ID HASH
)
9. Dec 6 14:34:42 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( Encrypted
Payloads )
10. Dec 6 14:34:42 host1 isakmpd: ::ffff:192.168.100.103 <<< 192.168.100.104 (
Encrypted Payloads )
11. Dec 6 14:34:42 host1 Tunnel Manager: 1: TM is processing a P1_sa_created_msg
(tid)
12. Dec 6 14:34:42 host1 Tunnel Manager: 1:
Received good P1 SA, updating P1
tunnel (tid)
13. Dec 6 14:34:42 host1 Tunnel Manager: 0: Checking to see if any P2 tunnels need
to start
14. Dec 6 14:34:42 host1 isakmpd: Decrypted the following received msg: ( ID HASH
)
15. Dec 6 14:34:42 host1 isakmpd: Phase I Done !!!
16. Dec 6 14:34:42 host1 isakmpd: Phase I negotiation authenticated
17. Dec 6 14:34:44 host1 Tunnel Manager: 0: TM is processing a
Connection_request_msg
18. Dec 6 14:34:44 host1 Tunnel Manager: 0: Received a connection object for an
active P1 tunnel
19. Dec 6 14:34:44 host1 Tunnel Manager: 1: Created blank P2 tunnel (tid)
20. Dec 6 14:34:44 host1 Tunnel Manager: 0: Checking to see if any P2 tunnels need
to start
21. Dec 6 14:34:44 host1 Tunnel Manager: 1: Starting negotiations for P2 (P2 tid)
22. Dec 6 14:34:45 host1 isakmpd: Encrypting the following msg to send: ( HASH SA
PROPOSAL TRANSFORM NONCE ID ID )
23. Dec 6 14:34:45 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( Encrypted
Payloads )
24. Dec 6 14:34:45 host1 isakmpd: ::ffff:192.168.100.103 <<< 192.168.100.104 (
Encrypted Payloads )
25. Dec 6 14:34:45 host1 isakmpd: Decrypted the following received msg: ( HASH SA
PROPOSAL TRANSFORM NONCE ID ID )
26. Dec 6 14:34:45 host1 isakmpd: Encrypting the following msg to send: ( HASH )
27. Dec 6 14:34:45 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( Encrypted
Payloads )
28. Dec 6 14:34:45 host1 isakmpd: Phase II SA Negotiated
29. Dec 6 14:34:45 host1 isakmpd: PhaseII negotiation complete.
30. Dec 6 14:34:45 host1 Tunnel Manager: 0: TM is processing a P2_sa_created_msg
31. Dec 6 14:34:45 host1 Tunnel Manager: 1: received p2_sa_created for an existing
tunnel as initiator (tid)
32. Dec 6 14:34:45 host1 Tunnel Manager: 1: Filter::AddFilterRules: Created filter
rules for tunnel
33. Dec 6 14:34:45 host1 Tunnel Manager: 0: TM is processing a List_tunnels_msg

.
1-2

ike cmd=activate phase=1 .

3-10

isakmpd .

11-12

1 .

13

, ike cmd=activate 2 (
). .

14-16

isakmpd .

17-21

ike cmd=activate phase=2 .

22-29

isakmpd .

30-31

2 .

32

33

ike cmd=list.

:
DASD
.
#
R

, .

p

i/o

. IP- , :
v (i) - , .

s
d
p
sp/t
dp/c
r

l
f
T
i

v (o) - , IP .
IP- ( IP).
IP- ( IP).
, .
, : udp, icmp, tcp, tcp/ack, ospf, pip, esp, ah all.
( TCP/UDP). ICMP OSPF
t, IP.
( TCP/UDP). ICMP
c, IP.
, .
, .
f

b
,
.
, .
.
, .
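The packet records that ipsec_logd writes (lines 11 to 19 of the sample log above, with the field key just given) are what an operator greps when a tunnel misbehaves or an unexpected source is probing the host. The following added example, not part of AIX, parses those records and summarises them per rule and per denied source. The permit records are taken from the sample log; the deny records, the hosts 203.0.113.7 and 198.51.100.3 and the deny rule number 19 are constructed for the example. Only the fields whose meaning the text gives are interpreted (#, R, i/o, s, d, p, sp/t, dp/c, T, l); the rest are carried through untouched.

```python
"""Parse ipsec_logd packet records from the local4 syslog facility configured
in this section and summarise them per rule and per denied source.
Added example, not part of AIX. Permit records come from the sample log in
this section; the deny records, the external hosts and rule 19 are constructed."""
import re
from collections import Counter

# "Mon dd hh:mm:ss host : #:<rule> R:<p|d> <i|o>:<iface addr> s:<src> d:<dst> p:<proto> ..."
PACKET_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) : (?P<body>#:\d+ R:[pd] .*)$")


def parse_packet_line(line: str):
    """Return a dict for a packet record, or None for daemon/status lines."""
    m = PACKET_RE.match(line.strip())
    if not m:
        return None
    kv = dict(tok.partition(":")[::2] for tok in m["body"].split())
    rec = {
        "ts": m["ts"], "host": m["host"],
        "rule": int(kv["#"]),                         # filter rule number that matched
        "action": {"p": "permit", "d": "deny"}[kv["R"]],
        "src": kv["s"], "dst": kv["d"], "proto": kv["p"],
        "tunnel": int(kv.get("T", 0)),                # 0 = not associated with a tunnel
        "length": int(kv.get("l", 0)),
        "raw": kv,                                    # a:, e:, f:, r: kept as logged
    }
    # i:/o: gives the direction and the address of the interface involved.
    if "i" in kv:
        rec["direction"], rec["iface"] = "inbound", kv["i"]
    else:
        rec["direction"], rec["iface"] = "outbound", kv["o"]
    if rec["proto"] == "icmp":                        # t:/c: are ICMP type and code
        rec["icmp_type"], rec["icmp_code"] = int(kv["t"]), int(kv["c"])
    else:                                             # sp:/dp: are TCP/UDP ports
        rec["sport"], rec["dport"] = int(kv.get("sp", 0)), int(kv.get("dp", 0))
    return rec


def summarize(lines):
    recs = [r for r in map(parse_packet_line, lines) if r]
    return {
        "packets": len(recs),
        "per_rule": Counter(r["rule"] for r in recs),
        "denied": [(r["src"], r["dst"], r["proto"], r.get("dport", r.get("icmp_type")))
                   for r in recs if r["action"] == "deny"],
        "tunnelled": sum(1 for r in recs if r["tunnel"]),
    }


def noisy_denied_sources(lines, threshold=3):
    """Sources with at least `threshold` denied packets, busiest first."""
    hits = Counter(r["src"] for r in map(parse_packet_line, lines)
                   if r and r["action"] == "deny")
    return [(src, n) for src, n in hits.most_common() if n >= threshold]


SAMPLE_LOG = """\
Aug 27 08:08:46 host1 : mkfilt: Status of packet logging set to Start at 08:08:46 on 08/27/97
Aug 27 08:08:48 host1 : #:6 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.20 p:udp sp:3327 dp:53 r:l a:n f:n T:0 e:n l:67
Aug 27 08:08:48 host1 : #:6 R:p i:10.0.0.1 s:10.0.0.20 d:10.0.0.1 p:udp sp:53 dp:3327 r:l a:n f:n T:0 e:n l:133
Aug 27 08:08:48 host1 : #:6 R:p i:10.0.0.1 s:10.0.0.15 d:10.0.0.1 p:tcp sp:4649 dp:23 r:l a:n f:n T:0 e:n l:43
Aug 27 08:08:51 host1 : #:4 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.2 p:icmp t:8 c:0 r:l a:n f:n T:1 e:n l:84
Aug 27 08:08:51 host1 : #:5 R:p i:10.0.0.1 s:10.0.0.2 d:10.0.0.1 p:icmp t:0 c:0 r:l a:n f:n T:1 e:n l:84
Aug 27 08:09:02 host1 : #:19 R:d i:10.0.0.1 s:203.0.113.7 d:10.0.0.1 p:tcp sp:40111 dp:22 r:l a:n f:n T:0 e:n l:60
Aug 27 08:09:02 host1 : #:19 R:d i:10.0.0.1 s:203.0.113.7 d:10.0.0.1 p:tcp sp:40112 dp:23 r:l a:n f:n T:0 e:n l:60
Aug 27 08:09:03 host1 : #:19 R:d i:10.0.0.1 s:203.0.113.7 d:10.0.0.1 p:tcp sp:40113 dp:445 r:l a:n f:n T:0 e:n l:60
Aug 27 08:09:03 host1 : #:19 R:d i:10.0.0.1 s:203.0.113.7 d:10.0.0.1 p:tcp sp:40114 dp:514 r:l a:n f:n T:0 e:n l:60
Aug 27 08:09:10 host1 : #:19 R:d i:10.0.0.1 s:198.51.100.3 d:10.0.0.1 p:icmp t:8 c:0 r:l a:n f:n T:0 e:n l:84
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(noisy_denied_sources(SAMPLE_LOG))
```

Feed it the real file with `summarize(open("/var/adm/ipsec.log").read().splitlines())`; records from mkfilt, mktun and the daemon itself are skipped because they do not start with `#:`.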

Internet-:
Internet- SYSLOG
isakmpd.
isakmpd ike cmd=log.
/etc/isakmpd.conf log_level.
, ,
: none (), errors (), isakmp_events ( isakmp) information ().
, ,
:
log_level=INFORMATION

: AIX 5.1 , isakmpd .


/etc/isakmpd.conf.
isakmpd : , .
, .


, , isakmpd
. , , tmd
SYSLOG. , , SYSLOG.
, /etc/syslog.conf.
SYSLOG , , ,
. googly isakmpd:
Nov 20 09:53:50 googly isakmpd: ISAKMP_MSG_HEADER
Nov 20 09:53:50 googly isakmpd: Icookie : 0xef06a77488f25315, Rcookie :0x0000000000000000
Nov 20 09:53:51 googly isakmpd: Next Payload : 1(SA), Maj Ver : 1, Min Ver : 0
Nov 20 09:53:51 googly isakmpd: Xchg Type : 2 (ID protected), Flag= 0, Encr : No,COMMIT : No
Nov 20 09:53:51 googly isakmpd: Msg ID : 0x00000000

grep
(, isakmpd), cut.
/etc/isakmpd.conf:
isakmpd /etc/isakmpd.conf.
/etc/isakmpd.conf .

, . .
IKE .
: none | error | isakmp_events | information
:
none

. .

error

(API).

isakmp_events
IKE. .
information
.
IP-
YES NO. YES
IKE IP- 1. YES,
. IP-
IP-, .
NO.
IKE IP-
1. ,
. IP-
.
, NO.
: MAIN_MODE_REQUIRES_IP= YES | NO
SOCKS4
SOCKS4_PORTNUM . ,
SOCKS 1080. SOCKS HTTP.
: = ,
:
SOCKS4_SERVER= -

SOCKS4_PORTNUM= SOCKS
SOCKS4_USERID=
LDAP
: = ,
:
LDAP_SERVER= LDAP
LDAP_VERSION= LDAP (2 3)
LDAP_SERVERPORT= LDAP
LDAP_SEARCHTIME= -
CRL
HTTP LDAP, .
CRL_FETCH_ORDER . , - HTTP,
LDAP, HTTP, LDAP.
: CRL_FETCH_ORDER= #, #,
# HTTP LDAP.
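The parameters just listed are the whole of what this section documents for /etc/isakmpd.conf: log_level, MAIN_MODE_REQUIRES_IP, the SOCKS4_* and LDAP_* settings, CRL_FETCH_ORDER, and (from the NAT section earlier) ENABLE_IPSEC_NAT_TRAVERSAL and NAT_KEEPALIVE_INTERVAL. Since isakmpd is only restarted to pick the file up, a typo in a value is easy to ship. The following added example, not part of AIX, parses a configuration and reports values outside the documented sets. It assumes that parameter names are matched case-insensitively (the page writes both log_level and upper-case names), that `#` starts a comment, and that ENABLE_IPSEC_NAT_TRAVERSAL may appear as a bare keyword or as KEY=value; both sample configurations are constructed.

```python
"""Parse /etc/isakmpd.conf and check the parameters documented in this
section for values isakmpd would not accept. Added example, not part of AIX.
Assumptions: keys are matched case-insensitively, '#' starts a comment, and
ENABLE_IPSEC_NAT_TRAVERSAL may be a bare keyword; the configurations below
are constructed samples."""

LOG_LEVELS = {"none", "error", "isakmp_events", "information"}
KNOWN = {"LOG_LEVEL", "MAIN_MODE_REQUIRES_IP", "SOCKS4_SERVER", "SOCKS4_PORTNUM",
         "SOCKS4_USERID", "LDAP_SERVER", "LDAP_VERSION", "LDAP_SERVERPORT",
         "LDAP_SEARCHTIME", "CRL_FETCH_ORDER", "ENABLE_IPSEC_NAT_TRAVERSAL",
         "NAT_KEEPALIVE_INTERVAL"}


def parse_isakmpd_conf(text: str) -> dict:
    """Return {KEY: value} with keys upper-cased; a bare keyword maps to ''."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def _positive_int(s: str) -> bool:
    return s.isdigit() and int(s) > 0


def check_isakmpd_conf(text: str) -> list:
    """Findings for the configuration; an empty list means nothing was flagged."""
    s = parse_isakmpd_conf(text)
    findings = [f"{k}: not a parameter this checker knows" for k in sorted(set(s) - KNOWN)]
    if "LOG_LEVEL" in s and s["LOG_LEVEL"].lower() not in LOG_LEVELS:
        findings.append(f"LOG_LEVEL={s['LOG_LEVEL']}: expected one of {sorted(LOG_LEVELS)}")
    if "MAIN_MODE_REQUIRES_IP" in s and s["MAIN_MODE_REQUIRES_IP"].upper() not in ("YES", "NO"):
        findings.append("MAIN_MODE_REQUIRES_IP: expected YES or NO")
    if "SOCKS4_PORTNUM" in s and not _positive_int(s["SOCKS4_PORTNUM"]):
        findings.append("SOCKS4_PORTNUM: expected a port number (1080 when omitted)")
    if "LDAP_VERSION" in s and s["LDAP_VERSION"] not in ("2", "3"):
        findings.append("LDAP_VERSION: expected 2 or 3")
    for key in ("LDAP_SERVERPORT", "LDAP_SEARCHTIME", "NAT_KEEPALIVE_INTERVAL"):
        if key in s and not _positive_int(s[key]):
            findings.append(f"{key}: expected a positive integer")
    if "CRL_FETCH_ORDER" in s:
        order = [t.strip().upper() for t in s["CRL_FETCH_ORDER"].split(",")]
        if (len(order) > 2 or len(set(order)) != len(order)
                or not set(order) <= {"HTTP", "LDAP"}):
            findings.append("CRL_FETCH_ORDER: expected HTTP, LDAP or both, once each")
    return findings


GOOD_CONF = """\
# constructed sample
log_level=isakmp_events
MAIN_MODE_REQUIRES_IP=NO
ENABLE_IPSEC_NAT_TRAVERSAL
NAT_KEEPALIVE_INTERVAL=20
LDAP_SERVER=ldap.example.com
LDAP_VERSION=3
LDAP_SERVERPORT=389
LDAP_SEARCHTIME=30
CRL_FETCH_ORDER=HTTP,LDAP
"""
BAD_CONF = """\
log_level=verbose
MAIN_MODE_REQUIRES_IP=maybe
LDAP_VERSION=4
CRL_FETCH_ORDER=HTTP,FTP
NAT_KEEPALIVE_INTERVAL=0
"""

if __name__ == "__main__":
    for f in check_isakmpd_conf(BAD_CONF):
        print(f)
```

Run it against the live file with `check_isakmpd_conf(open("/etc/isakmpd.conf").read())` before refreshing the daemon; a parameter it does not know is reported rather than silently accepted.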

IP
,
.
IPSec .
. (
. 218.)
:
.
:

mktun :
insert_tun_man4(): : .
: , , , SPI.

: rmtun , mktun . ,
SPI , .
SPI.
mktun :
ipsec_v4 .
IP 4 .
: IP .
: :
mkdev -l ipsec -t 4
IP 6, -t 6.
. IP
:
lsdev -Cc ipsec


gentun :
IP-.
: IP-.
: IP 4 , IP- 4 .
;
.

IP 6 , IP- . netstat -in


IP- 6, /usr/sbin/autoconf6 ()
( MAC) ifconfig.
gentun :
IP-.
: IP-.
: IP 4 , IP- 4 .
;
.

IP 6 , IP- . netstat -in


IP- 6, /usr/sbin/autoconf6 ()
( MAC) ifconfig.
mktun :
insert_tun_man4(): : .
: ESP AH,
.

: , . ,
HMAC_MD5 HMAC_SHA .
SMIT ips4_basic -z chtun. ,
DES_CBC_4 .
IP WSM (Web- ) .
: IP.
: ps -ef . IP
:
v tmd
v isakmpd
v cpsd
cpsd , (
gskit.rte gskkm.rte)
.

, IP WSM (Web- ).
.
IP :
bos.crypto.
: bos.net.ipsec.* , bos.crypto.*
.
: bos.crypto.* , bos.net.ipsec.*

Internet- (IKE):
, IKE.
IKE:

Internet- (IKE).
IKE ike VPN WSM (Web- );
:
12. , IKE.
tmd

isakmpd

IKE.

cpsd

Proxy .

IKE tmd isakmpd . IP


, .
WSM (Web- ).
isakmpd.
(, ),
. ,
, .
ike cmd=list. syslog debug,
event information, .
:
1. WSM (Web- ) ike.
2. tmd isakmpd
( ).
3. isakmpd SA .
4. tmd isakmpd
( ).
5. isakmpd SA .
6. .
7. .
, isakmpd tmd
.
3 7
tmd.
:
(SA) IKE.
,
.

/etc/isakmpd.conf. /etc/isakmpd.conf
:
information

IKE
IKE. SA Payload, Key Exchange Payload, Certificate Request Payload,
Certificate Payload Signature Payload. ,
ISAKMP_MSG_HEADER :


ISAKMP_MSG_HEADER
   Icookie : 0x9e539a6fd4540990, Rcookie : 0x0000000000000000
   Next Payload : 1(SA), Maj Ver : 1, Min Ver : 0
   Xchg Type : 4 (Aggressive), Flag= 0, Encr : No,COMMIT : No
   Msg ID : 0x00000000
   len : 0x10e(270)
SA Payload:
   Next Payload : 4(Key Exchange), Payload len : 0x34(52)
   DOI : 0x1(INTERNET)
   bitmask : 1(SIT_IDENTITY_ONLY)
   Proposal Payload:
      Next Payload : 0(NONE), Payload len : 0x28(40)
      Proposal # : 0x1(1), Protocol-ID : 1(ISAKMP)
      SPI size : 0x0(0), # of Trans : 0x1(1)
      Transform Payload:
         Next Payload : 0(NONE), Payload len : 0x20(32)
         Trans # : 0x1(1), Trans.ID : 1(KEY_IKE)
         Attr : 1(Encr.Alg ), len=0x2(2)
         Value=0x1(1),(DES-cbc)
         Attr : 2(Hash Alg ), len=0x2(2)
         Value=0x1(1),(MD5)
         Attr : 3(Auth Method ), len=0x2(2)
         Value=0x3(3),(RSA Signature)
         Attr : 4(Group Desc ), len=0x2(2)
         Value=0x1(1),(default 768-bit MODP group)
         Attr : 11(Life Type ), len=0x2(2)
         Value=0x1(1),(seconds)
         Attr : 12(Life Duration), len=0x2(2)
         Value=0x7080(28800)
Key Payload:
   Next Payload : 10(Nonce), Payload len : 0x64(100)
   Key Data :
   33 17 68 10 91 1f ea da 38 a0 22 2d 84 a3 5d 5d
   a0 e1 1f 42 c2 10 aa 8d 9d 14 0f 58 3e c4 ec a3
   9f 13 62 aa 27 d8 e5 52 8d 5c c3 cf d5 45 1a 79
   8a 59 97 1f 3b 1c 08 3e 2a 55 9b 3c 50 cc 82 2c
   d9 8b 39 d1 cb 39 c2 a4 05 8d 2d a1 98 74 7d 95
   ab d3 5a 39 7d 67 5b a6 2e 37 d3 07 e6 98 1a 6b
Nonce Payload:
   Next Payload : 5(ID), Payload len : 0xc(12)
   Nonce Data:
   6d 21 73 1d dc 60 49 93
ID Payload:
   Next Payload : 7(Cert.Req), Payload len : 0x49(73)
   ID type : 9(DER_DN), Protocol : 0, Port = 0x0(0)
Certificate Request Payload:
   Next Payload : 0(NONE), Payload len : 0x5(5)
   Certificate Encoding Type: 4(X.509 Certificate - Signature)

( Next Payload) .
IKE, Next Payload (None).
,
. , SA Payload Proposal Payload Transform Payload, ,
, , ,
, SA.
, SA Payload Proposal Payload
Transform Payload. Next Payload Proposal Payload 0,
Proposal Payload, 2,
Proposal Payload. , Next Payload Transform Payload 0,

Transform Payload, 3,
Transform Payload, :
ISAKMP_MSG_HEADER
   Icookie : 0xa764fab442b463c6, Rcookie : 0x0000000000000000
   Next Payload : 1(SA), Maj Ver : 1, Min Ver : 0
   Xchg Type : 2 (ID protected), Flag= 0, Encr : No,COMMIT : No
   Msg ID : 0x00000000
   len : 0x70(112)
SA Payload:
   Next Payload : 0(NONE), Payload len : 0x54(84)
   DOI : 0x1(INTERNET)
   bitmask : 1(SIT_IDENTITY_ONLY)
   Proposal Payload:
      Next Payload : 0(NONE), Payload len : 0x48(72)
      Proposal # : 0x1(1), Protocol-ID : 1(ISAKMP)
      SPI size : 0x0(0), # of Trans : 0x2(2)
      Transform Payload:
         Next Payload : 3(Transform), Payload len : 0x20(32)
         Trans # : 0x1(1), Trans.ID : 1(KEY_IKE)
         Attr : 1(Encr.Alg ), len=0x2(2)
         Value=0x5(5),(3DES-cbc)
         Attr : 2(Hash Alg ), len=0x2(2)
         Value=0x1(1),(MD5)
         Attr : 3(Auth Method ), len=0x2(2)
         Value=0x1(1),(Pre-shared Key)
         Attr : 4(Group Desc ), len=0x2(2)
         Value=0x1(1),(default 768-bit MODP group)
         Attr : 11(Life Type ), len=0x2(2)
         Value=0x1(1),(seconds)
         Attr : 12(Life Duration), len=0x2(2)
         Value=0x7080(28800)
      Transform Payload:
         Next Payload : 0(NONE), Payload len : 0x20(32)
         Trans # : 0x2(2), Trans.ID : 1(KEY_IKE)
         Attr : 1(Encr.Alg ), len=0x2(2)
         Value=0x1(1),(DES-cbc)
         Attr : 2(Hash Alg ), len=0x2(2)
         Value=0x1(1),(MD5)
         Attr : 3(Auth Method ), len=0x2(2)
         Value=0x1(1),(Pre-shared Key)
         Attr : 4(Group Desc ), len=0x2(2)
         Value=0x1(1),(default 768-bit MODP group)
         Attr : 11(Life Type ), len=0x2(2)
         Value=0x1(1),(seconds)
         Attr : 12(Life Duration), len=0x2(2)
         Value=0x7080(28800)
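The decoded message above is what isakmpd prints at the information log level; the text explains that the reader follows each Next Payload field (0 ends a chain, 2 announces another Proposal, 3 another Transform). The following added example, not part of AIX or isakmpd, rebuilds that exact message from the RFC 2408/2409 layouts (28-byte ISAKMP header, 4-byte generic payload header, TV-form attributes), parses it back by walking the chains with length checks, and flags transforms that offer DES-cbc, MD5 or the 768-bit MODP group, which is the check a reviewer of such a log would want. The byte string is constructed from the dump; no real peer was involved.

```python
"""Build and parse the ISAKMP main-mode SA message decoded above (one proposal,
two transforms), walking the Next Payload chains the text describes, and flag
weak transforms. Added example, not part of AIX or isakmpd; the bytes are
constructed from the decoded dump using the RFC 2408/2409 payload layouts."""
import struct

SA, PROPOSAL, TRANSFORM = 1, 2, 3             # ISAKMP payload type numbers
ID_PROTECTED, AGGRESSIVE = 2, 4               # exchange types (main / aggressive mode)
# Phase-1 attribute type -> {value: name} for values this section treats as weak.
WEAK = {1: {1: "DES-cbc"}, 2: {1: "MD5"}, 4: {1: "default 768-bit MODP group"}}


def attr_tv(attr_type: int, value: int) -> bytes:
    """Attribute in TV form (AF bit set, two-byte value), as in the dump."""
    return struct.pack("!HH", 0x8000 | attr_type, value)

def transform_payload(num: int, next_payload: int, attrs: list) -> bytes:
    body = struct.pack("!BBH", num, 1, 0) + b"".join(attrs)   # Trans.ID 1 = KEY_IKE
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def proposal_payload(transforms: list) -> bytes:
    body = struct.pack("!BBBB", 1, 1, 0, len(transforms)) + b"".join(transforms)
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body   # Proposal #1, ISAKMP, no SPI

def sa_payload(next_payload: int, proposals: bytes) -> bytes:
    body = struct.pack("!II", 1, 1) + proposals               # DOI INTERNET, SIT_IDENTITY_ONLY
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def isakmp_message(icookie: bytes, xchg: int, first: int, payloads: bytes) -> bytes:
    # version 1.0 (0x10), flags 0, message id 0 for phase 1, length covers everything
    return struct.pack("!8s8sBBBBII", icookie, bytes(8), first, 0x10, xchg, 0, 0,
                       28 + len(payloads)) + payloads

def build_sample_message() -> bytes:
    def ike_transform(num, nxt, encr):
        return transform_payload(num, nxt, [attr_tv(1, encr), attr_tv(2, 1), attr_tv(3, 1),
                                            attr_tv(4, 1), attr_tv(11, 1), attr_tv(12, 28800)])
    prop = proposal_payload([ike_transform(1, TRANSFORM, 5), ike_transform(2, 0, 1)])
    return isakmp_message(bytes.fromhex("a764fab442b463c6"), ID_PROTECTED, SA, sa_payload(0, prop))

def parse_attrs(buf: bytes) -> dict:
    attrs, off = {}, 0
    while off + 4 <= len(buf):
        t, v = struct.unpack("!HH", buf[off:off + 4])
        if t & 0x8000:                                        # TV: v is the value
            attrs[t & 0x7FFF], off = v, off + 4
        else:                                                 # TLV: v is the length
            attrs[t], off = int.from_bytes(buf[off + 4:off + 4 + v], "big"), off + 4 + v
    return attrs

def parse_chain(buf: bytes, more: int, header_fmt: str) -> list:
    """Walk a proposal chain (more=2) or transform chain (more=3): each payload's
    Next Payload is either `more` (another follows) or 0 (end of chain)."""
    hlen = struct.calcsize(header_fmt)
    items, off, nxt = [], 0, more
    while nxt == more:
        if off + 4 + hlen > len(buf):
            raise ValueError("truncated payload chain")
        nxt, _, plen = struct.unpack("!BBH", buf[off:off + 4])
        if plen < 4 + hlen or off + plen > len(buf) or nxt not in (0, more):
            raise ValueError(f"bad payload at offset {off}")
        fields = struct.unpack(header_fmt, buf[off + 4:off + 4 + hlen])
        items.append((fields, buf[off + 4 + hlen:off + plen]))
        off += plen
    return items

def parse_message(data: bytes) -> dict:
    ic, rc, nxt, ver, xchg, _flags, msgid, length = struct.unpack("!8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError(f"header length {length} does not match {len(data)} bytes")
    msg = {"icookie": ic.hex(), "rcookie": rc.hex(), "version": (ver >> 4, ver & 0xF),
           "xchg": xchg, "msg_id": msgid, "length": length, "payloads": []}
    off = 28
    while nxt:                                                # Next Payload 0 = NONE
        pnext, _, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        entry, body = {"type": nxt, "len": plen}, data[off + 4:off + plen]
        if nxt == SA:
            entry["doi"], entry["situation"] = struct.unpack("!II", body[:8])
            entry["proposals"] = []
            for (pnum, proto, spi_size, ntrans), pbody in parse_chain(body[8:], PROPOSAL, "!BBBB"):
                chain = parse_chain(pbody[spi_size:], TRANSFORM, "!BBH")
                trans = [{"num": tnum, "id": tid, "attrs": parse_attrs(tb)}
                         for (tnum, tid, _res), tb in chain]
                if len(trans) != ntrans:
                    raise ValueError("# of Trans does not match the transform chain")
                entry["proposals"].append({"num": pnum, "protocol": proto, "transforms": trans})
        msg["payloads"].append(entry)
        nxt, off = pnext, off + plen
    return msg

def weak_transforms(msg: dict) -> list:
    """(proposal #, transform #, reasons) for transforms offering DES, MD5 or MODP-768."""
    out = []
    for p in msg["payloads"]:
        for prop in p.get("proposals", []):
            for t in prop["transforms"]:
                reasons = [WEAK[a][t["attrs"][a]] for a in sorted(WEAK)
                           if t["attrs"].get(a) in WEAK[a]]
                if reasons:
                    out.append((prop["num"], t["num"], reasons))
    return out

if __name__ == "__main__":
    print(weak_transforms(parse_message(build_sample_message())))
```

The parser refuses a message whose header length disagrees with the byte count and a chain whose Next Payload is neither 0 nor the expected continuation value, so a truncated or spliced capture fails loudly instead of yielding a half-parsed proposal.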

IKE Parse Payload ( ),


, ..
Certificate Request Payload .
. Certificate Payload
Signature Payload, SA.
.
ISAKMP_MSG_HEADER
   Icookie : 0x9e539a6fd4540990, Rcookie : 0xc7e0a8d937a8f13e
   Next Payload : 6(Certificate), Maj Ver : 1, Min Ver : 0
   Xchg Type : 4 (Aggressive), Flag= 0, Encr : No,COMMIT : No
   Msg ID : 0x00000000
   len : 0x2cd(717)
Certificate Payload:
   Next Payload : 9(Signature), Payload len : 0x22d(557)
   Certificate Encoding Type: 4(X.509 Certificate - Signature)
   Certificate: (len 0x227(551) in bytes
   82 02 24 30 82 01 8d a0 03 02 01 02 02 05 05 8e
   fb 3e ce 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04
   05 00 30 5c 31 0b 30 09 06 03 55 04 06 13 02 46
   49 31 24 30 22 06 03 55 04 0a 13 1b 53 53 48 20
   43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 20 53
   65 63 75 72 69 74 79 31 11 30 0f 06 03 55 04 0b
   13 08 57 65 62 20 74 65 73 74 31 14 30 12 06 03
   55 04 03 13 0b 54 65 73 74 20 52 53 41 20 43 41
   30 1e 17 0d 39 39 30 39 32 31 30 30 30 30 30 30
   5a 17 0d 39 39 31 30 32 31 32 33 35 39 35 39 5a
   30 3f 31 0b 30 09 06 03 55 04 06 13 02 55 53 31
   10 30 0e 06 03 55 04 0a 13 07 49 42 4d 2f 41 49
   58 31 1e 30 1c 06 03 55 04 03 13 15 62 61 72 6e
   65 79 2e 61 75 73 74 69 6e 2e 69 62 6d 2e 63 6f
   6d 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01
   01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b2 ef
   48 16 86 04 7e ed ba 4c 14 d7 83 cb 18 40 0a 3f
   55 e9 ad 8f 0f be c5 b6 6d 19 ec de 9b f5 01 a6
   b9 dd 64 52 34 ad 3d cd 0d 8e 82 6a 85 a3 a8 1c
   37 e4 00 59 ce aa 62 24 b5 a2 ea 8d 82 a3 0c 6f
   b4 07 ad 8a 02 3b 19 92 51 88 fb 2c 44 29 da 72
   41 ef 35 72 79 d3 e9 67 02 b2 71 fa 1b 78 13 be
   f3 05 6d 10 4a c7 d5 fc fe f4 c0 b8 b8 fb 23 70
   a6 4e 16 5f d4 b1 9e 21 18 82 64 6d 17 3b 02 03
   01 00 01 a3 0f 30 0d 30 0b 06 03 55 1d 0f 04 04
   03 02 07 80 30 0d 06 09 2a 86 48 86 f7 0d 01 01
   04 05 00 03 81 81 00 75 a4 ee 9c 3a 18 f2 de 5d
   67 d4 1c e4 04 b4 e5 b8 5e 9f 56 e4 ea f0 76 4a
   d0 e4 ee 20 42 3f 20 19 d4 25 57 25 70 0a ea 41
   81 3b 0b 50 79 b5 fd 1e b6 0f bc 2f 3f 73 7d dd
   90 d4 08 17 85 d6 da e7 c5 a4 d6 9a 2e 8a e8 51
   7e 59 68 21 55 4c 96 4d 5a 70 7a 50 c1 68 b0 cf
   5f 1f 85 d0 12 a4 c2 d3 97 bf a5 42 59 37 be fe
   9e 75 23 84 19 14 28 ae c4 c0 63 22 89 47 b1 b6
   f4 c7 5d 79 9d ca d0
Signature Payload:
   Next Payload : 0(NONE), Payload len : 0x84(132)
   Signature: len 0x80(128) in bytes
   9d 1b 0d 90 be aa dc 43 95 ba 65 09 b9 00 6d 67
   b4 ca a2 85 0f 15 9e 3e 8d 5f e1 f0 43 98 69 d8
   5c b6 9c e2 a5 64 f4 ef 0b 31 c3 cb 48 7c d8 30
   e3 a2 87 f4 7c 9d 20 49 b2 39 00 fa 8e bf d9 b0
   7d b4 8c 4e 19 3a b8 70 90 88 2c cf 89 69 5d 07
   f0 5a 81 58 2e 15 40 37 b7 c8 d6 8c 5c e2 50 c3
   4d 19 7e e0 e7 c7 c2 93 42 89 46 6b 5f f8 8b 7d
   5b cb 07 ea 36 e5 82 9d 70 79 9a fe bd 6c 86 36

:
,
.

cpsd ( Proxy ). , :
Sep 21 16:02:00 ripple CPS[19950]: Init():LoadCaCerts() failed, rc=-12
: .
: , /etc/security .
: ikekey.crl, ikekey.kdb, ikekey.rdb ikekey.sth.

ikekey.sth, , .
IP . (
.)
:
Base64
: , .
: 'DER' .
, BEGIN CERTIFICATE END CERTIFICATE, .
-----BEGIN CERTIFICATE-----
MIICMTCCAZqgAwIBAgIFFKZtANowDQYJKoZIhvcNAQEFBQAwXDELMAkGA1UEBhMC...
-----END CERTIFICATE-----
v , .

v ASN.1, Internet, .
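The two loading failures just described (Base64 armor that is incomplete or not on its own lines, and data that is not DER) can be caught before the file is handed to certmgr. The following added example, not part of AIX or the gskit tools, classifies a file as PEM or DER, checks that the BEGIN/END CERTIFICATE armor is complete, that the body decodes as Base64, and that the decoded bytes form exactly one outer DER SEQUENCE whose encoded length matches the data. The sample blob is a constructed SEQUENCE, not a real certificate; a full X.509 parse is out of scope and the check only validates the outer framing.

```python
"""Check a certificate file before loading it into the key database: the PEM
armor must be complete, the body must be valid Base64, and the decoded (or raw
DER) bytes must form one well-formed outer SEQUENCE. Added example, not part of
AIX or gskit; the sample DER blob and the broken PEM variants are constructed."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_outer_length(buf: bytes):
    """Total length of the outer DER SEQUENCE (tag 0x30), or None if absent."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def check_certificate_file(data: bytes):
    """Return (format, problem); problem is None when the file looks loadable."""
    text = data.decode("ascii", "replace")
    m = PEM_RE.search(text)
    if m:
        fmt = "pem"
        try:
            der = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
        except ValueError:                 # binascii.Error is a ValueError
            return fmt, "body is not valid Base64"
    elif "BEGIN CERTIFICATE" in text or "END CERTIFICATE" in text:
        return "pem", "BEGIN CERTIFICATE / END CERTIFICATE armor is incomplete"
    else:
        fmt, der = "der", data
    total = der_outer_length(der)
    if total is None:
        return fmt, "data does not start with a DER SEQUENCE"
    if total != len(der):
        return fmt, f"DER SEQUENCE length {total} does not match {len(der)} bytes"
    return fmt, None


def pem_wrap(der: bytes, width: int = 64) -> str:
    """Armor DER bytes the way a CA hands them out (Base64, 64 columns)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed stand-in for a certificate: SEQUENCE { INTEGER 65537 }.
SAMPLE_DER = bytes.fromhex("30050203010001")

if __name__ == "__main__":
    print(check_certificate_file(pem_wrap(SAMPLE_DER).encode()))
    print(check_certificate_file(b"-----BEGIN CERTIFICATE----MAUCAwEAAQ==\n"))
```

Pass it `open(path, "rb").read()` for the file you are about to import; the problem string names which of the two conditions above failed.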
:
.
: .

: .
IKE WSM (Web- ) :
171 ( ):
PUT_IRL_FAILED
: , IKE
. ,
, . ,
X500,
.

: , .
IKE , :
inet_cert_service::channelOpen():clientInitIPC():error,rc =2
( )
: cpsd .
: IP WSM (Web- ).
.


IKE , :
CertRepo::GetCertObj:

DN:

("/C=US/O=IBM/CN=ripple.austin.ibm.com")

: IKE (DN) X.500, DN X.500,


.

: IKE WSM (Web- ) ,


.
IKE WSM (Web- )
.
: RSA.
: , RSA. ,
IKE IBM_low_CertSig.

:
.
, .
IP SMIT
IP. : , , ,
, , /, ,
.
. ,
.
. ,
. SMIT smit ips4_tracing (
IPv4) smit ips6_tracing ( IPv6).
ipsecstat:
ipsecstat ,
IP Security packets.
ipsecstat , , IP ,
,
.
IP.
IP:
ipsec_v4
ipsec_v6
:
HMAC_MD5 -- Hashed MAC MD5 Authentication Module
HMAC_SHA -- Hashed MAC SHA Hash Authentication Module
KEYED_MD5 -- Keyed MD5 Hash Authentication Module
:
CDMF -- CDMF Encryption Module
DES_CBC_4 -- DES CBC 4 Encryption Module
DES_CBC_8 -- DES CBC 8 Encryption Module
3DES_CBC -- Triple DES CBC Encryption Module
IP : 1106
AH: 326
ESP: 326
Srcrte: 0
: 844

AH: 527
ESP: 527
: 12
: 12
AH: 0
ESP: 0
AH: 0
ESP: 0
: 0
: 0
: 7
: 0
: 6

: AIX 4.3.2, CDMF ,


DES. , CDMF,
DES Triple DES.

IP
IP. ,
IKE.
:
.
ike cmd=activate    IKE (AIX 4.3.3 and later)
ike cmd=remove      IKE (AIX 4.3.3 and later)
ike cmd=list        IKE (AIX 4.3.3 and later)
ikedb               IKE (AIX 5.1 and later)
gentun
mktun
chtun
rmtun
lstun
exptun
imptun
genfilt
mkfilt
mvfilt
chfilt
rmfilt
lsfilt
expfilt
impfilt
ipsec_convert
ipsecstat           IP Security
ipsectrcbuf         IP Security
unloadipsec         IP Security

:
.


defipsec     Defines IP Security for IP version 4 or 6
cfgipsec     Configures ipsec_v4 or ipsec_v6
ucfgipsec    Unconfigures ipsec_v4 or ipsec_v6

IP:
IKE, AIX 4.3 AIX 5.2.
IKE:
AIX 4.3 :
1. bos.net.ipsec.keymgt.pre_rm.sh. /tmp
:
a. p2proposal.bos.net.ipsec.keymgt
b. p1proposal.bos.net.ipsec.keymgt
c. p1policy.bos.net.ipsec.keymgt
d. p2policy.bos.net.ipsec.keymgt
e. p1tunnel.bos.net.ipsec.keymgt
f. p2tunnel.bos.net.ipsec.keymgt
: .
.
,
bos.net.ipsec.keymgt.pre_rm.sh . 233.
2. , , /tmp/lpplevel - ,
, - .
:
.
IKE .
,
AIX 5.2:
1. ikedb -g, :
ikedb -g > out.keys

2. out.keys FORMAT=ASCII
FORMAT=HEX.
3. XML :
ikedb -pF out.keys

:
.
1. /tmp SMIT,
:
a. smitty ipsec4.
b. IP>
IP> IP.
c. /tmp.
d. F4 .

e. Enter, /tmp/ipsec_fltr_rule.exp
.
, AIX 4.3 AIX 5.2.
2. , , /tmp/lpplevel
/tmp/ipsec_fltr_rule.exp /tmp .
3. bos.net.ipsec.keymgt.post_i.sh
.
4.

ikedb -g, .
: , ,
*.loaded /tmp .

AIX 5.2 . lsfilt


:
ipv4

:
1. AIX 5.2 ipsec_filter ipsec_filter.vc /etc/security
. ,
IBM.
2. /tmp SMIT,
:
a. smitty ipsec4.
b. IP>
IP> IP.
c. /tmp.
d. F4 .
e. Enter.
SMIT lsfilt.
bos.net.ipsec.keymgt.pre_rm.sh:
bos.net.ipsec.keymgt.pre_rm.sh ,
AIX 4.3.
#!/usr/bin/ksh
keymgt_installed=`lslpp -Lqc bos.net.ipsec.keymgt 2>/dev/null | awk -F: '{print $6}' | head -1`
if [ ! "$keymgt_installed" ]
then
exit 0
fi
#
if [ -d /etc/ipsec/inet/DB ]
then
cp -R /etc/ipsec/inet/DB /etc/ipsec/inet/DB.sav || exit $?
fi
# Record the installed fileset level (V.R.M) for use by the post_i script.
VRM=$(LANG=C lslpp -Lqc bos.net.ipsec.keymgt 2>/dev/null | awk -F: '{print $3}' | \
awk -F. '{print $1"."$2"."$3}')
VR=${VRM%.*}
echo $VRM > /tmp/lpplevel
IKEDB=$(which ikedb) || IKEDB=/usr/sbin/ikedb


XMLFILE=/tmp/full_ike_database.bos.net.ipsec.keymgt
PSKXMLFILE=/tmp/psk_ike_database.bos.net.ipsec.keymgt
# Use ikedb to save the database when it is available.
if [ -f $IKEDB ]
then
   # Export the whole IKE database as XML. The post_i script restores it
   # with ikedb -p once the new fileset is installed, so an export failure
   # must not leave a partial file behind.
   $IKEDB -g > $XMLFILE


if [ $? -ne 0 ]
then
rm -f $XMLFILE || exit $?
fi
if [[ $VR = "5.1" ]]; then
   # On 5.1 the full ikedb -g export does not carry the pre-shared keys,
   # so save them separately; post_i loads this file after the main one.
$IKEDB -g -t IKEPresharedKey > $PSKXMLFILE
if [ $? -ne 0 ]
then
rm -f $PSKXMLFILE || exit $?
fi
fi
# Otherwise fall back to ikegui, the interface that predates ikedb.
elif [ -f /usr/sbin/ikegui ]
then
   # Dump each IKE table to its own file in /tmp; post_i reads them back.
/usr/sbin/ikegui 0 1 0 0 > /tmp/p1proposal.bos.net.ipsec.keymgt 2>/dev/null
RC=$?
if [[ $RC -ne 0 ]]
then
rm -f /tmp/p1proposal.bos.net.ipsec.keymgt || exit $?
fi
/usr/sbin/ikegui 0 1 1 0 > /tmp/p1policy.bos.net.ipsec.keymgt 2>/dev/null
RC=$?
if [[ $RC -ne 0 ]]
then
rm -f /tmp/p1policy.bos.net.ipsec.keymgt || exit $?
fi
/usr/sbin/ikegui 0 2 0 0 > /tmp/p2proposal.bos.net.ipsec.keymgt 2>/dev/null
RC=$?
if [[ $RC -ne 0 ]]
then
rm -f /tmp/p2proposal.bos.net.ipsec.keymgt || exit $?
fi
/usr/sbin/ikegui 0 2 1 0 > /tmp/p2policy.bos.net.ipsec.keymgt 2>/dev/null
RC=$?
if [[ $RC -ne 0 ]]
then
rm -f /tmp/p2policy.bos.net.ipsec.keymgt || exit $?
fi
/usr/sbin/ikegui 0 1 2 0 > /tmp/p1tunnel.bos.net.ipsec.keymgt 2>/dev/null
RC=$?
if [[ $RC -ne 0 ]]

then
rm -f /tmp/p1tunnel.bos.net.ipsec.keymgt || exit $?
fi
/usr/sbin/ikegui 0 2 2 0 > /tmp/p2tunnel.bos.net.ipsec.keymgt 2>/dev/null
RC=$?
if [[ $RC -ne 0 ]]
then
rm -f /tmp/p2tunnel.bos.net.ipsec.keymgt || exit $?
fi
fi

bos.net.ipsec.keymgt.post_i.sh:
bos.net.ipsec.keymgt.post_i.sh
AIX 5.2.
#!/usr/bin/ksh
# Appends to the generated command file an echo that prints a progress dot.
function PrintDot {
   echo "echo \c"
   echo "\".\c"
   echo "\\\c\c"
   echo "\"\c"
   echo
}
function P1PropRestore {
while :
do
read NAME
read MODE
if [[ $? = 0 ]]; then
echo "ikegui 1 1 0 $NAME $MODE \c"
MORE=1
while [[ $MORE = 1 ]];
do
read AUTH
read HASH
read ENCRYPT
read GROUP
read TIME
read SIZE
read MORE
echo "$AUTH $HASH $ENCRYPT $GROUP $TIME $SIZE $MORE \c"
done
echo " > /dev/null 2>&1"
PrintDot
else
return 0
fi
done
}
function P2PropRestore {
while :
do
read NAME
FIRST=yes
MORE=1
while [[ $MORE = 1 ]];
do
read PROT
if [[ $? = 0 ]]; then
read AH_AUTH
read ESP_ENCR


read ESP_AUTH
read ENCAP
read TIME
read SIZE
read MORE
if [[ $FIRST = "yes" ]]; then
echo "ikegui 1 2 0 $NAME $MODE \c"
fi
echo "$PROT $AH_AUTH $ESP_ENCR $ESP_AUTH \
$ENCAP $TIME $SIZE $MORE \c"
FIRST=no
else
return 0
fi
done
echo " > /dev/null 2>&1"
PrintDot
done
}
function P1PolRestore {
while :
do
read NAME
read ROLE
if [[ $? = 0 ]]; then
read TIME
read SIZE
read OVERLAP
read TTIME
read TSIZE
read MIN
read MAX
read PROPOSAL
echo "ikegui 1 1 1 $NAME $ROLE $OVERLAP $TTIME $TSIZE \
$MIN $MAX 1 0 0 $PROPOSAL > \
/dev/null 2>&1"
PrintDot
else
return 0
fi
done
}
function P2PolRestore {
while :
do
read NAME
read ROLE
if [[ $? = 0 ]]; then
read IPFS
read RPFS
read TIME
read SIZE
read OVERLAP
read TTIME
read TSIZE
read MIN
read MAX
echo "ikegui 1 2 1 $NAME $ROLE $IPFS $RPFS \
$OVERLAP $TTIME $TSIZE $MIN $MAX 1 0 0 \c"
MORE=1
while [[ $MORE = 1 ]];
do
read PROPOSAL
read MORE
echo "$PROPOSAL $MORE \c"

FIRST=no
done
else
return 0
fi
echo " > /dev/null 2>&1"
PrintDot
done
}
function P1TunRestore {
while :
do
read TUNID
read NAME
if [[ $? = 0 ]]; then
read LID_TYPE
read LID
if [[ $LPPLEVEL = "4.3.3" ]]; then
read LIP
fi
read RID_TYPE
read RID
read RIP
read POLICY
read KEY
read AUTOSTART
echo "ikegui 1 1 2 0 $NAME $LID_TYPE \"$LID\" \
$LIP $RID_TYPE \"$RID\" \
$RIP $POLICY $KEY $AUTOSTART > /dev/null 2>&1"
PrintDot
else
return 0
fi
done
}
function P2TunRestore {
while :
do
read TUNID
read NAME
if [[ $? = 0 ]]; then
read P1TUN
read LTYPE
read LID
read LMASK
read LPROT
read LPORT
read RTYPE
read RID
read RMASK
read RPROT
read RPORT
read POLICY
read AUTOSTART
echo "ikegui 1 2 2 0 $NAME $P1TUN $LTYPE $LID \
$LMASK $LPROT $LPORT $RTYPE \
$RID $RMASK $RPROT $RPORT $POLICY $AUTOSTART \
> /dev/null 2>&1"
PrintDot
else
return 0
fi
done
}


function allRestoreWithIkedb {
ERRORS=/tmp/ikedb_msgs.bos.net.ipsec.keymgt
echo > $ERRORS
$IKEDB -p $XMLFILE 2>> $ERRORS
if [ -f $PSKXMLFILE ]
then
$IKEDB -p $PSKXMLFILE 2>> $ERRORS
fi
}
P1PROPFILE=/tmp/p1proposal.bos.net.ipsec.keymgt
P2PROPFILE=/tmp/p2proposal.bos.net.ipsec.keymgt
P1POLFILE=/tmp/p1policy.bos.net.ipsec.keymgt
P2POLFILE=/tmp/p2policy.bos.net.ipsec.keymgt
P1TUNFILE=/tmp/p1tunnel.bos.net.ipsec.keymgt
P2TUNFILE=/tmp/p2tunnel.bos.net.ipsec.keymgt
XMLFILE=/tmp/full_ike_database.bos.net.ipsec.keymgt
PSKXMLFILE=/tmp/psk_ike_database.bos.net.ipsec.keymgt
CMD_FILE=/tmp/commands
IKEDB=$(which ikedb) || IKEDB=/usr/sbin/ikedb
echo "building ISAKMP database \n"
$IKEDB -x || exit $?
if [ -f $XMLFILE ]; then
echo "\nRestoring database entries\c"
allRestoreWithIkedb
echo "\ndone\n"
elif [ -f /tmp/*.bos.net.ipsec.keymgt ]; then
echo "\nRestoring database entries\c"
LPPLEVEL=`cat /tmp/lpplevel`
echo > $CMD_FILE
touch $P1PROPFILE; P1PropRestore < $P1PROPFILE >> $CMD_FILE
touch $P2PROPFILE; P2PropRestore < $P2PROPFILE >> $CMD_FILE
touch $P1POLFILE; P1PolRestore < $P1POLFILE >> $CMD_FILE
touch $P2POLFILE; P2PolRestore < $P2POLFILE >> $CMD_FILE
touch $P1TUNFILE; P1TunRestore < $P1TUNFILE >> $CMD_FILE
touch $P2TUNFILE; P2TunRestore < $P2TUNFILE >> $CMD_FILE
mv $P1PROPFILE ${P1PROPFILE}.loaded
mv $P2PROPFILE ${P2PROPFILE}.loaded
mv $P1POLFILE ${P1POLFILE}.loaded
mv $P2POLFILE ${P2POLFILE}.loaded
mv $P1TUNFILE ${P1TUNFILE}.loaded
mv $P2TUNFILE ${P2TUNFILE}.loaded
ksh $CMD_FILE
echo "done\n"
fi

NIS NIS+
NIS+ NIS+ namespace.
. ,
.


,
, , ,
. RPC .

:


.


.
Root
root root.
RPC
NIS+, 2 ( ),
NIS+ NIS+ (, , ,
, ..) NIS+ RPC.
RPC RPC.
, RPC .
, ,
. ( RPC .
Administering NIS+ Credentials
AIX 5L 5.3: (NIS NIS+).)
RPC
. ,
,
RPC.
NIS+.
NIS+, NIS,
RPC ,
NIS+ , ,
(.. ,
RPC).
, NIS+,
, , . (
RPC,
.
. 244.)
NIS+
Administering NIS+ Credentials AIX 5L 5.3:
(NIS NIS+).

, ,
, , ,
.
NIS+
NIS+ , ,
NIS+ .
NIS+.
NIS+ Administering
NIS+ Access Rights AIX 5L 5.3: (NIS NIS+).

NIS+
NIS+, , ,

.
NIS+
. NIS+ ,
.
NIS+ :

NIS+.
( ) NIS+ RPC
. ( , .
, - RPC
, NIS+
.
RPC. . Administering NIS+ Credentials AIX 5L
5.3: (NIS NIS+).)

.
NIS+ NIS+ (, ,
). NIS+ NIS+
NIS+ , , . ,
passwd,
,
.
, NIS+
, - ,
.
. (
. 244.)
, root A,
su ,
B, NIS+ NIS+ .
, NIS+
NIS+ , .
NIS+ root
, .
NIS+.

15. NIS+

1.
2.
3.
4.

/ NIS+ NIS+.
, .
.
.

5. , .
6. , ,
.
NIS+:
NIS+ - , NIS+.
NIS+ ,
root, , root NIS+.
, NIS+ .
, NIS+ , NIS+ NIS+.
NIS+ NIS+,
.
NIS+:
NIS+ . ,
.
NIS+ 2. 0
, .
.
: WSM (Web- ),
SMIT passwd .

NIS+

0 NIS+.
NIS+, 0, NIS+
NIS+ . 0
. 0
.

1 AUTH_SYS. NIS+
.

2 . ,
NIS+; ,
Data Encryption Standard (DES). DES
, .
DES .
DES ,
. ( , : ,
, ; ;
..)

NIS+
NIS+ , NIS+
NIS+.
NIS+ credential
RPC.
.
, , root ,
su ,
, NIS+ NIS+ .
: NIS+
NIS+ , . NIS+
root ,
.
NIS+.
( NIS+ . 244.)
:

, , :

NIS+ ,
NIS+ .

NIS+ root,
.
DES :
NIS+ DES .
DES:

Data Encryption Standard (DES) .


NIS+ NIS+,
DES.
: DES - .
DES NIS+.
NIS+ NIS+,
. DES
, NIS+.
Administering NIS+ Credentials AIX 5L
5.3: (NIS NIS+).
v NIS+ DES ,
.
v , .
,
DES. ( DES
.)
v DES cred ,
, .
:
- NIS+,
.
, ,
, DES.
DES .
, ,
. , NIS+
DES.
, DES
. .
.

16.

DES. .
.
.
cred
. ,

, NIS+
DES. , .
:
,
DES.
root NIS+ root ,
(UID) root . root (UID=0) A
B root,
root (UID=0) B.
; .

NIS+
NIS+ - NIS+
NIS+.
, NIS+, NIS+
. , ,
NIS+, . ,
.
: , , .
: , , .
:
NIS+ NIS+.
NIS+ :

, , .

NIS+ . , ,
NIS+. , ,
. ( ,
NIS+, .)
NIS+ . 245.

NIS+, . ( ,
, .)

, .
:

17.

. , , ,
, , , - .
NIS+,
.
. ,
, , ,
.
, , , , , - .
:
:
NIS+.
, NIS+,
( DES).
.
:
v (. Administering NIS+ Access Rights AIX
5L 5.3: (NIS NIS+)).
v (. Administering NIS+ Access Rights
AIX 5L 5.3: (NIS NIS+)).
,
, .
:
NIS+. ( , NIS+,
.)

, NIS+,
( DES)
.
NIS+ - NIS+,
. , NIS+,
. ( .)
, .
, .
NIS+ NIS+, groups_dir
NIS+. ( , NIS+ NIS+.
.)
NIS+ Administering NIS+ Groups AIX 5L 5.3:
(NIS NIS+).
:
NIS+, ,
, , DES.
, , .
:
, ,
DES.
NIS+:
NIS+ .
,
, - , - .
:

NIS+ NIS+: groups_dir org_dir.
groups_dir . org_dir - .

.
.

.
()
.
. , .
,
.
, .
NIS+:

NIS+ NIS+ ,
.
, NIS+
NIS+. ( niscat -o.)
NIS+,
: , , .
.


. , NIS+
. NIS+ .
NIS+ NIS+ ,
NIS+. , IP-
, NIS+ hosts,
. NIS+,
.
, -
. , NIS+,
. ,
. ,
, . ,
. ,
. ,
. , , , .
, .

NIS+
NIS+ NIS+.
, .. , , , ,
NIS+ .
NIS+ .
( ),
. ,
,
.
, .
.
NIS+. NIS+.

NIS+
, .
chkey

RPC . ,
, passwd.
chkey passwd /etc/passwd.

keylogin
keyserv.
keylogout
keyserv.
keyserv
keyserv, .
newkey
.
nisaddcred
NIS+.
nisupdkeys
.
passwd
.


(NFS) - ,
.
AIX 5.3.0, NFS, DES, Kerberos 5.
Kerberos 5 RPCSEC_GSS.
UNIX NFS
.
DES .
AIX 5L 5.2, NFS DES Kerberos 5.
Kerberos 5 RPCSEC_GSS.
Kerberos NFS NFS.


(NFS).
v , .
, .
, . ,
, Web- ,
, ,
Web-. (Security Alerts) IBM System p
, Web-: http://
www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd.
v NFS ,
.
, .
,
. SMIT
/etc/exports.
v NFS ,
. NFS , NFS
.
. ,
NFS, .

v .
,
, .
, .
v NFS root
. NFS
.

.
v NFS suid sgid .
.
,
, NFS .
, mknfsmnt -y.
v NFS. NFS ,
RPC, DES. RPC - , NFS
. NFS RPC
, RPC.
, , RPC
.
v NFS, . .
AIX 5.3 AIX 6.1, NFS Triple DES Single DES
AES Kerberos 5. Kerberos 5
AES NFS. AIX 5.3 NFS V4
:
v des-cbc-crc
v des-cbc-md4
v des-cbc-md5
v des3-cbc-sha1
v aes256-cts
:
v AIX 5L 5.1
NFS: http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/commadmn/
nfs_install.htm
NFS: http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/files/aixfiles/exports.htm
NFS: http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/commadmn/
nfs_secure.htm
mknfsmnt: http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/cmds/aixcmds3/mknfsmnt.htm
v AIX 5L 5.2
NFS: http://publib16.boulder.ibm.com/pseries/en_US/aixbman/commadmn/
nfs_install.htm
NFS: http://publib16.boulder.ibm.com/pseries/en_US/files/aixfiles/exports.htm
(NFS): http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/
secure_nfs.htm
mknfsmnt: http://publib16.boulder.ibm.com/pseries/en_US/cmds/aixcmds3/mknfsmnt.htm


NFS DES . DES
(RPC),
NFS.
.
RPC
.
UNIX. ,
secure.
NFS:
publickey.byname, .
DES .
keylogin
RPC. ,
yppasswd .
keyserv RPC, NIS NIS+.
, keyserv NIS+, AIX 5L 5.3:
(NIS NIS+). NIS, keyserv
:
v key_setsecret
v key_encryptsession
v key_decryptsession
key_setsecret ( SKA) .
keylogin. key_encryptsession
,
RPC.
( key_setsecret) .
key_decryptsession.
,
. DES,
. ,
root. root
setuid .
:
NFS , ,
.
:
v .
v DES.
:
,
timed. .

RPC
. .
RPC ,
.
DES:
DES
.
A B , ,
A B. :
KAB = PKB^SKA
K - , PK - , SK - . - 128 .
:
KAB = PKA^SKB
,
. 128 , DES
56- , DES 56
.
:
,
. (CK).
DES (.
) RPC.
.

18. . ,
.

A B. K(CK) , CK
DES K.
RPC (A), (CK) win (),
CK. ( 30 .)

(win + 1).

.
:
v A
v CK
v
v
,
.
, 1 CK.
, ,
, .
,
. RPC
, ,
1 CK.

DES
DES .
DES NIS+ AIX 5L 5.3:
(NIS NIS+).
- , .
, .
netid.byname NIS.
.
NIS Internet.
Internet (, com, edu, gov, mil).
, .
. , hal eng.xyz.com
unix.hal@eng.xyz.com.
, , .
NIS.
, -
.
, , NFS rlogin.

/etc/publickey
/etc/publickey , NIS NIS+
publickey.
publickey .
, ( ),
( ).
/etc/publickey nobody.
/etc/publickey ,
. /etc/publickey chkey
newkey.


- ,
. root , -
root.
root - , .
setuid . , setuid
- A, ,
A. setuid
root, .

NFS
NFS .
v . .
RPC .
, .
v RPC :
1. .
2. .
3. .
4. .
NFS ,
.


NFS.
v -secure
, /etc/hosts. DNS, ,
/etc/hosts. ,
,
/etc/hosts, publickey .
v .
. ,
-secure
-secure, nobody,
. , , NIS
NIS+, .
v NIS
chkey newkey,
.
v /etc/keystore /etc/.rootkey.
, ,
/etc/keystore /etc/.rootkey.
v , ppasswd
yppasswd.
.
v login keyserv publickey,
keylogin. keylogin profile ,
. keylogin
.

v root newkey -h chkey


keyserv keylogin. /etc/.rootkey,
keyserv .
v , yppasswdd ypupdated NIS.
publickey.
v , keyserv, , NFS.


NFS NIS
WSM (Web- ) .
NFS NIS+, AIX 5L 5.3:
(NIS NIS+).
1. NIS NIS /etc/publickey
newkey:
v :
smit newkey

newkey -u -

root :
newkey -h -

v , chkey newkey .
NIS publickey AIX 5L 5.3:
(NIS NIS+). publickey.byname NIS
NIS.
3. /etc/rc.nfs:

2.

#if [ -x /usr/sbin/keyserv ]; then


# startsrc -s keyserv
#fi
#if [ -x /usr/lib/netsvc/yp/rpc.ypupdated -a -d /etc/yp/`domainname` ]; then
# startsrc -s ypupdated
#fi
#DIR=/etc/passwd
#if [ -x /usr/lib/netsvc/yp/rpc.yppasswdd -a -f $DIR/passwd ]; then
# startsrc -s yppasswdd
#fi

4. keyserv, ypupdated yppasswdd startsrc.


NFS NIS keyserv
startsrc.

NFS
NFS WSM (Web-
) .
v NFS SMIT,
:
1. lssrc -g nfs , NFS. nfsd
rpc.mountd .
2. , publickey, keyserv.
.
3. smit mknfsexp.

4. , (,
, ). .
5. .
6. SMIT. /etc/exports , .
7. 3-6 , .
v NFS ,
:
1. /etc/exports .
2. , . ,
. .
.
/etc/exports, secure, /etc/exports.
3. /etc/exports .
4. NFS , :
/usr/sbin/exportfs -a

-a exportfs, NFS
/etc/exports.
v ( /etc/exports),
:
exportfs -i -o secure /

- . exportfs -i
/etc/exports ,
.

NFS
NFS .
NFS, :
1. , NFS, :
showmount -e

- NFS. ,
NFS . , , ,
.
2. mkdir.
NFS, , .
. , ,
.
3. , publickey, keyserv.
. 254.
4.
mount -o secure :/remote/directory /local/directory

- NFS, /remote/directory - NFS,


, /local/directory - NFS.
: NFS root.


,
.
, , , .
(EIM)
.
,
, EIM.


, ,

.

. ,
, .
, .

,
, ,
.
,
.
, .

. ,
.



, . ,
(LDAP) ,
. , , LDAP,
,
, .

,
, .
, ,

. , ,
, ,
.
, ,
. ,
,
.
, .

.
, ,
. :
v . ,
,
.
v ,
.
, .
v ,
. -
.
, ,
, .


EIM (,
) ,
. , EIM API,
.
, , ,
.

,
. , -
. , EIM
.

. , -
, - . ,
SAP SAP.
:
1. EIM, .
2. EIM, .
3.
EIM.
.
. EIM
- ( ,
). EIM - (..
),
. EIM .
EIM
. , EIM, - .
LDAP, ,
, ,
.
EIM Web-:

v http://publib.boulder.ibm.com/eserver/
v http://www.ibm.com/servers/eserver/security/eim/

Kerberos
Kerberos - ,
. Kerberos ,
, , .
Kerberos .
: .
. ,
, .
.
Kerberos.
Kerberos,
.
Kerberos (KDC). KDC
Kerberos.
Kerberos , , ,
, .
KDC , KDC.
Kerberos:
,
IBM Network Authentication Service developerWorks


.
: (DCE) 2.2, DCE
Kerberos 5.
: AIX 5.2, (rcmds)
Kerberos 5, (NAS) 1.3. DCE
ftp GSSAPI DCE libdce.a,
ftp GSSAPI NAS 1.3. NAS 1.3 -
Expansion Pack. krb5.client.rte.
: AIX 5.2 Kerberos 5 4,
krb5.client.rte.
: rlogin, rcp, rsh, telnet ftp.
AIX. ( , AIX 4.3
.) Kerberos 5
Kerberos 4.
Kerberos 5 DCE
Kerberos Kerberos 5. DCE
, TCP/IP,
. TCP/IP .
TCP/IP . DCE
, , ,

.
Kerberos, Kerberos 5 DCE.
Kerberos 5
TCP/IP. ,
Kerberos (TGT).
DCE, TCP/IP TGT DCE
k5dcecreds.
ftp ,
. GSSAPI
ftp ftpd. ftp
clear, safe private.
ftp
.
.
ftp .
:

. , .
libauthm.a, lsauthent chauthent,
get_auth_methods
set_auth_methods.
, .
:
v Kerberos 5 DCE.
v Kerberos 4, rlogin, rsh rcp.
SP . Kerberos 4
DCE.
v AIX, AIX 4.3 .

, .
.
AIX, .
AIX ,
.
- .

. , Kerberos 4 rlogin, rsh rcp,
, Kerberos 4,
telnet FTP.
Kerberos 5:
Kerberos 5
.

Kerberos 5 TCP/IP
TCP/IP. ,
( DCE ).
- , DCE
. DCE
libvaliduser.a,
, kvalid_user. ,
libvaliduser.a.
DCE:
DCE
, .
DCE :
host/__
ftp/__

--

:

, .
:
host/__@_
ftp/__@_

--

_
Kerberos 5
:
v get_auth_method set_auth_method AIX 5L 5.3:
, 2
v chauthent AIX 5L 5.3: , 1
v lsauthent AIX 5L 5.3: , 3

AIX Kerberos
AIX KRB5 KRB5A. ,
Kerberos, KRB5
Kerberos, KRB5A .
Kerberos KRB5 Kerberos
IBM. KRB5 AIX
, Kerberos,
Kerberos AIX -
. , AIX Kerberos
mkuser.

KRB5A . Kerberos
, . KRB5A ,
Kerberos AIX AIX
Kerberos. KRB5A Microsoft Windows
2000 Active Directory, Kerberos
API.
Kerberos
KRB5:
( IBM Kerberos) .
Kerberos 5 krb5.client.rte Kerberos
5 krb5.server.rte Kerberos 5
krb5
DCE Kerberos (, klist, kinit
kdestroy), Kerberos /usr/krb5/bin /usr/krb5/sbin.
PATH. Kerberos
.
krb5.doc..pdf|html,
.
Kerberos 5 KDC kadmin:
Kerberos 5 KDC kadmin.
: DCE Kerberos
. - ,
, DCE
Kerberos.
, DCE Kerberos. DCE Kerberos
.
: Kerberos 5 , ,
KDC .
300 ( ). Kerberos
- .
xntpd timed. timed
:
1. KDC , timed:
timed -M

2. Kerberos timed.
timed -t

Kerberos KDC kadmin mkkrb5srv. ,


Kerberos MYREALM sundial xyz.com
:
mkkrb5srv -r MYREALM -s sundial.xyz.com -d xyz.com -a admin/admin

, kadmind krb5kdc
/etc/inittab.
mkkrb5srv :

1. /etc/krb5/krb5.conf. , Kerberos
. /etc/krb5/krb5.conf
default_keytab_name, kdc admin_server.
2. /var/krb5/krb5kdc/kdc.conf. /var/krb5/krb5kdc/kdc.conf
kdc_ports, kadmin_port, max_life, max_renewable_life, master_key_type
supported_enctypes. , database_name,
admin_keytab, acl_file, dict_file key_stash_file.
3. /var/krb5/krb5kdc/kadm5.acl.
admin, root host.
4. admin. Kerberos,
Kerberos.
, .
. 263
. 263.
Kerberos 5:
Kerberos ,
Kerberos (TGT).
, , ,
Kerberos.
Kerberos mkkrb5clnt
:
mkkrb5clnt -c KDC -r -a -s -d -A -i -K -T

, KDC sundial.xyz.com MYREALM sundial.xyz.com


xyz.com files :
mkkrb5clnt -c sundial.xyz.com -r MYREALM -s sundial.xyz.com -d xyz.com -A -i files -K -T

:
1. /etc/krb5/krb5.conf. , Kerberos
. ,
default_keytab_name, kdc kadmin.
2. -i . ,
AIX.
Kerberos. Kerberos Kerberos.
3. -K Kerberos .
Kerberos .
4. -A Kerberos , root
Kerberos.
5. -T TGT.
DNS, KDC,
:
1. /etc/krb5/krb5.conf, [domain realm].
2. .
, abc.xyz.com MYREALM,
/etc/krb5/krb5.conf :
[domain realm]
.abc.xyz.com = MYREALM

:
mkkrb5srv :
v krb5.conf, kdc.conf kadm5.acl , mkkrb5srv
. , .

krb5.conf, kdc.conf kadm5.acl.
v ,
.
v
/var/krb5/krb5kdc/* .
v , kadmind krb5kdc.
ps. , .
mkkrb5clnt :
v krb5.conf /etc/krb5/krb5.conf.
v ( -i) /usr/lib/security/
methods.cfg.
:
mkkrb5srv :
v /etc/krb5/krb5.conf
v /var/krb5/krb5kdc/kadm5.acl
v /var/krb5/krb5kdc/kdc.conf
mkkrb5clnt :
v /etc/krb5/krb5.conf
mkkrb5clnt -i /usr/lib/security/methods.cfg:
KRB5:
program =
options =
KRB5files:
options =

:
.
mkkrb5srv:
# mkkrb5srv -r MYREALM -s sundial.xyz.com -d xyz.com -a admin/admin

:


---------------------------------------------------------------------------: /usr/lib/objrepos
krb5.server.rte
1.3.0.0 .

: /etc/objrepos
krb5.server.rte

1.3.0.0

-s .
.
...
/etc/krb5/krb5.conf...
/var/krb5/krb5kdc/kdc.conf...
...
'/var/krb5/krb5kdc/principal' 'MYREALM'
'K/M@MYREALM'
.
.
:
:
: admin/admin@MYREALM;
. ,
ACL.
"admin/admin@MYREALM":
"admin/admin@MYREALM":
"admin/admin@MYREALM" .
...
/var/krb5/krb5kdc/kadm5.acl...
krb5kdc...
krb5kdc .
kadmind...
kadmind .
.
kadmind krb5kdc

mkkrb5clnt:
mkkrb5clnt -r MYREALM -c sundial.xyz.com -s sundial.xyz.com \
-a admin/admin -d xyz.com -i files -K -T -A

:
...
/etc/krb5/krb5.conf...
.
admin/admin@MYREALM:

admin/admin .
: host/diana.xyz.com@MYREALM;
. ,
ACL.
"host/diana.xyz.com@MYREALM" .
.
admin/admin .
.
admin/admin .
"kadmin/admin@MYREALM" .
.
Kerberos
root Kerberos
admin/admin .
: root/diana.xyz.com@MYREALM;
. ,
ACL.
"root/diana.xyz.com@MYREALM":
"root/diana.xyz.com@MYREALM":
"root/diana.xyz.com@MYREALM" .
.
.

kadmind:

KRB5 , kadmind.
kadmind
methods.cfg kadmind.
: No False kadmind, Yes True -
( - Yes). No, kadmind
. , kadmind
(, ).
(, ),
Kerberos AIX, mkuser, chuser rmuser .
kadmind Yes. ,
kadmind. ,
.
kadmind ,
methods.cfg :
KRB5:
program = /usr/lib/security/KRB5
options = kadmind=no
KRB5files:
options = db=BUILTIN,auth=KRB5

kadmind , root .
, , , kadmind.
, Kerberos,
AIX, .
AIX (,
).
kadmind ( ), mkuser
:
3004-694 "krb5user": .

, kadmind no kadmind ,
Kerberos, , Kerberos.
. , lsuser
ALL.
, chuser AIX,
Kerberos . rmuser Kerberos,
passwd ,
Kerberos.
, kadmind, .
, ,
kadmind methods.cfg no.
kadmind , .
kadmind , kadmind=no, : login,
su, passwd, mkuser, chuser rmuser.
Kerberos
KRB5A:

KRB5A ,
, Kerberos.
,
AIX KDC.
krb5.client.rte Expansion Pack.
: KRB5A AIX 5.2 .
AIX Kerberos 5 Windows 2000:
Kerberos AIX config.krb5.
Kerberos. Kerberos
Windows 2000, config.krb5 :
-r
-d
-c
-s

= Windows 2000
= , Windows 2000
KDC = Windows 2000
= Windows 2000

1. config.krb5:
config.krb5 -C -r MYREALM -d xyz.com -c w2k.xyz.com -s w2k.xyz.com

2. Windows 2000 DES-CBC-MD5 DES-CBC-CRC. krb5.conf,


, :
[libdefaults]
default_realm = MYREALM
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5

3. methods.cfg:
KRB5A:
program = /usr/lib/security/KRB5A
options = authonly
KRB5Afiles:
options = db=BUILTIN,auth=KRB5A

4. Windows 2000 :
a.
AIX krbtest:
1) .
2) .
3) .
4) krbtest.
b. Ktpass keytab AIX.
, keytab krbtest.keytab :
Ktpass -princ host/krbtest.xyz.com@MYREALM -mapuser krbtest -pass password -out krbtest.keytab

c. keytab AIX.
d. keytab /etc/krb5/krb5.keytab :
$ ktutil
ktutil: rkt krbtest.keytab
ktutil: wkt /etc/krb5/krb5.keytab
ktutil: q

e. Active Directory
Windows 2000.

f. AIX, Windows 2000,


Kerberos. :
mkuser registry=KRB5Afiles SYSTEM=KRB5Afiles user0

KRB5A

KRB5A
.
: KRB5A AIX 5.2 .
v AIX Kerberos Active
Directory KDC?
Kerberos AIX config.krb5.
Kerberos. Kerberos
Windows 2000, config.krb5 :
-r

-d
, Active Directory.
-c KDC
Windows 2000
-s
Windows 2000
config.krb5:
config.krb5 -C -r MYREALM -d xyz.com -c w2k.xyz.com -s w2k.xyz.com

Windows 2000 DES-CBC-MD5 DES-CBC-CRC. krb5.conf,


, :
[libdefaults]
default_realm = MYREALM
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5

methods.cfg:
KRB5A:
program = /usr/lib/security/KRB5A
options = authonly
KRB5Afiles:
options = db=BUILTIN,auth=KRB5A

:
1. Active Directory AIX
krbtest.
.
.
.
krbtest.
2. Ktpass krbtest.keytab
AIX:
Ktpass -princ host/krbtest.xyz.com@MYREALM -mapuser krbtest -pass password \
-out krbtest.keytab

3. krbtest.keytab AIX.
4. krbtest.keytab /etc/krb5/krb5.keytab :
$ ktutil
ktutil: rkt krbtest.keytab
ktutil: wkt /etc/krb5/krb5.keytab
ktutil: q

5. Active Directory
Windows 2000.
6. AIX, Windows 2000,
Kerberos:
mkuser registry=KRB5Afiles SYSTEM=KRB5Afiles user0

v AIX Kerberos ?
Kerberos methods.cfg.
methods.cfg .
KRB5A. BUILTIN LDAP. BUILTIN
AIX ASCII. ,
BUILTIN AIX, methods.cfg
:
:
AIX

KRB5A:
program = /usr/lib/security/KRB5A
options=authonly
KRB5Afiles:
options = db=BUILTIN,auth=KRB5A
: AIX
LDAP
KRB5A:
program = /usr/lib/security/KRB5A
options=authonly
LDAP:
program = /usr/lib/security/LDAP
KRB5ALDAP:
options = auth=KRB5A,db=LDAP

v AIX
Kerberos KRB5A?
AIX
Kerberos KRB5A mkuser:
mkuser registry=KRB5Afiles SYSTEM=KRB5Afiles auth_domain=MYREALM foo

v Kerberos ?
Windows 2000 . ,
foo,
foo@MYREALM, foo.
.
v , Kerberos?
, Kerberos, passwd:
passwd -R KRB5Afiles foo

v , Kerberos?

, Kerberos, rmuser.
AIX. ,
.
rmuser -R KRB5Afiles foo

v AIX , Kerberos?
,
, Kerberos, chuser,
:
chuser registry=KRB5Afiles SYSTEM=KRB5Afiles auth_domain=MYREALM foo

, .
chuser. Active Directory
AIX. , auth_name
. ,
chris AIX Active Directory christopher
:
chuser registry=KRB5Afiles SYSTEM=KRB5Afiles auth_name=christopher auth_domain=MYREALM chris

v , ?
. AIX, root
Kerberos.
v auth_name auth_domain?
auth_name auth_domain AIX
Kerberos Active Directory. , AIX chris
auth_name=christopher auth_domain=SOMEREALM, Kerberos
christopher@SOMEREALM. SOMEREALM MYREALM.
, chris MYREALM, SOMEREALM.
.
v , Kerberos, AIX?
, . AIX ,
Kerberos, :
1. AIX (/etc/security/passwd) using the
passwd:
passwd -R files foo

2. SYSTEM :
chuser -R KRB5Afiles SYSTEM=compat foo.

Kerberos .
,
SYSTEM :
chuser -R KRB5Afiles SYSTEM="KRB5Afiles or compat" foo.

v Kerberos AIX
Windows 2000?
. Active Directory KDC,
KDC AIX . Kerberos ,
Kerberos AIX.
v , AIX ?
, AIX, Kerberos. ,
KDC.
v , ?
, :

, KDC .
- AIX :
ps -ef | grep krb5kdc

- Windows 2000 :
1. .
2. .
3. , Kerberos (KDC) .
AIX , /etc/krb5/krb5.conf KDC
.
AIX , keytab . , ,
keytab /etc/krb5/krb5.keytab. :
$ ktutil
ktutil: rkt /etc/krb5/krb5.keytab
ktutil: l
KVNO

------ ------ ------------------------------------------------------
     1      4 host/krbtest.xyz.com@MYREALM
ktutil: q

, auth_name auth_domain, ,
ADS KDC.
, SYSTEM Kerberos (
KRB5Afiles KRB5ALDAP).
, .
v TGT?
TGT host/-. , ,
Kerberos keytab, Windows
2000 Active Directory . .
TGT , KRB5A
/usr/lib/security/methods.cfg:
KRB5A:
program = /usr/lib/security/KRB5A
options = tgt_verify=no
KRB5Afiles:
options = db=BUILTIN,auth=KRB5A

tgt_verify: No False Yes True -


. TGT . tgt_verify
No, TGT , .
keytab , KRB5A.
v passwdexpired 0, kerberos
kerberos AIX?
passwdexpired 0,
AIX
kadmin.
allow_expired_pwd methods.cfg AIX
kerberos.
authenticate
passwdexpired.

Kerberos
Kerberos , NFS.
NFS Kerberos,
, gss.
Kerberos gss.
1.2, MIT Kerberos.
Kerberos: /usr/lib/drivers/krb5.ext.
gss.

RADIUS
RADIUS IBM , ,
. ,
(NAS), .
NAS RADIUS.
RADIUS , . ,
, RADIUS.
RADIUS
, . RADIUS ,
,
. RADIUS Proxy
RADIUS, .
RADIUS (UDP).
, RADIUS,
IETF RFC 2865. , , RFC 2866.
: RFC 2284 (EAP), RFC 2869 (),
RFC 2882, MD5-Challenge TLS. RFC
:
IETF RFC 2865
http://www.ietf.org/rfc/rfc2865.txt
RFC 2866
http://www.ietf.org/rfc/rfc2866.txt
RFC 2284
http://www.ietf.org/rfc/rfc2284.txt
RFC 2869
http://www.ietf.org/rfc/rfc2869.txt
RFC 2882
http://www.ietf.org/rfc/rfc2882.txt
RFC web- http://www.ietf.org.

RADIUS
RADIUS SMIT installp.
RADIUS AIX.
: radius.base bos.msg.<>.rte.

LDAP,
ldap.server. installp
RADIUS.
RADIUS SRC.
radiusd:
v
v
v
2.
, /etc/rc.d/rc2.d/Sradiusd.

RADIUS
RADIUS /etc/radius/radiusd.conf,
/etc/radius/authorization/default.policy
/etc/radius/authorization/default.auth radiusd
. SMIT .
RADIUS :
>stopsrc -s radiusd
>startsrc -s radiusd

RADIUS ,
, , .
. ,
, .
On-demand:
RADIUS.
. radiusd.conf
1812, - 1813.
IANA. radiusd.conf .
, .
Authentication_Ports Accounting_Ports radiusd.conf ,
radiusd. ,
.

RADIUS
RADIUS .
RADIUS.
root security. ,
, (SMIT) -
. , , .
radiusd.conf:
radiusd.conf RADIUS.
RADIUS radiusd.conf /etc/radius.
. RADIUS

, . RADIUS
SYSLOG.
.
,
. , .
: radiusd.conf .
SMIT.
radiusd.conf:
#------------------------------------------------------------------#
#

#
#
#
# RADIUS radiusd.conf
#
# /etc/radius.
#
#
#
#
#
# . RADIUS
#
# " : ()".
#
# , .
#
#
# RADIUS
#
# SYSLOG.
#
# ,
#
# .
#
#
#
# , ,
#
#
#
# . ,
#
# .
#
#
#
#
# . SMIT.
#
#
#
#
#
#------------------------------------------------------------------#

#------------------------------------------------------------------#
#

#
#
#
# RADIUSdirectory : RADIUS,
#
#

#
#
.
#
#
#
# Database_location : .
#
#
: Local, LDAP, UNIX
#
#
UNIX - AIX
#
#
Local - AVL raddbm #
#
LDAP -
#
#
#
# Local_Database
: .
#
#
,
#
#
Database_location
#
#
Local.
#
#
#
# Debug_Level
: RADIUS. #
#
: 0, 3 9.
#
#
3.
#
#
,
#
#
*.debug
#
#
/etc/syslog.conf
#
#
#
#

#
#
, syslog.
#

#
, "9"
#
#

#
#
,
#
#
"0" "3".
#
#
#
#
0 :
#
#
syslogd.
#
#
RADIUS #
#
. #
#
.
#
#
#
3 : ACCESS ACCEPT,
#
#
REJECT DISCARD .
#
#

#
#
.
#
#
#
#
9 : . - #
#

#
#
,
#
#
.
#
#
[ ] #
#
#
#------------------------------------------------------------------#
RADIUSdirectory : /etc/radius
Database_location : UNIX
Local_Database : dbdata.bin
Debug_Level : 3
#------------------------------------------------------------------#
#

#
#
#
# Local_Accounting : ON TRUE, #
#

#
#
ACCOUNTING START STOP,
#
#
NAS. :
#
#
#
#
/var/radius/data/accounting
#
#
#
# Local_accounting_loc:
#
#
/var/radius/data/accounting.
#
# Local_
#
#
Accounting=ON.
#
#
,
#
#
( )
#
#
.
#
#
#------------------------------------------------------------------#
Local_Accounting : ON
Local_Accounting_loc : /var/radius/data/accounting
#------------------------------------------------------------------#
#

#
#
#
#
Accept_Reply-Message : , RADIUS
#
#
Access-Accept
#
#
#
#
Reject_Reply-Message : , RADIUS
#
#
Access-Reject
#
#
#
#
Challenge_Reply-Message : , RADIUS
#
#
Access-Challenge #
#------------------------------------------------------------------#
Accept_Reply-Message :
Reject_Reply-Message :
Challenge_Reply-Message :
Password_Expired_Reply-Message :
#------------------------------------------------------------------#
#

#
#
#

#
Allow_Password_Renewal: YES NO
#
#
YES,
#
#

#
#

#
#
RADIUS. #
#

#
#
Access-Password-Request.
#
#------------------------------------------------------------------#
Allow_Password_Renewal : NO
#------------------------------------------------------------------#
#
Access-Request
#
#
#
#
Require_Message_Authenticator: YES NO
#
#
YES,
#
#

#
#

#
#
Access-Request.
#
#
,
#
#
.
#
#------------------------------------------------------------------#
Require_Message_Authenticator : NO
#------------------------------------------------------------------#
#
( )
#
#
#
# Authentication_Ports : , #
#
. #
#
, #
#
.
#
#

#
#
,
#
#
','.
#
#
#
#
,
#
#
"6666".
#
#
#
#
"6666".
#
#
#
# Accounting_Ports
: Authentication_Ports.
#
#
. , .
#
#
#
# [] .
#
#
, #
#

#
#
. SYSLOG ,
#
#
.
#
#
#
#
#
# []
#
# Authentication_Ports : 1812,6666 ( ) #
#
#
# , ,
#
# .
#
#
#
#
6666 : 6666
#
#
#
#------------------------------------------------------------------#
Authentication_Ports : 1812
Accounting_Ports : 1813
#------------------------------------------------------------------#
#
LDAP
#
#
#
# , RADIUS
#
# LDAP 3 Database_location
#
# LDAP
#
#
#
# LDAP_User
: , #
#
(LDAP). #

#
LDAP.
#
#
#
# LDAP_User_Pwd : LDAP,
#
#
.
#
#
#
#------------------------------------------------------------------#
LDAP_User : cn=root
LDAP_User_Pwd :
#------------------------------------------------------------------#
#
LDAP
#
#
#
# Database_location "LDAP",
#
# .
#
#
#
# LDAP_Server_name
: LDAP 3. #
# LDAP_Server_Port
: TCP, #
#
LDAP. LDAP #
#
389.
#
# LDP_Base_DN
:
#
# LDAP_Timeout
: #
#
#
LDAP
#
# LDAP_Hoplimit
:
#
#

#
# LDAP_Sizelimit
:
#
#
( )
#
# LDAP_Debug_level
: 0= , 1= #
#

#
#
#
#------------------------------------------------------------------#
LDAP_Server_name :
LDAP_Server_port : 389
LDAP_Base_DN : cn=aixradius
LDAP_Timeout : 10
LDAP_Hoplimit : 0
LDAP_Sizelimit : 0
LDAP_Debug_level : 0
#------------------------------------------------------------------#
#
PROXY RADIUS
#
#
#
#
#
# Proxy_Allow
: ON OFF. ON,#
#
proxy ,#
#
, #
#
.
#
# Proxy_Use_Table
: ON OFF. ON,#
#
-#
#
-#
#
.
#
#
Proxy ON, Proxy_Use_Table = ON,#
#
ON.
#
# Proxy_Realm_name
: ,
#
#
.
#
# Proxy_Prefix_delim
:
#
#
,
#
#
.
#
#

#
#
. #
# Proxy_Suffix_delim
:
#
#
,
#
#
.
#
#

#
#
. #
# Proxy_Remove_Hops
: YES NO. #
#
YES,
#
#
,
#
#
, #
#
.
#

#
#
# Proxy_Retry_count
:
#
#
.
#
#
#
# Proxy_Time_Out
:
#
#

#
#
.
#
#
#
#------------------------------------------------------------------#
Proxy_Allow : OFF
Proxy_Use_Table : OFF
Proxy_Realm_name :
Proxy_Prefix_delim : $/
Proxy_Suffix_delim : @.
Proxy_Remove_Hops : NO
Proxy_Retry_count : 2
Proxy_Time_Out : 30
#------------------------------------------------------------------#
#

#
#
#
# UNIX_Check_Login_Restrictions : ON OFF. ON,
#
#

#
#
#
#

#
#

#
#
loginrestrictions().
#
#
#
#------------------------------------------------------------------#
UNIX_Check_Login_Restrictions : OFF
#------------------------------------------------------------------#
#
IP
#
#
#
# Enable_IP_Pool : ON OFF. ON, RADIUS
#
#
IP- ,
#
#
RADIUS.
#
#
#------------------------------------------------------------------#
Enable_IP_Pool : OFF
#------------------------------------------------------------------#

EAP SMIT.
EAP , :
Radius Server
-> Configure users
-> Local Database
LDAP Directory
-> Add a user
Change/Show Characteristics of a user
->
Login User ID [ ]
EAP Type [0 2 4]
Password Max Age

EAP :
0

MD5 - challenge

TLS

EAP
, radiusd.conf.
/etc/radius/clients:

clients , RADIUS.
, (NAS AP) IP- ,
RADIUS , - IP.
:
<Client IP Address>    <Shared Secret>    <Pool Name>

:
10.10.10.1    mysecret1    floor6
10.10.10.2    mysecret2    floor5

- , RADIUS.
256 , .
RADIUS . ,
( RADIUS) .
(
Message Authentication).
/etc/radius/clients ,
, , .
, 16 . /etc/radius/clients
SMIT.
.
- - , IP-.
- RADIUS. SMIT
- : Proxy IP- IP-.
IP- .
/etc/radius/dictionary:
dictionary , RADIUS
AIX RADIUS.
RADIUS .
, . dictionary
. SMIT .
dictionary:
########################################################################
#
#
# , #
# .
#
# /.
#
# :
#
#
#
# string - 0-253
#
# ipaddr - 4
#
# integer - 32-
#
# date - 32- -
#
#
, 00:00:00 GMT, 1 1970
#
#
#
#
#
# VALUE.
#
#
#
# :
#
#
#
# ATTRIBUTE
VALUE
#

# ------------------#
# Framed-Protocol = PPP
#
# 7
= 1
( )
#
#
#
########################################################################
ATTRIBUTE   User-Name           1    string
ATTRIBUTE   User-Password       2    string
ATTRIBUTE   CHAP-Password       3    string
ATTRIBUTE   NAS-IP-Address      4    ipaddr
ATTRIBUTE   NAS-Port            5    integer
ATTRIBUTE   Service-Type        6    integer
ATTRIBUTE   Framed-Protocol     7    integer
ATTRIBUTE   Framed-IP-Address   8    ipaddr
ATTRIBUTE   Framed-IP-Netmask   9    ipaddr
ATTRIBUTE   Framed-Routing      10   integer
ATTRIBUTE   Filter-Id           11   string
.
.
.

: default.policy default.auth ( user_id.policy


user_id.auth) RADIUS,
AIX. ,
radiusd .
: , default.policy default.auth
RADIUS stopsrc startsrc, SMIT.
/etc/radius/proxy:
/etc/radius/proxy - , Proxy.
, Proxy .
/etc/radius/proxy IP- , ,
.
, SMIT:
v
v IP
v
/etc/radius/proxy:
:
16 . RADIUS
.
# @(#)91 1.3 src/rad/usr/sbin/config_files/proxy, radconfig, radius530 1/23/04 13:11:14
#######################################################################
#
#
#
Proxy, #
#
Proxy ,
#
#
.
#
#
#
#
- RADIUS.
#
#
#
#
- IP- RADIUS
#
#
.
#
#
#
#
- , .
#

#
#
#
:
#
#
,
#
#
.
#
#
#
#######################################################################
# REALM NAME        REALM IP          SHARED SECRET
#------------------------------------------------------#
myRealm             10.10.10.10       sharedsec


. , ,
RADIUS, .
, UNIX LDAP.
/etc/radius/radiusd.conf .
SMIT.
RADIUS RADIUS . 272.
:
RADIUS
.
, UNIX
LDAP.
UNIX:
UNIX RADIUS
.
UNIX database_location radiusd.conf
UNIX SMIT.

authenticate() UNIX. , UNIX, ,
/etc/passwords. mkuser
SMIT.
UNIX, UNIX
, :

RADIUS
*
AVL

/etc/radius
[UNIX]
[dbdata.bin]
[]


.
.
.

[3]

:
database_location radiusd.conf SMIT
Local, RADIUS
/etc/radius/dbdata.bin.

,
. . -
. ,
raddbm SMIT. radiusd
radiusd.conf .
: 253 , 128 .
,
:

RADIUS
*
[]
AVL


.
.
.

/etc/radius
[dbdata.bin]
[]
[3]

LDAP:
RADIUS LDAP 3 .
RADIUS API LDAP 3.
LDAP 3 database_location /etc/radiusd.conf LDAP.
, , LDAP.
AIX LDAP 3,
IBM Tivoli. LDAP ,
RADIUS,
. RADIUS ,
ldapsearch.
LDAP RADIUS.
LDAP IBM Tivoli,
Web- http://publib.boulder.ibm.com/tividd/td/IBMDirectoryServer5.2.html.
RADIUS ldif,
LDAP RADIUS, .
LDAP.
RADIUS LDAP .
cn=aixradius, ,
LDAP RADIUS . 282. RADIUS ldif,
RADIUS.
, LDAP
:
1. , RADIUS.
2.
3.
4. EAP,

5. .
LDAP LDAP ,
:

RADIUS
*
[LDAP]
AVL

[ON]

.
.
.

/etc/radius
[dbdata.bin]

[3]

LDAP RADIUS:
LDAP LDAP.
LDAP AIX RADIUS,
, LDAP RADIUS.
LDAP . RADIUS cn=aixradius.
- , .
LDAP . - ,
. , ,
.
LDAP SMIT. LDAP
/etc/radius/radiusd.conf. SMIT
RADIUS.
, LDAP, .
.
=, (OID),
. LDAP .
: .

. ,
, ,
. .
RADIUS. ldif.
- LDAP,
RADIUS. RADIUS .
, , LDAP
API SASL ldap_bind_s, DN, CRAM-MD5,
LDAP.
. CRAM-MD5 - ,
( ).
: .
LDAP RADIUS:

RADIUS LDAP cn=aixradius.


cn=aixradius (OU). OU - ,
.
LDAP RADIUS.
, , ().
aixradius, , : ibm-radiususer
ibm-radiusactiveusers. ibm-radiususer userid, password
maxLogin. ibmradiusactiveusers userid +, login number, login status
session_id. aixradius aixsecurity root.

19. LDAP RADIUS

LDAP:
LDAP RADIUS LDAP.
LDAP /etc/radius/ldap:
IBM.V3.radiusbase.schema.ldif
RADIUS (cn=aixradius).
, cn=aixradius:
ou=ibm-radiususer
ou=ibm-radiusactiveusers

:
ldapadd -D --ldap -w -i /etc/radius/ldap/IBM.V3.radiusbase.schema.ldif

LDAP, ,
-h ( ).
IBM.V3.radius.schema.ldif
RADIUS .

RADIUS:
ldapmodify -D --ldap -w -i /etc/radius/ldap/IBM.V3.radius.schema.ldif

, SMIT LDAP
, LDAP .
RADIUS LDAP SMIT.
:
LDAP RADIUS
. .
,
, . ibm-radiusUserInstance
API LDAP . ,
, . MaxLoginCount
LDAP .
:
LDAP ,
.
, login_number = 1
MaxLoginCount = 5. RADIUS start_accounting.
ibm-radiusUserInstance . ,
RADIUS.
RADIUS start_accounting ibm-radiusactiveusers ,
,
. stop_accounting
.
, .
. API LDAP
.
:
, (PAP),
MD5.
, :
1. , ,
, .
2. - MD5,
.
3. , , .
4. -, 2, XOR
( ). user_password.
5. RADIUS -, 2.
6. (. 4) -
XOR.
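The six steps above describe the User-Password hiding that RFC 2865 (cited earlier in this chapter) specifies for PAP: the first 16-byte block of the padded password is XORed with MD5(shared secret + Request Authenticator), and each following block with MD5(shared secret + previous hidden block). The example below is an added illustration written for this page, not code from the AIX RADIUS server; it implements both the client-side hiding and the server-side reversal so the round trip can be checked. The shared secret, the 16-byte Request Authenticator and the password are constructed sample values, not values from the page.

```python
import hashlib

# Constructed sample values (not from the page): a client shared secret as it
# would appear in /etc/radius/clients, a 16-byte Request Authenticator as
# carried in the Access-Request header, and a clear-text PAP password.
SHARED_SECRET = b"mysecret1"
REQUEST_AUTHENTICATOR = bytes(range(16))
PASSWORD = b"correct horse battery"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password the way RFC 2865 section 5.2 describes.

    The password is NUL-padded to a multiple of 16 bytes.  Block 1 is XORed
    with MD5(secret + Request Authenticator); block i is XORed with
    MD5(secret + hidden block i-1), so the digest chain depends on the
    shared secret and on the per-request authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator                      # seed for the first digest
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        hidden += block
        prev = block                          # chain on the hidden block
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side reversal of hide_password; strips the NUL padding.

    The server recomputes the same digest chain from the shared secret it
    holds for the client and the Request Authenticator it received, so a
    wrong shared secret yields garbage rather than an error.
    """
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    clear = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        digest = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ d for c, d in zip(block, digest))
        prev = block
    return bytes(clear).rstrip(b"\x00")


def roundtrip_ok() -> bool:
    """Hide the sample password and check that the server recovers it."""
    hidden = hide_password(PASSWORD, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    return reveal_password(hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR) == PASSWORD


if __name__ == "__main__":
    print("round trip ok:", roundtrip_ok())
```

Only the shared secret and the Request Authenticator protect the password in this scheme, which is why the length and randomness of the secret configured in /etc/radius/clients matter for PAP; the reversal function is what radiusd has to do before it can check the password against the UNIX, local or LDAP database.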
:
, RADIUS PPP CHAP.

CHAP .
- MD5 , RADIUS ,
.
:
(EAP) - ,
.
EAP
.
EAP. EAP :
v MD5-challenge
v One-time password
v Generic token card
v TLS
EAP RADIUS RADIUS,
EAP RADIUS . RADIUS
EAP , EAP.
RADIUS AIX MD5-challenge EAP.
EAP . ,
LDAP, . EAP
.


RADIUS
default.auth default.policy.
- RADIUS, RFC
/etc/radius/dictionary.
NAS .
.
.
- -, .
RADIUS,
.
: /etc/radius/
authorization/default.auth default.policy. default.policy
.
-, .
.
, -.policy. ,
, , .
- -.policy ,
default.policy.
, .
, .
.

default.auth -,
. default.auth -,
. default.auth,
SMIT. ,
, (NAS)
.
, ,
.auth, : -.auth.
/etc/radius/authorization.
SMIT.
, ,
default.auth. default.auth
-.auth , ,
.
( ), ,
.
:
1. /etc/radius/authorization/default.policy
default.auth .
2. .
3. -, .
a. -.auth.
b. , default.policy.
c. , .
4. , .
a. /etc/radius/authorization/-.auth
default.auth.
b. .
5. .

RADIUS , ,
.
radiusd.conf .
RADIUS , ACCOUNTING_START,
, , ,
. RADIUS,
.
ACCOUNTING_STOP, , ,
, .
ACCOUNTING_STOP, RADIUS .
ACCOUNTING_START ACCOUNTING_STOP RADIUS .
, ACCOUNTING_REQUEST
, . ,
Proxy,
, . Proxy
Proxy . 287.

RADIUS (=)
/etc/var/radius/data/accounting. .
RADIUS , Accounting_Response
, syslog .
/var/radius/data/accounting:
/var/radius/data/accounting
ACCOUNTING START ACCOUNTING STOP.
/var/radius/data/accounting.
ACCOUNTING START ACCOUNTING STOP.
, AIX RADIUS /var/radius/data/accounting.
.
:
v , /var
.
v Perl . ,
Web- http://www.pgregg.com/projects/
radiusreport
v Proxy.
27 May 2004 14:43:19
NAS-IP-Address = 10.10.10.1
NAS-Port = 1
NAS-Port-Type = Async
User-Name = "rod"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Framed-User
Acct-Session-Id = "0000000C"
Framed-Protocol = PPP
Acct-Delay-Time = 0
Timestamp = 1085686999

27 May 2004 14:45:19
NAS-IP-Address = 10.10.10.1
NAS-Port = 1                          <-- rod's session came in on NAS port 1
NAS-Port-Type = Async
User-Name = "rod"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Framed-User
Acct-Session-Id = "0000000C"          <-- same session ID as the Start record, so the two
                                          records describe one session
Framed-Protocol = PPP
Framed-IP-Address = 10.10.10.2        <-- IP address that rod was given
Acct-Terminate-Cause = User-Request   <-- why the session ended
Acct-Input-Octets = 4016
Acct-Output-Octets = 142
Acct-Input-Packets = 35
Acct-Output-Packets = 7
Acct-Session-Time = 120               <-- length of the session in seconds
Acct-Delay-Time = 0
Timestamp = 1085687119                <-- 120 seconds (2 minutes) after the Start record
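The following Python is an added example (not a tool shipped with AIX) that serves both the concurrent-session limit described under "Limiting concurrent sessions" and the accounting file format shown above: it parses records in the layout of /var/radius/data/accounting, replays the Start and Stop records to maintain the per-user active-session count, flags a Start that would exceed MaxLoginCount and a Stop without a matching Start, and checks Acct-Session-Time against the two Timestamp values. The accounting text is constructed from the rod example above plus two invented sessions; the tolerance value is an assumption.

```python
"""Parse /var/radius/data/accounting records and track active sessions per user."""

# Constructed accounting file: rod's session from the page plus two invented records.
ACCOUNTING_FILE = '''27 May 2004 14:43:19
NAS-IP-Address = 10.10.10.1
NAS-Port = 1
User-Name = "rod"
Acct-Status-Type = Start
Acct-Session-Id = "0000000C"
Timestamp = 1085686999

27 May 2004 14:44:05
NAS-IP-Address = 10.10.10.1
NAS-Port = 2
User-Name = "rod"
Acct-Status-Type = Start
Acct-Session-Id = "0000000D"
Timestamp = 1085687045

27 May 2004 14:45:19
NAS-IP-Address = 10.10.10.1
NAS-Port = 1
User-Name = "rod"
Acct-Status-Type = Stop
Acct-Session-Id = "0000000C"
Framed-IP-Address = 10.10.10.2
Acct-Terminate-Cause = User-Request
Acct-Session-Time = 120
Timestamp = 1085687119

27 May 2004 14:50:00
NAS-IP-Address = 10.10.10.1
NAS-Port = 3
User-Name = "rod"
Acct-Status-Type = Stop
Acct-Session-Id = "0000000E"
Acct-Session-Time = 30
Timestamp = 1085687400
'''


def parse_records(text):
    """Records are separated by blank lines; the first line is a local timestamp,
    the rest are 'Attribute = value' lines (quotes around strings are removed)."""
    records = []
    for chunk in text.strip().split("\n\n"):
        lines = chunk.strip().splitlines()
        rec = {"_stamp": lines[0]}
        for line in lines[1:]:
            name, value = (p.strip() for p in line.split("=", 1))
            rec[name] = value.strip('"')
        records.append(rec)
    return records


def replay(records, max_login_count):
    """Replay Start/Stop records in file order; return (open sessions, findings)."""
    active = {}                      # (user, session id) -> Start record
    findings = []
    for rec in records:
        user, sid = rec["User-Name"], rec["Acct-Session-Id"]
        key, status = (user, sid), rec["Acct-Status-Type"]
        if status == "Start":
            open_count = sum(1 for (u, _) in active if u == user)
            if open_count >= max_login_count:      # what MaxLoginCount is meant to prevent
                findings.append(f"{user}: session {sid} exceeds MaxLoginCount={max_login_count}")
            active[key] = rec
        elif status == "Stop":
            start = active.pop(key, None)
            if start is None:
                findings.append(f"{user}: Stop for unknown session {sid} (Start lost?)")
                continue
            elapsed = int(rec["Timestamp"]) - int(start["Timestamp"])
            reported = int(rec.get("Acct-Session-Time", 0))
            if abs(elapsed - reported) > 10:       # assumed tolerance for Acct-Delay-Time
                findings.append(f"{user}: session {sid} wall clock {elapsed}s "
                                f"!= Acct-Session-Time {reported}s")
    return active, findings


def active_sessions(text, max_login_count=1):
    """Session IDs still open after the replay, and everything worth looking at."""
    active, findings = replay(parse_records(text), max_login_count)
    return sorted(sid for (_, sid) in active), findings


if __name__ == "__main__":
    print(active_sessions(ACCOUNTING_FILE))
```

The session that is still open at the end (0000000D) is exactly the kind of stale entry that stays in ibm-radiusactiveusers when a Stop record is lost; running this replay against the accounting file is a quick way to find such entries before users start being refused for exceeding their limit.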

Proxy
A proxy RADIUS server accepts requests from a NAS and forwards them to another RADIUS server: it is a client of that server while it remains a server to the NAS. It can also forward requests that it receives from another proxy, so several proxies can be chained.
The RADIUS server on AIX can act as a proxy. A request is either handled locally or forwarded, depending on the realm in its User-Name; the proxy settings are in radiusd.conf.
Realms:
A realm is the administrative domain a user belongs to. It is written into the User-Name attribute so that the RADIUS server can decide where to send the request: requests for the server's own realm are authenticated locally, all others are forwarded to the RADIUS server responsible for the named realm.
Example of RADIUS proxying:
Company XYZ has offices in several cities; its home authentication server is in SAC. A user who normally works in SAC travels to NYC. When she dials in to the NYC NAS she enters the User-Name SAC/Joe. The NYC RADIUS server sees that the realm SAC is not its own and forwards the request to the SAC server, which authenticates the user.
User-Name formats:
The realm is carried inside User-Name. A User-Name can name a single realm or a chain of realms, one per hop, and the server at each hop uses the next realm name to choose the next destination. Realms can be written as a prefix, as a suffix, or both. The characters that separate a prefix realm from the rest of the name (by default the slash, /) and those that separate a suffix realm (by default the at sign, @) are configurable in radiusd.conf.
A User-Name with a chain of prefix realms:
USA/TEXAS/AUSTIN/joe

The same chain written with suffix realms:
joe@USA@TEXAS@AUSTIN

In both cases the request travels to USA, then TEXAS, then AUSTIN, where the user joe is finally authenticated. The first realm in the name identifies the next hop; a forwarding server can remove its own realm from User-Name so that the next server sees only the remaining chain (the Proxy_Remove_Hops setting).
Prefix and suffix realms can be mixed in one User-Name; the prefix realms are taken first, then the suffix realms:
USA/joe@TEXAS@AUSTIN
Configuring the proxy:
The proxy realms the server knows are kept in the file proxy in the /etc/radius directory. Each entry of the proxy file has three fields: Realm Name, Next Hop IP address and Shared Secret. The proxy file is administered through the SMIT proxy menus (listing, adding, changing and removing realms).

An entry in /etc/radius/proxy has the form:
realm_name    next_hop_address    shared_secret

Each entry maps a realm name to the IP address of the RADIUS server that handles that realm and to the shared secret used with that server. The secret of a proxy hop is a RADIUS shared secret like any other and is stored in clear text in /etc/radius/proxy, so the file must be readable by root only. The next-hop server must in turn list this proxy in its own /etc/radius/clients file with the same secret, because to it the proxy is a client; see "/etc/radius/clients" (page 277).
The SMIT panel for adding a proxy realm contains:
Add a proxy realm
* Realm name              []            (up to 64 characters)
* Next hop IP address     [xx.xx.xx.xx]
* Shared secret           []            (6 to 256 characters)

A realm name must be unique in the proxy file. When the server forwards a request it looks up the first realm of the User-Name in this table; a request for a realm that is not in the table (and is not the server's own realm) cannot be forwarded.
The proxy section of radiusd.conf:
#------------------------------------------------------------------#
#                        PROXY RADIUS                               #
#                                                                   #
# Proxy_Allow        : ON or OFF. If set to ON, the server acts as  #
#                      a proxy and forwards requests for realms     #
#                      other than its own to the next hop found     #
#                      in the proxy table.                          #
#                                                                   #
# Proxy_Use_Table    : ON or OFF. If set to ON, the proxy table     #
#                      (/etc/radius/proxy) is consulted to find     #
#                      the next hop for a realm. Proxy_Allow must   #
#                      also be ON for any forwarding to take place. #
#                                                                   #
# Proxy_Realm_name   : The realm name of this server. Requests      #
#                      whose realm matches this name are handled    #
#                      locally.                                     #
#                                                                   #
# Proxy_Prefix_delim : The characters that may separate a prefix    #
#                      realm from the rest of the User-Name.        #
#                                                                   #
# Proxy_Suffix_delim : The characters that may separate a suffix    #
#                      realm from the rest of the User-Name.        #
#                                                                   #
# Proxy_Remove_Hops  : YES or NO. If set to YES, the server removes #
#                      its own realm name from the User-Name        #
#                      before forwarding the request to the next    #
#                      hop.                                         #
#                                                                   #
# Proxy_Retry_count  : Number of times a forwarded request is       #
#                      retransmitted to the next hop.               #
#                                                                   #
# Proxy_Time_Out     : Number of seconds to wait for a reply from   #
#                      the next hop before retransmitting.          #
#------------------------------------------------------------------#
Proxy_Allow         : OFF
Proxy_Use_Table     : OFF
Proxy_Realm_name    :
Proxy_Prefix_delim  : $/
Proxy_Suffix_delim  : @.
Proxy_Remove_Hops   : NO
Proxy_Retry_count   : 2
Proxy_Time_Out      : 3
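The following Python is an added example, not the proxy code of the AIX RADIUS server: it splits the three User-Name forms shown under "User-Name formats" into a realm chain using the default delimiter sets from radiusd.conf above, and then applies a proxy table to decide whether a request is local, forwarded (and with which User-Name, depending on Proxy_Remove_Hops) or undeliverable. The delimiter semantics (every character of Proxy_Prefix_delim ends a prefix realm, every character of Proxy_Suffix_delim starts a suffix realm, prefix realms before suffix realms) and the proxy table entries are assumptions made for the example.

```python
"""Realm parsing and next-hop selection for a proxy RADIUS server."""
from typing import List, Optional, Tuple

# Constructed /etc/radius/proxy table: realm_name -> (next_hop_address, shared_secret)
PROXY_TABLE = {
    "USA":    ("192.0.2.1", "usa-hop-secret"),
    "TEXAS":  ("192.0.2.2", "texas-hop-secret"),
    "AUSTIN": ("192.0.2.3", "austin-hop-secret"),
}


def _multi_split(s: str, delims: str) -> List[str]:
    out, cur = [], ""
    for ch in s:
        if ch in delims:
            out.append(cur)
            cur = ""
        else:
            cur += ch
    out.append(cur)
    return out


def split_realms(user_name: str, prefix_delims: str = "$/",
                 suffix_delims: str = "@.") -> Tuple[List[str], str]:
    """Return (realm chain in hop order, bare user name)."""
    prefix_realms: List[str] = []
    rest = user_name
    while True:                                     # take prefix realms left to right
        cut = min((rest.find(c) for c in prefix_delims if c in rest), default=-1)
        if cut < 0:
            break
        realm, rest = rest[:cut], rest[cut + 1:]
        if not realm:
            raise ValueError(f"empty prefix realm in {user_name!r}")
        prefix_realms.append(realm)
    suffix_realms: List[str] = []
    cut = min((rest.find(c) for c in suffix_delims if c in rest), default=-1)
    if cut >= 0:                                    # then the suffix realms
        rest, tail = rest[:cut], rest[cut + 1:]
        suffix_realms = _multi_split(tail, suffix_delims)
        if not all(suffix_realms):
            raise ValueError(f"empty suffix realm in {user_name!r}")
    if not rest:
        raise ValueError(f"no user part in {user_name!r}")
    return prefix_realms + suffix_realms, rest


def route(user_name: str, my_realm: str, table=PROXY_TABLE,
          remove_hops: bool = True) -> Tuple[str, Optional[str], Optional[str]]:
    """("local", user, None), ("forward", next-hop address, User-Name to send) or ("drop", why, None)."""
    realms, user = split_realms(user_name)
    if realms and realms[0] == my_realm:            # our own realm leads the chain
        realms = realms[1:]
    if not realms:
        return "local", user, None
    nxt = realms[0]
    if nxt not in table:
        return "drop", f"unknown realm {nxt}", None
    # Proxy_Remove_Hops = YES: the next hop sees only the remaining chain (prefix form)
    forwarded = "/".join(realms + [user]) if remove_hops else user_name
    return "forward", table[nxt][0], forwarded


if __name__ == "__main__":
    for name in ("USA/TEXAS/AUSTIN/joe", "joe@USA@TEXAS@AUSTIN", "USA/joe@TEXAS@AUSTIN", "joe"):
        print(name, "->", route(name, "USA"))
```

One consequence of the default suffix delimiters "@." is visible in the last branch: a name such as joe@example.com is split into the realms example and com, so a server whose users log in with e-mail style names must either trim Proxy_Suffix_delim to "@" or list the domain as a realm.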

Configuring the RADIUS server:
The RADIUS server is configured through the file /etc/radius/radiusd.conf. The file is edited with SMIT or with an editor, and the server reads it when it starts.
The SMIT panel for configuring the RADIUS server (its field labels were lost in extraction) shows the settings of radiusd.conf with these values: the database location [UNIX] (the local database, the alternative being LDAP); the local database file [dbdata.bin] in /etc/radius; the debug level [3]; the authentication port [1812] and the accounting port [1813]; the LDAP settings (server name, port [389], administrator DN and password, base DN [cn=aixradius], and four numeric options with the values [0], [0], [10], [0]); the proxy settings (the Proxy_Allow, Proxy_Use_Table and Proxy_Remove_Hops switches, realm name, prefix delimiter [$/], suffix delimiter [@.], retry count [2], timeout [30]); and the OpenSSL and EAP method settings [TLS, MD5].

Logging
The RADIUS server logs through SYSLOG. The amount of detail is set by the debug level:
0
Logs only what is needed to see that the server is running: start-up, the creation of the authentication and accounting processes, and errors.
3
Adds one line per decision: access_accept, access_reject*, discard and error, so that every authentication outcome is visible.
9
Adds a trace of the packet processing, including the attributes of each packet and the LDAP, authorization and proxy steps taken.

*Note: discard means the packet was dropped without a reply, for example because it came from a client that is not in the clients file.

Levels 0 and 3 are the normal operating levels; level 9 is for problem determination. The default is 3. Level 9 writes a great deal and records the User-Name, NAS and session identifiers of every request (User-Password values are masked), so do not leave it on in production and treat its output as sensitive. The SYSLOG messages carry the process id of the radiusd process that produced them, which lets the authentication and accounting processes be told apart.
For more information on LDAP, see the IBM Tivoli Directory Server Version 5.2 Administration Guide on the Tivoli Software Information Center web site.
Setting up syslogd for the RADIUS server:
The RADIUS server sends its SYSLOG messages to syslogd, and syslogd must be told where to write them. To configure syslogd:
1. Add a line to /etc/syslog.conf, for example: local4.debug /var/adm/ipsec.log. This is the entry also used for IP security logging; a selector of *.debug (as suggested in the radiusd.conf comments) captures the radiusd messages whatever facility they are sent to. The priority debug receives everything; how much the RADIUS server actually writes is controlled by the Debug_Level in radiusd.conf, not by syslog.
   Note: with a shared entry the file also receives the messages of the other subsystems that use it.
2. Save /etc/syslog.conf.
3. Create the log file, because syslogd does not create it. Change to /var/adm and use touch:
touch ipsec.log

4. Refresh syslogd so that it reads the new configuration:
refresh -s syslogd
Setting the SYSLOG level:
The Debug_Level setting in radiusd.conf selects how much the server logs. The valid values are 0, 3 and 9; the higher the value, the more is written to SYSLOG. The default is 3. The setting is documented in radiusd.conf as follows:
#------------------------------------------------------------------#
# Debug_Level : Debug level of the RADIUS server.                   #
#               Valid values are 0, 3 and 9. The default is 3.      #
#               For the messages to be recorded, add the selector   #
#               *.debug to /etc/syslog.conf (see the syslogd        #
#               set-up above).                                      #
#                                                                   #
#               The amount of information written to syslog grows   #
#               with the level; "9" produces far more output than   #
#               "0" or "3".                                         #
#                                                                   #
#               Level 0 : The minimum. Only start-up, shutdown and  #
#                         error messages of the RADIUS server are   #
#                         sent to syslogd.                          #
#               Level 3 : Level 0 plus one message for each         #
#                         ACCESS ACCEPT, ACCESS REJECT and DISCARD  #
#                         decision, with the user and NAS involved. #
#               Level 9 : Everything. Each packet is traced with    #
#                         its attributes, together with the LDAP,   #
#                         authorization and proxy steps. Intended   #
#                         for problem determination only.           #
#------------------------------------------------------------------#

Examples of SYSLOG output at each level follow (the month name of the timestamps was lost). Level 3, accounting: the server start-up lines come first, then an ACCOUNTING-START and an ACCOUNTING-STOP for user_id1 from the NAS 10.10.10.10:
18 10:23:57 server1 syslog: [0]: [389288]
18 10:23:57 server1 radiusd[389288]: [0]: (AVL) .
18 10:23:57 server1 radiusd[389288]: [0]: Pid= 549082 Port = 1812
18 10:23:57 server1 radiusd[389288]: [0]: Pid= 643188 Port = 1813
18 10:23:57 server1 radiusd[643188]: [0]: [15]
18 10:23:57 server1 radiusd[643188]: [0]: [15]
18 10:23:57 server1 radiusd[549082]: [0]: [15]
18 10:23:57 server1 radiusd[549082]: [0]: [15]
18 10:24:07 server1 radiusd[643188]: [1]:*** Process_Packet() ***
18 10:24:07 server1 radiusd[643188]: [1]: Code 4, ID = 96, Port = 41639, IP = 10.10.10.10
18 10:24:07 server1 radiusd[643188]: [1]:ACCOUNTING-START - [ user_id1 ]
18 10:24:07 server1 radiusd[643188]: [1]: ID 96 to 10.10.10.10 (client1.ibm.com)
18 10:24:07 server1 radiusd[643188]: [1]:send_acct_reply() :
18 10:24:07 server1 radiusd[643188]: [1]: Code = 5, ID = 96, Length = 20
18 10:24:07 server1 radiusd[643188]: [1]:*** Process_Packet() ***
18 10:24:13 server1 radiusd[643188]: [2]:*** Process_Packet() ***
18 10:24:13 server1 radiusd[643188]: [2]: Code 4, ID = 97, Port = 41639, IP = 10.10.10.10
18 10:24:13 server1 radiusd[643188]: [2]:ACCOUNTING-STOP - [ user_id1 ]
18 10:24:14 server1 radiusd[643188]: [2]: ID 97 to 10.10.10.10 (client1.ibm.com)
18 10:24:14 server1 radiusd[643188]: [2]:send_acct_reply() :
18 10:24:14 server1 radiusd[643188]: [2]: Code = 5, ID = 97, Length = 20
18 10:24:14 server1 radiusd[643188]: [2]:*** Process_Packet() **

Level 9, accounting: the server is stopped and restarted with LDAP as the user database, then an ACCOUNTING-START is traced attribute by attribute:
18 10:21:18 server1 syslog: [0]: [643170]
18 10:21:18 server1 radiusd[643170]: [0]: (AVL) .
18 10:21:18 server1 radiusd[643170]: [0]: Pid= 389284 Port = 1812
18 10:21:18 server1 radiusd[643170]: [0]: Pid= 549078 Port = 1813
18 10:22:03 server1 radiusd[643170]: [0]:PID = [389284]
18 10:22:03 server1 radiusd[643170]: [0]:PID = [549078]
18 10:22:03 server1 radiusd[643170]: [0]: .
(radiusd is restarted here)
18 10:22:09 server1 syslog: [0]: [1081472]
18 10:22:09 server1 radiusd[1081472]: [0]: (AVL) .
18 10:22:09 server1 radiusd[1081472]: [0]: client_init()
18 10:22:09 server1 radiusd[1081472]: [0]: : 1
18 10:22:09 server1 radiusd[1081472]: [0]: read_authorize_policy /etc/radius/authorization/default.policy.
18 10:22:09 server1 radiusd[1081472]: [0]: read_authorize_file /etc/radius/authorization/default.policy.
18 10:22:09 server1 radiusd[1081472]: [0]: read_authorize_file() .
18 10:22:09 server1 radiusd[1081472]: [0]: read_authorize_file /etc/radius/authorization/default.auth.
18 10:22:09 server1 radiusd[1081472]: [0]: read_authorize_file() .
18 10:22:09 server1 radiusd[549080]: [0]:connect_to_LDAP_server: ( )=LDAP.
18 10:22:09 server1 radiusd[549080]: [0]:connect_to_LDAP_server: LDAP = server1.austin.ibm.com.
18 10:22:09 server1 radiusd[549080]: [0]:connect_to_LDAP_server: LDAP=389.
18 10:22:09 server1 radiusd[1081472]: [0]: Pid= 549080 Port = 1812
18 10:22:09 server1 radiusd[389286]: [0]:connect_to_LDAP_server: ( )=LDAP.
18 10:22:09 server1 radiusd[389286]: [0]:connect_to_LDAP_server: LDAP = server1.austin.ibm.com.
18 10:22:09 server1 radiusd[389286]: [0]:connect_to_LDAP_server: LDAP=389.
18 10:22:09 server1 radiusd[1081472]: [0]: Pid= 389286 Port = 1813
18 10:22:10 server1 radiusd[549080]: [0]: [15]
18 10:22:10 server1 radiusd[549080]: [0]: [15]
18 10:22:10 server1 radiusd[389286]: [0]: [15]
18 10:22:10 server1 radiusd[389286]: [0]: [15]
18 10:22:15 server1 radiusd[389286]: [1]:*** Process_Packet() ***
18 10:22:15 server1 radiusd[389286]: [1]: :
18 10:22:15 server1 radiusd[389286]: [1]: Code = 4, ID = 94, Length = 80
18 10:22:15 server1 radiusd[389286]: [1]: Authenticator = 0xC5DBDDFE6EFFFDBD6AE64CA35947DD0F
18 10:22:15 server1 radiusd[389286]: [1]: Type = 40, Length = 6, Value = 0x00000001
18 10:22:15 server1 radiusd[389286]: [1]: Type = 1, Length = 8, Value = 0x67656E747931
18 10:22:15 server1 radiusd[389286]: [1]: Type = 4, Length = 6, Value = 0x00000000
18 10:22:15 server1 radiusd[389286]: [1]: Type = 8, Length = 6, Value = 0x0A0A0A01
18 10:22:15 server1 radiusd[389286]: [1]: Type = 44, Length = 8, Value = 0x303030303062
18 10:22:15 server1 radiusd[389286]: [1]: Type = 30, Length = 10, Value = 0x3132332D34353638
18 10:22:15 server1 radiusd[389286]: [1]: Type = 31, Length = 10, Value = 0x3435362D31323335
18 10:22:15 server1 radiusd[389286]: [1]: Type = 85, Length = 6, Value = 0x00000259
18 10:22:15 server1 radiusd[389286]: [1]: parse_packet()
18 10:22:15 server1 radiusd[389286]: [1]: Code 4, ID = 94, Port = 41639, IP = 10.10.10.10
18 10:22:15 server1 radiusd[389286]: [1]:Acct-Status-Type = Sta

Level 0: only the start-up of the server and of its two child processes is logged:
18 10:06:11 server1 syslog: [0]: [1081460]
18 10:06:11 server1 radiusd[1081460]: [0]: (AVL) .
18 10:06:11 server1 radiusd[1081460]: [0]: Pid= 549076 Port = 1812
18 10:06:11 server1 radiusd[1081460]: [0]: Pid= 389282 Port = 18

Level 3, authentication: an ACCESS-REJECT followed by an ACCESS-ACCEPT, both for user_id1 from the NAS 10.10.10.10:
18 10:01:32 server2 radiusd[389276]: [3]:*** Process_Packet() ***
18 10:01:32 server2 radiusd[389276]: [3]: Code 1, ID = 72, Port = 41638, IP = 10.10.10.10
18 10:01:32 server2 radiusd[389276]: [3]:authenticate_password_PAP: ,
18 10:01:32 server2 radiusd[389276]: [3]: [user_id1] IP address [10.10.10.10]
18 10:01:32 server2 radiusd[389276]: [3]:ACCESS-REJECT - ID 72 to 10.10.10.10 (client1.ibm.com)
18 10:01:32 server2 radiusd[389276]: [3]:send_reject() :
18 10:01:32 server2 radiusd[389276]: [3]: Code = 3, ID = 72, Length = 30
18 10:01:32 server2 radiusd[389276]: [3]:*** Process_Packet() ***
18 10:01:53 server2 radiusd[389276]: [4]:*** Process_Packet() ***
18 10:01:53 server2 radiusd[389276]: [4]: Code 1, ID = 74, Port = 41638, IP = 10.10.10.10
18 10:01:53 server2 radiusd[389276]: [4]:authenticate_password_PAP: ,
18 10:01:53 server2 radiusd[389276]: [4]: [user_id1] IP address [10.10.10.10]
18 10:01:53 server2 radiusd[389276]: [4]: [user_id1] IP address [10.10.10.10]
18 10:01:53 server2 radiusd[389276]: [4]:ACCESS-ACCEPT - ID 74 to 10.10.10.10 (client1.ibm.com)
18 10:01:53 server2 radiusd[389276]: [4]:send_accept() :
18 10:01:53 server2 radiusd[389276]: [4]: Code = 2, ID = 74, Length = 31
18 10:01:53 server2 radiusd[389276]: [4]:*** Process_Packet() **

Level 9, authentication: an Access-Request is traced in full (the User-Password attribute, type 2, is masked in the log), followed by the LDAP lookup, the authorization steps and the reply:
18 10:03:56 server1 radiusd[389278]: [1]:*** Process_Packet() ***
18 10:03:56 server1 radiusd[389278]: [1]: :
18 10:03:56 server1 radiusd[389278]: [1]: Code = 1, ID = 77, Length = 58
18 10:03:56 server1 radiusd[389278]: [1]: Authenticator = 0xE6CB0F9C22BB4E799854E734104FB2D5
18 10:03:56 server1 radiusd[389278]: [1]: Type = 1, Length = 8, Value = 0x67656E747931
18 10:03:56 server1 radiusd[389278]: [1]: Type = 4, Length = 6, Value = 0x00000000
18 10:03:56 server1 radiusd[389278]: [1]: Type = 2, Length = 18, Value = 0x********************************
18 10:03:56 server1 radiusd[389278]: [1]: Type = 7, Length = 6, Value = 0x00000001
18 10:03:56 server1 radiusd[389278]: [1]: parse_packet()
18 10:03:56 server1 radiusd[389278]: [1]: Code 1, ID = 77, Port = 41638, IP = 10.10.10.10
18 10:03:56 server1 radiusd[389278]: [1]:User-Name = "user_id1"

18 10:03:56 server1 radiusd[389278]: [1]:NAS-IP-Address = 10.10.10.10
18 10:03:56 server1 radiusd[389278]: [1]:Framed-Protocol = PPP
18 10:03:56 server1 radiusd[389278]: [1]: parse_packet()
18 10:03:56 server1 radiusd[389278]: [1]: Message-Authenticator
18 10:03:56 server1 radiusd[389278]: [1]: Message-Authenticator
18 10:03:56 server1 radiusd[389278]: [1]: proxy_request_needed()
18 10:03:56 server1 radiusd[389278]: [1]:Proxy
18 10:03:56 server1 radiusd[389278]: [1]: = [user_id1]
18 10:03:56 server1 radiusd[389278]: [1]:IP address = [10.10.10.10]
18 10:03:56 server1 radiusd[389278]: [1]: parse_for_login( user_id1 )
18 10:03:56 server1 radiusd[389278]: [1]:User_id = [user_id1]
18 10:03:56 server1 radiusd[389278]: [1]:User_id = [user_id1]
18 10:03:56 server1 radiusd[389278]: [1]: rad_authenticate()
18 10:03:56 server1 radiusd[389278]: [1]: [client1.austin.ibm.com]
18 10:03:56 server1 radiusd[389278]: [1]: get_ldap_user() LDAP
18 10:03:56 server1 radiusd[389278]: [1]:get_ldap_user: LDAP: user_id1.
18 10:03:56 server1 radiusd[389278]: [1]:get_ldap_user:LDAP max_login_cnt:2.
18 10:03:56 server1 radiusd[389278]: [1]:get_ldap_user:LDAP EAP_type: 4.
18 10:03:56 server1 radiusd[389278]: [1]:get_ldap_user:LDAP passwordexpiredweeks: 9.
18 10:03:56 server1 radiusd[389278]: [1]:get_ldap_active_sessions: = 2.
18 10:03:56 server1 radiusd[389278]: [1]:get_ldap_active_session:dn retrieved= radiusuniqueidentifier=user_id11,ou=radiusActiveUsers,cn=aixradius.
18 10:03:56 server1 radiusd[389278]: [1]: get_client_secret ip-address:10.10.10.10
18 10:03:56 server1 radiusd[389278]: [1]: NAS-IP = [10.10.10.10]
18 10:03:56 server1 radiusd[389278]: [1]: .
18 10:03:56 server1 radiusd[389278]: [1]:authenticate_password_PAP: ,
18 10:03:56 server1 radiusd[389278]: [1]:is_ldap_pw:
18 10:03:56 server1 radiusd[389278]: [1]: [user_id1] IP address [10.10.10.10]
18 10:03:56 server1 radiusd[389278]: [1]: rad_authorize().
18 10:03:56 server1 radiusd[389278]: [1]: read_authorize_policy : /etc/radius/authorization/user_id1.policy.
18 10:03:56 server1 radiusd[389278]: [1]: read_authorize_file : /etc/radius/authorization/user_id1.policy.
18 10:03:56 server1 radiusd[389278]: [1]: /etc/radius/authorization/user_id1.policy file not found; the default is used.
18 10:03:56 server1 radiusd[389278]: [1]: : /etc/radius/authorization/user_id1.policy.
18 10:03:56 server1 radiusd[389278]: [1]:rad_authorize: .
18 10:03:56 server1 radiusd[389278]: [1]: create_def_copy().
18 10:03:56 server1 radiusd[389278]: [1]: .
18 10:03:56 server1 radiusd[389278]: [1]: read_authorize_file : /etc/radius/authorization/user_id1.auth.
18 10:03:56 server1 radiusd[389278]: [1]: /etc/radius/authorization/user_id1.auth file not found; the default is used.
18 10:03:56 server1 radiusd[389278]: [1]:rad_authorize: .
18 10:03:56 server1 radiusd[389278]: [1]: [user_id1] IP address [10.10.10.10]
18 10:03:56 server1 radiusd[389278]: [1]:ACCESS-ACCEPT - ID 77 to 10.10.10.10 (client1.austin.ibm.com)
18 10:03:56 server1 radiusd[389278]: [1]: proxy_response_needed()
18 10:03:56 server1 radiusd[389278]: [1]:Proxy
18 10:03:56 server1 radiusd[389278]: [1]: get_client_secret ip-address:10.10.10.10
18 10:03:56 server1 radiusd[389278]: [1]: NAS-IP = [10.10.10.10]
18 10:03:56 server1 radiusd[389278]: [1]: .
18 10:03:56 server1 radiusd[389278]: [1]:send_accept() :
18 10:03:56 server1 radiusd[389278]: [1]: Code = 2, ID = 77, Length = 31
18 10:03:56 server1 radiusd[389278]: [1]:send_accept() :
18 10:03:56 server1 radiusd[389278]: [1]: Code = 2, ID = 77, Length = 31
18 10:03:56 server1 radiusd[389278]: [1]: Authenticator = 0xCCB2B645BBEE86F5E4FC5BE24E904B2A
18 10:03:56 server1 radiusd[389278]: [1]: Type = 18, Length = 11, Value = 0x476F6F646E65737321
18 10:03:56 server1 radiusd[389278]: [1]:*** Process_Packet() ***
18 10:04:18 server1 radiusd[389278]: [2]:*** Process_Packet() ***
18 10:04:18 server1 radiusd[389278]: [2]: :
18 10:04:18 server1 radiusd[389278]: [2]: Code = 1, ID = 79, Length = 58
18 10:04:18 server1 radiusd[389278]: [2]: Authenticator = 0x774298A2B6DD90D7C33B3C10C4787D41
18 10:04:18 server1 radiusd[389278]: [2]: Type = 1, Length = 8, Value = 0x67656E747931
18 10:04:18 server1 radiusd[389278]: [2]: Type = 4, Length = 6, Value = 0x00000000
18 10:04:18 server1 radiusd[389278]: [2]: Type = 2, Length = 18, Value = 0x********************************
18 10:04:18 server1 radiusd[389278]: [2]: Type = 7, Length = 6, Value = 0x00000001
18 10:04:18 server1 radiusd[389278]: [2]: parse_packet()
18 10:04:18 server1 radiusd[389278]: [2]: Code 1, ID = 79, Port = 41638, IP = 10.10.10.10
18 10:04:18 server1 radiusd[389278]: [2]:User-Name = "user_id1"
18 10:04:18 server1 radiusd[389278]: [2]:NAS-IP-Address = 10.10.10.10
18 10:04:18 server1 radiusd[389278]: [2]:Framed-Protocol = PPP
18 10:04:18 server1 radiusd[389278]: [2]: parse_packet()
18 10:04:18 server1 radiusd[389278]: [2]: Message-Authenticator
18 10:04:18 server1 radiusd[389278]: [2]: Message-Authenticator
18 10:04:18 server1 radiusd[389278]: [2]: proxy_request_needed()
18 10:04:18 server1 radiusd[389278]: [2]:Proxy
18 10:04:18 server1 radiusd[389278]: [2]:Username = [user_id1]
18 10:04:18 server1 radiusd[389278]: [2]:IP address = [10.10.10.10]
18 10:04:18 server1 radiusd[389278]: [2]: parse_for_login( user_id1 )
18 10:04:18 server1 radiusd[389278]: [2]:User_id = [user_id1]
18 10:04:18 server1 radiusd[389278]: [2]:User_id = [user_id1]
18 10:04:18 server1 radiusd[389278]: [2]: rad_authenticate()
18 10:04:18 server1 radiusd[389278]: [2]: [client1.austin.ibm.com]
18 10:04:18 server1 radiusd[389278]: [2]: get_ldap_user() LDAP
18 10:04:18 server1 radiusd[389278]: [2]:get_ldap_user: LDAP: user_id1.
18 10:04:18 server1 radiusd[389278]: [2]:get_ldap_user:LDAP max_login_cnt:2.
18 10:04:18 server1 radiusd[389278]: [2]:get_ldap_user:LDAP EAP_type: 4.
18 10:04:18 server1 radiusd[389278]: [2]:get_ldap_user:LDAP passwordexpiredweeks: 9.
18 10:04:18 server1 radiusd[389278]: [2]:get_ldap_active_sessions: = 2.
18 10:04:18 server1 radiusd[389278]: [2]:get_ldap_active_session:dn retrieved= radiusuniqueidentifier=user_id11, ou=radiusActiveUsers, cn=aixradius.
18 10:04:18 server1 radiusd[389278]: [2]: get_client_secret ip-address:10.10.10.10
18 10:04:18 server1 radiusd[389278]: [2]: NAS-IP = [10.10.10.10]
18 10:04:18 server1 radiusd[389278]: [2]: .
18 10:04:18 server1 radiusd[389278]: [2]:authenticate_password_PAP: ,
18 10:04:18 server1 radiusd[389278]: [2]: [user_id1] IP address [10.10.10.10]
18 10:04:18 server1 radiusd[389278]: [2]:ACCESS-REJECT - ID 79 to 10.10.10.10 (client1.austin.ibm.com)
18 10:04:18 server1 radiusd[389278]: [2]: proxy_response_needed()
18 10:04:18 server1 radiusd[389278]: [2]:Proxy
18 10:04:18 server1 radiusd[389278]: [2]: get_client_secret ip-address:10.10.10.10
18 10:04:18 server1 radiusd[389278]: [2]: NAS-IP = [10.10.10.10]
18 10:04:18 server1 radiusd[389278]: [2]: .
18 10:04:18 server1 radiusd[389278]: [2]:send_reject() :
18 10:04:18 server1 radiusd[389278]: [2]: Code = 3, ID = 79, Length = 30
18 10:04:18 server1 radiusd[389278]: [2]:send_reject() :
18 10:04:18 server1 radiusd[389278]: [2]: Code = 3, ID = 79, Length = 30
18 10:04:18 server1 radiusd[389278]: [2]: Authenticator = 0x05D4865C6EBEFC1A9300D2DC66F3DBE9
18 10:04:18 server1 radiusd[389278]: [2]: Type = 18, Length = 10, Value = 0x4261646E65737321
18 10:04:18 server1 radiusd[389278]: [2]: Leave_Packet()
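The level 3 lines are the ones worth watching in production. The following Python is an added example (not part of AIX) of simple detection logic over them: it parses the ACCESS-ACCEPT, ACCESS-REJECT, ACCOUNTING-START and ACCOUNTING-STOP lines in the layout shown above, raises an alert when one NAS produces a burst of rejects inside a sliding window, and lists users whose accounting Stop has no preceding Start. The log lines are constructed to match the level 3 examples (their English field names were reconstructed in this section, so adjust the regular expression to the wording your server actually writes), and the threshold and window are assumptions.

```python
"""Detection over radiusd SYSLOG lines at debug level 3."""
import re
from collections import defaultdict, deque

# Constructed lines in the shape of the level 3 examples above (month name omitted as there).
LOG = """\
18 10:01:32 server2 radiusd[389276]: [3]:ACCESS-REJECT - ID 72 to 10.10.10.10 (client1.ibm.com)
18 10:01:40 server2 radiusd[389276]: [4]:ACCESS-REJECT - ID 73 to 10.10.10.10 (client1.ibm.com)
18 10:01:47 server2 radiusd[389276]: [5]:ACCESS-REJECT - ID 74 to 10.10.10.10 (client1.ibm.com)
18 10:01:53 server2 radiusd[389276]: [6]:ACCESS-ACCEPT - ID 75 to 10.10.10.10 (client1.ibm.com)
18 10:24:07 server1 radiusd[643188]: [1]:ACCOUNTING-START - [ user_id1 ]
18 10:24:13 server1 radiusd[643188]: [2]:ACCOUNTING-STOP - [ user_id1 ]
18 10:30:00 server1 radiusd[643188]: [3]:ACCOUNTING-STOP - [ user_id2 ]
18 11:05:00 server2 radiusd[389276]: [7]:ACCESS-REJECT - ID 90 to 10.10.10.11 (client2.ibm.com)
"""

LINE_RE = re.compile(
    r"^(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) radiusd\[(?P<pid>\d+)\]: "
    r"\[(?P<seq>\d+)\]:(?P<event>ACCESS-ACCEPT|ACCESS-REJECT|ACCOUNTING-START|ACCOUNTING-STOP) - "
    r"(?:ID (?P<id>\d+) to (?P<nas>[\d.]+) \((?P<name>[^)]*)\)|\[ (?P<user>\S+) \])$")


def parse_line(line):
    """Return the fields of a decision line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    h, mi, s = (int(x) for x in d["time"].split(":"))
    d["secs"] = int(d["day"]) * 86400 + h * 3600 + mi * 60 + s   # day of month plus time of day
    return d


def reject_bursts(log, threshold=3, window=60):
    """NAS addresses that produced >= threshold ACCESS-REJECTs within `window` seconds."""
    recent = defaultdict(deque)
    alerts = []
    for line in log.splitlines():
        ev = parse_line(line)
        if not ev or ev["event"] != "ACCESS-REJECT":
            continue
        q = recent[ev["nas"]]
        q.append(ev["secs"])
        while q and ev["secs"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev["nas"], ev["time"], len(q)))
            q.clear()                     # report each burst once
    return alerts


def unmatched_accounting(log):
    """Users with an ACCOUNTING-STOP but no preceding START: a lost Start or a forged record."""
    open_sessions, orphans = defaultdict(int), []
    for line in log.splitlines():
        ev = parse_line(line)
        if not ev or not ev["event"].startswith("ACCOUNTING"):
            continue
        if ev["event"] == "ACCOUNTING-START":
            open_sessions[ev["user"]] += 1
        elif open_sessions[ev["user"]] > 0:
            open_sessions[ev["user"]] -= 1
        else:
            orphans.append((ev["user"], ev["time"]))
    return orphans


if __name__ == "__main__":
    print(reject_bursts(LOG))
    print(unmatched_accounting(LOG))
```

A burst of rejects from one NAS is the signature of password guessing through that NAS (the level 3 log does not carry the user name on the reject line, so the user is found in the adjacent lines); a Stop without a Start is what leaves the active-session count in LDAP wrong.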


Password expiration
The RADIUS server on AIX checks whether the user's password has expired and, when it has, tells the user so. The check follows the password ageing rules of the database the user is in (the local AIX database or LDAP, where the passwordexpiredweeks value shown in the level 9 log is read). The message returned to the user is configurable in radiusd.conf: the Password_Expired_Reply_Message setting holds the text that is sent back when the password has expired, and its default is password-expired. The check is made only for PAP authentication.



(VSA) , ,
, RADIUS.
.
RADIUS.
.
NAS ,
.
, VSA
User-Name Password. , ,
Access-Request, .
, , NAS
. =
-.policy.
VSA :
########################################################################
#
#
# , #
# (VSA).
#
# "Cisco". /
#
# "VENDOR".
#
#
#
# :
#
#
#
# VENDOR
Cisco
9
#
#
#
# VENDOR: , , , #
# Cisco.
#
# Cisco :
#
# 9
: , RFC "Assigned Numbers"
#
#
#
########################################################################
#VENDOR

Cisco

#ATTRIBUTE
Cisco-AVPair
1
string
#ATTRIBUTE
Cisco-NAS-Port
2
string
#ATTRIBUTE
Cisco-Disconnect-Cause
195
integer
#
#----------------Cisco-Disconnect-Cause---------------------------------#
#
#VALUE
Cisco-Disconnect-Cause
Unknown
2
#VALUE
Cisco-Disconnect-Cause
CLID-Authentication-Failure 4
#VALUE
Cisco-Disconnect-Cause
No-Carrier
10
#VALUE
Cisco-Disconnect-Cause
Lost-Carrier
11
#VALUE
Cisco-Disconnect-Cause
No-Detected-Result-Codes
12
#VALUE
Cisco-Disconnect-Cause
User-Ends-Session
20
#VALUE
Cisco-Disconnect-Cause
Idle-Timeout
21
#VALUE
Cisco-Disconnect-Cause
Exit-Telnet-Session
22
#VALUE
Cisco-Disconnect-Cause
No-Remote-IP-Addr
23

The RADIUS shared secret
The shared secret is a string configured on the RADIUS server (in radiusd.conf, in /etc/radius/clients with one entry per NAS, and in /etc/radius/proxy with one entry per next hop) and on every NAS or access point. It is never sent over the network; each side uses its own copy. Both sides use it to:
v authenticate requests and responses (the Request and Response Authenticators and the Message-Authenticator attribute)
v hide the User-Password attribute of PAP requests
v verify the CHAP exchange
v protect the accounting records
The secret is entered in clear text in radiusd.conf and the clients file, or through SMIT, and may be up to 256 characters long. Recommendations:
1. The radiusd daemon reads radiusd.conf (and the clients and proxy files) as root, and the secrets in them are stored in clear text; keep those files readable by root only.
2. Use long secrets made of letters, digits and punctuation. The secret is the only key protecting the PAP password hiding described earlier, and a short secret can be guessed offline from a single captured exchange.
3. Do not reuse a secret that is also used for CHAP or PAP on another system, and use a different secret for each NAS, so that a secret recovered from one device does not expose the traffic of the others.

IP address assignment by the RADIUS server
The RADIUS server can tell the NAS which IP address to give a PPP user, either from a named pool on the NAS or from a pool managed by the RADIUS server itself. Address assignment is configured in the authorization files and, for server-side pools, in the IP pool files. The three methods are:
v Framed-Pool
v vendor-specific pool attributes
v IP pools managed by the RADIUS server

Framed-Pool
The NAS keeps one or more named pools of IP addresses. The RADIUS server returns the attribute Framed-Pool (attribute 88, defined in RFC 2869) in the Access-Accept, and the NAS allocates an address to the session from the pool of that name. Framed-Pool is set in default.auth or username.auth on the RADIUS server; its dictionary entry is:
ATTRIBUTE   Framed-Pool   88   string

The NAS must support Framed-Pool, otherwise it ignores the attribute. The NAS owns the addresses: the RADIUS server only learns which address was allocated if the NAS reports it in the accounting records (Framed-IP-Address).

Vendor-specific pool attributes
Some vendors (ISV) do not implement Framed-Pool but offer the same function through a vendor-specific attribute (VSA). A Cisco NAS, for example, accepts the pool name in Cisco-AVPair. The dictionary entries are:
VENDOR      Cisco          9
ATTRIBUTE   Cisco-AVPair   1   string

and the NAS is told which pool to use with
Cisco-AVPair = ip:addr-pool=pool-name
where pool-name is the name of a pool defined on the NAS. The RADIUS server returns the attribute in the Access-Accept and the NAS allocates an address from that pool; as with Framed-Pool, the NAS must support the attribute. The VSA is set in default.auth or username.auth on the RADIUS server.
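The following Python is an added example (not code from the AIX RADIUS server) that serves both the dictionary excerpt under "Vendor-specific attributes" and the Framed-Pool and Cisco-AVPair entries above: it reads dictionary lines in that layout, encodes the attributes an Access-Accept would carry, including the Vendor-Specific (type 26) wrapping with the enterprise number 9, and decodes them again while rejecting malformed lengths. The dictionary text is constructed from the page's entries with the leading # removed; the assumption that ATTRIBUTE lines following a VENDOR line belong to that vendor is the example's own.

```python
"""Dictionary parsing and RADIUS attribute encoding, including Vendor-Specific (26)."""
import struct

# Constructed dictionary excerpt (page entries with the leading '#' removed).
DICTIONARY = """
ATTRIBUTE   Framed-IP-Address        8     ipaddr
ATTRIBUTE   Framed-Pool              88    string
VENDOR      Cisco                    9
ATTRIBUTE   Cisco-AVPair             1     string
ATTRIBUTE   Cisco-NAS-Port           2     string
ATTRIBUTE   Cisco-Disconnect-Cause   195   integer
VALUE       Cisco-Disconnect-Cause   Idle-Timeout   21
VALUE       Cisco-Disconnect-Cause   No-Carrier     10
"""

VENDOR_SPECIFIC = 26


def parse_dictionary(text):
    """ATTRIBUTE lines after a VENDOR line belong to that vendor (assumed layout)."""
    attrs, values, vendor = {}, {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "VENDOR":
            vendor = int(fields[2])
        elif fields[0] == "ATTRIBUTE":
            attrs[fields[1]] = (vendor, int(fields[2]), fields[3])
        elif fields[0] == "VALUE":
            values[(fields[1], fields[2])] = int(fields[3])
    return attrs, values


def _encode_value(datatype, value, values, name):
    if datatype == "string":
        return value.encode()
    if datatype == "integer":
        if isinstance(value, str):
            value = values[(name, value)]          # symbolic VALUE name -> number
        return struct.pack("!I", value)
    if datatype == "ipaddr":
        return bytes(int(o) for o in value.split("."))
    raise ValueError(f"unsupported data type {datatype}")


def encode_attribute(name, value, attrs, values):
    """Type, Length (including the 2 header octets), Value; VSAs wrapped in type 26."""
    vendor, atype, datatype = attrs[name]
    data = _encode_value(datatype, value, values, name)
    if vendor is None:
        if len(data) > 253:
            raise ValueError("value too long for one RADIUS attribute")
        return bytes([atype, len(data) + 2]) + data
    inner = bytes([atype, len(data) + 2]) + data          # vendor type, vendor length, value
    if len(inner) > 249:
        raise ValueError("VSA too long")
    return bytes([VENDOR_SPECIFIC, len(inner) + 6]) + struct.pack("!I", vendor) + inner


def decode_attributes(blob, attrs, values):
    """Walk the attribute list; malformed lengths raise instead of being guessed at."""
    by_num = {(v, t): (n, d) for n, (v, t, d) in attrs.items()}
    names_by_value = {(n, num): sym for (n, sym), num in values.items()}
    out, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        body = blob[pos + 2:pos + alen]
        pos += alen
        if atype == VENDOR_SPECIFIC:
            if len(body) < 6:
                raise ValueError("VSA shorter than its vendor header")
            vendor = struct.unpack("!I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            if vlen != len(body) - 4:
                raise ValueError("VSA vendor length mismatch")
            key, data = (vendor, vtype), body[6:]
        else:
            key, data = (None, atype), body
        name, datatype = by_num.get(key, (f"Unknown-{key}", "string"))
        if datatype == "integer":
            num = struct.unpack("!I", data)[0]
            out.append((name, names_by_value.get((name, num), num)))
        elif datatype == "ipaddr":
            out.append((name, ".".join(str(b) for b in data)))
        else:
            out.append((name, data.decode(errors="replace")))
    return out


def accept_payload(attrs, values):
    """The attribute part of an Access-Accept carrying both pool forms from the text."""
    return b"".join([
        encode_attribute("Framed-Pool", "Floor5", attrs, values),
        encode_attribute("Cisco-AVPair", "ip:addr-pool=Floor5", attrs, values),
        encode_attribute("Cisco-Disconnect-Cause", "Idle-Timeout", attrs, values),
    ])
```

The length checks in decode_attributes are the part that matters on the receiving side: a length octet that points past the end of the packet, or a vendor length that disagrees with the outer one, must be rejected rather than trusted.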

IP pools managed by the RADIUS server
The RADIUS server can itself own the pools and hand out individual addresses: it returns the chosen address to the NAS in the Framed-IP-Address attribute of the Access-Accept. The pools are defined with SMIT in /etc/radius/ippool_def, and each NAS is tied to a pool by the pool name in its entry in /etc/radius/clients. When the server starts it reads /etc/radius/clients and /etc/radius/ippool_def and, for every pool, builds a pool file poolname.data that records each address of the pool and its state.
Pooling is enabled for the server in radiusd.conf (/etc/radius/radiusd.conf) with Enable_IP_Pooling=YES, and for each NAS by the pool flag (IP_pool_flag) in its clients entry being On. A pool file holds at most 256 addresses in this release of AIX; if a pool is defined with more than 256 addresses the RADIUS server reports an error.
Each line of poolname.data holds one address together with the NAS-IP and NAS-port it is allocated to and an IN USE flag. When an Access-Accept is to be sent to a NAS that has a pool, the server takes the first address that is not in use, records the NAS-IP-address and NAS-port of the request against it, marks it IN USE and returns it as Framed-IP-Address. The pool file is updated on disk, so allocations survive a restart of the server. When no address can be allocated the request is not given an address and one of these messages is logged:
v NOT_POOLED nas_ip: the NAS has no pool assigned in the clients file, or pooling is disabled for it.
v POOL_EXHAUSTED nas_ip: every address of the NAS's pool is in use.
An address is released when the NAS sends the Accounting Stop for the session: the server finds the address whose NAS-IP-address and NAS-port match the stop record and clears IN USE. Each ippool_mem entry is therefore in one of two states:
v in use: the address is allocated (IN USE true)
v free: the address is available (IN USE false)
Because the release is keyed by NAS-IP-address and NAS-port, the addresses of a NAS that stops sending accounting (for example after a reboot) stay allocated until they are reset with SMIT.
Pooling is switched on or off for the whole server with Enable_IP_Pooling in radiusd.conf. If addresses are assigned statically with Framed-IP-Address in default.auth or username.auth instead, set Enable_IP_Pool = NO so that the pools are not consulted.
Example of /etc/radius/ippool_def, as created with SMIT:
Pool name    Start address    End address
Floor5       192.165.1.1      192.165.1.125
Floor6       192.165.1.200    192.165.1.253

Example of /etc/radius/clients, as created with SMIT:
NAS-IP    Shared secret    Pool name
1.2.3.4   Secret1          Floor5
1.2.3.5   Secret2          Floor6
1.2.3.6   Secret3          Floor5
1.2.3.7   Secret4

The NAS with NAS-IP-Address 1.2.3.7 has no pool name, so no address is allocated to its users from the server's pools; the NAS must obtain addresses another way. The pool flag of a NAS (IP_pool_flag = True) makes the server allocate from the named pool for that NAS. When the RADIUS server starts, it reads these files and builds the pool files.
Framed-IP-Address can also be set statically in default.auth or username.auth. Use either static addresses or pools for a NAS, not both, and remember that the NAS-Port of the request is recorded with every pooled allocation. Two NASes can share one pool (Floor5 above is used by 1.2.3.4 and 1.2.3.6); the pool file records which NAS holds each address.
Floor5.data then looks like this:

(one line per address; NAS-IP and NAS-Port are filled in when the address is allocated, and In Use shows whether it currently is)
IP address       NAS-IP     NAS-Port    In Use
192.165.1.1      1.2.3.4
192.165.1.2      1.2.3.4
.......          ....       ....
192.165.1.124    1.2.3.6
192.165.1.125    1.2.3.6
............

Floor6.data looks like this:
IP address       NAS-IP     NAS-Port    In Use
192.165.1.200    1.2.3.5
192.165.1.201    1.2.3.5
............     .......    ....        ....
192.165.1.252    1.2.3.5
192.165.1.253    1.2.3.5

If a NAS does not release its addresses (for example because the NAS was reset while sessions were open), poolname.data still shows those addresses as in use; reset the pool for that NAS with SMIT.
IP pools are administered with SMIT, which offers:
v listing the IP pools
v managing the IP pools
The SMIT IP pool menus write /etc/radius/ippool_def (pool names and address ranges). A pool name may be up to 64 characters long. Changes to the pool definitions take effect when the RADIUS server is restarted, because the server builds the poolname.data files from ippool_def at start-up and thereafter allocates Framed-IP-Address values from those files.
The IP pool menu contains:
v List all IP pools
v Add an IP pool
v Change / Show an IP pool
v Remove an IP pool
v Reset an IP pool
v Show the addresses of an IP pool
List all IP pools: lists the pool names with their start and end addresses.
Add an IP pool: prompts for the pool name and the address range and writes the entry to ippool_def. Restart the RADIUS server for the new pool to be used.
Change / Show an IP pool: select a pool, then edit its fields; pressing Enter writes ippool_def. Restart the RADIUS server for the change to take effect.
Remove an IP pool: select a pool and confirm; the entry is deleted from ippool_def with rmippool. Restart the RADIUS server for the removal to take effect.
Reset an IP pool: sets IN-USE to 0 for all addresses of the pool that are held by a given NAS, for use after that NAS has been reset and its users are no longer connected. Restart the RADIUS server for the reset to take effect.
Show the addresses of an IP pool: shows the ippool_mem entries (address, NAS-IP, NAS-Port, In Use) of the selected pool. Restart the RADIUS server after any change made here.
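The following Python is an added example (not the pool code of the AIX RADIUS server) that replays the pool mechanics described above with the Floor5/Floor6 definitions and the clients entries from the examples: building the pool tables, allocating on Access-Accept keyed by NAS-IP-Address and NAS-Port, returning NOT_POOLED or POOL_EXHAUSTED, releasing on Accounting Stop, and the per-NAS reset that SMIT performs. The treatment of a repeated request from the same NAS port (it gets the same address rather than a second one) is an assumption of the example.

```python
"""Server-side IP pool: ippool_def + clients -> poolname.data rows, allocate, release, reset."""
import ipaddress

# Constructed from the ippool_def and clients examples above.
IPPOOL_DEF = [("Floor5", "192.165.1.1", "192.165.1.125"),
              ("Floor6", "192.165.1.200", "192.165.1.253")]
CLIENTS = {"1.2.3.4": ("Secret1", "Floor5"), "1.2.3.5": ("Secret2", "Floor6"),
           "1.2.3.6": ("Secret3", "Floor5"), "1.2.3.7": ("Secret4", None)}
MAX_POOL_SIZE = 256   # per-pool limit stated in the text


class PoolServer:
    def __init__(self, ippool_def=IPPOOL_DEF, clients=CLIENTS):
        self.clients = clients
        self.pools = {}          # pool name -> rows shaped like the lines of poolname.data
        for name, first, last in ippool_def:
            lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
            if hi < lo or int(hi) - int(lo) + 1 > MAX_POOL_SIZE:
                raise ValueError(f"pool {name}: bad range or more than {MAX_POOL_SIZE} addresses")
            self.pools[name] = [{"ip": str(ipaddress.IPv4Address(a)), "nas_ip": None,
                                 "nas_port": None, "in_use": False}
                                for a in range(int(lo), int(hi) + 1)]

    def allocate(self, nas_ip, nas_port):
        """Access-Accept: ('ok', address) or ('NOT_POOLED' | 'POOL_EXHAUSTED', nas_ip)."""
        pool_name = self.clients.get(nas_ip, (None, None))[1]
        if pool_name is None:
            return "NOT_POOLED", nas_ip
        rows = self.pools[pool_name]
        for row in rows:             # a retransmitted request from the same port keeps its address
            if row["in_use"] and (row["nas_ip"], row["nas_port"]) == (nas_ip, nas_port):
                return "ok", row["ip"]
        for row in rows:             # first free address wins
            if not row["in_use"]:
                row.update(nas_ip=nas_ip, nas_port=nas_port, in_use=True)
                return "ok", row["ip"]
        return "POOL_EXHAUSTED", nas_ip

    def release(self, nas_ip, nas_port):
        """Accounting Stop: free the address keyed by NAS-IP-Address and NAS-Port."""
        for rows in self.pools.values():
            for row in rows:
                if row["in_use"] and (row["nas_ip"], row["nas_port"]) == (nas_ip, nas_port):
                    row.update(nas_ip=None, nas_port=None, in_use=False)
                    return row["ip"]
        return None                  # Stop for a session never allocated: log it, nothing to free

    def reset_nas(self, nas_ip):
        """SMIT 'Reset an IP pool' for one NAS: clear IN USE on every address it holds."""
        freed = 0
        for rows in self.pools.values():
            for row in rows:
                if row["in_use"] and row["nas_ip"] == nas_ip:
                    row.update(nas_ip=None, nas_port=None, in_use=False)
                    freed += 1
        return freed

    def in_use(self, pool_name):
        return [(r["ip"], r["nas_ip"], r["nas_port"]) for r in self.pools[pool_name] if r["in_use"]]


if __name__ == "__main__":
    s = PoolServer()
    print(s.allocate("1.2.3.4", 1), s.allocate("1.2.3.7", 1), s.release("1.2.3.4", 1))
```

Because the release key is the NAS address and port, a Stop that arrives with a different NAS-Port than the Start (some NASes renumber ports after a reboot) frees nothing; that is the case the reset operation exists for.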

Configuring the RADIUS server with SMIT
All RADIUS server settings can be configured through SMIT; fields marked with an asterisk (*) are required. To open the RADIUS menus:
smitty radius

The RADIUS menu has entries for configuring the server, the users, the clients and the proxy, and for starting and stopping the RADIUS server.
The Configure server panel is the same one shown under "Configuring the RADIUS server" above: it edits /etc/radius/radiusd.conf with the database location (UNIX or LDAP), the local database file (dbdata.bin in /etc/radius), the debug level (3), the authentication and accounting ports (1812 and 1813), the LDAP settings (server, port 389, base DN cn=aixradius and the related options), the proxy settings (realm name, prefix delimiter $/, suffix delimiter @., retry count 2, timeout 30 and the proxy switches) and the OpenSSL and EAP method settings [TLS, MD5]. Press F1 in SMIT for help on any field.


Random numbers
The RADIUS server needs unpredictable random numbers, for the Request Authenticators of the requests it forwards as a proxy and for the challenges it issues (for example with EAP MD5-challenge). On AIX the RADIUS server obtains its random numbers from /dev/urandom. The NIST recommendations on random number generation apply to this use.
NLS
The RADIUS server, the raddbm command and the SMIT panels support NLS (national language support); their messages are produced through the AIX NLS API.

Related information: the installp, mkuser and raddbm commands.

Filtering by content (pattern filters) in AIX
AIX filter rules can inspect the data of a packet, not only its headers, and discard packets that contain a pattern known to belong to an attack or to unwanted traffic. Pattern filters are part of the IP security filtering of AIX, so they are available wherever IP security is installed.

Related information: the chfilt, ckfilt, expfilt, genfilt, impfilt, lsfilt, mkfilt, mvfilt and rmfilt commands.

A pattern rule compares the payload of a packet with one or more patterns and, when one matches, applies the rule's action (normally deny) to the packet. The patterns are kept in a pattern file, one pattern per line. The prerequisite is:
the fileset bos.net.ipsec, which provides IP security (IPsec) for AIX.
How pattern filtering works:
The pattern file is named when the filter rule is created with genfilt; the rule carries a reference to the file. The rules are activated with mkfilt; when mkfilt loads a rule that refers to a pattern file, it reads the file and loads the patterns into the kernel together with the rule. A pattern is changed by editing the file and activating the rules again.
Pattern matching is expensive: every packet that matches the header criteria of the rule is searched for every pattern, so restrict the header part of the rule (addresses, protocol, ports) as tightly as possible. For example, to protect sendmail, match only TCP traffic to port 25 (SMTP) on the server that runs sendmail and apply the patterns to that traffic alone. The narrower the rule, the less traffic is inspected.
The patterns themselves must come from somewhere; genfilt does not supply them. A public source of attack signatures is the ClamAV project at http://www.clamav.net.
Pattern file:
A pattern file is a plain text file containing the patterns to match. Each pattern is written in one of two forms:
a plain ASCII string, written as is, for example:
GET /../../../../../../../../

or a binary string written in hexadecimal with a leading 0x, for example:
0x33c0b805e0cd16b807e0cd1650558becc7460200f05d0733ffb8c800b9fffff3abb00150
e670e47132c0e67158fec03c8075f033c033c9b002fa99cd26fb4183f90575f5c3

Hexadecimal patterns are recognised by the leading 0x; the two forms may be mixed in one file, one pattern per line.
Patterns for known attacks can be obtained from http://www.clamav.net.
Performance considerations:
Pattern matching is done for every packet that reaches the rule, so a badly placed pattern rule can slow the machine down. Keep the number of patterns per rule small, and put the pattern rule behind rules that already discard or permit the bulk of the traffic by address and port, so that only the traffic of interest reaches it. A pattern rule restricted to one port (port 37 in the page's example) examines only the traffic to that port; a rule with no port restriction examines everything. Filter rules are evaluated in order and the first matching rule wins, so place the pattern rules as late in the chain as the policy allows.
To check the placement of a pattern rule:
1. Decide which traffic should reach the rule, and restrict it to that traffic with the header fields of the rule.
2. List the rules with lsfilt -a and verify that the pattern rule sits after the rules that remove the bulk of the traffic.

Test a pattern rule with the expected traffic before it goes into production: a pattern that also occurs in legitimate traffic silently discards that traffic as well.
Conditional rules (IF, ELSE, ENDIF):
Filter rules can be grouped so that a set of rules is evaluated only when a condition holds. The IF, ELSE and ENDIF actions form such a group: the rules between IF and ELSE are evaluated when the IF rule matches, those between ELSE and ENDIF when it does not. Groups may be nested.
The rules are activated in order. mkfilt -u rejects an ELSE or ENDIF that has no matching IF, and an IF must be closed by an ENDIF before mkfilt -u accepts the rule set.
ckfilt verifies the structure of the rules and shows the nesting, for example:
%ckfilt -v4
Beginning of IPv4 filter rules.
Rule 2
IF Rule 3
    IF Rule 4
        Rule 5
    ELSE Rule 6
        Rule 7
    ENDIF Rule 8
ELSE Rule 9
    Rule 10
ENDIF Rule 11
Rule 0

Note:
A rule set containing IF, ELSE or ENDIF rules is activated with mkfilt -v [4|6] -u; the rules themselves are created with genfilt (see the -e option). The actions understood by mkfilt and genfilt are permit, deny, shun_host, shun_port, if, else and endif.
ckfilt indents the rules by nesting depth and shows IF, ELSE and ENDIF with the number of the rule that carries them; run it before activating a changed rule set.
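The following Python is an added example (not AIX code) of the two checks a practitioner wants before activating such rules: a loader for the pattern file format above (ASCII lines and 0x-prefixed hexadecimal lines) with a substring matcher run over packet payloads, and a ckfilt-style nesting check that reproduces the indented listing and rejects the rule sets mkfilt -u would reject. The pattern file reuses the two patterns shown above; the rule list and the payloads are constructed.

```python
"""Pattern-file loading/matching and IF/ELSE/ENDIF nesting check for AIX filter rules."""
from typing import List, Tuple

# The two patterns shown above (the hexadecimal one joined into a single line).
PATTERN_FILE = (
    "GET /../../../../../../../../\n"
    "0x33c0b805e0cd16b807e0cd1650558becc7460200f05d0733ffb8c800b9fffff3abb00150"
    "e670e47132c0e67158fec03c8075f033c033c9b002fa99cd26fb4183f90575f5c3\n"
)


def load_patterns(text: str) -> List[bytes]:
    """Lines starting with 0x are hexadecimal, anything else is a literal ASCII pattern."""
    patterns = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if line.startswith("0x"):
            hexpart = line[2:].strip()
            if len(hexpart) % 2 or any(c not in "0123456789abcdefABCDEF" for c in hexpart):
                raise ValueError(f"line {lineno}: malformed hexadecimal pattern")
            patterns.append(bytes.fromhex(hexpart))
        else:
            patterns.append(line.encode("latin-1"))
    if not patterns:
        raise ValueError("pattern file contains no patterns")
    return patterns


def payload_matches(payload: bytes, patterns: List[bytes]) -> List[int]:
    """Indexes of the patterns found anywhere in the payload (substring search, as the filter does)."""
    return [i for i, p in enumerate(patterns) if p in payload]


def check_nesting(rules: List[Tuple[int, str]]) -> List[str]:
    """rules: (rule number, action) in activation order. Returns the ckfilt-style listing,
    or raises ValueError for an ELSE/ENDIF without IF, a second ELSE, or an unclosed IF."""
    out, open_ifs = [], []          # open_ifs: [rule number, else already seen]
    for number, action in rules:
        act, depth = action.lower(), len(open_ifs)
        if act == "if":
            out.append("    " * depth + f"IF Rule {number}")
            open_ifs.append([number, False])
        elif act == "else":
            if not open_ifs:
                raise ValueError(f"rule {number}: ELSE without IF")
            if open_ifs[-1][1]:
                raise ValueError(f"rule {number}: second ELSE for IF rule {open_ifs[-1][0]}")
            open_ifs[-1][1] = True
            out.append("    " * (depth - 1) + f"ELSE Rule {number}")
        elif act == "endif":
            if not open_ifs:
                raise ValueError(f"rule {number}: ENDIF without IF")
            open_ifs.pop()
            out.append("    " * (depth - 1) + f"ENDIF Rule {number}")
        else:
            out.append("    " * depth + f"Rule {number}")
    if open_ifs:
        raise ValueError(f"IF rule(s) {[n for n, _ in open_ifs]} never closed by ENDIF")
    return out


# The rule set of the ckfilt example above (rule 0 is the closing default rule).
EXAMPLE_RULES = [(2, "permit"), (3, "if"), (4, "if"), (5, "deny"), (6, "else"), (7, "deny"),
                 (8, "endif"), (9, "else"), (10, "permit"), (11, "endif"), (0, "deny")]

if __name__ == "__main__":
    print("\n".join(check_nesting(EXAMPLE_RULES)))
    pats = load_patterns(PATTERN_FILE)
    print(payload_matches(b"GET /../../../../../../../../etc/passwd HTTP/1.0", pats))
```

Running the matcher over a capture of normal traffic for the port the rule covers is the cheapest way to find a pattern that would also discard legitimate requests.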

Creating a filter rule with SMIT
Filter rules can also be created with SMIT, which prompts for every field of the rule. To add a rule:
1. Enter: smitty ipsec4
2. Select the entry for the IP filter rules.
3. Select the entry for adding a filter rule.
4. Fill in the Add an IP filter rule panel and press Enter.
The panel (its field labels were lost in extraction) contains, with their defaults: the rule action [permit]; the source IP address and mask (required); the destination IP address and mask; whether the rule applies to incoming, outgoing or both directions; the protocol or ICMP type with the source and destination port or ICMP code operators and values [0]; the interface; the fragment, routing and tunnel options; a flag to log matches; the expiration time in seconds; the pattern or pattern file; and a description. Fields marked with * are required; the symbol at the right of each SMIT field (x, +, #) marks a text field, a field with a list of choices, or a numeric field.
The action field accepts one of: permit, deny, shun_host, shun_port, if, else, endif.
After a rule has been added, activate the rule set with mkfilt -a; the rules are stored in /etc/security/ipsec_filter.

AIX Security Expert
AIX Security Expert is a tool that applies a coordinated set of security settings (TCP, NET, IPSEC, system and audit settings) from one place, so that the administrator does not have to adjust each of them separately. It is installed with the fileset bos.aixpert. AIX Security Expert covers about 300 settings, grouped into security levels, so that a system can be hardened to a chosen level in one step; it records what it changed so that the changes can be undone. The settings and the checks it performs are documented in the tables that follow.
The tool is started from WSM (Web-based System Manager), from SMIT, or with the aixpert command.

Security levels of AIX Security Expert
AIX Security Expert offers these levels:
High level security
Medium level security
Low level security
Default (AIX) security
The tables in this section list, for each setting, what it controls and how each level treats it.

High level security
High level security is for servers that must be hardened as far as practical, typically exposed systems such as Internet-facing servers. Most network services are disabled and most ports are closed; only the services needed to run the system and its workload stay enabled. Remote administration uses secure protocols; cleartext protocols such as telnet and rlogin are turned off, and the password, login and audit rules are at their strictest. The settings are chosen so that an attacker who reaches the network segment learns and obtains as little as possible. Check the list of disabled services against the needs of the applications on the system before applying this level.
Medium level security
Medium level security is an intermediate setting for systems on a protected network.
Low level security
Low level security applies the basic rules only.
For general guidance on security configuration checklists, see NIST Special Publication 800-70.
Default security
The Default level restores the AIX installation defaults, undoing the changes made by the other levels.

Password policy rules of AIX Security Expert
AIX Security Expert sets the password rules in /etc/security/user. A secure password policy makes passwords hard to guess (minimum length and mix of characters), forces them to be changed (maximum age) and prevents old ones from being reused (history). The table lists the attributes it changes; the values are given in the page's order (high, medium, low, AIX default), and cells that did not survive are left out.
Table 13. AIX Security Expert - password policy rules
mindiff (/etc/security/user): minimum number of characters in the new password that must not be in the old one. Values: 4, 3.
minage (/etc/security/user): minimum number of weeks that must pass before a password can be changed again. Values: 4.
maxage (/etc/security/user): maximum number of weeks a password remains valid. Values: 13, 13, 52.
minlen (/etc/security/user): minimum password length. Values: 8, 8.
minalpha (/etc/security/user): minimum number of alphabetic characters. Values: 1.
histexpire (/etc/security/user): number of weeks before a password can be reused. Values: 13, 13, 26.
maxrepeats (/etc/security/user): maximum number of times a character may be repeated in a password. Values: AIX default 8 (8 means no limit).
histsize (/etc/security/user): number of previous passwords that cannot be reused. Values: 20, 4, 4.
maxexpired (/etc/security/user): number of weeks after maxage during which an expired password can still be changed by the user. Values: 4, 8, AIX default -1 (no limit).
minother (/etc/security/user): minimum number of non-alphabetic characters. Values: 2, 1.
pwdwarntime (/etc/security/user): number of days before expiration that the user is warned. Values: 5, 14, 5.
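The following Python is an added example, not part of AIX, that applies the composition rules of Table 13 (minlen, minalpha, minother, mindiff, maxrepeats and histsize, with the AIX meaning of maxrepeats = 8 as "no limit") to a candidate password, so that a policy can be tried against real passwords before chsec changes /etc/security/user. The HIGH_PROFILE values are the first values listed for each attribute above, where one survived; the candidate passwords are constructed. The ageing attributes (minage, maxage, histexpire, maxexpired, pwdwarntime) are time based and are not modelled.

```python
"""Check a candidate password against /etc/security/user style composition rules."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class PasswordRules:
    minlen: int = 0
    minalpha: int = 0
    minother: int = 0
    mindiff: int = 0
    maxrepeats: int = 8          # AIX: 8 means no limit on repeated characters
    histsize: int = 0            # previous passwords that may not be reused (0 = none kept)
    history: List[str] = field(default_factory=list)   # most recent password first


def check_password(new: str, old: str, rules: PasswordRules) -> List[str]:
    """Return the names of the rules the new password violates (empty list = acceptable)."""
    violations = []
    if len(new) < rules.minlen:
        violations.append("minlen")
    alpha = sum(c.isalpha() for c in new)
    if alpha < rules.minalpha:
        violations.append("minalpha")
    if len(new) - alpha < rules.minother:              # non-alphabetic: digits, punctuation
        violations.append("minother")
    if sum(1 for c in new if c not in old) < rules.mindiff:   # characters not in the old password
        violations.append("mindiff")
    if rules.maxrepeats < 8 and new:
        if max(new.count(c) for c in set(new)) > rules.maxrepeats:
            violations.append("maxrepeats")
    if rules.histsize and new in rules.history[:rules.histsize]:
        violations.append("histsize")
    return violations


# First values of Table 13 above; maxrepeats left at the AIX default (no limit).
HIGH_PROFILE = PasswordRules(minlen=8, minalpha=1, minother=2, mindiff=4, histsize=20)

if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "password", "Ab1!"):
        print(candidate, check_password(candidate, "oldpass", HIGH_PROFILE))
```

The mindiff check is the one that surprises users most: a new password that merely rotates the characters of the old one fails it even when it satisfies every other rule.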


Integrity checks of AIX Security Expert
AIX Security Expert runs the AIX consistency-checking commands to verify the user, group and password databases and the trusted computing base (the -y flag makes the commands repair what they find).
Table 14. AIX Security Expert - integrity checks
Group definitions: checks the consistency of the group database with
% grpck -y ALL

Trusted computing base: checks the TCB with tcbck:
% tcbck -y ALL
Note: the TCB can only be checked if it was enabled when the system was installed (it is a prerequisite, prereqtcb); on a system without the TCB, tcbck reports that the TCB is not enabled and the check is skipped.

File system integrity: verifies the installed files against the software inventory in /etc/objrepos/inventory with sysck:
% sysck -i -f \
/etc/security/sysck.cfg.rte

Password database: checks the password files with
% pwdck -y ALL

User definitions: checks the user database with
% usrck -y ALL

Login policy rules of AIX Security Expert
AIX Security Expert sets the login rules in /etc/security/login.cfg and /etc/security/user. They limit how many times a login may fail before a port or an account is locked, how long a login may take, whether root may log in remotely or locally at all, and how long a failed attempt delays the next prompt; together they make password guessing slow and visible. The values are given in the page's order (high, medium, low, AIX default), and cells that did not survive are left out.
Table 15. AIX Security Expert - login policy rules
logininterval (/etc/security/login.cfg): the interval, in seconds, within which the unsuccessful attempts counted by logindisable must occur for the port to be disabled. For example, with logininterval 60 and logindisable 4, a port is disabled after four failed logins within 60 seconds. Values: 300.
loginretries (/etc/security/user): the number of consecutive unsuccessful login attempts after which the account is locked; 0 means no limit. Applied to all users, including root. Values: 3, 4.
rlogin (/etc/security/user): whether root may log in remotely (rlogin, telnet); when false, root can only log in at the console.
loginreenable (/etc/security/login.cfg): the number of minutes after which a port disabled by logindisable is re-enabled automatically; 0 means the port stays disabled until an administrator re-enables it. Values: 360, 30.
logindisable (/etc/security/login.cfg): the number of unsuccessful login attempts within logininterval after which the port is disabled. Values: 10, 10.
logintimeout (/etc/security/login.cfg): the number of seconds the user has to enter the password before the login is abandoned. Values: 30, 60, 60, AIX default 60.
logindelay (/etc/security/login.cfg): the delay, in seconds, before the next login prompt after a failed attempt; it grows with every failure. With logindelay 5, the second prompt comes 5 seconds after the first failure, the third 10 seconds (2*5) after the second, the fourth 15 seconds (3*5) after the third. Values: 10, 5, 5.
login (/etc/security/user): whether root may log in locally; set to false where root should only be reached with su from an ordinary account.
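The following Python is an added example (not AIX code) that simulates the interaction of the rules in Table 15: per-port failure counting within logininterval, disabling the port at logindisable, automatic re-enabling after loginreenable minutes, the growing logindelay, and the per-account lock at loginretries. The attempts fed to it are constructed; the model is the one the descriptions above imply and is not taken from the AIX login code.

```python
"""Port lockout, growing delay and account lock as configured by login.cfg and /etc/security/user."""
from collections import defaultdict, deque


class LoginGuard:
    def __init__(self, logininterval=300, logindisable=10, loginreenable=360,
                 logindelay=5, loginretries=3):
        self.interval = logininterval        # seconds
        self.disable_after = logindisable    # failures within interval (0 = never disable)
        self.reenable = loginreenable        # minutes (0 = disabled until an administrator acts)
        self.delay = logindelay              # seconds, multiplied by the failure count on the port
        self.retries = loginretries          # consecutive failures per user (0 = no limit)
        self.port_failures = defaultdict(deque)   # port -> timestamps of recent failures
        self.port_disabled_until = {}             # port -> time (None = until re-enabled by hand)
        self.user_failures = defaultdict(int)
        self.locked_users = set()

    def port_open(self, port, now):
        until = self.port_disabled_until.get(port, -1)
        if until is None or now < until:
            return False
        self.port_disabled_until.pop(port, None)   # loginreenable has elapsed
        return True

    def attempt(self, user, port, ok, now):
        """Record a login attempt; return (outcome, delay in seconds before the next prompt)."""
        if not self.port_open(port, now):
            return "port-disabled", 0
        if user in self.locked_users:
            return "account-locked", 0
        if ok:
            self.user_failures[user] = 0
            self.port_failures[port].clear()
            return "ok", 0
        recent = self.port_failures[port]
        recent.append(now)
        while recent and now - recent[0] > self.interval:   # forget failures outside the window
            recent.popleft()
        self.user_failures[user] += 1
        if self.retries and self.user_failures[user] >= self.retries:
            self.locked_users.add(user)
        if self.disable_after and len(recent) >= self.disable_after:
            self.port_disabled_until[port] = now + self.reenable * 60 if self.reenable else None
            recent.clear()
            return "port-disabled", 0
        return "failed", self.delay * len(recent)


if __name__ == "__main__":
    g = LoginGuard(logininterval=60, logindisable=4, loginreenable=1, logindelay=5, loginretries=0)
    for t in range(5):
        print(t, g.attempt("alice", "tty0", False, t))
```

Note that loginretries locks the account wherever the failures come from, while logindisable locks one port: an attacker rotating through ports is stopped by the first, an attacker rotating through user names by the second.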


Audit settings of AIX Security Expert
AIX Security Expert enables the AIX audit subsystem, which records security-relevant events (logins, use of su, changes to users and groups, the actions of selected commands) so that they can be reviewed later. Two things are decided before auditing is enabled:
1. Where the audit records go: AIX Security Expert uses bin mode and writes the records to files under /audit.
2. How much space they may use: a 100 MB file system is created for /audit.
AIX Security Expert then configures and starts auditing as follows:
1. A JFS file system of 100 MB is created and mounted on /audit.
2. Audit collection is set to bin mode; /etc/security/audit/config is changed to:
start:
        binmode = on
        streammode = off
bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
(the remainder of the file is left as it is).
3. The audit classes to be recorded for each user are set (see Table 16).
4. Auditing is started.
5. Users created afterwards get the same audit classes through the auditclasses entry of /usr/lib/security/mkuser.default.
6. A cron job is installed that manages the size of /audit.
Table 16 shows which audit classes each security level assigns.
Table 16. Audit classes assigned by AIX Security Expert
In /etc/security/audit/config, the users stanza is set to:
High level:   root: General, Src, Mail, Cron, Tcpip, Ipsec, Lvm; other users: General, Src, Cron, Tcpip
Medium level: root: General, Src, Tcpip; other users: General
Low level:    root: General, Tcpip; other users: General, Tcpip
AIX default:  no classes set
In /usr/lib/security/mkuser.default, the auditclasses entry for new users is set to:
High level:   auditclasses=general,SRC,cron,tcpip
Medium level: auditclasses=general
Low level:    auditclasses=general,tcpip
The login class used by these settings is defined as:
default=login
login = USER_SU, USER_Login, USER_Logout, TERM_Logout, USER_Exit

The cron job installed by AIX Security Expert keeps /audit from filling up: when the audit trail reaches its limit, the current trail is moved aside (/audit/trail becomes /audit/trailOneLevelBack) and a new trail is started, so one generation of old records is kept on the system. Archive the old trail elsewhere if records must be retained for longer.

/etc/inittab entries controlled by AIX Security Expert
AIX Security Expert enables or disables daemons that are started from /etc/inittab by adding or removing their entries. The entries it manages are:
Table 17. AIX Security Expert - /etc/inittab entries
qdaemon (print queue daemon): the /etc/inittab entry
qdaemon:2:wait:/usr/bin/startsrc -sqdaemon

lpd (line printer daemon): the /etc/inittab entry
lpd:2:once:/usr/bin/startsrc -s lpd

CDE (the Common Desktop Environment, started on the LFT console): the /etc/inittab entry
dt:2:wait:/etc/rc.dt

piobe (printer I/O back end): the /etc/inittab entry
piobe:2:wait:/usr/lib/lpd/pio/etc/pioinit >/dev/null 2>&1

316

AIX 5.3:

/etc/rc.tcpip
AIX
AIX /etc/rc.tcpip,
.
, /etc/rc.tcpip,
.
18. AIX /etc/rc.tcpip


/etc/rc.tcpip:
start /usr/lib/sendmail "$src_running"

,
AIX


AIX


/etc/rc.tcpip:
start /usr/sbin/routed "$src_running" -q


AIX


mrouted


/etc/rc.tcpip:
start /usr/sbin/mrouted "$src_running"


AIX


timed


/etc/rc.tcpip:
start /usr/sbin/timed


AIX

317

18. AIX /etc/rc.tcpip ()



rwhod


/etc/rc.tcpip:
start /usr/sbin/rwhod "$src_running"

,
AIX


AIX


/etc/rc.tcpip:
start /usr/sbin/lpd "$src_running"


AIX


SNMP /
SNMP


/etc/rc.tcpip:
start /usr/sbin/snmpd "$src_running"


AIX

DHCP
Agent


/etc/rc.tcpip:
start /usr/sbin/dhcprd "$src_running"


AIX


DHCP
/etc/rc.tcpip:
start /usr/sbin/dhcpsd "$src_running"


AIX

318

AIX 5.3:

18. AIX /etc/rc.tcpip ()


autoconf6


/etc/rc.tcpip:
start /usr/sbin/autoconf6 "

,
AIX


AIX


DNS
/etc/rc.tcpip:
start /usr/sbin/named "$src_running"


AIX


gated


/etc/rc.tcpip:
start /usr/sbin/gated "$src_running"


AIX

DHCP
Client


/etc/rc.tcpip:
start /usr/sbin/dhcpd "$src_running"


AIX


DPID2


/etc/rc.tcpip:
start /usr/sbin/dpid2 "$src_running"


AIX

319

18. AIX /etc/rc.tcpip ()



NTP
/etc/rc.tcpip:
start /usr/sbin/xntpd "$src_running"

,
AIX


AIX

/etc/inetd.conf services controlled by AIX Security Expert
AIX Security Expert disables inetd services by commenting out their lines in /etc/inetd.conf and re-enables them by uncommenting the lines. Most of the services below are not needed on a hardened server: the r-commands (rshd, rlogind, rexecd) and telnet, ftp, pop3 and imap send credentials in the clear; the RPC-based services (sprayd, rusersd, rwalld, rstatd, pcnfsd, rexd, cmsd, ttdbserver, rquotad) have a long history of vulnerabilities; and the "internal" services (echo, chargen, discard, daytime, time) serve no purpose beyond testing and can be abused for traffic amplification. After changing /etc/inetd.conf, run refresh -s inetd for the change to take effect. The services and their lines are (some lines were truncated in extraction and are shown as they survived):
Table 19. AIX Security Expert - /etc/inetd.conf entries
sprayd:
sprayd sunrpc_udp udp wait root /usr/lib/netsvc/

UDP chargen:
chargen dgram udp wait root internal

telnet:
telnet stream tcp6 nowait root /usr/sbin/telnetd telnetd

UDP echo:
echo dgram udp wait root internal

tftp:
tftp dgram udp6 SRC nobody /usr/sbin/tftpd tftpd -n

krshd:
kshell stream tcp nowait root /usr/sbin/krshd krshd

rusersd:
rusersd sunrpc_udp udp wait root /usr/lib/netsvc/

rexecd:
exec stream tcp6 nowait root /usr/sbin/rexecd rexecd

pop3d:
pop3 stream tcp nowait root /usr/sbin/pop3d pop3d

pcnfsd:
pcnfsd sunrpc_udp udp wait root /usr/sbin/rpc.pcnfsd pcnfsd

bootpd:
bootps dgram udp wait root /usr/sbin/bootpd

rwalld:
rwalld sunrpc_udp udp wait root /usr/lib/netsvc/

UDP discard:
discard dgram udp wait root internal

TCP daytime:
daytime stream tcp nowait root internal

netstat:
netstat stream tcp nowait nobody /usr/bin/netstat

rshd:
shell stream tcp6 nowait root /usr/sbin/rshd rshd

cmsd:
cmsd sunrpc_udp udp wait root /usr/dt/bin/rpc.cms cmsd

ttdbserver:
ttdbserver sunrpc_tcp tcp wait root /usr/dt/bin/

uucpd:
uucp stream tcp nowait root /usr/sbin/uucpd uucpd

UDP time:
time dgram udp wait root internal

TCP time:
time stream tcp nowait root internal

rexd:
rexd sunrpc_tcp tcp wait root /usr/sbin/rpc.rexd rexd

TCP chargen:
chargen stream tcp nowait root internal

rlogind:
login stream tcp6 nowait root /usr/sbin/rlogind rlogind

talkd:
talk dgram udp wait root /usr/sbin/talkd talkd

fingerd:
finger stream tcp nowait nobody /usr/sbin/fingerd fingerd

ftpd:
ftp stream tcp6 nowait root /usr/sbin/ftpd ftpd

imapd:
imap2 stream tcp nowait root /usr/sbin/imapd imapd

comsat:
comsat dgram udp wait root /usr/sbin/comsat comsat

rquotad:
rquotad sunrpc_udp udp wait root /usr/sbin/rpc.rquotad

UDP daytime:
daytime dgram udp wait root internal

krlogind:
klogin stream tcp nowait root /usr/sbin/krlogind krlogind

TCP discard:
discard stream tcp nowait root internal

TCP echo:
echo stream tcp nowait root internal

systat:
systat stream tcp nowait nobody /usr/bin/ps ps -ef

rstatd:
rstatd sunrpc_udp udp wait root /usr/sbin/rpc.rstatd rstatd

dtspc:
dtspc stream tcp nowait root /usr/dt/bin/dtspcd

SUID AIX
, SUID. ,
. AIX
SUID .
v rcp
v rdist
v remsh
v rexec
v rlogin
v rsh

20. SUID - AIX


SUID

SUID
:
v /usr/bin/rcp
v /usr/bin/rdist
v /usr/bin/remsh
v /usr/bin/rexec
v /usr/bin/rlogin
v /usr/bin/rsh

SUID

SUID
:
v /usr/bin/rcp
v /usr/bin/rdist
v /usr/bin/remsh
v /usr/bin/rexec
v /usr/bin/rlogin
v /usr/bin/rsh

,
AIX

AIX






AIX

AIX
AIX .
,
. ,
, .
, .
AIX, .
v rcp
v rlogin
v rsh
v tftp
v rlogind
v rshd
v tftpd


21. AIX -

TCB, rlogind,
rshd tftpd, sysck
. TCB ,
rlogind, rshd tftpd.

,
AIX





AIX

1. TCB, rcp,
rlogin, rsh tftp sysck

. TCB

, rcp, rlogin

rsh.
2. rcp, rlogin,
rsh, tftp uftp, -

AIX.
3. tcpip: /etc/security/config,
.netrc ftp rexec.

1. TCB , rcp,
rlogin, rsh tftp sysck
. TCB
, rcp, rlogin rsh.
2. /etc/security/config.



AIX





AIX

1. TCB,


rlogind, rshd tftpd

sysck .

TCB , rlogind,

rshd tftpd .

NFS

2. rlogind,
rshd tftpd, -

AIX.

v NFS

v NFS
v NFS /etc/inittab

AIX





AIX


21. AIX - ()
,
AIX

NFS

v /etc/exports
v /etc/inittab /etc/rc.nfs

v /etc/rc.nfs





AIX

,
, AIX
AIX ,
.
/etc/hosts.equiv, $HOME/.rhosts
, .
, .
22. AIX - ,


rhosts netrc

.rhosts .netrc

, .

, AIX

.rhosts .netrc
,
root.


.rhosts .netrc
,
root.

.rhosts .netrc
root.
AIX
.rhosts .netrc
,
root.

/etc/hosts.equiv

/etc/hosts.equiv

$HOME/.rhosts, ,


.

,

.


/etc/hosts.equiv.

/etc/hosts.equiv.

/etc/hosts.equiv.
AIX
/etc/hosts.equiv.

AIX
.
0, , 1, .


,
. ,
.
23. AIX -


ipsrcrouteforward

, ,
ICMP.
ipsrcrouteforward, ,

.

,
AIX

0


0


AIX
1

ipignoreredirects
.





AIX


clean_partial_conns

,
(SYN).


1

1
AIX

ipsrcrouterecv

, ,
ICMP.
ipsrcrouterecv, ,

.





AIX

ipforwarding

, .
ipforwarding,
.





AIX


23. AIX -
()

,
AIX

ipsendredirects

,
. ipsendredirects,
.





AIX
1

ip6srcrouteforward

, IPv6,
ICMP.
ip6srcrouteforward, ,

.





AIX
1


directed_broadcast

,
.
directed_broadcast,
.


0

0
AIX


tcp_pmtu_discover

MTU
TCP. tcp_pmtu_discover,
,
.


0

0
AIX
1

bcastping

ICMP,
. bcastping,
smurf (,


IP-).


0

0

0
AIX


23. AIX -
()

icmpaddressmask ,
ICMP. icmpaddressmask,
,
.

,
AIX

0


0

0
AIX


udp_pmtu_discover

MTU
UDP. udp_pmtu_discover,
,
.


0

0
AIX
1

ipsrcroutesend

,
ICMP. ipsrcroutesend,
,
.





AIX
1

nonlocsrcroute

, IP
.
nonlocsrcroute, ,

.





AIX

, .
24. AIX -

rfc1323

rfc1323
TCP.

,
AIX

1


1

1
AIX


24. AIX - ()

tcp_sendspace

tcp_sendspace
,
, ,
.

,
AIX

262144


262144

262144
AIX
16384

tcp_mssdflt

,
.


1448


1448

1448
AIX
1460
extendednetstats
.


1

1
AIX

tcp_recvspace

tcp_recvspace
,
.


262144


262144

262144
AIX
16384
sb_max

sb_max
,
,
,
.


1048576

1048576

1048576
AIX
1048576

IPsec AIX
AIX IPsec.


25. AIX - IPsec


,
tcp udp .
,
.

,
AIX





AIX

.

,

.
.



AIX

AIX
AIX ,
.
26. - AIX

,
AIX


root

$HOME/.profile , $HOME/.kshrc,
$HOME/.cshrc $HOME/.login "."
PATH, .

AIX

, cron
root.


cron.allow

root
cron.deny.





AIX
cron.allow

cron.deny.


26. - AIX ()


/etc/environment

. PATH
/etc/environment.

,
AIX

AIX


-root

. PATH
$HOME/.profile, $HOME/.kshrc, $HOME/.cshrc
$HOME/.login , root.





AIX

root
/etc/ftpusers

root /etc/ftpusers,
, ftp

root.



AIX

root
/etc/ftpusers

root /etc/ftpusers, ,
ftp
root.





AIX

, /etc/security/login.cfg
herald
herald. herald ,
. herald ,
en_US -
herald="Unauthorized use of this system is prohibited.\nlogin:"
. ,
herald

/etc/security/login.cfg :
herald="Unauthorized use of this system is prohibited.\nlogin:"
Unauthorized use of this \
system is prohibited.\nlogin:
:
.
,
.


herald="Unauthorized use of this system is prohibited.\nlogin:"
AIX
herald=


26. - AIX ()


guest

guest
,
.
AIX, guest .
:
,
AIX
.

,
AIX



guest



guest


guest
AIX

guest.


Crontab

, crontab root

root.

AIX


X-Server


X-Server.





AIX


umask
/etc/security/user,
077
.


027


AIX
022

core

core
/etc/security/limits,
core root.
:
.
,
.


0

0

0
AIX
2097151

AIX
AIX .


AIX .
27. AIX
,

X-Server ,

,
root
AIX

guest ,

TCB ,

AIX
AIX .
AIX,
. -
AIX,
/etc/security/aixpert/check_report.txt
AIX.
, talkd /etc/inetd.conf, .
talkd , ,
check_report.txt :
coninetdconf.ksh: Service talk using protocol udp should be disabled, however it is enabled now.

, check_report.txt .
, , ,
, AIX.
,
.

AIX
AIX .
/etc/security/aixpert/core/aixpertall.xml
XML .
/etc/security/aixpert/core/appliedaixpert.xml
XML .
/etc/security/aixpert/core/secaixpert.xml
XML AIX
GUI.
/etc/security/aixpert/log/aixpert.log
. AIX
syslog; AIX
/etc/security/aixpert/log/aixpert.log.
: AIX XML
:
/etc/security/aixpert/                          drwx------
/etc/security/aixpert/core/                     drwx------
/etc/security/aixpert/core/aixpertall.xml       r-------
/etc/security/aixpert/core/appliedaixpert.xml
/etc/security/aixpert/core/secaixpert.xml
/etc/security/aixpert/log                       drwx------
/etc/security/aixpert/log/aixpert.log           -rw------
/etc/security/aixpert/core/secundoaixpert.xml   rw------
/etc/security/aixpert/check_report.txt          rw-------


AIX
AIX.
AIX
(NIST) IT -
( Web- NIST:
http://www.nist.gov/index.html). , - ,
. , .
, .
, .
, .
Internet. Internet, ,
HTTP,
. ISP,
.
, .
telnet, rlogin, ftp ,
. Internet.
, openssh.
AIX, , -
, .
.
HTTP , .
, AIX ,
.
.
, Internet.


AIX
AIX.


, ,
. .
, telnet ftp.
, ,
,
. ,
.


AIX
AIX.
.
. .
, .
.

AIX

AIX.
AIX ,
. , AIX AIX.
, , AIX
( ).
. ,
AIX. ,
, /etc/security/aixpert/core/
appliedaixpert.xml . ,
, , :
aixpert -f appliedaixpert.xml



.
,
.
v AIX . :
, CDE, GNOME KDE.
, . ,
, ,
Web- IBM System p eServer Support Fixes (http://www-03.ibm.com/servers/eserver/support/unixservers/aixfixes.html).
.
v .
v , , daemon, bin, sys, adm, lp
uucp. , (,
) .
,
.


v /etc/inetd.conf, /etc/inittab, /etc/rc.nfs /etc/rc.tcpip


.
v , :
-rw-rw-r--  root  system  /etc/filesystems
-rw-rw-r--  root  system  /etc/hosts
-rw-------  root  system  /etc/inittab
-rw-r--r--  root  system  /etc/vfs
-rw-r--r--  root  system  /etc/security/failedlogin
-rw-rw----  root  audit   /etc/security/audit/hosts

v root.
.
v .
. 84.
v .
. 26.
v xhost.
X11 CDE . 32.
v PATH.
PATH . 51.
v telnet, rlogin rsh. TCP/IP .
164.
v .
. 49.
v .
. 59.
v .
. 68.
v su .
su /var/adm/sulog.
v X-Windows.
v cron at ,
.
v ls, .
v rm, .
v .
. 172.
v .
v , .

,
, , : Web-,
.

Web-,
AIX Virtual Private Networks: http://www-1.ibm.com/servers/aix/products/ibmsw/security/vpn/index.html
CERIAS (Center for Education and Research in Information Assurance and Security): http://www.cerias.purdue.edu/
CERT (Computer Emergency Response Team -): http://www.cert.org/


Computer Security Resource Clearinghouse: http://csrc.ncsl.nist.gov/


FIRST (Forum of Incident Response and Security Teams): http://www.first.org/
IBM eServer Security Planner: http://publib.boulder.ibm.com/infocenter/eserver/v1r1/en_US/index.htm?info/secplanr/securwiz.htm
OpenSSH: http://www.openssh.org/
IBM Security: http://www.ibm.com/servers/eserver/pseries/security/

,
CERT: http://www.cert.org/contact_cert/
IBM System p eServer : http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
comp.security.unix: news:comp.security.unix


faqs.org: http://www.faqs.org/faqs/computer-security/
IBM AIX Information Center: http://publib16.boulder.ibm.com/pseries/index.htm

AIX
AIX. ,
.
,
:
v /etc/inetd.conf
v /etc/inittab
v /etc/rc.nfs
v /etc/rc.tcpip

inetd/bootps

inetd

/etc/inetd.conf

v NIM
.
v tftp.
v
.

inetd/chargen

inetd

/etc/inetd.conf

).

v
TCP UDP.
v
" ".
v ,
.


inetd/cmsd

inetd

/etc/inetd.conf

(
CDE).

v root,

.
v CDE,
.
v .

inetd/comsat

inetd

/etc/inetd.conf

v root,

.
v .
v .

inetd/daytime

inetd

/etc/inetd.conf


(
).

v root.
v
TCP UDP.
v
" "
PING.
v
.
v .

inetd/discard

inetd

/etc/inetd.conf

/dev/null
(
).

v
TCP UDP.
v
" ".
v

v .
inetd/dtspc

inetd

/etc/inetd.conf

CDE.

v
inetd
CDE
.

.
v CDE.
v CDE
.
v ,

inetd/echo

inetd

/etc/inetd.conf


(
).

v
TCP UDP.
v
" " "Smurf".
v
- -


.
v .


inetd/exec

inetd

/etc/inetd.conf

v root.
v
,
.
v
.
v .

inetd/finger

inetd

/etc/inetd.conf

v root.
v
.
v .

inetd/ftp

inetd

/etc/inetd.conf

v root.
v
,
.
v
.

inetd/imap2

inetd

/etc/inetd.conf

Internet.

v
.
v

.

.
v
.

inetd/klogin

inetd

/etc/inetd.conf


Kerberos.

v ,

Kerberos.

inetd/kshell

inetd

/etc/inetd.conf

Kerberos.

v ,

Kerberos.

inetd/login

inetd

/etc/inetd.conf


rlogin.

v IP DNS.
v ,
,
.
v root.
v
.

inetd/netstat

inetd/ntalk

inetd

inetd

/etc/inetd.conf

/etc/inetd.conf

v
.

v root.

v .

v
.
v ,


inetd/pcnfsd

inetd

/etc/inetd.conf


PC.

v ,
.

inetd/pop3

inetd

/etc/inetd.conf

v ,

Samba, pcnfsd

Microsoft
SMB.

v

.
.
v ,


,
POP3
v POP3
IMAP,
IMAP, POP3s.

SSL.
v ,


,
POP.

inetd/rexd

inetd

/etc/inetd.conf

v root.
v on.
v .
v
rsh rshd.

inetd/quotad

inetd

/etc/inetd.conf

v

NFS.

v
,
NFS.

quota
v ,

.

inetd/rstatd

inetd

/etc/inetd.conf

v
SNMP,
.
v
rup.

inetd/rusersd

inetd

/etc/inetd.conf

v .
.
v root.
v rusers

.


inetd/rwalld

inetd

/etc/inetd.conf


- .

v root.
v

,
.
v
.
v .

inetd/shell

inetd

/etc/inetd.conf

rsh.

v .

.
v
,
TCP,

.
v Xhier.

inetd/sprayd

inetd

/etc/inetd.conf


RPC
spray.

v root.
v
NFS.
v ,
NFS.

inetd/systat

inetd

/etc/inetd.conf

"ps -ef".

v


.
v
.
,
.

inetd/talk

inetd/ntalk

inetd/telnet

inetd

inetd

inetd

/etc/inetd.conf

/etc/inetd.conf

/etc/inetd.conf

-
.

v .


talk.

-
.

v .

telnet.

v
.
.

v talk.
v UDP 517.
v ,


UNIX

v talk.
v UDP 517.
v ,


UNIX

v ,

.


inetd/tftp

inetd

/etc/inetd.conf

v UDP 69.
v root.
v NIM.
v ,
NIM

.

inetd/time

inetd

/etc/inetd.conf

v inetd,
rdate.
v
TCP UDP.
v

.
v .
ntpdate
v

(/).
,
.

inetd/ttdbserver

inetd

/etc/inetd.conf


tool-talk
( CDE).

v rpc.ttdbserverd
root.
v
CDE, CDE
.
v
,
.

inetd/uucp

inetd

/etc/inetd.conf


UUCP.

v ,
,
UUCP.

inittab/dt

init

/etc/rc.dt /etc/inittab



CDE.

v X11.
v
X11 (xdmcp),

X11.
v

.
.

inittab/dt_nogb

inittab/httpdlite

init

init

/etc/inittab

/etc/inittab



CDE
(
).

v

.

Web-

docsearch.

v Web-
.

v , inittab/dt

v ,

.


inittab/i4ls

init

/etc/inittab

-
.

v ,
.
v .
v ,

.
v
,
.

inittab/imqss

inittab/lpd

init

init

/etc/inittab

/etc/inittab

v Web-
.

BSD.

v ,
.

v ,

.

v ,

.
v , ,

.

inittab/nfs

init

/etc/inittab

v NFS NIS
UDP/RPC.
v
.
v
.

inittab/piobe

init

/etc/inittab

v ,
,

qdaemon
v ,

,
.

inittab/qdaemon

init

/etc/inittab


( ).

v
piobe.
v ,

.

inittab/uprintfd

init

/etc/inittab

inittab/writesrv

init

/etc/inittab

v .
v .
v

UNIX
v ,

,
.
v
.


inittab/xdm

init

/etc/inittab

X11.

v
.
v
,

X11.
v
,
.

rc.nfs/automountd

rc.nfs/biod

rc.nfs/keyserv

/etc/rc.nfs

/etc/rc.nfs

/etc/rc.nfs

v
, NFS.


-
(
NFS).

v
NFS.


RPC.

v ,
RPC.

v

,

.

v
NFS, ,
nfsd rpc.mountd

v NIS+.
v ,
NFS, NIS NIS+.

rc.nfs/nfsd

/etc/rc.nfs

NFS
(
NFS).

v .
v .
v ,
NFS.
v ,
biod, nfsd
rpc.mountd.

rc.nfs/rpc.lockd

/etc/rc.nfs

NFS.

v ,
NFS.
v ,

.
v lockd

, SANS
Top Ten Security Threats.

rc.nfs/rpc.mountd

/etc/rc.nfs

NFS
(

NFS).

v .
v .
v
, NFS.
v ,
biod nfsd.

rc.nfs/rpc.statd

/etc/rc.nfs

NFS (
.).

NFS.

v ,
NFS.


rc.nfs/rpc.yppasswdd

/etc/rc.nfs


NIS (
NIS).

v
.
v
NIS.
.

rc.nfs/ypupdated

/etc/rc.nfs

v NIS
NIS
NIS.
(
v
NIS).

NIS.

rc.tcpip/autoconf6

/etc/rc.tcpip

IPv6.

v ,
IPv6

rc.tcpip/dhcpcd

/etc/rc.tcpip


().

v

DHCP.
.
v DHCP,
.

rc.tcpip/dhcprd

/etc/rc.tcpip

DHCP

.
(-
v
).
.
v ,
DHCP
.

rc.tcpip/dhcpsd

/etc/rc.tcpip


().

v DHCP,

;
, , IP-,
, ,

.
v ,
DHCP.
v
, ,
DHCP.

rc.tcpip/dpid2

/etc/rc.tcpip

SNMP.

v ,
SNMP.

rc.tcpip/gated

/etc/rc.tcpip

v
.

inetd.

v

,

.

rc.tcpip/inetd

/etc/rc.tcpip

v
RIP .

v
,

Web-.



rc.tcpip/mrouted

/etc/rc.tcpip

v


.
v .
.

rc.tcpip/names

/etc/rc.tcpip


(DNS).

v
,
DNS.
v
, ,
,
.

rc.tcpip/ndp-host

/etc/rc.tcpip


IPv6.

v ,
IPv6

rc.tcpip/ndp-router

/etc/rc.tcpip

-
IPv6.

v ,
IPv6. IPv6
.

rc.tcpip/portmap

/etc/rc.tcpip


RPC.

v .
v RPC
portmap. ,

RPC,
portmap, ,
.
v portmap
,
RPC.

rc.tcpip/routed

/etc/rc.tcpip

-
RIP
.

v
.
v ,

.

rc.tcpip/rwhod

/etc/rc.tcpip

v
"who".
.

rc.tcpip/sendmail

/etc/rc.tcpip

. v root.

v .

v ,

.
v ,

:
crontab
.
/usr/lib/sendmail -q.
DNS
,

- .
rc.tcpip/snmpd

/etc/rc.tcpip

v ,


.
SNMP.
v SNMP
.


rc.tcpip/syslogd

/etc/rc.tcpip

v
.
v "
".
v .

rc.tcpip/timed

/etc/rc.tcpip

v
xntp.

rc.tcpip/xntpd

/etc/rc.tcpip

v
.
v .
v



cron,
ntpdate.

dt login

/usr/dt/config/Xaccess

CDE
.

v
CDE X11,
dtlogin
.

FTP

user rmuser -p <>

ftp.

v FTP

,
FTP.
v
ftp,
rmuser -p ftp.
v

/etc/ftpusers ,

FTP.


FTP.

FTP.

v ftp
- .
v
FTP

,
.
v /etc/ftpusers
,
.
v ,


FTP: root, daemon,
bin, sys, adm, uucp, guest, nobody, lpd,
nuucp, ldap.
v
ftpusers
: chown
root:system /etc/ftpusers
v
ftpusers
: chmod 644 /etc/ftpusers


ftp.restrict

root.access

snmpd.readWrite

/etc/security/user

/etc/snmpd.conf


FTP.

v ftpusers




root
rlogin/telnet.

v rlogin
/etc/security/user false.
v ,
root,


root
su;
.

SNMP v SNMP,
readWrite.
SNMP.
v

/etc/snmpd.conf.
v 'public'
IP-,
.

syslog.conf

syslogd.

v
/etc/syslog.conf,
.
v syslog.conf

, .



. (0) (1) .
, no.

bcastping

/usr/sbin/no -o bcastping=0

ICMP,

. ,
Smurf
(,


IP-).

clean_partial_conns

/usr/sbin/no -o clean_partial_conns=1

,
SYN (,


SYN

).

directed_broadcast

/usr/sbin/no -o directed_broadcast=0

,
.

0,
.


icmpaddressmask

/usr/sbin/no -o icmpaddressmask=0

,
ICMP.
,
,
.

ipforwarding

/usr/sbin/no -o ipforwarding=0

,
. ,

.

ipignoreredirects

/usr/sbin/no -o ipignoreredirects=1

ipsendredirects

/usr/sbin/no -o ipsendredirects=0

,
.
,
.

ip6srcrouteforward

/usr/sbin/no -o ip6srcrouteforward=0

,
IPv6,
ICMP. ,
,

.

ipsrcrouteforward

/usr/sbin/no -o ipsrcrouteforward=0

,
,
ICMP. ,
,

.

ipsrcrouterecv

/usr/sbin/no -o ipsrcrouterecv=0

,
,
. ,
,

.

ipsrcroutesend

/usr/sbin/no -o ipsrcroutesend=0

,

ICMP. ,
,

.

nonlocsroute

/usr/sbin/no -o nonlocsrcroute=0

,
IP
. ,
,

.

tcp_icmpsecure

/usr/sbin/no -o tcp_icmpsecure=1

TCP ICMP
(
Internet-)
PMTUD ( MTU
).
ICMP-, ,
TCP

. : 0=off
( ); 1=on.

ip_nfrag

/usr/sbin/no -o ip_nfrag=200


IP,
IP
(
200 - IP
200
IP-).


tcp_pmtu_discover

/usr/sbin/no -o tcp_pmtu_discover=0

,
,
.

tcp_tcpsecure

/usr/sbin/no -o tcp_tcpsecure=7

TCP.
: 0= ;
1=
SYN; 2=

RST; 3=
TCP; 5-7=
.

udp_pmtu_discover

/usr/sbin/no -o udp_pmtu_discover=0


MTU
TCP. ,
,

.
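As an added example (not code from this guide and not IBM's own aixpert check scripts), the following POSIX sh audit applies the inetd.conf table and the `no` option table above to sample input and reports each deviation in the check_report.txt wording quoted earlier; the "name = value" shape of `no -a` output and the "netopt-check:" prefix are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not IBM's aixpert check scripts): audit an inetd.conf and a
# captured "no -a" listing against the values this guide's tables set, and
# print one check_report.txt-style line per deviation.

# service/protocol pairs that the inetd.conf table above disables
INETD_DISABLE="time/udp time/tcp rexd/tcp chargen/tcp login/tcp6 talk/udp \
finger/tcp ftp/tcp6 imap2/tcp comsat/udp rquotad/udp daytime/udp klogin/tcp \
discard/tcp echo/tcp systat/tcp rstatd/udp dtspc/tcp"
# network options and the values the "no -o" table above sets
NO_EXPECT="bcastping=0 clean_partial_conns=1 directed_broadcast=0 \
icmpaddressmask=0 ipforwarding=0 ipignoreredirects=1 ipsendredirects=0 \
ip6srcrouteforward=0 ipsrcrouteforward=0 ipsrcrouterecv=0 ipsrcroutesend=0 \
nonlocsrcroute=0 tcp_icmpsecure=1 ip_nfrag=200 tcp_pmtu_discover=0 \
tcp_tcpsecure=7 udp_pmtu_discover=0"

# check_inetd: inetd.conf on stdin (fields: name socktype proto ...); report
# each uncommented entry whose name/proto pair is on the disable list
check_inetd() {
    grep -v '^[[:space:]]*#' | awk -v list="$INETD_DISABLE" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NF >= 3 && (($1 "/" $3) in want) {
            printf "coninetdconf.ksh: Service %s using protocol %s should be disabled, however it is enabled now.\n", $1, $3
        }'
}

# check_no: "no -a" output ("name = value" per line, assumed) on stdin; report
# each listed option whose value differs (the netopt-check prefix is constructed)
check_no() {
    awk -v list="$NO_EXPECT" '
        BEGIN { n = split(list, a, " ")
                for (i = 1; i <= n; i++) { split(a[i], kv, "="); want[kv[1]] = kv[2] } }
        NF == 3 && $2 == "=" && ($1 in want) && $3 != want[$1] {
            printf "netopt-check: Option %s should be %s, however it is %s now.\n", $1, want[$1], $3
        }'
}

# constructed sample inputs, not taken from a real host
sample_inetd() {
cat <<'EOF'
# constructed /etc/inetd.conf excerpt
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd      ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd   telnetd -a
#talk   dgram   udp     wait    root    /usr/sbin/talkd     talkd
daytime dgram   udp     wait    root    internal
EOF
}
sample_no() {
cat <<'EOF'
            bcastping = 0
  clean_partial_conns = 0
         ipforwarding = 1
    tcp_pmtu_discover = 0
        tcp_recvspace = 262144
EOF
}

# audit: run both checks over the samples; exit status 1 when anything deviates
audit() {
    findings=$( { sample_inetd | check_inetd; sample_no | check_no; } )
    printf '%s\n' "$findings"
    [ -z "$findings" ]
}
audit || echo "hardening deviations found"
```

Feed a real /etc/inetd.conf and the output of `no -a` into `check_inetd` and `check_no` in place of the sample functions to audit a host.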



, .
IBM ,
. , ,
IBM . , IBM
, , .
, ,
IBM .
, .
IBM
. -
. :
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
, ,
: INTERNATIONAL BUSINESS MACHINES
CORPORATION " ",
- , ,
, ,
- .
,
.
.
,
. IBM ,
, .
: (i)
( ) (ii)
, , :
IBM Corporation
Dept. LRAS/Bldg. 903
11501 Burnet Road
Austin, TX 78758-3400
U.S.A.
, -
.

IBM IBM,
IBM .


, ,
(DBCS), IBM
:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
IBM
- .
,
. IBM
,
.
.
Web-
Web-.
, Web-,
IBM. Web- .
,
. , ,
.
.


IBM, IBM ibm.com
International Business Machines Corp .
IBM . IBM
Web- Copyright and trademark information :
www.ibm.com/legal/copytrade.shtml.
Adobe, Adobe, PostScript PostScript
Adobe Systems Incorporated / .
Java Java
Sun Microsystems, Inc. .
Linux / .
Microsoft, Windows, Windows NT Windows Microsoft Corporation
/ .
UNIX - The Open Group ..
,
.



.
.netrc 166
/dev/urandom 303
/usr/lib/security/audit/config

166

A
Active Directory, LDAP
AIX 102
AIX
Active Directory, LDAP

102

C
CAPP/EAL4+
.
4+ 6
CAPP/EAL4+ (NIM) 9

Kerberos ()
()
rsh 258
telnet 258
AIX 260
, Windows 104

Kerberos KRB5 261

Kerberos KRB5A 266
kerbos, 271
KRB5 261
KRB5A 266

LDAP
KRB5LDAP
115
mksecldap 113
LDAP 97

99

112
97
104
106, 108
Light Directory Access Protocol (LDAP) 97

EIM
.
256

D
dacinet 170
DES,
dist_uniqid 40

243

mgrsecurity

F
ftp

258

41, 46, 59

IKE
178
Internet Key Exchange
IKE 178
IP
Internet 176
IPv4
. . IP- 176
IPv6 176
ITDS 101

98

NFS ( )
NFS 248
253
254
254
253
252
252
250
255
250
/etc/publickey 252
NIS+
240
241

Kerberos 258

ftp 258
rcp 258
rlogin 258

OpenSSH
Web- 158
158
160
Kerberos 5 162


OpenSSH ()
Kerberos 5
158

RADIUS ()
()
radiusd.conf 272
rcp 258
rlogin 258
root, 41
root
rsh 258

163

P
PAM
151
150
157

/etc/pam.conf 157
152
157

/etc/pam.conf 152
PKCS #11 115
118
117
PKI 119

155

SAK 5
SED 30
setgid,
80
setuid,
80

R
RADIUS 271
LDAP


284
283
283
proxy
288
288
288
297
303
272
280
280
IP 298
UNIX 280
290
SMIT 302
297
285

271
LDAP
282
proxy
288

CHAP 285
EAP 285
PAP 284
296
272

291
286
286
272
dictionary 278
proxy 279
278
287


41

284

TCB 1
tcbck,
5
3
TCP/IP
.netrc 166
/etc/ftpusers 168
/etc/hosts.equiv 167
/usr/lib/security/audit/config 166
164
DOD 170
NTCB 169
SAK 165
TCP/IP 166, 168
164, 165
167
170
165
FTP 168
IP 176
223
231
IP
IKE 178
182
217
181
Internet 177
telnet 258

V
VPN

181

X
XML

188, 190


247
42
42

39

()
42
42
42
43
42
261, 266
103
104
Framed-Pool 298
mkhomeatlogin 39
,

298

, 202
73
307, 308, 311, 312, 314, 315, 317, 320, 327,
328, 330, 331, 334, 335, 338, 339, 340

(VPN) 176

43
42
, 51, 64

103

104
307

kadmind 265
secldapclntd 113
200
CA

201


42

IP- 176
NIS+ 240
247
240
240
244
241
242
241
root, 41
TCP/IP 164
1
46
40
307, 308, 311, 312, 314, 315, 317, 320, 327, 328,
330, 331, 334, 335, 338, 339, 340

59
239
307

()
307, 308, 311, 312, 314, 315, 317, 320, 327, 328, 330,
331, 334, 335, 338, 339, 340
IP
181

185
IP
SA 184
178

SA 184
184
179
180
184
239
239
RPC 239
239
Internet (IP) 176
218
211
182
217
181
IP
223
Internet- (IP)
231
NFS 248
64

5

4

3
86
1
2
tcbck 3

4

5

40
64
64, 242
64
, Windows
Kerberos 104
205
(SPI)

119

178

179

200

205


aixpert 307
chsec 40
keylogin
NFS 250
lsldap 113
mkgroup 40
mksecldap 113
mkuser 40
mount
NFS
255

aixpert 307
LDAP 113
, LDAP 113


87
90

86
watch 90
86, 91
84
87
84
, 94
87
84
84
86
(SA) 178
184

243

30
SED 30
pam_mkuserhome
, SED 31

39

307

304

305
304
305
306

SMIT 306

305

.
4+ 6



Web- 190
XML 188

v_max_logname 47
47
30
30, 31

, 202
59
59
RPC 239
61
42, 43
63
/etc/password 60
RPC 239
LDAP 101
DN 105
104
42, 43
42, 43
244, 247
73
73
244
246
244
304
LDAP 115
256
257
NLS 303

setuid/setgid 33
setgid 33
setuid 33
Internet
176
177
IKE 178
176
IP 218
4+
7, 9
6
6
6
root
80
IP 298


LDAP 104
Internet (IETF) 176

kerbos 271
73

73
31

6,

SED 31
, SED 31

43
42
42
42
42
42
42
43
42


ITDS 98
Proxy, 288
RADIUS 298
LDAP 101
(CA)
201
203
202
204
CA 200
202
169
100
LDAP 100

307

69
69
68

. 68

4+ 6
RADIUS 271

119
261, 266
(NAS) 258
proxy, RADIUS 288
200
IKE
205
307
AIX 307

241

SA 184
184
179
185
IKE

CA 202
204
242
DES 243
243
26
, 29
27
CDE 28
26
29
29

73
71, 73
307, 308, 311, 312, 314, 315, 317, 320, 327, 328,
330, 331, 334, 335, 338, 339, 340
CAPP/EAL+ 7

49

/etc/publickey 252
/etc/radius/dictionary 278
/etc/radius/proxy 279
/var/radius/data/accounting 287
radiusd.conf 272
, RADIUS 272

/etc/radius/clients 278
default.auth 285
default.policy 285
ldap.client 272
ldap.server 272
radius.base 272
user_id.auth 285

184
180
, 211
31
, SED 31
ldap.cfg 114


201
203
202
204
200
IKE 205
202

200

204

205

305
305

305



NFS 250

AIX 307, 308, 311, 312, 314, 315, 317, 320,


327, 328, 330, 331, 334, 335, 338, 339, 340
307
307, 308, 311, 312, 314, 315, 317, 320,
327, 328, 330, 331, 334, 335, 338, 339, 340
328
/etc/inittab 315
340
331
307, 308, 311, 312, 314, 315, 317, 320, 327, 328,
330, 331, 334, 335, 338, 339, 340
/etc/inetd.conf 320
/etc/rc.tcpip 317
SUID 327
307
338
307
308
IPsec 334
338
335
312
314

311
339
340
340
,
330
338



