Безопасность AIX

AIX 5.
SC43-0499-07
AIX 5.3
SC43-0499-07

. 357.
( 2010 )
AIX 5L 5.3 ,
.
. ,
: Information Development, Department 04XA-905-6B013, 11501 Burnet Road, Austin,
Texas 78758-3400. :
pserinfo@us.ibm.com. IBM
- .
Note to U.S. Government Users Restricted Rights - - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM Corp.
Copyright IBM Corporation 2002, 2010.

. . . . . . . . . v
. .
AIX
ISO 9000 . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. v
. v
. v
. . . . . . . . . . . . . . . 1
. . . . . . 1
. . . 1
, . . . . . . . 39
. . . . . . . . 71
. . . . . . . . 84

(LDAP) . . . . . . . . . . . . . . . 97
#11 . . 115

X.509 . . . . 118
. . . . 150
OpenSSH . . . . . . . . . 158
. . . . . . . . . . . . . . 164
TCP/IP . . . . . . . . . . . . 164
. . . . . . . . . . . 172
IP . . . . . . . . . . 176
NIS NIS+ . . 238
. . . . . 248
256
Kerberos . . . . . . . . . . . . . . 258
RADIUS. . . . . . . . . . . . 271
AIX . . . . . . 304
AIX . . . . . . . . . 307
AIX
308

AIX . . . . . . . . . . . 308

AIX . . . . . . . . . . . . . . . 311

AIX . . . . . . . . 312

AIX . . . . . . . . 314
Copyright IBM Corp. 2002, 2010
AIX
/etc/inittab . . . . . . . . . . . . . .
/etc/rc.tcpip
AIX . . . . . . . .
/etc/inetd.conf
AIX . . . . . . . .
SUID AIX . . .

AIX . . . . . . . . . . .
,
,
AIX . . . . . . . . . . . . . . .

AIX . . . . . . . . . . .
IPsec
AIX . . . . . . . . . . .
AIX. . .

AIX . . . . . . . . . . .

AIX . . . . . . . . . . .
AIX . . . . .

AIX . . . . . . . .

AIX . . . . . . . .

AIX . . . . . . . .

AIX . . . . . . . . . . .
. . . . . . . .
, . . . . . . . .
AIX . . . . .
. . . . . . . . . . .
315
317
320
327
328
330
330
334
335
337
338
338
339
339
340
340
340
341
342
353
. . . . . . . . . . . 357
.
. 358
. . . . . . . . . . . . . . 359
iii
iv
AIX 5.3:

, , ,
. ,
, ,
. - ,
.
, , , , ,
. ,
, - , , ..
, .
,
, , .
AIX
AIX , .. .
, ls. LS,
, . , FILEA, FiLea filea
, .
.
ISO 9000
ISO 9000.
vi
AIX 5.3:

AIX , ,
, .
- ,
.
PDF, .
: Adobe Reader: PDF
Adobe Reader. Web- Adobe
(www.adobe.com/products/acrobat/readstep.html).

.
,
AIX .

AIX .

.
.
(TCB) - ,
. TCB
. TCB .
TCB . TCB
,
(SAK).
:
TCB - , . TCB
,
.
,
( tcbck).
(BOS). TCB ,
tcbck .
TCB.
TCB BOS
. .
TCB 2 Enter.
TCB , /dev
TCB. , TCB 600 ,
/etc/security/sysck.cfg. TCB
(, , - ) .
TCB:
(TCB)
.
tcbck . tcbck
, /etc/security/sysck.cfg.
TCB, .
/etc/security/sysck.cfg , , .
, ,
.
.
TCB tcbck ,
(CAPP) 4+ (EAL4+). CAPP/EAL4+
4+ . 6.
sysck.cfg:
tcbck /etc/security/sysck.cfg , .
/etc/security/sysck.cfg.
:
, .
aclget.
sysck
aclput.
acl
class
group
links
mode
owner
program
source
AIX 5.3:
: SUID, SGID SVTX ,

mode, .
. ,
tcbck . .
. tcbck
.
, . -
, tcbck . tree ,
tcbck , .
tree, tcbck ,
.
, . SUID, SGID, SVTX TCB.
,
9- . , 755 rwxr-xr-x.
tcbck
.
.
tcbck .
, . -
. .
: -y, -n, -p -t, ,
tcbck.
, .
, ,
, .
.
symlinks
, . -
, tcbck.
tree, tcbck ,
.
/etc/security/sysck.cfg ,
.
tcbck:
tcbck , ;
, , ,
.
, tcbck :
v ,
v ,
v ,
tcbck :
v

cron
v

v
sysck.cfg
.
, TCB sum .
TCB , ,
md5sum. textutils RPM - AIX
Toolbox for Linux Applications.
:
tcbck
tcbck.
tcbck :
tcbck -y ALL
tcbck tcbck,
,
/etc/rc.
:

tcbck.
:
tcbck -t tree
tcbck tree, (
). tcbck
, . ,
:
v root SetUID, .
v SetGID,
.
v tcb, .
v ( ), .
v , /etc/security/sysck.cfg,
.
v ,
/etc/security/sysck.cfg, .
: tcbck
/etc/security/sysck.cfg. .
/etc/security/sysck.cfg -l.
: tcbck -y tree. ,
TCB, .
:
/etc/security/sysck.cfg tcbck.
/etc/security/sysck.cfg :
tcbck -a [=]
,
. /etc/security/sysck.cfg.
, SetUID root /usr/bin/setgroups,
/usr/bin/getgroups:
tcbck -a /usr/bin/setgroups links=/usr/bin/getgroups
jfh jsl, developers,

/usr/bin/abc, :
tcbck -a /usr/bin/abc setuids=jfh,jsl setgids=developers
,
/etc/security/sysck.cfg. :
tcbck -t tree
, /etc/security/sysck.cfg.
:
, /etc/security/sysck.cfg,
.
, /etc/cvid, :
AIX 5.3:
tcbck -t ALL
:
3001-020 /etc/cvid .
:
tcbck -d /etc/cvid
:
(TCB).
:
.
getty shell ,
. .
:
SAK (Ctrl-X,
Ctrl-R).
: SAK , ,
, (, /dev/console
/dev/tty0).
:
v
SAK:
, .
,
, , , .
, who .
v . :
root. root
. , root
.
su, passwd newgrp.
.
:
.
, SAK
. /etc/security/login.cfg
sak_enabled. - True, SAK .
(, uucp),
/etc/security/login.cfg :
sak_enabled = false
( ) SAK .
SAK :
sak_enabled = true
4+

(CAPP) 4+ (EAL4+).
, BOS,
.
CAPP/EAL4+:
CAPP - ,
(CAPP) .
CAPP ,
TCSEC C2 ( ).
, (CC), - ,
, .. ISO 15408,
. , ,
CAPP/EAL4+.
CC, CC
( ).
. , , ,
. CAPP, CC
AIX 5.3. , IPsec
, , .
AIX 5.3 CAPP/EAL4+ , 64-
POWER3 POWER4, :
v (LVM) (JFS2)
v X-Windows CDE
v TCP/IP 4 (IPv4): Telnet, FTP, rlogin, rsh/rcp
v (NFS)
CAPP/EAL4+ , :
v ,
.
v .
v NFS
.
:
v ( , , ,
..)
v ( , ,
..)
v DAC ( ACL ,
IPC TCP)
v
v diag
AIX 5.3:
v su (root)
,
.
:
v passwd
v su
v at, batch crontab,
v DAC ( ACL
IPC)
v (, )
(, telnet ftp)
,
.
AIX 5.3 CAPP/EAL4+ IBM eServer pSeries
Symmetric Multiprocessor (SMP) POWER3-II (IBM eServer pSeries 610)
, SMP RS64 IV (IBM eServer pSeries 660), SMP
POWER4 (IBM eServer pSeries 690) SMP POWER5 (IBM System p5 520, System p5 570,
System p5 595). ,
CD-ROM ,
. : Ethernet
Token-Ring.
CAPP/EAL4+ POWER4 (IBM eServer pSeries 630, IBM
eServer pSeries 650 pSeries 690), .
, CD-ROM
,
. : Ethernet Token-Ring.
SCSI.
:
$HOME/.rhosts .
AIX 5.3 System p5 POWER5
CPU (p5-520, p5-570, p5-595).
CAPP/EAL4+:
CAPP/EAL4+ BOS :
1. .
2. ,
CAPP EAL4+. .
CAPP EAL4+ :
v .
v .
v 64- .
v (JFS2).
CAPP EAL4+ ,
,
CDE.
bosinst.data,
INSTALL_TYPE CC_EVAL,
:
control_flow:
CONSOLE = ???
PROMPT = yes
INSTALL_TYPE = CC_EVAL
INSTALL_METHOD = overwrite
TCB = yes
DESKTOP = NONE or CDE
ENABLE_64BIT_KERNEL = yes
CREATE_JFS2_FS = yes
ALL_DEVICES_KERNELS = no
FIREFOX_BUNDLE = no
HTTP_SERVER_BUNDLE = no
KERBEROS_5_BUNDLE = no
SERVER_BUNDLE = no
ALT_DISK_INSTALL_BUNDLE = no
locale:
CULTURAL_CONVENTION = en_US or C
MESSAGES = en_US or C
AIX 5L 5.3
5300-07 :
1. , AIX 6.1
5300-07 Download Director. AIX
web-: http://www14.software.ibm.com/webapp/set2/sas/f/genunix3/aixfixes.html.
2. Search by APAR number or abstract IY88827
.
3. APAR . Add to my download
list.
4. Continue.
5. Packaging Options Include prerequisites and corequisites Include
ifrequisites. Include fixes that correct regressions Replace superseded fixes with the latest
.
6. 5300-07 .
7. lslpp -Lc. Browse
.
8. Continue.
9. Download fixes Download all filesets using Java applet
Java Download Director. ,
, .
10. Java. ,
.
/usr/sys/sp2. .toc inutoc:
# inutoc /usr/sys/sp2
.toc , smitty
:
# smitty update_all
11. /usr/lib/security/CC_EVALify.sh.
AIX 6.1 5300-07. ,
. :
# oslevel -r or oslevel -s
AIX 5.3:
5300-07 .
CAPP/EAL4+ :
CAPP/EAL4+ (NIM).
NIM , AIX 5L
CAPP/EAL4+. NIM ,
NIM. bosinst_data , NIM:
control_flow:
CONSOLE = ???
PROMPT = no
INSTALL_TYPE = CC_EVAL
INSTALL_METHOD = overwrite
TCB = yes
DESKTOP = NONE or CDE
ENABLE_64BIT_KERNEL = yes
CREATE_JFS2_FS = yes
ALL_DEVICES_KERNELS = no
FIREFOX_BUNDLE = no
HTTP_SERVER_BUNDLE = no
KERBEROS_5_BUNDLE = no
SERVER_BUNDLE = no
ALT_DISK_INSTALL_BUNDLE = no
locale:
CULTURAL_CONVENTION = en_US or C
MESSAGES = en_US or C
NIM CAPP/EAL4+
CAPP/EAL4+. NIM
NIM SMIT . NIM
CAPP/EAL4+ NIM.
NIM.
: NIM ,
CAPP/EAL4+; - CAPP/EAL4+. NIM
NIM. CAPP/EAL4+
NIM .
. NIM
, CAPP/EAL4+
NIM.
CAPP/EAL4+:
CAPP/EAL4+
/usr/sys/inst.data/sys_bundles/CC_EVAL.BOS.autoi.
CAPP/EAL4+
. CAPP/EAL4+
,
/usr/sys/inst.data/sys_bundles/CC_EVAL.Graphics.bnd. CAPP/EAL4+
,
/usr/sys/inst.data/sys_bundles/CC_EVAL.DocServices.bnd.
(LPP)
CAPP/EAL4+. :
v /etc/pse.conf /dev/echo.
v
v
v
v
v
.
root.
inetd.conf , CC.
.
sysck.cfg .
v
v
v
v
v
v
v
sysck.cfg .
.
doc_search .
inittab httpdlite.
inittab writesrv.
inittab mkatmpvc.
inittab atmsvcd.
v
v
v
v
v
v
/etc/rc.tcpip snmpd.
/etc/rc.tcpip hostmibd.
/etc/rc.tcpip snmpmibd.
/etc/rc.tcpip aixmibd.
/etc/rc.tcpip muxatmd.
NFS (2049) .
v /etc/security/audit/events .
v loopback.
v /dev/console.
v
v
v
v
X-.
/var/docsearch .
ODM , .
BSD 000.
v .netrc.
v .
:
CAPP/EAL4+ X
Windows.
X Windows , ,
, ., ( aixterm). X Windows
xinit
.
X Windows :
xinit
X Windows .
X Windows root, X Windows
UNIX, root . X
Windows, , ,
, X Windows.
X Windows.
CAPP/EAL4+:
10
AIX 5.3:
CAPP/EAL4+ , .
:
v ,
, .
v .
v
.
v
(.. ).
, , .
v , AIX 5.3 CAPP/EAL4+,
, .
v CAPP/EAL4+ IPv4. IPv6
, , IPv4.
v .
v LPAR PHB.
CAPP/EAL4+:
CAPP/EAL4+ .
:
v .
v , ,
.
v ( ,
).
. 59.
v .
v
, .
v ,
.
v , su
.
v , ,
.
v , ,
, .
v
ACL.
v ,
.
v .
v
.
v LIBPATH,
.
11
v
(tcpdump, trace ..).
v , , HTTP,
(, ).
v NFS TCP.
v .
ACL.
v AIX root.
, AIX,
CAPP/EAL4+.
v
. ,
.
CAPP/EAL4+:
CAPP/EAL4+
.
:
v (HMC), HMC
.
v HMC .
v HMC :
. .
"" .
v HMC .
v .
v .
v AIX LPAR,
EAL4+ LPAR .
v .
CAPP/EAL4+:
(CAPP) 4+ (EAL4+).
system, sys, adm, uucp, mail, security, cron, printq, audit shutdown
. .
:
,
su root .
root, su
root .
:
1. root /etc/security/user:
12
AIX 5.3:
root:
admin = true
.
.
.
sugroups = SUADMIN
2. /etc/group ,
, :
system:!:0:root,paul
staff:!:1:invscout,julie
bin:!:2:root,bin
.
.
.
SUADMIN:!:13:paul
:
v , ,
.
v ,
.
v (,
IBM 3151).
:
AIX , .
, 1 1 000 000,
1 100 000.
/etc/security/user
/usr/share/dict/words. /usr/share/dict/words bos.data.
/etc/security/user bos.data.
/etc/security/user:
default:
admin = false
login = true
su = true
daemon = true
rlogin = true
sugroups = ALL
admgroups =
ttys = ALL
auth1 = SYSTEM
auth2 = NONE
tpath = nosak
umask = 077
expires = 0
SYSTEM = "compat"
logintimes =
pwdwarntime = 5
account_locked = false
loginretries = 3
histexpire = 52
histsize = 20
minage = 0
maxage = 8
maxexpired = 1
minalpha = 2
minother = 2
minlen = 8
13
mindiff = 4
maxrepeats = 2
dictionlist = /usr/share/dict/words
pwdchecks =
dce_export = false
root:
rlogin = false
login = false
, /etc/security/user, ,
.
: login = false root root
. root
, root su.
,
.
, .
,
unsuccessful_login_count /etc/security/lastlog, , ,
loginretries .
,
chsec. chsec
. 49.
/etc/security/login.cfg:
default:
sak_enabled = false
logintimes =
logindisable = 4
logininterval = 60
loginreenable = 30
logindelay = 5
setuid/setgid:
AIX, CAPP .
suid/sgid , root,
. CAPP : system, sys,
adm, uucp, mail, security, cron, printq, audit shutdown. suid,
root sgid, .
.
,
:
v root SUID
v SGID
v , - ,
v , , :
14
/usr/bin/at
/usr/sbin/audit
/usr/sbin/auditbin
/usr/sbin/auditcat
AIX 5.3:
/usr/sbin/auditmerge
/usr/sbin/auditpr
/usr/sbin/auditselect
/usr/bin/batch
/usr/bin/chsh
/usr/sbin/chtcb
/usr/sbin/cron
/usr/bin/crontab
/usr/sbin/diag
/usr/sbin/ftpd
/usr/sbin/inetd
/usr/bin/logout
/usr/bin/passwd
/usr/sbin/ping
/usr/sbin/rexecd
/usr/sbin/rlogind
/usr/sbin/rpc.mountd
/usr/sbin/rshd
/usr/bin/setgroups
/usr/bin/setsenv
/usr/bin/su
/usr/sbin/telnetd
/usr/sbin/tsm
/usr/lpp/X11/bin/xlock
/usr/lpp/diagnostics/bin/uformat
: setuid ipcs.
chmod u-s /usr/bin/ipcs chmod u-s /usr/bin/ipcs64.
:
AIX
AIX.
, .
, :
diag -T "format"
,
. .
. ,
, .
, .
. .
, .
.
15
. ,
. .
: .
:
/etc/security/limits, ,
.
, stack rss unlimited ().
,
rss ,
. stack_hard rss_hard .
:
, .
v , .
,

.
v (, ,
/audit) , root.
v CAPP/EAL4+ .
. 91.
v 20
.
v , binmode start /etc/security/audit/config
panic. freespace bin ,
25% , .
bytethreshold binsize 65 536 .
v .
:

(CAPP) 4+ (EAL4+).
, CAPP/EAL4+ (
).
1.
UID
root
/etc/init
root
/usr/sbin/syncd 60
root
/usr/sbin/srcmstr
SRC.
root
/usr/sbin/cron
CRON AT
root
/usr/ccs/bin/shlap64
root
/usr/sbin/syslogd
Syslog.
root
/usr/lib/errdemon
AIX
root
/usr/sbin/getty /dev/console
getty / TSM.
root
/usr/sbin/portmap
NFS CDE.
16
AIX 5.3:
1. ()
UID
root
/usr/sbin/biod 6
NFS.
root
/usr/sbin/rpc.lockd
NFS.
daemon
/usr/sbin/rpc.statd
NFS.
root
/usr/sbin/rpc.mountd
NFS.
root
/usr/sbin/nfsd
NFS.
root
/usr/sbin/inetd
Inetd.
root
/usr/sbin/uprintfd
root
/usr/sbin/qdaemon
root
/usr/lpp/diagnostics/bin/diagd
root
/usr/sbin/secldapcintd
LDAP AIX
root
/usr/sbin/gssd
, GSS
root
/usr/sbin/nfsrgyd
/ NFS v4
CAPP/EAL4+:
CAPP/EAL4+ ,
. , NIS,
CAPP/EAL4+
.
,
, CAPP/EAL4+.

.

, SMIT, . .
/etc/data.shared

/etc/data.shared
:
, , . ,
/etc/security
/etc/group
/etc/group
/etc/hosts
/etc/hosts
/etc/passwd
/etc/passwd
/etc/security/.ids
.
/etc/security/.profile
.profile .
17
/etc/security/acl
/etc/security/acl ACL ,
/etc/rc.tcpip
/etc/security/audit/bincmds
.
/etc/security/audit/config
.
/etc/security/audit/events
.
/etc/security/audit/objects
.
/etc/security/audit/streamcmds
.
/etc/security/environ
.
/etc/security/group
/etc/security/group
/etc/security/limits
.
/etc/security/passwd
.
/etc/security/priv
/etc/security/priv .
/etc/security/services
/etc/security/services , ACL.
/etc/security/user
.
:
, /etc/security,
, :
/etc/security/failedlogin
.
/etc/security/lastlog
.
/etc/security/login.cfg
, ,
..
/etc/security/portlog
.
.
o.
( ):
18
AIX 5.3:
,
. /dev/hd10sec
/etc/data.master .
mkCCadmin
IP- :
mkCCadmin -m -a ip-
( ):
.
/etc/data.shared.
/etc/data.master /etc/data.shared.
.
:
mkCCadmin -a ip- -
chCCadmin.
,
inittab:
isCChost
CAPP/EAL4+.
rcCC
ACL DACinet ,
NFS. .
rcdacinet
ACL DACinet, .
:
v ,
. .
v , -
root.
DACinet :
DACinet TCP.
DACinet TCP
Internet . 170. ,
DACinet TCP/25
DACinet, root CAPP/EAL4+.

telnet TCP/25 .
ACL TCP /etc/inittab
/etc/rc.dacinet. /etc/security/acl ACL
. , ACL,
/etc/security/services.
10.1.1.0/24, X (TCP/6000)
root /etc/security/acl ACL:
19
6000
10.1.1.0/24 u:root
CAPP/EAL4+:
CAPP/EAL4+ .
root
root, CAPP/EAL4+.
, ,
SUID.
, root,
CAPP/EAL4+. , , JFS,
. ,
root (, SNMP), CAPP/EAL4+.
CAPP/EAL4+ .
CAPP/EAL4+ , .
. ,
,
.
NSF v4 :
(ACL) NFS v4 Type, Mask Flags.
:
v Type :
ALLOW , Who, , Mask.
DENY , Who, , Mask.
v Mask :
READ_DATA / LIST_DIRECTORY
.
WRITE_DATA / ADD_FILE
.
APPEND_DATA / ADD_SUBDIRECTORY
.
READ_NAMED_ATTRS .
WRITE_NAMED_ATTRS .
EXECUTE / .
DELETE_CHILD .
READ_ATTRIBUTES ( ACL).
WRITE_ATTRIBUTES , .
DELETE .
READ_ACL ACL.
WRITE_ACL ACL.
WRITE_OWNER .
SYNCHRONIZE (
NFS v4; ).
v Flags - ACL , . ,
, Who . :
20
AIX 5.3:
FILE_INHERIT , , ,
.
DIRECTORY_INHERIT , , ,
.
NO_PROPAGATE_INHERIT , , ,
; , .
INHERIT_ONLY , ;
, .
IDENTIFIER_GROUP , Who ; Who
.
v Who - :
User , .
Group , .
Special :
- OWNER@ , .
- GROUP@ , , .
- EVERYONE@ , ,
.
ACL, UID 0. ACL
:
v READ_ACL
v WRITE_ACL
v READ_ATTRIBUTES
v WRITE_ATTRIBUTES
APPEND_DATA WRITE_DATA. , WRITE_DATA
APPEND_DATA . .
WRITE_OWNER.
setuid. ACL ;
, (,
ACL ).
ACL NFS v4 .
. , :
v Who, UID.
v , GID
v , .
, ,
. .
, . , ,
ACL.
ACL 64 . , ACL
.
WRITE OWNER:
NFS v4 .
21
UID NFS v4.

READ_ATTRIBUTES,
WRITE_ATTRIBUTES , READ_NAMED_ATTRS WRITE_NAME_ATTRS ACL.
ACL READ_ACL WRITE_ACL ACL.
: READ_ATTRIBUTES, WRITE_ATTRIBUTES, READ_ACL WRITE_ACL.
,
WRITE_OWNER.
, ACL WRITE_OWNER ,
ACL, WRITE_OWNER, Who OWNER@.
setuid.
:
v UID 0, UID 0,
WRITE_OWNER.
v WRITE_OWNER . UID 0,
AIX 5.3 5300-05 UID 0.
AIX 5300-05, UID 0,
EUID , .
v ;
GID 0 GID 7 ( ), ,
.
LDAP :
NFS. ,
DCE NIS, .
:
v ( )
v LDAP UNIX ( LDAP ITDSv 6.0)

.
LDAP:
LDAP "UNIX-type",
( , ) LDAP
LDAP.
LDAP SSL
LDAP, ( )
. LDAP
. LDAP
.
LDAP.
. , ,
UID .
LDAP LDAP.
LDAP SSL
SSL LDAP SSL LDAP.
LDAP:
22
AIX 5.3:
mksecldap -s AIX LDAP

.
:
v RFC2307AIX -S.
v SSL, -k.
GSKit ldap.max_crypto_server.
gsk7ikm.
LDAP .
RFC2370AIX. ,
CAPP/EAL4+. ITDS (,
MaxAge). LDAP
, AIX (MaxAge = 8 ()).
ITDS 5.2
. ,
. ITDS.
LDAP,
,
( ), TOE :
v
v
v
v
/etc/group
/etc/passwd
/etc/security/.ids
/etc/security/.profile
v /etc/security/environ
v /etc/security/group
v /etc/security/limits
v /etc/security/passwd
v /etc/security/user
LDAP:
mksecldap -c AIX LDAP
.
:
v mksecldap -c authType unix_auth -A.
v SSL, -k mksecldap -c.
SSL GSKit ldap.max_crypto_client.
gsk7ikm.
LDAP :
v : Integrating AIX into Heterogenous LDAP Environments.
v : Configuring an IBM Directory Server for User Authentication and Management in AIX.
v : Configuring an AIX Client System for User Authentication and Management Through
LDAP.
/ NFS v4 Kerberos:
23
/ NFS v4 LDAP, ,
Kerberos NFS v4.
NAS v1.4 Kerberos ITDS v6.0 ( LDAP)
.
NAS v1.4 ( Kerberos 5) LDAP.
Kerberos .
Kerberos ,
, Kerberos UID
. NFS,
Kerberos, setuid UID, Kerberos,
UID setuid.
RPCSEC-GSS NFS.
, NFS
NFS. Kerberos .
chnfs SMIT. chnfs RPCSEC_GSS.
, NFS.
RPCSEC-GSS DES3
Kerberos. des3.
:
Kerberos LDAP,
.
"Chapter 9. Managing Network
Authentication Service passwords" IBM Network Authentication Service Version 1.4 for AIX, Linux and Solaris
Administrator's and User's Guide.
mindiff
=4
maxrepeats
=2
minalpha
=2
minother
=2
minlen
=8
minage
=0
histsize
= 10
AIX NFS v4 AIX NFS v4

DES3 "nfs/hostname" DES3 (, des3-cbc-sha1)
keytab ( kadmin) DES3 (,
des3-cbc-sha1) default_tgs_enctypes /etc/krb5/krb5.conf
NFS v4.
NFS NFS AIX - NFS v4 AIX
5L 5.3.
-:
- (VIOS)
SCSI VIOS, ,
SCSI .
24
AIX 5.3:
( SCSI VIOS)
,
. , . , VIOS
Ethernet VIOS Ethernet VIOS,
.
Ethernet
Ethernet, .
. ,
Ethernet VLAN.
Ethernet .
VIOS .
VIOS .
1 1 000 000,
1 100 000.
/etc/security/user .
maxage
=8
maxexpired
=1
minother
=2
minlen
=8
maxrepeats
=2
loginretries
=3
histexpire
= 52
histsize
= 20
:
type oem_setup_env
chsec -f /etc/security/user -s default -a maxage=8 -a maxexpired=1 -a minother=2
-a minlen=8 -a maxrepeats=2 -a loginretries=3 -a histexpire=52 -a histsize=20
(padmin)
. , davis (padmin)
:
mkuser maxage=8 maxexpired=1 minother=2 minlen=8 maxrepeats=2 loginretries=3
histexpire=52 histsize=20 davis
, padmin :
v writesrv ctrmc /etc/inittab:
sshd:
stopsrc -s sshd
v , /etc/rc.d/rc2.d/Ksshd
/etc/rc.d/rc2.d/Ssshd. RSCT:
stopsrc -g rsct_rm stopsrc -g rsct
.

( padmin):
v chdate
v chuser
v cleargcl
v de_access
25
v
v
v
v
v
diagmenu
invscout
loginmsg
lsfailedlogin
lsgcl
v
v
v
v
v
v
v
mirrorios
mkuser
motd
oem_platform_level
oem_setup_env
redefvg
rmuser
v shutdown
v unmirrorios
X-:
X- 6000.
X- 6000 ( ), xserverrc
/usr/lpp/X11/defaults EXTENSIONS :
EXTENSIONS="$EXTENSIONS -x abx -x dbe -x GLX -secIP".

.
AIX , .
.
.
KDE GNOME .
KDE GNOME .
, , .
39.
:
/etc/security/login.cfg.

26
AIX 5.3:
2. .
PtY
(
)
TTY
sak_enabled
false
Secure Attention .

. 5.
logintimes
logindisable

4
.
logininterval
60
,

60 .
loginreenable
30
30
.
logindelay

.

(;
- 5 ,
5, 10, 15
20).
, ,
, ,
. ,
:
/dev/tty0:
logintimes = 0600-2200
logindisable = 5
logininterval = 80
loginreenable = 20
:
herald /etc/security/login.cfg,
.
herald .
chsec .
chsec herald:
# chsec -f /etc/security/login.cfg -s default
-a herald=" .\n\nlogin:"
chsec AIX 5L 5.3: ,

1.
/etc/security/login.cfg ,
herald :
default:
herald =" .\n\nlogin:"
sak_enable = false
logintimes =
27
logindisable = 0
logininterval = 0
loginreenable = 0
logindelay = 0
: logindisable logindelay
0 (# > 0).
:
Common Desktop Environment (CDE). ,
CDE, .
, /usr/dt/config/$LANG/Xresources, $LANG -
.
, $LANG C, /etc/dt/config/C/
Xresources. /usr/dt/config/C/Xresources
.
, CDE,
X11 CDE . 32.
:

, .
, :
: foo
foo:
,
usernameecho /etc/security/login.cfg.
usernameecho 'true', .. .
chsec .
chsec
usernameecho:
# chsec -f /etc/security/login.cfg -s default -a usernameecho=false
chsec AIX 5L 5.3: ,

1.
usernameecho:
default:
usernamecho = false
'false' usernameecho ,
.
'*', :
:
***:
.
pwdprompt /etc/security/login.cfg.
" -:", - .
28
AIX 5.3:
chsec .
chsec
pwdprompt ":":
# chsec -f /etc/security/login.cfg -s default -a pwdprompt="Password: "
pwdprompt:
default:
pwdprompt = ": "
pwdprompt ": "

, , .
:
: foo
:
:
(
, ..), , ,
, /etc/security/login.cfg.
, :
lock xlock.
, ,
. -
, root.
, .
- .
lock. AIXwindows xlock.
:

.
,
. ,
, .
,
. /etc/security/.profile
, :
TMOUT=600; TIMEOUT=600; export TMOUT TIMEOUT; readonly TMOUT TIMEOUT
600, 600 10 .
.
, ,
.profile. ,
.profile.
29

- " ".
.
,
.
,
, . ,
AIX , .
, -
, .
,
(, , ,
- ).
.
. -

. , ,
1 , , ,
, 1 .
/ ,
root. ,
. root (UID) ,

root.
, ,
. ,
( ).
SED :
AIX (SED), ,
/, .

root . ,
,
.
POWER4, /
. AIX SED
"" .
,
.
, SED.
"". -
, ,
. AIX.
SED sedmgr. sedmgr
SED SED.
SED:
30
AIX 5.3:
(SED) AIX
.
SED, ,
SED. (BOP)
:
off
SED , SED .
select
SED .
SED
. , SED,
select.
setidfiles
SED , ,
setuid setgid. SED
SED- request,
( , exempt):
v SETUID, root
v SETGID, system security
, , SED,
, SED.
.
SED AIX ,
.
SED
.
sedmgr SED,
, . ,
.
-c. ,
, SED.
AIX. SED ,
, , SED,
.
- SED
. .
SED :
AIX SED sedmgr.
SED,
select exempt, . select
SED select SED, exempt
SED.
.
SED
.
, .
SED :
31
3. SED
SED
request
exempt
system
Setuid-root
setgid-system/security
select
enabled
setgidfiles
enabled
enabled
enabled
enabled
enabled
SED
off
SED:
AIX SED select. setuid setgid
select .
SED ,
"" .
.
bopmgr. AIX Java 1.3.1 AIX Java 1.4.2
Just-In-Time (JIT),
Java ( Java
). ,
JIT. , AIX SED ALL,
Java.
, SED, ,
. . SED
32-, 64- ,
. AIX 64- .

sedmgr
AIX
X11 CDE
,
X X11 (CDE).
/etc/rc.dt:
, , /etc/rc.dt.
CDE ,
. CDE ,
. CDE (dt).
, ,
/etc/rc.dt, CDE.
CDE .
X:
32
AIX 5.3:
,
X11.
xwd xwud X ,
,
. ,
- ,
, root.
xwd xwud X11.apps.clients.
xwd xwud,
OpenSSH MIT Magic Cookies.
, xwd xwud .
OpenSSH MIT Magic Cookies
.
:
X .
, xhost +.
xhost +,
X . ,
. xhost
:
# xhost + hostname
, .
xhost AIX 5L 5.3: .
xhost:
xhost chmod.
xhost , root.
/usr/bin/X11/xhost 744
chmod:
chmod 744/usr/bin/X11/xhost
setuid/setgid
AIX setuid/setgid.
.
, AIX. AIX CC
.
v /opt/IBMinvscout/bin/invscoutClient_VPD_Survey
v /opt/IBMinvscout/bin/invscoutClient_PartitionID
v /usr/lpp/diagnostics/bin/diagsetrto
v /usr/lpp/diagnostics/bin/Dctrl
v /usr/lpp/diagnostics/bin/diagTasksWebSM
v /usr/lpp/diagnostics/bin/diagela
33
v
v
v
v
v
/usr/lpp/diagnostics/bin/diagela_exec
/usr/lpp/diagnostics/bin/diagrpt
/usr/lpp/diagnostics/bin/diagrto
/usr/lpp/diagnostics/bin/diaggetrto
/usr/lpp/diagnostics/bin/update_manage_flash
v
v
v
v
v
v
v
/usr/lpp/diagnostics/bin/utape
/usr/lpp/diagnostics/bin/uspchrp
/usr/lpp/diagnostics/bin/update_flash
/usr/lpp/diagnostics/bin/uesensor
/usr/lpp/diagnostics/bin/usysident
/usr/lpp/diagnostics/bin/usysfault
/usr/lpp/X11/bin/xlock
v
v
v
v
v
v
/usr/lpp/X11/bin/aixterm
/usr/lpp/X11/bin/xterm
/usr/lpp/X11/bin/msmitpasswd
/usr/lib/boot/tftp
/usr/lib/lpd/digest
/usr/lib/lpd/rembak
v /usr/lib/lpd/pio/etc/piodmgrsu
v /usr/lib/lpd/pio/etc/piomkpq
v /usr/lib/lpd/pio/etc/pioout
v
v
v
v
/usr/lib/mh/slocal
/usr/lib/perf/libperfstat_updt_dictionary
/usr/lib/sa/sadc
/usr/lib/semutil
v /usr/lib/trcload
v /usr/sbin/allocp
v /usr/sbin/audit
v
v
v
v
v
/usr/sbin/auditbin
/usr/sbin/auditcat
/usr/sbin/auditconv
/usr/sbin/auditmerge
/usr/sbin/auditpr
v /usr/sbin/auditselect
v /usr/sbin/auditstream
v
v
v
v
v
v
v
/usr/sbin/backbyinode
/usr/sbin/cfgmgr
/usr/sbin/chcod
/usr/sbin/chcons
/usr/sbin/chdev
/usr/sbin/chpath
/usr/sbin/chtcb
v /usr/sbin/cron
v /usr/sbin/acct/accton
v /usr/sbin/arp64
34
AIX 5.3:
v
v
v
v
v
/usr/sbin/arp
/usr/sbin/devinstall
/usr/sbin/diag_exec
/usr/sbin/entstat
/usr/sbin/entstat.ethchan
v
v
v
v
v
v
v
/usr/sbin/entstat.scent
/usr/sbin/diskusg
/usr/sbin/exec_shutdown
/usr/sbin/fdformat
/usr/sbin/format
/usr/sbin/fuser
/usr/sbin/fuser64
v
v
v
v
v
v
/usr/sbin/getlvcb
/usr/sbin/getlvname
/usr/sbin/getvgname
/usr/sbin/grpck
/usr/sbin/getty
/usr/sbin/extendvg
v /usr/sbin/fastboot
v /usr/sbin/frcactrl64
v /usr/sbin/frcactrl
v
v
v
v
/usr/sbin/inetd
/usr/sbin/invscout
/usr/sbin/invscoutd
/usr/sbin/ipl_varyon
v /usr/sbin/keyenvoy
v /usr/sbin/krlogind
v /usr/sbin/krshd
v
v
v
v
v
/usr/sbin/lchangelv
/usr/sbin/lchangepv
/usr/sbin/lchangevg
/usr/sbin/lchlvcopy
/usr/sbin/lcreatelv
v /usr/sbin/ldeletelv
v /usr/sbin/ldeletepv
v
v
v
v
v
v
v
/usr/sbin/lextendlv
/usr/sbin/lmigratelv
/usr/sbin/lmigratepp
/usr/sbin/lparsetres
/usr/sbin/lpd
/usr/sbin/lquerylv
/usr/sbin/lquerypv
v /usr/sbin/lqueryvg
v /usr/sbin/lqueryvgs
v /usr/sbin/lreducelv
35
v
v
v
v
v
/usr/sbin/lresynclp
/usr/sbin/lresynclv
/usr/sbin/lsaudit
/usr/sbin/lscfg
/usr/sbin/lscons
v
v
v
v
v
v
v
/usr/sbin/lslv
/usr/sbin/lspath
/usr/sbin/lspv
/usr/sbin/lsresource
/usr/sbin/lsrset
/usr/sbin/lsslot
/usr/sbin/lsuser
v
v
v
v
v
v
/usr/sbin/lsvg
/usr/sbin/lsvgfs
/usr/sbin/login
/usr/sbin/lvaryoffvg
/usr/sbin/lvaryonvg
/usr/sbin/lvgenmajor
v /usr/sbin/lvgenminor
v /usr/sbin/lvrelmajor
v /usr/sbin/lvrelminor
v
v
v
v
/usr/sbin/lsmcode
/usr/sbin/mailq
/usr/sbin/mkdev
/usr/sbin/mklvcopy
v /usr/sbin/mknod
v /usr/sbin/mkpasswd
v /usr/sbin/mkpath
v
v
v
v
v
/usr/sbin/mkvg
/usr/sbin/mount
/usr/sbin/netstat64
/usr/sbin/mtrace
/usr/sbin/ndp
v /usr/sbin/newaliases
v /usr/sbin/named9
v
v
v
v
v
v
v
/usr/sbin/named8
/usr/sbin/netstat
/usr/sbin/nfsstat
/usr/sbin/pdelay
/usr/sbin/pdisable
/usr/sbin/penable
/usr/sbin/perf/diag_tool/getschedparms
v /usr/sbin/perf/diag_tool/getvmparms
v /usr/sbin/phold
v /usr/sbin/portmir
36
AIX 5.3:
v
v
v
v
v
/usr/sbin/pshare
/usr/sbin/pstart
/usr/sbin/putlvcb
/usr/sbin/putlvodm
/usr/sbin/qdaemon
v
v
v
v
v
v
v
/usr/sbin/quota
/usr/sbin/reboot
/usr/sbin/redefinevg
/usr/sbin/repquota
/usr/sbin/restbyinode
/usr/sbin/rmdev
/usr/sbin/ping
v
v
v
v
v
v
/usr/sbin/rmgroup
/usr/sbin/rmpath
/usr/sbin/rmrole
/usr/sbin/rmuser
/usr/sbin/rsct/bin/ctstrtcasd
/usr/sbin/srcd
v /usr/sbin/srcmstr
v /usr/sbin/rmsock64
v /usr/sbin/sendmail_ssl
v
v
v
v
/usr/sbin/sendmail_nonssl
/usr/sbin/rmsock
/usr/sbin/sliplogin
/usr/sbin/sendmail
v /usr/sbin/rwhod
v /usr/sbin/route
v /usr/sbin/snappd
v
v
v
v
v
/usr/sbin/swap
/usr/sbin/swapoff
/usr/sbin/swapon
/usr/sbin/swcons
/usr/sbin/switch.prt
v /usr/sbin/synclvodm
v /usr/sbin/tsm
v
v
v
v
v
v
v
/usr/sbin/umount
/usr/sbin/umountall
/usr/sbin/unmount
/usr/sbin/varyonvg
/usr/sbin/watch
/usr/sbin/talkd
/usr/sbin/timedc
v /usr/sbin/uucpd
v /usr/bin/bellmail
v /usr/bin/at
37
v
v
v
v
v
/usr/bin/capture
/usr/bin/chcore
/usr/bin/acctras
/usr/bin/acctctl
/usr/bin/chgroup
v
v
v
v
v
v
v
/usr/bin/chkey
/usr/bin/chque
/usr/bin/chquedev
/usr/bin/chrole
/usr/bin/chsec
/usr/bin/chuser
/usr/bin/confsrc
v
v
v
v
v
v
/usr/bin/crontab
/usr/bin/enq
/usr/bin/filemon
/usr/bin/errpt
/usr/bin/fileplace
/usr/bin/fileplacej2
v /usr/bin/fileplacej2_64
v /usr/bin/ftp
v /usr/bin/getconf
v
v
v
v
/usr/bin/ipcs
/usr/bin/ipcs64
/usr/bin/iostat
/usr/bin/logout
v /usr/bin/lscore
v /usr/bin/lssec
v /usr/bin/mesg
v
v
v
v
v
/usr/bin/mkgroup
/usr/bin/mkque
/usr/bin/mkquedev
/usr/bin/mkrole
/usr/bin/mkuser
v /usr/bin/netpmon
v /usr/bin/newgrp
v
v
v
v
v
v
v
/usr/bin/pagdel
/usr/bin/paginit
/usr/bin/paglist
/usr/bin/passwd
/usr/bin/pwck
/usr/bin/pwdadm
/usr/bin/pwdck
v /usr/bin/rm_mlcache_file
v /usr/bin/rdist
v /usr/bin/remsh
38
AIX 5.3:
v
v
v
v
v
/usr/bin/rlogin
/usr/bin/rexec
/usr/bin/rcp
/usr/bin/rmque
/usr/bin/rmquedev
v
v
v
v
v
v
v
/usr/bin/rsh
/usr/bin/ruptime
/usr/bin/rwho
/usr/bin/script
/usr/bin/setgroups
/usr/bin/setsenv
/usr/bin/shell
v
v
v
v
v
v
/usr/bin/su
/usr/bin/sysck
/usr/bin/tcbck
/usr/bin/sysck_r
/usr/bin/telnet
/usr/bin/tftp
v /usr/bin/traceroute
v /usr/bin/tn
v /usr/bin/tn3270
v
v
v
v
/usr/bin/usrck
/usr/bin/utftp
/usr/bin/vmstat
/usr/bin/vmstat64
v /usr/bin/yppasswd
v /sbin/helpers/jfs2/backbyinode
v /sbin/helpers/jfs2/diskusg
v /sbin/helpers/jfs2/restbyinode
,
AIX.

AIX .
(, ,
LDAP), . AIX
:
AIX PAM. .
AIX
AIX : getty, login, rlogin, rsh, telnet
tsm. pam_aix module, AIX
STD_AUTH, PAM_AUTH. AIX /etc/security/login.cfg,
mkhomeatlogin usw true (
/etc/security/login.cfg). chsec
automatic-home-directory-creation-at-login. ,
:
39
# chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
,
. , .
PAM
AIX pam_mkuserhome
PAM. pam_mkuserhome
. PAM ,
. ,
telnet PAM, /etc/pam.cfg:
telnet session optional pam_mkuserhome

. AIX
.
,
. mkuser mkgroup AIX
, .
, ()
dist_uniqid. dist_uniqid usw
/etc/security/login.cfg chsec.
:
# chsec -f /etc/security/login.cfg -s usw -a dist_uniqid=always
dist_uniqid :
never
( ).
always .
- mkuser (mkgroup) ,
. ,
(, mkuser id=234 foo, 234
- ).
uniqbyname
.
,
mkuser id=123 foo. ,

. , acct1 234.
LDAP acct1 mkuser -R LDAP acct1 235.
acct1 234 LDAP acct1
235.
: ,
dist_uniqid.
uniqbyname . , -
,
mkuser (mkgroup) .
, . .
: : , LDAP DCE. LDAP
acct1, DCE - acct2, 234.
uniqbyname mkuser -R files id=234 acct1
40
AIX 5.3:
(mkgroup -R files id=234 acct1), LDAP , 234

LDAP acct1. ,
mkuser (mkgroup) acct1 234.
DCE, mkuser (mkgroup) , 234
DCE acct2, acct1 .
.

, , .
, mkuser (mkgroup), .
root
root ,
.
root - /etc/passwd (UID), 0.
, root. , root
, UID, 0. ,
UID , . ,
root .
root , .
root . root
.
root , root.
.
: root, ,
.
root:
- ,
root.
, root.
su -.
root
root, , .
/var/adm/sulog. - ,
.
root /etc/security/user.
rlogin root false.
root, ,
.
, .
root , ,
su - root, , root
. ,
, .
root
CAPP/EAL4+ . 12.
41

root-user .
root-user .
, .
:
, ,
root.
:

root .
,
, ,
. ,
,
security.
.
, ,
.
security.

.

mksysb
.

.
.

.
system,
shutdown.
:
,
..
.

, .
, ,
shutdown.
SMIT:
, , , ,
SMIT.
SMIT:
42
AIX 5.3:
4.
SMIT
smit mkrole
smit chrole
smit lsrole
smit rmrole
smit lsrole
:
.
.
:

. ,
RoleAdmin chrole. ,
, .

. , UserAdmin
, security. ,
, mkuser ,
.
mkuser.
:
Backup
. Backup
:
Backup
.
Backup.
.
.
. Diagnostics
:
diag
.
Diagnostics, .
GroupAdmin
. GroupAdmin
:
chgroup
. GroupAdmin,
.
chgrpmem
. GroupAdmin,
( -
) , .
chsec
/etc/group
43
/etc/security/group. ,
. GroupAdmin
/etc/group /etc/security/group .
mkgroup
. GroupAdmin
.
rmgroup
. GroupAdmin
.
ListAuditClasses ( )
.
,
audit.
, ,
smit mkuser smit chuser. .
PasswdAdmin
root . PasswdAdmin
:
chsec
lastupdate flags .
PasswdAdmin chsec lastupdate flags
, .
lssec
lastupdate flags .
PasswdAdmin lssec lastupdate
flags , .
pwdadm
.
security.
PasswdManage ( )
. PasswdManage
:
pwdadm
.
security PasswdManage.
UserAdmin
root . UserAdmin
.
. UserAdmin
:
chfn
(gecos). ,
, UserAdmin, security,
gecos , .
gecos.
chsec
-, /etc/passwd,
/etc/security/environ, /etc/security/lastlog, /etc/security/limits
/etc/security/user, .

/usr/lib/security/mkuser.default , auditclasses.
chuser , .
44
AIX 5.3:
UserAdmin
, .
mkuser
( ).
UserAdmin
.
rmuser
. UserAdmin
, .
UserAudit ( )
.
UserAudit :
chsec
auditclasses mkuser.default ,
. UserAdmin,
auditclasses mkuser.default .
chuser .
UserAdmin .
lsuser
root , security,
auditclasses ,
. UserAdmin
.
mkuser

. UserAdmin
.
RoleAdmin
root .
RoleAdmin :
chrole . RoleAdmin,
.
lsrole
mkrole . RoleAdmin,
.
rmrole . RoleAdmin,
.
Restore
. Restore
:
Restore
.
Restore.
:
.
, ,
.
45
chfn
2555 root.security
UserAdmin
chuser
4550 root.security
UserAdmin, UserAudit
diag
0550 root.system
Diagnostics
lsuser
4555 root.security
UserAudit, UserAdmin
mkuser
4550 root.security
UserAdmin, UserAudit
rmuser
4550 root.security
UserAdmin
chgroup
4550 root.security
GroupAdmin
lsgroup
0555 root.security
GroupAdmin
mkgroup
4550 root.security
GroupAdmin
rmgroup
4550 root.security
GroupAdmin
chgrpmem
2555 root.security
GroupAdmin
pwdadm
4555 root.security
PasswdManage, PasswdAdmin
passwd
4555 root.security
PasswdManage, PasswdAdmin
chsec
4550 root.security
UserAdmin, GroupAdmin, PasswdAdmin,

UserAudit
lssec
0550 root.security
PasswdAdmin
chrole
4550 root.security
RoleAdmin
lsrole
0550 root.security
RoleAdmin
mkrole
4550 root.security
RoleAdmin
rmrole
4550 root.security
RoleAdmin
backup
4555 root.system
Backup
restore
4555 root.system
Restore

.
:
, .
. -
. , ,
.
- .
; .
.
,
. . 68.
:
v . ,
.
v . ,

.
v , WSM (Web-
) SMIT. ,
.
46
AIX 5.3:
v . ,
. /etc/passwd
(*), .
v - .
/etc/passwd.
v , admin true. ,
/etc/security/user admin=true,
root.
,
/etc/passwd /etc/system/group, :

.
,
.
.
:
.
9 . AIX 5.3
256 .
NULL,
8 255 .
v_max_logname
sys0. v_max_logname
ODM. , , . ,
ODM, .
:
. ,
, .
ODM:
v_max_logname .
lsattr v_max_logname ODM.
lsattr v_max_logname max_logname.
lsattr AIX 5L 5.3:
, 3.
, lsattr
max_logname:
$ lsattr -El sys0
SW_dist_intr
false
autorestart
true
boottype
disk
capacity_inc
1.00
capped
true
conslogin
enable
cpuguard
enable
dedicated
true
ent_capacity
4.00
SW

/

CPU

True
True
False
False
False
False
True
False
False
47
frequency
fullcore
fwversion
iostat
keylock
max_capacity
max_logname
maxbuf
maxmbuf
maxpout
maxuproc
min_capacity
minpout
modelname
ncargs
pre430core
pre520tune
realmem
rtasversion
sec_flags
sed_config
systemid
variable_weight
$
93750000
false
IBM,SPH01316
false
normal
4.00
20
20
0
0
128
1.00
0
IBM,7044-270
6
false
disable
3145728
1
0
select
IBM,0110B5F5F
0

-

.
.
. - -
. MBUF ()
. -
.
.
. -

ARG/ENV 4
, 430
520
()
RTAS

(SED)

False
True
False
True
False
False
True
True
True
True
True
False
True
False
True
True
True
False
False
True
True
False
False
:
v_max_logname .
getconf
getconf LOGIN_NAME_MAX
. getconf NULL.
, getconf
:
$ getconf LOGIN_NAME_MAX
20
$
sysconf
sysconf _SC_LOGIN_NAME_MAX
.
, sysconf
:
#include <unistd.h>
main()
{
long len;
len = sysconf(_SC_LOGIN_NAME_MAX);
printf("The name length limit is %d\n", len);
}
sys_parm
sys_parm SYSP_V_MAX_LOGNAME
.
48
AIX 5.3:
, sys_parm
:
#include <sys/types.h>
#include <sys/var.h>
#include <errno.h>
main()
{
int rc;
struct vario myvar;
rc = sys_parm (SYSP_GET, SYSP_V_MAX_LOGNAME, &myvar);
if (!rc)
printf("Max_login_name = %d\n", myvar.v.v_max_logname.value);
else
printf("sys_parm() failed rc = %d, errno = %d\n", rc, errno);
}
ODM:
.
ODM chdev.
.
v_max_logname ODM
chdev:
$ chdev -l sys0 -a max_logname=30
sys0 changed
$
:
.
.
mkuser .
chuser.
:
account_locked
admin
admgroups
auth1
auth2
daemon
login
logintimes
registry
rlogin
su
sugroups
ttys
True;
False.
True . .
, .
.
. SYSTEM.
: auth1 ; .
, auth1.
. NONE.
: auth2 ; .
,
startsrc. cron at.
, .
unsuccessful_login_count 0 ( loginsuccess).
, . ,
.
. ,
NIS, LDAP Kerberos.
, rlogin telnet.
, su.
, .
, .
49
expires
loginretries
umask
rcmds
hostallowedlogin
hostsdeniedlogin
maxulogs
; .

. /etc/security/lastlog.
umask .
rsh exec.
allow rsh rexec . deny
rsh rexec . hostlogincontrol ,
hostallowedlogin hostsdeniedlogin.
, .
,
.
, .
,
.
,
.
/etc/security/user ,/etc/security/limits,
/etc/security/audit/config /etc/security/lastlog. ,
mkuser, /usr/lib/security/mkuser.default. mkuser.default
, default
/etc/security/user /etc/security/limits.
.
, ,
, unsuccessful_login_count
/etc/security/lastlog ,
. chsec:
chsec -f /etc/security/lastlog -s username -a
unsuccessful_login_count=0
chsec default
, , /etc/security/user or /etc/security/limits.
. ,
, user /usr/lib/security/
mkuser.default.
, , . 59.
, ,
, .

account_locked
rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login
login
.
login ,
(rexec, rsh, rcp, ssh,
scp, rlogin, telnet ftp).
logintimes
rlogin
,

(ssh, scp, rlogin telnet).
loginretries
/etc/nologin
rcmds=deny
rexec, rsh, rcp, ssh, scp
50
AIX 5.3:
rcmds=hostlogincontrol and hostsdeniedlogin=<target_hosts>
ttys = !REXEC, !RSH
ttys = !REXEC, !RSH, /dev/pts
rexec, rsh
ttys = !REXEC, !RSH, ALL
rexec, rsh
expires
: rsh .
.
:
() .
, .
,
, .
, , .
, .
, , ,
, , .
:
,
. .
ACL
. 71.
PATH:
PATH . ,
.
PATH /etc/profile, PATH
$HOME/.profile. PATH .profile
, .
PATH
"" ( root). ,
,
, , .
, , PATH ,
/tmp. /tmp
su, root ,
su. /tmp/su root
, su . root,
su, , .
PATH :
v . PATH
.
51
v (. ) PATH root.
/etc/profile.
v root PATH .profile.
/etc/profile ,
root .
v .profile
.
. .profile 740.
v root su
, PATH .profile
. .profile.
root , ,
, :
/usr/bin/su - root
, root. root
.
v , (IFS),
/etc/profile file. IFS .profile
PATH.
secldapclntd:
secldapclntd LDAP.
secldapclntd , /etc/security/ldap/
ldap.cfg ( LDAP). , secldapclntd ,
LDAP LDAP,
LDAP. ,
. ,
.
secldapclntd LDAP. -
, , ,
.
connectionsperserver /etc/security/ldap/ldap.cfg
. , connectionsperserver numberofthread,
secldapclntd connectionsperserver numberofthread.
connectionsperserver - 1 100. - 10 (connectionsperserver:
10).
connectionmissratio /etc/security/ldap/ldap.cfg
LDAP. connectionmissratio - ,
LDAP (handle-miss) .
connectionmissratio, secldapclntd
LDAP ( , connectionsperserver).
connectionmissratio - 10 90. - 50 (connectionmissratio:
50).
connectiontimeout /etc/security/ldap/ldap.cfg
secldapclntd. connectiontimeout - 5
( ). - 300 (connectiontimeout: 300).
FTP
FTP .
52
AIX 5.3:

AIX 5.3. AIX,
, .
FTP
.
: (CAPP)
4+ (EAL4+).
1. , bos.net.tcp.client:
lslpp -L | grep bos.net.tcp.client
, .
.
2. , bos.net.tcp.client:
lslpp -L | grep bos.net.tcp.client
, .
.
3. , /home 8
:
df -k /home
, 6, 8
/home .
.
4. , /home 8
:
df -k /home
, 6, 8
/home .
.
5. root /usr/samples/tcpip . :
cd /usr/samples/tcpip
6. :
./anon.ftp
7. /home/ftp?, .
:
.
/home/ftp/bin.
/home/ftp/etc.
/home/ftp/pub.
/home/ftp/lib.
/home/ftp/dev/null.
/home/ftp/usr/lpp/msg/en_US.
8. /home/ftp. :
cd /home/ftp
9. , home:
mkdir home
10. , /home/ftp/home drwxr-xr-x:
53
chmod 755 home
11. , /home/ftp/etc:
cd /home/ftp/etc
12. objrepos :
mkdir objrepos
13. , /home/ftp/etc/objrepos
drwxrwxr-x:
chmod 775 objrepos
14. /home/ftp/etc/objrepos root system

:
chown root:system objrepos
15. , security:
mkdir security
16. , /home/ftp/etc/security
drwxr-x:
chmod 750 security
17. /home/ftp/etc/security root security

:
chown root:security security
18. , /home/ftp/etc/security:
cd security
19. SMIT:
smit mkuser
test.
20. SMIT :
[test]
?

[staff]

[staff]
SU ?

[/home/test]
Enter, .
SMIT SMIT.
21. :
passwd test
, .
.
22. , /home/ftp/etc:
cd /home/ftp/etc
23. /etc/passwd /home/ftp/etc/passwd :

cp /etc/passwd /home/ftp/etc/passwd
24. /home/ftp/etc/passwd . :
vi passwd
25. , root, ftp test.

:
root:!:0:0::/:/bin/ksh
ftp:*:226:1::/home/ftp:/usr/bin/ksh
test:!:228:1::/home/test:/usr/bin/ksh
54
AIX 5.3:
26. .
27. , /home/ftp/etc/passwd
-rw-r--r--:
chmod 644 passwd
28. /home/ftp/etc/passwd root security

:
chown root:security passwd
29. /etc/security/passwd /home/ftp/etc/security/passwd

:
cp /etc/security/passwd /home/ftp/etc/security/passwd
30. /home/ftp/etc/security/passwd . :
vi ./security/passwd
31. test.
32. flags = ADMCHG test.
:
test:
password = 2HaAYgpDZX3Tw
lastupdate = 990633278
33. .
34. , /home/ftp/etc/security/passwd
-rw-------:
chmod 600 ./security/passwd
35. /home/ftp/etc/security/passwd root

security :
chown root:security ./security/passwd
36. /home/ftp/etc/group . :
vi group
37. :
system:*:0:
staff:*:1:test
38. .
39. , /home/ftp/etc/group -rw-r--r-:
chmod 644 group
40. /home/ftp/etc/group root security

:
chown root:security group
41. /home/ftp/etc/security/group . :
vi ./security/group
42. :
system:
admin = true
staff
admin = false
43. . :
a. /etc/security/user /home/ftp/etc/security
:
cp /etc/security/user /home/ftp/etc/security
cd /home/ftp/etc/
b. test :
vi user
55
c. .
44. , /home/ftp/etc/security/group
-rw-r-----:
chmod 640 ./security/group
45. /home/ftp/etc/security/group root security

:
chown root:security ./security/group
46. /home/ftp/etc/objrepos:
cp
cp
cp
cp
cp
cp
cp
/etc/objrepos/CuAt ./objrepos
/etc/objrepos/CuAt.vc ./objrepos
/etc/objrepos/CuDep ./objrepos
/etc/objrepos/CuDv ./objrepos
/etc/objrepos/CuDvDr ./objrepos
/etc/objrepos/CuVPD ./objrepos
/etc/objrepos/Pd* ./objrepos
47. , /home/ftp/home:
cd ../home
48. :
mkdir test
ftp.
49. /home/ftp/home/test test staff
:
chown test:staff test
50. /home/ftp/home/test -rwx------ :

chmod 700 test
51. .
:
chuser login=false rlogin=false test
ftp. , :
1. ftp , test. :
ftp MyHost
2. anonymous. ,
Enter.
3. test :
user test
, 21 . 54
4.
pwd . :
ftp> pwd
/home/test
/home/test ftp.
- /home/ftp/home/test.
:
v ftp sub. , test - ftp sub.
v ftp anonymous anon.users.ftp
, username .
v chroot ,
anonymous , , fileftpaccess.ctl,
56
AIX 5.3:
, ~/etc/, .
'writeonly', 'readonly' 'readwrite' /etc/ftpaccess.ctl
chrooted.
:
v " TCP/IP"
v " ftp" AIX 5L 5.3:

AIX ,
root system .
: .
(*)
/etc/security/passwd. root .
root, .
:
adm
adm :
v , /usr/sbin/perf/diag_tool.
v , :
/usr/sbin/acct
/usr/lib/acct
bin
/var/adm
/var/adm/acct/fiscal
/var/adm/acct/nite
/var/adm/acct/sum
bin .
-
, root sys.
daemon
daemon
. ,
.
nobody
nobody (NFS) .
root root. ,
RPC NFS, /etc/public NIS
, . root
:
newkey -u _
nobody,
chkey, root.
root
root UID 0
.
sys
sys (DFS)
, DFS .
, /usr/sys .
57
system system - , .
system .
root.
, :
.
,
.
, .
: (,
CAPP/EAL4). ,
AIX, AIX.
, :
v ,
:
chuser "account_locked=true" <username>
v , , . :
uucp nuucp, bos.net.uucp
.
,
:
5. , .

uucp, nuucp
, uucp. uucp
UNIX-to-UNIX Copy Program,
, ,
AIX .
lpd
guest
, .
, :
6. , .

uucp
uucp nuucp
printq
lpd.
, .
. .
, :
, LDAP OpenSSH
.
:
v Internet (IP): IP ipsec ipsec
. . ,
/usr/lpp/group.id.keymgt .
58
AIX 5.3:
v Kerberos (PKI):
.
v LDAP: LDAP, ldap.
ldap . LDAP,
DB2. DB2 dbsysadm. dbsysadm
400. LDAP mksecldap ldapdb2.
v OpenSSH: OpenSSH, sshd sshd.
.
SSH .
- .
.
AIX , , ,
:
v
v
v
:
.
, :
v ,
v , . , :
~!@#$%^&*()-_=+[]{}|\;:'",.<>?/<>
v
v , /etc/security/passwd (
,
LDAP)
v ,
v ( - qwerty)
v ,
v ,
v ,
v ,
, ,
UNIX, . dictionlist,
bos.data bos.txt.
dictionlist /etc/security/users
:
dictionlist = /usr/share/dict/words
/usr/share/dict/words dictionlist
UNIX .
/etc/passwd:
59
/etc/passwd ,
.
/etc/passwd , :
v
v
v (UID)
v
v
v
v
(GID)
(GECOS)

/etc/passwd:
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:*:11:11::/var/spool/lp:/bin/false
invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh
nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
paul:!:201:1::/home/paul:/usr/bin/ksh
jdoe:*:202:1:John Doe:/home/jdoe:/usr/bin/ksh
UNIX, AIX /etc/password,

/etc/security/password 1, root.
/etc/passwd AIX , .
/etc/passwd root ,
- root, -rw-r--r--.
, (!) ( ).
, (*).
/etc/security/passwd.
/etc/security/passwd, /etc/passwd.
guest:
password = *
nobody:
password = *
lpd:
password = *
paul:
password = eacVScDKri4s6
lastupdate = 1026394230
flags = ADMCHG
jdoe /etc/security/passwd,
/etc/passwd.
1. /etc/security/password
60
AIX 5.3:
/etc/passwd pwdck. pwdck

,
.
/etc/passwd :
,
.
, /etc/passwd .
/etc/passwd .
,
/etc/passwd, (NIS) NIS+.
NIS NIS+ NIS
NIS+ . 238.
:
.
.netrc .
. , :
# find `awk -F: '{print $6}' /etc/passwd` -name .netrc -ls
, . - Kerberos.
Kerberos Kerberos . 258.
:
.
.

.
/etc/security/user,
.
. . ,
/etc/security/user,
. .
. pwdchecks
/etc/security/user ()
. ,
.
. 63.
.
: ,
,
, . ,
. ,
-
.
61
,
, /etc/security/user.
7. .
/usr/share/dict/words
dictionlist

UNIX.
histexpire
,

.
26
260*
histsize
20
50
maxage
-

.
52
maxexpired

maxage,

. (
-
root.)
-1
52
maxrepeats
minage
-
.

,

,

.
52
minalpha
mindiff
minlen
6 (8 -
root)
minother

,
, .
pwdwarntime
62
AIX 5.3:
7. . ()
pwdchecks

passwd

.
* 50 .
Controlled Access Protection Profile and Evaluation Assurance Level 4+
(CAPP/EAL4+) . 13.
, dictionlist
/usr/share/dict/words.
minother 0. ,
minother, minother 1
.
: minlen
minalpha minother. 8 .
minalpha minother 8.
minother 8 minalpha.
histexpire histsize, ,
, 50 . .
/etc/security/user
. ,
chuser.
, mkuser, lsuser rmuser. mkuser
/etc/security/user
/usr/lib/security/mkuser.default. lsuser
. rmuser .
:
, (
), .
, ,
. pwdchecks
/etc/security/user.
pwdrestrict_method,
, AIX 5L 5.3: .
,
.
. login,
passwd, su .
.

, , .
63
. ,
(
). , :
. /etc/passwd
/etc/security/passwd.
.
ASCII.
. ,
LDAP,
LDAP. /etc/security/user
( SYSTEM registry).
(, ,
), AIX,
.
, , ,
(newuser, getentry, putentry ..)
SYSTEM,
/etc/security/user. SYSTEM
,
. , (DCE) ,
, etc/passwd /etc/security/passwd.
SYSTEM ,
.
: compat, DCE, files NONE.
compat. SYSTEM=compat ,
( ) , -
NIS. files , , SYSTEM=DCE
DCE.
NONE .
NONE SYSTEM auth1 .

. , SYSTEM=DCE OR compat
, ,
DCE (crypt()).
.
SYSTEM . ,
SYSTEM SYSTEM=KRB5files OR compat, AIX
Kerberos, , ,
AIX.
SYSTEM registry /etc/security/user .
AIX LDAP SYSTEM
registry, /etc/security/user .
SYSTEM registry chuser.
SYSTEM /usr/lib/security/methods.cfg.
64
AIX 5.3:
: root .
SYSTEM root /etc/security/user SYSTEM=compat.
SYSTEM,
/etc/security/user. , (DCE) ,
, /etc/passwd
/etc/security/passwd. /etc/security/user ,
DCE, SYSTEM=DCE.
SYSTEM - compat, files NONE. compat
, ( )
, - NIS. files ,
. NONE .
NONE SYSTEM auth1 .
SYSTEM /usr/lib/security/
methods.cfg.
: root .
SYSTEM root /etc/security/user SYSTEM = "compat".

.

,
.
.
,
AIX .
, ,
. ,
- . ,
.
: PKI Kerberos ,
( LOCAL LDAP). ()
, LOCAL LDAP.
, LOCAL LDAP.
8.
NIS/NIS+
LDAP
PKI
Kerberos
account_locked
admgroups
admin
auditclasses
auth_cert
auth_domain
auth_name
65
8. ()
NIS/NIS+
LDAP
PKI
Kerberos
auth1
: auth1 ;
.
auth2
: auth2 ;
.
capabilities
core
core_compress
core_hard
core_naming
core_path
core_pathname
cpu
daemon
data
data_hard
dce_export
dictionlist
expires
flags
fsize
fsize_hard
funcmode
gecos
groups
groupsids
histexpire
home
host_last_login
host_last_unsuccessful_login
hostsallowedlogin
hostsdeniedlogin
id
krb5_attributes
krb5_kvno
krb5_last_pwd_change
krb5_max_renewable_life
krb5_mknvo
krb5_mod_date
krb5_mod_name
krb5_names
krb5_principal
krb5_principal_name
krb5_realm
66
AIX 5.3:
8. ()

NIS/NIS+
LDAP
PKI
Kerberos
lastupdate
login
loginretries
logintimes
maxage
maxexpired
maxrepeats
maxulogs
minage
minalpha
mindiff
minlen
minother
nofiles
nofiles_hard
password
pgid
pgrp
projects
pwdchecks
pwdwarntime
rcmds
registry
rlogin
roles
rss
rss_hard
screens
shell
spassword
stack
stack_hard
su
sugroups
sysenv
SYSTEM
time_last_login
time_last_unsuccessful_login
tpath
tty_last_login
tty_last_unsuccessful_login
ttys
umask
unsuccessful_login_count
67
8. ()

NIS/NIS+
LDAP
PKI
Kerberos
unsuccessful_login_times
usrenv
9.

NIS/NIS+
LDAP
PKI
Kerberos
admin
adms
dce_export
id
primary
projects
screens
users

, .
:
, Berkeley Disk Quota System,
.
.
(JFS JFS2).
,
edquota ( JFS) j2edlimit (
JFS2):
v
v
v
1 ,
.
,
.
( - ) .

, ,
.
, .
quota.user quota.group.
, .
quotacheck edquota, quota.
:
68
AIX 5.3:

.

:
v , , ,
, .
v , vi, Esc- ,
, .
, C Korn , Ctrl-Z,

fg (foreground).
v , , ,
.
:
, ,
.
:
v .
v .
v ( ).
,
.
.
: /tmp.
:
1. root.
2. , .
:
/tmp, .
3. chfs userquota groupquota /etc/filesystems.
chfs
/home:
chfs -a "quota = userquota" /home
/home :
chfs -a "quota = userquota,groupquota" /home
/etc/filesystems :
/home:
dev
vfs
log
= /dev/hd1
= jfs
= /dev/hd8
69
mount
check
quota
options
=
=
=
=
true
true
userquota,groupquota
rw
4. , .
quota.user quota.group , ,
. .
userquota groupquota /etc/filesystems.
chfs
/home, myquota.user myquota.group:
chfs -a "userquota = /home/myquota.user" -a "groupquota = /home
/myquota.group" /home
/etc/filesystems :
/home:
dev
vfs
log
mount
check
quota
userquota
groupquota
options
=
=
=
=
=
=
=
=
=
/dev/hd1
jfs
/dev/hd8
true
true
userquota,groupquota
/home/myquota.user
/home/myquota.group
rw
5. , .
6. . edquota

.
davec:
davec:
/home: blocks in use: 30, limits (soft = 100, hard = 150)
inodes in use: 73, limits (soft = 200, hard = 250)
30 100 .
200 davec 73.
50 50 .
, edquota -p,
.
davec nanc :
edquota -p davec nanc
7. quotaon. quotaon
, -a, ,
( /etc/filesystems).
8. quotacheck
.
:
.
,
/etc/rc :
echo " "
/usr/sbin/quotacheck -a
/usr/sbin/quotaon -a
70
AIX 5.3:

, ACL , (ACE).
ACE .
ACL,
, , . ACL
- (DAC),
AIX.
,
. ,
:
v
v
v IPC, ,

. System V Interprocess Communication (SVIPC)
, . ,
,
. (
), ( ).
.

.
,
. ,
.
, ACL, ( ),
. , ACL ,
, .
,
. .
, .
:
System V Interprocess Communication (SVIPC)

, . SVIPC ,
( ).
root.
SVIPC , .

(
).
.
-, . ( SVIPC
, .
.)
71
chmod ( )
. chmod, ,
. chmod ACL
. chmod ,
, ACL NSF4,
ACL AIXC.
chmod.
, , ACL,
. ACL .
AIX . ,
ACL, . ACL
ACE; ACE
. ACL,
AIX 5.3, . ACL ACL
AIXC.
, ACL
(PFS). PFS ACL, ,
.
ACL ( )
, ACL . AIX 5.3
, AIX, ACL . JFS2
GPFS ACL NFS 4. AIX
ACL NFS4. ACL ACL
NFS 4. , ACL NFS4
ACL AIXC , .

5.3.0, AIX ACL, ACL
.
ACL .
:
ACL
, aclget, aclput, acledit, aclconvert aclgetttypes.
, ACL .
ACL
ACL ,
ACL.
ACL
AIX ,
AIX (AIXC) NFS4 (nfs4).
:
, , JFS2 ACL
AIX , .
, ,
ACL ( NFS4), . ,
, ACL NFS4, .
72
AIX 5.3:
, AIX
AIX ACL AIXC NFS4.
, AIX , ACL ,
. , JFS2 PFS
ACL NFS4 ,
2.
AIXC:
ACL AIXC , ACL AIX 5.3.0. ACL AIXC
.
(ACL) AIXC , ACL AIX 5.3.0.
ACL AIXC . JFS2
ACL AIXC 4 .
ACL AIXC
- , ,
. : (r read), (w - write) / (x - execute).
rwx (
(-) ):
base permissions:
owner(name):
group(group):
others:
ACL AIXC
AIXC :
setuid (SUID)
Set-user-ID.
.
setgid (SGID)
Set-group-ID.
.
savetext (SVTX)
,
.
:
attributes: SUID, SGID, SVTX
ACL AIXC
.
(,
), , ,
. .
permit, deny specify :
73
permit
deny
specify
deny specify -
, .
ACL enabled.
disabled.
ACL :
extended permissions:
enabled | disabled
permit
...
deny
...
specify ...
permit, deny specify . Mode

rwx ( (-)). UserInfo
u:UserName, g:GroupName, u:UserName
g:GroupName.
: ,
,
.
ACL AIXC
ACL AIXC:
Attributes: { SUID | SGID | SVTX }
Base Permissions:
owner(name):
group(group):
others:
Extended Permissions:
enabled | disabled
permit
...
deny
...
specify ...
ACL AIXC
ACL AIXC /usr/include/sys/acl.h
AIX.
ACL AIXC
AIXC:
attributes: SUID
base permissions:
owner(frank): rwgroup(system): r-x
others: --extended permissions:
enabled
74
AIX 5.3:
permit
deny
specify
permit
rw- u:dhs
r-- u:chas, g:system
r-- u:john, g:gateway, g:mail
rw- g:account, g:finance
ACL:
v , setuid.
v , , .
v .
.
. chown
chgrp.
v , , .
v , .
v .
dhs (r) (w).
v (r) chas
system.
v , john
gateway mail, (r). john
, .
v ,
account finance, (r) (w).
: , ,
, , ,
, , .
acledit AIX 5L 5.3:
.
NFS4:
AIX (ACL) NFS4.
, ACL NFS4, RFC
3530, NFS 4. JFS2 ACL NFS4
64 .
NFS V4 NFS V4 ACL. Cachefs, Proxy, NFS V4 ACL.
ACL NFS4
ACL NFS V4 (ACE),
. ACE
:
IDENTITY
ACE_TYPE
ACE_MASK
ACE_FLAGS
IDENTITY => '-IDENTITY:(IDENTITY- IDENTITY-, IDENTITY-):'
-IDENTITY => :
u :
g :
s : ""
( IDENTITY-
)
75
IDENTITY- => /
IDENTITY- => /
IDENTITY- => "" (, OWNER@, GROUP@, EVERYONE@)
ACE_TYPE => ACE:
a :
d :
l :
u :
ACE MASK => :
r : READ_DATA LIST_DIRECTORY
w : WRITE_DATA ADD_FILE
p : APPEND_DATA ADD_SUBDIRECTORY
R : READ_NAMED_ATTRS
W : WRITE_NAMED_ATTRS
x : EXECUTE SEARCH_DIRECTORY
D : DELETE_CHILD
a : READ_ATTRIBUTES
A : WRITE_ATTRIBUTES
d : DELETE
c : READ_ACL
C : WRITE_ACL
o : WRITE_OWNER
s : SYNCHRONIZE
ACE_FLAGS ( ) => :
fi : FILE_INHERIT
di : DIRECTORY_INHERIT
oi : INHERIT_ONLY
ni : NO_PROPAGATE_INHERIT
sf : SUCCESSFUL_ACCESS_ACE_FLAG
ff : FAILED_ACCESS_ACE_FLAG
: SYNCHRONIZE Ace_Mask, s, AIX

. AIX s,
AIX.
WRITE_OWNER Ace_Mask Ace_Type allow,
.
: DELETE
DELETE_CHILD . AIX
. DELETE ACL AIXC.
DELETE ACL NFS4.
chdev:
chdev -l sys0 -a nfs4_acl_compat=compatible
, chdev, .
, ACL NFS4, AIX
,
.
:
u:user1(aa@ibm.com):
*s:(OWNER@):
g:staff(jj@jj.com):
s:(GROUP@):
u:2:
g:7:
s:(EVERYONE@):
a
d
a
a
d
a
a
rwp
fidi
x
dini
rx
rwpx fioi
r
di
ac
fi
rca ni
* -
* (uid=2)
* (gid=7)
ACL NFS4
ACL NFS4 /usr/include/sys/acl.h
AIX.
76
AIX 5.3:
ACL NFS4
ACL NFS4 (, j2eav2/d0):
s:(OWNER@):
s:(OWNER@):
s:(GROUP@):
s:(GROUP@):
s:(EVERYONE@):
s:(EVERYONE@):
u:user1:
g:grp1:
u:101:
g:100:
a
d
d
a
a
d
a
d
a
d
rwpRWxDdo
D
x
rx
c
C
wp
wp
C
c
difi
difi
ni
difi
difi
difi
oi
*
*
*
*
*
*
*
*
*
*
ACE
ACE
ACE
ACE
ACE
ACE
ACE
ACE
ACE
ACE
ACL:
v ACE , /j2eav2/d0
, ACL:
READ_DATA ( = LIST_DIRECTORY)
WRITE_DATA (=ADD_FILE )
APPEND_DATA ( = ADD_SUBDIRECTORY )
READ_NAMED_ATTR
WRITE_NAMED_ATTR
EXECUTE (=SEARCH_DIRECTORY)
DELETE_CHILD
DELETE
WRITE_OWNER
ACE , DELETE_CHILD (
, /j2eav2),
ACE, DELETE_CHILD.
ACE , (/j2eav2/d0)
EXECUTE (=SEARCH_DIRECTORY), ACE.
ACE , NO_PROPAGATE_INHERIT.
ACE /j2eav2/d0,
.
ACE , (/j2eav2/d0)
READ_DATA (= LIST_DIRECTORY) EXECUTE (=SEARCH_DIRECTORY)
/j2eav2/d0 . ACE (
) EXECUTE (=SEARCH_DIRECTORY) /j2eav2/d0
.
ACE , READ_ACL
/j2eav2/d0 , ACL.
v ACE , WRITE_ACL
/j2eav2/d0 .
NFS4 WRITE_ACL.
v ACE , user1 WRITE_DATA (=ADD_FILE)
APPEND_DATA (= ADD_SUBDIRECTORY) /j2eav2/d0,
/j2eav2/d0.
v ACE , grp1 WRITE_DATA (=ADD_FILE )
APPEND_DATA ( =ADD_SUBDIRECTORY). ACE
, grp1.
v ACE , UID 101 WRITE_ACL,
, , WRITE_ACL.
77
v ACE , GID 100 READ_ACL,

.

ACL. AIX
ACL WSM (Web- )
.

ACL ACL, .
ACL
ACL :
aclget
ACL FileObject
outAclFile, , .
aclput ACL FileObject,

inAclFile.
acledit ACL FileObject.
aclconvert
ACL . ,
.
aclgettypes
ACL, .
ACL
ACL ,
ACL. (
ACL) ACL .
,
ACL . ,
,
-
AIX.
.
aclx_fget aclx_get
aclx_get aclx_fget
, acl.
acl *acl_sz *acl_type.
aclx_fput aclx_put
aclx_put aclx_fput , acl,
, . ACL;
aclx_convert.
aclx_gettypes
aclx_gettypes ACL,
. ACL.
ACL.
aclx_gettypeinfo
aclx_gettypeinfo ACL ,
. ACL ,
78
AIX 5.3:
ACL. ,
AIXC NFS4, .
aclx_print aclx_printStr
ACL, , .
aclget acledit.
aclx_scan aclx_scanStr
ACL, ,
.
aclx_convert
ACL .
, cp, mv tar.
ACL
ACL . ACL
.
ACL. , AIXC,
AIXC, NFS4. ACL
AIXC , ACL
NFS . ACL
.
: .
.
ACL.
ACL AIX :

ACL ACL
.
aclconvert
ACL.
aclput acledit
ACL.
cp mv
ACL.
ACL.
backup
ACL (ACL AIXC),
. ACL
-U.
.
ACL ,
ACL. , ,
, . .
, NFS4 AIXC, NFS4
16 ,
ACL AIXC). ,
ACL.
: ACL .
79
S-
setuid setgid, S-
.
setuid setgid

. setuid setgid.
AIX uid gid. ACL,
, AIX.
, ACL NFS4
@, UID GID.
, ,
.
, setuid setgid.
, . setuid
, setgid -
. .
, ,
. , setuid setgid
. ,
.
, ,
. ,
, ,
.
: setuid setgid
.
S- ACL
ACL NFS4 S-. ACL NFS4
. AIX S-
, ACL NFS4. S- ,
ACL NFS4, chmod.

.
. ,
0, .
, 0, root-user.
:
v .
v .
v setuid-root.
80
AIX 5.3:
: su
setuid-root. su
root. , su ,
.
setuid-root - , root
setuid. setuid-root
, : ,
.
setuid-root, .

login su,
,
. .
0 root.
. , root ,
, .
ACL AIXC
.
, .
, , , (
others). , : ,
.
, , ( )
:
v (ACE), (ACL),
.
, .
, ACL.
ACL,
, .
v (.. )
(.. ), .
.
ACL ,
.
USER ,
GROUP
. , :
USER:fred, GROUP:philosophers, GROUP:software_programmer
fred
:
philosophers, philanthropists, software_programmer, doc_design
fred
:
philosophers, iconoclasts, hardware_developer, graphic_design
81
,
:
USER:fred, GROUP:philosophers
, ACL ,
, .

. System V Interprocess Communication (SVIPC)
, . ,
,
. (
), ( ).
.

.
,
. ,
.
ACL NFS4
, _ACL, .
WRITE_ACL. ACL
NFS4 :
v ACE .
, "who" (.. ), .
ACE,
who EVERYONE@.
v ACE , ,
. , ,
ACE.
v , ,
ACE .
v ACL ,
, .
ACE ,
, , root,
. , READ_ACL,
WRITE_ACL, READ_ATTRIBUTES WRITE_ATTRIBUTES.
NFS4 . 75.

(ACL).
NFS4
,
ACL NFS4 , .
aclput acledit.
82
AIX 5.3:

echo $? aclput.
:
22 (EINVAL, /usr/include/sys/errno.h)
:
v - 4 .
v ACL NFS4 64 .
v ACL , ACE
w (WRITE_DATA), p (APPEND_DATA ), p (APPEND_DATA), w
(WRITE_DATA).
v ACL , ACE
w (WRITE_DATA), p (APPEND_DATA), p (APPEND_DATA), w ( WRITE_DATA),
fi (FILE_INHERIT).
v ACE OWNER@,
who (Identity), ACE c (READ_ACL), C (WRITE_ACL), a
(READ_ATTRIBUTE) A (WRITE_ATTRIBUTE) ACE d.
124 (ENOTSUP, /usr/include/sys/errno.h)
:
v who (OWNER@, GROUP@
EVERYONE@) ACE.
v u (AUDIT) l (ALARM).
13 (EACCES, /usr/include/sys/errno.h)
:
v , ACE NFS4.
v ,
x ().
v ACL. ACL NFS4,
, , ACE C (WRITE_ACL).

. ,
ACL
NFS4. , /j2v2/file1 ACL NFS4:
s:(EVERYONE@):
acC
input_acl_file ACL:
s:(EVERYONE@):
rwxacC
:
1. , aclput trcrpt, : aclput and trcrpt using the
following commands:
$ trace -j 478 -o trc.raw
$->!aclput -i input_acl_file -t NFS4 /j2v2/file1
$ ->quit
$ trcrpt trc.raw > trc.rpt
2. . ACL
ACL, ACL.
:
83
478 xxx xxx ACL ENGINE: chk_access entry: type=NFS4 obj_mode=33587200 size=68 ops=16384 uid=100
478 xxx xxx ACL ENGINE: chk_access exit: type=NFS4 rc=0 ops=16384 priv=0 against=0
478 xxx xxx ACL ENGINE: set_acl entry: type=NFS4 ctl_flg=2 obj_mode=33587200 mode=0 size=48
478 xxx xxx ACL ENGINE: validate_acl: type=NFS4 rc=22 ace_cnt=1 acl_len=48 size=12
478 xxx xxx ACL ENGINE: set_acl exit: type=NFS4 rc=22 obj_mode=33587200 size=68 cmd=536878912
, chk_access exit, ACL (rc = 0).

, validate_acl, , set_acl exit, , ACL
(rc=22 EINVAL). , validate_acl, ,
ACE (ace_cnt=1). ACE,
s:(EVERYONE@): a
rwxacC), , p.
w p.

( ) ,
ACL NFS4, . ,
.
. ,
/j2v2/file2 ACL NFS4:
s:(EVERYONE@):
rwpx
" ":
ls -l /j2v2/file2
:
1. , ls -l /j2v2/file2, trcrpt :
$ trace -j 478 -o trc.raw
$->!ls -l /j2v2/file2
$ ->quit
$ trcrpt trc.raw > trc.rpt
2. . :
478
478
478
478
xxx
xxx
xxx
xxx
xxx
xxx
xxx
xxx
ACL
ACL
ACL
ACL
ENGINE:
ENGINE:
ENGINE:
ENGINE:
chk_access entry: type=NFS4 obj_mode=33587711 size=68 ps=1024 uid=100

nfs4_chk_access_self: type=NFS4 aceN=1 aceCnt=1 req=128 deny=0
nfs4_mask_privcheck: type=NFS4 deny=128 priv=128
chk_access exit: type=NFS4 rc=13 ops=1024 priv=0 against=0
, = 128 (0x80),
READ_ATTRIBUTES (. /usr/include/sys/acl.h).

,
. , ,
.

, .
v . 85
v . 85
v . 85
.
84
AIX 5.3:

(TCB) (
), ( ).
, . ,
/
. , ,
, .
( ),
( ). ,
, ,
.
/
.
audit, .
, , /etc/security/audit/
config

.
, ,
, .
,
, ( , ,
), , .
.
( ) :

, .

,
. .
- ,
. , .
,
.
,
. , ,
,
, .

.
,
. .
( auditselect ,
SQL). ,
.
, ,
.
85
, , ,
. -,
, -
.

, .
, , ,
.
, -
(TCB). TCB,
,
.
.

.
, TCB
, ,
.

:
. TCB
auditlog auditwrite, TCB, ,
.
.
, ,
. : ,
. ( ).
(, ,
, tty,
), .
, .
.
,
(SVC),
. ,
.

,
, .
/usr/include/sys/audit.h. .
/etc/security/audit/events.
,
, ,
.
. , ,
86
AIX 5.3:
login , ,
auditlog .
( , ) ,
. , -
.

.
, .

:

, ,
.
.
.
,
. ,
, .

.
, (
).
, . ,
,
(//).

(
).
,
.
.

-. ,
. - ,
( ), .
,
. ,
-, . ,
, , .
.
:
87
1. .
-
. -
trace. -,
. . ,
-,
, auditcat.
( auditcat), /etc/security/audit/config
freespace. 512-
, syslog.
, binmode start /etc/security/audit/config
panic. freespace bin ,
25 ,
. bytethreshold binsize 65536 .
. ,
.
/dev/audit.
. , , .
:
88
AIX 5.3:
2. .
,
, , .
- ,
( , - ).

, ,
.

auditselect, auditpr
auditmerge. ,
, .
auditselect
, SQL-like, .
, exec(), afx, :
auditselect -e "login==afx && event==PROC_Execute"
auditpr
, .
89
.
auditpr:
auditpr -v -hhelrtRpPTc
-v, ,
, , (.
/etc/security/audit/events).
auditmerge
.
. auditmerge

.
auditpr. ,
auditmerge auditptr:
auditmerge trail.system1 trail.system2 | auditpr -v -hhelrRtpc
:

watch. ,
.
, FILE_Open vi /etc/hosts, :
watch -eFILE_Open -o /tmp/vi.watch vi /etc/hosts
/tmp/vi.watch FILE_Open .

.
, ,
. ,
, . ,
, (
), (
).
.
,
. ,
( )
. :
v

:
,
v

( )
( )
90
AIX 5.3:
: , ACL
v /

v
,
,

: , ,

v

IPL
RAS

v ()

,
TCB

.
, .
1. () /etc/security/audit/events.
,
.
v ,
( auditwrite auditlog subroutine),
( audit_svcstart, audit_svcbcopy audit_svcfinis
).
v , /etc/security/audit/events
. ,
auditpr
.
2. ( ).
classes /etc/security/audit/config.
91
3. , () :
v ,
/etc/security/audit/config.
chuser.
v ( ) ,
/etc/security/audit/objects.
v
/usr/lib/security/mkuser.default. ,
. ,
general :
user:
auditclasses = general
pgrp = staff
groups = staff
shell = /usr/bin/ksh
home = /home/$USER
ALL.
.
.
4. /etc/security/audit/config : ,
. ,
.
.
:
v :
a. , binmode = on start.
b. binmode, - ,
, .
/etc/security/audit/bincmds.
c. , - ,
freespace, , .
d. /etc/security/audit/bincmds ,
.
v :
a. , streammode = on start.
b. , .
/etc/security/audit/streamcmds.
c. /etc/security/audit/streamcmds ,
.
5.
audit start. AUD_It 1.
6. audit query.
AUD_It 2.
7. audit shutdown.
AUD_It 4.
:
.
92
AIX 5.3:
,
. IDS
,
. ,
.
:
FILE_Write
PROC_SetUserIDs
AUD_Bin_Def
USER_SU
PASSWORD_Change
AUD_Lost_Rec
CRON_JobAdd
AT_JobAdd
USER_Login
PORT_Locked
,
/etc.

su
passwd

cron
at

-
:
1. , , ,
/etc, FILE_Write objects:
find /etc -type f | awk '{printf("%s:\n\tw = FILE_Write\n\n",$1)}' >> /etc/security/audit/objects
2. auditcat . /etc/security/audit/bincmds
:
/usr/sbin/auditcat -p -o $trail $bin
3. /etc/security/audit/config, ,
. custom.
start:
binmode = on
streammode = off
bin:
cmds = /etc/security/audit/bincmds
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 100000
freespace = 100000
classes:
custom = FILE_Write,PROC_SetUser,AUD_Bin_Def,AUD_Lost_Rec,USER_SU, \
PASSWORD_Change,CRON_JobAdd,AT_JobAdd,USER_Login,PORT_Locked
users:
root = custom
afx = custom
...
4. custom /usr/lib/security/mkuser.default,
:
user:
auditclasses = custom
pgrp = staff
groups = staff
shell = /usr/bin/ksh
home = /home/$USER
93
5. SMIT crfs /audit.

.
6. audit start /audit.
trail. ,
, trail ,
:
auditpr
-hhelpPRtTc -v | more
.
ALL . .
custom , .
:

.
:
1. , , ,
/etc, FILE_Write objects:
find /etc -type f | awk '{printf("%s:\n\tw = FILE_Write\n\n",$1)}' >> /etc/security/audit/objects
2. . (
,
- ,
.) /etc/security/audit/streamcmds
:
/usr/sbin/auditstream | /usr/sbin/auditselect -e "event == FILE_Write" |
auditpr -hhelpPRtTc -v > /dev/console &
3. /etc/security/audit/config
, , :
start:
binmode = off
streammode = on
stream:
cmds = /etc/security/audit/streamcmds
classes:
filemon = FILE_write
users:
root = filemon
afx = filemon
...
4. audit start. FILE_Write.

:
, .
, ( ,
), :
v ,
v
v
94
AIX 5.3:
v
v
v
v
v
v
.
.
- , ,
, /etc/security/audit/events
. /etc/security/audit/config,
/etc/security/audit/objects.
/etc/security/audit/events.
auditpr.
, ,
. .

,
. /etc/security/audit/config.
:
general () .
.
objects
.
()
kernel ()
kernel .
/etc/security/audit/config:
classes:
general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename
system = USER_Change,GROUP_Change,USER_Create,GROUP_Create
init = USER_Login,USER_Logout

,
. , .
, .
, ,
.
95
.
, .
- auditbin
,
.
.
, ,
/dev/audit. ,
auditcat.
NFS
AIX .
.
,
.
.
NFS
, ,
, NFS
NFS. ,
. .
,
, .
NFS
, , ,
NFS.

v , NFS , - NFS,
- NFS, .
: ,
, . .
, .
v nfsd, nfs.
File_System mount
server:/File_system /mnt. A File_System
, /File_system/A.
A File_System ,
/mnt/A.
A , , ,
A , , ,
, .
, A, nfsd,
.
96
AIX 5.3:
(LDAP)
(LDAP)
( )
-.
,
X.500. LDAP

. ,

.
LDAP , (DIT).
DIT.
DIT, LDAP .
LDAP
LDAP .
NIS, DCE KRB5 5.
/usr/lib/security/methods.cfg.
LDAP
, LDAP.
, , LDAP,
LDAP , .
LDAP AIX AIX.
LDAP API ,
. , .
-R,
. , LDAP joe
- :
mkuser -R LDAP joe
: , LDAP, ,
, , 25000.
POSIX .
API.
LDAP:
, LDAP AIX.
, LDAP .
, , .
LDAP AIX :
: .
.
: 500 .
: ,
, 25000.
97
POSIX .
API. ,
, .
.
ITDS:
LDAP,
LDAP,
LDAP.
SSL, GSKit.
ikeyman.
SSL SSL.
AIX mksecldap. LDAP
Security Information Server mksecldap. ldapdb2,
DN
LDAP. , SSL
. mksecldap /etc/inittab LDAP
. mksecldap LDAP,
ibmslapd.conf file (IBM Tivoli Directory Server 5.1 ), slapd.conf (SecureWay Directory
3.2 4.1), slapd32.conf (SecureWay Directory 3.2).
mksecldap -u NONE, LDAP
.
LDAP:
AIX
aixAccount aixAccessGroup.
AIX.
RFC 2307
posixAccount, shadowAccount posixGroup.
. RFC 2307
, AIX.
RFC2307AIX
posixAccount, shadowAccount posixGroup, aixAuxAccount,
aixAuxGroup. aixAuxAccount aixAuxGroup ,
AIX, RFC 2307.
RFC2307AIX . RFC2037AIX
RFC 2307
AIX. ITDS RFC2307AIX LDAP AIX
LDAP UNIX Linux, RFC 2307.
AIX 5.1 AIX. AIX
, , AIX 5.1
. ITDS AIX
.
AIX ( ).
"cn=aixdata". mksecldap -d.
, , , ,
sectoldif.cfg. sectoldif.cfg.
98
AIX 5.3:
AIX (ACL). ACL

,
-a. proxy,
-x -X. , proxy ,
/etc/security/ldap/proxy.ldif.template. proxy LDAP
, ,
LDAP.
mksecldap , LDAP , . mksecldap
AIX AIX.
ACL . LDAP
LDAP AIX.
: mksecldap
.
LDAP
, LDAP
LDAP .
LDAP ,
mksecldap -U.
ibmslapd.conf ( slapd.conf, slapd32.conf).
mksecldap -U,
mksecldap.
, .

, mksecldap.
mksecldap , .
mksecldap ,
.
LDAP
mksecldap.
LDAP:
, LDAP
, , LDAP.
SSL, GSKit,
LDAP.
mksecldap , LDAP.
LDAP,
. , DN ,
AIX . mksecldap DN
, , DN AIX , SSL, SSL
/etc/security/ldap/ldap.cfg.
mksecldap SSL ( SSL)
/etc/security/ldap/ldap.cfg . , ..
secldapclntd , .
secldapcIntd /etc/security/ldap/ldap.cfg ,
.
99
mksecldap .
, , ,
.
. LDAP
. , -
.
LDAP
(secldapclntd). LDAP,
API , LDAP.
LDAP. ,
, .
mksecldap - ,
, .
. ,
.
mksecldap
/etc/inittab.
secldapclntd ls-secldapclntd. LDAP
, .
. ,
. :
1. AIX 5.3 ldap.client.
2. LDAP :
# mksecldap -c -h server1.ibm.com -a cn=DN- -p - -d cn=-DN
.
mksecldap AIX 5L 5.3:
.
LDAP:
(netgroups) NIS-LDAP ( ).
LDAP :
1. LDAP,
../../../com.ibm.aix.security/doc/security/ldap_client_setup.htm.
, ,
LDAP, . , nguser - mygroup,
LDAP, lsuser -R LDAP nguser.
2. netgroup LDAP /usr/lib/security/methods.cfg
options netgroup. /usr/lib/security/methods.cfg
LDAP options = netgroup.
LDAP . :
LDAP:
program = /usr/lib/security/LDAP
program_64 =/usr/lib/security/LDAP64
options = netgroup
lsuser -R LDAP nguser, lsuser nguser lsuser -R LDAP -a ALL

. LDAP ,
, .
100
AIX 5.3:
3. /etc/passwd ,
. , mygroup
LDAP, :
+@mygroup
4. /etc/group +:, NIS:

+:
lsuser nguser , nguser mygroup.

lsuser -R LDAP nguser , lsuser -R compat nguser ,
compat.
5. ,
AIX , .
/etc/security/user SYSTEM = compat,
, /etc/passwd . -
/etc/security/user .
nguser:
nguser:
SYSTEM = compat
registry = compat
.
:
v , /etc/security/user LDAP
(registry=LDAP SYSTEM="LDAP") LDAP.
nis_ldap
NIS.
v compat , .
, LDAP , compat
NIS LDAP. compat.

v NFS
v .rhosts TCP/IP
v hosts.equiv TCP/IP
LDAP:
AIX LDAP: IBM
Tivoli Directory Server, RFC 2307 Microsoft Active Directory.
IBM Tivoli Directory Server
/ AIX IBM
Tivoli Directory Server (ITDS). ITDS
ITDS.
, IBM Directory Server
AIX ,
RFC 2307. LDAP AIX
ITDS RFC 2037.
LDAP 3.
101
RFC 2307 AIX

, LDAP
AIX (, ,
, AIX
hostsallowedlogin hostsdeniedlogin ..).
AIX , RFC 2307. AIX
, RFC 2307, ,
UNIX.
AIX RFC 2307.
. AIX
.
LDAP.
Microsoft Active Directory
AIX Microsoft Active Directory (AD) LDAP,
. AD UNIX.
UNIX Microsoft Service For UNIX (SFU). SFU
. AIX
AD Windows 2000 2003 SFU 3.0 3.5,
AD Windows 2003 R2 UNIX.
, UNIX Windows,
LDAP AD AIX. ,
mkuser mkgroup. ,
, , , AD,
. , lsuser, chuser, rmuser, lsgroup, chgroup, rmgroup, id, groups,
passwd chpasswd.
AIX Windows: LDAP Kerberos. AIX
AD LDAP,
AIX.
AIX Active Directory LDAP:
AIX Microsoft Active Directory (AD) LDAP,
. AD UNIX.
AIX AD mksecldap
ITDS. mksecldap
. AIX AD mksecldap
:
1. AD UNIX.
2. AD UNIX.
UNIX AD UNIX
AD Microsoft.
AD UNIX (,
). , AIX
,
. AIX ,
AD, .
Active Directory:
102
AIX 5.3:
AIX : unix_auth ldap_auth.

unix_auth Microsoft Active Directory (AD) .
AD .
, . ldap_auth
LDAP
. ,
. AD . AIX
AD.
unix_auth
unix_auth AD:
v userPassword
v unixUserPassword
v msSFU30Password
AD AIX
. , UNIX,
. LDAP AIX
.
AIX msSFU30Password AD Windows 2000
2003 userPassword Windows 2003 R2.
/etc/security/ldap/sfu30user.map (
/etc/security/ldap/sfur2user.map, AD Windows 2003 R2).
, spassword, AD.
LDAP.
mksecldap LDAP AIX .
LDAP AIX , restart-secldapclntd secldapclntd
.
unix_auth Windows UNIX,
. AIX
Windows, Windows uncodepwd. AIX passwd
UNIX Windows, AIX
Windows UNIX AIX.
ldap_auth
, Active Directory unicodepwd, Windows
Windows. AD
unicodePwd. , unix_auth, .
ldap_auth , mksecldap
AD unicodePwd .
AIX unicodePwd AD
Windows AIX. AIX Windows
- AIX Windows.
Active Directory:
Microsoft UNIX memberUid, msSFU30MemberUid msSFU30PosixMember.
103
memberUid msSFU30MemeberUid ;
msSFU30PosixMember . ,
foo ( bar), AD:
v memberUid: foo
v msSFU30MemberUid: foo
v msSFU30PosixMember: CN=foo bar,CN=Users,DC=austin,DC=ibm,DC=com
AIX .
AD. mksecldap AIX
msSFU30PosixMember Windows 2000 2003 uidMember
Windows 2003 R2. , AD
Windows. -
.

. AD : /etc/security/ldap/
sfu30group.map (Windows 2000 2003) /etc/security/ldap/sfur2group.map (Windows 2003 R2).
, users, .
LDAP.
mksecldap LDAP AIX ; AIX
, restart-secldapclntd secldapclntd .
:
AD .
AD Windows cn=users,...,
.
DN AIX.
DN.
Kerberos Windows:
LDAP AIX
Windows Kerberos.
AIX Kerberos Windows KDC LDAP Windows Active
Directory KRB5ALDAP.
Microsoft Active Directory,
AIX.
LDAP:
LDAP
LDAP .
-R,
, LDAP, DCE, NIS KRB5 5.
-R .
LDAP, SYSTEM
LDAP chuser. SYSTEM
,
104
AIX 5.3:
(, compat LDAP).
. 63 SYSTEM
/etc/security/user.
LDAP ,
mksecldap -u:
1. :
mksecldap -c -u 1,2,...
,2,... - .
, LDAP. SYSTEM
/etc/security/user LDAP.
LDAP.
LDAP,
. chuser SYSTEM
,
(, local LDAP).
2.
mksecldap -c -u ALL
SYSTEM /etc/security/user
LDAP. LDAP.
LDAP,
. ,
LDAP, ,
. LDAP ,
SYSTEM LDAP chuser.
, LDAP, ,
. "default"
/etc/security/user "LDAP" SYSTEM. ,
SYSTEM , "default". , default
"SYSTEM = "compat"", , "SYSTEM = "compat OR LDAP"",
AIX, LDAP. default
"SYSTEM = "LDAP"", LDAP.
, SYSTEM, default
.
DN:
AIX 5L 5.3 5300-05, AIX LDAP
DN. , /etc/security/ldap/ldap.cfg
DN.
userbasedn
, AIX .
, .
AIX 5L 5.3 5300-05,
DN. /etc/security/ldap/ldap.cfg 10
DN. DN
/etc/security/ldap/ldap.cfg. , AIX,
DN. :
105
v (, lsuser) DN
, DN.
ALL DN.
v (, chuser) .
v (, rmuser) .
v (, mkuser) DN. AIX
DN.

.
AIX .
. ,
.
LDAP mksecldap DN
/etc/security/ldap/ldap.cfg. LDAP
DN, mksecldap .
AIX DN /etc/security/ldap/
ldap.cfg mksecldap.
DN DN. AIX 10 DN
; DN .
, DN AIX .
DN .
, AIX.
AIX , .
SSL LDAP:
SSL LDAP ldap.max_crypto_server GSKit
. -
AIX.
SSL IBM
.
1. IBM Directory GSKit, .
2. IBM gsk7ikm
( GSKit).
(CA), , VeriSign, gsk7ikm.
CA ( ).
3. .
/usr/ldap/etc.
4. :
# mksecldap -s -a cn=admin -p pwd -S rfc2307aix -k /usr/ldap/etc/mykey.kdb -w keypwd
mykey.kdb - , keypwd - .
:
# mksecldap -s -a cn=admin -p pwd -S rfc2307aix -u NONE -k /usr/ldap/etc/mykey.kdb -w keypwd
SSL LDAP:
SSL LDAP ldap.max_crypto_client GSKit
- AIX.
106
AIX 5.3:
SSL LDAP :
1. gsk7ikm .
2. . SSL
, .
3.
gsk7ikm.
4. SSL :
# mksecldap -c -h servername -a adminDN -p pwd -k /usr/ldap/etc/mykey.kdb -p keypwd
/usr/ldap/etc/mykey.kdb - , keypwd - .
,
. ,
.sth (, mykey.sth).
LDAP:
AIX .
LDAP , AIX LDAP.
SYSTEM .
SYSTEM /etc/security/user.
chuser:
# chuser -R LDAP SYSTEM=LDAP registry=LDAP foo
: LDAP SYSTEM default,

LDAP .
foo . ,
registry LDAP, foo
LDAP.
LDAP ,
.
AIX 5.2, LDAP AIX
- LDAP.
. :
. LDAP.
, ,
, . ,
, .
: ( mkuser) ( chuser).
, ,
, - LDAP.
AIX 5.2.
:
# mkuser -R LDAP hostsallowedlogin=host1,host2 foo
foo, foo host1

host2.
# mkuser -R LDAP hostsdeniedlogin=host2 foo
107
foo, foo
, host2.
# chuser -R LDAP hostsallowedlogin=192.9.200.1 foo
foo ,
192.9.200.1.
# chuser -R LDAP hostsallowedlogin=192.9.200/24 hostsdeniedlogin=192.9.200.1 foo
foo ,
192.9.200/24, 192.9.200.1.
chuser.
SSL:
,
LDAP, (unix_auth), (ldap_auth).
, Internet,
SSL, . AIX
SSL,
.
:
v SSL LDAP . 106
v SSL LDAP . 106
Kerberos:
, DN , secldapclntd
Kerberos V.
Kerberos secldapclntd
keytab. Kerberos, secldapclntd
Kerberos LDAP keytab,
/etc/security/ldap/ldap.cfg. , secldapclntd
DN , /etc/security/ldap/ldap.cfg.
Kerberos secldapclntd
/etc/security/ldap/krb5cc_secldapclntd.
. LDAP
secldapclntd .
LDAP Kerberos
mksecldap, DN .
/etc/security/ldap/ldap.cfg Kerberos.
Kerberos secldapclntd. Kerberos
DN ,
/etc/security/ldap/ldap.cfg .
Kerberos:
Kerberos (KDC)
IDS. - LDAP, - ,
.
108
AIX 5.3:
keytab,
.
IBM. Kerberos
, .
v kadmin KDC root.
#/usr/krb5/sbin/kadmin.local
kadmin.local:
v ldap/-- LDAP. -- -
, LDAP.
kadmin.local: addprinc ldap/plankton.austin.ibm.com
: "ldap/plankton.austin.ibm.com@ud3a.austin.ibm.com":
"ldap/plankton.austin.ibm.com@ud3a.austin.ibm.com":
"ldap/plankton.austin.ibm.com@ud3a.austin.ibm.com" .
kadmin.local:
v keytab. LDAP
. keytab slapd_krb5.keytab :
kadmin.local: ktadd -k /etc/security/slapd_krb5.keytab ldap/plankton.austin.ibm.com
ldap/plankton.austin.ibm.com, - 2,
- Triple DES, cbc HMAC/sha1, keytab
WRFILE:/etc/security/slapd_krb5.keytab.
- ArcFour HMAC/md5, keytab
- AES-256, CTS 96- SHA-1 HMAC,
keytab
- DES, cbc RSA-MD5, keytab
kadmin.local:
v ldapadmin IDS.
kadmin.local: addprinc ldapadmin
: ldapadmin@ud3a.austin.ibm.com; .
, ACL.
"ldapadmin@ud3a.austin.ibm.com":
"ldapadmin@ud3a.austin.ibm.com":
"ldapadmin@ud3a.austin.ibm.com" .
kadmin.local:
v kdapadmin.keytab keytab.
secldapclntd .
kadmin.local: ktadd -k /etc/security/ldapadmin.keytab ldapadmin
ldapadmin, - 2, Triple DES, cbc HMCA/sha1, keytab
WRFILE:/etc/security/ldapadmin.keytab.
ldapadmin, - 2, ArcFour HMAC/md5, keytab
ldapadmin, - 2, AES-256 CTS 96- SHA-1 HMAC, keytab
ldapadmin, - 2, DES, cbc RSA-MD5, keytab
kadmin.local
v ldapproxy, LDAP.
kadmin.local: addprinc ldapproxy
: ldapproxy@ud3a.austin.ibm.com; .
, ACL
109
"ldapproxy@ud3a.austin.ibm.com":
"ldapproxy@ud3a.austin.ibm.com":
"ldapproxy@ud3a.austin.ibm.com" .
kadmin.local:
v ldapproxy keytab ldapproxy.keytab.

secldapclntd .
kadmin.local: ktadd -k /etc/security/ldapproxy.keytab ldapproxy
ldapproxy, - 2, Triple DES, cbc HMAC/sh1, keytab
WRFILE:/etc/security/ldapproxy.keytab.
ldapproxy, - 2, ArcFour HMAC/md5, keytab
WRFILE:/etc/security/ldapproxy.keytab
ldapproxy, - 2, AES-256, CTS 96- SHA-1 HMAC, keytab
WRFILE:/etc/security/ldapproxy.keytab
ldapproxy, - 2,
- DES, cbc RSA-MD5, keytab
WRFILE:/etc/security/ldapproxy.keytab.
kadmin.local:
Kerberos IDS:
Kerberos IDS.
, IDS
Kerberos.
IDS v5.1:
1. krb5.client.
2. , /etc/krb5/krb5.conf .
/usr/sbin/config.krb5.
# config.krb5 -r ud3a.austin.ibm.com -d austin.ibm.com -c KDC -s alyssa.austin.ibm.com
...
/etc/krb5/krb5_cfg_type...
/etc/krb5/krb5.conf...
.
# cat /etc/krb5/krb5.conf
[libdefaults]
default_realm = ud3a.austin.ibm.com
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
defaut_tgs_enctypes = des3-cbc-shal1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
[realms]
ud3a.austin.ibm.com = {
kdc = alyssa.austin.ibm.com:88
admin_server = alyssa.austin.ibm.com:749
default_domain = austin.ibm.com
}
[domain_realm]
.austin.ibm.com = ud3a.austin.ibm.com
alyssa.austin.ibm.com = ud3a.austin.ibm.com
[logging]
kdc = FILE:/var/krb5/log/krb5
admin_server = FILE:/var/krb5/log/kadmin.log
default = FILE:/var/krb5/log/krb5lib.log
3. keytab ldap:/-- /usr/ldap/etc.

: /usr/ldap/etc/slapd_krb5.keytab.
4. , .
110
AIX 5.3:
# chown ldap:ldap/usr/ldap/etc/slapd_krb5.keytab
#
5. IDS Kerberos,
/etc/ibmslapd.conf :
dn: cn=Kerberos, cn-Configuration
cn: Kerberos
ibm-slapdKrbAdminDN: ldapadmin
ibm-slapdKrbEnable: true
ibm-slapdKrbIdentityMap: true
ibm-slapdKrbKeyTab: /usr/ldap/etc/slapd_krb5.keytab
ibm-slapdKrbRealm: ud3a.austin.ibm.com
objectclass: ibm-slapdKerberos
objectclass: ibm-slapdconfigEntry
objectclass: top
6. ldapproxy DN cn-proxyuser,cn=aixdata.
a. DN IDS , ldapproxy.ldif
:
dn: cn=proxyuser,cn=aixdata
changetype: modify
add: objectclass
objectclass: ibm-securityidentities
add:altsecurityidentities
alsecurityidentities: Kerberos:ldapproxy@ud3a.austin.ibm.com
b. DN IDS , proxyuser.ldif
:
: proxyuserpwd .
dn: cn=proxyuser,cn=mytest
cn: proxyuser
sn: proxyuser
userpassword: proxyuserpwd
objectclass: person
objectclass: top
objectclass: ibm-securityidentities
altsecurityidentities: Kerberos:ldapproxy@ud3a.austin.ibm.com
DN IDS ldapmodify.
# ldapmodify -D cn-admin -w adminPwd -f /tmp/proxyuser.ldif
( cn=proxyuser,cn=mytest)
#
7. IDS.
Kerberos LDAP AIX:
LDAP AIX Kerberos LDAP.
IDS , .
IDS v 5.1:
1. krb5.client.
2. , /etc/krb.conf .
/usr/sbin/config.krb5.
3. keytab /etc/security/ldap.
4. 600.
111
5. mksecldap, DN
. , AIX LDAP.
6. /etc/security/ldap/ldap.cfg Kerberos.
ldapproxy keytab ldapproxy.keytab.
IDS ldapproxy ldapadmin, ldapproxy.keytab
ldapadmin.keytab.
useKRB5:yes
krbprincipal:ldapproxy
krbkeypath:/etc/security/ldap/ldapproxy.keytab
krbcmddir:/usr/krb5/bin/
DN ldap.cfg ,
secldapclntd Kerberos.
7. secldapclntd.
8. /etc/security/ldap/ldap.cfg .
LDAP:
SecureWay Directory 3.2
. ,
LDAP. LDAP
LPP.
AIX 5.1, LDAP
LDAP. SecureWay Directory,
. AIX
, ,
AIX, LDAP. AIX.
/etc/security/audit/event LDAP:
v LDAP_Bind
v LDAP_Unbind
v LDAP_Add
v LDAP_Delete
v LDAP_Modify
v LDAP_Modifydn
v LDAP_Search
, /etc/security/audit/config ldapserver.
LDAP,
/etc/security/audit/config:
ldap = ldapserver
LDAP
AIX, AIX.
audit start audit shutdown.
, auditpr.
. 84.
LDAP:
LDAP.
112
AIX 5.3:
lsldap
lsldap LDAP.
, automount, , ether, ,
, , , passwd, , rpc .
mksecldap
mksecldap
IBM SecureWay Directory. .
secldapclntd
secldapclntd LDAP, LDAP Security
Information Server, , ,
LDAP.
LDAP LDAP
attribute mapping file format AIX 5L 5.3: .

mksecldap, start-secldapclntd, stop-secldapclntd, restart-secldapclntd, ls-secldapclntd, sectoldif
flush-secldapclntd.
secldapclntd.
/etc/security/ldap/ldap.cfg.
LDAP.
NIS LDAP, ,
Network Information Services (NIS and NIS+) Guide: Appendix B. Migrating from NIS and NIS+ to RFC
2307-compliant LDAP services.
LDAP:
LDAP.
start-secldapclntd
start-secldapclntd secldapclntd, .
stop-secldapclntd
stop-secldapclntd secldapclntd.
restart-secldapclntd
restart-secldapclntd secldapclntd, .
secldapclntd , .
ls-secldapclntd
ls-secldapclntd secldapclntd.
113
flush-secldapclntd
flush-secldapclntd secldapclntd.
sectoldif
sectoldif , ,
ldif.
ldap.cfg:
/etc/security/ldap/ldap.cfg ,
secldapclntd, , .
AIX 5L 5.3 5300-05, AIX
DN. ,
userbasedn. AIX 5L 5.3 5300-05,
secldapclntd DN ( 10 DN).
DN :
userbasedn: ou=people, ou=dept1, cn=aixdata
userbasedn: ou=people, out=dept2, cn=aixdata
DN ,
DN, , . ,
. ALL (, lsuser -R LDAP ALL),
DN.
. AIX
DN.
, AIX 5L 5.3 5300-05
DN, DN
. DN:
1.
2.
3.
4.
userbasedn: ou=people, cn=aixdata

userbasedn: ou=people, cn=aixdata?scope
userbasedn: ou=people, cn=aixdata??filter
userbasedn: ou=people, cn=aixdata?scope?filter
, secldapclntd.
scope filter
. scope, filter.
scope :
v sub
v one
v base
scope , sub.
filter , LDAP.
.
, - LDAP, -
. "*".
v (=)
v (&(=)(=))
114
AIX 5.3:
v (|(=)(=))
/etc/security/ldap/ldap.cfg mksecldap .
/etc/security/ldap/ldap.cfg /etc/security/ldap/
ldap.cfg AIX 5L 5.3: .
LDAP:
/usr/lib/security/LDAP secldapclntd
AIX LDAP.
.
, :
AIX_Attribute_Name AIX_Attribute_Type LDAP_Attribute_Name LDAP_Value_Type
AIX_Attribute_Name
AIX_Attribute_Type
LDAP_Attribute_Name
LDAP_Value_Type
AIX.
AIX. SEC_CHAR, SEC_INT, SEC_LIST SEC_BOOL.
LDAP.
LDAP. s ( ) m ( ).
LDAP KRB5LDAP
LDAP , KRB5LDAP,
, . ,
/usr/lib/security/methods.cfg, LDAP , KRB5LDAP,
. :
1. LDAP KRB5LDAP .
2. /usr/lib/security/methods.cfg :
LXAP:
program = /usr/lib/security/LDAP program_64

=/usr/lib/security/LDAP64
LDAP:
program = /usr/lib/security/LDAP program_64

=/usr/lib/security/LDAP64
NIS:
program = /usr/lib/security/NIS program_64 =

/usr/lib/security/NIS_64
DCE:
program = /usr/lib/security/DCE
KRB5:
program = /usr/lib/security/KRB5
KRB5LXAP: options = db=LXAP,auth=KRB5
3. /etc/security/user :
SYSTEM = "KRB5LXAP OR LDAP OR compat"
LDAP .
KRB5LDAP:
mkuser
rmuser
lsuser
passwd
-R
-R
-R
-R
KRB5LXAP
KRB5LXAP
KRB5LXAP
KRB5LXAP
<_>
<_>
<_>
<_>
#11
(PKCS #11)
().
2.01 PKCS #11.
115
PKCS #11 :
v (pkcsslotd),
. .
v API (/usr/lib/pkcs11/pkcs11_API.so) - ,
PKCS #11.
v , PKCS #11 .
PKCS #11,
.
IBM 4758, 2
IBM 4758, 2 .
PKCS #11 , .
IBM 4960
IBM 4960 .
PKCS #11 .
IBM 4758, 2 PKCS #11:
PKCS #11 , PKCS #11,
. ,
IBM 4758 2 PKCS #11,
.
:
1. , :
lsdev -Cc adapter | grep crypt
IBM 4758, 2,
,
.
2. , ,
:
csufclu /tmp/l ST --
, 3 PKCS #11. ,
,
.
:
.
IBM 4960, 2
#11:
PKCS #11 , PKCS #11,
.
IBM 4960 PKCS #11,
.
:
lsdev -Cc adapter | grep ica
116
AIX 5.3:
IBM 4960, ,
.
#11
PKCS #11 , PKCS #11.
.
API ( PKCS #11) SMIT.
PKCS #11 SMIT , PKCS11
smit pkcs11.
:
PKCS #11 ( ) .
.
. , . API
. PKCS #11
SMIT. PIN ,
- 87654321. PKCS #11
.
:
1. , smit pkcs11.
2. .
3. PKCS #11.
4.
, Enter.
: .
5. PIN- (SO PIN) .
PIN-, .
PIN- :
PIN- SO .
PIN- :
1. smit pkcs11.
2.
3.
4.
5.
PIN- .
, PIN-.
PIN-.
PIN-.
PIN-:
PIN-,
.
, ,
.
PIN- :
1. , smit pkcs11.
117
2.
3.
4.
5.
6.
PIN-.
PKCS #11.
PIN- PIN-.
PIN-.
, , PIN- .
PIN-:
PIN- PIN-
, PIN-
.
PIN- :
1. , smit pkcs11.
2. PIN-.
3. , PIN-.
4. PIN-.
5. PIN-.
#11
PKCS #11,
, API.
inittab,
/etc/rc.pkcs11. ,
. , ,
.
.
API ,
. , PKCS #11
:
d CK_RV (*pf_init)();
void *d;
CK_FUNCTION_LIST *functs;
d = dlopen(e, RTLD_NOW);
if ( d == NULL ) {
return FALSE;
}
pfoo = (CK_RV (*)())dlsym(d, C_GetFunctionList);
if (pfoo == NULL) {
return FALSE;
}
rc = pf_init(&functs);

X.509
AIX
X.509 (PKI)
. (LAMF),
AIX , DCE, Kerberos ..
118
AIX 5.3:
-
, PKI,
PKI.
.
PKI .
. ,
, .
. . .
. .
LDAP, (
) Internet (
).
, ,
. ,
.
.
.
,
. ,
.
.
- , , ,
PIN-. ,
PKI. , .

.
; ,
;
, .
.
, . ,
,
.
:
,
, .
, X.509. 3 (X.509v3) -
. ,
(CA), ,
. .
.
:
v - X.509 ( 1, 2 3)
v - , ,
CA.
v - CA, .
v - .
119
v
v
v
v
- .
- .
- .
URI - URI/URL Web- .
, , X.509
. ,
, CA.
CA, . CA .
: ,
, , . ,
, .
3 5 .
- , ,
(DN). DN , , , ,
, (
). - , URI -
Web- .

(CA) , , , .
LDAP,
. ,
(CRL). ,
, ,
. CA,
, CA (CRL),
. , , ,
CRL, ,
. CA ,
CA. , CA.
:
v .
v .
v CA.
CA . CA
(, ).
CA
(CMP).
( ) CA. CA
. ,
, CA.
, , , , CA.
,
.
CMP ,
CRL. CRL . CRL
120
AIX 5.3:
LDAP, CRL LDAP .

- (OCSP), CA
.
, CA
, ,
, .
, .

1 (ASN.1), (DER).
DER.
:
( ) ,
.
,
. ,
. ,
. .
-, LDAP, .. ,
, .
, .

(CRL), LDAP.
,
.
-.
(CA), X.509 3
(CRL). ( , CA.)
(, ,
), PKI.
cas.server, - cas.client.
PKI:
PKI AIX mkuser.
. (
PKI, .)
,
.
:
.
, .
.
121
, , auth_cert.
auth_cert .
, , ,
LDAP. . ,
LDAP.
LDAP PKI LDAP PKI ( ) .
124.
. ,
, , auth_cert.
, ,
LDAP.
, , ,
, . ,
, .
, ,
. , PKI
. ( , .
AIX,
.)
, ,
. LDAP
. ,
auth_cert.
CRL.
( CRL ; ,
) , CRL (CA CRL
,
, ).
, CA. ,
LDAP, .
:
CA, Java,
(RA) .
CRL LDAP.
CA ( Java).
, runpki.
, ,
, CMP . CA
Java 1.3.1, IBM DB2 7.1 IBM Directory 4.1. ,
DB2, CA root.
cas.server :
mksecpki
PKI AIX.
, .
runpki .
JavaPKI, . runpki
122
AIX 5.3:
lb. ,
runpki , lb
l.
runpki su -,
, .
javapki, ,
. ( , ,
mksecpki.)
, pkiinst,
root:
1. su - pkiinst
2. cd javapki
3. runpki
:
,
.

(,
mkuser, chuser, passwd login).
AIX (LAMF). , , ,
.
AIX
LDAP AIX .
LDAP, . ,
,
. 132.

, . ,
,
PKI.
:

.
:
v
v
v
v
v
PKI

CA
AIX (,
login, passwd mkuser)
v

v LDAP AIX,

123
v
v (PAG).
:
.
Java:
Java, JCE.
Java , ,
CMP . API
PKI, C, , API
, (SML)
API.
:
, ,
.
SML Java /usr/lib/security/pki/JSML.sml.
LDAP PKI.
SML
Java PKCS#12.
,
. URI.
/var/pki/security/keys.
. ,
. SML API .
,
. - LDAP.

, .
LDAP PKI ( ):

LDAP. LDAP PKI.
.
.
,
LDAP.
LDAP (URI)
, :
. ,
.
, CA LDAP.
124
AIX 5.3:
URI LDAP.
DER URI.
LDAP
.
,
.
.
LDAP
auth_cert. , .
LDAP .
auth_cert, LDAP ldappkiadmin. root
LDAP ldappkiadmin acct.cfg, ,
root, auth_cert. (
URI, , . ,
URI, .) API
libpki.a.
libpki.a:
API SML API LDAP PKI, libpki.a .
, API :
v
v
v
v SML
: API .
:
API SML API LDAP PKI
(LAMF). LAMF AIX
API ,
(, Kerberos, LDAP, DCE ).
LAMF PKI API SML API LDAP PKI.
, API LAMF
. login, telnet , passwd, mkuser
API LAMF,
.
LAMF
/usr/lib/security/PKI. PKI
/usr/lib/security/methods.cfg.
methods.cfg (, LDAP).
methods.cfg, LAMF ,
methods.cfg . 145.
methods.cfg
registry SYSTEM /etc/security/user ,
PKI.
125
:
API (LAMF, PKI LDAP SML) .
AIX,
( LAMF),
.
. .
certadd
LDAP ,
.
certcreate
.
certdelete
, , LDAP.
certget , , LDAP.
certlink

LDAP , .
certlist , LDAP.
certrevoke
.
certverify
, ,
.
keyadd
.
keydelete
.
keylist , .
keypasswd
.
AIX 5L 5.3:
.
:
(PAG) AIX. PAG -
, .
,
, . PAG
, .
PAG , /usr/sbin/certdaemon.
. PAG ,
, .
certdaemon, /etc/inittab:
126
AIX 5.3:
certdaemon:2:wait:/usr/sbin/certdaemon
PAG :
paginit PAG.
pagdel , .
paglist PAG .
AIX 5L 5.3:
.
:
,
AIX LAMF AIX.
chuser, lsuser, mkuser passwd API LAMF. ,

.
, PKI
.
PKI :
chuser auth_cert.
, .
. (
,
.)
lsuser
auth_cert,
. auth_cert ,
. ( ,
.)
lsuser :
DN-
, .
--
.
-
, .
-
.
mkuser
.
mkuser ,
, .
, ,
( ) .
cert newuser
/usr/lib/security/pki/policy.cfg.
127
, ,
mkuser .
newuser /usr/lib/security/pki/policy.cfg.
newuser. :
v CA
v auth_cert
v
v
v
v ,
PKI
, mkuser
, . mkuser
, policy.cfg
( ); ,
.
mkuser , .
passwd
PKI,
. ,
/etc/security/user, , /etc/security/passwd, ,
PKI.

, root ,
. , root
, .
.
:

acct.cfg, ca.cfg policy.cfg.
SMIT.
.
acct.cfg
acct.cfg CA LDAP. CA CA,
ca.cfg, .
. LDAP
LDAP, , ,
LDAP PKI.
CA ca.cfg CA
acct.cfg. CA . LDAP
ldap, CA ldap. ,
default. LDAP
CA, local.
CA :
capasswd
CMP . CA.
128
AIX 5.3:
carefnum
CMP CA.
keylabel
, ,
.
keypasswd
.
rvpasswd
, CMP .
CA.
rvrefnum
, CMP.
LDAP :
ldappkiadmin
LDAP, ldapservers.
ldappkiadmpwd
LDAP.
ldapservers
LDAP.
ldapsuffix
DN, DN mkuser.
acct.cfg:
local:
carefnum = 12345678
capasswd = password1234
rvrefnum = 9478371
rvpasswd = password4321
keylabel = "Trusted Key"
keypasswd = joshua
ldap:
ldappkiadmin = "cn=admin"
ldappkiadmpwd = secret
ldapservers = "LDAP server.austin.ibm.com"
ldapsuffix = "ou=aix,cn=us"
AIX 5L 5.3: .
ca.cfg
ca.cfg CA. CA,

.
CA ca.cfg CA
acct.cfg. CA ca.cfg .
local. ldap default CA.
CA :
algorithm
(, RSA).
129
crl
URI CRL .
dn
DN, .
keysize
.
program
PKI.
retries CA.
server URI CA.
signinghash
, (,
MD5).
trustedkey
, ,
, .
URI .
url
CA, , local. ca.cfg:

local:
program = /usr/lib/security/pki/JSML.sml
trustedkey = file:/usr/lib/security/pki/trusted.p15
server = "cmp://9.53.230.186:1077"
crl = "ldap://dracula.austin.ibm.com/o=aix,c=us"
dn = "o=aix,c=us"
url = "http://www.ibm.com/"
algorithm = RSA
keysize = 512
retries = 5
signinghash = MD5
AIX 5L 5.3: .
policy.cfg
policy.cfg : newuser, storage, crl comm.
.
newuser mkuser. storage certlink .
comm crl certadd certlink.
newuser :
ca
CA, mkuser .
cert
, mkuser (new) (get).
domain
, mkuser
.
keysize
, mkuser
.
keystore
URI , mkuser .
130
AIX 5.3:
keyusage
, mkuser .
label
, mkuser .
passwd
, mkuser .
subalturi
URI , mkuser .
tag
auth_cert, mkuser ,
cert = new.
validity
, mkuser .
version
. 3.
storage :
replicate
, certlink (yes)
(no).
crl check, , certadd certlink
CRL (yes no).
comm timeout, - ,
certadd certlink , HTTP
(, CRL).
policy.cfg:
newuser:
cert = new
ca = local
passwd = pki
version = "3"
keysize = 512
keystore = "file:/var/pki/security/keys"
validity = 86400
storage:
replicate = no
crl:
check = yes
comm:
timeout = 10
AIX 5L 5.3: .
:
(CAS).
v CERT_Create
v CERT_Add
v CERT_Link
v CERT_Delete
131
v
v
v
v
v
CERT_Get
CERT_List
CERT_Revoke
CERT_Verify
KEY_Password
v KEY_List
v KEY_Add
v KEY_Delete
:
(CAS).
CAS , 3B7 3B8.

(CAS) AIX 5.2.
DB2, IBM Directory .
.
.

:
:
X.509 3. ,
3.
certcreate ca.cfg.
Teletex.
7- Teletex ( ASCII).
:
. -,
LDAP .
/var/pki/security/keys
. , . ,
,
.
,
, .
: ,
. ( AIX LDAP
, .
, .)
:
LDAP. ,
LDAP.
132
AIX 5.3:
, .
PKI
. , , PKI,
, .
, Bob A Bob B
Bob. ,
LDAP .
. ,
, , LDAP ,
, PKI,
LDAP. Bob A
Bob B, Bob PKI,
Bob LDAP,
.
:
(acct.cfg, ca.cfg
policy.cfg) , .
.
.
, .
:
acct.cfg ca.cfg , .
acct.cfg
acct.cfg CA (. carefnum,
capasswd, rvrefnum rvpasswd acct.cfg).
CMP CA . ,
.
,
. carefnum capasswd
, ( certcreate
mkuser). ,
.
: mkuser ,
. .
, rvrefnum rvpasswd ,
( certrevoke).
acct.cfg (.
keylabel keypasswd acct.cfg).
. ,
.
, ,
. keylabel keypasswd acct.cfg,
trustedkey ca.cfg ,
. , ,
133
mkuser ( ) certverify.

PKI cert newuser policy.cfg
new, mkuser PKI
. passwd newuser.
.
,
.
root
, root
PKI, . ,
,
, . ,
.
:
(CAS)
:
v (CA).
CA .
v ,
. .
v LDAP IBM Directory.
LDAP .
v DB2.
.
v , ,
Unicode.

(CAS).
10.

cas.server
cas.server.rte
(CA)
v AIX 5.2
v Java131 (
AIX)
v Java131 Security Extensions
( -
Expansion Pack)
v IBM Directory Server (LDAP)
v DB2 7.1
134
AIX 5.3:
10. ()

cas.client
cas.client.rte
v AIX 5.2
v
PKI
v Java131 (
AIX)
v SML
v Java131 Security Extensions

( -
Expansion Pack)
v IBM Directory Client (LDAP)
v Java
v PAG ( )
v libpki.a
cas.msg
cas.msg.[lang].client
cas.client
bos
bos.security.rte
PAG
cas.server CA. /usr/cas/server /usr/cas/client.

CA, .
, IBM Directory,
db2_07_01.client, Java131.rte Java131.ext.security. Java131.rte
AIX 5.2, .
db2_07_01.client , , ,
db2_07_01.server.
cas.client ,
. ,
PKI AIX.

(CAS)
.
LDAP PKI:
LDAP,
PKI.
LDAP:
IBM Directory Server
, ldap.html.en_US.config.
ldap.html.en_US.config Web-, :
file:/usr/ldap/web/C/getting_started.htm.
LDAP :
1. root.
2. AIX
-.
3. smitty install_latest Enter.
4. .
5. , IBM Directory Server
Enter.
6. F4
.
135
7. LDAP Enter.
8. ,
, Enter. LDAP,
DB2.
:
v LDAP .adt (SDK LDAP)
v LDAP .dmt (DMT LDAP)
v LDAP .java ( Java)
v LDAP .rte ( LDAP)
v LDAP .rte ( LDAP)
v LDAP .admin ( LDAP)
v LDAP .cfg ( LDAP)
v LDAP .com ( LDAP)
v db2_07_01.* ( DB2 )
9. DB2, db2_07_01.jdbc. DB2 db2_07_01.jdbc -
. .
LDAP:
LDAP DB2 LDAP.
,
Web- LDAP.
Web-.
- AIX Toolbox for LINUX Applications Web- Apache.
Web- SMIT geninstall.
Web-. LDAP.
LDAP ,
HTML. LDAP :
1. ldapcfg DN LDAP.
LDAP root. DN
cn=admin, - secret, :
# ldapcfg -u cn=admin -p secret
DN . , DN
ldappkiadmin ldappkiadmpwd ldap acct.cfg.
2. Web-, Web-:
# ldapcfg -s apache -f /etc/apache/httpd.conf
3. Web-. Apache :
# /usr/local/bin/apachectl restart
4. Web-, http:// hostname/ldap.

, DN LDAP, 2.
5. DB2, Web-,
LDAP.
LDAP PKI:
LDAP.
CA CRL.
PKI .
136
AIX 5.3:
LDAP,
PKI .
1. LDAP. PKI
cn=aixdata. , PKI ,
AIX. PKI
ou=pkidata,cn=aixdata. PKI .
PKI
cn=aixdata
AIX. LDAP AIX,
, , .
Web-,
LDAP.
Web-,
:
a. .
b. .
c. PKI .
d. LDAP .
LDAP
:
a. /usr/ldap/etc/slapd32.conf , :
ibm-slapdSuffix: cn=localhost
.
b. ibm-slapdSuffix PKI. ,
:
ibm-slapdSuffix: cn=aixdata
c. , .
d. LDAP.
2. PKI, ACL.
- LDAP, PKI. ACL
- ,
PKI. , ACL
pkiconfig.ldif.
a. ,
PKI.
:
dn: cn=aixdata
objectclass: top
objectclass: container
cn: aixdata
dn: ou=pkidata,cn=aixdata
objectclass: organizationalUnit
ou: cert
userPassword: <<>>
b.
pkiconfig.ldif <<>> userPassword

PKI.
DN userPassword . , DN
(ou=pkidata,cn=aixdata) ldappkiadmin ldappkiadmpwd
ldap acct.cfg.
137
ACL PKI:
changetype: modify
add: entryOwner
entryOwner: access-id:ou=pkidata,cn=aixdata
ownerPropagate: true
changetype: modify
add: aclEntry
aclEntry: group:cn=anybody:normal:grant:rsc:normal:deny:w
aclEntry: group:cn=anybody:sensitive:grant:rsc:sensitive:deny:w
aclEntry: group:cn=anybody:critical:grant:rsc:critical:deny:w
aclEntry: group:cn=anybody:object:deny:ad aclPropagate: true
: PKI,
ACL.
, pkiconfig.ldif,
, LDAP. ldif
ldapadd.
c. -D -w DN LDAP:
# ldapadd -c -D cn=admin -w secret -f pkiconfig.ldif
3. LDAP. LDAP Web-,

slapd.
:

.
,
:
1.
Java (Java131.ext.security.*) -
. :
v Java131.ext.security.cmp-us ( Java)
v Java131.ext.security.jce-us ( Java)
v Java131.ext.security.jsse-us ( Java)
v Java131.ext.security.pkcs-us ( Java)
2. ibmjcaprovider.jar /usr/java131/jre/lib/ext .
Java,
.
3. (cas.server.rte)
- Expansion Pack.
LDAP:
(CAS) LDAP,
CAS LDAP.
CAS LDAP :
1. , IBM Directory ,
cas.server.
2. , IBM Directory :
# ldapcfg -l /home/ldapdb2 -u "cn=admin" -p secret -s apache \
-f /usr/local/apache/conf/httpd.conf
138
AIX 5.3:
, Web- Apache.
3. slapd.conf:
ibm-slapdSuffix: o=aix,c=us
o=aix,c=us .
4. slapd:
# /usr/bin/slapd -f /etc/slapd32.conf
5. :
# ldapmodify -D cn=admin -w secret -f setup.ldif
, setup.ldif :
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 2.5.6.21 NAME 'pkiuser' DESC 'auxiliary class for non-CA certificate owners'
SUP top AUXILIARY MAY userCertificate )
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 2.5.6.22 NAME 'pkiCA' DESC 'class for Cartification Authorities' SUP top
AUXILIARY MAY ( authorityRevocationList $ caCertificate $ certificateRevocationList $
crossCertificatePair ) )
dn:cn=schema
changetype: modify
replace: attributetypes
attributetypes: ( 2.5.4.39 NAME ( 'certificateRevocationList'
'certificateRevocationList;binary' ) DESC ' ' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5
SINGLE-VALUE )
replace:ibmattributetypes
ibmattributetypes:( 2.5.4.39 DBNAME ( 'certRevocationLst' 'certRevocationLst' )
ACCESS-CLASS NORMAL)
6.
:
# ldapadd -D cn=admin -w secret -f addentries.ldif
, addentries.ldif :
dn: o=aix,c=us
changetype: add
objectclass: organization
objectclass: top
objectclass: pkiCA
o: aix
: addentries.ldif setup.ldif cas.server.

7. slapd .
:
.
1. . ,
. ,

( CMP).
. :
139
12345678
password1234
87654321
password4321
12345678 87654321 - , password1234 password4321 - .

. ,
. .
/usr/cas/server/iafile. .
2. CA mksecpki:
# mksecpki -u pkiuser -f /usr/cas/server/iafile -p 1077 -H ldap.cert.mydomain.com \
-D cn=admin -w secret -i o=aix,c=us
mksecpki :
-u
,
.
-f
, .
-p
LDAP.
-H
IP- LDAP.
-D
LDAP.
-w
LDAP.
-i
LDAP, .
mksecpki TrustedKey
CA, /usr/lib/security/
pki/trusted.pkcs12. , ,
,
, .
:
mksecpki TrustedKey
CA, /usr/lib/security/pki/
trusted.pkcs12.
, .
,
,
, .
, .
.
.
/usr/java131/bin/keytool.
. keytool
. ,
. keytool:
keytool -genkey -dname `cn=trusted key' -alias `TrustedKey' -keyalg RSA \
-keystore .pkcs12 -storetype pkcs12ks
TrustedKey,
. ,
. ,
keylabel and keypasswd
acct.cfg.
140
AIX 5.3:
(.pkcs12)
. root.
.
:

. . ,
PKI.

. 140.
/usr/lib/security/pki.
.
root.
acct.cfg
/usr/lib/security/pki/acct.cfg (, vi)
ldap.
:
CA .
,
.
, ,
CA. CA local
, .
local
. CA local.
, CA, . ldap default
CA.
CA SMIT.
/ :
(CA) .
/ (CA) :
1. PKI SMIT :
smitty pki
2. .
3. local Enter.
4. /usr/lib/security/pki/JSML.sml.
SML . program /usr/lib/security/
pki/ca.cfg.
5. CA . certfile
/usr/lib/security/pki/ca.cfg.
141
6. CA URI,
. .
/usr/lib/security/pki.
(
. 141.) trustedkey /usr/lib/security/
pki/ca.cfg.
7. URI CA (cmp://:1077).
server /usr/lib/security/pki/ca.cfg.
8. . cdp
9. URI (CRL). URI,
CA. URI
LDAP, :
ldap://crlserver/o=XYZ,c=us
10.
11.
12.
13.
14.
15.
16.
crl /usr/lib/security/pki/ca.cfg.
DN,
(, o=XYZ,c=us). . dn
URI URI
, ,
. . url
, .
RSA DSA. ,
RSA. algorithm /usr/lib/security/pki/ca.cfg.
( ) .
, , ,
. (
, 8). 512, 1024 2048.
, 1024 .
keysize /usr/lib/security/pki/ca.cfg.
. , CA
( ). 5 .
retries /usr/lib/security/pki/ca.cfg.
,
, . MD2,
MD5 SHA1. MD5. signinghash
, Enter.
:
/ (CA)
:
1. PKI SMIT :
smitty pki
2. CA.
3. local Enter.
4. CA,
. , 7 .
142
AIX 5.3:
CA. (
. 139.) carefnum
/usr/lib/security/pki/acct.cfg.
5. , .
7- ASCII.
12 . CA. ,
. ( .
139.) capasswd /usr/lib/security/pki/acct.cfg.
6. ,
. , 7 .
CA . CA
.
( ), .
rvrefnum /usr/lib/security/pki/acct.cfg.
7. ,
. 7- ASCII.
12 . CA
. CA .
(
), . rvpasswd
8. ( ) ,
.
. 140.
keylabel /usr/lib/security/pki/acct.cfg.
9. ,
.
. 140. keypasswd
10. , Enter.
LDAP :
LDAP CA.
1. PKI SMIT :
smitty pki
2. LDAP.
3. DN LDAP. LDAP
CA LDAP . 136
LDAP . 138.
cn=admin. LDAP CA.
ldappkiadmin /usr/lib/security/pki/acct.cfg. :
ldappkiadmin = "cn=admin"
4. LDAP.
LDAP . 136
LDAP . 138.
ldappkiadmpwd /usr/lib/security/pki/acct.cfg. :
ldappkiadmpwd = secret
5. LDAP. LDAP.
LDAP. ldapservers
/usr/lib/security/pki/acct.cfg. :
ldapservers = ldapserver.mydomain.com
143
6. DN , .
ibm-slapdSuffix
LDAP . 138.
LDAP. ldapsuffix /usr/lib/security/pki/acct.cfg. :
ldapsuffix = "ou=aix,cn=us"
7. , Enter.
LDAP PKI:
LDAP PKI.
, LDAP
. 143, , PKI ACL
LDAP PKI . 136.
:
v (ou=pkidata,cn=aixdata),
v (password),
v (site specific),
v (ou=pkidata,cn=aixdata).
, Enter.
:
/ (CA) :
1. PKI SMIT :
smitty pki
2. .
v ,
(new) mkuser ,
(get).
cert newuser /usr/lib/security/pki/policy.cfg.
v , mkuser
.
ca.cfg; , local. ca newuser
v , mkuser
. passwd newuser
v , mkuser
. 3,
X.509v3. version newuser /usr/lib/security/pki/
policy.cfg.
v .
mkuser . keysize newuser
v URI,
mkuser .
keystore newuser /usr/lib/security/pki/policy.cfg.
v , mkuser
. CA
. , .
144
AIX 5.3:
, , . d,
. y,
. :
1y (1 )
30d (30 )
2592000 ( , 30 )
validity newuser /usr/lib/security/pki/policy.cfg.
v , certlink
() (). replicate
storage /usr/lib/security/pki/policy.cfg.
v , certadd certlink
CRL () ().
check crl /usr/lib/security/pki/policy.cfg.
v - - , certadd
certlink HTTP (, CRL).
timeout comm /usr/lib/security/pki/policy.cfg.
methods.cfg:
methods.cfg ,
registry SYSTEM. ,
PKILDAP (PKI LDAP) FPKI (PKI ).
methods.cfg. PKI, LDAP
PKILDAP . .
.
PKI:
program = /usr/lib/security/PKI
options = authonly
LDAP:
PKILDAP:
options = auth=PKI,db=LDAP

methods.cfg .
:
.
PKI
PKI mkuser,
/usr/lib/security/methods.cfg (PKILDAP).
, /usr/lib/security/pki/policy.cfg, mkuser
. mkuser,
bob:
mkuser -R PKILDAP SYSTEM="PKILDAP" registry=PKILDAP bob
145
PKI
PKI
.
. , .
,
.
:
v cas.server cas.client , .
v PKILDAP methods.cfg, methods.cfg . 145.
1:
root
bob:
certcreate -f cert1.der -l auth_lbl1 cn=bob bob
certadd -f cert1.der -l auth_lbl1 auth_tag1 bob
certverify auth_tag1 bob
chuser SYSTEM="PKILDAP" registry=PKILDAP bob
chuser -R PKILDAP auth_cert=auth_tag1 bob
#
#
#
#
#
#
#
cert1.der.
auth_tag1
LDAP.
LDAP.
PKILDAP.

.
bob keypasswd.
2:
bob 1 (certcreate,
certadd, certverify), .
chuser 1.

PKI ,

. bob ,
.
# bob:
certcreate -f cert1.der -l auth_lbl1 cn=bob # cert1.der.
certadd -f cert1.der -l auth_lbl1 auth_tag1 # auth_tag1 LDAP.
certverify auth_tag1
# LDAP.
# :
chuser -R PKILDAP auth_cert=auth_tag1 bob
#
# .

,
PKI, passwd newuser stanza /usr/lib/security/pki/
policy.cfg.

, ,
.
146
AIX 5.3:

,
, , ,
.
. ,
(
, ).

. .
, .
.

, LDAP, ,
.

, LDAP.
, ,
.
/var/pki/security/keys/user1.p12 /var/pki/security1/keys/
user1.p12:
# root...
cp /var/pki/security/keys/user1.p12 /var/pki/security1/keys/user1.p12
# .
certlist ALL user1
#
#
#
#
#
#
#
, , :
A) .
B) LDAP.
C) LDAP,
.
D) , .
( D .)
# .
# , :
# : user1
# : tag1
# : label1
# .
certlist -a label tag1 user1
# LDAP cert.der.
certget -f cert.der tag1 user1
# LDAP.
certadd -r -f cert.der -p /var/pki/security1/keys/user1.p12 -l label1 tag1 user1
# , .
# ( .)
certverify tag1 user1
147
, :
, AIX
.
.
DER x509 v3, pkcs12.
- aixtest.cer, - aixtest.p12,
AIX - aixuser. aixuser . aixtest, .
.
, ,
Java.
,
, :
1. , , /usr/bin/keylist,
.
# keylist -v -p aixtest.p12
:
: aixtest
: aixtest
#
keytool .
keytool , ,
.
# keytool -list -keystore aixtest.p12 -storepass secret -storetype pkcs12
: pkcs12
: IBMJCE
1
2. AIX keyadd.
. ,
. , .
# keyadd -l aixtest -s aixtest.p12 aixuser
:
:
:
#
, , AIX:
# keylist -v aixuser
:
: aixtest
: aixtest
#
3. AIX LDAP:
# certadd -c -f aixtest.cer -l aixtest logincert aixuser
, :
# certlist -f logincert aixuser
aixuser:
auth_cert=
distinguished_name=c=US,o=IBM,ou=Sec Team,cn=AIX test
alternate_name=
validafter=0412230006
148
AIX 5.3:
validuntil=1231215916
issuer=c=US,o=IBM,ou=Sec Team,cn=AIX test
tag=logincert
verified=false
4. , :
# certverify logincert puser1
:
, :
# certlist -f -a verified logincert aixuser
aixuser:
verified=true
5. :
# chuser -R PKIfiles auth_cert=logincert aixuser
, auth_cert :
# lsuser -R PKIfiles -a auth_cert aixuser
aixuser auth_cert=logincert
6. SYSTEM registry:
# chuser -R PKIfiles SYSTEM=PKIfiles registry=PKIfiles aixuser
, :
# lsuser -f -R PKIfiles -a SYSTEM registry auth_cert aixuser
aixuser:
SYSTEM=PKIfiles
registry=PKIfiles
auth_cert=logincert
7. ca.cfg, .
dn program. certlist
, , .
# certlist -f -a issuer logincert aixuser
aixuser:
issuer=c=US,o=IBM,ou=Sec Team,cn=AIX test
#
/usr/lib/security/pki/JSML.sml.
/usr/lib/security/pki/ca.cfg :
remoteCA:
program = /usr/lib/security/pki/JSML.sml
dn
= "c=US,o=IBM,ou=Sec Team,cn=AIX test"
# telnet testsystem.ibm.com
AIX Version 5
(C) Copyrights by IBM and by others 1982, 2006.
login: aixuser
aixuser's Password:
8. , aixuser , :
# telnet testsystem.ibm.com
AIX Version 5
(C) Copyrights by IBM and by others 1982, 2006.
login: aixuser
aixuser's Password:
......
Last login: Fri Apr 14 10:46:29 CDT 2006 on /dev/pts/3 from localhost
$ echo $AUTHSTATE
PKIfiles
$
149

(PAM)

.
PAM ,
. :
v
v
v
v
PAM , . PAM
(API) PAM PAM
(SPI) PAM, .

. ,
.
. ,
.
AIX PAM, auth_type usw
/etc/security/login.cfg. auth_type = PAM_AUTH PAM
, AIX, API PAM.
. .
auth_type /etc/security/login.cfg.
auth_type PAM
AIX:
v login
v passwd
v su
v ftp
v telnet
v rlogin
v rexec
v rsh
v snappd
v
v
v
v
imapd
dtaction
dtlogin
dtsession
, PAM,
PAM , PAM. PAM,
API PAM PAM.
SPI PAM . PAM
, . ,
, ,
, .
, ; .
150
AIX 5.3:
3. PAM. ,
PAM PAM .
PAM
PAM /usr/lib/libpam.a API PAM,
PAM .
PAM , /etc/pam.conf
API PAM SPI PAM, PAM.
, API pam_authenticate PAM SPI pam_sm_authenticate.
v pam_authenticate
v pam_setcred
v pam_acct_mgmt
v pam_open_session
v pam_close_session
v pam_chauthtok
, PAM API,
PAM . API
PAM, AIX :
pam_start
pam_end
pam_get_data
pam_set_data
pam_getenv
pam_getenvlist
pam_putenv
pam_get_item
pam_set_item
pam_get_user
pam_strerror
PAM
PAM

PAM
PAM
PAM
PAM
PAM

PAM
PAM
PAM
.
151
PAM .
SPI PAM,
.

, ,
.
.
:
v pam_sm_authenticate
v pam_sm_setcred

.
.
:
v pam_sm_acct_mgmt

. ,
.
:
v pam_sm_open_session
v pam_sm_close_session

.
:
v pam_sm_chauthtok
PAM
/etc/pam.conf PAM
.
, :
- - - -- -
-
-
-
--
152
AIX 5.3:
. , ,
, OTHER.
. : auth, account, session password.
.
. : required, requisite, sufficient
optional.
, . --
: .
, PAM
/usr/lib/security ( 32- ), /usr/lib/security/64 ( 64-
).
.
, ,
--. .
, -
-, PAM. , (#),
.
PAM , .

-. , ;
- .
- ,
:
required
requisite
sufficient
optional
.
.
,
,
.
. required, ,
,
,
.
. , , ,
,

.
.
,
, .
- ,
.
/etc/pam.conf auth
.
#
# PAM /etc/pam.conf
#
#
login auth
required
login auth
required
login auth
optional
OTHER auth
required
/usr/lib/security/pam_ckfile
/usr/lib/security/pam_aix
/usr/lib/security/pam_test
/usr/lib/security/pam_prohibit
file=/etc/nologin
use_first_pass
.
pam_ckfile pam_aix ,
. pam_test .
. use_first_pass
pam_test , ,
.
OTHER
, . ,
. ,
, , pam_prohibit
PAM.
pam_aix
pam_aix - PAM, PAM
AIX , , AIX (
).
153
AIX
methods.cfg. ,
AIX, PAM.
4. PAM AIX
API PAM ,
/etc/pam.conf pam_aix. ,
(DCE, LDAP
KRB5), AIX ().
pam_aix /usr/lib/security. pam_aix
/etc/pam.conf. /etc/pam.conf
, :
#
#
#
OTHER auth
required
#
#
#
OTHER account required
#
#
#
OTHER session required
#
#
#
OTHER password required
pam_aix SPI pam_sm_authenticate, pam_sm_chauthok pam_sm_acct_mgmt.

pam_sm_setcred, pam_sm_open_session pam_sm_close_session pam_aix,
PAM_SUCCESS.
154
AIX 5.3:
SPI PAM
AIX:
PAM SPI
=========
pam_sm_authenticate
pam_sm_chauthtok
-->
-->
pam_sm_acct_mgmt
-->
pam_sm_setcred
-->
pam_sm_open_session
-->
pam_sm_close_session -->
AIX
=====
authenticate
passwdexpired, chpass
: passwdexpired

PAM_CHANGE_EXPIRED_AUTHTOK.
loginrestrictions, passwdexpired
, PAM_SUCCESS
, PAM_SUCCESS
, PAM_SUCCESS
, AIX,
pam_set_item , , ,
pam_aix.
PAM
AIX , PAM
AIX.
: AIX 5.3 PAM
PAM AIX.
PAM, PAM
PAM AIX.
PAM AIX auth_type usw
/etc/security/login.cfg PAM_AUTH. auth_type
PAM - , .
PAM auth_type.
/usr/lib/security/methods.cfg PAM
AIX (passwd, login, ..) PAM. PAM
/etc/pam.conf, , PAM , SPI
PAM. PAM AIX
.
155
5. AIX PAM
AIX
PAM. PAM (pam_krb, pam_ldap pam_dce)
, .
PAM /usr/lib/security
. PAM
. , methods.cfg
PAM, files. BUILTIN,
db, , UNIX.
PAM:
program = /usr/lib/security/PAM
PAMfiles:
options = auth=PAM,db=BUILTIN
-R ,
SYSTEM . :
mkuser -R PAMfiles SYSTEM=PAMfiles registry=PAMfiles pamuser
, AIX (login, passwd, ..)

PAM. files,
, , LDAP.
AIX API PAM:
AIX
=====
authenticate
chpass
passwdexpired
passwdrestrictions
-->
-->
-->
-->
PAM API
=========
pam_authenticate
pam_chauthtok
pam_acct_mgmt
,
/etc/pam.conf API PAM PAM

. .
156
AIX 5.3:
, AIX, PAM pam_set_item, PAM

. PAM,
PAM, pam_get_item
.
, : AIX
PAM, PAM, , AIX.
.
: /etc/pam.conf pam_aix PAM
AIX, .
PAM
PAM.
1. 32- /usr/lib/security; 64-
/usr/lib/security/64.
2. root, - 555.
PAM , root.
3. /etc/pam.conf, .
4. . ,
.
the /etc/pam.conf
, /etc/pam.conf, .
/etc/pam.conf :
v root security.
644, ,
- root.
v PAM,
pam_prohibit ( OTHER).
v ,
, .
v ,
required, requisite, sufficient optional.
: PAM , ,
, root.

. , ,
/etc/pam.conf
PAM
PAM .
PAM-API
PAM.
PAM :
1. /etc/pam_debug. PAM
/etc/pam_debug, , , syslog.
2. /etc/syslog.conf, ,
.
3. syslogd .
157
4. PAM ,
/etc/syslog.conf
OpenSSH
OpenSSH SSH1 SSH2.
.
OpenSSH /. OpenSSH AIX sshd
.
,
.
OpenSSH, man, Web-:
http://www.openssh.org
http://www-128.ibm.com/developerworks/eserver/articles/openssh_updated.html
installp AIX Web-: http://sourceforge.net/projects/openssh-aix.
OpenSSH AIX.
OpenSSH AIX 5.3.
OpenSSH installp
openssh-3.8.p1. installp man
. OpenSSH, ,
IBM (IPLA)
.
OpenSSH installp
Open Secure Sockets Layer (OpenSSL) . OpenSSL RPM
- AIX Toolbox Linux. , Web-
AIX Toolbox Linux: http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
OpenSSL ,
Web-. :
1. AIX Toolbox Cryptographic Content Web- AIX Toolbox
Linux.
2. I have not registered before.
3. .
4. Accept License,
. .
5. openssl-0.9.6m-1.aix4.3.ppc.rpm
OpenSSL SSL Cryptographic Libraries.
6. Download now! openssl-0.9.6m-1.aix4.3.ppc.rpm.
OpenSSL OpenSSL OpenSSH.
1. OpenSSL RPM geninstall:
# geninstall -d/dev/cd0 R:openssl-0.9.6m
--------openssl-0.9.6m-3
2. OpenSSH installp geninstall:

# geninstall -I"Y" -d/dev/cd0 I:openssh.base
158
AIX 5.3:
Y,
OpenSSH.
:

-------------------
------------------------------------------------------------------------------openssh.base.client
3.8.0.5200
USR

openssh.base.server
3.8.0.5200
USR

openssh.base.client
3.8.0.5200
ROOT

openssh.base.server
3.8.0.5200
ROOT

OpenSSL OpenSSH SMIT install_software.

OpenSSH:
scp
, rcp.
sftp
, FTP, SSH1 SSH2.
sftp-server
SFTP ( sshd).
ssh
rlogin rsh.
ssh-add
ssh-agent.
ssh-agent
.
ssh-keygen
.
ssh-keyscan
.
ssh-keysign
.
ssh-rand-helper
, OpenSSH .
AIX 5.1.
sshd
OpenSSH:
v /etc/ssh sshd ssh.
v /usr/openssh readme OpenSSH
. Kerveros
ssh.
v sshd AIX SRC. ,
:
startsrc -s sshd
stopsrc -s sshd
lssrc -s sshd
startsrc -g ssh
stopsrc -g ssh
lssrc -s ssh
()
:
/etc/rc.d/rc2.d/Ksshd start
/etc/rc.d/rc2.d/Ssshd start
159
/etc/rc.d/rc2.d/Ksshd stop
/etc/rc.d/rc2.d/Ssshd stop
v OpenSSH /etc/rc.d/rc2.d .
inittab (l2:2:wait:/etc/rc.d/rc 2),
sshd .
, /etc/rc.d/rc2.d/Ksshd /etc/rc.d/rc2.d/Ssshd.
v OpenSSH SYSLOG.
v OpenSSH AIX (IBM Redbook),
Managing AIX Server Farms, Web-:
http://www.redbooks.ibm.com
v AIX, OpenSSH ( 256

).
mkuser.
v , AllowUsers, DenyUsers, AllowGroups DenyGroups
ssh_config sshd_config.
, .
OpenSSH
OpenSSH:
1. Web- http://sourceforge.net/projects/openssh-aix
2. , , uncompress - command.
:
uncompress openssh361p2_52_nologin.tar.Z
3. tar -xvf -. :
tar -xvf openssh361p2_52_nologin.tar
4. inutoc.
5. smitty install.
6. .
7. ( ).
8. (.) Enter.
9. Tab
.
10. Enter, .
OpenSSH - , PTF.
.
OpenSSH
OpenSSH AIX.
OpenSSH AIX 5.1 :
OpenSSH :
: /usr/bin
: /usr/sbin
: /etc/ssh
Askpass: /usr/sbin/ssh-askpass
man: /usr/man
PID: /etc/ssh
chroot : /var/empty
PATH sshd: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
man: man
160
AIX 5.3:
PAM:
KerberosIV:
KerberosV:
Smartcard:
AFS:
S/KEY:
TCP:
MD5:
IP- $DISPLAY:
IPv4 :
v4 v6:
BSD:
: ssh-rand-helper
ssh-rand-helper : (- 200)
: powerpc-ibm-aix5.1.0.0
: cc
: -O -D__STR31__
: -I. -I$(srcdir) -I/home/BUILD/test2debug/zlib-1.1.3/ -I/o
pt/freeware/src/packages/SOURCES/openssl-0.9.6m/include -I/usr/include -I/usr/in
clude/gssapi -I/usr/include/ibm_svc -I/usr/local/include $(PATHS) -DHAVE_CONFIG_
H
: -L. -Lopenbsd-compat/ -L/opt/freeware/lib/ -L/usr/local/lib
-L/usr/krb5/lib -blibpath:/opt/freeware/lib:/usr/lib:/lib:/usr/local/lib:/usr/kr
b5/lib
: -lz -lcrypto -lkrb5 -lk5crypto -lcom_err
: . WARNING.RNG

.
OpenSSH AIX 5.2 :

OpenSSH :
: /usr/bin
: /usr/sbin
: /etc/ssh
man: /usr/man
PID: /etc/ssh
chroot : /var/empty
PATH sshd: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
man: man
PAM:
KerberosIV:
KerberosV:
Smartcard:
AFS:
S/KEY:
TCP:
MD5:
IP- $DISPLAY:
IPv4 :
v4 v6:
BSD:
: OpenSSL
: cc
: -O -D__STR31__
: -I/opt/freeware/src/packages/BUILD/openssl-0.9.6m/includ
e -I/usr/local/include -I/usr/local/include
: -L/opt/freeware/src/packages/BUILD/openssl-0.9.6m -L/usr/lo
cal/lib -L/usr/local/lib -blibpath:/usr/lib:/lib:/usr/local/lib:/usr/local/lib
OpenSSH AIX 5.3 :

OpenSSH :
: /usr/bin
: /usr/sbin
161
: /etc/ssh
man: /usr/man
PID: /etc/ssh
chroot : /var/empty
PATH sshd: /usr/bin:/bin:/usr/sbin:/sbin:/usr/
local/bin
man: man
PAM:
KerberosIV:
KerberosV:
Smartcard:
AFS:
S/KEY:
TCP:
MD5:
IP- $DISPLAY:
IPv4 :
v4 v6:
BSD:
: OpenSSL
: cc
: -O -D__STR31__
: -I/opt/freeware/src/packages/BUILD/openssl-0.9.6m/
include -I/usr/local/include -I/usr/local/include
Linker flags: -L/opt/freeware/src/packages/BUILD/openssl-0.9.6m
-L/usr/local/lib -L/usr/local/lib -blibpath:/usr/lib:/lib:/usr/local/
lib:/usr/local/lib
OpenSSH Kerberos 5
Kerberos ,
. , ,
. , Kerberos
.
Kerberos kinit,
Kerberos,
KDC (Key Distribution Center - ). KDC
, TGT (Ticket-Granting Ticket -
). ,
Telnet Kerberos OpenSSH. Kerberos ,
KDC . Kerberos
, . Kerberos, IBM,
(NAS). NAS -
AIX. krb5.client.rte krb5.server.rte. 2003
OpenSSH 3.6 Kerberos 5
NAS 1.3.
OpenSSH 3.8 Kerberos 5
NAS 1.4. OpenSSH NAS
(Kerberos). OpenSSH 3.8.x NAS 1.4 .
AIX OpenSSH Kerberos .
Kerberos , OpenSSH Kerberos
(,
AIX).
162
AIX 5.3:
Kerberos Kerberos
. Kerberos
IBM Network Authentication Service Version 1.3 for AIX : Administrator's and User's Guide,
/usr/lpp/krb5/doc/html//ADMINGD.htm
OpenSSH Kerberos:
, OpenSSH Kerberos.
, OpenSSH
Kerberos:
1. OpenSSH /etc/krb5.conf.
Kerberos, KDC ,
.. krb5.conf:
[libdefaults]
ticket_lifetime = 600
default_realm = OPENSSH.AUSTIN.XYZ.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
OPENSSH.AUSTIN.xyz.COM = {
kdc = kerberos.austin.xyz.com:88
kdc = kerberos-1.austin.xyz.com:88
kdc = kerberos-2.austin.xyz.com:88
admin_server = kerberos.austin.xyz.com:749
default_domain = austin.xyz.com
}
[domain_realm]
.austin.xyz.com = OPENSSH.AUSTIN.XYZ.COM
kdc.austin.xyz.com = OPENSSH.AUSTIN.XYZ.COM
2. , /etc/services
Kerberos:
kerberos
88/udp
kerberos
88/tcp
kerberos-adm 749/tcp
kerberos-adm 749/udp
krb5_prop
754/tcp
kdc
kdc
#
#
#
#
#
#
Kerberos V5 KDC
Kerberos V5 KDC
Kerberos 5 admin/changepw
Kerberos 5 admin/changepw
Kerberos slave
propagation
3. KDC LDAP,
LDAP . 97
Kerberos. , :
v KDC LDAP. LDAP
secldapclntd.
v LDAP LDAP slapd.
4. OpenSSH /etc/ssh/sshd_config, :
KerberosAuthentication yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UseDNS yes
UseDNS Yes, ssh

. , ,
IP-.
163
5.
6.
7.
8.
: SSH -
DNS. ,
DNS, UseDNS no. UseDNS
/etc/ssh/sshd_config, yes.
SSH startsrc -g ssh, SSH.
SSH kinit (TGT).
TGT klist.
.
ssh @.
Kerberos
SSH.

IP;
; .
TCP/IP
TCP/IP NFS .
TCP/IP,
. TCP/IP TCP/IP
in .
. ,
. ,
. ,
, , .
TCP/IP ,
.
TCP/IP NFS WSM (Web- )
SMIT tcpip.
dacinet AIX 5L 5.3:
.

TCP/IP (, )
.
TCP/IP.
:

, .
:
v
, . TCP/IP, ftp, rexec
telnet, ,
.
164
AIX 5.3:
v , IP-
. , .
v ,
. ,
, .
:
TCP/IP .
, .
- ,
, , .
:

v
v
v
v
v
v
v

v
v
v
v
v
v
v
v
v
.
, .
, :
,
. , ,
.
, (tsh),
, . TCP/IP ,
(SAK),
. TCP/IP SAK. SAK
telnet.
165
SAK telnet ,
: telnet , ,
telnet. , telnet
telnet send sak ( telnet). telnet set sak
, SAK.

. 1.
TCP/IP
TCP/IP . ftp,
rexec telnet.
ftp . rexec
. telnet
.
ftp, rexec telnet . ,
.
securetcpip.
; ,
IP.
ftp, rexec, securetcpip telnet :
ftp .
ftp ,
.
.
.
ftp

$HOME/.netrc.
$HOME/.netrc 600 (
). ,
.
: .netrc
,
ftp securetcpip.
ftp tcpip
/etc/security/config.
ftp TCP/IP:
(FTP), .
,
. ,
, , .
, ftp
.
.
rexec
. .
rexec

$HOME/.netrc rexec.
$HOME/.netrc 600
( ). ,
.
: .netrc
,
rexec
. rexec tcpip
/etc/security/config.
166
AIX 5.3:
securetcpip TCP/IP.
. securetcpip
:
securetcpip
v rlogin rlogind
v rcp, rsh rshd
v tftp tftpd
v trpt
securetcpip .
securetcpip ,
TCP/IP.
telnet (TELNET)
. .
, , .
, .
, ,
. , telnet
SAK.
, ,
telnet.
telnet tn
:
, /etc/hosts.equiv,
, .
, ,
Web- , WSM (Web- ) .
11.
SMIT
WSM (Web- )
smit lshostsequiv

/etc/hosts.equiv
TCPIP (IPv4 IPv6)

TCPIP TCP/IP TCP/IP
hosts /etc/hosts .
smit mkhostsequiv
/etc/hosts.equiv .
smit rmhostsequiv

/etc/hosts.equiv .
TCPIP (IPv4 IPv6)

TCPIP TCP/IP TCP/IP
hosts. / :
IP-, , .
/ OK.
TCPIP (IPv4 IPv6)
TCPIP TCP/IP TCP/IP
hosts. /etc/host.
OK.
: "hosts.equiv File
Format for TCP/IP" AIX 5L 5.3: .
FTP:
167
, /etc/ftpusers, FTP. ,
, A B .
B /etc/ftpusers, A
FTP, .
, ,
WSM (Web- ), SMIT .
FTP
SMIT
WSM (Web- )
FTP
smit lsftpusers

/etc/ftpusers
smit mkftpusers

/etc/ftpusers
file.
Selected
. OK.
smit rmftpusers

/etc/ftpusers
file.

Delete.
: "ftpusers File Format

for TCP/IP" AIX 5L 5.3: .

( ) - , ,
.
, .
. A1, B1, B2, B3, C1, C2 D, A1 . .
, C2 :

, , .
, ,
.
,
. ,
,
.
, ,
,
, .
TCP/IP .
:
v ftpd
v rexecd
v telnetd
:
v rshd
v rlogind
v tftpd
168
AIX 5.3:
,
. , .

(NTCB) ,
. NTCB, TCP/IP.
, TCP/IP.
, , .
NTCB . ,
, :
/etc
gated.conf
root
system
0664
rw-rw-r
gateways
root
system
0664
rw-rw-r
hosts
root
system
0664
rw-rw-r
hosts.equiv
root
system
0664
rw-rw-r
inetd.conf
root
system
0644
rw-rr
named.conf
root
system
0644
rw-rr
named.data
root
system
0664
rw-rw-r
networks
root
system
0664
rw-rw-r
protocols
root
system
0644
rw-rr
rc.tcpip
root
system
0774
rwxrwxr
resolv.conf
root
system
0644
rw-rw-r
services
root
system
0644
rw-rr
3270.keys
root
system
0664
rw-rw-r
3270keys.rt
root
system
0664
rw-rw-r
host
root
system
4555
r-sr-xr-x
hostid
bin
bin
0555
r-xr-xr-x
hostname
bin
bin
0555
r-xr-xr-x
finger
root
system
0755
rwxr-xr-x
ftp
root
system
4555
r-sr-xr-x
netstat
root
bin
4555
r-sr-xr-x
rexec
root
bin
4555
r-sr-xr-x
ruptime
root
system
4555
r-sr-xr-x
rwho
root
system
4555
r-sr-xr-x
talk
bin
bin
0555
r-xr-xr-x
telnet
root
system
4555
r-sr-xr-x
/usr/bin
169
/usr/sbin
arp
root
system
4555
r-sr-xr-x
fingerd
root
system
0554
r-xr-xr
ftpd
root
system
4554
r-sr-xr
gated
root
system
4554
r-sr-xr
ifconfig
bin
bin
0555
r-xr-xr-x
inetd
root
system
4554
r-sr-xr
named
root
system
4554
r-sr-x
ping
root
system
4555
r-sr-xr-x
rexecd
root
system
4554
r-sr-xr
route
root
system
4554
r-sr-xr
routed
root
system
0554
r-xr-x-
rwhod
root
system
4554
r-sr-xr
securetcpip
root
system
0554
r-xr-xr
setclock
root
system
4555
r-sr-xr-x
syslogd
root
system
0554
r-xr-xr
talkd
root
system
4554
r-sr-xr
telnetd
root
system
4554
r-sr-xr
tn
root
system
4555
r-sr-xr-x
rwho ()
root
system
0755
drwxr-xr-x
/usr/ucb
/var/spool/rwho

TCP/IP .
,
(, ), .
TCP/IP (DOD)
DOD 5200.5 NCSD-11, .
TCP
Internet
Internet (DACinet)
TCP AIX 5.2.
AIX 5.2
TCP. DACinet
, .
: DACinet CAPP/EAL4+, AIX systems.
, DACinet
, root. UNIX, AIX,
170
AIX 5.3:
1024 root. AIX 5.2

1024 ( root).
DACinet
DACinet. . DACinet,
.
dacinet , IP-
.
host.domain.org:
host.domain.org
IP- 10.0.0.1:
10.0.0.1
, 24 ( ) 10.0.0.0:
10.0.0.0/24
10.0.0.1 10.0.0.254.
TCP:
DACinet /etc/rc.dacinet /etc/security/priv,
/etc/security/services /etc/security/acl.
/etc/security/services , ACL.
, /etc/services.
/etc /etc/security , ACL.
ACL . ACL ;
dacinet aclls. ACL, /etc/rc.tcpip,
/etc/security/acl. :
/_ [|]
/etc/services, -
, - u: or g:.
, ACL .
-. ACL . ,
, ,
.
/etc/services , AIX 5.2.
mkCCadmin .
/etc/services :
sco_printer
sco_s5_port
70000/tcp
70001/tcp
sco_spooler
lpNet_s5_port
# For System V print IPC

# For future use
DACinet:
, DACinet TCP/25
root DACinet, root
AIX 5.2.
TCP/25.
171
X11 root. ,
X11 /etc/security/services, ACL
.
10.1.1.0/24, , X
(TCP/6000) root, /etc/security/acl
ACL:
6000
10.1.1.0/24 u:root
Telnet friends ,
telnet /etc/security/services ACL:
telnet
0.0.0.0/0
g:friends
Web- fred,
:
-80
80
0.0.0.0/0 u:fred
0.0.0.0/0
:
,
.
1024. ,
Web- 8080, SOCKS - 1080.
dacinet setpriv. /etc/security/priv
, .
, /etc/services, .
, root, SOCKS Lotus Notes
:
1080
lotusnote
: .
.

,
, .

AIX.
: AIX
.
AIX:
172
AIX 5.3:
13/tcp
daytime
Daytime (RFC 867)
13/udp
daytime
Daytime (RFC 867)
21/tcp
ftp
File Transfer [Control]
21/udp
ftp
File Transfer [Control]
23/udp
telnet
Telnet
23/udp
telnet
Telnet
25/tcp
smtp
Simple Mail Transfer
25/udp
smtp
Simple Mail Transfer
37/tcp
time
Time
37/udp
time
Time
111/tcp
sunrpc
SUN Remote Procedure Call
111/udp
sunrpc
SUN Remote Procedure Call
161/tcp
snmp
SNMP
161/udp
snmp
SNMP
199/tcp
smux
SMUX
199/udp
smux
SMUX
512/tcp
exec
513/tcp
login
, telnet;
514/tcp
shell
cmd
514/udp
syslog
Syslog
518/tcp
ntalk
Talk
518/udp
ntalk
Talk
657/tcp
rmc
RMC
657/udp
rmc
RMC
1334/tcp
writesrv
writesrv
1334/udp
writesrv
writesrv
2279/tcp
xmquery
xmquery
2279/udp
xmquery
xmquery
9090/tcp
wsmserver
WebSM
32768/tcp
filenet-tms
Filenet TMS
32768/udp
filenet-tms
Filenet TMS
32769/tcp
filenet-rpc
Filenet RPC
32769/udp
filenet-rpc
Filenet RPC
32770/tcp
filenet-nch
Filenet NCH
32770/udp
filenet-nch
Filenet NCH
32771/tcp
filenet-rmi
FileNET RMI
32771/udp
filenet-rmi
FileNet RMI
32772/tcp
filenet-pa
FileNET Process Analyzer
32772/udp
filenet-pa
FileNET Process Analyzer
32773/tcp
filenet-cm
FileNET
32773/udp
filenet-cm
FileNET
32774/tcp
filenet-re
FileNET
32774/udp
filenet-re FileNET Rules Engine
FileNET
173

- ,
.
,
, , , ,
. , ,
Internet.
:
1. netstat:
# netstat -af inet
. netstat
. , ,
(LISTEN).
Internet ( )
Recv-Q
Send-Q
()
tcp4
*.echo
*.*
tcp4
*.discard
*.*
tcp4
*.daytime
*.*
tcp
*.chargen
*.*
tcp
*.ftp
*.*
tcp4
*.telnet
*.*
tcp4
*.smtp
*.*
tcp4
*.time
*.*
tcp4
*.www
*.*
tcp4
*.sunrpc
*.*
tcp
*.smux
*.*
tcp
*.exec
*.*
tcp
*.login
*.*
tcp4
*.shell
*.*
tcp4
*.klogin
*.*
udp4
*.kshell
*.*
udp4
*.echo
*.*
udp4
*.discard
*.*
udp4
*.daytime
*.*
udp4
*.chargen
*.*
udp4
*.time
*.*
udp4
*.bootpc
*.*
udp4
*.sunrpc
*.*
udp4
255.255.255.255.ntp
*.*
udp4
1.23.123.234.ntp
*.*
174
AIX 5.3:
Internet ( )
Recv-Q
Send-Q
udp4
localhost.domain.ntp
*.*
udp4
name.domain..ntp
*.*
()
....................................
2.
/etc/services , Internet
Assigned Numbers Authority (IANA).
/etc/services:
tcpmux
1/tcp
# TCP Port Service Multiplexer
tcpmux
1/tcp
# TCP Port Service Multiplexer
Compressnet
2/tcp
# Management Utility
Compressnet
2/udp
# Management Utility
Compressnet
3/tcp
# Compression Process
Compressnet
3/udp
Compression Process
Echo
7/tcp
Echo
7/udp
discard
9/tcp
sink null
discard
9/udp
sink null
rfe
5002/tcp
# Radio Free Ethernet
rfe
5002/udp
# Radio Free Ethernet
rmonitor_secure
5145/tcp
rmonitor_secure
5145/udp
pad12sim
5236/tcp
pad12sim
5236/udp
sub-process
6111/tcp
# HP SoftBench Sub-Process Cntl.
sub-process
6111/udp
# HP SoftBench Sub-Process Cntl.
xdsxdm
6558/ucp
xdsxdm
6558/tcp
afs3-fileserver
7000/tcp
# File Server Itself
afs3-fileserver
7000/udp
# File Server Itself
af3-callback
7001/tcp
# Callbacks to Cache Managers
af3-callback
7001/udp
# Callbacks to Cache Managers
..............
3. , .
: 657 (RMC)
. , - .
TCP UDP
TCP, , UDP,
, lsof, netstat -af.
175
, TCP, ,
UDP, , lsof:
# lsof -i | egrep "||UDP"
PID
FD
dtlogin
2122
root
5u
IPv4
0x70053c00
0t0
UDP
*:xdmcp
dtlogin
2122
root
6u
IPv4
0x70054adc
0t0
TCP
*:32768(.)
syslogd
2730
root
4u
IPv4
0x70053600
0t0
UDP
*:syslog
2880
root
6u
IPv4
0x70054adc
0t0
TCP
*:32768(.)
2880
root
8u
IPv4
0x700546dc
0t0
TCP
*:6000(.)
dtlogin
3882
root
6u
IPv4
0x70054adc
0t0
TCP
*:32768(.)
glbd
4154
root
4u
IPv4
0x7003f300
0t0
UDP
*:32803
glbd
4154
root
9u
IPv4
0x7003f700
0t0
UDP
*:32805
dtgreet
4656
root
6u
IPv4
0x70054adc
0t0
TCP
*:32768(.)
(PID)
:
" # ps -fp PID#"
, .
IP
IP- , IP Internet
.
IP -
IP ,
.
.
IP :
IP (IPsec),
, Internet Engineering Task Force (IETF).
IPsec IP .
. IPsec IETF
IPv4, IPv6.
IPsec :
, .

, ,
.
176
AIX 5.3:

,
IP- .
,
. (
IP) - ,
. . ,
,
.
.
. ,
, .
,
, .
.
IPsec ESP (Encapsulating Security Payload)
AH (Authentication Header). ESP IP.
ESP ESP.
AH ESP,
. AH IP
, -
, .
, . ,
.
IP:
IP.
v
v
v
v
AES 128-, 192- 256- .

10/100 Ethernet PCI Adapter II.
AH RFC 2402 ESP RFC 2406.
,
IKE, IPv6.
v .
v HMAC (Hashed Message Authentication Code) MD5 (Message Digest 5) HMAC
SHA (Secure Hash Algorithm).
v DES 56- , CBC 64-bit- (IV),
Triple DES, DES CBC 4 (32- IV) AES CBC.
v IP (IPv4 IPv6).
v IPv4 IPv6. IP
, IP .
v , ,
IP- , , , ..
v .
v ( IP-) . IP-
( DNS).
v IP syslog.
v .
177
v ,
.
Internet Key Exchange (IKE):
AIX 4.3.3 IKE,
.
v ESP DES, Triple DES, AES, Null Encryption;
ESP HMAC MD5 HMAC SHA1.
v PKCS #7 (AIX 5.1 ).
v
HTTP LDAP.
v IKE IETF.
v X.509 IKE
.
v IKE Linux ( AIX 5.1 ).
v X.509.
v ( ) .
v 1, 2 5 Diffie-Hellman.
v AH HMAC MD5 HMAC SHA1.
v IPv4 IPv6.
:
- .
.
(AH ESP)
. IP-
, SPI ( ),
, .
.
A B. B
6. A B
, B A. , SPI, ,
, , .
178
AIX 5.3:

.
:
,
, .
, :
v IKE ( , IETF)
v ( , IETF)
IKE:
IKE ISAKMP/Oakley (Internet Security Association and Key Management
Protocol), IETF.
.
:
X.509v3.
.
.
IP ,
.
,
AH ESP IKE.
AH IP 4 6
ESP IP 4 6
HMAC MD5
HMAC SHA1
DES CBC 8
Triple DES CBC
AES CBC (128, 192, 256)
ESP Null
:
,
.
.
.
,
AH ESP .
179
AH IP 4
AH IP 6
ESP IP 4
ESP IP 6
HMAC MD5
HMAC SHA1
AES CBC (128, 192,

256)
Triple DES CBC
DES CBC 8
DES CBC 4
IKE ,
.
:
-
.
.
, , IP-
, IP (4 6), , ,
, , , .
, .

, .
(, , ),
.
IKE
.
IP
. ,
,
.
, ,
.
,
, .
.
.
,
, . ,
, .
, ,
.
IP , ,
.
:
180
AIX 5.3:
IP X.509 3.
,
.
.
IBM.
IP:
(VPN)
(, Internet).
VPN ,
(, ).
,
, ,
.
IPsec, IETF
IPv4 IPv6.
9 A Comprehensive Guide to Virtual Private Networks, Volume III:
Cross-Platform Key and Policy Management, ISBN SG24-5309-00.
AIX.
Internet http://www.redbooks.ibm.com/redbooks/SG245309.html.
IP-
IP- AIX .
:
v bos.net.ipsec.rte ( IP- )
v bos.msg.LANG.net.ipsec ( LANG - , , ru_ru)
v bos.net.ipsec.keymgt
v bos.net.ipsec.websm
v bos.crypto-priv ( DES, DES AES)
bos.crypto-priv . IKE
gskit.rte (AIX 4) gskkm.rte (AIX 5.1)
.
IP WSM (Web- ),
Java131.ext.xml4j 1.3.1.1 .
IP- IP 4 6
, IP-, mkdev.
IP-:
IP- , SMIT WSM
(Web- ). , SMIT WSM (Web- )
IKE .
: IP- .
. .
181
, lsdev IP .
lsdev -C -c ipsec
ipsec_v4 : IP- 4
ipsec_v6 : IP- 6
IP-
.
IP
IP .
,
. ,
.
IP WSM (Web- ),
(SMIT). SMIT
:
smit ips4_basic
IP 4.
smit ips6_basic
IP 6.
IP : ,
/ , .. ,
:
:
10/100 Mbps Ethernet PCI Adapter II ( 4962) IP
AIX IP.
AIX 10/100 Mbps Ethernet PCI Adapter II, IP
:
v DES Triple DES.
v MD5 SHA-1.
v ,
. 10/100 Mbps Ethernet PCI
Adapter II IKE.
IP bos.net.ipsec.rte
devices.pci.1410ff01.rte 5.1.0.25 .
,
. , ,
.
.
10/100 Mbps Ethernet PCI Adapter II :
v DES, 3DES NULL ESP
182
AIX 5.3:
v HMAC-MD5 HMAC-SHA-1 ESP AH, .

( ESP AH, ESP.
IKE,
.)
v
v IPV4
: 10/100 Mbps Ethernet PCI Adapter II IP.
IP 10/100 Mbps Ethernet PCI Adapter II
IPsec.
SMIT :
IPsec SMIT :
1.
2.
3.
4.
5.
root.
smitty eadap Enter.
/ Ethernet Enter.
10/100 Mbps Ethernet PCI Adapter II Enter.
IPsec Enter.
:
# ifconfig enX detach
IPsec :
# chdev -l entX -a ipsec_offload=yes
IPsec :
# lsattr -El entX detach
IPsec :
# chdev -l entX -a ipsec_offload=no
enstat , IPsec.
enstat IPsec
IPsec. , Ethernet ent1,
:
# entstat -d ent1
:
.
.
.
10/100 Mbps Ethernet PCI Adapter II (1410ff01):
-------------------------------------------.
.
.
IPsec: 3
IPsec: 0
IPsec: 2
IPsec: 0
183
IP - .
, .
- ,
, .
.
,
, IP (4 6), , , , ,
, . IP,
.
.
, .
IP.
, , .
, .
, .
.
,
, .
.
7.
. IP, .
, IP
.
:
,
. ,
. ,
.
A B.
184
AIX 5.3:
A B. B
8. A B
, B A. , SPI, ,
, , .
(SPI)
. . ,
, , ,
.
:
, IP, .
IKE ,
.
IKE .
.
Internet
. .

. ,
, .
IKE .
, IKE
AH ESP, .
, IP. ,
:
v
v
v
185
IKE.
9. IKE
(IKE)
( IP). IKE ,
. IP ,
IP. ,
,
. , IKE
, IP ,
.
:
, ,
IKE. ,
.
, .
( ) IKE
(. ):
186
AIX 5.3:
( )
IKE.
. , IKE.
, , VPN
VPN .
, IKE.
, ,
.
,
, - KEY_ID.
KEY_ID ,
.
IP-, (FQDN),
(user@FQDN). :
jdoe@studentmail.ut.edu.
IP-
IP- . ,
KEY_ID, IP-. ,
,
IP- .
:
IKE.
IP, ,
, .
.
, IP:
,
,
, .
,
. ,
, .
IP- (, 9.53.250.96 255.255.255.0)
IP-
IP- ,
(, 9.53.250.96 - 9.53.250.96 9.53.250.93)
IP-
IP- ,
(, 9.53.250.93 - 9.53.250.96 9.53.250.93)
, (, 21 23)
,
(, TCP UDP). ,
,
.
.
:
IKE ,
, .
IKE,
.
IETF ESP AH.
.
, ,
.
187
.
, .
, ,
, IP .
MD5 DES, HMAC MD5 DES.
IP.
,
( ).
.
, .
, , - ,
. ,
.
IKE DHCP :
IP IKE
, IP-.
, ,
, IP.
, , ,
(FQDN) (@FQDN).
( 1) RSA
, IP-. ,
,
IP- .
DHCP, IPsec,
DHCP ,
RSA.
, DHCP (.
/usr/samples/ipsec/group_aix_responder.xml ).
IPsec AIX.
IKE ( IP-), FQDN, FQDN,
IP- .
.
: .
, DHCP.
( ) TCP
UDP, . , ,
, , IP-
. ,
, .
XML:
XML,
ikedb.
IKE XML ikedb
IKE . 193.
188
AIX 5.3:
DHCP. XML IPSecTunnel, WSM

(Web- ) .
. ,
IPSecProtection, ,

.
, AIX . IPSecProtection
.
IKEProtection.
XML IKE_IPSecDefaultProtectionRef IKE_IPSecDefaultAllowedTypes.
-, IPSecProtection,
IPSecTunnels. IPSecProtection
IPSec_ProtectionName, _defIPSprot_.
IKEProtection, IPSecProtection .
IKE_IPSecDefaultProtectionRef, IPSec_Protection .
IKEProtection IKE_IPSecDefaultAllowedTypes.
( ):
Local_IPV4_Address
Local_IPV6_Address
Local_IPV4_Subnet
Local_IPV6_Subnet
Local_IPV4_Address_Range
Local_IPV6_Address_Range
Remote_IPV4_Address
Remote_IPV6_Address
Remote_IPV4_Subnet
Remote_IPV6_Subnet
Remote_IPV4_Address_Range
Remote_IPV6_Address_Range
. IKE
. IPSecProtection ,
IKE_IPSecDefaultAllowedTypes , Local_,
, , Remote_,
. , IPSec_Protection
IKE_IPSecDefaultAllowedTypes Local_
Remote_.
:
.
( ) AIX :
:
:
IPV4_Address
192.168.100.104
:
IPV4_Subnet
:
10.10.10.2
: 255.255.255.192
AIX , . IPSecProtection
:
189
IKE_IPSecDefaultProtectionRef="_defIPSprot_protection4"
IKE_IPSecDefaultAllowedTypes="Local_IPV4_Address
Remote_IPV4_Address
Remote_IPV4_Subnet
Remote_IPV4_Address_Range"
(IPV4_Address)
Local_ (Local_IPV4_Address). , (IPV4_Subnet)
Remote_IPV4_Subnet. ,
_defIPSprot_protection4 IPSecProtection.
/usr/samples/ipsec/default_p2_policy.xml XML
IPSecProtection.
WSM (Web- ):
WSM (Web- ).
WSM (Web- )
:
1. IKE,
.
2. .
. .
. IP V4 V6,
IP V4 V6, IP V4 V6
.
3.
OK. .
:
AIX.
IKE ( Internet-)
IKE WSM (Web- ), SMIT
.
IKE WSM (Web- ):
IKE WSM (Web- )
:
IKE WSM (Web-
) .
WSM (Web- ) IKE
IP-, ;
, , .
:
v . ,
IKE .
v , .
, hostA_to_hostB,
IP-.
190
AIX 5.3:
v 1 2 .
v ( 0x) .
v ,
.
v IP-.
v ,
. WSM (Web- )
VPN IKE.
:
1. WSM (Web- ) wsm.
2. .
3. ( IP-).
4. .
5. .
6. , , IKE.
( F1).

IKEWSM (Web- ), .
IKE:

.
:
IKE WSM (Web- ).
:
1. WSM (Web- ) wsm.
2. .
3. ( IP-).
4. .
5.
IP-. ,
IP-, isakmpd, tmd cpsd.
,
.
v - .
, .
v , .
(
IP-), .

, (,
).
6.
IKE.
7. , , .
IP-, , .
191
,
.
.
8. ,
. .
9. , ,
.

RSA RSA CRL.

. 196.
:
, IKE,
.
WSM (Web- ), IKE,
. 205.
:
1. .
.
2. (IP-, IP-).
, .
3. ,
OK.
.
:
IP- IKE

.
,
. ,
.
. 1
.
.
,
.
, IKE.
, :
v IPv4
v IPv6
v
v @
v DN X500
192
AIX 5.3:

.
WSM (Web- )
. WSM (Web- )
:
1.
2.
3.
4.
5.
IKE.
.
.
.
.
IKE
.
IKE SMIT:
IKE
SMIT.
SMIT , IKE XML.
SMIT IKE
XML, IKE. IKE SMIT ,
IKE.
IPv4 smitty ike4. IPv6
smitty ike6. IKE
IP-.
IKE, SMIT, WSM
(Web- ).
IKE :
ikedb , , ,
IKE XML.
ikedb () ()
IKE. XML. XML
(DTD). ikedb DTD,
XML . ,
DTD - -e. DOCTYPE
XML , DOCTYPE
. XML DTD XML.
/usr/samples/ipsec XML, .
ikedb AIX 5L 5.3:
.
ike , IKE. ike
, .
ike AIX 5L 5.3: .
ike, ikedb IKE
:
193
1. ( )
( ), ike :
# ike cmd=activate numlist=1
IP-:
# ike cmd=activate remid=9.3.97.256
# ike cmd=activate ipaddr=9.3.97.100, 9.3.97.256
, .
2. ike:
# ike cmd=list
:
1
2
[1]
[1]
1 2, .
3. ike:
# ike cmd=list verbose
:
1
:
:
:
:
:
:
:
:
:
:
:
:
:
:
. . :
:
:
:
:
1
Fully_Qualified_Domain_Name
bee.austin.ibm.com
Fully_Qualified_Domain_Name
ipsec.austin.ibm.com
BOTH_AGGR_3DES_MD5
3DES-CBC

MD5
28800
0
28737
0
5%
2592000
0
2591937
2
1
:
IPv4_Address
:
10.10.10.1
:
:
:
IPv4_Address
:
10.10.10.4
:
:
:
Oakley_quick
:
ESP_3DES_MD5_SHA_TUNNEL_NO_PFS
:
:
ESP_3DES
AH:
: HMAC-MD5
PFS:
SA:
600
SA:
0
: 562
:
0
. . : 15%
194
AIX 5.3:
:
:
:
P1:
:
:
2592000
0
2591962
0
ESP_tunnel
4. IKE
lsfilt:
# lsfilt -d
:
1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all
packets 0 all
2 *** *** no
0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both no all
packets 0 all
*** ***
0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 500 eq 500 local both no all
packets 0
0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no ah any 0 any 0 both inbound no all
packets 0
0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no esp any 0 any 0 both inbound no all
packets 0
1 permit 10.10.10.1 255.255.255.255 10.10.10.4 255.255.255.255 no all any 0 any
0 both outbound yes all packets 1
1 permit 10.10.10.4 255.255.255.255 10.10.10.1 255.255.255.255 no all any 0 any
0 both inbound yes all packets 1
IKE .
( 2
)
.
. , .
5. #2 yes,
chfilt:
# chfilt -v 4 -n 2 -l y
IKE
. 218.
6. ike:
# ike cmd=remove numlist=1
7. ikedb:
# ikedb -g
8. IKE XML, ,
, ,
ikedb:
# ikedb -pFs peer_tunnel_conf.xml
peer_tunnel_conf.xml - XML, .
9. 1 tunnel_sys1_and_sys2
2 ikedb:
# ikedb -gr -t IKETunnel -n tunnel_sys1_and_sys2
10. ikedb:
# ikedb -d -t IKEPresharedKey
IKE . 192.
ikedb .
195
AIX IKE Linux:

AIX IKE Linux.
IKE AIX Linux (AIX 5.1 ),
ikedb -c ( ), Linux
/etc/ipsec.conf /etc/ipsec.secrets, IKE. ikedb
Linux, XML () XML
IKE. ikedb -g, WSM
(Web- ).
IKE:
,
. ,
.
v ,
. ,
.
.
IKE IKE.
, , - ,
.
. ike.
v ,
.
.
AH ESP. - -.
v
. IP- ,
, , (user@).
KEYID.

- ,
.
AIX 4.3.2, IP
( ), ,
, , -
. . - ,
.
,
. ,
.
. ,
.
,
(CA), .
.
, .
196
AIX 5.3:
AIX 4.3.2 -
. .
:
,
. .
. ,
10.
, .
:

().
:
country=RU ( - ), organization=IJK ( - IJK), lower organization=SERV
( - SERV). :
/C=RU/O=IJK/OU=SERV/CN=petrov.serv.ijk.ru
197
11.
, O=IJK
. OU=AIX, - OU=Acctg.
. CN=Petrov, CN=Nikolaev.

.

: IP-, , ..

.

.

.

, .
:
.
,
.
, , ,
. . -
, ,
. .
:
,
, .
198
AIX 5.3:
,
.
- .
,
.
,
, . ,
- , .
, .
, .
:
, .
.
,
, .
,
. ,
.

.
HTTP LDAP.
. .
IKE,
RSA
CRL. CRL,
.
: , SOCKS
( 4 HTTP) () LDAP. SOCKS LDAP,
,
WSM (Web- ).
CRL .
Internet:
Internet, ,
.
:
(VPN)
( ) -
,
() . ,
, .
, IKE IP.

(, )
.
199
SSL
SSL .
Web- - Web-
Web-, LDAP - LDAP
LDAP, Host-on-Demand V.2 -
. SSL ,
, , .

(, PEM S/MIME)

.
:
,
.
,
.
, , .
, .
, ,
, :
v .
v , ,
.
, -
.
.
:
- , .
gskkm.rte, .
, ,
1, 2, 3, 4, 6 7. WSM (Web- )
IKE ,
RSA.
WSM (Web- ).
VPN certmgr
.
:
:
VPN. IP AIX
*.kdb.
CA:
v RSA Secure Server Certification Authority
200
AIX 5.3:
v
v
v
v
v
Thawte Personal Premium Certification Authority

Thawte Personal Freemail Certification Authority
Thawte Personal Basic Certification Authority
Thawte Personal Server Certification Authority
Thawte Server Certification Authority
v
v
v
v
Verisign Class 1 Public Primary Certification Authority

,
. .
, ,
.
CA.
certmgr :
1. , :
# certmgr
2. .
3. ( CMS) .
4. :
ikekey.kdb
5. :
/etc/security
: ikekey.kbd /etc/security.
IP.
6. . .
7. .
8. ,
? . 60 .
, ? .
9. ,
? .
: IP
.
10. . .
11. OK IBM.
.
CA:
, .
*.arm, :
cert.arm
CA , :
201
1. , :
# certmgr
2. .
3. , CA,
.
4. . ,
IBM. .
, .
5. CA from the list.
6. .
7. , :
ASCII Base64
8.
.
9. .
10. CA, , CA,
OK. . CA
CA.
.
:
CA .
.
:
1. , :
# certmgr
2. .
3. , ,
.
4. . ,
IBM. . ,
.
6. ().
.
7. ,
OK.
, .
8. OK CA. IBM.
.
CA:
, ,
.
:
, .
202
AIX 5.3:
CA , :
1. , :
# certmgr
2. .
3. , CA,
.
4. . ,
. . ,
.
6. . .
7. . IBM.
CA.
.
:
,
. PKCS#10.
.
, :
1. , :
# certmgr
2. .
3. /etc/security/ikekey.kdb, ,
.
4. . ,
IBM. .
, .
5. (AIX 4)
( AIX 5.1).
6. .
7. , :
keytest
8. ( ) , .
.
9. . , IP-
DNS. IP- IP-
. user@FQDN . FQDN
DNS (, ..com).
10. , :
certreq.arm
11. . ,
.
12. . IBM.
.
13. .
.
203
:
, ,
.
, :
1. , :
# certmgr
2. .
3. , ,
.
4. . ,
IBM. .
, .
5. .
6. , .
7. .
ASCII Base64.
8.
.
9. .
10. , :
VPN Branch Certificate
11. . IBM.
.
. , ,
-BEGIN CERTIFICATE- -END
CERTIFICATE-.
:
-----BEGIN CERTIFICATE----ajdkfjaldfwwwwwwwwwwadafdw
kajf;kdsajkflasasfkjafdaff
akdjf;ldasjkf;safdfdasfdas
kaj;fdljk98dafdas43adfadfa
-----END CERTIFICATE-----
, .
:
.
: ,
.
:
1. , :
# certmgr
2. .
3. , , .
4. . ,
IBM. . ,
.
204
AIX 5.3:
5. .
6. . .
7. . IBM.
.
.
:
.
:
1. , :
# certmgr
2. .
3. .
4. ,
? . 60 .
, ? .
5. ,
? .
: IP
.
6. . .
7. OK IBM.
.
IKE, :
IKE, , WSM
(Web- ) .
IKE,
, .
RSA. ( RSA RSA
CRL) " () " WSM (Web-
).
,
. WSM (Web- )
.
IP IKE (
):
v IP-
v (FQDN)
v user@FQDN
v X.500
v
-
WSM (Web- ). IP-, FQDN user@FQDN,
205
WSM (Web- )
.
.
, WSM (Web- )
X.500,
/C=US/O=ABC/OU=SERV/CN=name.austin.ibm.com,
:
v : name.austin.ibm.com
v : IJK
v : SERV
v : RU
X.500 ,
LDAP. .
.
: IP-,
10.10.10.1, :
v : name.austin.ibm.com
v : IJK
v : SERV
v : RU
v IP-: 10.10.10.1
.
:
v X.509.
v - MD5 RSA.
v . :
IP-
(FQDN)
user@FQDN
:
v ( ).
v ( PKCS#10).
. 203.
IKE
(ikekey.kdb).
. 204.
IP :

:
/C=RU/O=IJK/OU=SERV/CN=name.serv.ijk.ru
OU.
206
AIX 5.3:
DN IP-
IP-:
/C=US/O=ABC/OU=SERV/CN=name.austin.ibm.com 10.10.10.1
DN FQDN

:
/C=US/O=ABC/OU=SERV/CN=name.austin.ibm.com bell.austin.ibm.com.
DN user@FQDN

(@--):
/C=US/O=ABC/OU=SERV/CN=name.austin.ibm.com name@austin.ibm.com.
DN
:
/C=US/O=ABC/OU=SERV/CN=name.austin.ibm.com bell.austin.ibm.com, 10.10.10.1
user@name.austin.ibm.com.

IP ,
(NAT).
NAT
Internet .
IP
IP-. ,
, IP
, IP .
NAT IP , ,
, IP.
IP , .
IP NAT VPN
, Internet, NAT.
12. IP NAT
IP NAT
NAT UDP.
IP NAT:
NAT IP
ENABLE_IPSEC_NAT_TRAVERSAL /etc/isakmpd.conf. ,
4500.
207
, ,
ENABLE_IPSEC_NAT_TRAVERSAL.
2:

:

: 0.0.0.0 ()

: 0.0.0.0 ()

: 0.0.0.0 ()

: 0.0.0.0 ()
:
:

: 0 ()

: 4500
:

: 0
3:

:

: 0.0.0.0 ()

: 0.0.0.0 ()

: 0.0.0.0 ()

: 0.0.0.0 ()
:
:

: 4500

: 0 ()
:

: 0
ENABLE_IPSEC_NAT_TRAVERSAL
. IPSEC NAT UDP,
. , 1
. IP-,
IP-.
IP NAT IP
NAT. NAT_KEEPALIVE_INTERVAL
/etc/isakmpd.conf.
NAT. NAT_KEEPALIVE_INTERVAL ,
, 20 .
NAT:
NAT ESP
.
ESP IP,
. ESP , IP.
AH
. , NAT, ,
. 2
AH, 1 NAT,
NO_PROPOSAL_CHOSEN.
, , NAT,
IP- . NAT.
NAT, 2 ,
NO_PROPOSAL_CHOSEN.
208
AIX 5.3:
:
, .
.
.
13.
(SA) IP- 10.1.2.3.

, , .
IP-,
, IP-.
, IP-.
,
,
.

.
:
,
.
.
.
.
, . ,
, ,
, .
:
IP rmdev.
,
mkfilt -d. ,
, .
- DENY. mkfilt -d, ,
lsfilt , ,
. , IP, rmdev.
:
209
WSM (Web- ) ,
SMIT ips4_basic ( IP 4), ips6_basic ( IP 6). ,
.
gentun :
gentun -v 4 -t manual -s 5.5.5.19 -d 5.5.5.8 \
-a HMAC_MD5 -e DES_CBC_8 -N 23567
, ,
lstun -v 4. :

:
IP :
:

:
AH :
ESP:
AH
:
ESP :
SPI AH
:
SPI ESP
:
SPI AH
:
SPI ESP
:
:
:

:
:

:
. ENC-MAC:
. ENC-MAC :
1
IP 4
5.5.5.19
5.5.5.8
/
HMAC_MD5
DES_CBC_8
HMAC_MD5
DES_CBC_8
300
300
23576
23576
480
:
mktun -v 4 -t1
, , .
lsfilt -v 4. :
4:

:

: 5.5.5.19

: 255.255.255.255

: 5.5.5.8

: 255.255.255.255
.
:
:

: 0

: 0
:

: 1
:
5:

210
:
: 5.5.5.8
: 255.255.255.255
: 5.5.5.19
: 255.255.255.255
AIX 5.3:
.
:
:

: 0

: 0
:

: 1
, , mktun -v 4 -t 1.
( )
A, B.
ipsec_tun_manu.exp,
- ipsec_fltr_rule.exp , -f:
exptun -v 4 -t 1 -f /tmp
:
.
:
imptun -v 4 -t 1 -f /tmp
/tmp
. gentun lstun
. ,
, -t .
,
, SPI.
, .
-n:
imptun -v 4 -f /tmp -n
IP
, , ,
, ,
IP-.
. ,
, - .
SPI ,
. , .
, , ,
, , , , .
:
211
v ,
. , , .
.
v , , (
) - IKE.
,
.
v , ,
; , , ah, esp.
.
(-w) genfilt ,
. both, ,
, . AIX IPsec ,
(, ).
, ( ) ,
-w genfilt. , A B,
IP A, B.
IPsec, A, B. , A
B G. G ( )
: ( ipforwarding). ,
A B G, :
v A src addr A, dest addr B,
v B src addr A, dest addr B,
G :
1. src addr A, dest addr B,
2. src addr A, dest addr B,
: src addr A, dest addr B both (
, ). , both
, ipforwarding no. , ,
, A B G. ,
( B A G), .
: both ,
, . , ,
, . , A
A B, both,
A B A . both
, .
,
--. .
IP AIX:
IPFilter - ,
(NAT).
IPFilter 4.1.13, AIX,
, Web- IP Filter (http://coombs.anu.edu.au/
~avalon/). IPFilter AIX 5.3, AIX 5L
5.3 5300-05. installp (ipfl)
.
212
AIX 5.3:
IPFilter AIX (/usr/lib/drivers/ipf).

ipf, ipfs, ipfstat, ipmon ipnat.
:
/usr/lib/methods/cfg_ipf -l
:
/usr/lib/methods/cfg_ipf -u
, ipforwarding.
IPFilter,
, Web- IPFilter (http://coombs.anu.edu.au/~avalon/).
:
.
( 1):
v Rule_number - (1)
v
v
v
v
v
Action - (permit - )
Source_addr - (0.0.0.0)
Source_mask - (0.0.0.0)
Dest_addr - (0.0.0.0)
Dest_mask - (0.0.0.0)
v Source_routing - (no - )
v Protocol - (udp)
v
v
v
v
v
Src_prt_operator - (eq - )
Src_prt_value - (4001)
Dst_prt_operator - (eq - )
Dst_prt_value - (4001)
Scope - (both - )
v Direction - (both - )
v Logging - (no - )
v Fragment - (all packets - )
v Tunnel - (0)
v Interface - (all - ).

1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all
packets 0 all
2 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no ah any 0 any 0 both both no all packets
0 all
3 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no esp any 0 any 0 both both no all packets
0 all
4 permit 10.0.0.1 255.255.255.255 10.0.0.2 255.255.255.255 no all any 0 any 0 both
outbound no all packets 1 all
5 permit 10.0.0.2 255.255.255.255 10.0.0.1 255.255.255.255 no all any 0 any 0 both
inbound no all packets 1 all
213
6 permit 10.0.0.1 255.255.255.255 10.0.0.3 255.255.255.255 no tcp lt 1024 eq 514 local

outbound yes all packets 2 all
7 permit 10.0.0.3 255.255.255.255 10.0.0.1 255.255.255.255 no tcp/ack eq 514 lt 1024
local inbound yes all packets 2 all
8 permit 10.0.0.1 255.255.255.255 10.0.0.3 255.255.255.255 no tcp/ack lt 1024 lt 1024
local outbound yes all packets 2 all
9 permit 10.0.0.3 255.255.255.255 10.0.0.1 255.255.255.255 no tcp lt 1024 lt 1024 local
inbound yes all packets 2 all
10 permit 10.0.0.1 255.255.255.255 10.0.0.4 255.255.255.255 no icmp any 0 any 0 local
11 permit 10.0.0.4 255.255.255.255 10.0.0.1 255.255.255.255 no icmp any 0 any 0 local
12 permit 10.0.0.1 255.255.255.255 10.0.0.5 255.255.255.255 no tcp gt 1023 eq 21 local
13 permit 10.0.0.5 255.255.255.255 10.0.0.1 255.255.255.255 no tcp/ack eq 21 gt 1023 local
14 permit 10.0.0.5 255.255.255.255 10.0.0.1 255.255.255.255 no tcp eq 20 gt 1023 local
15 permit 10.0.0.1 255.255.255.255 10.0.0.5 255.255.255.255 no tcp/ack gt 1023 eq 20 local
16 permit 10.0.0.1 255.255.255.255 10.0.0.5 255.255.255.255 no tcp gt 1023 gt 1023 local
17 permit 10.0.0.5 255.255.255.255 10.0.0.1 255.255.255.255 no tcp/ack gt 1023 gt 1023 local
18 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no all any 0 any 0 both both yes all
packets
:
1
.
IP 4. 4001 .
1 , .
: , .
2 3
AH ESP.
: 2 3, .
214
AIX 5.3:
4 5
, 10.0.0.1
10.0.0.2 1. 4 , 5 - .
: 4 .
6-9
,
rsh, rcp, rdump, rrestore rdist 10.0.0.1 10.0.0.3 2.
yes (),
.
10 11
,
icmp 10.0.0.1 10.0.0.4 3.
12 17
, FTP
10.0.0.1 10.0.0.5 4.
18
, .
, , , .
, , ,
.
( lsfilt);
. :
1:

:

: 0.0.0.0

: 0.0.0.0

: 0.0.0.0

: 0.0.0.0
.
:
:

: eq 4001

: eq 4001
:

: 0
, , :
-v
-a
IP: 4 6.
:
d
-s
-m
-d
-M
-g
-c
-o
-p
. IP- .
.
. IP- .
.
: y () n ().
. : udp, icmp, tcp, tcp/ack, ospf, pip, esp, ah all.
ICMP.
ICMP.
215
ICMP.
ICMP.
:
-O
-P
-r
/ .
b
.
.
-l
n
.
.
-f
,
.

.
.
; , tr0 en0.
h
-t
-i
genfilt chfilt.
:
, IP- , .
:
v , IP4 IKE ( AIX 4.3.3 )
v AH ESP.
, .
,
. .
IKE ,
IKE. IKE ,
, . IKE
, .
, .
.
, IP-
. ,
ICMP.
1 permit 10.0.0.1 255.255.255.255 10.0.0.4
local outbound no all packets 3 all
2 permit 10.0.0.4 255.255.255.255 10.0.0.1
3 permit 10.0.0.4 255.255.255.255 10.0.0.1
4 permit 10.0.0.1 255.255.255.255 10.0.0.4
outbound no all packets 3 all
216
AIX 5.3:
255.255.255.255 no icmp any 8 any 0

255.255.255.255 no icmp any 0 any 0 local
,
. , gentun -g.
genfilt TCP/IP
/usr/samples/ipsec/filter.sample.
:
.
,
ipsec_v4 ipsec_v6. ,
, .
: , ,
.
, IP-
.
IP 4, IP 6.
, . ,
.
- chfilt -l, ,
.
IKE
IP4. , .

. isakmpd,
IKE, ,
IKE, AH ESP.
:
,
.
.
, IP- 10.10.10.4 255.255.255.255
, IP-, :

IP-
1010.1010.1010.0100
10.10.10.4
11111111.11111111.11111111.11111111
255.255.255.255
10.10.10.x 11111111.11111111.11111111.0 255.255.255.0.

,
. , 10.10.10.100
10.10.10.0, .
255.255.255.240 .
--:
217
-- ,

, .
,
. UDP, AH ESP
.
. SPI ,
, .
--. A
14. --
Internet. B C.

, , syslogd. ,
IP.
, .
.
1. /etc/syslog.conf :
local4.debug var/adm/ipsec.log
IP local4.
. IP ,
debug.
:
.
2. /etc/syslog.conf.
3. , , .
/var/adm :
touch ipsec.log
4. refresh syslogd:
refresh -s syslogd
5. IKE isakmpd
/etc/isakmpd.conf. ( IKE
IP . 223.)
6. , ,
, -l Y (Yes)
genfilt chfilt.
7. ipsec_logd :
mkfilt -g start
:
mkfilt -g stop
218
AIX 5.3:
, IP:
1. Aug 27 08:08:40 host1 : Filter logging daemon ipsec_logd (level 2.20)
initialized at 08:08:40 on 08/27/97A
2. Aug 27 08:08:46 host1 : mkfilt: Status of packet logging set to Start
at 08:08:46 on 08/27/97
3. Aug 27 08:08:47 host1 : mktun: Manual tunnel 2 for IPv4, 9.3.97.244, 9.3.97.130
activated.
4. Aug 27 08:08:47 host1 : mkfilt: #:1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
udp eq 4001 eq 4001 both both l=n f=y t=0 e= a=
ah any 0 any 0 both both l=n f=y t=0 e= a=
esp any 0 any 0 both both l=n f=y t=0 e= a=
7. Aug 27 08:08:47 host1 : mkfilt: #:4 permit 10.0.0.1 255.255.255.255 10.0.0.2
255.255.255.255 icmp any 0 any 0 local outbound l=y f=y t=1 e= a=
8. Aug 27 08:08:47 host1 : mkfilt: #:4 permit 10.0.0.2 255.255.255.255 10.0.0.1
255.255.255.255 icmp any 0 any 0 local inbound l=y f=y t=1 e= a=
all any 0 any 0 both both l=y f=y t=0 e= a=
10. Aug 27 08:08:47 host1 : mkfilt: Filter support (level 1.00) initialized at
08:08:47 on 08/27/97
11. Aug 27 08:08:48 host1 : #:6 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.20 p:udp
sp:3327 dp:53 r:l a:n f:n T:0 e:n l:67
12. Aug 27 08:08:48 host1 : #:6 R:p i:10.0.0.1 s:10.0.0.20 d:10.0.0.1 p:udp
sp:53 dp:3327 r:l a:n f:n T:0 e:n l:133
13. Aug 27 08:08:48 host1 : #:6 R:p i:10.0.0.1 s:10.0.0.15 d:10.0.0.1 p:tcp
sp:4649 dp:23 r:l a:n f:n T:0 e:n l:43
14. Aug 27 08:08:48 host1 : #:6 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.15 p:tcp
sp:23 dp:4649 r:l a:n f:n T:0 e:n l:41
15. Aug 27 08:08:48 host1 : #:6 R:p i:10.0.0.1 s:10.0.0.15 d:10.0.0.1 p:tcp
sp:4649 dp:23 r:l a:n f:n T:0 e:n l:40
16. Aug 27 08:08:51 host1 : #:4 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.2 p:icmp
t:8 c:0 r:l a:n f:n T:1 e:n l:84
17. Aug 27 08:08:51 host1 : #:5 R:p i:10.0.0.1 s:10.0.0.2 d:10.0.0.1 p:icmp
t:0 c:0 r:l a:n f:n T:1 e:n l:84
18. Aug 27 08:08:52 host1 : #:4 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.2 p:icmp
t:8 c:0 r:l a:n f:n T:1 e:n l:84
19. Aug 27 08:08:52 host1 : #:5 R:p i:10.0.0.1 s:10.0.0.2 d:10.0.0.1 p:icmp
t:0 c:0 r:l a:n f:n T:1 e:n l:84
20. Aug 27 08:32:27 host1 : Filter logging daemon terminating at 08:32:27 on
08/27/97l
.
1
mkfilt -g start.
, .
4-9
. .
10
11-12
DNS.
13-15
, Telnet ( ).
16-19
ping.
20

. ( isakmpd isakmp_events.)
1. Dec 6 14:34:42 host1 Tunnel Manager: 0: TM is processing a
Connection_request_msg
2. Dec 6 14:34:42 host1 Tunnel Manager: 1: Creating new P1 tunnel object (tid)
219
3. Dec 6 14:34:42 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( SA PROPOSAL

TRANSFORM )
4. Dec 6 14:34:42 host1 isakmpd: ::ffff:192.168.100.103 <<< 192.168.100.104 ( SA
PROPOSAL TRANSFORM )
5. Dec 6 14:34:42 host1 isakmpd: Phase I SA Negotiated
6. Dec 6 14:34:42 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( KE NONCE )
7. Dec 6 14:34:42 host1 isakmpd: ::ffff:192.168.100.103 <<< 192.168.100.104 ( KE
NONCE )
8. Dec 6 14:34:42 host1 isakmpd: Encrypting the following msg to send: ( ID HASH
)
9. Dec 6 14:34:42 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( Encrypted
Payloads )
10. Dec 6 14:34:42 host1 isakmpd: ::ffff:192.168.100.103 <<< 192.168.100.104 (
Encrypted Payloads )
11. Dec 6 14:34:42 host1 Tunnel Manager: 1: TM is processing a P1_sa_created_msg
(tid)
12. Dec 6 14:34:42 host1 Tunnel Manager: 1:
Received good P1 SA, updating P1
tunnel (tid)
13. Dec 6 14:34:42 host1 Tunnel Manager: 0: Checking to see if any P2 tunnels need
to start
14. Dec 6 14:34:42 host1 isakmpd: Decrypted the following received msg: ( ID HASH
)
15. Dec 6 14:34:42 host1 isakmpd: Phase I Done !!!
16. Dec 6 14:34:42 host1 isakmpd: Phase I negotiation authenticated
17. Dec 6 14:34:44 host1 Tunnel Manager: 0: TM is processing a
Connection_request_msg
18. Dec 6 14:34:44 host1 Tunnel Manager: 0: Received a connection object for an
active P1 tunnel
19. Dec 6 14:34:44 host1 Tunnel Manager: 1: Created blank P2 tunnel (tid)
20. Dec 6 14:34:44 host1 Tunnel Manager: 0: Checking to see if any P2 tunnels need
to start
21. Dec 6 14:34:44 host1 Tunnel Manager: 1: Starting negotiations for P2 (P2 tid)
22. Dec 6 14:34:45 host1 isakmpd: Encrypting the following msg to send: ( HASH SA
PROPOSAL TRANSFORM NONCE ID ID )
Payloads )
24. Dec 6 14:34:45 host1 isakmpd: ::ffff:192.168.100.103 <<< 192.168.100.104 (
Encrypted Payloads )
25. Dec 6 14:34:45 host1 isakmpd: Decrypted the following received msg: ( HASH SA
PROPOSAL TRANSFORM NONCE ID ID )
26. Dec 6 14:34:45 host1 isakmpd: Encrypting the following msg to send: ( HASH )
Payloads )
28. Dec 6 14:34:45 host1 isakmpd: Phase II SA Negotiated
29. Dec 6 14:34:45 host1 isakmpd: PhaseII negotiation complete.
30. Dec 6 14:34:45 host1 Tunnel Manager: 0: TM is processing a P2_sa_created_msg
31. Dec 6 14:34:45 host1 Tunnel Manager: 1: received p2_sa_created for an existing
tunnel as initiator (tid)
32. Dec 6 14:34:45 host1 Tunnel Manager: 1: Filter::AddFilterRules: Created filter
rules for tunnel
33. Dec 6 14:34:45 host1 Tunnel Manager: 0: TM is processing a List_tunnels_msg
.
1-2
ike cmd=activate phase=1 .
3-10
isakmpd .
11-12
1 .
13
, ike cmd=activate 2 (
). .
14-16
isakmpd .
17-21
ike cmd=activate phase=2 .
22-29
isakmpd .
220
AIX 5.3:
30-31
2 .
32
33
ike cmd=list.
:
DASD
.
#
R
, .

p
i/o
. IP- , :
v (i) - , .
s
d
p
sp/t
dp/c
r
l
f
T
i
v (o) - , IP .
IP- ( IP).
IP- ( IP).
, .
, : udp, icmp, tcp, tcp/ack, ospf, pip, esp, ah all.
( TCP/UDP). ICMP OSPF
t, IP.
( TCP/UDP). ICMP
c, IP.
, .
, .
f
b
,
.
, .
.
, .
Internet-:
Internet- SYSLOG
isakmpd.
isakmpd ike cmd=log.
/etc/isakmpd.conf log_level.
, ,
: none (), errors (), isakmp_events ( isakmp) information ().
, ,
:
log_level=INFORMATION
: AIX 5.1 , isakmpd .

/etc/isakmpd.conf.
isakmpd : , .
, .
221
, , isakmpd
. , , tmd
SYSLOG. , , SYSLOG.
, /etc/syslog.conf.
SYSLOG , , ,
. googly isakmpd:
Nov
Nov
Nov
Nov
Nov
20
20
20
20
20
09:53:50
09:53:50
09:53:51
09:53:51
09:53:51
googly
googly
googly
googly
googly
isakmpd: ISAKMP_MSG_HEADER
isakmpd: Icookie : 0xef06a77488f25315, Rcookie :0x0000000000000000
isakmpd: Next Payload : 1(SA), Maj Ver : 1, Min Ver : 0
isakmpd: Xchg Type : 2 (ID protected), Flag= 0, Encr : No,COMMIT : No
isakmpd: Msg ID : 0x00000000
grep
(, isakmpd), cut.
/etc/isakmpd.conf:
isakmpd /etc/isakmpd.conf.
/etc/isakmpd.conf .

, . .
IKE .
: none | error | isakmp_events | information
:
none
. .
error
(API).
isakmp_events
IKE. .
information
.
IP-
YES NO. YES
IKE IP- 1. YES,
. IP-
IP-, .
NO.
IKE IP-
1. ,
. IP-
.
, NO.
: MAIN_MODE_REQUIRES_IP= YES | NO
SOCKS4
SOCKS4_PORTNUM . ,
SOCKS 1080. SOCKS HTTP.
: = ,
:
SOCKS4_SERVER= -
222
AIX 5.3:
SOCKS4_PORTNUM= SOCKS
SOCKS4_USERID=
LDAP
: = ,
:
LDAP_SERVER= LDAP
LDAP_VERSION= LDAP (2 3)
LDAP_SERVERPORT= LDAP
LDAP_SEARCHTIME= -
CRL
HTTP LDAP, .
CRL_FETCH_ORDER . , - HTTP,
LDAP, HTTP, LDAP.
: CRL_FETCH_ORDER= #, #,
# HTTP LDAP.
IP
,
.
IPSec .
. (
. 218.)
:
.
:
mktun :
insert_tun_man4(): : .
: , , , SPI.
: rmtun , mktun . ,
SPI , .
SPI.
mktun :
ipsec_v4 .
IP 4 .
: IP .
: :
mkdev -l ipsec -t 4
IP 6, -t 6.
. IP
:
lsdev -Cc ipsec
223
gentun :
IP-.
: IP-.
: IP 4 , IP- 4 .
;
.
IP 6 , IP- . netstat -in

IP- 6, /usr/sbin/autoconf6 ()
( MAC) ifconfig.
gentun :
IP-.
: IP-.
: IP 4 , IP- 4 .
;
.
IP 6 , IP- . netstat -in

IP- 6, /usr/sbin/autoconf6 ()
( MAC) ifconfig.
mktun :
insert_tun_man4(): : .
: ESP AH,
.
: , . ,
HMAC_MD5 HMAC_SHA .
SMIT ips4_basic -z chtun. ,
DES_CBC_4 .
IP WSM (Web- ) .
: IP.
: ps -ef . IP
:
v tmd
v isakmpd
v cpsd
cpsd , (
gskit.rte gskkm.rte)
.
, IP WSM (Web- ).
.
IP :
bos.crypto.
: bos.net.ipsec.* , bos.crypto.*
.
: bos.crypto.* , bos.net.ipsec.*
Internet- (IKE):
, IKE.
IKE:
224
AIX 5.3:
Internet- (IKE).
IKE ike VPN WSM (Web- );
:
12. , IKE.
tmd
isakmpd
IKE.
cpsd
Proxy .
IKE tmd isakmpd . IP

, .
WSM (Web- ).
isakmpd.
(, ),
. ,
, .
ike cmd=list. syslog debug,
event information, .
:
1. WSM (Web- ) ike.
2. tmd isakmpd
( ).
3. isakmpd SA .
4. tmd isakmpd
( ).
5. isakmpd SA .
6. .
7. .
, isakmpd tmd
.
3 7
tmd.
:
(SA) IKE.
,
.

/etc/isakmpd.conf. /etc/isakmpd.conf
:
information
IKE
IKE. SA Payload, Key Exchange Payload, Certificate Request Payload,
Certificate Payload Signature Payload. ,
ISAKMP_MSG_HEADER :
225
ISAKMP_MSG_HEADER
Icookie : 0x9e539a6fd4540990, Rcookie : 0x0000000000000000
Next Payload : 1(SA), Maj Ver : 1, Min Ver : 0
Xchg Type : 4 (Aggressive), Flag= 0, Encr : No,COMMIT : No
Msg ID : 0x00000000
len
: 0x10e(270)
SA Payload:
Next Payload : 4(Key Exchange), Payload len : 0x34(52)
DOI
: 0x1(INTERNET)
bitmask
: 1(SIT_IDENTITY_ONLY
Proposal Payload:
Next Payload : 0(NONE), Payload len : 0x28(40)
Proposal # : 0x1(1), Protocol-ID : 1(ISAKMP)
SPI size : 0x0(0), # of Trans : 0x1(1)
Transform Payload:
Trans # : 0x1(1), Trans.ID : 1(KEY_IKE)
Attr : 1(Encr.Alg
), len=0x2(2)
Value=0x1(1),(DES-cbc)
Attr : 2(Hash Alg
), len=0x2(2)
Value=0x1(1),(MD5)
Attr : 3(Auth Method ), len=0x2(2)
Value=0x3(3),(RSA Signature)
Attr : 4(Group Desc
), len=0x2(2)
Value=0x1(1),(default 768-bit MODP group)
Attr : 11(Life Type
), len=0x2(2)
Value=0x1(1),(seconds)
Attr : 12(Life Duration), len=0x2(2)
Value=0x7080(28800)
Key Payload:
Next Payload : 10(Nonce), Payload len : 0x64(100)
Key Data
33 17 68
a0 e1 1f
9f 13 62
8a 59 97
d9 8b 39
ab d3 5a
:
10
42
aa
1f
d1
39
91
c2
27
3b
cb
7d
1f
10
d8
1c
39
67
ea
aa
e5
08
c2
5b
da
8d
52
3e
a4
a6
38
9d
8d
2a
05
2e
a0
14
5c
55
8d
37
22
0f
c3
9b
2d
d3
2d
58
cf
3c
a1
07
84
3e
d5
50
98
e6
a3
c4
45
cc
74
98
5d
ec
1a
82
7d
1a
5d
a3
79
2c
95
6b
Nonce Payload:
Next Payload : 5(ID), Payload len : 0xc(12)
Nonce Data:
6d 21 73 1d dc 60 49 93
ID Payload:
Next Payload : 7(Cert.Req), Payload len : 0x49(73)
ID type
: 9(DER_DN), Protocol : 0, Port = 0x0(0)
Certificate Request Payload:
Certificate Encoding Type: 4(X.509 Certificate - Signature)
( Next Payload) .
IKE, Next Payload (None).
,
. , SA Payload Proposal Payload Transform Payload, ,
, , ,
, SA.
, SA Payload Proposal Payload
Transform Payload. Next Payload Proposal Payload 0,
Proposal Payload, 2,
Proposal Payload. , Next Payload Transform Payload 0,
226
AIX 5.3:
Transform Payload, 3,
Transform Payload, :
ISAKMP_MSG_HEADER
Icookie : 0xa764fab442b463c6, Rcookie : 0x0000000000000000
Next Payload : 1(SA), Maj Ver : 1, Min Ver : 0
Xchg Type : 2 (ID protected), Flag= 0, Encr : No,COMMIT : No
Msg ID : 0x00000000
len
: 0x70(112)
SA Payload:
DOI
: 0x1(INTERNET)
bitmask
: 1(SIT_IDENTITY_ONLY
Proposal Payload:
Proposal # : 0x1(1), Protocol-ID : 1(ISAKMP)
SPI size : 0x0(0), # of Trans : 0x2(2)
Transform Payload:
Next Payload : 3(Transform), Payload len : 0x20(32)
Attr : 1(Encr.Alg
), len=0x2(2)
Value=0x5(5),(3DES-cbc)
Attr : 2(Hash Alg
), len=0x2(2)
Value=0x1(1),(MD5)
Value=0x1(1),(Pre-shared Key)
Attr : 4(Group Desc
), len=0x2(2)
Attr : 11(Life Type
), len=0x2(2)
Value=0x7080(28800)
Transform Payload:
Attr : 1(Encr.Alg
), len=0x2(2)
Value=0x1(1),(DES-cbc)
Attr : 2(Hash Alg
), len=0x2(2)
Value=0x1(1),(MD5)
Value=0x1(1),(Pre-shared Key)
Attr : 4(Group Desc
), len=0x2(2)
Attr : 11(Life Type
), len=0x2(2)
Value=0x7080(28800)
IKE Parse Payload ( ),

, ..
Certificate Request Payload .
. Certificate Payload
Signature Payload, SA.
.
ISAKMP_MSG_HEADER
Icookie : 0x9e539a6fd4540990, Rcookie : 0xc7e0a8d937a8f13e
Next Payload : 6(Certificate), Maj Ver : 1, Min Ver : 0
Xchg Type : 4 (Aggressive), Flag= 0, Encr : No,COMMIT : No
Msg ID : 0x00000000
len
: 0x2cd(717)
Certificate Payload:
Next Payload : 9(Signature), Payload len : 0x22d(557)
Certificate Encoding Type: 4(X.509 Certificate - Signature)
227
Certificate: (len 0x227(551) in bytes

82 02 24 30 82 01 8d a0 03 02 01 02 02 05 05 8e
fb 3e ce 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04
05 00 30 5c 31 0b 30 09 06 03 55 04 06 13 02 46
49 31 24 30 22 06 03 55 04 0a 13 1b 53 53 48 20
43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 20 53
65 63 75 72 69 74 79 31 11 30 0f 06 03 55 04 0b
13 08 57 65 62 20 74 65 73 74 31 14 30 12 06 03
55 04 03 13 0b 54 65 73 74 20 52 53 41 20 43 41
30 1e 17 0d 39 39 30 39 32 31 30 30 30 30 30 30
5a 17 0d 39 39 31 30 32 31 32 33 35 39 35 39 5a
30 3f 31 0b 30 09 06 03 55 04 06 13 02 55 53 31
10 30 0e 06 03 55 04 0a 13 07 49 42 4d 2f 41 49
58 31 1e 30 1c 06 03 55 04 03 13 15 62 61 72 6e
65 79 2e 61 75 73 74 69 6e 2e 69 62 6d 2e 63 6f
6d 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01
01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b2 ef
48 16 86 04 7e ed ba 4c 14 d7 83 cb 18 40 0a 3f
55 e9 ad 8f 0f be c5 b6 6d 19 ec de 9b f5 01 a6
b9 dd 64 52 34 ad 3d cd 0d 8e 82 6a 85 a3 a8 1c
37 e4 00 59 ce aa 62 24 b5 a2 ea 8d 82 a3 0c 6f
b4 07 ad 8a 02 3b 19 92 51 88 fb 2c 44 29 da 72
41 ef 35 72 79 d3 e9 67 02 b2 71 fa 1b 78 13 be
f3 05 6d 10 4a c7 d5 fc fe f4 c0 b8 b8 fb 23 70
a6 4e 16 5f d4 b1 9e 21 18 82 64 6d 17 3b 02 03
01 00 01 a3 0f 30 0d 30 0b 06 03 55 1d 0f 04 04
03 02 07 80 30 0d 06 09 2a 86 48 86 f7 0d 01 01
04 05 00 03 81 81 00 75 a4 ee 9c 3a 18 f2 de 5d
67 d4 1c e4 04 b4 e5 b8 5e 9f 56 e4 ea f0 76 4a
d0 e4 ee 20 42 3f 20 19 d4 25 57 25 70 0a ea 41
81 3b 0b 50 79 b5 fd 1e b6 0f bc 2f 3f 73 7d dd
90 d4 08 17 85 d6 da e7 c5 a4 d6 9a 2e 8a e8 51
7e 59 68 21 55 4c 96 4d 5a 70 7a 50 c1 68 b0 cf
5f 1f 85 d0 12 a4 c2 d3 97 bf a5 42 59 37 be fe
9e 75 23 84 19 14 28 ae c4 c0 63 22 89 47 b1 b6
f4 c7 5d 79 9d ca d0
Signature Payload:
Signature: len
9d 1b 0d 90 be
b4 ca a2 85 0f
5c b6 9c e2 a5
e3 a2 87 f4 7c
7d b4 8c 4e 19
f0 5a 81 58 2e
4d 19 7e e0 e7
5b cb 07 ea 36
0x80(128) in bytes
aa dc 43 95 ba 65 09
15 9e 3e 8d 5f e1 f0
64 f4 ef 0b 31 c3 cb
9d 20 49 b2 39 00 fa
3a b8 70 90 88 2c cf
15 40 37 b7 c8 d6 8c
c7 c2 93 42 89 46 6b
e5 82 9d 70 79 9a fe
b9
43
48
8e
89
5c
5f
bd
00
98
7c
bf
69
e2
f8
6c
6d
69
d8
d9
5d
50
8b
86
67
d8
30
b0
07
c3
7d
36
:
,
.
228
AIX 5.3:
cpsd ( Proxy ). , :
Sep 21 16:02:00 ripple CPS[19950]: Init():LoadCaCerts() failed, rc=-12
: .
: , /etc/security .
: ikekey.crl, ikekey.kdb, ikekey.rdb ikekey.sth.
ikekey.sth, , .
IP . (
.)
:
Base64
: , .
: 'DER' .
, BEGIN CERTIFICATE END CERTIFICATE, .
-----BEGIN CERTIFICATE----MIICMTCCAZqgAwIBAgIFFKZtANowDQYJKoZIhvcNAQEFBQAwXDELMAkGA1UEBhMC
RkkxJDAiBgNVBAoTG1NTSCBDb21tdW5pY2F0aW9ucyBTZWN1cml0eTERMA8GA1UE
CxMIV2ViIHRlc3QxFDASBgNVBAMTC1Rlc3QgUlNBIENBMB4XDTk5MDkyMTAwMDAw
MFoXDTk5MTAyMTIzNTk1OVowOzELMAkGA1UEBhMCVVMxDDAKBgNVBAoTA0lCTTEe
MBwGA1UEAxMVcmlwcGxlLmF1c3Rpbi5pYm0uY29tMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQC5EZqo6n7tZrpAL6X4L7mf4yXQSm+m/NsJLhp6afbFpPvXgYWC
wq4pvOtvxgum+FHrE0gysNjbKkE4Y6ixC9PGGAKHnhM3vrmvFjnl1G6KtyEz58Lz
BWW39QS6NJ1LqqP1nT+y3+Xzvfv8Eonqzno8mglCWMX09SguLmWoU1PcZQIDAQAB
oyAwHjALBgNVHQ8EBAMCBaAwDwYDVR0RBAgwBocECQNhhzANBgkqhkiG9w0BAQUF
AOBgQA6bgp4Zay34/fyAlyCkNNAYJRrN3Vc4NHN7IGjUziN6jK5UyB5zL37FERW
hT9ArPLzK7yEZs+MDNvB0bosyGWEDYPZr7EZHhYcoBP4/cd0V5rBFmA8Y2gUthPi
Ioxpi4+KZGHYyLqTrm+8Is/DVJaQmCGRPynHK35xjT6WuQtiYg==
-----END CERTIFICATE---- .
v , .
v ASN.1, Internet, .
:
.
: .
: .
IKE WSM (Web- ) :
171 ( ):
PUT_IRL_FAILED
: , IKE
. ,
, . ,
X500,
.
: , .
IKE , :
inet_cert_service::channelOpen():clientInitIPC():error,rc =2
( )
: cpsd .
: IP WSM (Web- ).
.
229
IKE , :
CertRepo::GetCertObj:
DN:
("/C=US/O=IBM/CN=ripple.austin.ibm.com")
: IKE (DN) X.500, DN X.500,

.
: IKE WSM (Web- ) ,

.
IKE WSM (Web- )
.
: RSA.
: , RSA. ,
IKE IBM_low_CertSig.
:
.
, .
IP SMIT
IP. : , , ,
, , /, ,
.
. ,
.
. ,
. SMIT smit ips4_tracing (
IPv4) smit ips6_tracing ( IPv6).
ipsecstat:
ipsecstat ,
IP Security packets.
ipsecstat , , IP ,
,
.
IP.
IP:
ipsec_v4
ipsec_v6
:
HMAC_MD5 -- Hashed MAC MD5 Authentication Module
HMAC_SHA -- Hashed MAC SHA Hash Authentication Module
KEYED_MD5 -- Keyed MD5 Hash Authentication Module
:
CDMF -- CDMF Encryption Module
DES_CBC_4 -- DES CBC 4 Encryption Module
DES_CBC_8 -- DES CBC 8 Encryption Module
3DES_CBC -- Triple DES CBC Encryption Module
IP : 1106
AH: 326
ESP: 326
Srcrte: 0
: 844
230
AIX 5.3:
AH: 527
ESP: 527
: 12
: 12
AH: 0
ESP: 0
AH: 0
ESP: 0
: 0
: 0
: 7
: 0
: 6
: AIX 4.3.2, CDMF ,

DES. , CDMF,
DES Triple DES.
IP
IP. ,
IKE.
:
.
ike cmd=activate
ike cmd=remove
ike cmd=list
ikedb
gentun
mktun
chtun
rmtun
lstun
exptun
imptun
genfilt
mkfilt
mvfilt
chfilt
rmfilt
lsfilt
expfilt
impfilt
ipsec_convert
ipsecstat
ipsectrcbuf
unloadipsec
IKE ( AIX 4.3.3 ).

IKE ( AIX 4.3.3 )
IKE ( AIX 4.3.3 )
IKE ( AIX 5.1
)

IP
IP
IP

:
.
231
defipsec
cfgipsec
ucfgipsec
IP IP 4 6
ipsec_v4 ipsec_v6
ipsec_v4 ipsec_v6
IP:
IKE, AIX 4.3 AIX 5.2.
IKE:
AIX 4.3 :
1. bos.net.ipsec.keymgt.pre_rm.sh. /tmp
:
a. p2proposal.bos.net.ipsec.keymgt
b. p1proposal.bos.net.ipsec.keymgt
c. p1policy.bos.net.ipsec.keymgt
d. p2policy.bos.net.ipsec.keymgt
e. p1tunnel.bos.net.ipsec.keymgt
f. p2tunnel.bos.net.ipsec.keymgt
: .
.
,
bos.net.ipsec.keymgt.pre_rm.sh . 233.
2. , , /tmp/lpplevel - ,
, - .
:
.
IKE .
,
AIX 5.2:
1. ikedb -g, :
ikedb -g > out.keys
2. out.keys FORMAT=ASCII
FORMAT=HEX.
3. XML :
ikedb -pF out.keys
:
.
1. /tmp SMIT,
:
a. smitty ipsec4.
b. IP>
IP> IP.
c. /tmp.
d. F4 .
232
AIX 5.3:
e. Enter, /tmp/ipsec_fltr_rule.exp
.
, AIX 4.3 AIX 5.2.
2. , , /tmp/lpplevel
/tmp/ipsec_fltr_rule.exp /tmp .
3. bos.net.ipsec.keymgt.post_i.sh
.
4.
ikedb -g, .
: , ,
*.loaded /tmp .
AIX 5.2 . lsfilt

:
ipv4
:
1. AIX 5.2 ipsec_filter ipsec_filter.vc /etc/security
. ,
IBM.
2. /tmp SMIT,
:
a. smitty ipsec4.
b. IP>
IP> IP.
c. /tmp.
d. F4 .
e. Enter.
SMIT lsfilt.
bos.net.ipsec.keymgt.pre_rm.sh:
bos.net.ipsec.keymgt.pre_rm.sh ,
AIX 4.3.
#!/usr/bin/ksh
keymgt_installed=`lslpp -Lqc bos.net.ipsec.keymgt 2>/dev/null | awk -F: '{print $6}' | head -1`
if [ ! "$keymgt_installed" ]
then
exit 0
fi
#
if [ -d /etc/ipsec/inet/DB ]
then
cp -R /etc/ipsec/inet/DB /etc/ipsec/inet/DB.sav || exit $?
fi
# ,
VRM=$(LANG=C lslpp -Lqc bos.net.ipsec.keymgt 2>/dev/null | awk -F: '{print $3}' | \
awk -F. '{print $1"."$2"."$3}')
VR=${VRM%.*}
echo $VRM > /tmp/lpplevel
IKEDB=$(which ikedb) || IKEDB=/usr/sbin/ikedb
233
XMLFILE=/tmp/full_ike_database.bos.net.ipsec.keymgt
PSKXMLFILE=/tmp/psk_ike_database.bos.net.ipsec.keymgt
# , ikedb.
if [ -f $IKEDB ]
then
#
#
#
#
# - ikedb , .
# ( ) .
post_i .
IKE , ,

.
$IKEDB -g > $XMLFILE

if [ $? -ne 0 ]
then
rm -f $XMLFILE || exit $?
fi
if [[ $VR = "5.1" ]]; then
# . 5.1 ikedb ,
# .
# .
$IKEDB -g -t IKEPresharedKey > $PSKXMLFILE
if [ $? -ne 0 ]
then
rm -f $PSKXMLFILE || exit $?
fi
fi
# ikegui
elif [ -f /usr/sbin/ikegui ]
then
# /tmp
/usr/sbin/ikegui 0 1 0 0 > /tmp/p1proposal.bos.net.ipsec.keymgt 2>/dev/null
RC=$?
if [[ $RC -ne 0 ]]
then
rm -f /tmp/p1proposal.bos.net.ipsec.keymgt || exit $?
fi
/usr/sbin/ikegui 0 1 1 0 > /tmp/p1policy.bos.net.ipsec.keymgt 2>/dev/null
RC=$?
if [[ $RC -ne 0 ]]
then
rm -f /tmp/p1policy.bos.net.ipsec.keymgt || exit $?
fi
/usr/sbin/ikegui 0 2 0 0 > /tmp/p2proposal.bos.net.ipsec.keymgt 2>/dev/null
RC=$?
if [[ $RC -ne 0 ]]
then
rm -f /tmp/p2proposal.bos.net.ipsec.keymgt || exit $?
fi
/usr/sbin/ikegui 0 2 1 0 > /tmp/p2policy.bos.net.ipsec.keymgt 2>/dev/null
RC=$?
if [[ $RC -ne 0 ]]
then
rm -f /tmp/p2policy.bos.net.ipsec.keymgt || exit $?
fi
/usr/sbin/ikegui 0 1 2 0 > /tmp/p1tunnel.bos.net.ipsec.keymgt 2>/dev/null
RC=$?
if [[ $RC -ne 0 ]]
234
AIX 5.3:
then
rm -f /tmp/p1tunnel.bos.net.ipsec.keymgt || exit $?
fi
/usr/sbin/ikegui 0 2 2 0 > /tmp/p2tunnel.bos.net.ipsec.keymgt 2>/dev/null
RC=$?
if [[ $RC -ne 0 ]]
then
rm -f /tmp/p2tunnel.bos.net.ipsec.keymgt || exit $?
fi
fi
bos.net.ipsec.keymgt.post_i.sh:
bos.net.ipsec.keymgt.post_i.sh
AIX 5.2.
#!/usr/bin/ksh
function
echo
echo
echo
echo
echo
}
PrintDot {
"echo \c"
"\".\c"
"\\\c\c"
"\"\c"
function P1PropRestore {
while :
do
read NAME
read MODE
if [[ $? = 0 ]]; then
echo "ikegui 1 1 0 $NAME $MODE \c"
MORE=1
while [[ $MORE = 1 ]];
do
read AUTH
read HASH
read ENCRYPT
read GROUP
read TIME
read SIZE
read MORE
echo "$AUTH $HASH $ENCRYPT $GROUP $TIME $SIZE $MORE \c"
done
echo " > /dev/null 2>&1"
PrintDot
else
return 0
fi
done
}
function P2PropRestore {
while :
do
read NAME
FIRST=yes
MORE=1
do
read PROT
if [[ $? = 0 ]]; then
read AH_AUTH
read ESP_ENCR
235
read ESP_AUTH
read ENCAP
read TIME
read SIZE
read MORE
if [[ $FIRST = "yes" ]]; then
echo "ikegui 1 2 0 $NAME $MODE \c"
fi
echo "$PROT $AH_AUTH $ESP_ENCR $ESP_AUTH \
$ENCAP $TIME $SIZE $MORE \c"
FIRST=no
else
return 0
fi
done
PrintDot
done
}
function P1PolRestore {
while :
do
read NAME
read ROLE
if [[ $? = 0 ]]; then
read TIME
read SIZE
read OVERLAP
read TTIME
read TSIZE
read MIN
read MAX
read PROPOSAL
echo "ikegui 1 1 1 $NAME $ROLE $OVERLAP $TTIME $TSIZE \
$MIN $MAX 1 0 0 $PROPOSAL > \
/dev/null 2>&1"
PrintDot
else
return 0
fi
done
}
function P2PolRestore {
while :
do
read NAME
read ROLE
if [[ $? = 0 ]]; then
read IPFS
read RPFS
read TIME
read SIZE
read OVERLAP
read TTIME
read TSIZE
read MIN
read MAX
echo "ikegui 1 2 1 $NAME $ROLE $IPFS $RPFS \
$OVERLAP $TTIME $TSIZE $MIN $MAX 1 0 0 \c"
MORE=1
do
read PROPOSAL
read MORE
echo "$PROPOSAL $MORE \c"
236
AIX 5.3:
FIRST=no
done
else
return 0
fi
PrintDot
done
}
function P1TunRestore {
while :
do
read TUNID
read NAME
if [[ $? = 0 ]]; then
read LID_TYPE
read LID
if [[ $LPPLEVEL = "4.3.3" ]]; then
read LIP
fi
read RID_TYPE
read RID
read RIP
read POLICY
read KEY
read AUTOSTART
echo "ikegui 1 1 2 0 $NAME $LID_TYPE \"$LID\" \
$LIP $RID_TYPE \"$RID\" \
$RIP $POLICY $KEY $AUTOSTART > /dev/null 2>&1"
PrintDot
else
return 0
fi
done
}
function P2TunRestore {
while :
do
read TUNID
read NAME
if [[ $? = 0 ]]; then
read P1TUN
read LTYPE
read LID
read LMASK
read LPROT
read LPORT
read RTYPE
read RID
read RMASK
read RPROT
read RPORT
read POLICY
read AUTOSTART
echo "ikegui 1 2 2 0 $NAME $P1TUN $LTYPE $LID \
$LMASK $LPROT $LPORT $RTYPE
\$RID $RMASK $RPROT $RPORT $POLICY $AUTOSTART \
> /dev/null 2>&1"
PrintDot
else
return 0
fi
done
}
237
function allRestoreWithIkedb {
ERRORS=/tmp/ikedb_msgs.bos.net.ipsec.keymgt
echo > $ERRORS
$IKEDB -p $XMLFILE 2>> $ERRORS
if [ -f $PSKXMLFILE ]
then
$IKEDB -p $PSKXMLFILE 2>> $ERRORS
fi
}
P1PROPFILE=/tmp/p1proposal.bos.net.ipsec.keymgt
P2PROPFILE=/tmp/p2proposal.bos.net.ipsec.keymgt
P1POLFILE=/tmp/p1policy.bos.net.ipsec.keymgt
P2POLFILE=/tmp/p2policy.bos.net.ipsec.keymgt
P1TUNFILE=/tmp/p1tunnel.bos.net.ipsec.keymgt
P2TUNFILE=/tmp/p2tunnel.bos.net.ipsec.keymgt
XMLFILE=/tmp/full_ike_database.bos.net.ipsec.keymgt
PSKXMLFILE=/tmp/psk_ike_database.bos.net.ipsec.keymgt
CMD_FILE=/tmp/commands
IKEDB=$(which ikedb) || IKEDB=/usr/sbin/ikedb
echo "building ISAKMP database \n"
$IKEDB -x || exit $?
if [ -f $XMLFILE ]; then
echo "\nRestoring database entries\c"
allRestoreWithIkedb
echo "\ndone\n"
elif [ -f /tmp/*.bos.net.ipsec.keymgt ]; then
echo "\nRestoring database entries\c"
LPPLEVEL=`cat /tmp/lpplevel`
echo > $CMD_FILE
touch $P1PROPFILE; P1PropRestore
touch $P2PROPFILE; P2PropRestore
touch $P1POLFILE; P1PolRestore <
touch $P2POLFILE; P2PolRestore <
touch $P1TUNFILE; P1TunRestore <
touch $P2TUNFILE; P2TunRestore <
mv
mv
mv
mv
mv
mv
< $P1PROPFILE
< $P2PROPFILE
$P1POLFILE >>
$P2POLFILE >>
$P1TUNFILE >>
$P2TUNFILE >>
>> $CMD_FILE
>> $CMD_FILE
$CMD_FILE
$CMD_FILE
$CMD_FILE
$CMD_FILE
$P1PROPFILE ${P1PROPFILE}.loaded
$P2PROPFILE ${P2PROPFILE}.loaded
$P1POLFILE ${P1POLFILE}.loaded
$P2POLFILE ${P2POLFILE}.loaded
$P1TUNFILE ${P1TUNFILE}.loaded
$P2TUNFILE ${P2TUNFILE}.loaded
ksh $CMD_FILE
echo "done\n"
fi
NIS NIS+
NIS+ NIS+ namespace.
. ,
.

,
, , ,
. RPC .
238
AIX 5.3:
:

.

.
Root
root root.
RPC
NIS+, 2 ( ),
NIS+ NIS+ (, , ,
, ..) NIS+ RPC.
RPC RPC.
, RPC .
, ,
. ( RPC .
Administering NIS+ Credentials
AIX 5L 5.3: (NIS NIS+).)
RPC
. ,
,
RPC.
NIS+.
NIS+, NIS,
RPC ,
NIS+ , ,
(.. ,
RPC).
, NIS+,
, , . (
RPC,
.
. 244.)
NIS+
Administering NIS+ Credentials AIX 5L 5.3:
(NIS NIS+).

, ,
, , ,
.
NIS+
NIS+ , ,
NIS+ .
NIS+.
NIS+ Administering
NIS+ Access Rights AIX 5L 5.3: (NIS NIS+).
239
NIS+
NIS+, , ,

.
NIS+
. NIS+ ,
.
NIS+ :
NIS+.
( ) NIS+ RPC
. ( , .
, - RPC
, NIS+
.
RPC. . Administering NIS+ Credentials AIX 5L
5.3: (NIS NIS+).)

.
NIS+ NIS+ (, ,
). NIS+ NIS+
NIS+ , , . ,
passwd,
,
.
, NIS+
, - ,
.
. (
. 244.)
, root A,
su ,
B, NIS+ NIS+ .
, NIS+
NIS+ , .
NIS+ root
, .
NIS+.
240
AIX 5.3:
15. NIS+
1.
2.
3.
4.
/ NIS+ NIS+.
, .
.
.
5. , .
6. , ,
.
NIS+:
NIS+ - , NIS+.
NIS+ ,
root, , root NIS+.
, NIS+ .
, NIS+ , NIS+ NIS+.
NIS+ NIS+,
.
NIS+:
NIS+ . ,
.
NIS+ 2. 0
, .
.
: WSM (Web- ),
SMIT passwd .
241
NIS+

0 NIS+.
NIS+, 0, NIS+
NIS+ . 0
. 0
.
1 AUTH_SYS. NIS+
.
2 . ,
NIS+; ,
Data Encryption Standard (DES). DES
, .
DES .
DES ,
. ( , : ,
, ; ;
..)
NIS+
NIS+ , NIS+
NIS+.
NIS+ credential
RPC.
.
, , root ,
su ,
, NIS+ NIS+ .
: NIS+
NIS+ , . NIS+
root ,
.
NIS+.
( NIS+ . 244.)
:

, , :

NIS+ ,
NIS+ .

NIS+ root,
.
DES :
NIS+ DES .
DES:
242
AIX 5.3:
Data Encryption Standard (DES) .

NIS+ NIS+,
DES.
: DES - .
DES NIS+.
NIS+ NIS+,
. DES
, NIS+.
Administering NIS+ Credentials AIX 5L
5.3: (NIS NIS+).
v NIS+ DES ,
.
v , .
,
DES. ( DES
.)
v DES cred ,
, .
:
- NIS+,
.
, ,
, DES.
DES .
, ,
. , NIS+
DES.
, DES
. .
.
16.
DES. .
.
.
cred
. ,
243
, NIS+
DES. , .
:
,
DES.
root NIS+ root ,
(UID) root . root (UID=0) A
B root,
root (UID=0) B.
; .
NIS+
NIS+ - NIS+
NIS+.
, NIS+, NIS+
. , ,
NIS+, . ,
.
: , , .
: , , .
:
NIS+ NIS+.
NIS+ :
, , .
NIS+ . , ,
NIS+. , ,
. ( ,
NIS+, .)
NIS+ . 245.
NIS+, . ( ,
, .)
, .
:
244
AIX 5.3:
17.
. , , ,
, , , - .
NIS+,
.
. ,
, , ,
.
, , , , , - .
:
:
NIS+.
, NIS+,
( DES).
.
:
v (. Administering NIS+ Access Rights AIX
5L 5.3: (NIS NIS+)).
v (. Administering NIS+ Access Rights
AIX 5L 5.3: (NIS NIS+)).
,
, .
:
NIS+. ( , NIS+,
.)
245
, NIS+,
( DES)
.
NIS+ - NIS+,
. , NIS+,
. ( .)
, .
, .
NIS+ NIS+, groups_dir
NIS+. ( , NIS+ NIS+.
.)
NIS+ Administering NIS+ Groups AIX 5L 5.3:
(NIS NIS+).
:
NIS+, ,
, , DES.
, , .
:
, ,
DES.
NIS+:
NIS+ .
,
, - , - .
:

NIS+ NIS+: groups_dir org_dir.
groups_dir . org_dir - .

.
.

.
()
.
. , .
,
.
, .
NIS+:
246
AIX 5.3:
NIS+ NIS+ ,
.
, NIS+
NIS+. ( niscat -o.)
NIS+,
: , , .
.

. , NIS+
. NIS+ .
NIS+ NIS+ ,
NIS+. , IP-
, NIS+ hosts,
. NIS+,
.
, -
. , NIS+,
. ,
. ,
, . ,
. ,
. ,
. , , , .
, .
NIS+
NIS+ NIS+.
, .. , , , ,
NIS+ .
NIS+ .
( ),
. ,
,
.
, .
.
NIS+. NIS+.
NIS+
, .
chkey
RPC . ,
, passwd.
chkey passwd /etc/passwd.
247
keylogin
keyserv.
keylogout
keyserv.
keyserv
keyserv, .
newkey
.
nisaddcred
NIS+.
nisupdkeys
.
passwd
.

(NFS) - ,
.
AIX 5.3.0, NFS, DES, Kerberos 5.
Kerberos 5 RPCSEC_GSS.
UNIX NFS
.
DES .
AIX 5L 5.2, NFS DES Kerberos 5.
Kerberos 5 RPCSEC_GSS.
Kerberos NFS NFS.

(NFS).
v , .
, .
, . ,
, Web- ,
, ,
Web-. (Security Alerts) IBM System p
, Web-: http://
www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd.
v NFS ,
.
, .
,
. SMIT
/etc/exports.
v NFS ,
. NFS , NFS
.
. ,
NFS, .
248
AIX 5.3:
v .
,
, .
, .
v NFS root
. NFS
.

.
v NFS suid sgid .
.
,
, NFS .
, mknfsmnt -y.
v NFS. NFS ,
RPC, DES. RPC - , NFS
. NFS RPC
, RPC.
, , RPC
.
v NFS, . .
AIX 5.3 AIX 6.1, NFS Triple DES Single DES
AES Kerberos 5. Kerberos 5
AES NFS. AIX 5.3 NFS V4
:
v des-cbc-crc
v des-cbc-md4
v des-cbc-md5
v des3-cbc-sha1
v aes256-cts
:
v AIX 5L 5.1
NFS: http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/commadmn/
nfs_install.htm
NFS: http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/files/aixfiles/exports.htm
NFS: http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/commadmn/
nfs_secure.htm
mknfsmnt: http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/cmds/aixcmds3/mknfsmnt.htm
v AIX 5L 5.2
NFS: http://publib16.boulder.ibm.com/pseries/en_US/aixbman/commadmn/
nfs_install.htm
NFS: http://publib16.boulder.ibm.com/pseries/en_US/files/aixfiles/exports.htm
(NFS): http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/
secure_nfs.htm
mknfsmnt: http://publib16.boulder.ibm.com/pseries/en_US/cmds/aixcmds3/mknfsmnt.htm
249

NFS DES . DES
(RPC),
NFS.
.
RPC
.
UNIX. ,
secure.
NFS:
publickey.byname, .
DES .
keylogin
RPC. ,
yppasswd .
keyserv RPC, NIS NIS+.
, keyserv NIS+, AIX 5L 5.3:
(NIS NIS+). NIS, keyserv
:
v key_setsecret
v key_encryptsession
v key_decryptsession
key_setsecret ( SKA) .
keylogin. key_encryptsession
,
RPC.
( key_setsecret) .
key_decryptsession.
,
. DES,
. ,
root. root
setuid .
:
NFS , ,
.
:
v .
v DES.
:
,
timed. .
250
AIX 5.3:
RPC
. .
RPC ,
.
DES:
DES
.
A B , ,
A B. :
KAB = PKBSKA
K - , PK - , SK - . - 128 .
:
KAB = PKASKB
,
. 128 , DES
56- , DES 56
.
:
,
. (CK).
DES (.
) RPC.
.
18. . ,
.
A B. K(CK) , CK
DES K.
RPC (A), (CK) win (),
CK. ( 30 .)
251
(win + 1).

.
:
v A
v CK
v
v
,
.
, 1 CK.
, ,
, .
,
. RPC
, ,
1 CK.
DES
DES .
DES NIS+ AIX 5L 5.3:
(NIS NIS+).
- , .
, .
netid.byname NIS.
.
NIS Internet.
Internet (, com, edu, gov, mil).
, .
. , hal eng.xyz.com
unix.hal@eng.xyz.com.
, , .
NIS.
, -
.
, , NFS rlogin.
/etc/publickey
/etc/publickey , NIS NIS+
publickey.
publickey .
, ( ),
( ).
/etc/publickey nobody.
/etc/publickey ,
. /etc/publickey chkey
newkey.
252
AIX 5.3:

- ,
. root , -
root.
root - , .
setuid . , setuid
- A, ,
A. setuid
root, .
NFS
NFS .
v . .
RPC .
, .
v RPC :
1. .
2. .
3. .
4. .
NFS ,
.

NFS.
v -secure
, /etc/hosts. DNS, ,
/etc/hosts. ,
,
/etc/hosts, publickey .
v .
. ,
-secure
-secure, nobody,
. , , NIS
NIS+, .
v NIS
chkey newkey,
.
v /etc/keystore /etc/.rootkey.
, ,
/etc/keystore /etc/.rootkey.
v , ppasswd
yppasswd.
.
v login keyserv publickey,
keylogin. keylogin profile ,
. keylogin
.
253
v root newkey -h chkey

keyserv keylogin. /etc/.rootkey,
keyserv .
v , yppasswdd ypupdated NIS.
publickey.
v , keyserv, , NFS.

NFS NIS
WSM (Web- ) .
NFS NIS+, AIX 5L 5.3:
(NIS NIS+).
1. NIS NIS /etc/publickey
newkey:
v :
smit newkey
newkey -u -
root :
newkey -h -
v , chkey newkey .
NIS publickey AIX 5L 5.3:
(NIS NIS+). publickey.byname NIS
NIS.
3. /etc/rc.nfs:
2.
#if [ -x /usr/sbin/keyserv ]; then

# startsrc -s keyserv
#fi
#if [ -x /usr/lib/netsvc/yp/rpc.ypupdated -a -d /etc/yp/`domainname` ]; then
# startsrc -s ypupdated
#fi
#DIR=/etc/passwd
#if [ -x /usr/lib/netsvc/yp/rpc.yppasswdd -a -f $DIR/passwd ]; then
# startsrc -s yppasswdd
#fi
4. keyserv, ypupdated yppasswdd startsrc.

NFS NIS keyserv
startsrc.
NFS
NFS WSM (Web-
) .
v NFS SMIT,
:
1. lssrc -g nfs , NFS. nfsd
rpc.mountd .
2. , publickey, keyserv.
.
3. smit mknfsexp.
254
AIX 5.3:
4. , (,
, ). .
5. .
6. SMIT. /etc/exports , .
7. 3-6 , .
v NFS ,
:
1. /etc/exports .
2. , . ,
. .
.
/etc/exports, secure, /etc/exports.
3. /etc/exports .
4. NFS , :
/usr/sbin/exportfs -a
-a exportfs, NFS
/etc/exports.
v ( /etc/exports),
:
exportfs -i -o secure /
- . exportfs -i
/etc/exports ,
.
NFS
NFS .
NFS, :
1. , NFS, :
showmount -e
- NFS. ,
NFS . , , ,
.
2. mkdir.
NFS, , .
. , ,
.
3. , publickey, keyserv.
. 254.
4.
mount -o secure :/remote/directory /local/directory
- NFS, /remote/directory - NFS,

, /local/directory - NFS.
: NFS root.
255

,
.
, , , .
(EIM)
.
,
, EIM.

, ,

.

. ,
, .
, .

,
, ,
.
,
.
, .

. ,
.

, . ,
(LDAP) ,
. , , LDAP,
,
, .

,
, .
, ,

. , ,
, ,
.
, ,
. ,
,
.
, .
256
AIX 5.3:
.
, ,
. :
v . ,
,
.
v ,
.
, .
v ,
. -
.
, ,
, .

EIM (,
) ,
. , EIM API,
.
, , ,
.

,
. , -
. , EIM
.

. , -
, - . ,
SAP SAP.
:
1. EIM, .
2. EIM, .
3.
EIM.
.
. EIM
- ( ,
). EIM - (..
),
. EIM .
EIM
. , EIM, - .
LDAP, ,
, ,
.
EIM Web-:
257
v http://publib.boulder.ibm.com/eserver/
v http://www.ibm.com/servers/eserver/security/eim/
Kerberos
Kerberos - ,
. Kerberos ,
, , .
Kerberos .
: .
. ,
, .
.
Kerberos.
Kerberos,
.
Kerberos (KDC). KDC
Kerberos.
Kerberos , , ,
, .
KDC , KDC.
Kerberos:
,
IBM Network Authentication Service developerWorks

.
: (DCE) 2.2, DCE
Kerberos 5.
: AIX 5.2, (rcmds)
Kerberos 5, (NAS) 1.3. DCE
ftp GSSAPI DCE libdce.a,
ftp GSSAPI NAS 1.3. NAS 1.3 -
Expansion Pack. krb5.client.rte.
: AIX 5.2 Kerberos 5 4,
krb5.client.rte.
: rlogin, rcp, rsh, telnet ftp.
AIX. ( , AIX 4.3
.) Kerberos 5
Kerberos 4.
Kerberos 5 DCE
Kerberos Kerberos 5. DCE
, TCP/IP,
. TCP/IP .
TCP/IP . DCE
, , ,
258
AIX 5.3:
.
Kerberos, Kerberos 5 DCE.
Kerberos 5
TCP/IP. ,
Kerberos (TGT).
DCE, TCP/IP TGT DCE
k5dcecreds.
ftp ,
. GSSAPI
ftp ftpd. ftp
clear, safe private.
ftp
.
.
ftp .
:

. , .
libauthm.a, lsauthent chauthent,
get_auth_methods
set_auth_methods.
, .
:
v Kerberos 5 DCE.
v Kerberos 4, rlogin, rsh rcp.
SP . Kerberos 4
DCE.
v AIX, AIX 4.3 .

, .
.
AIX, .
AIX ,
.
- .

. , Kerberos 4 rlogin, rsh rcp,
, Kerberos 4,
telnet FTP.
Kerberos 5:
Kerberos 5
.
259
Kerberos 5 TCP/IP
TCP/IP. ,
( DCE ).
- , DCE
. DCE
libvaliduser.a,
, kvalid_user. ,
libvaliduser.a.
DCE:
DCE
, .
DCE :
host/__
ftp/__
--

:

, .
:
host/__@_
ftp/__@_
--

_
Kerberos 5
:
v get_auth_method set_auth_method AIX 5L 5.3:
, 2
v chauthent AIX 5L 5.3: , 1
v lsauthent AIX 5L 5.3: , 3
AIX Kerberos
AIX KRB5 KRB5A. ,
Kerberos, KRB5
Kerberos, KRB5A .
Kerberos KRB5 Kerberos
IBM. KRB5 AIX
, Kerberos,
Kerberos AIX -
. , AIX Kerberos
mkuser.
260
AIX 5.3:
KRB5A . Kerberos
, . KRB5A ,
Kerberos AIX AIX
Kerberos. KRB5A Microsoft Windows
2000 Active Directory, Kerberos
API.
Kerberos
KRB5:
( IBM Kerberos) .
Kerberos 5 krb5.client.rte Kerberos
5 krb5.server.rte Kerberos 5
krb5
DCE Kerberos (, klist, kinit
kdestroy), Kerberos /usr/krb5/bin /usr/krb5/sbin.
PATH. Kerberos
.
krb5.doc..pdf|html,
.
Kerberos 5 KDC kadmin:
Kerberos 5 KDC kadmin.
: DCE Kerberos
. - ,
, DCE
Kerberos.
, DCE Kerberos. DCE Kerberos
.
: Kerberos 5 , ,
KDC .
300 ( ). Kerberos
- .
xntpd timed. timed
:
1. KDC , timed:
timed -M
2. Kerberos timed.
timed -t
Kerberos KDC kadmin mkkrb5srv. ,

Kerberos MYREALM sundial xyz.com
:
mkkrb5srv -r MYREALM -s sundial.xyz.com -d xyz.com -a admin/admin
, kadmind krb5kdc
/etc/inittab.
mkkrb5srv :
261
1. /etc/krb5/krb5.conf. , Kerberos
. /etc/krb5/krb5.conf
default_keytab_name, kdc admin_server.
2. /var/krb5/krb5kdc/kdc.conf. /var/krb5/krb5kdc/kdc.conf
kdc_ports, kadmin_port, max_life, max_renewable_life, master_key_type
supported_enctypes. , database_name,
admin_keytab, acl_file, dict_file key_stash_file.
3. /var/krb5/krb5kdc/kadm5.acl.
admin, root host.
4. admin. Kerberos,
Kerberos.
, .
. 263
. 263.
Kerberos 5:
Kerberos ,
Kerberos (TGT).
, , ,
Kerberos.
Kerberos mkkrb5clnt
:
mkkrb5clnt -c KDC -r -a -s -d -A -i -K -T
, KDC sundial.xyz.com MYREALM sundial.xyz.com

xyz.com files :
mkkrb5clnt -c sundial.xyz.com -r MYREALM -s sundial.xyz.com -d xyz.com -A -i files -K -T
:
1. /etc/krb5/krb5.conf. , Kerberos
. ,
default_keytab_name, kdc kadmin.
2. -i . ,
AIX.
Kerberos. Kerberos Kerberos.
3. -K Kerberos .
Kerberos .
4. -A Kerberos , root
Kerberos.
5. -T TGT.
DNS, KDC,
:
1. /etc/krb5/krb5.conf, [domain realm].
2. .
, abc.xyz.com MYREALM,
/etc/krb5/krb5.conf :
[domain realm]
.abc.xyz.com = MYREALM
262
AIX 5.3:
:
mkkrb5srv :
v krb5.conf, kdc.conf kadm5.acl , mkkrb5srv
. , .

krb5.conf, kdc.conf kadm5.acl.
v ,
.
v
/var/krb5/krb5kdc/* .
v , kadmind krb5kdc.
ps. , .
mkkrb5clnt :
v krb5.conf /etc/krb5/krb5.conf.
v ( -i) /usr/lib/security/
methods.cfg.
:
mkkrb5srv :
v /etc/krb5/krb5.conf
v /var/krb5/krb5kdc/kadm5.acl
v /var/krb5/krb5kdc/kdc.conf
mkkrb5clnt :
v /etc/krb5/krb5.conf
mkkrb5clnt -i /usr/lib/security/methods.cfg:
KRB5:
program =
options =
KRB5files:
options =
:
.
mkkrb5srv:
# mkkrb5srv -r MYREALM -s sundial.xyz.com -d xyz.com -a admin/admin
:

---------------------------------------------------------------------------: /usr/lib/objrepos
krb5.server.rte
1.3.0.0 .
: /etc/objrepos
krb5.server.rte
1.3.0.0
263
-s .
.
...
/var/krb5/krb5kdc/kdc.conf...
...
'/var/krb5/krb5kdc/principal' 'MYREALM'
'K/M@MYREALM'
.
.
:
:
: admin/admin@MYREALM;
. ,
ACL.
"admin/admin@MYREALM":
"admin/admin@MYREALM":
"admin/admin@MYREALM" .
...
/var/krb5/krb5kdc/kadm5.acl...
krb5kdc...
krb5kdc .
kadmind...
kadmind .
.
kadmind krb5kdc
mkkrb5clnt:
mkkrb5clnt -r MYREALM -c sundial.xyz.com -s sundial.xyz.com \
-a admin/admin -d xyz.com -i files -K -T -A
:
...
.
admin/admin@MYREALM:

admin/admin .
: host/diana.xyz.com@MYREALM;
. ,
ACL.
"host/diana.xyz.com@MYREALM" .
.
admin/admin .
.
admin/admin .
"kadmin/admin@MYREALM" .
.
Kerberos
root Kerberos
admin/admin .
: root/diana.xyz.com@MYREALM;
. ,
ACL.
"root/diana.xyz.com@MYREALM":
"root/diana.xyz.com@MYREALM":
"root/diana.xyz.com@MYREALM" .
.
.
kadmind:
264
AIX 5.3:
KRB5 , kadmind.
kadmind
methods.cfg kadmind.
: No False kadmind, Yes True -
( - Yes). No, kadmind
. , kadmind
(, ).
(, ),
Kerberos AIX, mkuser, chuser rmuser .
kadmind Yes. ,
kadmind. ,
.
kadmind ,
methods.cfg :
KRB5:
program = /usr/lib/security/KRB5
options = kadmind=no
KRB5files:
options = db=BUILTIN,auth=KRB5
kadmind , root .
, , , kadmind.
, Kerberos,
AIX, .
AIX (,
).
kadmind ( ), mkuser
:
3004-694 "krb5user": .
, kadmind no kadmind ,
Kerberos, , Kerberos.
. , lsuser
ALL.
, chuser AIX,
Kerberos . rmuser Kerberos,
passwd ,
Kerberos.
, kadmind, .
, ,
kadmind methods.cfg no.
kadmind , .
kadmind , kadmind=no, : login,
su, passwd, mkuser, chuser rmuser.
Kerberos
KRB5A:
265
KRB5A ,
, Kerberos.
,
AIX KDC.
krb5.client.rte Expansion Pack.
: KRB5A AIX 5.2 .
AIX Kerberos 5 Windows 2000:
Kerberos AIX config.krb5.
Kerberos. Kerberos
Windows 2000, config.krb5 :
-r
-d
-c
-s
= Windows 2000
= , Windows 2000
KDC = Windows 2000
= Windows 2000
1. config.krb5:
config.krb5 -C -r MYREALM -d xyz.com -c w2k.xyz.com -s w2k.xyz.com
2. Windows 2000 DES-CBC-MD5 DES-CBC-CRC. krb5.conf,

, :
[libdefaults]
default_realm = MYREALM
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5
3. methods.cfg:
KRB5A:
program = /usr/lib/security/KRB5A
options = authonly
KRB5Afiles:
options = db=BUILTIN,auth=KRB5A
4. Windows 2000 :
a.
AIX krbtest:
1) .
2) .
3) .
4) krbtest.
b. Ktpass keytab AIX.
, keytab krbtest.keytab :
Ktpass -princ host/krbtest.xyz.com@MYREALM -mapuser krbtest -pass password -out krbtest.keytab
c. keytab AIX.
d. keytab /etc/krb5/krb5.keytab :
$ ktutil
ktutil: rkt krbtest.keytab
ktutil: wkt /etc/krb5/krb5.keytab
ktutil: q
e. Active Directory
Windows 2000.
266
AIX 5.3:
f. AIX, Windows 2000,

Kerberos. :
mkuser registry=KRB5Afiles SYSTEM=KRB5Afiles user0
KRB5A

KRB5A
.
: KRB5A AIX 5.2 .
v AIX Kerberos Active
Directory KDC?
Kerberos AIX config.krb5.
Kerberos. Kerberos
Windows 2000, config.krb5 :
-r

-d
, Active Directory.
-c KDC
Windows 2000
-s
Windows 2000
config.krb5:
config.krb5 -C -r MYREALM -d xyz.com -c w2k.xyz.com -s w2k.xyz.com
Windows 2000 DES-CBC-MD5 DES-CBC-CRC. krb5.conf,

, :
[libdefaults]
default_realm = MYREALM
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5
methods.cfg:
KRB5A:
options = authonly
KRB5Afiles:
:
1. Active Directory AIX
krbtest.
.
.
.
krbtest.
2. Ktpass krbtest.keytab
AIX:
Ktpass -princ host/krbtest.xyz.com@MYREALM -mapuser krbtest -pass password \
-out krbtest.keytab
267
3. krbtest.keytab AIX.
4. krbtest.keytab /etc/krb5/krb5.keytab :
$ ktutil
ktutil: rkt krbtest.keytab
ktutil: wkt /etc/krb5/krb5.keytab
ktutil: q
5. Active Directory
Windows 2000.
6. AIX, Windows 2000,
Kerberos:
mkuser registry=KRB5Afiles SYSTEM=KRB5Afiles user0
v AIX Kerberos ?
Kerberos methods.cfg.
methods.cfg .
KRB5A. BUILTIN LDAP. BUILTIN
AIX ASCII. ,
BUILTIN AIX, methods.cfg
:
:
AIX

KRB5A:
options=authonly
KRB5Afiles:
: AIX
LDAP
KRB5A:
options=authonly
LDAP:
KRB5ALDAP:
options = auth=KRB5A,db=LDAP
v AIX
Kerberos KRB5A?
AIX
Kerberos KRB5A mkuser:
mkuser registry=KRB5Afiles SYSTEM=KRB5Afiles auth_domain=MYREALM foo
v Kerberos ?
Windows 2000 . ,
foo,
foo@MYREALM, foo.
.
v , Kerberos?
, Kerberos, passwd:
passwd -R KRB5Afiles foo
v , Kerberos?
268
AIX 5.3:
, Kerberos, rmuser.
AIX. ,
.
rmuser -R KRB5Afiles foo
v AIX , Kerberos?
,
, Kerberos, chuser,
:
chuser registry=KRB5Afiles SYSTEM=KRB5Afiles auth_domain=MYREALM foo
, .
chuser. Active Directory
AIX. , auth_name
. ,
chris AIX Active Directory christopher
:
chuser registry=KRB5Afiles SYSTEM=KRB5Afiles auth_name=christopher auth_domain=MYREALM chris
v , ?
. AIX, root
Kerberos.
v auth_name auth_domain?
auth_name auth_domain AIX
Kerberos Active Directory. , AIX chris
auth_name=christopher auth_domain=SOMEREALM, Kerberos
christopher@SOMEREALM. SOMEREALM MYREALM.
, chris MYREALM, SOMEREALM.
.
v , Kerberos, AIX?
, . AIX ,
Kerberos, :
1. AIX (/etc/security/passwd) using the
passwd:
passwd -R files foo
2. SYSTEM :
chuser -R KRB5Afiles SYSTEM=compat foo.
Kerberos .
,
SYSTEM :
chuser -R KRB5Afiles SYSTEM="KRB5Afiles or compat" foo.
v Kerberos AIX
Windows 2000?
. Active Directory KDC,
KDC AIX . Kerberos ,
Kerberos AIX.
v , AIX ?
, AIX, Kerberos. ,
KDC.
v , ?
, :
269
, KDC .
- AIX :
ps -ef | grep krb5kdc
- Windows 2000 :
1. .
2. .
3. , Kerberos (KDC) .
AIX , /etc/krb5/krb5.conf KDC
.
AIX , keytab . , ,
keytab /etc/krb5/krb5.keytab. :
$ ktutil
ktutil: rkt /etc/krb5/krb5.keytab
ktutil: l
KVNO
------ ------ -----------------------------------------------------1

4 host/krbtest.xyz.com@MYREALM
ktutil: q
, auth_name auth_domain, ,
ADS KDC.
, SYSTEM Kerberos (
KRB5Afiles KRB5ALDAP).
, .
v TGT?
TGT host/-. , ,
Kerberos keytab, Windows
2000 Active Directory . .
TGT , KRB5A
/usr/lib/security/methods.cfg:
KRB5A:
options = tgt_verify=no
KRB5Afiles:
tgt_verify: No False Yes True -

. TGT . tgt_verify
No, TGT , .
keytab , KRB5A.
v passwdexpired 0, kerberos
kerberos AIX?
passwdexpired 0,
AIX
kadmin.
allow_expired_pwd methods.cfg AIX
kerberos.
authenticate
passwdexpired.
270
AIX 5.3:
Kerberos
Kerberos , NFS.
NFS Kerberos,
, gss.
Kerberos gss.
1.2, MIT Kerberos.
Kerberos: /usr/lib/drivers/krb5.ext.
gss.
RADIUS
RADIUS IBM , ,
. ,
(NAS), .
NAS RADIUS.
RADIUS , . ,
, RADIUS.
RADIUS
, . RADIUS ,
,
. RADIUS Proxy
RADIUS, .
RADIUS (UDP).
, RADIUS,
IETF RFC 2865. , , RFC 2866.
: RFC 2284 (EAP), RFC 2869 (),
RFC 2882, MD5-Challenge TLS. RFC
:
IETF RFC 2865
http://www.ietf.org/rfc/rfc2865.txt
RFC 2866
RFC 2284
RFC 2869
RFC 2882
RFC web- http://www.ietf.org.
RADIUS
RADIUS SMIT installp.
RADIUS AIX.
: radius.base bos.msg.<>.rte.
271
LDAP,
ldap.server. installp
RADIUS.
RADIUS SRC.
radiusd:
v
v
v
2.
, /etc/rc.d/rc2.d/Sradiusd.
RADIUS
RADIUS /etc/radius/radiusd.conf,
/etc/radius/authorization/default.policy
/etc/radius/authorization/default.auth radiusd
. SMIT .
RADIUS :
>stopsrc -s radiusd
>startsrc -s radiusd
RADIUS ,
, , .
. ,
, .
On-demand:
RADIUS.
. radiusd.conf
1812, - 1813.
IANA. radiusd.conf .
, .
Authentication_Ports Accounting_Ports radiusd.conf ,
radiusd. ,
.
RADIUS
RADIUS .
RADIUS.
root security. ,
, (SMIT) -
. , , .
radiusd.conf:
radiusd.conf RADIUS.
RADIUS radiusd.conf /etc/radius.
. RADIUS
272
AIX 5.3:
, . RADIUS
SYSLOG.
.
,
. , .
: radiusd.conf .
SMIT.
radiusd.conf:
#------------------------------------------------------------------#
#

#
#
#
# RADIUS radiusd.conf
#
# /etc/radius.
#
#
#
#
#
# . RADIUS
#
# " : ()".
#
# , .
#
#
# RADIUS
#
# SYSLOG.
#
# ,
#
# .
#
#
#
# , ,
#
#
#
# . ,
#
# .
#
#
#
#
# . SMIT.
#
#
#
#
#
#------------------------------------------------------------------#
#------------------------------------------------------------------#
#

#
#
#
# RADIUSdirectory : RADIUS,
#
#

#
#
.
#
#
#
# Database_location : .
#
#
: Local, LDAP, UNIX
#
#
UNIX - AIX
#
#
Local - AVL raddbm #
#
LDAP -
#
#
#
# Local_Database
: .
#
#
,
#
#
Database_location
#
#
Local.
#
#
#
# Debug_Level
: RADIUS. #
#
: 0, 3 9.
#
#
3.
#
#
,
#
#
*.debug
#
#
/etc/syslog.conf
#
#
#
#

#
#
, syslog.
#
273
#
, "9"
#
#

#
#
,
#
#
"0" "3".
#
#
#
#
0 :
#
#
syslogd.
#
#
RADIUS #
#
. #
#
.
#
#
#
3 : ACCESS ACCEPT,
#
#
REJECT DISCARD .
#
#

#
#
.
#
#
#
#
9 : . - #
#

#
#
,
#
#
.
#
#
[ ] #
#
#
#------------------------------------------------------------------#
RADIUSdirectory
: /etc/radius
Database_location : UNIX
Local_Database
: dbdata.bin
Debug_Level
: 3
#------------------------------------------------------------------#
#

#
#
#
# Local_Accounting : ON TRUE, #
#

#
#
ACCOUNTING START STOP,
#
#
NAS. :
#
#
#
#
/var/radius/data/accounting
#
#
#
# Local_accounting_loc:
#
#
/var/radius/data/accounting.
#
# Local_
#
#
Accounting=ON.
#
#
,
#
#
( )
#
#
.
#
#
#------------------------------------------------------------------#
Local_Accounting : ON
Local_Accounting_loc : /var/radius/data/accounting
#------------------------------------------------------------------#
#

#
#
#
#
Accept_Reply-Message : , RADIUS
#
#
Access-Accept
#
#
#
#
Reject_Reply-Message : , RADIUS
#
#
Access-Reject
#
#
#
#
Challenge_Reply-Message : , RADIUS
#
#
Access-Challenge #
#------------------------------------------------------------------#
Accept_Reply-Message :
Reject_Reply-Message :
Challenge_Reply-Message :
Password_Expired_Reply-Message :
#------------------------------------------------------------------#
#

#
#
#
274
AIX 5.3:
#
Allow_Password_Renewal: YES NO
#
#
YES,
#
#

#
#

#
#
RADIUS. #
#

#
#
Access-Password-Request.
#
#------------------------------------------------------------------#
Allow_Password_Renewal : NO
#------------------------------------------------------------------#
#
Access-Request
#
#
#
#
Require_Message_Authenticator: YES NO
#
#
YES,
#
#

#
#

#
#
Access-Request.
#
#
,
#
#
.
#
#------------------------------------------------------------------#
Require_Message_Authenticator : NO
#------------------------------------------------------------------#
#
( )
#
#
#
# Authentication_Ports : , #
#
. #
#
, #
#
.
#
#

#
#
,
#
#
','.
#
#
#
#
,
#
#
"6666".
#
#
#
#
"6666".
#
#
#
# Accounting_Ports
: Authentication_Ports.
#
#
. , .
#
#
#
# [] .
#
#
, #
#

#
#
. SYSLOG ,
#
#
.
#
#
#
#
#
# []
#
# Authentication_Ports : 1812,6666 ( ) #
#
#
# , ,
#
# .
#
#
#
#
6666 : 6666
#
#
#
#------------------------------------------------------------------#
Authentication_Ports : 1812
Accounting_Ports
: 1813
#------------------------------------------------------------------#
#
LDAP
#
#
#
# , RADIUS
#
# LDAP 3 Database_location
#
# LDAP
#
#
#
# LDAP_User
: , #
#
(LDAP). #
275
#
LDAP.
#
#
#
# LDAP_User_Pwd : LDAP,
#
#
.
#
#
#
#------------------------------------------------------------------#
LDAP_User
: cn=root
LDAP_User_Pwd
:
#------------------------------------------------------------------#
#
LDAP
#
#
#
# Database_location "LDAP",
#
# .
#
#
#
# LDAP_Server_name
: LDAP 3. #
# LDAP_Server_Port
: TCP, #
#
LDAP. LDAP #
#
389.
#
# LDP_Base_DN
:
#
# LDAP_Timeout
: #
#
#
LDAP
#
# LDAP_Hoplimit
:
#
#
#
# LDAP_Sizelimit
:
#
#
( )
#
# LDAP_Debug_level
: 0= , 1= #
#
#
#
#
#------------------------------------------------------------------#
LDAP_Server_name
:
LDAP_Server_port
: 389
LDAP_Base_DN
: cn=aixradius
LDAP_Timeout
: 10
LDAP_Hoplimit
: 0
LDAP_Sizelimit
: 0
LDAP_Debug_level
: 0
#------------------------------------------------------------------#
#
PROXY RADIUS
#
#
#
#
#
# Proxy_Allow
: ON OFF. ON,#
#
proxy ,#
#
, #
#
.
#
# Proxy_Use_Table
: ON OFF. ON,#
#
-#
#
-#
#
.
#
#
Proxy ON, Proxy_Use_Table = ON,#
#
ON.
#
# Proxy_Realm_name
: ,
#
#
.
#
# Proxy_Prefix_delim
:
#
#
,
#
#
.
#
#

#
#
. #
# Proxy_Suffix_delim
:
#
#
,
#
#
.
#
#

#
#
. #
# Proxy_Remove_Hops
: YES NO. #
#
YES,
#
#
,
#
#
, #
#
.
#
276
AIX 5.3:
#
#
# Proxy_Retry_count
:
#
#
.
#
#
#
# Proxy_Time_Out
:
#
#

#
#
.
#
#
#
#------------------------------------------------------------------#
Proxy_Allow
:
OFF
Proxy_Use_Table
:
OFF
Proxy_Realm_name
:
Proxy_Prefix_delim
:
$/
Proxy_Suffix_delim
:
@.
Proxy_Remove_Hops
:
NO
Proxy_Retry_count
:
2
Proxy_Time_Out
:
30
#------------------------------------------------------------------#
#

#
#
#
# UNIX_Check_Login_Restrictions : ON OFF. ON,
#
#

#
#
#
#

#
#

#
#
loginrestrictions().
#
#
#
#------------------------------------------------------------------#
UNIX_Check_Login_Restrictions : OFF
#------------------------------------------------------------------#
#
IP
#
#
#
# Enable_IP_Pool : ON OFF. ON, RADIUS
#
#
IP- ,
#
#
RADIUS.
#
#
#------------------------------------------------------------------#
Enable_IP_Pool
:
OFF
#------------------------------------------------------------------#
EAP SMIT.
EAP , :
Radius Server
-> Configure users
-> Local Database
LDAP Directory
-> Add a user
Change/Show Characteristics of a user
->
Login User ID [ ]
EAP Type [0 2 4]
Password Max Age
EAP :
0
MD5 - challenge
TLS
EAP
, radiusd.conf.
/etc/radius/clients:
277
clients , RADIUS.
, (NAS AP) IP- ,
RADIUS , - IP.
:
<Client IP Address>
<Shared Secret>
<Pool Name>
:
10.10.10.1
10.10.10.2
mysecret1
mysecret2
floor6
floor5
- , RADIUS.
256 , .
RADIUS . ,
( RADIUS) .
(
Message Authentication).
/etc/radius/clients ,
, , .
, 16 . /etc/radius/clients
SMIT.
.
- - , IP-.
- RADIUS. SMIT
- : Proxy IP- IP-.
IP- .
/etc/radius/dictionary:
dictionary , RADIUS
AIX RADIUS.
RADIUS .
, . dictionary
. SMIT .
dictionary:
########################################################################
#
#
# , #
# .
#
# /.
#
# :
#
#
#
# string - 0-253
#
# ipaddr - 4
#
# integer - 32-
#
# date - 32- -
#
#
, 00:00:00 GMT, 1 1970
#
#
#
#
#
# VALUE.
#
#
#
# :
#
#
#
# ATTRIBUTE
VALUE
#
278
AIX 5.3:
# ------------------#
# Framed-Protocol = PPP
#
# 7
= 1
( )
#
#
#
########################################################################
ATTRIBUTE
User-Name
1
string
ATTRIBUTE
User-Password
2
string
ATTRIBUTE
CHAP-Password
3
string
ATTRIBUTE
NAS-IP-Address
4
ipaddr
ATTRIBUTE
NAS-Port
5
integer
ATTRIBUTE
Service-Type
6
integer
ATTRIBUTE
Framed-Protocol
7
integer
ATTRIBUTE
Framed-IP-Address
8
ipaddr
ATTRIBUTE
Framed-IP-Netmask
9
ipaddr
ATTRIBUTE
Framed-Routing
10
integer
ATTRIBUTE
Filter-Id
11
string
.
.
.
: default.policy default.auth ( user_id.policy

user_id.auth) RADIUS,
AIX. ,
radiusd .
: , default.policy default.auth
RADIUS stopsrc startsrc, SMIT.
/etc/radius/proxy:
/etc/radius/proxy - , Proxy.
, Proxy .
/etc/radius/proxy IP- , ,
.
, SMIT:
v
v IP
v
/etc/radius/proxy:
:
16 . RADIUS
.
# @(#)91 1.3 src/rad/usr/sbin/config_files/proxy, radconfig, radius530 1/23/04 13:11:14
#######################################################################
#
#
#
Proxy, #
#
Proxy ,
#
#
.
#
#
#
#
- RADIUS.
#
#
#
#
- IP- RADIUS
#
#
.
#
#
#
#
- , .
#
279
#
#
#
:
#
#
,
#
#
.
#
#
#
#######################################################################
# REALM NAME
REALM IP
SHARED SECRET
#------------------------------------------------------# myRealm
10.10.10.10
sharedsec

. , ,
RADIUS, .
, UNIX LDAP.
/etc/radius/radiusd.conf .
SMIT.
RADIUS RADIUS . 272.
:
RADIUS
.
, UNIX
LDAP.
UNIX:
UNIX RADIUS
.
UNIX database_location radiusd.conf
UNIX SMIT.

authenticate() UNIX. , UNIX, ,
/etc/passwords. mkuser
SMIT.
UNIX, UNIX
, :

RADIUS
*
AVL

/etc/radius
[UNIX]
[dbdata.bin]
[]

.
.
.
[3]
:
database_location radiusd.conf SMIT
Local, RADIUS
/etc/radius/dbdata.bin.
280
AIX 5.3:
,
. . -
. ,
raddbm SMIT. radiusd
radiusd.conf .
: 253 , 128 .
,
:

RADIUS
*
[]
AVL

.
.
.
/etc/radius
[dbdata.bin]
[]
[3]
LDAP:
RADIUS LDAP 3 .
RADIUS API LDAP 3.
LDAP 3 database_location /etc/radiusd.conf LDAP.
, , LDAP.
AIX LDAP 3,
IBM Tivoli. LDAP ,
RADIUS,
. RADIUS ,
ldapsearch.
LDAP RADIUS.
LDAP IBM Tivoli,
Web- http://publib.boulder.ibm.com/tividd/td/IBMDirectoryServer5.2.html.
RADIUS ldif,
LDAP RADIUS, .
LDAP.
RADIUS LDAP .
cn=aixradius, ,
LDAP RADIUS . 282. RADIUS ldif,
RADIUS.
, LDAP
:
1. , RADIUS.
2.
3.
4. EAP,
281
5. .
LDAP LDAP ,
:

RADIUS
*
[LDAP]
AVL

[ON]

.
.
.
/etc/radius
[dbdata.bin]
[3]
LDAP RADIUS:
LDAP LDAP.
LDAP AIX RADIUS,
, LDAP RADIUS.
LDAP . RADIUS cn=aixradius.
- , .
LDAP . - ,
. , ,
.
LDAP SMIT. LDAP
/etc/radius/radiusd.conf. SMIT
RADIUS.
, LDAP, .
.
=, (OID),
. LDAP .
: .

. ,
, ,
. .
RADIUS. ldif.
- LDAP,
RADIUS. RADIUS .
, , LDAP
API SASL ldap_bind_s, DN, CRAM-MD5,
LDAP.
. CRAM-MD5 - ,
( ).
: .
LDAP RADIUS:
282
AIX 5.3:
RADIUS LDAP cn=aixradius.

cn=aixradius (OU). OU - ,
.
LDAP RADIUS.
, , ().
aixradius, , : ibm-radiususer
ibm-radiusactiveusers. ibm-radiususer userid, password
maxLogin. ibmradiusactiveusers userid +, login number, login status
session_id. aixradius aixsecurity root.
19. LDAP RADIUS
LDAP:
LDAP RADIUS LDAP.
LDAP /etc/radius/ldap:
IBM.V3.radiusbase.schema.ldif
RADIUS (cn=aixradius).
, cn=aixradius:
ou=ibm-radiususer
ou=ibm-radiusactiveusers
:
ldapadd -D --ldap -w -i /etc/radius/ldap/IBM.V3.radiusbase.schema.ldif
LDAP, ,
-h ( ).
IBM.V3.radius.schema.ldif
RADIUS .
283
RADIUS:
ldapmodify -D --ldap -w -i /etc/radius/ldap/IBM.V3.radius.schema.ldif
, SMIT LDAP
, LDAP .
RADIUS LDAP SMIT.
:
LDAP RADIUS
. .
,
, . ibm-radiusUserInstance
API LDAP . ,
, . MaxLoginCount
LDAP .
:
LDAP ,
.
, login_number = 1
MaxLoginCount = 5. RADIUS start_accounting.
ibm-radiusUserInstance . ,
RADIUS.
RADIUS start_accounting ibm-radiusactiveusers ,
,
. stop_accounting
.
, .
. API LDAP
.
:
, (PAP),
MD5.
, :
1. , ,
, .
2. - MD5,
.
3. , , .
4. -, 2, XOR
( ). user_password.
5. RADIUS -, 2.
6. (. 4) -
XOR.
:
, RADIUS PPP CHAP.
284
AIX 5.3:
CHAP .
- MD5 , RADIUS ,
.
:
(EAP) - ,
.
EAP
.
EAP. EAP :
v MD5-challenge
v One-time password
v Generic token card
v TLS
EAP RADIUS RADIUS,
EAP RADIUS . RADIUS
EAP , EAP.
RADIUS AIX MD5-challenge EAP.
EAP . ,
LDAP, . EAP
.

RADIUS
default.auth default.policy.
- RADIUS, RFC
/etc/radius/dictionary.
NAS .
.
.
- -, .
RADIUS,
.
: /etc/radius/
authorization/default.auth default.policy. default.policy
.
-, .
.
, -.policy. ,
, , .
- -.policy ,
default.policy.
, .
, .
.
285
default.auth -,
. default.auth -,
. default.auth,
SMIT. ,
, (NAS)
.
, ,
.auth, : -.auth.
/etc/radius/authorization.
SMIT.
, ,
default.auth. default.auth
-.auth , ,
.
( ), ,
.
:
1. /etc/radius/authorization/default.policy
default.auth .
2. .
3. -, .
a. -.auth.
b. , default.policy.
c. , .
4. , .
a. /etc/radius/authorization/-.auth
default.auth.
b. .
5. .
RADIUS , ,
.
radiusd.conf .
RADIUS , ACCOUNTING_START,
, , ,
. RADIUS,
.
ACCOUNTING_STOP, , ,
, .
ACCOUNTING_STOP, RADIUS .
ACCOUNTING_START ACCOUNTING_STOP RADIUS .
, ACCOUNTING_REQUEST
, . ,
Proxy,
, . Proxy
Proxy . 287.
286
AIX 5.3:
RADIUS (=)
/etc/var/radius/data/accounting. .
RADIUS , Accounting_Response
, syslog .
/var/radius/data/accounting:
/var/radius/data/accounting
ACCOUNTING START ACCOUNTING STOP.
/var/radius/data/accounting.
ACCOUNTING START ACCOUNTING STOP.
, AIX RADIUS /var/radius/data/accounting.
.
:
v , /var
.
v Perl . ,
Web- http://www.pgregg.com/projects/
radiusreport
v Proxy.
27 2004 . 14.43.19
NAS-IP-Address = 10.10.10.1
NAS-Port = 1
NAS-Port-Type = Async
User-Name = "rod"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Framed-User
Acct-Session-Id = "0000000C"
Framed-Protocol = PPP
Acct-Delay-Time = 0
Timestamp = 1085686999
27 2004 . 14.45.19
NAS-IP-Address = 10.10.10.1
NAS-Port = 1
<-- rod #1
NAS-Port-Type = Async
User-Name = "rod"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Framed-User
Acct-Session-Id = "0000000C"
<-- ,
.
Framed-Protocol = PPP
Framed-IP-Address = 10.10.10.2
<-- IP- rod
Acct-Terminate-Cause = User-Request <--
Acct-Input-Octets = 4016
Acct-Output-Octets = 142
Acct-Input-Packets = 35
Acct-Output-Packets = 7
Acct-Session-Time = 120 <--
Acct-Delay-Time = 0
Timestamp = 1085687119 <-- 120 (2 )
Proxy
Proxy RADIUS , NAS,
RADIUS NAS. Proxy
.
287
RADIUS Proxy .
, . Proxy
radiusd.conf.
:
- , ,
User-Name, RADIUS
.
RADIUS:
XYZ, .
SAC.
. - NYC. , NYC,
User-Name SAC/Joe. RADIUS NYC,
, SAC.
User-Name:
User-Name .
,
.
User-Name . ,
, , User-Name,
, RADIUS.
, User-Name. , (/)
User-Name (&) . radiusd.conf.
User-Name .
User-Name, :
USA/TEXAS/AUSTIN/joe
User-Name, :
joe@USA@TEXAS@AUSTIN
, . ,
, ,
.
.
,
:
USA/joe@TEXAS@AUSTIN
Proxy:
Proxy RADIUS proxy, /etc/radius directory.
proxy . proxy :
Realm Name, Next Hop IP address Shared Secret.
Proxy :
288
AIX 5.3:
Proxy
Proxy
Proxy
Proxy
Proxy
Proxy /etc/radius/proxy .
:
realm_name
next_hop_address
shared_secret
Proxy . , ,
/etc/radius/proxy.
Proxy RADIUS .
/etc/radius/proxy_file.
.
/etc/radius/clients
. 277.
Proxy , :
Proxy
*
[] ( 64 )
*IP- ( ) [xx.xx.xx.xx]
*
[] ( 6 256 )
Proxy . ,
, .
Proxy . ,
, .
.
Proxy radiusd.conf:
#------------------------------------------------------------------#
#
PROXY RADIUS
#
#
#
#
#
# Proxy_Allow
: ON OFF. ON,#
#
proxy ,#
#
, #
#
.
#
# Proxy_Use_Table
: ON OFF. ON,#
#
-#
#
-#
#
.
#
#
Proxy ON, Proxy_Use_Table = ON,#
#
ON.
#
# Proxy_Realm_name
: ,
#
#
.
#
# Proxy_Prefix_delim
:
#
#
,
#
#
.
#
#

#
#
. #
# Proxy_Suffix_delim
:
#
#
,
#
289
#
.
#
#

#
#
. #
# Proxy_Remove_Hops
: YES NO. #
#
YES,
#
#
,
#
#
, #
#
.
#
#
#
# Proxy_Retry_count
:
#
#
.
#
#
#
# Proxy_Time_Out
:
#
#

#
#
.
#
#
#
#------------------------------------------------------------------#
Proxy_Allow
:
OFF
Proxy_Use_Table
:
OFF
Proxy_Realm_name
:
Proxy_Prefix_delim
:
$/
Proxy_Suffix_delim
:
@.
Proxy_Remove_Hops
:
NO
Proxy_Retry_count
:
2
Proxy_Time_Out
:
3
RADIUS:
RADIUS .
/etc/radius/radiusd.conf.
.
: RADIUS,
SMIT:
290
AIX 5.3:

RADIUS
*
AVL

/etc/radius
[UNIX]
[dbdata.bin]
[]
[]
[3]
[]
[]
[]
[]
[]
[]
*
*
[1812]
[1813]
LDAP
LDAP
LDAP
LDAP
LDAP
LDAP
LDAP
LDAP
LDAP
[]
[389]
[]
[]
[cn=aixradius]
[0]
[0]
[10]
[0]
Proxy
Proxy
Proxy
Proxy
Proxy
:
Proxy
Proxy
- Proxy
UNIX
IP
[]
[]
[]
[$/]
[@.]
[]
[2]
[30]
[]
[]

OpenSSL
[TLS, MD5]
[ ]

RADIUS SYSLOG.
:
0
, .
access_accept, access_reject*, discard error.

: discard ,
.
, 0 3, . 9
.
3.
RADIUS. ,
, .
SYSLOG , ,
.
, .
291
LDAP IBM Tivoli Directory Server

Version 5.2 Administration Guide, Web- Tivoli Software Information Center.
RADIUS syslogd:
SYSLOG syslogd.
syslogd .
1. /etc/syslog.conf local4.debug var/adm/ipsec.log.
IP local4.
. IP ,
debug.
:
.
2. /etc/syslog.conf.
3. , , .
/var/adm touch:
touch ipsec.log
4. refresh syslogd:
refresh -s syslogd
SYSLOG:
Debug_Level, radiusd.conf, .
0, 3 9, ,
SYSLOG.
- 3. radiusd.conf
:
#.
#.
#.
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
292
Debug_Level
RADIUS.
: 0, 3 9.
3.
,
*.debug
/etc/syslog.conf
#
#
#
#
#
#
#

#
, syslog.
#
, "9"
#

#
,
#
"0" "3".
#
#
0 :
#
syslogd.
#
RADIUS #
. #
.
#
3 : ACCESS ACCEPT,
#
REJECT DISCARD .
#

#
.
#
#
9 : . - #
AIX 5.3:
#

#
#
,
#
#
.
#
#
[ ] #
#
#
#------------------------------------------------------------------#
.
3
18
18
18
18
18
18
18
18
18
18
18
18
18
18
18
18
18
18
18
18
18
18
10:23:57
10:23:57
10:23:57
10:23:57
10:23:57
10:23:57
10:23:57
10:23:57
10:24:07
10:24:07
10:24:07
10:24:07
10:24:07
10:24:07
10:24:07
10:24:13
10:24:13
10:24:13
10:24:14
10:24:14
10:24:14
10:24:14
server1
server1
server1
server1
server1
server1
server1
server1
server1
server1
server1
server1
server1
server1
server1
server1
server1
server1
server1
server1
server1
server1
syslog: [0]: [389288]

radiusd[389288]: [0]: (AVL) .
radiusd[389288]: [0]: : Pid= 549082 = 1812
radiusd[389288]: [0]: : Pid= 643188 = 1813
radiusd[643188]: [0]: [15]
radiusd[643188]: [0]: [15]
radiusd[549082]: [0]: [15]
radiusd[549082]: [0]: [15]
radiusd[643188]: [1]:*** Process_Packet() ***
radiusd[643188]: [1]: 4, = 96, = 41639 = 10.10.10.10
radiusd[643188]: [1]:ACCOUNTING-START - [ user_id1 ]
radiusd[643188]: [1]: 96 10.10.10.10 (client1.ibm.com)
radiusd[643188]: [1]:send_acct_reply() :
radiusd[643188]: [1]: = 5, = 96, = 20
radiusd[643188]: [2]: 4, = 97, = 41639 = 10.10.10.10
radiusd[643188]: [2]:ACCOUNTING-STOP - [ user_id1 ]
radiusd[643188]: [2]: 97 10.10.10.10 (client1.ibm.com)
radiusd[643188]: [2]:send_acct_reply() :
radiusd[643188]: [2]: = 5, = 97, = 20
radiusd[643188]: [2]:*** Process_Packet() **
9
18 10:21:18 server1 syslog: [0]: [643170]
18 10:21:18 server1 radiusd[643170]: [0]: (AVL) .
18 10:21:18 server1 radiusd[643170]: [0]: : Pid= 389284 = 1812
18 10:21:18 server1 radiusd[643170]: [0]: : Pid= 549078 = 1813
18 10:22:03 server1 radiusd[643170]: [0]:PID = [389284]
18 10:22:03 server1 radiusd[643170]: [0]:PID = [549078]
18 10:22:03 server1 radiusd[643170]: [0]: .
radiusd
18 10:22:09 server1 syslog: [0]: [1081472]
18 10:22:09 server1 radiusd[1081472]: [0]: (AVL) .
18 10:22:09 server1 radiusd[1081472]: [0]: client_init()
18 10:22:09 server1 radiusd[1081472]: [0]: : 1
18 10:22:09 server1 radiusd[1081472]: [0]:
read_authorize_policy s /etc/radius/authorization/default.policy.
18 10:22:09 server1 radiusd[1081472]: [0]:
read_authorize_file /etc/radius/authorization/default.policy.
18 10:22:09 server1 radiusd[1081472]: [0]:
read_authorize_file() .
18 10:22:09 server1 radiusd[1081472]: [0]:
read_authorize_file /etc/radius/authorization/default.auth.
18 10:22:09 server1 radiusd[1081472]: [0]:
read_authorize_file() .
18 10:22:09 server1 radiusd[549080]: [0]:connect_to_LDAP_server:
( )=LDAP.
LDAP = server1.austin.ibm.com.
LDAP=389.
18 10:22:09 server1 radiusd[1081472]: [0]:
: Pid= 549080 = 1812
( )=LDAP.
LDAP = server1.austin.ibm.com.
293
LDAP=389.
18 10:22:09 server1
Pid= 389286 = 1813
18 10:22:10 server1
18 10:22:10 server1
[15]
18 10:22:10 server1
18 10:22:10 server1
18 10:22:15 server1
18 10:22:15 server1
18 10:22:15 server1
18 10:22:15 server1
18 10:22:15 server1
18 10:22:15 server1
18 10:22:15 server1
18 10:22:15 server1
18 10:22:15 server1
18 10:22:15 server1
18 10:22:15 server1
18 10:22:15 server1
18 10:22:15 server1
18 10:22:15 server1
18 10:22:15 server1
radiusd[1081472]: [0]: :
radiusd[549080]: [0]: [15]
radiusd[549080]: [0]:
radiusd[389286]:
radiusd[389286]:
radiusd[389286]:
radiusd[389286]:
radiusd[389286]:
radiusd[389286]:
radiusd[389286]:
radiusd[389286]:
radiusd[389286]:
radiusd[389286]:
radiusd[389286]:
radiusd[389286]:
radiusd[389286]:
radiusd[389286]:
radiusd[389286]:
radiusd[389286]:
radiusd[389286]:
[0]: [15]
[0]: [15]
[1]:*** Process_Packet() ***
[1]: :
[1]: = 4, = 94, = 80
[1]: = 0xC5DBDDFE6EFFFDBD6AE64CA35947DD0F
[1]:
= 40, = 6, = 0x00000001
[1]:
= 1, = 8, = 0x67656E747931
[1]:
= 4, = 6, = 0x00000000
[1]:
= 8, = 6, = 0x0A0A0A01
[1]:
= 44, = 8, = 0x303030303062
[1]:
= 30, = 10, = 0x3132332D34353638
[1]:
= 31, = 10, = 0x3435362D31323335
[1]:
= 85, = 6, = 0x00000259
[1]: parse_packet()
[1]: 4, = 94, = 41639 = 10.10.10.10
[1]:Acct-Status-Type = Sta
0
18
18
18
18
10:06:11
10:06:11
10:06:11
10:06:11
server1
server1
server1
server1
syslog: [0]: [1081460]

radiusd[1081460]: [0]: (AVL) .
radiusd[1081460]: [0]: : Pid= 549076 = 1812
radiusd[1081460]: [0]: : Pid= 389282 = 18
3
18 10:01:32 server2 radiusd[389276]: [3]:*** Process_Packet() ***
18 10:01:32 server2 radiusd[389276]: [3]: 1, = 72, = 41638 = 10.10.10.10
18 10:01:32 server2 radiusd[389276]: [3]:authenticate_password_PAP: ,

18 10:01:32 server2 radiusd[389276]: [3]: [user_id1]
IP- [10.10.10.10]
18 10:01:32 server2 radiusd[389276]: [3]:ACCESS-REJECT -
72 10.10.10.10 (client1.ibm.com)
18 10:01:32 server2 radiusd[389276]: [3]:send_reject() :
18 10:01:32 server2 radiusd[389276]: [3]: = 3, = 72, = 30
18 10:01:53 server2 radiusd[389276]: [4]: 1, = 74, = 41638 = 10.10.10.10

IP- [10.10.10.10]
IP- [10.10.10.10]
18 10:01:53 server2 radiusd[389276]: [4]:ACCESS-ACCEPT -
74 10.10.10.10 (client1.ibm.com)
18 10:01:53 server2 radiusd[389276]: [4]:send_accept() :
18 10:01:53 server2 radiusd[389276]: [4]: = 2, = 74, = 31
18 10:01:53 server2 radiusd[389276]: [4]:*** Process_Packet() **
9
18 10:03:56 server1
18 10:03:56 server1
18 10:03:56 server1
18 10:03:56 server1
18 10:03:56 server1
18 10:03:56 server1
18 10:03:56 server1
**********************
18 10:03:56 server1
18 10:03:56 server1
18 10:03:56 server1
18 10:03:56 server1
294
radiusd[389278]:
radiusd[389278]:
radiusd[389278]:
radiusd[389278]:
radiusd[389278]:
radiusd[389278]:
radiusd[389278]:
[1]:*** Process_Packet() ***

[1]: :
[1]: = 1, = 77, = 58
[1]: = 0xE6CB0F9C22BB4E799854E734104FB2D5
[1]:
= 1, = 8, = 0x67656E747931
[1]:
= 4, = 6, = 0x00000000
[1]:
= 2, = 18, = 0x**********
radiusd[389278]:
radiusd[389278]:
radiusd[389278]:
radiusd[389278]:
[1]:
= 7, = 6, = 0x00000001
[1]: parse_packet()
[1]: 1, = 77, = 41638 = 10.10.10.10
[1]:User-Name = "user_id1"
AIX 5.3:
18 10:03:56 server1 radiusd[389278]: [1]:NAS-IP-Address = 10.10.10.10

18 10:03:56 server1 radiusd[389278]: [1]:Framed-Protocol = PPP
18 10:03:56 server1 radiusd[389278]: [1]: parse_packet()
18 10:03:56 server1 radiusd[389278]: [1]: Message-Authenticator
18 10:03:56 server1 radiusd[389278]: [1]: proxy_request_needed()
18 10:03:56 server1 radiusd[389278]: [1]:Proxy
18 10:03:56 server1 radiusd[389278]: [1]: = [user_id1]
18 10:03:56 server1 radiusd[389278]: [1]:IP- = [10.10.10.10]
18 10:03:56 server1 radiusd[389278]: [1]: parse_for_login( user_id1 )
18 10:03:56 server1 radiusd[389278]: [1]:User_id = [user_id1]
18 10:03:56 server1 radiusd[389278]: [1]: rad_authenticate()
18 10:03:56 server1 radiusd[389278]: [1]: [client1.austin.ibm.com]
18 10:03:56 server1 radiusd[389278]: [1]: get_ldap_user() LDAP
18 10:03:56 server1 radiusd[389278]: [1]:get_ldap_user: LDAP: user_id1.
18 10:03:56 server1 radiusd[389278]: [1]:get_ldap_user:LDAP max_login_cnt:2.
18 10:03:56 server1 radiusd[389278]: [1]:get_ldap_user:LDAP EAP_type: 4.
18 10:03:56 server1 radiusd[389278]: [1]:get_ldap_user:LDAP passwordexpiredweeks: 9.
18 10:03:56 server1 radiusd[389278]: [1]:get_ldap_active_sessions: = 2.
18 10:03:56 server1 radiusd[389278]: [1]:get_ldap_active_session:dn retrieved=
radiusuniqueidentifier=user_id11,ou=radiusActiveUsers,cn=aixradius.
18 10:03:56 server1 radiusd[389278]: [1]: get_client_secret ip-:10.10.10.10
18 10:03:56 server1 radiusd[389278]: [1]: NAS-IP = [10.10.10.10]
18 10:03:56 server1 radiusd[389278]: [1]: .

18 10:03:56 server1 radiusd[389278]: [1]:is_ldap_pw:
IP- [10.10.10.10]
18 10:03:56 server1 radiusd[389278]: [1]: rad_authorize().
18 10:03:56 server1 radiusd[389278]: [1]:
read_authorize_policy : /etc/radius/authorization/user_id1.policy.
18 10:03:56 server1 radiusd[389278]: [1]:
read_authorize_file : s/etc/radius/authorization/user_id1.policy.
18 10:03:56 server1 radiusd[389278]: [1]:
/etc/radius/authorization/user_id1.policy file. , .
18 10:03:56 server1 radiusd[389278]: [1]: :
/etc/radius/authorization/user_id1.policy.
18 10:03:56 server1 radiusd[389278]: [1]:rad_authorize:
.
18 10:03:56 server1 radiusd[389278]: [1]: create_def_copy().
18 10:03:56 server1 radiusd[389278]: [1]: .
18 10:03:56 server1 radiusd[389278]: [1]: read_authorize_file :
/etc/radius/authorization/user_id1.auth.
18 10:03:56 server1 radiusd[389278]: [1]:
/etc/radius/authorization/user_id1.auth. , .
18 10:03:56 server1 radiusd[389278]: [1]:rad_authorize:
.
IP- [10.10.10.10]
18 10:03:56 server1 radiusd[389278]: [1]:ACCESS-ACCEPT -
77 10.10.10.10 (client1.austin.ibm.com)
18 10:03:56 server1 radiusd[389278]: [1]: proxy_response_needed()
18 10:03:56 server1 radiusd[389278]: [1]: get_client_secret ip-:10.10.10.10
18 10:03:56 server1 radiusd[389278]: [1]: .
18 10:03:56 server1 radiusd[389278]: [1]: = 2, = 77, = 31
18 10:03:56 server1 radiusd[389278]: [1]: = 2, = 77, = 31
18 10:03:56 server1 radiusd[389278]: [1]: = 0xCCB2B645BBEE86F5E4FC5BE24E904B2A
18 10:03:56 server1 radiusd[389278]: [1]:
= 18, = 11, = 0x476F6F646E65737321
18 10:04:18 server1 radiusd[389278]: [2]: :
18 10:04:18 server1 radiusd[389278]: [2]: = 1, = 79, = 58
18 10:04:18 server1 radiusd[389278]: [2]: = 0x774298A2B6DD90D7C33B3C10C4787D41
18 10:04:18 server1 radiusd[389278]: [2]:
= 1, = 8, = 0x67656E747931
18 10:04:18 server1 radiusd[389278]: [2]:
= 4, = 6, = 0x00000000
18 10:04:18 server1 radiusd[389278]: [2]:
= 2, = 18, = 0x*******
295
*************************
18 10:04:18 server1 radiusd[389278]: [2]:
= 7, = 6, = 0x00000001
18 10:04:18 server1 radiusd[389278]: [2]: 1, = 79, = 41638 = 10.10.10.10
18 10:04:18 server1 radiusd[389278]: [2]:User-Name = "user_id1"
18 10:04:18 server1 radiusd[389278]: [2]:NAS-IP-Address = 10.10.10.10
18 10:04:18 server1 radiusd[389278]: [2]:Framed-Protocol = PPP
18 10:04:18 server1 radiusd[389278]: [2]: proxy_request_needed()
18 10:04:18 server1 radiusd[389278]: [2]:Username = [user_id1]
18 10:04:18 server1 radiusd[389278]: [2]:IP- = [10.10.10.10]
18 10:04:18 server1 radiusd[389278]: [2]: parse_for_login( user_id1 )
18 10:04:18 server1 radiusd[389278]: [2]: rad_authenticate()
18 10:04:18 server1 radiusd[389278]: [2]: [client1.austin.ibm.com]
18 10:04:18 server1 radiusd[389278]: [2]: get_ldap_user() LDAP
18 10:04:18 server1 radiusd[389278]: [2]:get_ldap_user: LDAP: user_id1.
18 10:04:18 server1 radiusd[389278]: [2]:get_ldap_user:LDAP max_login_cnt:2.
18 10:04:18 server1 radiusd[389278]: [2]:get_ldap_user:LDAP EAP_type: 4.
18 10:04:18 server1 radiusd[389278]: [2]:get_ldap_user:LDAP passwordexpiredweeks: 9.
18 10:04:18 server1 radiusd[389278]: [2]:get_ldap_active_sessions: = 2.
18 10:04:18 server1 radiusd[389278]: [2]:get_ldap_active_session:dn retrieved=
radiusuniqueidentifier=user_id11, ou=radiusActiveUsers, cn=aixradius.
18 10:04:18 server1 radiusd[389278]: [2]:
get_client_secret ip-:10.10.10.10
18 10:04:18 server1 radiusd[389278]: [2]: .
18 10:04:18 server1 radiusd[389278]: [2]:authenticate_password_PAP:
,
18 10:04:18 server1 radiusd[389278]: [2]:
[user_id1] IP- [10.10.10.10]
18 10:04:18 server1 radiusd[389278]: [2]:ACCESS-REJECT -
79 10.10.10.10 (client1.austin.ibm.com)
18 10:04:18 server1 radiusd[389278]: [2]:
proxy_response_needed()
18 10:04:18 server1 radiusd[389278]: [2]:
get_client_secret ip-:10.10.10.10
18 10:04:18 server1 radiusd[389278]: [2]: .
18 10:04:18 server1 radiusd[389278]: [2]: = 3, = 79, = 30
18 10:04:18 server1 radiusd[389278]: [2]: = 3, = 79, = 30
18 10:04:18 server1 radiusd[389278]: [2]: = 0x05D4865C6EBEFC1A9300D2DC66F3DBE9
18 10:04:18 server1 radiusd[389278]: [2]:
= 18, = 10, = 0x4261646E65737321
18 10:04:18 server1 radiusd[389278]: [2]: Leave_Packet()

RADIUS
RADIUS.
,
. AIX.
.
RADIUS .
radiusd.conf ,
RADIUS. .
Password_Expired_Reply_Message,
password-expired.
PAP.
296
AIX 5.3:

(VSA) , ,
, RADIUS.
.
RADIUS.
.
NAS ,
.
, VSA
User-Name Password. , ,
Access-Request, .
, , NAS
. =
-.policy.
VSA :
########################################################################
#
#
# , #
# (VSA).
#
# "Cisco". /
#
# "VENDOR".
#
#
#
# :
#
#
#
# VENDOR
Cisco
9
#
#
#
# VENDOR: , , , #
# Cisco.
#
# Cisco :
#
# 9
: , RFC "Assigned Numbers"
#
#
#
########################################################################
#VENDOR
Cisco
#ATTRIBUTE
Cisco-AVPair
1
string
#ATTRIBUTE
Cisco-NAS-Port
2
string
#ATTRIBUTE
Cisco-Disconnect-Cause
195
integer
#
#----------------Cisco-Disconnect-Cause---------------------------------#
#
#VALUE
Unknown
2
#VALUE
CLID-Authentication-Failure 4
#VALUE
No-Carrier
10
#VALUE
Lost-Carrier
11
#VALUE
No-Detected-Result-Codes
12
#VALUE
User-Ends-Session
20
#VALUE
Idle-Timeout
21
#VALUE
Exit-Telnet-Session
22
#VALUE
No-Remote-IP-Addr
23
RADIUS
- , radiusd.conf.
NAS AP . ,
. , ,
297
.
. .
RADIUS :
v
v
v CHAP
v
radiusd.conf
.
SMIT. 256 .
:
1. radiusd radiusd.conf
.
2. .
3. ,
. , , .
4. ,
.
5. , CHAP
.
IP RADIUS
RADIUS IP- IP.
IP- .
IP-.
IP- RADIUS :
v Framed-Pool
v
v IP RADIUS
Framed-Pool
(NAS) IP -. RADIUS
Framed-Pool ( 88 ), NAS
RFC2869. NAS
, Framed-Pool
default.auth user.auth RADIUS. RADIUS
:
ATTRIBUTE
Framed-Pool
88
NAS , .
NAS IP-. NAS IP-,
, .

(ISV) Framed-Pool,
IP-. RADIUS
298
AIX 5.3:
(VSA). , Cisco NAS

Cisco-AVPair. RADIUS :
VENDOR
TTRIBUTE
Cisco
Cisco-AVPair
9
1
NAS
Cisco-AVPair=ip:addr-pool=-, - - ,
NAS. RADIUS
. NAS IP- .
NAS
, VSA default.auth user.auth
RADIUS.
IP RADIUS
RADIUS , IP- IP-. IP-
Framed-IP-Address .
IP- SMIT. /etc/radius/
ippool_def. etc/radius/clients.
NAS. RADIUS
etc/radius/clients /etc/radius/ippool_def.
IP- ,
RADIUS . RADIUS
(/etc/radius/radius.conf) , IP- (Enable_IP_Pooling=YES),
IP- (IP_pool_flag) On.
poolname.data. ,
. .
, etc/radius/clients
/etc/radius/ippool_def. poolname.data 256
( AIX). poolname.data 256 ,
RADIUS .
IP /etc/radius/ippool_def IP-
. IP- NAS, NAS IN
USE. - NAS-IP NAS-port.
, UDP , IP-
NAS. , NAS -,
etc/radius/clients.
. , NAS-IP
NAS-port in use () RADIUS. IP-
Framed-IP-Address NAS .
poolname.data , , .
, RADIUS .
IP- , NAS
RADIUS .
:
v NOT_POOLED nas_ip.
v POOL_EXHAUSTED nas_ip , .
299
NAS NAS-, IP-,

, IN USE Off
NAS-IP-address NAS-port. IP-.
IP- , RADIUS NAS .
NAS-IP-address NAS-port. ippool_mem
:
v IP-. IN USE true.
v . IP- in use
false.

poolname.data . IP-
ON OFF Enable_IP_Pooling RADIUS (radiusd.conf).
, IP- default.auth
user.auth. , IP-,
Enable_IP_Pool = NO.
/etc/radius/ippool_def, SMIT:

Floor5
192.165.1.1
192.165.1.125
Floor6
192.165.1.200
192.165.1.253
/etc/radiusclients, SMIT:
NAS-IP
1.2.3.4
Secret1
Floor5
1.2.3.5
Secret2
Floor6
1.2.3.6
Secret3
Floor5
1.2.3.7
Secret4
, NAS-IP-Address 1.2.3.7 . NAS IP-

( IP_pool_flag = True).
, RADIUS .
, IP-,
default.auth user.auth. NAS-Port .
IP , IP-
default.auth, user.auth, .
RADIUS IP- , , NAS. IP-
, ( ) .
IP-, auth, .
IP , NAS , NAS-IP
, NAS,
.
Floor5.data, :
300
AIX 5.3:
IP-
NAS-IP
NAS-Port
In Use
192.165.1.1
1.2.3.4
192.165.1.2
1.2.3.4
.......
....
....
192.165.1.124
1.2.3.6
192.165.1.125
1.2.3.6
............
Floor6.data, :
IP-
NAS-IP
NAS-Port
In Use
192.165.200
1.2.3.4
192.165.201
1.2.3.4
............
.......
....
....
192.165.1.252
1.2.3.4
192.165.1.253
1.2.3.4
NAS IP- (, NAS),

poolname.data IP- .
SMIT:
v IP
v IP
SMIT IP
( ).
64 . , IP-
, RADIUS IP-,
Framed-IP-Address.
IP :
v IP
v IP
v / IP
v IP
v IP
v IP
IP: , IP-
IP- .
IP: , .
ippool_def.
.
RADIUS .
/ IP:
. .
. Enter ippool_def.
RADIUS .
301
IP: .
?, .
ippool_def rmippool.
RADIUS .
IP : IN-USE 0 IP-,
NAS. , IP- NAS .
RADIUS .
IP: ?,
ippool_mem.
RADIUS .
SMIT RADIUS
, (*),
RADIUS SMIT.
SMIT:
smitty radius
RADIUS:
RADIUS

Proxy

RADIUS
RADIUS
RADIUS, SMIT:
302
AIX 5.3:

RADIUS
*
AVL

/etc/radius
[UNIX]
[dbdata.bin]
[]
[]
[3]
[]
[]
[]
[]
[]
[]
*
*
[1812]
[1813]
LDAP
LDAP
LDAP
LDAP
LDAP
LDAP
LDAP
LDAP
LDAP
[]
[389]
[]
[]
[cn=aixradius]
[0]
[0]
[10]
[0]
Proxy
Proxy
Proxy
Proxy
Proxy
:
Proxy
Proxy
- Proxy
UNIX
IP
[]
[]
[]
[$/]
[@.]
[]
[2]
[30]
[]
[]

OpenSSL
[TLS, MD5]
[ ]
SMIT F1.

RADIUS.
,
RADIUS , ,
. AIX RADIUS
/dev/urandom.
. NIST
.
NLS
RADIUS raddbm SMIT NLS.
API AIX NLS.

: installp, mkuser raddbm
303
AIX
AIX ,
, .
,
AIX.

: chfilt, ckfilt, expfilt, genfilt, impfilt, lsfilt, mkfilt, mvfilt, rmfilt.

, ,
. AIX

.
:
bos.net.ipsec.
IP (IPsec) AIX.
:
, ,
IPsec. ,
, .
- , .
.
genfilt. ,
, .
mkfilt. , mkfilt
.
.
,
.

.
. , ,
, sendmail,
SMTP 25 sendmail.
, .
genfilt , ,
Web- http://www.clamav.net.
:
: , .
.
304
AIX 5.3:

- ASCII,
:
GET /../../../../../../../../

:
0x33c0b805e0cd16b807e0cd1650558becc7460200f05d0733ffb8c800b9fffff3abb00150
e670e47132c0e67158fec03c8075f033c033c9b002fa99cd26fb4183f90575f5c3
:
0x.

.
Web- http://www.clamav.net.
:
/
.
,
, ,
.
,
, , ,
.
, 37, ,
, . 37
, ,
, .
, .
:
1. , ,
, .
2. lsfilt -a.

, .

,
.
305
:
, ,
. IF, ELSE ENDIF
,
.
, .
mkfilt -u ELSE ,
IF. IF IF ,
mkfilt -u.
ckfilt
, , :
%ckfilt -v4
IPv4.
Rule 2
IF Rule 3
IF Rule 4
Rule 5
ELSE Rule 6
Rule 7
ENDIF Rule 8
ELSE Rule 9
Rule 10
ENDIF Rule 11
Rule 0
:
,
mkfilt -v [4|6] -u.
genfilt -e.
mkfilt genfilt.
: IF, ELSE ENDIF.
,
. .
SMIT
SMIT.
SMIT .
1. : smitty ipsec4
2. IP.
3. IP.
4. IP.
306
AIX 5.3:
IP
.
Enter.
[]
[ ]
*
[permit]
* IP-
[]
* IP-
[]
IP-
[]
IP-
[]
* (PERMIT/) []
*
[]
* / ICMP
[]
* / ICMP
[0]
* / ICMP
[]
* / ICMP
[0]
*
[]
*
[]
*
[]
*
[0]
*
[]
()
[]

[]
/
[]
[]
" " :
x
+
+
+
#
+
#
+
+
+
+
+
#
+
x#
x
x
action : permit, deny, shun_host, shun_port, if, else, endif.

,
mkfilt -a. /etc/security/ipsec_filter.
AIX
AIX (TCP, NET, IPSEC,
).
AIX .
bos.aixpert. AIX ,
, AIX, 300
,
. AIX
,
.
AIX .

. ,
.
AIX WSM (Web- ), SMIT
aixpert.
307
AIX
:

AIX

AIX .

AIX
,
.
,
. , AIX.
AIX
.
UNIX.
(, ),
.
, -
. , telnet rlogin,
.
, .
, , , ,
,
.

NIST 800-70, NIST IT .
AIX
AIX .
.
, ( ,
), ,
.
.
308
AIX 5.3:
13. AIX -

mindiff
/etc/security/user,
, ,
.
,
AIX

4

3

AIX

minage
/etc/security/user,
, .

4

AIX

maxage
/etc/security/user,
, .

13

13

52
AIX

minlen
/etc/security/user,
.

8

8
AIX

minalpha
/etc/security/user,
.

1

AIX

309
13. AIX - ()

,
AIX
histexpire
/etc/security/user, ,
.

13

13

26
AIX

maxrepeats
/etc/security/user,
.

AIX
8
histsize
/etc/security/user,
, .

20

4

4
AIX

maxexpired
/etc/security/user,
, maxage,
.

4

8
AIX
-1

,
,
minother
/etc/security/user,
, , .

2

1

AIX

310
AIX 5.3:
13. AIX - ()
,
AIX
pwdwarntime
/etc/security/user, ,
5

.

14

5
AIX

AIX
AIX , .
14. AIX -
,
AIX
:
% grpck -y ALL
AIX

TCB
tcbck
TCB. :
% tcbck -y ALL
: TCB ,
TCB.
(prereqtcb)
.
: TCB
.
sysck
/etc/objrepos/inventory:
% sysck -i -f \
/etc/security/sysck.cfg.rte
AIX
AIX

311
14. AIX -
()
,
AIX
:
% pwdck -y ALL
AIX

.

:
% usrck -y ALL
AIX

AIX
AIX .
: , ,
, , ,
su, , , root,
, root. ,
root,
.
15. AIX -
,
AIX
logininterval

/etc/security/login.cfg,
300
( ),
, ,
. , logininterval 60
60
logindisable 4, ,

.
AIX

312
AIX 5.3:
15. AIX - ()

loginretries
/etc/security/user,

, , .
root.
,
AIX

3

4

AIX

root
rlogin /etc/security/user,
,
root.

AIX
loginreenable
( ), ,
, -
logindisable.

360

30

AIX

logindisable

,
.

10

10

AIX

logintimeout
, .

30

60

60
AIX
60
313
15. AIX - ()

logindelay
( )
.
. ,
logindelay 5,

.
, 10 (2*5),
,
15 (3*5).
,
AIX

10

5

5
AIX

login /etc/security/user,
,
root.

AIX

AIX
AIX .
, ,
,
(). , , :
1. , .
, AIX
.
2. 100 ,
, /audit 100.
AIX .
.
1. JFS /audit.
100 .
2. . /etc/security/audit/config
:
start:
binmode = on
streammode = off
bin:
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 10240
cmds
= /etc/security/audit/bincmds
.
.
etc
314
AIX 5.3:
3. ,
.
4. , .
5. ,
. , auditclasses
/usr/lib/security/mkuser.default.
6. /audit, cronjob.
.
, AIX
:
16. , AIX

AIX
/etc/security/audit/config
:
Root:
Root:
Root:
General
Src
Mail
Cron
Tcpip
Ipsec
Lvm
User:
General
Src
Cron
Tcpip

/usr/lib/security/
mkuser.default

:
General
Src
Tcpip
General
Tcpip
User:
General
User:
General
Tcpip

/usr/lib/security/
mkuser.default

:

/usr/lib/security/
mkuser.default

:
default=login
login = USER_SU,
USER_Login,
USER_Logout,
TERM_Logout,
USER_Exit
auditclasses=general
auditclasses=general,
tcpip
auditclasses=general,SRC,
cron,tcpip
, cronjob /audit.
true,
. ,
/audit . /audit ,
( ,
/audit/trail /audit/trailOneLevelBack ).
AIX /etc/inittab
AIX /etc/inittab,
.
315
17. AIX - /etc/inittab
qdaemon
/ qdaemon /etc/inittab:
qdaemon:2:wait:/usr/bin/startsrc sqdaemon
,

AIX

AIX

lpd /
lpd

/etc/inittab:
lpd:2:once:/usr/bin/startsrc -s lpd

AIX
CDE /
CDE
LFT,
/etc/inittab:
dt:2:wait:/etc/rc.dt

AIX

piobe /
piobe

/etc/inittab:
piobe:2:wait:/usr/lib/lpd/pio/etc/pioinit
>/dev/null 2>&1

AIX
316
AIX 5.3:
/etc/rc.tcpip
AIX
AIX /etc/rc.tcpip,
.
, /etc/rc.tcpip,
.
18. AIX /etc/rc.tcpip

/etc/rc.tcpip:
start /usr/lib/sendmail "$src_running"
,
AIX

AIX

/etc/rc.tcpip:
start /usr/sbin/routed "$src_running" -q

AIX

mrouted

/etc/rc.tcpip:
start /usr/sbin/mrouted "$src_running"

AIX

timed

/etc/rc.tcpip:
start /usr/sbin/timed

AIX
317
18. AIX /etc/rc.tcpip ()

rwhod

/etc/rc.tcpip:
start /usr/sbin/rwhod "$src_running"
,
AIX

AIX

/etc/rc.tcpip:
start /usr/sbin/lpd "$src_running"

AIX

SNMP /
SNMP

/etc/rc.tcpip:
start /usr/sbin/snmpd "$src_running"

AIX
DHCP
Agent

/etc/rc.tcpip:
start /usr/sbin/dhcprd "$src_running"

AIX

DHCP
/etc/rc.tcpip:
start /usr/sbin/dhcpsd "$src_running"

AIX
318
AIX 5.3:

autoconf6

/etc/rc.tcpip:
start /usr/sbin/autoconf6 "
,
AIX

AIX

DNS
/etc/rc.tcpip:
start /usr/sbin/named "$src_running"

AIX

gated

/etc/rc.tcpip:
start /usr/sbin/gated "$src_running"

AIX
DHCP
Client

/etc/rc.tcpip:
start /usr/sbin/dhcpd "$src_running"

AIX

DPID2

/etc/rc.tcpip:
start /usr/sbin/dpid2 "$src_running"

AIX
319

NTP
/etc/rc.tcpip:
start /usr/sbin/xntpd "$src_running"
,
AIX

AIX
/etc/inetd.conf
AIX
AIX /etc/inetd.conf.
AIX ,
. AIX
/etc/inetd.conf.
AIX .
,
/etc/inetd.conf.
19. AIX - /etc/inetd.conf

sprayd
/etc/inetd.conf:
/etc/inetd.conf sprayd sunrpc_udp udp wait root \

/usr/lib/netsvc/
,
AIX

AIX
UDP
chargen
/etc/inetd.conf

/etc/inetd.conf:
chargen dgram udp wait root internal

AIX
320
AIX 5.3:
19. AIX - /etc/inetd.conf ()

telnet /
telnet
/etc/inetd.conf:
telnet stream tcp6 nowait root \
/usr/sbin/telnetd telnetd
,
AIX

AIX

UDP Echo
/etc/inetd.conf

/etc/inetd.conf:
echo dgram udp wait root internal

AIX
tftp
/etc/inetd.conf

/etc/inetd.conf:
tftp dgram udp6 SRC nobody \
/usr/sbin/tftpd tftpd -n

AIX

krshd
/etc/inetd.conf:
kshell stream tcp nowait root \
/usr/sbin/krshd krshd

AIX
rusersd
/etc/inetd.conf

/etc/inetd.conf:
rusersd sunrpc_udp udp wait root \
/usr/lib/netsvc/

AIX
321

rexecd
/etc/inetd.conf:
/etc/inetd.conf / exec stream tcp6 nowait root \
rexecd
/usr/sbin/rexecd rexecd
/etc/inetd.conf
,
AIX

AIX

POP3D

/etc/inetd.conf:
pop3 stream tcp nowait root \
/usr/sbin/pop3d pop3d

AIX
pcnfsd
/etc/inetd.conf:
/etc/inetd.conf pcnfsd sunrpc_udp udp wait root \

/usr/sbin/rpc.pcnfsd pcnfsd

AIX
bootpd
/etc/inetd.conf

/etc/inetd.conf:
bootps dgram udp wait root \
/usr/sbin/bootpd

AIX
rwalld
/etc/inetd.conf:
/etc/inetd.conf rwalld sunrpc_udp udp wait root \

/usr/lib/netsvc/

AIX
322
AIX 5.3:

UDP
discard
/etc/inetd.conf

/etc/inetd.conf:
discard dgram udp wait root \
internal
,
AIX

AIX
/etc/inetd.conf:
TCP
daytime
daytime stream tcp nowait root \
/etc/inetd.conf / internal

TCP daytime
/etc/inetd.conf

AIX

netstat
/etc/inetd.conf:
/etc/inetd.conf netstat stream tcp nowait nobody \

/usr/bin/netstat

AIX

/etc/inetd.conf:
rshd /
rshd
shell stream tcp6 nowait root \
/usr/sbin/rshd rshd rshd
AIX

cmsd
/etc/inetd.conf:
/etc/inetd.conf / cmsd sunrpc_udp udp wait root \

/usr/dt/bin/rpc.cms cmsd
cmsd
/etc/inetd.conf

AIX

323

ttdbserver /etc/inetd.conf:
ttdbserver sunrpc_tcp tcp wait \

/etc/inetd.conf / root /usr/dt/bin/

ttdbserver
/etc/inetd.conf
,
AIX

AIX

uucpd
/etc/inetd.conf:
/etc/inetd.conf / uucp stream tcp nowait root \
uucpd /usr/sbin/uucpd uucpd
/etc/inetd.conf

AIX

UDP time /etc/inetd.conf:

/etc/inetd.conf / time dgram udp wait root internal

UDP time
/etc/inetd.conf

AIX

TCP time /etc/inetd.conf:
/etc/inetd.conf / time stream tcp nowait root \

internal
TCP time
/etc/inetd.conf

AIX

rexd
/etc/inetd.conf

/etc/inetd.conf:
rexd sunrpc_tcp tcp wait root \
/usr/sbin/tpc.rexd.rexd rexd
AIX
324
AIX 5.3:

TCP
chargen
/etc/inetd.conf

/etc/inetd.conf:
chargen stream tcp nowait root \
internal
,
AIX

AIX
rlogin
/etc/inetd.conf:
/etc/inetd.conf / login stream tcp6 nowait root \

rlogin /usr/sbin/rlogind rlogind
/etc/inetd.conf

AIX

talk
/etc/inetd.conf

/etc/inetd.conf:
talk dgram udp wait root \
/usr/sbin/talkd talkd
AIX

fingerd
/etc/inetd.conf

/etc/inetd.conf:
finger stream tcp nowait nobody \
/usr/sbin/fingerd fingerd

AIX
FTP /
FTP

/etc/inetd.conf:
ftp stream tcp6 nowait root \
/usr/sbin/ftpd ftpd

AIX

325

IMAPD

/etc/inetd.conf:
imap2 stream tcp nowait root \
/usr/sbin/imapd imapd
,
AIX

AIX
comsat
/etc/inetd.conf

/etc/inetd.conf:
comsat dgram udp wait root \
/usr/sbin/comsat comsat

AIX
rquotad
/etc/inetd.conf

/etc/inetd.conf:
rquotad sunrpc_udp udp wait root \
/usr/sbin/rpc.rquotad
AIX
/etc/inetd.conf:
UDP
daytime
daytime dgram udp wait root internal
/etc/inetd.conf /

UDP daytime
/etc/inetd.conf

AIX

krlogind
/etc/inetd.conf

/etc/inetd.conf:
klogin stream tcp nowait root \
/usr/sbin/krlogind krlogind

AIX
326
AIX 5.3:

TCP
Discard
/etc/inetd.conf

/etc/inetd.conf:
discard stream tcp nowait root \
internal
,
AIX

AIX
TCP echo /etc/inetd.conf:

/etc/inetd.conf echo stream tcp nowait root internal

AIX
sysstat
/etc/inetd.conf:
/etc/inetd.conf systat stream tcp nowait nodby \

/usr/bin/ps ps -ef

AIX
rstatd
/etc/inetd.conf

/etc/inetd.conf:
rstatd sunrpc_udp udp wait root \
/usr/sbin/rpc.rstatd rstatd

AIX
dtspc
/etc/inetd.conf

/etc/inetd.conf:
dtspc stream tcp nowait root \
/usr/dt/bin/dtspcd

AIX
SUID AIX
, SUID. ,
. AIX
SUID .
v rcp
327
v
v
v
v
v
rdist
remsh
rexec
rlogin
rsh
20. SUID - AIX

SUID
SUID
:
v /usr/bin/rcp
v /usr/bin/rdist
v /usr/bin/remsh
v /usr/bin/rexec
v /usr/bin/rlogin
v /usr/bin/rsh
SUID
SUID
:
v /usr/bin/rcp
v /usr/bin/rdist
v /usr/bin/remsh
v /usr/bin/rexec
v /usr/bin/rlogin
v /usr/bin/rsh
,
AIX

AIX

AIX
AIX
AIX .
,
. ,
, .
, .
AIX, .
v rcp
v rlogin
v
v
v
v
v
rsh
tftp
rlogind
rshd
tftpd
328
AIX 5.3:
21. AIX -

TCB, rlogind,
rshd tftpd, sysck
. TCB ,
rlogind, rshd tftpd.
,
AIX

AIX

1. TCB, rcp,
rlogin, rsh tftp sysck
. TCB

, rcp, rlogin

rsh.
2. rcp, rlogin,
rsh, tftp uftp, -

AIX.
3. tcpip: /etc/security/config,
.netrc ftp rexec.
1. TCB , rcp,
rlogin, rsh tftp sysck
. TCB
, rcp, rlogin rsh.
2. /etc/security/config.

AIX

AIX
1. TCB,

rlogind, rshd tftpd
sysck .

TCB , rlogind,

rshd tftpd .
NFS
2. rlogind,
rshd tftpd, -

AIX.
v NFS
v NFS
v NFS /etc/inittab
AIX

AIX

329
21. AIX - ()
,
AIX
NFS
v /etc/exports
v /etc/inittab /etc/rc.nfs

v /etc/rc.nfs

AIX
,
, AIX
AIX ,
.
/etc/hosts.equiv, $HOME/.rhosts
, .
, .
22. AIX - ,

rhosts netrc
.rhosts .netrc

, .
, AIX

.rhosts .netrc
,
root.

.rhosts .netrc
,
root.

.rhosts .netrc
root.
AIX
.rhosts .netrc
,
root.

/etc/hosts.equiv
/etc/hosts.equiv

$HOME/.rhosts, ,

.

,

.

/etc/hosts.equiv.

/etc/hosts.equiv.

/etc/hosts.equiv.
AIX
/etc/hosts.equiv.
AIX
.
0, , 1, .
330
AIX 5.3:
,
. ,
.
23. AIX -

ipsrcrouteforward
, ,
ICMP.
ipsrcrouteforward, ,

.
,
AIX

0

0

AIX
1
ipignoreredirects
.

AIX

clean_partial_conns
,
(SYN).

1

1
AIX

ipsrcrouterecv
, ,
ICMP.
ipsrcrouterecv, ,

.

AIX

ipforwarding
, .
ipforwarding,
.

AIX

331
23. AIX -
()

,
AIX
ipsendredirects
,
. ipsendredirects,
.

AIX
1

ip6srcrouteforward
, IPv6,
ICMP.
ip6srcrouteforward, ,

.

AIX
1

ip6srcrouteforward
,
.
directed_broadcast,
.

0

0
AIX

tcp_pmtu_discover
MTU
TCP. tcp_pmtu_discover,
,
.

0

0
AIX
1
bcastping
ICMP,
. bcastping,
smurf (,

IP-).

0

0

0
AIX

332
AIX 5.3:
23. AIX -
()

icmpaddressmas ,
ICMP. icmpaddressmask,
,
.
,
AIX

0

0

0
AIX

udp_pmtu_discover
MTU
UDP. udp_pmtu_discover,
,
.

0

0
AIX
1
ipsrcroutesend
,
ICMP. ipsrcroutesend,
,
.

AIX
1
nonlocsrcroute
, IP
.
nonlocsrcroute, ,

.

AIX

, .
24. AIX -

rfc1323
rfc1323
TCP.
,
AIX

1

1

1
AIX

333
24. AIX - ()

tcp_sendspace
tcp_sendspace
,
, ,
.
,
AIX

262144

262144

262144
AIX
16384
tcp_mssdflt
,
.

1448

1448

1448
AIX
1460
extendednetstats
.

1

1
AIX

tcp_recvspace
tcp_recvspace
,
.

262144

262144

262144
AIX
16384
sb_max
sb_max
,
,
,
.

1048576

1048576

1048576
AIX
1048576
IPsec AIX
AIX IPsec.
334
AIX 5.3:
25. AIX - IPsec

,
tcp udp .
,
.
,
AIX

AIX

.

,
.
.

AIX

AIX
AIX ,
.
26. - AIX

,
AIX

root
$HOME/.profile , $HOME/.kshrc,
$HOME/.cshrc $HOME/.login "."
PATH, .
AIX
, cron
root.

cron.allow

root
cron.deny.

AIX
cron.allow

cron.deny.
335
26. - AIX ()

/etc/environment
. PATH
/etc/environment.
,
AIX

AIX

-root
. PATH
$HOME/.profile, $HOME/.kshrc, $HOME/.cshrc
$HOME/.login , root.

AIX

root
/etc/ftpusers
root /etc/ftpusers,
, ftp
root.

AIX
root
/etc/ftpusers
root /etc/ftpusers, ,
ftp
root.

AIX
, /etc/security/login.cfg
herald
herald. herald ,
herald="Unauthorized use of
. herald ,
this system is
en_US -
prohibited.\nlogin:"
. ,
herald

Unauthorized use of this \
this system is
system is prohibited.\nlogin:
:
.
,
.

this system is
AIX
herald=
336
AIX 5.3:
26. - AIX ()

guest
guest
,
.
AIX, guest .
:
,
AIX
.
,
AIX

guest

guest

guest
AIX

guest.

Crontab
, crontab root

root.
AIX

X-Server

X-Server.

AIX

umask
/etc/security/user,
077
.

027

AIX
022

core
core
/etc/security/limits,
core root.
:
.
,
.

0

0

0
AIX
2097151
AIX
AIX .
337
AIX .
27. AIX
,

X-Server ,

,
root
AIX
guest ,

TCB ,
AIX
AIX .
AIX,
. -
AIX,
/etc/security/aixpert/check_report.txt
AIX.
, talkd /etc/inetd.conf, .
talkd , ,
check_report.txt :
coninetdconf.ksh: Service talk using protocol udp should be disabled, however it is enabled now.
, check_report.txt .
, , ,
, AIX.
,
.
AIX
AIX .
/etc/security/aixpert/core/aixpertall.xml
XML .
/etc/security/aixpert/core/appliedaixpert.xml
XML .
/etc/security/aixpert/core/secaixpert.xml
XML AIX
GUI.
/etc/security/aixpert/log/aixpert.log
. AIX
syslog; AIX
/etc/security/aixpert/log/aixpert.log.
: AIX XML
:
/etc/security/aixpert/
drwx------
338
AIX 5.3:
/etc/security/aixpert/core/
drwx-----/etc/security/aixpert/core/aixpertall.xml
r-------/etc/security/aixpert/core/appliedaixpert.xml
/etc/security/aixpert/core/secaixpert.xml
/etc/security/aixpert/log
drwx-----/etc/security/aixpert/log/aixpert.log
-rw------/etc/security/aixpert/core/secundoaixpert.xml
rw------/etc/security/aixpert/check_report.txt
rw-------

AIX
AIX.
AIX
(NIST) IT -
( Web- NIS:
http://www.nist.gov/index.html). , - ,
. , .
, .
, .
, .
Internet. Internet, ,
HTTP,
. ISP,
.
, .
telnet, rlogin, ftp ,
. Internet.
, openssh.
AIX, , -
, .
.
HTTP , .
, AIX ,
.
.
, Internet.

AIX
AIX.
339
, ,
. .
, telnet ftp.
, ,
,
. ,
.

AIX
AIX.
.
. .
, .
.
AIX

AIX.
AIX ,
. , AIX AIX.
, , AIX
( ).
. ,
AIX. ,
, /etc/security/aixpert/core/
appliedaixpert.xml . ,
, , :
aixpert -f appliedaixpert.xml

.
,
.
v AIX . :
, CDE, GNOME KDE.
, . ,
, ,
Web- IBM System p eServer Support Fixes (http://www-03.ibm.com/servers/eserver/
support/unixservers/aixfixes.html).
.
v .
v , , daemon, bin, sys, adm, lp
uucp. , (,
) .
,
.
340
AIX 5.3:
v /etc/inetd.conf, /etc/inittab, /etc/rc.nfs /etc/rc.tcpip

.
v , :
-rw-rw-r--rw-rw-r--rw-------rw-r--r--rw-r--r--rw-rw----
root
root
root
root
root
root
system
system
system
system
system
audit
/etc/filesystems
/etc/hosts
/etc/inittab
/etc/vfs
/etc/security/failedlogin
/etc/security/audit/hosts
v root.
.
v .
. 84.
v .
. 26.
v xhost.
X11 CDE . 32.
v PATH.
PATH . 51.
v telnet, rlogin rsh. TCP/IP .
164.
v .
. 49.
v .
. 59.
v .
. 68.
v su .
the su /var/adm/sulog.
v X-Windows.
v cron at ,
.
v ls, .
v rm, .
v .
. 172.
v .
v , .
,
, , : Web-,
.
Web-,
AIX Virtual Private Networks: http://www-1.ibm.com/servers/aix/products/ibmsw/security/vpn/index.html)
CERIAS (Center for Education and Research in Information Assurance and Security): http://www.cerias.purdue.edu/
CERT (Computer Emergency Response Team -): http://www.cert.org/
341
Computer Security Resource Clearinghouse: http://csrc.ncsl.nist.gov/

FIRST (Forum of Incident Response and Security Teams): http://www.first.org/
IBM eServer Security Planner: http://publib.boulder.ibm.com/infocenter/eserver/v1r1/en_US/index.htm?info/secplanr/
securwiz.htm
OpenSSH: http://www.openssh.org/
IBM Security: http://www.ibm.com/servers/eserver/pseries/security/
,
CERT: http://www.cert.org/contact_cert/
IBM System p eServer : http://www14.software.ibm.com/webapp/set2/subscriptions/
pqvcmjd
comp.security.unix: news:comp.security.unix

faqs.org: http://www.faqs.org/faqs/computer-security/
IBM AIX Information Center: http://publib16.boulder.ibm.com/pseries/index.htm
AIX
AIX. ,
.
,
:
v /etc/inetd.conf
v /etc/inittab
v /etc/rc.nfs
v /etc/rc.tcpip
inetd/bootps
inetd
/etc/inetd.conf
v NIM
.
v tftp.
v
.
inetd/chargen
inetd
/etc/inetd.conf
).
v
TCP UDP.
v
" ".
v ,
.
342
AIX 5.3:
inetd/cmsd
inetd
/etc/inetd.conf
(
CDE).
v root,

.
v CDE,
.
v .
inetd/comsat
inetd
/etc/inetd.conf
v root,

.
v .
v .
inetd/daytime
inetd
/etc/inetd.conf

(
).
v root.
v
TCP UDP.
v
" "
PING.
v
.
v .
inetd/discard
inetd
/etc/inetd.conf
/dev/null
(
).
v
TCP UDP.
v
" ".
v
v .
inetd/dtspc
inetd
/etc/inetd.conf
CDE.
v
inetd
CDE
.

.
v CDE.
v CDE
.
v ,

inetd/echo
inetd
etc/inetd.conf

(
).
v
TCP UDP.
v
" " "Smurf".
v
- -

.
v .
343
inetd/exec
inetd
/etc/inetd.conf
v root.
v
,
.
v
.
v .
inetd/finger
inetd
/etc/inetd.conf
v root.
v
.
v .
inetd/ftp
inetd
/etc/inetd.conf
v root.
v
,
.
v
.
inetd/imap2
inetd
/etc/inetd.conf
Internet.
v
.
v

.

.
v
.
inetd/klogin
inetd
/etc/inetd.conf

Kerberos.
v ,

Kerberos.
inetd/kshell
inetd
/etc/inetd.conf
Kerberos.
v ,

Kerberos.
inetd/login
inetd
/etc/inetd.conf

rlogin.
v IP DNS.
v ,
,
.
v root.
v
.
inetd/netstat
inetd/ntalk
inetd
inetd
/etc/inetd.conf
/etc/inetd.conf
v
.
v root.
v .
v
.
v ,

344
AIX 5.3:
inetd/pcnfsd
inetd
/etc/inetd.conf

PC.
v ,
.
inetd/pop3
inetd
/etc/linetd.conf
v ,

Samba, pcnfsd

Microsoft
SMB.
v

.
.
v ,

,
POP3
v POP3
IMAP,
IMAP, POP3s.

SSL.
v ,

,
POP.
inetd/rexd
inetd
/etc/inetd.conf
v root.
v on.
v .
v
rsh rshd.
inetd/quotad
inetd
/etc/inetd.conf
v

NFS.

v
,
NFS.

quota
v ,

.
inetd/rstatd
inetd
/etc/inetd.conf
v
SNMP,
.
v
rup.
inetd/rusersd
inetd
/etc/inetd.conf
v .
.
v root.
v rusers

.
345
inetd/rwalld
inetd
/etc/inetd.conf

- .
v root.
v

,
.
v
.
v .
inetd/shell
inetd
/etc/inetd.conf
rsh.
v .

.
v
,
TCP,

.
v Xhier.
inetd/sprayd
inetd
/etc/inetd.conf

RPC
spray.
v root.
v
NFS.
v ,
NFS.
inetd/systat
inetd
/etc/inted.conf
"ps -ef".
v

.
v
.
,
.
inetd/talk
inetd/ntalk
inetd/telnet
inetd
inetd
inetd
/etc/inetd.conf
/etc/inetd.conf
/etc/inetd.conf
-
.
v .

talk.
-
.
v .
telnet.
v
.
.
v talk.
v UDP 517.
v ,

UNIX
v talk.
v UDP 517.
v ,

UNIX
v ,

.
346
AIX 5.3:
inetd/tftp
inetd
/etc/inetd.conf
v UDP 69.
v root.
v NIM.
v ,
NIM

.
inetd/time
inetd
/etc/inetd.conf
v inetd,
rdate.
v
TCP UDP.
v

.
v .
ntpdate
v

(/).
,
.
inetd/ttdbserver
inetd
/etc/inetd.conf

tool-talk
( CDE).
v rpc.ttdbserverd
root.
v
CDE, CDE
.
v
,
.
inetd/uucp
inetd
/etc/inetd.conf

UUCP.
v ,
,
UUCP.
inittab/dt
init
/etc/rc.dt /etc/inittab

CDE.
v X11.
v
X11 (xdcmp),

X11.
v

.
.
inittab/dt_nogb
inittab/httpdlite
init
init
/etc/inittab
/etc/inittab

CDE
(
).
v

.
Web-
docsearch.
v Web-
.
v , inittab/dt
v ,

.
347
inittab/i4ls
init
/etc/inittab
-
.
v ,
.
v .
v ,

.
v
,
.
inittab/imqss
inittab/lpd
init
init
/etc/inittab
/etc/inittab
v Web-
.
BSD.
v ,
.
v ,

.
v ,

.
v , ,

.
inittab/nfs
init
/etc/inittab
v NFS NIS
UDP/RPC.
v
.
v
.
inittab/piobe
init
/etc/inittab
v ,
,

qdaemon
v ,

,
.
inittab/qdaemon
init
/etc/inittab

( ).
v
piobe.
v ,

.
inittab/uprintfd
init
/etc/inittab
inittab/writesrv
init
/etc/inittab
v .
v .
v

UNIX
v ,

,
.
v
.
348
AIX 5.3:
inittab/xdm
init
/etc/inittab
X11.
v
.
v
,

X11.
v
,
.
rc.nfs/automountd
rc.nfs/biod
rc.nfs/keyserv
/etc/rc.nfs
/etc/rc.nfs
/etc/rc.nfs
v
, NFS.

-
(
NFS).
v
NFS.

RPC.
v ,
RPC.
v

,

.
v
NFS, ,
nfsd rpc.mountd
v NIS+.
v ,
NFS, NIS NIS+.
rc.nfs/nfsd
/etc/rc.nfs
NFS
(
NFS).
v .
v .
v ,
NFS.
v ,
biod, nfsd
rpc.mountd.
rc.nfs/rpc.lockd
/etc/rc.nfs
NFS.
v ,
NFS.
v ,

.
v lockd

, SANS
Top Ten Security Threats.
rc.nfs/rpc.mountd
/etc/rc.nfs
NFS
(

NFS).
v .
v .
v
, NFS.
v ,
biod nfsd.
rc.nfs/rpc.statd
/etc/rc.nfs
NFS (
.).
NFS.
v ,
NFS.
349
rc.nfs/rpc.yppasswdd
/etc/rc.nfs

NIS (
NIS).
v
.
v
NIS.
.
rc.nfs/ypupdated
/etc/rc.nfs
v NIS
NIS
NIS.
(
v
NIS).

NIS.
rc.tcpip/autoconf6
/etc/rc.tcpip
IPv6.
v ,
IPv6
rc.tcpip/dhcpcd
/etc/rc.tcpip

().
v

DHCP.
.
v DHCP,
.
rc.tcpip/dhcprd
/etc/rc.tcpip
DHCP

.
(-
v
).
.
v ,
DHCP
.
rc.tcpip/dhcpsd
/etc/rc.tcpip

().
v DHCP,

;
, , IP-,
, ,

.
v ,
DHCP.
v
, ,
DHCP.
rc.tcpip/dpid2
/etc/rc.tcpip
SNMP.
v ,
SNMP.
rc.tcpip/gated
/etc.rc.tcpip
v
.
inetd.
v

,

.
rc.tcpip/inetd
/etc/rc.tcpip
v
RIP .
v
,

Web-.
350
AIX 5.3:

rc.tcpip/mrouted
/etc/rc.tcpip
v

.
v .
.
rc.tcpip/names
/etc/rc.tcpip

(DNS).
v
,
DNS.
v
, ,
,
.
rc.tcpip/ndp-host
/etc/rc.tcpip

IPv6.
v ,
IPv6
rc.tcpip/ndp-router
/etc/rc.tcpip
-
IPv6.
v ,
IPv6. IPv6
.
rc.tcpip/portmap
/etc/rc.tcpip

RPC.
v .
v RPC
portmap. ,

RPC,
portmap, ,
.
v portmap
,
RPC.
rc.tcpip/routed
/etc/rc.tcpip
-
RIP
.
v
.
v ,

.
rc.tcpip/rwhod
/etc/rc.tcpip
v
"who".
.
rc.tcpip/sendmail
/etc/rc.tcpip
. v root.
v .
v ,

.
v ,

:
crontab
.
/usr/lib/sendmail -q.
DNS
,

- .
rc.tcpip/snmpd
/etc/rc.tcpip
v ,

.
SNMP.
v SNMP
.
351
rc.tcpip/syslogd
/etc/rc.tcpip
v
.
v "
".
v .
rc.tcpip/timed
/etc/rc.tcpip
v
xntp.
rc.tcpip/xntpd
/etc/rc.tcpip
v
.
v .
v

cron,
ntpdate.
dt login
/usr/dt/config/Xaccess
CDE
.
v
CDE X11,
dtlogin
.
FTP
user rmuser -p <>
ftp.
v FTP

,
FTP.
v
ftp,
rmuser -p ftp.
v

/etc/ftpusers ,

FTP.

FTP.
FTP.
v ftp
- .
v
FTP

,
.
v /etc/ftpusers
,
.
v ,

FTP: root, daemon,
bin.sys, admin.uucp, guest, nobody, lpd,
nuucp, ladp.
v
ftpusers
: chown
root:system /etc/ftpusers
v
ftpusers
: chmod 644 /etc/ftpusers
352
AIX 5.3:
ftp.restrict
root.access
snmpd.readWrite
/etc/security/user
/etc/snmpd.conf

FTP.
v ftpusers

root
rlogin/telnet.
v rlogin
etc/security/user false.
v ,
root,

root
su;
.
SNMP v SNMP,
readWrite.
SNMP.
v

/etc/snmpd.conf.
v 'public'
IP-,
.
syslog.conf
syslogd.
v
/etc/syslog.conf,
.
v syslog.conf

, .

. (0) (1) .
, no.
bcastping
/usr/sbin/no -o bcastping=0
ICMP,

. ,
Smurf
(,

IP-).
clean_partial_conns
/usr/sbin/no -o clean_partial_conns=1
,
SYN (,

SYN

).
directed_broadcast
/usr/sbin/no -o directed_broadcast=0
,
.

0,
.
353
icmpaddressmask
/usr/sbin/no -o icmpaddressmask=0
,
ICMP.
,
,
.
ipforwarding
/usr/sbin/no -o ipforwarding=0
,
. ,

.
ipignoreredirects
/usr/sbin/no -o ipignoreredirects=1
ipsendredirects
/usr/sbin/no -o ipsendredirects=0
,
.
,
.
ip6srcrouteforward
/usr/sbin/no -o ip6srcrouteforward=0
,
IPv6,
ICMP. ,
,

.
ipsrcrouteforward
/usr/sbin/no -o ipsrcrouteforward=0
,
,
ICMP. ,
,

.
ipsrcrouterecv
/usr/sbin/no -o ipsrcrouterecv=0
,
,
. ,
,

.
ipsrcroutesend
/usr/sbin/no -o ipsrcroutesend=0
,

ICMP. ,
,

.
nonlocsroute
/usr/sbin/no -o nonlocsrcroute=0
,
IP
. ,
,

.
tcp_icmpsecure
/usr/sbin/no -o tcp_icmpsecurer=1
TCP ICMP
(
Internet-)
PMTUD ( MTU
).
ICMP-, ,
TCP

. : 0=off
( ); 1=on.
ip_nfrag
/usr/sbin/no -o ip_nfrag=200

IP,
IP
(
200 - IP
200
IP-).
354
AIX 5.3:
tcp_pmtu_discover
/usr/sbin/no -o tcp_pmtu_discover=0
,
,
.
tcp_tcpsecure
/usr/sbin/no -o tcp_tcpsecure=7
TCP.
: 0= ;
1=
SYN; 2=

RST; 3=
TCP; 57=
.
udp_pmtu_discover
/usr/sbin/no -o udp_pmtu_discover=0

MTU
TCP. ,
,

.
355
356
AIX 5.3:

, .
IBM ,
. , ,
IBM . , IBM
, , .
, ,
IBM .
, .
IBM
. -
. :
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
, ,
: INTERNATIONAL BUSINESS MACHINES
CORPORATION " ",
- , ,
, ,
- .
,
.
.
,
. IBM ,
, .
: (i)
( ) (ii)
, , :
IBM Corporation
Dept. LRAS/Bldg. 903
11501 Burnet Road
Austin, TX 78758-3400
U.S.A.
, -
.

IBM IBM,
IBM .
357
, ,
(DBCS), IBM
:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
IBM
- .
,
. IBM
,
.
.
Web-
Web-.
, Web-,
IBM. Web- .
,
. , ,
.
.

IBM, IBM ibm.com
International Business Machines Corp .
IBM . IBM
Web- Copyright and trademark information :
www.ibm.com/legal/copytrade.shtml.
Adobe, Adobe, PostScript PostScript
Adobe Systems Incorporated / .
Java Java
Sun Microsystems, Inc. .
Linux / .
Microsoft, Windows, Windows NT Windows Microsoft Corporation
/ .
UNIX - The Open Group ..
,
.
358
AIX 5.3:

.
.netrc 166
/dev/urandom 303
/usr/lib/security/audit/config
166
A
Active Directory, LDAP
AIX 102
AIX
Active Directory, LDAP
102
C
CAPP/EAL4+
.
4+ 6
CAPP/EAL4+ (NIM) 9
Kerberos ()
()
rsh 258
telnet 258
AIX 260
, Windows 104

Kerberos KRB5 261

Kerberos KRB5A 266
kerbos, 271
KRB5 261
KRB5A 266
LDAP
KRB5LDAP
115
mksecldap 113
LDAP 97
99
112
97
104
106, 108
Light Directory Access Protocol (LDAP) 97
EIM
.
256
D
dacinet 170
DES,
dist_uniqid 40
243
mgrsecurity
F
ftp
258
41, 46, 59
IKE
178
Internet Key Exchange
IKE 178
IP
Internet 176
IPv4
. . IP- 176
IPv6 176
ITDS 101

98
NFS ( )
NFS 248
253
254
254
253
252
252
250
255
250
/etc/publickey 252
NIS+
240
241
Kerberos 258

ftp 258
rcp 258
rlogin 258
OpenSSH
Web- 158
158
160
Kerberos 5 162
359
OpenSSH ()
Kerberos 5
158
RADIUS ()
()
radiusd.conf 272
rcp 258
rlogin 258
root, 41
root
rsh 258
163
P
PAM
151
150
157

/etc/pam.conf 157
152
157

/etc/pam.conf 152
PKCS #11 115
118
117
PKI 119
155
SAK 5
SED 30
setgid,
80
setuid,
80
R
RADIUS 271
LDAP

284
283
283
proxy
288
288
288
297
303
272
280
280
IP 298
UNIX 280
290
SMIT 302
297
285
271
LDAP
282
proxy
288

CHAP 285
EAP 285
PAP 284
296
272
291
286
286
272
dictionary 278
proxy 279
278
287
360
AIX 5.3:
41
284
TCB 1
tcbck,
5
3
TCP/IP
.netrc 166
/etc/ftpusers 168
/etc/hosts.equiv 167
/usr/lib/security/audit/config 166
164
DOD 170
NTCB 169
SAK 165
TCP/IP 166, 168
164, 165
167
170
165
FTP 168
IP 176
223
231
IP
IKE 178
182
217
181
Internet 177
telnet 258
V
VPN
181
X
XML
188, 190

247
42
42
39
()
42
42
42
43
42
261, 266
103
104
Framed-Pool 298
mkhomeatlogin 39
,
298
, 202
73
307, 308, 311, 312, 314, 315, 317, 320, 327,
328, 330, 331, 334, 335, 338, 339, 340
(VPN) 176
43
42
, 51, 64

103

104
307
kadmind 265
secldapclntd 113
200
CA
201

42
IP- 176
NIS+ 240
247
240
240
244
241
242
241
root, 41
TCP/IP 164
1
46
40
307, 308, 311, 312, 314, 315, 317, 320, 327, 328,
330, 331, 334, 335, 338, 339, 340
59
239
307
()
307, 308, 311, 312, 314, 315, 317, 320, 327, 328, 330,
331, 334, 335, 338, 339, 340
IP
181
185
IP
SA 184
178
SA 184
184
179
180
184
239
239
RPC 239
239
Internet (IP) 176
218
211
182
217
181
IP
223
Internet- (IP)
231
NFS 248
64

5

4

3
86
1
2
tcbck 3

4

5
40
64
64, 242
64
, Windows
Kerberos 104
205
(SPI)

119
178
179

200
205
361
aixpert 307
chsec 40
keylogin
NFS 250
lsldap 113
mkgroup 40
mksecldap 113
mkuser 40
mount
NFS
255
aixpert 307
LDAP 113
, LDAP 113

87
90

86
watch 90
86, 91
84
87
84
, 94
87
84
84
86
(SA) 178
184
243
30
SED 30
pam_mkuserhome
, SED 31
39
307
304
305
304
305
306

SMIT 306
305

.
4+ 6
362
AIX 5.3:

Web- 190
XML 188

v_max_logname 47
47
30
30, 31
, 202
59
59
RPC 239
61
42, 43
63
/etc/password 60
RPC 239
LDAP 101
DN 105
104
42, 43
42, 43
244, 247
73
73
244
246
244
304
LDAP 115
256
257
NLS 303
setuid/setgid 33
setgid 33
setuid 33
Internet
176
177
IKE 178
176
IP 218
4+
7, 9
6
6
6
root
80
IP 298

LDAP 104
Internet (IETF) 176

kerbos 271
73

73
31
6,
SED 31
, SED 31

43
42
42
42
42
42
42
43
42

ITDS 98
Proxy, 288
RADIUS 298
LDAP 101
(CA)
201
203
202
204
CA 200
202
169
100
LDAP 100
307

69
69
68

. 68

4+ 6
RADIUS 271

119
261, 266
(NAS) 258
proxy, RADIUS 288
200
IKE
205
307
AIX 307
241
SA 184
184
179
185
IKE
CA 202
204
242
DES 243
243
26
, 29
27
CDE 28
26
29
29

73
71, 73
307, 308, 311, 312, 314, 315, 317, 320, 327, 328,
330, 331, 334, 335, 338, 339, 340
CAPP/EAL+ 7

49
/etc/publickey 252
/etc/radius/dictionary 278
/etc/radius/proxy 279
/var/radius/data/accounting 287
radiusd.conf 272
, RADIUS 272
/etc/radius/clients 278
default.auth 285
default.policy 285
ldap.client 272
ldap.server 272
radius.base 272
user_id.auth 285
184
180
, 211
31
, SED 31
ldap.cfg 114

201
203
202
204
200
IKE 205
202

200
204
205
305
305
305
363

NFS 250
AIX 307, 308, 311, 312, 314, 315, 317, 320,

327, 328, 330, 331, 334, 335, 338, 339, 340
307
307, 308, 311, 312, 314, 315, 317, 320,
327, 328, 330, 331, 334, 335, 338, 339, 340
328
/etc/inittab 315
340
331
307, 308, 311, 312, 314, 315, 317, 320, 327, 328,
330, 331, 334, 335, 338, 339, 340
/etc/inetd.conf 320
/etc/rc.tcpip 317
SUID 327
307
338
307
308
IPsec 334
338
335
312
314

311
339
340
340
,
330
338
364
AIX 5.3:

SC43-0499-07

Безопасность AIX

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Безопасность AIX

Загружено:

Авторское право:

Доступные форматы

AIX 5.

Copyright IBM Corp. 2002, 2010

Copyright IBM Corp. 2002, 2010

: SUID, SGID SVTX ,

jfh jsl, developers,

UID NFS v4.

mksecldap -s AIX LDAP

AIX NFS v4 AIX NFS v4

chsec AIX 5L 5.3: ,

chsec AIX 5L 5.3: ,

pwdprompt ": "

# chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true

(mkgroup -R files id=234 acct1), LDAP , 234

UserAdmin, GroupAdmin, PasswdAdmin,

rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login

rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login

rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login

rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login

rexec, rsh, rcp, ssh, scp

rcmds=hostlogincontrol and hostsdeniedlogin=<target_hosts>

rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login

ttys = !REXEC, !RSH

rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login

ttys = !REXEC, !RSH, /dev/pts

ttys = !REXEC, !RSH, ALL

rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login

10. , /home/ftp/home drwxr-xr-x:

chmod 755 home

14. /home/ftp/etc/objrepos root system

17. /home/ftp/etc/security root security

23. /etc/passwd /home/ftp/etc/passwd :

25. , root, ftp test.

28. /home/ftp/etc/passwd root security

29. /etc/security/passwd /home/ftp/etc/security/passwd

35. /home/ftp/etc/security/passwd root

40. /home/ftp/etc/group root security

45. /home/ftp/etc/security/group root security

50. /home/ftp/home/test -rwx------ :

UNIX, AIX /etc/password,

/etc/passwd pwdck. pwdck

System V Interprocess Communication (SVIPC)

permit, deny specify . Mode

IDENTITY => '-IDENTITY:(IDENTITY- IDENTITY-, IDENTITY-):'

: SYNCHRONIZE Ace_Mask, s, AIX

v ACE , GID 100 READ_ACL,

aclput ACL FileObject,

, chk_access exit, ACL (rc = 0).

chk_access entry: type=NFS4 obj_mode=33587711 size=68 ps=1024 uid=100

5. SMIT crfs /audit.

4. audit start. FILE_Write.

AIX (ACL). ACL

lsuser -R LDAP nguser, lsuser nguser lsuser -R LDAP -a ALL

4. /etc/group +:, NIS:

lsuser nguser , nguser mygroup.

RFC 2307 AIX

AIX : unix_auth ldap_auth.

: LDAP SYSTEM default,

foo, foo host1

v ldapproxy keytab ldapproxy.keytab.

3. keytab ldap:/-- /usr/ldap/etc.

userbasedn: ou=people, cn=aixdata

program = /usr/lib/security/LDAP program_64

program = /usr/lib/security/LDAP program_64

program = /usr/lib/security/NIS program_64 =