( Digital SIA

Info Catalog ( Authentication modules ( Authentication modules ( IRIX
 5.1.1 Digital SIA
 How to install the SIA module depends on which OS version you're
 running. Tru64 5.0 has a new command, `siacfg', which makes this
 process quite simple. If you have this program, you should just be able
 to run:
      siacfg -a KRB5 /usr/athena/lib/
 On older versions, or if you want to do it by hand, you have to do the
 following (not tested by us on Tru64 5.0):
    * Make sure `' is available in `/usr/athena/lib'. If
      `/usr/athena' is not on local disk, you might want to put it in
      `/usr/shlib' or someplace else. If you do, you'll have to edit
      `krb5_matrix.conf' to reflect the new location (you will also have
      to do this if you installed in some other directory than
      `/usr/athena'). If you built with shared libraries, you will have
      to copy the shared `', `', `', and
      `' to a place where the loader can find them (such as
    * Copy (your possibly edited) `krb5_matrix.conf' to `/etc/sia'.
    * Apply `security.patch' to `/sbin/init.d/security'.
    * Turn on KRB5 security by issuing `rcmgr set SECURITY KRB5' and
      `rcmgr set KRB5_MATRIX_CONF krb5_matrix.conf'.
    * Digital thinks you should reboot your machine, but that really
      shouldn't be necessary.  It's usually sufficient just to run
      `/sbin/init.d/security start' (and restart any applications that
      use SIA, like `xdm'.)
 Users with local passwords (like `root') should be able to login safely.
 When using Digital's xdm the `KRB5CCNAME' environment variable isn't
 passed along as it should (since xdm zaps the environment). Instead you
 have to set `KRB5CCNAME' to the correct value in
 `/usr/lib/X11/xdm/Xsession'. Add a line similar to
      KRB5CCNAME=FILE:/tmp/krb5cc`id -u`_`ps -o ppid= -p $$`; export KRB5CCNAME
 If you use CDE, `dtlogin' allows you to specify which additional
 environment variables it should export. To add `KRB5CCNAME' to this
 list, edit `/usr/dt/config/Xconfig', and look for the definition of
 `exportList'. You want to add something like:
      Dtlogin.exportList:     KRB5CCNAME
 Notes to users with Enhanced security
 Digital's `ENHANCED' (C2) security, and Kerberos solve two different
 problems. C2 deals with local security, adds better control of who can
 do what, auditing, and similar things. Kerberos deals with network
 To make C2 security work with Kerberos you will have to do the
    * Replace all occurrences of `krb5_matrix.conf' with
      `krb5+c2_matrix.conf' in the directions above.
    * You must enable "vouching" in the `default' database.  This will
      make the OSFC2 module trust other SIA modules, so you can login
      without giving your C2 password. To do this use `edauth' to edit
      the default entry `/usr/tcb/bin/edauth -dd default', and add a
      `d_accept_alternate_vouching' capability, if not already present.
    * For each user who does _not_ have a local C2 password, you should
      set the password expiration field to zero. You can do this for each
      user, or in the `default' table. To do this use `edauth' to set
      (or change) the `u_exp' capability to `u_exp#0'.
    * You also need to be aware that the shipped `login', `rcp', and
      `rshd', don't do any particular C2 magic (such as checking for
      various forms of disabled accounts), so if you rely on those
      features, you shouldn't use those programs. If you configure with
      `--enable-osfc2', these programs will, however, set the login UID.
      Still: use at your own risk.
 At present `su' does not accept the vouching flag, so it will not work
 as expected.
 Also, kerberised ftp will not work with C2 passwords. You can solve this
 by using both Digital's ftpd and our on different ports.
 *Remember*, if you do these changes you will get a system that most
 certainly does _not_ fulfil the requirements of a C2 system. If C2 is
 what you want, for instance if someone else is forcing you to use it,
 you're out of luck.  If you use enhanced security because you want a
 system that is more secure than it would otherwise be, you probably got
 an even more secure system. Passwords will not be sent in the clear,
 for instance.
Info Catalog ( Authentication modules ( Authentication modules ( IRIX
automatically generated byinfo2html