3 — Security Integration Architecture

3.1 Overview of SIA

The Security Integration Architecture (SIA) is a framework that supports multiple security mechanisms on Tru64 UNIX. All configured security mechanisms that run on the Tru64 UNIX operating system run under the SIA. The SIA allows you to layer various local and distributed security mechanisms onto Tru64 UNIX with no modification to either the security-sensitive commands (such as login, su, and passwd), or the application programming interface (API) routines that obtain password or group entries, particularly getpwnam and getgrgid.

The Tru64 UNIX operating system provides two local security mechanisms: Berkeley Standard Distribution (BSD) security and C2 class security. The default Tru64 UNIX configuration has BSD security enabled.

DCE Security, provided by OSF DCE, is a distributed network security service based on secret-key technology. It provides secure communications (authentication and data protection) and controlled access to resources (authorization) in the distributed environment. Within a DCE cell, DCE registry databases on the Security server nodes (where the Security server daemons, secd, run) contain information about principals, groups, organizations, accounts, and so forth. The local system administrator can create a DCE password override file, /opt/dcelocal/etc/passwd_override, to exclude people from using the local machine, to establish a local root password, or to tailor the local user environments.

3.2 Benefits of SIA

The local system administrator can configure DCE security to use the local SIA facility. Doing so permits users to establish a local terminal session and DCE credentials with a single login command and password.

Enabling DCE SIA also integrates DCE security with the local security mechanism. In addition, Tru64 UNIX account-related functions (such as getpwent) can display information from both the local and DCE registries.

DCE SIA allows you to use the DCE registry as the sole repository for all user accounts. This makes account maintenance easier because there is one central DCE registry to manage. This means that you can log in to any DCE client system if you have a DCE account, even if you do not have a local account on that system.

When a DCE system is initially configured with SIA support, you may want to use the passwd_import utility to migrate local accounts to the DCE registry. Account information stored on a local system in /etc/passwd and /etc/group can selectively be merged into the DCE registry. The passwd_import command with the check option, -c, displays a listing of the differences between the local registry and the DCE registry. After the command is executed, the system administrator can decide what data to merge. Having run passwd_import to create a brand new account in the DCE registry, you must then modify the account with rgy_edit to assign a password and then enable the account for DCE logins. Refer to the OSF DCE Administration Guide — Core Components for more information on passwd_import.

3.3 Using SIA

The local security mechanism for Tru64 UNIX always uses SIA. The system administrator can select DCE SIA when the machine is configured in a DCE cell. The dcesetup utility asks the administrator whether DCE SIA should be enabled. The default response is to enable SIA. See the Gradient DCE for Tru64 UNIX Installation and Configuration Guide for further instructions. Once you have configured a machine in a DCE cell, you can run dcesetup at any time to enable or disable DCE SIA.

When dcesetup enables DCE SIA, it modifies a system SIA configuration file, /etc/sia/matrix.conf. File matrix.conf is a function dispatch table used by all Tru64 UNIX security-related commands (such as login and su). Security commands call subcommands, which are in turn dispatched to one or more security mechanisms that appear in the table. Users should not modify matrix.conf, which is a text file, unless they need to implement a highly specialized security mechanism.

When you enable or disable SIA using dcesetup, you should reboot your machine. This ensures that account attribute inconsistencies are not introduced into system daemons and applications running at the time this DCE modification takes place.

When SIA is enabled and one or more servers in the cell are reconfigured, the client systems must also be reconfigured. Otherwise, DCE services cannot operate.

3.4 Using the SIA Configuration Program

The SIACFG configuration program helps system administrators to manage their SIA environments. Administrators can use SIACFG to display and resolve inconsistencies between UNIX account information stored in the DCE/Kerberos user database and corresponding information stored in the user database of the local machine.

SIACFG aids administrators in an environment where DCE SIA has been selected to control system logon based on shared/network user configuration data (that is, passwords, uids, group memberships, and gids), and where the administrator may not have the option of discarding an existing local user account database, replete with its own uid assignments, group memberships, etc.

The basic function of SIACFG is to compare each account and group defined in the local user database to determine if an entity with the same name and type exists in the DCE registry. If a match is found, a more detailed comparison is performed to determine if there are any inconsistencies (for example, same name but different uids, or same name but different membership lists) between the corresponding entities.

When an inconsistency is detected, SIACFG provides the administrator with an opportunity to resolve the conflict by designing an override entry. (See passwd_override(5sec) in OSF DCE Command Reference for a description of overrides and their format.)

When a local account or group has no analogous entity in the registry, the administrator will be asked to choose whether the account or group should have local-only or cell-wide/public significance. If local-only is chosen, SIACFG will add an override entry to the plan. When published, the plan will insure that the local entity remains distinct from any equivalently named and typed entity that might be added to the DCE registry. If the administrator chooses cell-wide, SIACFG will add directions to the plan to create a corresponding entity in the DCE registry.

For information on activating SIACFG, see the Gradient DCE for Tru64 UNIX Installation and Configuration Guide.

3.5 How DCE Security Affects the Security-Sensitive Commands and Routines

Enabling DCE SIA affects three areas of security:

Login-related commands
Registry information change commands
Registry information inquiry routines

The following sections discuss these commands and routines.

A log file (/opt/dcelocal/var/adm/security/sialog) briefly logs the history of executing DCE SIA routines and the configured security mechanisms. You can use this file for troubleshooting or diagnosing security-related problems. You should clean up this file occasionally.

3.5.1 Login-Related Commands

SIA isolates the security-sensitive commands (login, su, ftp, xdm, lock, dxsession, telnet, rtools, and dtools) from the specific security mechanisms which eliminates the need to modify them for each new security mechanism. When DCE SIA is enabled in the matrix.conf file, SIA invokes DCE routines in response to these commands, to authenticate the login session. The following sections explain the login and the su commands in more detail. The other commands are similar to the login command.

3.5.1.1 login Command

When DCE SIA is enabled, using the login command to start a session invokes both the local security mechanism and DCE. If the login command accepts the password you enter, you have DCE credentials and are also logged in to the local security system.

NOTE: You may be logged in to the local security system even if you have no account on the local system, or if you supplied a valid DCE password that is not your local password.

If you have identical account names in both the local BSD registry and the DCE registry, account attributes in the DCE registry override those in the local registry. In other words, DCE account attributes supersede attributes in /etc/passwd and /etc/group.

If, during login, DCE security rejects your password, the local security mechanism still attempts to validate the login. If your name is in the local account database and your password is valid, you are logged in to the local system, but without DCE credentials; otherwise, the login attempt fails.

Once you have successfully logged in to DCE, a shell variable called KRB5CCNAME is created to point to the current session's login context and ticket cache. This variable points to a filename, such as the following:

/opt/dcelocal/var/security/creds/dcecred_68b91c00

Help prevent misuse of credentials by requiring users to remove their credentials (by running kdestroy) before terminating their login sessions. If your login shell is csh, you can insert the following lines as part of your logout profile:

if (\Qprintenv KRB5CCNAME\Q != "") then
echo "Removing login context and ticket cache..."
kdestroy
endif

If you run ksh, you can add the following line to your .profile:

trap 'echo Removing login context and ticket cache; kdestroy' EXIT

3.5.1.2 The su Command

DCE does not support a superuser in its environment. When you issue an su command on a Tru64 UNIX system with DCE turned on, four results are possible. Table 3-1 summarizes these combinations

NOTE: User1 and user2 are nonprivileged accounts.

Table 3-1: User Combinations

Combination Current UID New UID
1

user1

user2

2

user1

root

3

root

user2

4

root

root

Table 3-1: User Combinations
Combination	Current UID	New UID
1	user1	user2
2	user1	root
3	root	user2
4	root	root

The following paragraphs discuss each combination.

Combination 1: User1 to User2

You are currently user1 and may or may not have DCE credentials. You issue an su user2 command and are prompted for a password. The username user2 and the password are presented to DCE Security. If they pass the security check, you get a new process with UID and DCE credentials of user2. If they do not pass the DCE security check (see Section 3.5.1 on page 37), the username and password are presented to BSD security. If they pass the BSD security check, the new process has user2's UID but does not have DCE credentials. If they do not pass the BSD security check, the su command fails.

Combination 2: User1 to Root

You are currently user1 and may or may not have DCE credentials. You issue an su or su root command and are prompted for a password. The username root and the password are presented to DCE Security. Because the passwd-override file overrides the root account, you are not allowed to log in to DCE root. However, you get the principal credentials of the local host machine (/.:/hosts/<hostname>/self) after you pass the BSD security check for the root account.

Combination 3: Root to User2

If you only use BSD security, no password is required because root has the power to become anyone. This transformation is not possible in a DCE environment, because root (on this system) does not have any special privileges and cannot be permitted to become any principal in the cell. In this case, you are currently root and may or may not have DCE credentials. You issue an su user2 command and are prompted with the following message:

(DCE) Enter DCE password to obtain DCE credentials,
(DCE) or press return for none.
Password:

The username user2 and password are presented to DCE Security. If they pass the DCE security check, you get a new process with the UID and DCE credentials of user2. If they do not pass the DCE security check, or if you press <Return> at the prompt, the username user2 and password are presented to BSD security. Because you are root, they will pass the BSD security check and the new process has user2's UID but does not have DCE credentials.

Combination 4: Root to Root

In this case, you are also prompted for a password, as in case 3. The username root and the password are presented to DCE Security. Because the passwd-override file overrides the root account, you are not allowed to log in to DCE root. However, because you are root, you pass the BSD security check, and the new process has a UID of zero and DCE credentials for the local host machine principal (/.:/hosts/<hostname>/self).

3.5.2 Registry Information Change Commands

The registry information change commands — passwd (change password), chsh (change shell), and chfn (change finger information) — change information in one of the configured security mechanism's registries. These commands invoke SIA routines, which prompt for a choice of the configured security mechanisms. In the following example, DCE SIA and BSD security are enabled.

You are registered with the following security mechanisms

1   DCE
2   BSD

Select ONE item by number:

If you choose option 1 (DCE), SIA displays the following message:

You have selected:
DCE

SIA then invokes DCE routines that allow you to make changes in the passwd_override file, if your requested information exists, or in the DCE registry. The system displays the following message:

You can change information in passwd_override or DCE registry

1  passwd_override file
2  DCE registry

Select ONE item by number:

The rest of the dialog is similar to the BSD dialog. When DCE SIA is enabled, there is no practical reason to maintain identical passwords in both the local and DCE security registries. A login succeeds when a valid DCE account and password are presented if the host remains configured as a DCE client and the DCE security service is available. In any event, presenting a valid local password always results in a successful local login.

The commands passwd, chsh, and chfn provide most functions of the OSF DCE utility chpass, a platform-dependent tool intended as a reference implementation from OSF. This product does not provide chpass.

The commands adduser, removeuser, and vipw do not affect the DCE registry regardless of whether DCE SIA is enabled.

Refer to the passwd_override(5sec) reference page in the OSF DCE Command Reference for details of the passwd_override command.

3.5.3 Registry Information Inquiry Routines

There are ten registry information inquiry routines:

getpwent
getpwuid
getpwnam
setpwent
endpwent
getgrent
getgrgid
getgrnam
setgrent
endgrent

These API calls also include their reentrant routines, if they exist. For these registry information inquiry routines, SIA invokes the configured security mechanism routines in the order in which they are placed in the SIA configuration file (matrix.conf file) until it finds the needed information. If none of the configured mechanisms fulfills the request, the get call fails. For example, the following line exists in the matrix.conf file:

siad_getgrnam=(DCE,/usr/shlib/libdcesiad.so), (BSD, libc.so)

The getgrnam (get a group entry by its name) call first calls the DCE siad_getgrnam routine to try to extract the requested information from either the passwd_override file, if it exists, or the DCE registry. If it succeeds, the getgrnam call returns the DCE information in its return group structure. If DCE fails, it continues to call the BSD siad_getgrnam routine to get the needed information. If it succeeds, the getgrnam routine returns the BSD information in its return group structure. If the getgrnam routine does not find the requested information in either DCE or BSD, it returns a failure; that is, a NULL pointer.

Operations that depend on registry information can behave more reliably when you maintain consistency between names that exist in both the local registry and the DCE registry. For instance, if a user account is registered in /etc/passwd and DCE, consistent password information, default shell, and similar information lets users log in using the same password even if the DCE registry is not available.

Consistency between group names in the local registry and the DCE registry is also desirable. The initial DCE cell configuration procedure declares several standard UNIX group names (such as system, bin, and kmem) in the DCE registry.

Because DCE SIA has precedence in the SIA matrix, a call to getgrnam( ) for the bin group extracts the group attribute record from DCE rather than /etc/group. This has a subtle effect on such programs as newgrp, which call getgrpnam( ) implicitly. In the example % newgrp bin, the membership list for the bin group is consulted to determine if the primary group of the caller can be set to bin. However, newgrp will simply fail if membership in the bin group is denied in the DCE bin record, even though it is granted in /etc/group.

NOTE: The su command does not call getgrnam( ) to determine membership in the system group. Therefore users can be granted privilege to su root simply by adding them to the system record in /etc/group. Also, note that the attribute values of three groups (system, bin, and kmem) are further qualified by their presence, by default, in the group_override file. See Section 3.9.2 on page 47 for more information.

UNIX account functions such as finger and getpwent also get their attribute data from the DCE registry. Consequently, attributes such as default directory and shell must be properly maintained in the local and DCE registries. Any unintentional inconsistencies between the two registries can be troublesome. Administrators must also be careful not to inadvertently break a local account by creating an identical account name in the DCE registry for another user elsewhere on the network.

3.6 Using DCE SIA With the Tru64 UNIX Enhanced Security Option

This section explains special considerations for using the DCE SIA feature with the Tru64 UNIX Enhanced Security option.

The Tru64 UNIX Enhanced Security option, also known as C2 security, is the stricter of two security mechanisms supplied with Tru64 UNIX. The other, BSD, is supplied with the base operating system and is enabled by default. Enhanced Security is offered as an optional product, and is documented in the Tru64 UNIX Security Manual.

Enhanced Security derives much of its value from a more conservative approach toward security management. When DCE uses Enhanced Security via SIA, it operates under restrictions that affect ease of use for the DCE user and administrator. This added inconvenience is the price of a more secure system.

DCE SIA under Enhanced Security is best described by a comparison with BSD security. Table 3-2 compares the relative SIA advantages available when the underlying security mechanism is Enhanced Security or BSD security.

Table 3-2: Benefits of Using SIA with BSD Security or Enhanced Security

SIA BSD Security SIA Enhanced Security (C2) Option
BSD security enabled

Strict C2 security enabled

Integrated login

Integrated login (password consistency must be maintained between local and remote (DCE) registries).

Local and remote registries synchronized with passwd_export

Manual synchronization of local and remote (DCE) registry required. (the passwd_export utility is not currently available.)

Local login even without an account in the local registry

Local login requires an account in the local registry

Table 3-2: Benefits of Using SIA with BSD Security or Enhanced Security
SIA BSD Security	SIA Enhanced Security (C2) Option
BSD security enabled	Strict C2 security enabled
Integrated login	Integrated login (password consistency must be maintained between local and remote (DCE) registries).
Local and remote registries synchronized with passwd_export	Manual synchronization of local and remote (DCE) registry required. (the passwd_export utility is not currently available.)
Local login even without an account in the local registry	Local login requires an account in the local registry