Administering Remote Procedure Calls (RPC)

Maintaining the master public key file

The /etc/publickey file is a database of public/secret key pairs for the users and hosts authorized to use Secure RPC. Remote procedures that use the DES authentication protocol (built into the RPC software) expect to find the key pairs of the processes that call them in /etc/publickey, so a system administrator must add an entry to /etc/publickey for each user or host that is to be granted access to Secure RPC resources. A single /etc/publickey file (on a master server, or on a collection of master and slave servers) is shared over the network through NIS with the machines that have access to it.

NOTE: Secure RPC programs are not required to be hosted by the same machine that hosts the master /etc/publickey file. The master /etc/publickey machine is not necessarily the server for any of the Secure RPC application programs or commands.

Adding RPC users

On the domain master server machine (only), the system administrator grants a user or host access to Secure RPC in that domain by adding an entry to the /etc/publickey file. This is accomplished using the newkey(1Mbnu) command.

NOTE: The newkey command must be executed on the master server machine by the RPC administrator. In addition, the machine's Secure RPC domain name must have been set prior to using newkey.

For example, to add an entry for the user alice the system administrator would enter the following command on the master server:

newkey -u alice

The -u option signifies that alice is a user ID. The domain field for this entry is the domain of the master server on which this command is executed. This is the only way that user alice can get access to this particular Secure RPC domain.

The newkey command with the -h option can also be used by root on the master server to give access to hosts:

newkey -h client

Within the domain of Secure RPC users having entries in a master /etc/publickey file, all user names and IDs must be unique. The -h option is provided to allow more than one root user to have access to Secure RPC. Because root users on different machines have the same name and ID, it would be impossible for more than one of them to be a Secure RPC user. The -h option solves this problem, allowing root users to use their unique machine name and address as a user name and ID for RPC purposes.
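The following is an added example, not part of the original documentation: a shell function that audits a copy of the publickey file against the uniqueness rule described above. It assumes the conventional ONC Secure RPC entry layout, a netname of the form unix.<uid-or-hostname>@<domain> followed by a public:secret pair of hex fields, which this page does not spell out; the function names, finding labels, domain names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit publickey entries for the uniqueness rule.
# Assumed entry layout (not stated on this page):
#   unix.<uid-or-hostname>@<domain>  <public-hex>:<secret-hex>

# audit_publickey DOMAIN [FILE]  (reads standard input when FILE is omitted)
# Prints one finding per line; prints nothing for a clean file.
audit_publickey() {
    want_domain=$1; shift
    awk -v domain="$want_domain" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            netname = $1
            if (netname !~ /^unix\.[^@]+@[^@]+$/) {
                print "unexpected-netname: " netname; next
            }
            split(netname, parts, "@")
            id = substr(parts[1], 6)             # text after "unix."
            # Every name must be unique within the domain.
            if (seen[netname]++) print "duplicate: " netname
            # Entries belong to the domain of the master server.
            if (parts[2] != domain) print "foreign-domain: " netname
            # Root is UID 0 on every machine, so a user entry for it
            # cannot be unique; root access is granted with newkey -h.
            if (id == "0") print "root-as-user: " netname
            if ($2 !~ /^[0-9a-fA-F]+:[0-9a-fA-F]+$/) print "bad-keys: " netname
        }
    ' "$@"
}

# Constructed sample entries; the key fields are short placeholders.
sample_publickey() {
    cat <<'EOF'
# constructed sample, not real keys
unix.1001@example.domain 1a2b3c:4d5e6f
unix.client@example.domain 0f0e0d:0c0b0a
unix.0@example.domain aaaa01:bbbb02
unix.1001@example.domain 1a2b3c:4d5e6f
unix.1002@other.domain cccc03:dddd04
EOF
}

sample_publickey | audit_publickey example.domain
```

Run it against a copy of the file on the master server, passing the Secure RPC domain name as the first argument and the file path as the second.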

Changing a network password

If you are using NIS, notify client users of their passwords when they are given access to Secure RPC. Modify their .profile files to execute keylogout when they log out.

Users are prompted for their Secure RPC passwords when keylogin is executed by /etc/profile. They can change their passwords by entering the following command on the master server:


See chkey(1bnu) for more information.

© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004