HP-UX Reference (11i v2 04/09) - 1M System Administration Commands N-Z (vol 4)
nisaddcred(1M) nisaddcred(1M)
UID 0 (root) are identified with the host principal. Unlike LOCAL, there cannot be more than one DES
credential entry for one NIS+ principal in the NIS+ namespace.
The public information in an entry of authentication type DES is the public key for the principal. The
private information in this entry is the private key of the principal encrypted by the principal’s network
password.
User clients of NIS+ should have credentials of both types in their home domain. In addition, a principal
must have a LOCAL entry in the cred.org_dir table of each domain from which the principal wishes
to make authenticated requests. A client of NIS+ that makes a request from a domain in which it does
not have a LOCAL entry will be unable to acquire DES credentials. An NIS+ service running at security
level 2 or higher will consider such users unauthenticated and assign them the name nobody for
determining access rights.
This command can only be run by those NIS+ principals who are authorized to add or delete the entries
in the cred table.
If credentials are being added for the caller itself, nisaddcred automatically performs a keylogin for
the caller.
Options
-p principal
Use the principal name principal to fill the auth_name field for this entry. For LOCAL
credentials, the name supplied with this option should be a string specifying a UID. For
DES credentials, the name should be a Secure RPC netname of the form
unix.id@domain, as described earlier. If the -p option is not specified, the auth_name
field is constructed from the effective UID of the current process and the name of the
local domain.
-P nis_principal
Use the NIS+ principal name nis_principal. This option should be used when creating
LOCAL credentials for users whose home domain is different from the local machine’s
default domain.
Whenever the -P option is not specified, nisaddcred constructs a principal name for
the entry as follows. When it is not creating an entry of type LOCAL, nisaddcred calls
nis_local_principal, which looks for an existing LOCAL entry for the effective
UID of the current process in the cred.org_dir table and uses the associated
principal name for the new entry. When creating an entry of authentication type LOCAL,
nisaddcred constructs a default NIS+ principal name by taking the login name of the
effective UID for its own process and appending to it a dot (".") followed by the local
machine’s default domain. If the caller is a superuser, the machine name is used instead
of the login name.
-l login_password
Use the login_password specified as the password to encrypt the secret key for the
credential entry. This overrides the prompting for a password from the shell. This
option is intended for administration scripts only. Prompting guarantees not only that no
one can see your password on the command line using ps(1), but it also checks to make
sure you have not made any mistakes. NOTE: login_password does not really HAVE to
be the user’s password, but if it is, it simplifies logging in.
-r [ nis_principal ]
Remove all credentials associated with the principal nis_principal from the
cred.org_dir table. This option can be used when removing a client or user from the
system. If nis_principal is not specified, the default is to remove credentials for the
current user. If domain_name is not specified, the operation is executed in the default
NIS+ domain.
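The -l description above notes that a password given on the command line can be seen with ps(1). The following check is an added example, not part of the HP-UX reference: it reads a process listing and reports the owner and PID of every nisaddcred invocation that carries -l, without echoing the password. It assumes a "USER PID ARGS" layout (for instance from UNIX95= ps -e -o user,pid,args); the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag nisaddcred processes started with -l login_password.

# Constructed sample listing in the assumed "USER PID ARGS" layout.
sample_ps_output() {
    cat <<'EOF'
USER PID ARGS
root 101 /usr/sbin/rpc.nisd
root 2417 /usr/bin/nisaddcred -p unix.1234@example.com -P alice.example.com. -l EXAMPLE-PW des
alice 2533 nisaddcred des
root 2601 nisaddcred -lEXAMPLE-PW local
bob 2710 grep nisaddcred -l
EOF
}

# Reads the listing on stdin and prints "USER PID" for each exposed process.
find_exposed_nisaddcred() {
    awk '
    # Field 3 is the command itself, with or without a leading path.
    $3 ~ /(^|\/)nisaddcred$/ {
        exposed = 0
        for (i = 4; i <= NF; i++) {
            # -p and -P take a value; skip it so it is not read as an option.
            if ($i == "-p" || $i == "-P") { i++; continue }
            # Password passed as "-l value" or attached as "-lvalue".
            if (($i == "-l" && i < NF) || $i ~ /^-l./) { exposed = 1; break }
        }
        # Report owner and PID only; never print the argument list.
        if (exposed) print $1, $2
    }'
}

sample_ps_output | find_exposed_nisaddcred
```

Any line it prints identifies a script that should be changed to let nisaddcred prompt for the password.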
Notes
The cred.org_dir NIS+ table replaces the maps publickey.byname and netid.byname used in NIS
(YP).
RETURN VALUE
This command returns 0 on success and 1 on failure.
HP-UX 11i Version 2: September 2004, Hewlett-Packard Company