AIX 5L security enhancements

AIX 5L version 5.3 security enhancements

Pluggable Authentication Module (PAM)
The PAM infrastructure has been enhanced in AIX 5.3 to provide an industry-standard set of interfaces. With these enhancements, standards-compliant PAM modules can operate on AIX.

The new AIX release also ships several PAM modules covering different modes of authentication.

LDAP authentication and user management
Clients can now communicate with and administer Lightweight Directory Access Protocol (LDAP) server-based user data using proxy identities. This avoids privileged access to the LDAP server database and so prevents a client administrator from holding access rights over the entire LDAP-based data set.

AIX LDAP authentication and user management can be configured to communicate with multiple LDAP servers and provides failover. When the main server fails, operations are directed to the listed secondary servers.

This function has been enhanced in AIX v5.3 to support:

NIS/NIS+ enhancements
The Network Information Services (NIS) infrastructure has been enhanced to support netgroups in LDAP and client support for shadow passwords (encrypted passwords stored in the /etc/security/passwd file).

Enable IP security with intervening NAT devices
With the new IPsec Network Address Translation (NAT) support, devices configured behind a node that performs network address translation can establish an IPsec tunnel.

IP security IKE with DHCP assigned addresses
When the number of Dynamic Host Configuration Protocol (DHCP) clients with which you want to establish tunnels is large, you can use RSA signature authentication and define a "Group ID" as the remote tunnel endpoint of a Virtual Private Network (VPN).

rsh Login control
AIX 5.3 introduces a new user attribute, "rcmds", to the "chuser" command. This attribute controls r-command execution by allowing or denying a user's ability to run the r commands.

chpasswd command
Allows a user to change their password non-interactively.

Initial login license increased
The initial license limit has been changed to 32,767. The previous limit was set at 2.

Long user and group name support
AIX 5.3 provides for long user and group names. By changing the system-wide parameters, an administrator can set the maximum user and group name length to any value from 8 to 255 characters.

Note: Decreasing the name size is supported. However, this can cause problems if existing users on the system have names longer than the new value being set.
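A pre-check for the note above, as an added example that is not part of the original document: before lowering the system-wide name-length parameter (on AIX this is the sys0 max_logname attribute changed with chdev, which the text does not name), list the accounts in /etc/passwd whose names would exceed the new limit. The passwd lines below are constructed sample data, not taken from a real system.

```shell
#!/bin/sh
# Added example: find account names that would become invalid if the
# maximum login-name length is lowered. Constructed sample /etc/passwd
# content; on a real system pass no file argument to read /etc/passwd.
SAMPLE_PASSWD='root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
averyverylongservicename:!:205:1::/home/averyverylongservicename:/usr/bin/ksh
jsmith:!:206:1::/home/jsmith:/usr/bin/ksh
build_automation_user:!:207:1::/home/build_automation_user:/usr/bin/ksh'

# names_over_limit LIMIT [FILE]
# Print one user name per line for every account whose name is longer
# than LIMIT characters. FILE defaults to /etc/passwd.
names_over_limit() {
    limit=$1
    file=${2:-/etc/passwd}
    awk -F: -v max="$limit" '
        $1 !~ /^#/ && length($1) > max { print $1 }
    ' "$file"
}

# count_over_limit LIMIT [FILE]
# Number of accounts whose name exceeds LIMIT characters.
count_over_limit() {
    names_over_limit "$1" "$2" | wc -l | tr -d ' '
}

# check_new_limit LIMIT [FILE]
# Return 0 when no existing account name is longer than LIMIT, so the
# name length can be lowered safely; return 1 and list offenders otherwise.
check_new_limit() {
    n=$(count_over_limit "$1" "$2")
    if [ "$n" -eq 0 ]; then
        echo "OK: no account name longer than $1 characters"
        return 0
    fi
    echo "WARNING: $n account(s) have names longer than $1 characters:"
    names_over_limit "$1" "$2"
    return 1
}

# Demonstration against the constructed sample written to a temporary file.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
for new_len in 8 32; do
    check_new_limit "$new_len" "$tmp" || :
done
rm -f "$tmp"
```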

Support for multiple ACL types
AIX 5.3 supports an infrastructure that enables multiple Access Control List (ACL) types on the AIX platform. Using this infrastructure of tools and interfaces, the JFS2 file system supports NFS version 4 protocol-based ACLs natively on AIX. The native support is very similar to the ACL support found in an NFSv4 client-server implementation, except for the identity mapping issue.

AIX provides an extensive ACL framework that external vendors (such as file system vendors) can use to enable their own ACL type on AIX. Using the framework, the various AIX ACL tools can be made aware of the new ACL type in order to manage it.

Native implementation
The NFS4 ACL is defined by the NFSv4 RFC and is intended for NFS-based implementations. AIX has taken the ingredients of the NFS4 ACL and implemented them natively on AIX, so nothing needs to be done with regard to NFS in order to use NFS4 ACLs. Note that the NFS4 ACL is currently available on the JFS2 file system and should soon be enabled on GPFS.

Secure Network Installation
A new service, the NIM Service Handler (nimsh), eliminates the need for rsh services during NIM client communication. The NIM client daemon's service ports are registered as well-known ports (3901 and 3902) and are installed as part of the bos.sysmgt.nim.client fileset.

If cryptographic authentication is desired during nimsh use, OpenSSL can be configured within the NIM environment. When OpenSSL is installed on the NIM clients, SSL socket connections are established during nimsh service authentication.

