AIX 5L security enhancements

AIX 5L version 5.3 security enhancements

Pluggable Authentication Module (PAM)
The PAM infrastructure has been enhanced in AIX 5.3 to provide an industry- standard set of interfaces. With these enhancements, PAM standard-compliant modules will be able to operate on AIX.

Also, the new AIX release ships multiple PAM modules for varied modes of authentication capabilities.

LDAP authentication and user management
Clients can now communicate and administer the Lightweight Directory Access Protocol (LDAP) server-based user data using proxy identities. This avoids privileged access to the LDAP server database, thus preventing a client administrator from having access rights over the entire LDAP based data.

The AIX LDAP authentication and user management can be configured to communicate with multiple LDAP servers and provides for failover. When the main server fails, the operations will be directed towards the listed secondary servers.

This function has been enhanced in AIX v5.3 to support:

NIS/NIS+ enhancements
Network Information Services (NIS) infrastructure has been enhanced to support netgroups in LDAP and client support for shadow passwords (encrypted passwords in the /etc/security/passwd file).

Enable IP security with intervening NAT devices
With new IPSec Network Address Translations (NAT) support, devices that are configured behind a node that performs network address translation are able to establish an IPsec tunnel.

IP security IKE with DHCP assigned addresses
When the number of Dynamic Host Configuration Protocol (DHCP) clients with whom you wish to establish tunnels is large, you can use RSA Signature authentication and define a "Group ID" as a remote tunnel endpoint of a Virtual Private Network (VPN).

rsh Login control
AIX 5.3 introduces a new user attribute, "rcmds", to the "chuser" command. This attribute controls the r-command execution by allowing or denying a user's ability to run the r shell commands.

chpasswd command
Allows a user to change his password in a non-interactive form.

Initial login license increased
The initial license limit has been changed to 32,767. The previous limit was set at 2.

Long user and group name support
AIX 5.3 provides for long user and group names. By changing the system-wide parameters, an administrator can set the user and group name size to be a maximum of 8 to 255 characters.

Note: Decreasing the name size is supported. However, this could lead to potential problems if there are existing users in the system with a name length longer than the new value being set.

Support for multiple ACL types
AIX 5.3 supports an infrastructure to enable multiple Access Control List (ACL) types on the AIX platform. Using this infrastructure of tools and interfaces, JFS2 file system supports NFS version 4 protocol based ACL natively on AIX. The native support is very similar to the ACL support found under NFSv4 client-server implementation, except the identity mapping issue.

AIX provides an extensive ACL framework that could be used by external vendors (such as file system vendors) to enable their own ACL type on AIX. Using the framework various AIX ACL tools could be made aware of the new ACL type to manage the same.

Native implementation
NFS4 ACL is defined by NFSv4 RFC and is intended for NFS based implementation. Whereas AIX has picked up the ingredients of NFS4 ACL and implemented on AIX natively, it's not necessary to do anything in regards to NFS to use the NFS4 ACL. Note that NFS4 ACL is available currently on JFS2 file system and soon should be enabled on GPFS.

Secure Network Installation
A new service, NIM Service Handler (nimsh), eliminates the need for rsh services during NIM client communication. The NIM client daemon's service ports are registered as well-known ports (3901 and 3902) and install as part of the bos.sysmgt.nim.client fileset.

If cryptographic authentication during nimsh usage is desired, OpenSSL may be configured within the NIM environment. When OpenSSL is installed on NIM clients, SSL socket connections are established during nimsh service authentication.

Contact an IBM Sales Specialist

Browse Power Systems

Next generation applications for big data and analytics and cognitive computing are providing unprecedented insights into opportunities, threats and efficiencies. IBM Power Systems is at the forefront of delivering solutions to gain faster insights from analyzing both structured information and unstructured big data. With the secure, flexible and open platform of IBM Power Systems plus solutions and software, organizations can outpace their competitors by delivering faster services, providing differentiated offerings and turning operational cost into investment opportunity.

To draw insights and make better decisions, businesses rely on the secure, flexible and open platform of IBM Power Systems. Built with the first processor designed for big data workloads, the design of Power Systems combines the computing power, memory bandwidth and I/O in ways that are easier to consume and manage, building on strong resiliency, availability and security.

IBM Power Systems deliver flexibility and choice of operating systems to enable your business to support the next generation applications for big data and analytics and cognitive computing that are transforming how organizations work today. Whether running 1, 2, or all 3 - coupled with PowerVM, they maximize the benefit of Power Systems in your business.

Transform your business with Systems Software that enables virtualization, high availability, flexibility, security and compliance on Power Systems™. IBM’s integrated approach to developing Systems and Systems Software together delivers optimized results with Power Systems.

As an open innovation platform, Power Systems is optimized for big data and analytics performance and to deliver scale-out economics and security for the cloud. IBM and IBM Business Partner solutions exploit key capabilities in IBM Power Systems.

Over the last five years thousands of clients have migrated to IBM Power Systems for choice and flexibility. Learn how Power Systems has helped them revolutionise the way IT is developed and delivered, optimise for big data and analytics, and support private, public and hybrid offerings for scale-out or scale-up implementations all while improving business performance, reducing risk, and establishing a platform for growth.

Additional information