Subject : Introduction to NIS+

Description :


1. NIS+ Terminology

* domain : a directory object and all of its children.
* namespace : consists of all domains under the root directory.
* directory object : represents a database of NIS+ objects; the objects
   belonging to that database are expressed as children of the directory object.

- Directory and domain can be considered more or less the same thing.
  Technically, domains are NIS+ directories that contain the groups_dir and
  org_dir sub-directories.

- NIS+ names are not case-sensitive.

* Structure of Names : these character sequences are called labels.
e.g.: table_name.org_dir.domainname
   hosts table --> hosts.org_dir.domainname 

* Search Path : as with files, the search path is used to locate objects such
  as tables. NIS+ uses the domain name as the path for finding objects.
   Therefore, to refer to a table you must qualify the table name with the
   directory name org_dir.
  NIS+ appends the domain name. To see the default search path, use
   nisdefaults. To change the default search path, set the NIS_PATH
   variable.
  
Example:
hyundai3% nisdefaults
Principal Name : nobody (not authenticated)
Domain Name    : svc.hei.co.kr.
Host Name      : hyundai3.svc.hei.co.kr.
Group Name     : 
Access Rights  : ----rmcdr---r---
Time to live   : 12:00:00
Search Path    : svc.hei.co.kr.
                 hei.co.kr.
                 co.kr.
hyundai3% 
hyundai3% setenv NIS_PATH hei.co.kr
hyundai3% nisdefaults
Principal Name : nobody (not authenticated)
Domain Name    : svc.hei.co.kr.
Host Name      : hyundai3.svc.hei.co.kr.
Group Name     : 
Access Rights  : ----rmcdr---r---
Time to live   : 12:00:00
Search Path    : hei.co.kr.



* root server : the server for ".", located at the top of the namespace
  structure. There is one root server per domain.

* master server : serves one domain. A master server is a client of the
  server above it in the hierarchy.

* replica server : a copy of the master server, created for service
  availability and better performance.

* client : whatever requests name service.


2. Advantages of NIS+

*  Hierarchical namespace
*  Fast table transfer
*  Enhanced security.

3. Secure RPC

* Secure RPC is fundamental to NIS+. Its goal is to build a system that is
at least as secure as a time-sharing system. That is, a time-sharing system
authenticates a user through the login password, and DES (Data Encryption
Standard) authentication does the same: a user can log in to any remote
machine just as on a local terminal. In a time-sharing system the trusted
person is the system administrator, who has an ethical obligation not to
change a password in order to impersonate someone.
In Secure RPC, likewise, the network administrator must not alter entries
in the database where the public keys are stored.
To understand the RPC authentication system you need to be familiar with two
terms: credentials and verifiers.
Using an ID badge as an example, the credential is what identifies a person:
name, address, birth date, and so on.
The verifier is the photo attached to the badge. Normally the photo on the
badge is checked against the person carrying it, so that the badge cannot be
used by the wrong person.

In RPC, the client sends both a credential and a verifier to the server with
each RPC request. The server sends back only a verifier (the photo), because
the client already knows the server's credentials.

RPC authentication is open-ended, meaning that a variety of authentication
systems can be plugged in; currently there are two (UNIX and DES).

When UNIX authentication is used by a network service, the credential
contains the client's machine name, user ID, group ID and group access list,
but the verifier contains nothing. Because there is no verifier, a
superuser can simply produce the appropriate credentials with a command
such as su.

Another problem with UNIX authentication is that it assumes all machines on
the network are UNIX machines, so it fails when applied to other operating
systems in a heterogeneous network.

To overcome these problems with UNIX authentication, Secure RPC uses DES
authentication. DES authentication uses verifiers and is general enough to
be used by most operating systems.


4. DES Authentication

* DES authentication uses DES (Data Encryption Standard) and public key
cryptography to authenticate both users and machines on the network.
DES is a standard encryption mechanism. Public key cryptography is a cipher
system that uses two keys (one public and one private).

* The security of DES authentication is based on the sender's ability to
encrypt the current time, which the receiver must be able to decrypt and
check against its own clock. The timestamp is encrypted with DES. Two things
are required for this to work: first, the two agents must agree on the
current time, and second, the sender and receiver must use the same
encryption key.

If a network runs a time synchronization program, then the clocks of client
and server are synchronized automatically. If time synchronization is not
available, timestamps can be computed using the server's time instead of
network time.
Before starting an RPC session the client can ask the server for its time,
and then compute the difference between its own clock and the server's
clock. This difference is used as an offset to the client's clock when
computing timestamps.
If the client and server clocks get out of sync, the server begins rejecting
the client's requests, and DES authentication resynchronizes with the
server.

The client and server arrive at the same encryption key by generating a
random conversation key and then using public key cryptography to deduce a
common key. The common key is a key that only the client and server are
capable of deducing; the conversation key is the key used to encrypt and
decrypt the client's timestamp.
The common key is used to encrypt and decrypt the conversation key.

5. A Secure RPC Client-Server Session

The following is the sequence of transactions that takes place in a
client-server session using Secure RPC.

a. Before the transaction, the user runs a program that generates a public
 key and a secret key.
(Each user has a unique public key and secret key.)
The keys are stored, in encrypted form, in the /etc/publickey file.
The NIS map is publickey.byname; in NIS+ it is cred.org_dir.

b. The user logs in and runs the keylogin program (or the keylogin program
is included in /etc/profile so that it runs automatically each time the
user logs in).

The keylogin program prompts the user for the Secure RPC password and uses
it to decrypt the secret key.
The keylogin program then passes the secret key, decrypted with the
password, to the keyserv daemon. The keyserv daemon stores the decrypted
secret key and waits for the user to initiate a transaction with a server.

c. When the user initiates a transaction with a server:
  1) keyserv randomly generates a conversation key.
  2) The kernel uses the conversation key to encrypt the client's timestamp
   (among other things).
  3) keyserv looks up the server's public key in the public key database.
  4) keyserv uses the client's secret key and the server's public key to
    create a common key.
  5) keyserv encrypts the conversation key with the common key.

d. The transmission containing the timestamp and the conversation key is
 then sent to the server. The transmission contains a credential and a
 verifier.
 The credential contains the following three items:
 ( the client's name, the conversation key encrypted with the common key,
  and a window encrypted with the conversation key.)
 The window is the difference the client says should be allowed between the
 server's clock and the client's timestamp.
 If the difference between the server's clock and the timestamp is larger
 than the window, the server must reject the client's request.
 The client's verifier contains the encrypted timestamp and an encrypted
 verifier of the specified window, increased by 1.

e. When the server receives the transmission from the client:
  1) The keyserv daemon local to the server looks up the client's public key
   in its public key database.

  2) keyserv uses the client's public key and the server's secret key to
   deduce the common key.
  3) The kernel decrypts the conversation key with the common key.
  4) The kernel calls keyserv to decrypt the client's timestamp with the
   decrypted conversation key.

f. After the server decrypts the client's timestamp, it stores four items
   in a credential table:
 (the client's machine name, the conversation key, the window, and the
  client's timestamp)


 The server stores the first three for later use. It stores the timestamp to
 protect against illegitimate reuse (replay). The server accepts only
 timestamps chronologically greater than the last one seen, which
 guarantees that any replayed transaction is rejected.

g. The server returns a verifier to the client, which contains an index ID
  (a unique transaction number: the ID under which the server records the
  client in its credential table) and the client's timestamp minus 1,
  encrypted with the conversation key.
 The reason for subtracting 1 from the timestamp is to make it unusable as a
 client verifier.

h. The client receives the verifier and authenticates the server. The client
  knows that only the server could have sent the verifier, because only the
  server knows the timestamp the client sent.

i. In its next transaction, the client returns the index ID to the server
  and sends another encrypted timestamp.

j. The server sends back the client's timestamp minus 1, encrypted with the
  conversation key.

  In every transaction after the first, the client sends its index ID and
  another encrypted timestamp, and the server returns the timestamp minus 1.
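The handshake of steps a. to j., together with the timestamp and window rules of section 4, as an added simulation that is not part of the original document: the cipher is an XOR stand-in for DES, the key agreement is a toy Diffie-Hellman over a small prime rather than Secure RPC's real parameters, and the clock values, window size and host name "hyundai3" are constructed for the example.

```python
import hashlib
import secrets

P, G = 2**61 - 1, 3  # toy Diffie-Hellman group (assumption; not Secure RPC's real modulus)
WINDOW = 60          # constructed value: allowed skew between server clock and timestamp

def toy_cipher(key: int, value: int) -> int:
    """XOR stand-in for DES; the same call encrypts and decrypts a 64-bit value."""
    mask = int.from_bytes(hashlib.sha256(key.to_bytes(8, "big")).digest()[:8], "big")
    return value ^ mask

def common_key(my_secret: int, their_public: int) -> int:
    """Steps c4/e2: each side combines its own secret key with the peer's public key."""
    return pow(their_public, my_secret, P)

class Server:
    def __init__(self, secret: int, clock: int):
        self.secret, self.clock, self.table = secret, clock, {}

    def accept(self, name, client_public, enc_conv, enc_ts):
        """Steps e-g: recover keys, enforce the window, reject replays, return a verifier."""
        conv = toy_cipher(common_key(self.secret, client_public), enc_conv)
        ts = toy_cipher(conv, enc_ts)
        if abs(self.clock - ts) > WINDOW:
            return None  # step d: skew larger than the window, request refused
        if name in self.table and ts <= self.table[name][1]:
            return None  # step f: not newer than the last timestamp seen, i.e. a replay
        self.table[name] = (conv, ts)  # credential table entry (the name stands in for the index ID)
        return toy_cipher(conv, ts - 1)  # step g: timestamp - 1 under the conversation key

def client_request(client_secret, server_public, ts):
    """Steps c1-c5 on the client: random conversation key, encrypted timestamp, wrapped key."""
    conv = secrets.randbelow(2**64)
    enc_ts = toy_cipher(conv, ts)
    enc_conv = toy_cipher(common_key(client_secret, server_public), conv)
    return conv, enc_conv, enc_ts

def run_session(client_clock=1000, server_clock=1000):
    """Run one exchange; returns 'ok', 'rejected' (outside window) or 'bad'."""
    cs, ss = secrets.randbelow(P), secrets.randbelow(P)  # step a: secret keys
    cpub, spub = pow(G, cs, P), pow(G, ss, P)            # matching public keys
    server = Server(ss, server_clock)
    conv, enc_conv, enc_ts = client_request(cs, spub, client_clock)
    verifier = server.accept("hyundai3", cpub, enc_conv, enc_ts)
    if verifier is None:
        return "rejected"
    server_ok = toy_cipher(conv, verifier) == client_clock - 1   # step h: authenticate server
    replayed = server.accept("hyundai3", cpub, enc_conv, enc_ts)  # the same bytes sent again
    return "ok" if server_ok and replayed is None else "bad"
```

Running run_session() with the clocks 1000 seconds apart shows the window check refusing the request before any replay check is reached.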



Revision History

Date written : 96.09.05
Author : 이승훈 (Lee Seung-hoon)

Date revised :
Revised by :