AIX Version 4.3 Network Installation Management Guide and Reference

Using NIM to Install Clients Configured with Kerberos 5 Authentication

In AIX versions 4.3.2 and later, NIM can be used to install machines in an environment configured for Kerberos 5 authentication. Normally, NIM relies on client machines granting .rhosts access so that the NIM master can remotely execute commands. Kerberos 5 authentication provides a more secure mechanism for remote command execution. Clients configured for Kerberos 5 authentication contain a $HOME/.k5login file for the root user. This file contains an entry that specifies which host token is required to allow remote command execution. The entry has the form:

hosts/hostname/self@cell
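
An added example, not part of the original guide: a shell function that checks root's .k5login on a client for the NIM master's entry in the form above and reports every other entry, since each principal listed in that file is accepted for remote command execution as root. The function name check_k5login, the host name nimmaster.example.com and the cell name cell.example.com are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit root's .k5login on a NIM client.
# Entry form taken from the page: hosts/hostname/self@cell
K5_HOST_FORM='^hosts/[A-Za-z0-9._-]+/self@[^[:space:]@]+$'

# check_k5login FILE MASTER_HOST CELL   (hypothetical helper)
# Return status: 0 = only the NIM master's entry is present
#                1 = the NIM master's entry is missing
#                2 = master entry present, but other entries exist too
#                3 = file missing or unreadable
check_k5login() {
    file=$1; master=$2; cell=$3
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 3; }
    want="hosts/$master/self@$cell"
    found=no; other=no
    # The "|| [ -n ... ]" part handles a last line without a newline.
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue            # skip blank lines
        if [ "$line" = "$want" ]; then
            found=yes
        elif printf '%s\n' "$line" | grep -Eq "$K5_HOST_FORM"; then
            echo "review: host entry for another machine: $line"
            other=yes
        else
            echo "review: entry not in host form: $line"
            other=yes
        fi
    done < "$file"
    [ "$found" = yes ] || { echo "missing: $want"; return 1; }
    [ "$other" = no ] || return 2
    return 0
}

# Constructed sample file (not real data): the expected entry plus one extra.
sample=${TMPDIR:-/tmp}/k5login.sample.$$
printf '%s\n' 'hosts/nimmaster.example.com/self@cell.example.com' \
              'someuser@cell.example.com' > "$sample"
check_k5login "$sample" nimmaster.example.com cell.example.com \
    || echo "check_k5login returned $?"
rm -f "$sample"
```

On a real client, pass the root user's $HOME/.k5login as the first argument.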

The NIM master and all secure clients must have DCE installed and configured at a level greater than or equal to 2.2.1.

If secure clients will be reinstalled with BOS (Base Operating System), the authentication methods on the NIM master should be set for both Kerberos 5 and Standard UNIX. This is because the client will not have DCE or Kerberos 5 configured and running after the BOS is installed. NIM will therefore have to rely on standard rhosts to remotely execute commands on the client until it can be configured with Kerberos 5 and made into a secure client.

If only software customization and maintenance will be performed, then the NIM master must have its authentication methods set to match those of the clients. To manage secure clients, the master will need authentication methods set to include Standard UNIX.

See the Kerberos Version 5 Installation Guide for more information on installing and configuring Kerberos 5.

