Chapter 12

SEAM (Reference)

This chapter lists many of the files, commands, and daemons that are part of the SEAM product. In addition, this chapter provides detailed information about how the Kerberos authentication system works.

SEAM Files

Table 12-1 SEAM Files

File Name                         Description
--------------------------------  -----------
~/.gkadmin                        Default values for creating new principals in the SEAM Administration Tool
~/.k5login                        List of principals to grant access to a Kerberos account
/etc/init.d/kdc                   init script to start or stop krb5kdc
/etc/init.d/kdc.master            init script to start or stop kadmind
/etc/krb5/kadm5.acl               Kerberos access control list file; includes principal names of KDC administrators and their Kerberos administration privileges
/etc/krb5/kadm5.keytab            Keytab file for the kadmin service on the master KDC
/etc/krb5/kdc.conf                KDC configuration file
/etc/krb5/kpropd.acl              Kerberos database propagation configuration file
/etc/krb5/krb5.conf               Kerberos realm configuration file
/etc/krb5/krb5.keytab             Keytab file for network application servers
/etc/krb5/warn.conf               Kerberos warning configuration file
/etc/pam.conf                     PAM configuration file
/tmp/krb5cc_uid                   Default credentials cache (uid is the decimal UID of the user)
/tmp/ovsec_adm.xxxxxx             Temporary credentials cache for the lifetime of the password changing operation (xxxxxx is a random string)
/var/krb5/.k5.REALM               KDC stash file; contains an encrypted copy of the KDC master key
/var/krb5/kadmin.log              Log file for kadmind
/var/krb5/kdc.log                 Log file for the KDC
/var/krb5/principal.db            Kerberos principal database
/var/krb5/principal.kadm5         Kerberos administrative database; contains policy information
/var/krb5/principal.kadm5.lock    Kerberos administrative database lock file
/var/krb5/principal.ok            Kerberos principal database initialization file; created when the Kerberos database is initialized successfully
/var/krb5/slave_datatrans         Backup file of the KDC that the kprop_script script uses for propagation

PAM Configuration File

The default PAM configuration file includes entries for the authentication service, account management, session management, and password management modules.

For the authentication module, new entries are created for rlogin, login, and dtlogin if SEAM 1.0 or 1.0.1 is installed. An example of these entries follows. All these services use the new PAM library, /usr/lib/security/pam_krb5.so.1, to provide Kerberos authentication.

These entries use the try_first_pass option, which requests authentication by using the user's initial password. Using the initial password means that the user is not prompted for another password, even if multiple mechanisms are listed.

# cat /etc/pam.conf
 .
 .
rlogin auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
login auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
dtlogin auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
other auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass

For the account management module, dtlogin has a new entry that uses the Kerberos library, as follows. An entry for other is included to provide a default rule. Currently, the other entry takes no action.

dtlogin account optional /usr/lib/security/pam_krb5.so.1 
other account optional /usr/lib/security/pam_krb5.so.1

The last two entries in the /etc/pam.conf file are shown next. The other entry for session management destroys user credentials. The new other entry for password management selects the Kerberos library.

other session optional /usr/lib/security/pam_krb5.so.1 
other password optional /usr/lib/security/pam_krb5.so.1 try_first_pass

SEAM Commands

This section lists some commands that are included in the SEAM product.

Table 12-2 SEAM Commands

Command                 Description
----------------------  -----------
/usr/lib/krb5/kprop     Kerberos database propagation program
/usr/sbin/gkadmin       Kerberos database administration GUI program; used to manage principals and policies
/usr/sbin/kadmin        Remote Kerberos database administration program (run with Kerberos authentication); used to manage principals, policies, and keytab files
/usr/sbin/kadmin.local  Local Kerberos database administration program (run without Kerberos authentication; must be run on the master KDC); used to manage principals, policies, and keytab files
/usr/sbin/kdb5_util     Creates Kerberos databases and stash files

SEAM Daemons

The following table lists the daemons that the SEAM product uses.

Table 12-3 SEAM Daemons

Daemon                  Description
----------------------  -----------
/usr/lib/krb5/kadmind   Kerberos database administration daemon
/usr/lib/krb5/kpropd    Kerberos database propagation daemon
/usr/lib/krb5/krb5kdc   Kerberos ticket processing daemon

SEAM Terminology

The following section presents terms and their definitions. These terms are used throughout the SEAM documentation, and an understanding of them is essential to grasping SEAM concepts.

Kerberos-Specific Terminology

You need to understand the terms in this section in order to administer KDCs.

The Key Distribution Center or KDC is the component of SEAM that is responsible for issuing credentials. These credentials are created by using information that is stored in the KDC database. Each realm needs at least two KDCs, a master and at least one slave. All KDCs generate credentials, but only the master KDC handles any changes to the KDC database.

A stash file contains an encrypted copy of the master key for the KDC. This key is used when a server is rebooted to automatically authenticate the KDC before starting the kadmind and krb5kdc commands. Because this file includes the master key, the file and any backups of the file should be kept secure. If the encryption is compromised, then the key could be used to access or modify the KDC database.

Authentication-Specific Terminology

You need to know the terms in this section to understand the authentication process. Programmers and system administrators should be familiar with these terms.

A client is the software that runs on a user's workstation. The SEAM software that runs on the client makes many requests during the authentication process, so it is important to differentiate the actions of this software from the actions of the user.

The terms server and service are often used interchangeably. To clarify, the term server is used to define the physical system that SEAM software is running on. The term service corresponds to a particular function that is being supported on a server (for instance, nfs). Documentation often mentions servers as part of a service, but this definition clouds the meaning of the terms. Therefore, the term server refers to the physical system. The term service refers to the software.

The SEAM product includes three types of keys. One key is the private key. The private key is given to each user principal and is known only to the user of the principal and to the KDC. For user principals, the key is based on the user's password. For servers and services, the key is known as a service key. The service key serves the same purpose as the private key, but is used by servers and services. The third type of key is a session key. A session key is a key that is generated by the authentication service or the ticket-granting service. A session key is generated to provide secure transactions between a client and a service.

A ticket is an information packet that is used to securely pass the identity of a user to a server or service. A ticket is valid for only a single client and a particular service on a specific server. A ticket contains the principal name of the service, the principal name of the user, the IP address of the user's host, a time stamp, and a value to define the lifetime of the ticket. A ticket is created with a random session key to be used by the client and the service. After a ticket has been created, it can be reused until the ticket expires.

A credential is a packet of information that includes a ticket and a matching session key. Credentials are often encrypted by using either a private key or a service key, depending on which software decrypts the credential.

An authenticator is another type of information. When used with a ticket, an authenticator can be used to authenticate a user principal. An authenticator includes the principal name of the user, the IP address of the user's host, and a time stamp. Unlike a ticket, an authenticator can be used once only, usually when access to a service is requested. An authenticator is encrypted by using the session key for that client and that server.
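The keys, tickets, credentials and authenticators described above, as an added Python model that is not part of the SEAM documentation or product. Encryption is modelled symbolically (a sealed box records which key sealed it) rather than with real ciphers, and the principal names, IP address and key strings are constructed; the model shows which key seals which object, that a ticket is reusable until it expires, and that a service must reject a replayed authenticator.

```python
import secrets

def seal(key, payload):
    # Symbolic "encryption": the box records which key sealed it (NOT real crypto).
    return {"sealed_with": key, "payload": dict(payload)}

def unseal(key, box):
    if box["sealed_with"] != key:
        raise PermissionError("wrong key for this object")
    return dict(box["payload"])

class KDC:
    def __init__(self, keys):
        self.keys = dict(keys)          # principal name -> private key or service key

    def issue(self, user, service, host_ip, now, lifetime=8 * 3600):
        session_key = secrets.token_hex(8)          # fresh random session key per ticket
        ticket = {"service": service, "user": user, "ip": host_ip,
                  "timestamp": now, "lifetime": lifetime, "session_key": session_key}
        # The ticket is sealed with the service key (only the service can open it);
        # the credential (ticket + session key) is sealed with the user's private key.
        cred = {"ticket": seal(self.keys[service], ticket), "session_key": session_key}
        return seal(self.keys[user], cred)

def make_authenticator(user_key, cred_box, user, host_ip, now):
    """Client side: open the credential, then build a one-time authenticator."""
    cred = unseal(user_key, cred_box)
    auth = seal(cred["session_key"], {"user": user, "ip": host_ip, "timestamp": now})
    return cred["ticket"], auth

class Service:
    def __init__(self, name, service_key, skew=300):
        self.name, self.key, self.skew = name, service_key, skew
        self.seen = set()               # replay cache of authenticators already accepted

    def accept(self, ticket_box, auth_box, now):
        t = unseal(self.key, ticket_box)
        if t["service"] != self.name or now > t["timestamp"] + t["lifetime"]:
            return False                # ticket for another service, or expired
        try:
            a = unseal(t["session_key"], auth_box)   # only a session-key holder could seal it
        except PermissionError:
            return False
        if a["user"] != t["user"] or a["ip"] != t["ip"] or abs(now - a["timestamp"]) > self.skew:
            return False
        if (a["user"], a["timestamp"]) in self.seen:
            return False                # an authenticator may be used once only
        self.seen.add((a["user"], a["timestamp"]))
        return True
```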
