This chapter lists many of the files, commands, and daemons that are part of the SEAM product. In addition, this chapter provides detailed information about how the Kerberos authentication system works.
This is a list of the reference information in this chapter.
Table 12-1 SEAM Files
PAM Configuration File
The default PAM configuration file includes entries for the authentication service, account management, session management, and password management modules.
For the authentication module, new entries are created for rlogin, login, and dtlogin when SEAM 1.0 or 1.0.1 is installed. An example of these entries follows. All these services use the PAM Kerberos module, /usr/lib/security/pam_krb5.so.1, to provide Kerberos authentication.
These entries use the try_first_pass option, which asks the module to authenticate with the password the user already entered for an earlier module in the stack. Reusing that password means that the user is not prompted again, even when several mechanisms are listed.
# cat /etc/pam.conf
.
.
rlogin auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
login auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
dtlogin auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
other auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
For the account management module, dtlogin has a new entry that uses the Kerberos library, as follows. An other entry is included to provide a default rule. Currently, no actions are taken by the other entry.
dtlogin account optional /usr/lib/security/pam_krb5.so.1
other account optional /usr/lib/security/pam_krb5.so.1
The last two entries in the /etc/pam.conf file are shown next. The other entry for session management destroys the user's credentials when the session ends. The new other entry for password management selects the Kerberos library.
other session optional /usr/lib/security/pam_krb5.so.1
other password optional /usr/lib/security/pam_krb5.so.1 try_first_pass
This section lists some commands that are included in the SEAM product.
Table 12-2 SEAM Commands
The following table lists the daemons that the SEAM product uses.
Table 12-3 SEAM Daemons
The following section presents terms and their definitions. Those terms are used throughout the SEAM documentation. In order to grasp SEAM concepts, an understanding of these terms is essential.
You need to understand the terms in this section in order to administer KDCs.
The Key Distribution Center or KDC is the component of SEAM that is responsible for issuing credentials. These credentials are created by using information that is stored in the KDC database. Each realm needs at least two KDCs, a master and at least one slave. All KDCs generate credentials, but only the master KDC handles any changes to the KDC database.
A stash file contains an encrypted copy of the master key for the KDC. This key is used when a server is rebooted to authenticate the KDC automatically before the kadmind and krb5kdc commands are started, so that no administrator needs to type the master password. Because this file holds the master key, the file and any backups of the file must be kept secure: readable by root only and never copied to an unprotected backup medium. If the file is compromised, the master key can be used to decrypt the KDC database and thereby to read or modify every principal's key in the realm.
You need to know the terms in this section to understand the authentication process. Programmers and system administrators should be familiar with these terms.
A client is the software that runs on a user's workstation. The SEAM software that runs on the client makes many requests during this process. So, it is important to differentiate the actions of this software from the user.
The terms server and service are often used interchangeably. In this documentation, the term server refers to the physical system on which SEAM software runs, and the term service refers to a particular function that the server supports (for instance, nfs). Other documentation often describes servers as part of a service, which blurs the distinction. Here, server means the system and service means the software.
The SEAM product uses three types of keys. The first is the private key, which is given to each user principal and is known only to the user of the principal and to the KDC. For user principals, the private key is derived from the user's password. For servers and services, the corresponding key is called a service key; it serves the same purpose as the private key but belongs to a server or service rather than a user. The third type is the session key, which is generated by the authentication service or the ticket-granting service to protect the exchanges between one client and one service.
A ticket is an information packet that is used to securely pass the identity of a user to a server or service. A ticket is valid for only a single client and a particular service on a specific server. A ticket contains the principal name of the service, the principal name of the user, the IP address of the user's host, a time stamp, and a value to define the lifetime of the ticket. A ticket is created with a random session key to be used by the client and the service. After a ticket has been created, it can be reused until the ticket expires.
A credential is a packet of information that includes a ticket and the matching session key. A credential is encrypted with either a private key or a service key, depending on which party must decrypt it: the client's copy is encrypted with the user's private key, while the ticket inside it is encrypted with the service key so that only the service can read it.
An authenticator is a second packet that is presented together with a ticket. Because it is encrypted with the session key shared by that client and that server, a valid authenticator proves that the sender holds the session key and therefore is the user principal named in the ticket. An authenticator includes the principal name of the user, the IP address of the user's host, and a time stamp. Unlike a ticket, an authenticator can be used only once, usually when access to a service is requested; a service should reject an authenticator it has already seen.
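The following is an added example, not code from SEAM or the Kerberos implementation, that walks through the objects defined above: a KDC issues a credential (ticket plus session key) under the user's private key, the ticket itself is sealed under the service key, and the client proves possession of the session key with a one-time authenticator that the service checks for expiry, address, clock skew and replay. The cipher is an assumed toy stand-in (SHA-256 keystream plus HMAC tag), not a real Kerberos encryption type, and the principal names, addresses and timestamps are constructed sample data.

```python
import hashlib
import hmac
import json
import os

# Assumption: toy authenticated encryption standing in for Kerberos enctypes.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt a dict under key; output nonce || ciphertext || HMAC tag."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag and decrypt; raise ValueError on any tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def password_key(password: str, salt: str) -> bytes:
    """Private key derived from the user's password (string-to-key stand-in)."""
    return hashlib.sha256((salt + password).encode()).digest()

class KDC:
    """Holds every principal's private/service key and issues credentials."""
    def __init__(self, keys: dict):
        self.keys = keys

    def issue(self, cname: str, sname: str, caddr: str, now: float, lifetime: float = 8 * 3600) -> bytes:
        session_key = os.urandom(32)
        ticket = {"sname": sname, "cname": cname, "caddr": caddr, "authtime": now,
                  "endtime": now + lifetime, "session_key": session_key.hex()}
        # The ticket is readable only by the service; the credential only by the client.
        credential = {"ticket": seal(self.keys[sname], ticket).hex(),
                      "session_key": session_key.hex(), "sname": sname}
        return seal(self.keys[cname], credential)

class Client:
    def __init__(self, cname: str, key: bytes, caddr: str):
        self.cname, self.key, self.caddr, self.cred = cname, key, caddr, None

    def receive(self, credential_blob: bytes) -> None:
        self.cred = unseal(self.key, credential_blob)

    def ap_req(self, now: float):
        """Return (ticket, authenticator); the authenticator is sealed under the session key."""
        authenticator = {"cname": self.cname, "caddr": self.caddr, "ctime": now}
        session_key = bytes.fromhex(self.cred["session_key"])
        return bytes.fromhex(self.cred["ticket"]), seal(session_key, authenticator)

class Service:
    SKEW = 300  # seconds of tolerated clock difference

    def __init__(self, sname: str, key: bytes):
        self.sname, self.key, self.replay_cache = sname, key, set()

    def accept(self, ticket_blob: bytes, auth_blob: bytes, peer_addr: str, now: float) -> str:
        try:
            ticket = unseal(self.key, ticket_blob)
        except ValueError:
            return "reject: ticket tampered"
        if ticket["sname"] != self.sname:
            return "reject: wrong service"
        if now > ticket["endtime"]:
            return "reject: ticket expired"
        try:
            auth = unseal(bytes.fromhex(ticket["session_key"]), auth_blob)
        except ValueError:
            return "reject: authenticator not under session key"
        if auth["cname"] != ticket["cname"] or auth["caddr"] != ticket["caddr"] or peer_addr != ticket["caddr"]:
            return "reject: principal or address mismatch"
        if abs(now - auth["ctime"]) > self.SKEW:
            return "reject: clock skew"
        if (auth["cname"], auth["ctime"]) in self.replay_cache:
            return "reject: authenticator replayed"
        self.replay_cache.add((auth["cname"], auth["ctime"]))
        return "accept: " + auth["cname"]

def demo() -> list:
    """Run the exchange with constructed data and return the service's decisions."""
    now = 1_000_000.0
    alice_key = password_key("correct horse", "EXAMPLE.COMalice")
    nfs_key = os.urandom(32)
    kdc = KDC({"alice@EXAMPLE.COM": alice_key, "nfs/fs1.example.com@EXAMPLE.COM": nfs_key})
    alice = Client("alice@EXAMPLE.COM", alice_key, "192.0.2.10")
    nfs = Service("nfs/fs1.example.com@EXAMPLE.COM", nfs_key)
    alice.receive(kdc.issue(alice.cname, nfs.sname, alice.caddr, now))
    ticket, auth = alice.ap_req(now)
    results = [nfs.accept(ticket, auth, "192.0.2.10", now),          # first use
               nfs.accept(ticket, auth, "192.0.2.10", now),          # replayed authenticator
               nfs.accept(*alice.ap_req(now + 9 * 3600), "192.0.2.10", now + 9 * 3600),  # expired
               nfs.accept(bytes([ticket[0] ^ 1]) + ticket[1:], auth, "192.0.2.10", now)]  # tampered
    return results

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The replay cache keyed on (client principal, authenticator time stamp) is what makes the authenticator single-use; a real service must also bound the cache by the skew window so it cannot grow without limit.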