An authentication service, the protocol that is used by that service, or the code that is used to implement that service.
SEAM is an authentication implementation that is closely based on Kerberos V5.
While technically different, "SEAM" and "Kerberos" are often used interchangeably in SEAM documentation. The same is true for "Kerberos" and "Kerberos V5."
Kerberos (also spelled Cerberus) was a fierce, three-headed mastiff who guarded the gates of Hades in Greek mythology.
1. An entry (principal name) in a keytab file. See also keytab file.
2. An encryption key, of which there are three types:
A private key - An encryption key that is shared by a principal and the KDC, and distributed outside the bounds of the system. See also private key.
A service key - This key serves the same purpose as the private key, but is used by servers and services. See also service key.
A session key - A temporary encryption key that is used between two principals, with a lifetime limited to the duration of a single login session. See also session key.
A key table file that contains one or more keys (principals). A host or service uses a keytab file in much the same way that a user uses a password.
Key version number. A sequence number that tracks a particular key in order of generation. The highest kvno is the latest and most current key.
The scope in which a role is permitted to operate, that is, an individual host or all hosts that are served by a specified name service such as NIS, NIS+, or LDAP. Scopes are applied to Solaris Management Console toolboxes.
The main KDC in each realm, which includes a Kerberos administration server, kadmind, and an authentication and ticket-granting daemon, krb5kdc. Each realm must have at least one master KDC, and can have many duplicate, or slave, KDCs that provide authentication services to clients.
A software package that specifies cryptographic techniques to achieve data authentication or confidentiality. Examples: Kerberos V5, Diffie-Hellman public key.
A server that provides a network application, such as ftp. A realm can contain several network application servers.
Network Time Protocol. Software from the University of Delaware that enables you to manage precise time or network clock synchronization, or both, in a network environment. You can use NTP to maintain clock skew in a Kerberos environment. See also clock skew.
Pluggable Authentication Module. A framework that allows for multiple authentication mechanisms to be used without having to recompile the services that use them. PAM enables SEAM session initialization at login.
A set of rules, initiated when SEAM is installed or administered, that govern ticket usage. Policies can regulate principals' accesses, or ticket parameters, such as lifetime.
A postdated ticket does not become valid until some specified time after its creation. Such a ticket is useful, for example, for batch jobs that are intended to run late at night, since the ticket, if stolen, cannot be used until the batch job is run. When a postdated ticket is issued, it is issued as invalid and remains that way until a) its start time has passed, and b) the client requests validation by the KDC. A postdated ticket is normally valid until the expiration time of the ticket-granting ticket. However, if the postdated ticket is marked renewable, its lifetime is normally set to be equal to the duration of the full lifetime of the ticket-granting ticket. See also invalid ticket, renewable ticket.
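The two-step rule above (issued invalid, usable only after the start time has passed and the KDC has validated it) as an added Python model; this is illustrative code, not SEAM or Kerberos source, and it assumes that a renewable postdated ticket's end time is its start time plus the full TGT lifetime.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed model of postdated-ticket validity; not SEAM/Kerberos code.
@dataclass
class Ticket:
    start_time: datetime          # earliest moment the ticket may be used
    tgt_expiry: datetime          # expiration time of the ticket-granting ticket
    tgt_full_lifetime: timedelta  # full TGT lifetime, used only if renewable
    renewable: bool = False
    invalid: bool = True          # a postdated ticket is issued invalid
    end_time: datetime = field(init=False)

    def __post_init__(self) -> None:
        # Normal case: valid until the TGT expires. Renewable postdated ticket:
        # lifetime equals the full TGT lifetime (assumption: measured from start_time).
        if self.renewable:
            self.end_time = self.start_time + self.tgt_full_lifetime
        else:
            self.end_time = self.tgt_expiry

def kdc_validate(ticket: Ticket, now: datetime) -> bool:
    """Model the KDC answering a client's validation request.

    The INVALID state is cleared only once the start time has passed, so a
    ticket stolen before then cannot be turned into a usable one early."""
    if now < ticket.start_time:
        return False
    ticket.invalid = False
    return True

def usable(ticket: Ticket, now: datetime) -> bool:
    """A service should accept the ticket only if it has been validated and
    the current time lies within [start_time, end_time)."""
    return (not ticket.invalid) and ticket.start_time <= now < ticket.end_time

if __name__ == "__main__":
    # Constructed sample: ticket issued at 18:00 for a 02:00 batch job.
    t = Ticket(datetime(2024, 1, 2, 2), datetime(2024, 1, 2, 4), timedelta(hours=10))
    print(kdc_validate(t, datetime(2024, 1, 1, 23)))  # False: start time not reached
    print(usable(t, datetime(2024, 1, 2, 2, 30)))     # False: never validated
    print(kdc_validate(t, datetime(2024, 1, 2, 2, 30)))  # True
    print(usable(t, datetime(2024, 1, 2, 2, 30)))     # True
```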
1. A uniquely named client/user or server/service instance that participates in a network communication. Kerberos transactions involve interactions between principals (service principals and user principals) or between principals and KDCs. In other words, a principal is a unique entity to which Kerberos can assign tickets. See also principal name, service principal, user principal.
A key that is given to each user principal, and known only to the user of the principal and to the KDC. For user principals, the key is based on the user's password. See also key.
In private-key encryption, the sender and receiver use the same key for encryption. See also public-key encryption.
An application that can override system controls and that checks for specific UIDs, GIDs, or authorizations.
A shell used in RBAC that enables a role (or user) to run any privileged applications that are assigned to the role's rights profiles from the command line. The profile shells are pfsh, pfcsh, and pfksh. They correspond to the Bourne shell (sh), C shell (csh), and Korn shell (ksh), respectively.