Sun Microsystems, Inc.
Glossary
Kerberos

An authentication service, the protocol that is used by that service, or the code that is used to implement that service.

SEAM is an authentication implementation that is closely based on Kerberos V5.

While technically different, "SEAM" and "Kerberos" are often used interchangeably in SEAM documentation. The same is true for "Kerberos" and "Kerberos V5."

Kerberos (also spelled Cerberus) was a fierce, three-headed mastiff who guarded the gates of Hades in Greek mythology.

key

1. An entry (principal name) in a keytab file. See also keytab file.

2. An encryption key, of which there are three types:

  • A private key - An encryption key that is shared by a principal and the KDC, and distributed outside the bounds of the system. See also private key.

  • A service key - This key serves the same purpose as the private key, but is used by servers and services. See also service key.

  • A session key - A temporary encryption key that is used between two principals, with a lifetime limited to the duration of a single login session. See also session key.

keytab file

A key table file that contains one or more keys (principals). A host or service uses a keytab file in much the same way that a user uses a password.

kvno

Key version number. A sequence number that tracks a particular key in order of generation. The highest kvno is the latest and most current key.

name service scope

The scope in which a role is permitted to operate, that is, an individual host or all hosts that are served by a specified name service such as NIS, NIS+, or LDAP. Scopes are applied to Solaris Management Console toolboxes.

master KDC

The main KDC in each realm, which includes a Kerberos administration server, kadmind, and an authentication and ticket-granting daemon, krb5kdc. Each realm must have at least one master KDC, and can have many duplicate, or slave, KDCs that provide authentication services to clients.

mechanism

A software package that specifies cryptographic techniques to achieve data authentication or confidentiality. Examples: Kerberos V5, Diffie-Hellman public key.

network application server

A server that provides a network application, such as ftp. A realm can contain several network application servers.

NTP

Network Time Protocol. Software from the University of Delaware that enables you to manage precise time or network clock synchronization, or both, in a network environment. You can use NTP to maintain clock skew in a Kerberos environment. See also clock skew.

PAM

Pluggable Authentication Module. A framework that allows for multiple authentication mechanisms to be used without having to recompile the services that use them. PAM enables SEAM session initialization at login.

policy

A set of rules, initiated when SEAM is installed or administered, that govern ticket usage. Policies can regulate principals' accesses, or ticket parameters, such as lifetime.

postdated ticket

A postdated ticket does not become valid until some specified time after its creation. Such a ticket is useful, for example, for batch jobs that are intended to run late at night, since the ticket, if stolen, cannot be used until the batch job is run. When a postdated ticket is issued, it is issued as invalid and remains that way until a) its start time has passed, and b) the client requests validation by the KDC. A postdated ticket is normally valid until the expiration time of the ticket-granting ticket. However, if the postdated ticket is marked renewable, its lifetime is normally set to be equal to the full lifetime of the ticket-granting ticket. See also invalid ticket, renewable ticket.

primary

The first part of a principal name. See also instance, principal name, realm.

principal

1. A uniquely named client/user or server/service instance that participates in a network communication. Kerberos transactions involve interactions between principals (service principals and user principals) or between principals and KDCs. In other words, a principal is a unique entity to which Kerberos can assign tickets. See also principal name, service principal, user principal.

2. (RPCSEC_GSS API) See client principal, server principal.

principal name

1. The name of a principal, in the format primary/instance@REALM. See also instance, primary, realm.

2. (RPCSEC_GSS API) See client principal, server principal.
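As an added illustration of the principal name format defined above and of the keytab and kvno entries earlier in this glossary (example code written for this page, not Sun's or SEAM's own code), the following parses primary/instance@REALM names and selects the current key for a principal by highest kvno; the keytab entries and key bytes are constructed sample values:

```python
"""Parse Kerberos principal names and pick the current keytab key by kvno."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]   # None for a principal with no instance part
    realm: str


def parse_principal(name: str) -> Principal:
    """Split 'primary/instance@REALM' into its parts; the instance is optional."""
    if "@" not in name:
        raise ValueError("principal name has no realm: %r" % name)
    local, realm = name.rsplit("@", 1)     # realm is everything after the last '@'
    if not local or not realm:
        raise ValueError("empty primary or realm: %r" % name)
    primary, sep, instance = local.partition("/")
    if not primary or (sep and not instance):
        raise ValueError("empty primary or instance: %r" % name)
    return Principal(primary, instance if sep else None, realm)


# Constructed keytab entries for illustration: (principal name, kvno, key bytes).
# The key bytes are placeholders, not real keys.
KEYTAB: List[Tuple[str, int, bytes]] = [
    ("host/example.com@EXAMPLE.COM", 1, b"\x01" * 8),
    ("host/example.com@EXAMPLE.COM", 3, b"\x03" * 8),   # highest kvno: current key
    ("host/example.com@EXAMPLE.COM", 2, b"\x02" * 8),
    ("ftp/example.com@EXAMPLE.COM", 5, b"\x05" * 8),
]


def current_key(keytab, principal_name: str) -> Optional[Tuple[int, bytes]]:
    """Return (kvno, key) with the highest kvno stored for the principal, else None.

    Matching is done on the parsed name, so differently spelled but equivalent
    names (e.g. trailing '@' splitting) cannot slip past a plain string compare.
    """
    wanted = parse_principal(principal_name)
    best = None
    for name, kvno, key in keytab:
        if parse_principal(name) == wanted and (best is None or kvno > best[0]):
            best = (kvno, key)
    return best
```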

privacy

A security service, in which transmitted data is encrypted before being sent. Privacy also includes data integrity and user authentication. See also authentication, integrity, service.

private key

A key that is given to each user principal, and known only to the user of the principal and to the KDC. For user principals, the key is based on the user's password. See also key.

private-key encryption

In private-key encryption, the sender and receiver use the same key for encryption. See also public-key encryption.

privileged application

An application that can override system controls and that checks for specific UIDs, GIDs, or authorizations.

profile shell

A shell used in RBAC that enables a role (or user) to run any privileged applications that are assigned to the role's rights profiles from the command line. The profile shells are pfsh, pfcsh, and pfksh. They correspond to the Bourne shell (sh), C shell (csh), and Korn shell (ksh), respectively.
