An access control list (ACL) provides finer-grained file security than traditional UNIX file protection provides. For example, an ACL enables you to allow group read access to a file, while allowing only one member of that group to write to the file.
A user principal with a name of the form username/admin (as in jdoe/admin). An admin principal can have more privileges (for example, to change policies) than a regular user principal. See also principal name, user principal.
Advanced Encryption Standard. A symmetric 128-bit block data encryption technique. The U.S. government adopted the Rijndael variant of the algorithm as its encryption standard in October 2000. AES replaces user principal encryption as the government standard.
A cryptographic algorithm. This is an established, recursive computational procedure that encrypts or hashes input.
Asynchronous events are the minority of system events. These events are not associated with any process, so no process is available to be blocked and later woken up. Initial system boot and PROM enter and exit events are examples of asynchronous events
Binary audit logs. Audit files are stored separately in an audit partition.
A hard disk partition that is configured to hold audit files.
The global and per-user settings that determine which audit events are recorded. The global settings that apply to the audit service typically affect which pieces of optional information are included in the audit trail. Two settings, cnt and ahlt, affect the operation of the system when the audit queue fills. For example, audit policy might require that a sequence number be part of every audit record.
The collection of all audit files from all hosts.
The process of verifying the claimed identity of a principal.
Authenticators are passed by clients when requesting tickets (from a KDC) and services (from a server). They contain information that is generated by using a session key known only by the client and server, that can be verified as of recent origin, thus indicating that the transaction is secure. When used with a ticket, an authenticator can be used to authenticate a user principal. An authenticator includes the principal name of the user, the IP address of the user's host, and a time stamp. Unlike a ticket, an authenticator can be used only once, usually when access to a service is requested. An authenticator is encrypted by using the session key for that client and that server.
1. In Kerberos, the process of determining if a principal can use a service, which objects the principal is allowed to access, and the type of access that is allowed for each object.
2. In role-based access control (RBAC), a permission that can be assigned to a role or user (or embedded in a rights profile) for performing a class of actions that are otherwise prohibited by security policy.
The Solaris auditing service and device allocation. Together, these features satisfy the C2 level of security.
The set of privileges that are assigned to a user's process at login. On an unmodified system, each user's initial inheritable set equals the basic set at login.
A symmetric block cipher algorithm that takes a variable-length key from 32 bits to 448 bits. Its author, Bruce Schneier, claims that Blowfish is optimized for applications where the key does not change often.
Narrowly, a process that makes use of a network service on behalf of a user; for example, an application that uses rlogin. In some cases, a server can itself be a client of some other server or service.
More broadly, a host that a) receives a Kerberos credential, and b) makes use of a service that is provided by a server.
Informally, a principal that makes use of a service.
(RPCSEC_GSS API) A client (a user or an application) that uses RPCSEC_GSS-secured network services. Client principal names are stored in the form of rpc_gss_principal_t structures.
The maximum amount of time that the internal system clocks on all hosts that are participating in the Kerberos authentication system can differ. If the clock skew is exceeded between any of the participating hosts, requests are rejected. Clock skew can be specified in the krb5.conf file.
In the Solaris Cryptographic Framework, a consumer is a user of the cryptographic services that come from providers. Consumers can be applications, end users, or kernel operations. Kerberos, IKE, and IPsec are examples of consumers. For examples of providers, see provider.
A storage space (usually a file) that contains credentials that are received from the KDC.
Data Encryption Standard. A symmetric-key encryption method developed in 1975 and standardized by ANSI in 1981 as ANSI X.3.92. DES uses a 56-bit key.
Device protection at the user level. Device allocation enforces the exclusive use of a device by one user at a time. Device data is purged before device reuse. Authorizations can be used to limit who is permitted to allocate a device.
Device protection at the kernel level. Device policy is implemented as two sets of privileges on a device. One set of privileges controls read access to the device. The second set of privileges controls write access to the device. See also policy.
Also known as public key cryptography. An asymmetric cryptographic key agreement protocol that was developed by Diffie and Hellman in 1976. The protocol enables two users to exchange a secret key over an insecure medium without any prior secrets. Diffie-Hellman is used by Kerberos.
See message digest.
Digital Signature Algorithm. A public key algorithm with a variable key size from 512 to 4096 bits. The U.S. Government standard, DSS, goes up to 1024 bits. DSA relies on SHA1 for input.
The set of privileges that are currently in effect on a process.
Historically, security flavor and authentication flavor had the same meaning, as a flavor that indicated a type of authentication (AUTH_UNIX, AUTH_DES, AUTH_KERB). RPCSEC_GSS is also a security flavor, even though it provides integrity and privacy services in addition to authentication.
A ticket that a client can use to request a ticket on a remote host without requiring the client to go through the full authentication process on that host. For example, if the user david obtains a forwardable ticket while on user jennifer's machine, he can log in to his own machine without being required to get a new ticket (and thus authenticate himself again). See also proxiable ticket.
Fully qualified domain name. For example, central.example.com (as opposed to simply denver).
The Generic Security Service Application Programming Interface. A network layer that provides support for various modular security services, including the Kerberos service. GSS-API provides for security authentication, integrity, and privacy services. See also authentication, integrity, privacy.
The modification of the default configuration of the operating system to remove security vulnerabilities that are inherent in the host.
In the Solaris Cryptographic Framework, a device driver and its hardware accelerator. Hardware providers offload expensive cryptographic operations from the computer system, thus freeing CPU resources for other uses. See also provider.
A machine that is accessible over a network.
A particular instance of a service principal in which the principal (signified by the primary name host) is set up to provide a range of network services, such as ftp, rcp, or rlogin. An example of a host principal is host/central.example.com@EXAMPLE.COM. See also server principal.
The set of privileges that a process can inherit across a call to exec.
A ticket that is issued directly (that is, not based on an existing ticket-granting ticket). Some services, such as applications that change passwords, might require tickets to be marked initial so as to assure themselves that the client can demonstrate a knowledge of its secret key. This assurance is important because an initial ticket indicates that the client has recently authenticated itself (instead of relying on a ticket-granting ticket, which might existed for a long time).
The second part of a principal name, an instance qualifies the principal's primary. In the case of a service principal, the instance is required. The instance the host's fully qualified domain name, as in host/central.example.com. For user principals, an instance is optional. Note, however, that jdoe and jdoe/admin are unique principals. See also primary, principal name, service principal, user principal.
A postdated ticket that has not yet become usable. An invalid ticket is rejected by an application server until it becomes validated. To be validated, an invalid ticket must be presented to the KDC by the client in a TGS request, with the VALIDATE flag set, after its start time has passed. See also postdated ticket.
Key Distribution Center. A machine that has three Kerberos V5 components:
Principal and key database
Each realm has a master KDC and should have one or more slave KDCs.
An authentication service, the protocol that is used by that service, or the code that is used to implement that service.
The Solaris Kerberos implementation that is closely based on Kerberos V5 implementation.
While technically different, “Kerberos” and “Kerberos V5” are often used interchangeably in the Kerberos documentation.
Kerberos (also spelled Cerberus) was a fierce, three-headed mastiff who guarded the gates of Hades in Greek mythology.
A set of rules that governs password usage in the Kerberos service. Policies can regulate principals' accesses, or ticket parameters, such as lifetime.
1. Generally, one of two main types of keys:
A symmetric key – An encryption key that is identical to the decryption key. Symmetric keys are used to encrypt files.
An asymmetric key or public key – A key that is used in public key algorithms, such as Diffie-Hellman or RSA. Public keys include a private key that is known only by one user, a public key that is used by the server or general resource, and a private-public key pair that combines the two. A private key is also called a secret key. The public key is also called a shared key or common key.
2. An entry (principal name) in a keytab file. See also keytab file.
3. In Kerberos, an encryption key, of which there are three types:
A private key – An encryption key that is shared by a principal and the KDC, and distributed outside the bounds of the system. See also private key.
A service key – This key serves the same purpose as the private key, but is used by servers and services. See also service key.
A session key – A temporary encryption key that is used between two principals, with a lifetime limited to the duration of a single login session. See also session key.
A key table file that contains one or more keys (principals). A host or service uses a keytab file in the much the same way that a user uses a password.
Key version number. A sequence number that tracks a particular key in order of generation. The highest kvno is the latest and most current key.
The outside limit of what privileges are available to a process and its children.
2. Also called labeling. In government security terminology, MAC is Mandatory Access Control. Labels such as Top Secret and Confidential are examples of MAC. MAC contrasts with DAC, which is Discretionary Access Control. UNIX permissions are an example of DAC.
3. In hardware, the unique machine address on a LAN. If the machine is on an Ethernet, the MAC is the Ethernet address.
The main KDC in each realm, which includes a Kerberos administration server, kadmind, and an authentication and ticket-granting daemon, krb5kdc. Each realm must have at least one master KDC, and can have many duplicate, or slave, KDCs that provide authentication services to clients.
An iterative cryptographic hash function that is used for message authentication, including digital signatures. The function was developed in 1991 by Rivest.
1. A software package that specifies cryptographic techniques to achieve data authentication or confidentiality. Examples: Kerberos V5, Diffie-Hellman public key.
2. In the Solaris Cryptographic Framework, an implementation of an algorithm for a particular purpose. For example, a DES mechanism that is applied to authentication, such as CKM_DES_MAC, is a separate mechanism from a DES mechanism that is applied to encryption, CKM_DES_CBC_PAD.
MAC provides assurance of data integrity and authenticates data origin. MAC does not protect against eavesdropping.
A message digest is a hash value that is computed from a message. The hash value almost uniquely identifies the message. A digest is useful for verifying the integrity of a file.
The installation of the minimal operating system that is necessary to run the server. Any software that does not directly relate to the operation of the server is either not installed, or deleted after the installation.
The scope in which a role is permitted to operate, that is, an individual host or all hosts that are served by a specified name service such as NIS, NIS+, or LDAP. Scopes are applied to Solaris Management Console toolboxes.
A server that provides a network application, such as ftp. A realm can contain several network application servers.
An audit event whose initiator cannot be determined, such as the AUE_BOOT event.
Network Time Protocol. Software from the University of Delaware that enables you to manage precise time or network clock synchronization, or both, in a network environment. You can use NTP to maintain clock skew in a Kerberos environment. See also clock skew.
Pluggable Authentication Module. A framework that allows for multiple authentication mechanisms to be used without having to recompile the services that use them. PAM enables Kerberos session initialization at login.
A phrase that is used to verify that a private key was created by the passphrase user. A good passphrase is 10-30 characters long, mixes alphabetic and numeric characters, and avoids simple prose and simple names. You are prompted for the passphrase to authenticate use of the private key to encrypt and decrypt communications.
The encryption algorithms that can be used to generate passwords. Can also refer to more general issues around passwords, such as how often the passwords must be changed, how many mis-entries are permitted, and other security considerations. Security policy requires passwords. Password policy might require passwords to be encrypted with the MD5 algorithm, and might make further requirements related to password strength.
The set of privileges that are available for use by a process.
Generally, a plan or course of action that influences or determines decisions and actions. For computer systems, policy typically means security policy. Your site's security policy is the set of rules that define the sensitivity of the information that is being processed and the measures that are used to protect the information from unauthorized access. For example, security policy might require that systems be audited, that devices be protected with privileges, and that passwords be changed every six weeks.
In the Key Management Framework (KMF), policy is the management of certificate usage. The KMF policy database can put constraints on the use of the keys and certificates that are managed by the KMF library.
In the Solaris Cryptographic Framework, policy is the disabling of existing cryptographic mechanisms. The mechanisms then cannot be used. Policy in the cryptographic framework might prevent the use of a particular mechanism, such as CKM_DES_CBC, from a provider, such as DES.
A postdated ticket does not become valid until some specified time after its creation. Such a ticket is useful, for example, for batch jobs that are intended to run late at night, since the ticket, if stolen, cannot be used until the batch job is run. When a postdated ticket is issued, it is issued as invalid and remains that way until a) its start time has passed, and b) the client requests validation by the KDC. A postdated ticket is normally valid until the expiration time of the ticket-granting ticket. However, if the postdated ticket is marked renewable, its lifetime is normally set to be equal to the duration of the full life time of the ticket-granting ticket. See also invalid ticket, renewable ticket.
1. A uniquely named client/user or server/service instance that participates in a network communication. Kerberos transactions involve interactions between principals (service principals and user principals) or between principals and KDCs. In other words, a principal is a unique entity to which Kerberos can assign tickets. See also principal name, service principal, user principal.
A key that is given to each user principal, and known only to the user of the principal and to the KDC. For user principals, the key is based on the user's password. See also key.
In private-key encryption, the sender and receiver use the same key for encryption. See also public-key encryption.
A discrete right on a process in a Solaris system. Privileges offer a finer-grained control of processes than does root. Privileges are defined and enforced in the kernel. For a full description of privileges, see the privileges(5) man page.
A stricter model of security on a computer system than the superuser model. In the privilege model, processes require privilege to run. Administration of the system can be divided into discrete parts that are based on the privileges that administrators have in their processes. Privileges can be assigned to an administrator's login process. Or, privileges can be assigned to be in effect for certain commands only.
A collection of privileges. Every process has four sets of privileges that determine whether a process can use a particular privilege. See limit set, effective set set, permitted set set, and inheritable set set.
Also, the basic set set of privileges is the collection of privileges that are assigned to a user's process at login.
An application that can override system controls. The application checks for security attributes, such as specific UIDs, GIDs, authorizations, or privileges.
In RBAC, a shell that enables a role (or user) to run from the command line any privileged applications that are assigned to the role's rights profiles. The profile shells are pfsh, pfcsh, and pfksh. They correspond to the Bourne shell (sh), C shell (csh), and Korn shell (ksh), respectively.
In the Solaris Cryptographic Framework, a cryptographic service that is provided to consumers. PKCS #11 libraries, kernel cryptographic modules, and hardware accelerators are examples of providers. Providers plug in to the Solaris Cryptographic Framework, so are also called plugins. For examples of consumers, see consumer.
A ticket that can be used by a service on behalf of a client to perform an operation for the client. Thus, the service is said to act as the client's proxy. With the ticket, the service can take on the identity of the client. The service can use a proxiable ticket to obtain a service ticket to another service, but it cannot obtain a ticket-granting ticket. The difference between a proxiable ticket and a forwardable ticket is that a proxiable ticket is only valid for a single operation. See also forwardable ticket.
An encryption scheme in which each user has two keys, one public key and one private key. In public-key encryption, the sender uses the receiver's public key to encrypt the message, and the receiver uses a private key to decrypt it. The Kerberos service is a private-key system. See also private-key encryption.
Quality of Protection. A parameter that is used to select the cryptographic algorithms that are used in conjunction with the integrity service or privacy service.
Role-Based Access Control. An alternative to the all-or-nothing superuser model. RBAC lets an organization separate superuser's capabilities and assign them to special user accounts called roles. Roles can be assigned to specific individuals according to their responsibilities.
The security policy that is associated with a command. Currently, suser and solaris are the valid policies. The solaris policy recognizes privileges and setuid security attributes. The suser policy recognizes only setuid security attributes. Trusted Solaris systems, which can interoperate with a Solaris system, provide a tsol policy, which recognizes privileges, setuid security attributes, and labels on processes.
1. The logical network that is served by a single Kerberos database and a set of Key Distribution Centers (KDCs).
2. The third part of a principal name. For the principal name jdoe/admin@ENG.EXAMPLE.COM, the realm is ENG.EXAMPLE.COM. See also principal name.
A configuration variable or relationship that is defined in the kdc.conf or krb5.conf files.
Because having tickets with very long lives is a security risk, tickets can be designated as renewable. A renewable ticket has two expiration times: a) the time at which the current instance of the ticket expires, and b) maximum lifetime for any ticket. If a client wants to continue to use a ticket, the client renews the ticket before the first expiration occurs. For example, a ticket can be valid for one hour, with all tickets having a maximum lifetime of ten hours. If the client that holds the ticket wants to keep it for more than an hour, the client must renew the ticket. When a ticket reaches the maximum ticket lifetime, it automatically expires and cannot be renewed.
Also referred to as a right or a profile. A collection of overrides used in RBAC that can be assigned to a role or user. A rights profile can consist of authorizations, commands with security attributes, and other rights profiles.
A special identity for running privileged applications that only assigned users can assume.
A method for obtaining digital signatures and public key cryptosystems. The method was first described in 1978 by its developers, Rivest, Shamir, and Adleman.
Sun Enterprise Authentication Mechanism. The product name for the initial versions of a system for authenticating users over a network, based on the Kerberos V5 technology that was developed at the Massachusetts Institute of Technology. The product is now called the Kerberos service. SEAM refers to parts the Kerberos service that were not included in various Solaris releases.
See private key.
A special protocol for secure remote login and other secure network services over an insecure network.
In RBAC, overrides to security policy that enable an administrative command to succeed when the command is run by a user other than superuser. In the superuser model, the setuid and setgid programs are security attributes. When these attributes are applied to a command, the command succeeds no matter who runs the command. In the privilege model, security attributes are privileges. When a privilege is given to a command, the command succeeds. The privilege model is compatible with the superuser model, in that the privilege model also recognizes the setuid and setgid programs as security attributes.
A numeric starter for generating random numbers. When the starter originates from a random source, the seed is called a random seed.
A principal that provides a resource to network clients. For example, if you rlogin to the machine central.example.com, then that machine is the server that provides the rlogin service. See also service principal.
(RPCSEC_GSS API) A principal that provides a service. The server principal is stored as an ASCII string in the form service@host. See also client principal.
1. A resource that is provided to network clients, often by more than one server. For example, if you rlogin to the machine central.example.com, then that machine is the server that provides the rlogin service.
An encryption key that is shared by a service principal and the KDC, and is distributed outside the bounds of the system. See also key.
A principal that provides Kerberos authentication for a service or services. For service principals, the primary name is a name of a service, such as ftp, and its instance is the fully qualified host name of the system that provides the service. See also host principal, user principal.
A key that is generated by the authentication service or the ticket-granting service. A session key is generated to provide secure transactions between a client and a service. The lifetime of a session key is limited to a single login session. See also key.
Secure Hashing Algorithm. The algorithm operates on any input length less than 264 to produce a message digest. The SHA1 algorithm is input to DSA.
A single-system image is used in Solaris auditing to describe a group of audited machines that use the same naming service. These machines send their audit records to a central audit server, where the records can be compared as if the records came from one machine.
In the Solaris Cryptographic Framework, a kernel software module or a PKCS #11 library that provides cryptographic services. See also provider.
A stash file contains an encrypted copy of the master key for the KDC. This master key is used when a server is rebooted to automatically authenticate the KDC before it starts the kadmind and krb5kdc processes. Because the stash file includes the master key, the stash file and any backups of it should be kept secure. If the encryption is compromised, then the key could be used to access or modify the KDC database.
The typical UNIX model of security on a computer system. In the superuser model, an administrator has all-or-nothing control of the machine. Typically, to administer the machine, a user becomes superuser (root) and can do all administrative activities.
The majority of audit events. These events are associated with a process in the system. A non-attributable event that is associated with a process is a synchronous event, such as a failed login.
Ticket-Granting Service. That portion of the KDC that is responsible for issuing tickets.
Ticket-Granting Ticket. A ticket that is issued by the KDC that enables a client to request tickets for other services.
An information packet that is used to securely pass the identity of a user to a server or service. A ticket is valid for only a single client and a particular service on a specific server. A ticket contains the principal name of the service, the principal name of the user, the IP address of the user's host, a time stamp, and a value that defines the lifetime of the ticket. A ticket is created with a random session key to be used by the client and the service. Once a ticket has been created, it can be reused until the ticket expires. A ticket only serves to authenticate a client when it is presented along with a fresh authenticator. See also authenticator, credential, service, session key.
See credential cache.
A principal that is attributed to a particular user. A user principal's primary name is a user name, and its optional instance is a name that is used to described the intended use of the corresponding credentials (for example, jdoe or jdoe/admin). Also known as a user instance. See also service principal.
A network that provides secure communication by using encryption and tunneling to connect users over a public network.