JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris Administration: Security Services     Oracle Solaris 11 Information Library
search filter icon
search icon

Document Information

Preface

Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Virus Scanning Service (Tasks)

5.  Controlling Access to Devices (Tasks)

6.  Using the Basic Audit Reporting Tool (Tasks)

7.  Controlling Access to Files (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Security Attributes in Oracle Solaris (Reference)

Part IV Cryptographic Services

11.  Cryptographic Framework (Overview)

12.  Cryptographic Framework (Tasks)

13.  Key Management Framework

Part V Authentication Services and Secure Communication

14.  Network Services Authentication (Tasks)

15.  Using PAM

16.  Using SASL

17.  Using Secure Shell (Tasks)

18.  Secure Shell (Reference)

Part VI Kerberos Service

19.  Introduction to the Kerberos Service

20.  Planning for the Kerberos Service

21.  Configuring the Kerberos Service (Tasks)

22.  Kerberos Error Messages and Troubleshooting

23.  Administering Kerberos Principals and Policies (Tasks)

Ways to Administer Kerberos Principals and Policies

SEAM Tool

Command-Line Equivalents of the SEAM Tool

The Only File Modified by the SEAM Tool

Print and Online Help Features of the SEAM Tool

Working With Large Lists in the SEAM Tool

How to Start the SEAM Tool

Administering Kerberos Principals

Administering Kerberos Principals (Task Map)

Automating the Creation of New Kerberos Principals

How to View the List of Kerberos Principals

How to View a Kerberos Principal's Attributes

How to Create a New Kerberos Principal

How to Duplicate a Kerberos Principal

How to Modify a Kerberos Principal

How to Delete a Kerberos Principal

How to Set Up Defaults for Creating New Kerberos Principals

How to Modify the Kerberos Administration Privileges

Administering Kerberos Policies

Administering Kerberos Policies (Task Map)

How to View the List of Kerberos Policies

How to View a Kerberos Policy's Attributes

How to Create a New Kerberos Policy

How to Duplicate a Kerberos Policy

How to Modify a Kerberos Policy

How to Delete a Kerberos Policy

SEAM Tool Reference

SEAM Tool Panel Descriptions

Using the SEAM Tool With Limited Kerberos Administration Privileges

Administering Keytab Files

Administering Keytab Files (Task Map)

How to Add a Kerberos Service Principal to a Keytab File

How to Remove a Service Principal From a Keytab File

How to Display the Keylist (Principals) in a Keytab File

How to Temporarily Disable Authentication for a Service on a Host

24.  Using Kerberos Applications (Tasks)

25.  The Kerberos Service (Reference)

Part VII Auditing in Oracle Solaris

26.  Auditing (Overview)

27.  Planning for Auditing

28.  Managing Auditing (Tasks)

29.  Auditing (Reference)

Glossary

Index

SEAM Tool Reference

This section provides descriptions of each panel in the SEAM Tool. Also, information about using limited privileges with SEAM Tool are provided.

SEAM Tool Panel Descriptions

This section provides descriptions for each principal and policy attribute that you can either specify or view in the SEAM Tool. The attributes are organized by the panel in which they are displayed.

Table 23-2 Attributes for the Principal Basics Panel of the SEAM Tool

Attribute
Description
Principal Name
The name of the principal (which is the primary/instance part of a fully qualified principal name). A principal is a unique identity to which the KDC can assign tickets.

If you are modifying a principal, you cannot edit its name.

Password
The password for the principal. You can use the Generate Random Password button to create a random password for the principal.
Policy
A menu of available policies for the principal.
Account Expires
The date and time on which the principal's account expires. When the account expires, the principal can no longer get a ticket-granting ticket (TGT) and might be unable to log in.
Last Principal Change
The date on which information for the principal was last modified. (Read only)
Last Changed By
The name of the principal that last modified the account for this principal. (Read only)
Comments
Comments that are related to the principal (for example, “Temporary Account”).

Table 23-3 Attributes for the Principal Details Panel of the SEAM Tool

Attribute
Description
Last Success
The date and time when the principal last logged in successfully. (Read only)
Last Failure
The date and time when the last login failure for the principal occurred. (Read only)
Failure Count
The number of times a login failure has occurred for the principal. (Read only)
Last Password Change
The date and time when the principal's password was last changed. (Read only)
Password Expires
The date and time when the principal's current password expires.
Key Version
The key version number for the principal. This attribute is normally changed only when a password has been compromised.
Maximum Lifetime (seconds)
The maximum length of time for which a ticket can be granted for the principal (without renewal).
Maximum Renewal (seconds)
The maximum length of time for which an existing ticket can be renewed for the principal.

Table 23-4 Attributes of the Principal Flags Panel of the SEAM Tool

Attribute (Radio Buttons)
Description
Disable Account
When checked, prevents the principal from logging in. This attribute provides an easy way to temporarily freeze a principal account.
Require Password Change
When checked, expires the principal's current password, which forces the user to use the kpasswd command to create a new password. This attribute is useful if a security breach occurs, and you need to make sure that old passwords are replaced.
Allow Postdated Tickets
When checked, allows the principal to obtain postdated tickets.

For example, you might need to use postdated tickets for cron jobs that must run after hours, but you cannot obtain tickets in advance because of short ticket lifetimes.

Allow Forwardable Tickets
When checked, allows the principal to obtain forwardable tickets.

Forwardable tickets are tickets that are forwarded to the remote host to provide a single-sign-on session. For example, if you are using forwardable tickets and you authenticate yourself through ftp or rsh, then other services, such as NFS services, are available without your being prompted for another password.

Allow Renewable Tickets
When checked, allows the principal to obtain renewable tickets.

A principal can automatically extend the expiration date or time of a ticket that is renewable (rather than having to get a new ticket after the first ticket expires). Currently, the NFS service is the ticket service that can renew tickets.

Allow Proxiable Tickets
When checked, allows the principal to obtain proxiable tickets.

A proxiable ticket is a ticket that can be used by a service on behalf of a client to perform an operation for the client. With a proxiable ticket, a service can take on the identity of a client and obtain a ticket for another service. However, the service cannot obtain a ticket-granting ticket (TGT).

Allow Service Tickets
When checked, allows service tickets to be issued for the principal.

You should not allow service tickets to be issued for the kadmin/hostname and changepw/hostname principals. This practice ensures that only these principals can update the KDC database.

Allow TGT-Based Authentication
When checked, allows the service principal to provide services to another principal. More specifically, this attribute allows the KDC to issue a service ticket for the service principal.

This attribute is valid only for service principals. When unchecked, service tickets cannot be issued for the service principal.

Allow Duplicate Authentication
When checked, allows the user principal to obtain service tickets for other user principals.

This attribute is valid only for user principals. When unchecked, the user principal can still obtain service tickets for service principals, but not for other user principals.

Required Preauthentication
When checked, the KDC will not send a requested ticket-granting ticket (TGT) to the principal until the KDC can authenticate (through software) that the principal is really the principal that is requesting the TGT. This preauthentication is usually done through an extra password, for example, from a DES card.

When unchecked, the KDC does not need to preauthenticate the principal before the KDC sends a requested TGT to the principal.

Required Hardware Authentication
When checked, the KDC will not send a requested ticket-granting ticket (TGT) to the principal until the KDC can authenticate (through hardware) that the principal is really the principal that is requesting the TGT. Hardware preauthentication can occur, for example, on a Java ring reader.

When unchecked, the KDC does not need to preauthenticate the principal before the KDC sends a requested TGT to the principal.

Table 23-5 Attributes for the Policy Basics Pane of the SEAM Tool

Attribute
Description
Policy Name
The name of the policy. A policy is a set of rules that govern a principal's password and tickets.

If you are modifying a policy, you cannot edit its name.

Minimum Password Length
The minimum length for the principal's password.
Minimum Password Classes
The minimum number of different character types that are required in the principal's password.

For example, a minimum classes value of 2 means that the password must have at least two different character types, such as letters and numbers (hi2mom). A value of 3 means that the password must have at least three different character types, such as letters, numbers, and punctuation (hi2mom!). And so on.

A value of 1 sets no restriction on the number of password character types.

Saved Password History
The number of previous passwords that have been used by the principal, and a list of the previous passwords that cannot be reused.
Minimum Password Lifetime (seconds)
The minimum length of time that the password must be used before it can be changed.
Maximum Password Lifetime (seconds)
The maximum length of time that the password can be used before it must be changed.
Principals Using This Policy
The number of principals to which this policy currently applies. (Read only)

Using the SEAM Tool With Limited Kerberos Administration Privileges

All capabilities of the SEAM Tool are available if your admin principal has all the privileges to administer the Kerberos database. However, you might have limited privileges, such as only being allowed to view the list of principals or to change a principal's password. With limited Kerberos administration privileges, you can still use the SEAM Tool. However, various parts of the SEAM Tool change based on the Kerberos administration privileges that you do not have. Table 23-6 shows how the SEAM Tool changes based on your Kerberos administration privileges.

The most visual change to the SEAM Tool occurs when you don't have the list privilege. Without the list privilege, the List panels do not display the list of principals and polices for you to manipulate. Instead, you must use the Name field in the List panels to specify a principal or a policy that you want to manipulate.

If you log in to the SEAM Tool, and you do not have sufficient privileges to perform tasks with it, the following message displays and you are sent back to the SEAM Administration Login window:

Insufficient privileges to use gkadmin: ADMCIL. Please try using another principal.

To change the privileges for a principal so that it can administer the Kerberos database, go to How to Modify the Kerberos Administration Privileges.

Table 23-6 Using the SEAM Tool With Limited Kerberos Administration Privileges

Disallowed Privilege
How the SEAM Tool Changes
a (add)
The Create New and Duplicate buttons are unavailable in the Principal List and Policy List panels. Without the add privilege, you cannot create new principals or policies, or duplicate them.
d (delete)
The Delete button is unavailable in the Principal List and Policy List panels. Without the delete privilege, you cannot delete principals or policies.
m (modify)
The Modify button is unavailable in the Principal List and Policy List panels. Without the modify privilege, you cannot modify principals or policies.

Also, with the Modify button unavailable, you cannot modify a principal's password, even if you have the change password privilege.

c (change password)
The Password field in the Principal Basics panel is read only and cannot be changed. Without the change password privilege, you cannot modify a principal's password.

Note that even if you have the change password privilege, you must also have the modify privilege to change a principal's password.

i (inquiry to database)
The Modify and Duplicate buttons are unavailable in the Principal List and Policy List panels. Without the inquiry privilege, you cannot modify or duplicate a principal or a policy.

Also, with the Modify button unavailable, you cannot modify a principal's password, even if you have the change password privilege.

l (list)
The list of principals and policies in the List panels are unavailable. Without the list privilege, you must use the Name field in the List panels to specify the principal or the policy that you want to manipulate.