Glossary

admin principal

A user principal with a name of the form username/admin (as in joe/admin). An admin principal can have more privileges (for example, to change policies) than a regular user principal. See also principal name, user principal.

application server

See network application server.

authentication

The process of verifying the claimed identity of a principal.

authenticator

Authenticators are passed by clients when requesting tickets (from a KDC) and services (from a server). They contain information, generated using a session key known only by the client and server, that can be shown to be of recent origin, thus indicating the transaction is secure. When used with a ticket, an authenticator can be used to authenticate a user principal. An authenticator includes the principal name of the user, the IP address of the user's host, and a timestamp. Unlike a ticket, an authenticator can be used only once, usually when access to a service is requested. An authenticator is encrypted using the session key for that client and that server.

authorization

The process of determining whether a principal can use a service, which objects the principal is allowed to access, and the type of access allowed for each.

client

• Narrowly, a process that makes use of a network service on behalf of a user; for example, an application that uses rlogin. In some cases, a server can itself be a client of some other server or service.

• More broadly, a host that a) receives a Kerberos credential and b) makes use of a service provided by a server.

Informally, a principal that makes use of a service.

client principal

(RPCSEC_GSS API) A client (a user or an application) that uses RPCSEC_GSS-secured network services. Client principal names are stored in the form of rpc_gss_principal_t structures.

clock skew

The maximum amount of time that the internal system clocks on all hosts participating in the Kerberos authentication system can differ. If the clock skew is exceeded between any of the participating hosts, requests will be rejected. Clock skew can be specified in the krb5.conf file.

confidentiality

See privacy.

credential

An information package that includes a ticket and a matching session key. Used to authenticate the identity of a principal. See also ticket, session key.

credential cache

A storage space (usually a file) containing credentials received from the KDC.

flavor

Historically, security flavor and authentication flavor meant the same thing, as a flavor indicated a type of authentication (AUTH_UNIX, AUTH_DES, AUTH_KERB). RPCSEC_GSS is also a security flavor, even though it provides integrity and privacy services in addition to authentication.

forwardable ticket

A ticket that can be used by a client to request a ticket on a remote host without the client having to go through the full authentication process on that host. For example, if the user david obtains a forwardable ticket while on jennifer's machine, he can log in to his own machine without having to get a new ticket (and thus authenticate himself again). See also proxiable ticket.

FQDN

Fully Qualified Domain Name. For example, denver.mtn.acme.com (as opposed to simply denver).

GSS-API

The Generic Security Service Application Programming Interface. A network layer providing support for various modular security services (including SEAM). GSS-API provides for security authentication, integrity, and privacy services. See also authentication, integrity, privacy.

host

A machine accessible over a network.

host principal

A particular instance of a service principal in which the principal (signified by the primary name host) is set up to provide a range of network services, such as ftp, rcp, or rlogin. host/boston.eng.acme.com@ENG.ACME.COM is an example of a host principal. See also server principal.

initial ticket

A ticket that is issued directly (that is, not based on an existing ticket-granting ticket). Some services, such as applications that change passwords, might require tickets to be marked initial so as to assure themselves that the client can demonstrate a knowledge of its secret key -- because an initial ticket indicates that the client has recently authenticated itself (instead of relying on a ticket-granting ticket, which might have been around for a long time).

instance

The second part of a principal name, an instance qualifies the principal's primary. In the case of a service principal, the instance is required and is the host's fully qualified domain name, as in host/boston.eng.acme.com. For user principals, an instance is optional; note, however, that joe and joe/admin are unique principals. See also principal name, service principal, user principal.

integrity

A security service that, in addition to user authentication, provides for the validity of transmitted data through cryptographic checksumming. See also authentication, privacy.

invalid ticket

A postdated ticket that has not yet become usable. It will be rejected by an application server until it becomes validated. To be validated, it must be presented to the KDC by the client in a TGS request, with the VALIDATE flag set, after its start time has passed. See also postdated ticket.

KDC

(Key Distribution Center) A machine that has three Kerberos V5 components:

• Principal and key database

• Authentication service

• Ticket-granting service

Each realm has a master KDC and should have one or more slave KDCs.

Kerberos

An authentication service, the protocol used by that service, or the code used to implement that service.

SEAM is an authentication implementation closely based on Kerberos V5.

While technically different, "SEAM" and "Kerberos" are often used interchangeably in SEAM documentation; the same is true for "Kerberos" and "Kerberos V5."

Kerberos (also spelled Cerberus) was a fierce, three-headed mastiff who guarded the gates of Hades in Greek mythology.

key

1. An entry (principal name) in a keytab. (See keytab.)

2. An encryption key, of which there are three types:

   1. A private key. An encryption key shared by a principal and the KDC, distributed outside the bounds of the system. See also private key.

   2. A service key. This key serves the same purpose as the private key, but is used by servers and services. See also service key.

   3. A session key. A temporary encryption key used between two principals, with a lifetime limited to the duration of a single login session. See also session key.

keytab

A key table file containing one or more keys (principals). A host or service uses a keytab file in the much the same way that a user uses a password.

kvno

Key Version Number. A sequence number tracking a particular key in order of generation. The highest kvno is the latest and current key.

master KDC

The main KDC in each realm, including a Kerberos administration server, kadmind, and an authentication and ticket-granting daemon, krb5kdc. Each realm must have at least one master KDC, and can have many duplicate, or slave, KDCs that provide authentication services to clients.

mechanism

A software package that specifies cyptographic techniques to achieve data authentication or confidentiality. Examples: Kerberos V5, Diffie-Hellman public key.

network application server

A server providing an network application, such as ftp. A realm can contain several network application servers.

NTP

(Network Time Protocol) Software from the University of Delaware that enables you to manage precise time and/or network clock synchronization in a network environment. You can use NTP to maintain clock skew in a Kerberos environment.

PAM

(Pluggable Authentication Module) A framework that allows for multiple authentication mechanisms to be used without having to recompile the services using them. PAM enables SEAM session initialization at login.

policy

A set of rules, initiated when SEAM is installed or administered, governing ticket usage. Policies can regulate principals' accesses, or ticket parameters, such as lifespan.

postdated ticket

A postdated ticket is one that does not become valid until some specified time after its creation. Such a ticket is useful, for example, for batch jobs intended to be run late at night, since the ticket, if stolen, cannot be used until the batch job is to be run. When a postdated ticket is issued, it is issued as invalid and remains that way until a) its start time has passed, and b) the client requests validation by the KDC. A postdated ticket is normally valid until the expiration time of the ticket-granting ticket; however, if it is marked renewable, its lifetime is normally set to be equal to the duration of the full life of the ticket-granting ticket. See also invalid ticket, renewable ticket.

primary

The first part of a principal name. See also instance, principal name, realm.

principal

1. A uniquely named client/user or server/service instance that participates in a network communication; Kerberos transactions involve interactions between principals (service principals and user principals) or between principals and KDCs. Put another way, a principal is a unique entity to which Kerberos can assign tickets. See also principal name, service principal, user principal.

2. (RPCSEC_GSS API) See client principal, server principal.

principal name

1. The name of a principal, having the format of primary/instance@REALM. See also instance, primary, realm.

2. (RPCSEC_GSS API) See client principal, server principal.

privacy

A security service, in which transmitted data is encrypted before being sent. Privacy also includes data integrity and user authentication. See also authentication, integrity, service.

private key

A key is given to each user principal and known only to the user of the principal and to the KDC. For user principals, the key is based on the user's password. See also key.

private-key encryption

In private-key encryption, the sender and receiver use the same key for encryption. See also public-key encryption.

proxiable ticket

A ticket that can be used by a service on behalf of a client to perform an operation for the client. (Thus the service is said to act as the client's proxy.) With the ticket, the service can take on the identity of the client. The service can use this to obtain a service ticket to another service, but it cannot obtain a ticket-granting ticket. The difference between a proxiable ticket and a forwardable ticket is that a proxiable ticket is only valid for a single operation. See also forwardable ticket.

public-key encryption

An encryption scheme in which each user has two keys, one public and one private. In public-key encryption, the sender uses the receiver's public key to encrypt the message, and the receiver uses a private key to decrypt it. SEAM is a private-key system. See also private-key encryption.

QOP

(Quality of Protection) A parameter used to select the cryptographic algorithms to be used in conjunction with the integrity or privacy service.

realm

1. The logical network served by a single SEAM database and a set of Key Distribution Centers (KDCs).

2. The third part of a principal name. For the principal name joe/admin@ENG.ACME.COM, the realm is ENG.ACME.COM. See also principal name.

relation

A configuration variable or relationship defined in the kdc.conf or krb5.conf files.

renewable ticket

Because it is a security risk to have tickets with very long lives, tickets can be designated as renewable. A renewable ticket has two expiration times: the time at which the current instance of the ticket expires, and maximum lifetime for any ticket. If a client wants to continue to use a ticket, it renews it before the first expiration occurs. For example, a ticket can be valid for one hour, with all tickets having a maximum lifetime of ten hours. If the client holding the ticket wants to keep it for more than an hour, it must renew it. When a ticket reaches the maximum ticket lifetime, it automatically expires and cannot be renewed.

SEAM

(Sun Enterprise Authentication Mechanism) A system for authenticating users over a network, based on the Kerberos V5 technology developed at the Massachusetts Institute of Technology.

"SEAM" and "Kerberos" are often used interchangeably in the SEAM documentation.

secret key

See private key.

security flavor

See flavor.

security mechanism

See mechanism.

security service

See service.

server

A particular principal that provides a resource to network clients. For example, if you rlogin to the machine boston.eng.acme.com, then that machine is the server providing the rlogin service. See also service principal.

server principal

(RPCSEC_GSS API) A principal providing a service. It is stored as an ASCII string of the form service@host. See also client principal.

service

1. A resource provided to network clients; often provided by more than one server. For example, if you rlogin to the machine boston.eng.acme.com, then that machine is the server providing the rlogin service.

2. A security service -- either integrity or privacy, providing a level of protection beyond authentication. See also integrity and privacy.

service key

An encryption key shared by a service principal and the KDC, distributed outside the bounds of the system. See also key.

service principal

A principal that provides a Kerberos authentication for a service or services. For service principals, the primary name is a name of a service, such as ftp, and its instance is the fully qualified hostname of the system that provides the service. See also host principal, user principal.

session key

A key generated by the authentication service or the ticket-granting service. A session key is generated to provide secure transactions between a client and a service. Its lifetime is limited to a single login session. See also key.

slave KDC

A copy of a master KDC, capable of performing most of the functions of the master. Each realm usually has several slave KDCs (and only one master KDC). See also KDC, master KDC.

stash file

A stash file contains an encrypted copy of the master key for the KDC. This key is used when a server is rebooted to automatically authenticate the KDC before starting kadmind and krb5kdc processes. Because this file includes the master key, the file and any backups of the file should be kept secure. If the encryption is compromised, then the key could be used to access or modify the KDC database.

ticket

An information packet used to securely pass the identity of a user to a server or service. A ticket is good for only a single client and a particular service on a specific server. It contains the principal name of the service, the principal name of the user, the IP address of the user's host, a timestamp, and a value to define the lifetime of the ticket. A ticket is created with a random session key to be used by the client and the service. Once a ticket has been created, it can be reused until the ticket expires. A ticket only serves to authenticate a client when presented along with a fresh authenticator. See also authenticator, credential, service, session key.

ticket file

See credential cache.

TGS

(Ticket-Granting Service) That portion of the KDC that is responsible for issuing tickets.

TGT

(Ticket-Granting Ticket) A ticket issued by the KDC that enables a client to request tickets for other services.

user principal

A principal attributed to a particular user, whose primary name is a user name and its optional instance is a name used to described the intended use of the corresponding credentials (for example, joe or joe/admin). Also known as a user instance. See also service principal.