Sun Enterprise Authentication Mechanism Guide

SEAM Files

Table 7-1 SEAM Files

File Name                        Description
---------                        -----------
~/.gkadmin                       Default values for creating new principals in the SEAM Administration Tool
~/.k5login                       List of principals granted access to a user's Kerberos account
/etc/gss/gsscred.conf            Default file types for the gsscred table
/etc/gss/mech                    Mechanisms for RPCSEC_GSS
/etc/gss/qop                     Quality of Protection parameters for RPCSEC_GSS
/etc/init.d/kdc                  init script to start or stop krb5kdc
/etc/init.d/kdc.master           init script to start or stop kadmind
/etc/krb5/kadm5.acl              Kerberos access control list file; lists the principal names of KDC administrators and their Kerberos administration privileges
/etc/krb5/kadm5.keytab           Keytab for the kadmin service on the master KDC
/etc/krb5/kdc.conf               KDC configuration file
/etc/krb5/kpropd.acl             Kerberos database propagation configuration file
/etc/krb5/krb5.conf              Kerberos realm configuration file
/etc/krb5/krb5.keytab            Keytab for network application servers
/etc/krb5/warn.conf              Kerberos warning configuration file
/etc/pam.conf                    PAM configuration file
/tmp/krb5cc_uid                  Default credentials cache (uid is the decimal UID of the user)
/tmp/ovsec_adm.xxxxxx            Temporary credentials cache for the lifetime of the password-changing operation (xxxxxx is a random string)
/var/krb5/.k5.REALM              KDC stash file; contains an encrypted copy of the KDC master key
/var/krb5/kadmin.log             Log file for kadmind
/var/krb5/kdc.log                Log file for the KDC
/var/krb5/principal.db           Kerberos principal database
/var/krb5/principal.kadm5        Kerberos administrative database; contains policy information
/var/krb5/principal.kadm5.lock   Kerberos administrative database lock file
/var/krb5/principal.ok           Kerberos principal database initialization file; created when the Kerberos database is initialized successfully
/var/krb5/slave_datatrans        Backup file of the KDC database that kprop_script uses for propagation

PAM Configuration File

The default PAM configuration file delivered with SEAM includes entries to handle the new Kerberized applications. The new file includes entries for each of the four module types: authentication, account management, session management, and password management.

For the authentication module, the new entries are for rlogin, login, dtlogin, krlogin, ktelnet, and krsh. An example of these entries is shown below. All of these services use the new PAM library, /usr/lib/security/pam_krb5.so.1, to provide Kerberos authentication.

The first three entries use the try_first_pass option, which tells pam_krb5 to try the password already collected earlier in the stack before prompting for one. The user is therefore not prompted for a second password even though several mechanisms are stacked; pam_krb5 prompts only if that password fails Kerberos authentication. Note that these three entries are marked optional, so a pam_krb5 failure does not by itself deny the login; the overall result is decided by the other modules in the stack, unless pam_krb5 is the only module listed for that service.

The next three entries use the acceptor option, which stops pam_krb5 from performing the step that obtains the initial ticket-granting ticket. For Kerberized server applications (krlogin, ktelnet, krsh) the Kerberos exchange has already been performed by the application itself, so that step does not need to be repeated in PAM. In addition, an other entry serves as the default for any service requiring authentication that is not listed explicitly.


# cat /etc/pam.conf
 .
 .
rlogin auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
login auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
dtlogin auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
krlogin auth required /usr/lib/security/pam_krb5.so.1 acceptor
ktelnet auth required /usr/lib/security/pam_krb5.so.1 acceptor
krsh auth required /usr/lib/security/pam_krb5.so.1 acceptor
other auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass

For account management, dtlogin has a new entry that uses the Kerberos library, as shown below. An other entry provides the default rule; currently no actions are taken by the other entry.


dtlogin account optional /usr/lib/security/pam_krb5.so.1 
other account optional /usr/lib/security/pam_krb5.so.1

The last two entries in the /etc/pam.conf file are shown below. The other entry for session management destroys the user's Kerberos credentials when the session ends. The new other entry for password management selects the Kerberos library, again with try_first_pass, so a password change through PAM also updates the user's Kerberos password without a second prompt.


other session optional /usr/lib/security/pam_krb5.so.1 
other password optional /usr/lib/security/pam_krb5.so.1 try_first_pass
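As an added example, not part of the SEAM guide or of Sun's code, the following Python script parses the pam.conf layout shown above (service, module type, control flag, module path, options) and checks the pam_krb5 entries for the properties the text describes: interactive services carry try_first_pass, the Kerberized servers carry acceptor, and an optional pam_krb5 that shares a stack with other modules is reported for information, since a Kerberos failure there does not deny access on its own. The sample configuration embedded in the script is constructed from the guide's entries with two deliberate deviations (login without try_first_pass, ktelnet without acceptor); the pam_unix.so.1 line is assumed for illustration.

```python
# Added example (not from the SEAM guide): audit the pam_krb5 entries of a
# Solaris-style /etc/pam.conf against the layout the guide describes.
# pam.conf fields: service  module_type  control_flag  module_path  [options]
from collections import defaultdict

PAM_KRB5 = "/usr/lib/security/pam_krb5.so.1"

# Interactive services whose pam_krb5 auth entry should reuse the password
# already collected earlier in the stack instead of prompting again.
INTERACTIVE = {"rlogin", "login", "dtlogin", "other"}
# Kerberized servers: the application already did the Kerberos exchange,
# so pam_krb5 must be told not to fetch an initial TGT.
KERBERIZED = {"krlogin", "ktelnet", "krsh"}

# Constructed sample: the guide's entries plus two deliberate deviations
# (login without try_first_pass, ktelnet without acceptor) for the checks
# to flag.  The pam_unix.so.1 line is assumed for illustration.
SAMPLE_PAM_CONF = """\
# Kerberos-related entries
rlogin   auth     optional /usr/lib/security/pam_krb5.so.1 try_first_pass
login    auth     required /usr/lib/security/pam_unix.so.1
login    auth     optional /usr/lib/security/pam_krb5.so.1
dtlogin  auth     optional /usr/lib/security/pam_krb5.so.1 try_first_pass
krlogin  auth     required /usr/lib/security/pam_krb5.so.1 acceptor
ktelnet  auth     required /usr/lib/security/pam_krb5.so.1
krsh     auth     required /usr/lib/security/pam_krb5.so.1 acceptor
other    auth     optional /usr/lib/security/pam_krb5.so.1 try_first_pass
dtlogin  account  optional /usr/lib/security/pam_krb5.so.1
other    account  optional /usr/lib/security/pam_krb5.so.1
other    session  optional /usr/lib/security/pam_krb5.so.1
other    password optional /usr/lib/security/pam_krb5.so.1 try_first_pass
"""


def parse_pam_conf(text):
    """Return (service, module_type, control_flag, module_path, options) per entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, flag, path = fields[:4]
        entries.append((service, mtype, flag, path, fields[4:]))
    return entries


def audit_pam_krb5(text):
    """Return (service, module_type, level, message) findings for pam_krb5 entries."""
    entries = parse_pam_conf(text)
    findings = []
    # Modules per (service, type) stack: an "optional" pam_krb5 only decides
    # the result when it is the sole module in its stack.
    stack_size = defaultdict(int)
    for service, mtype, _flag, _path, _opts in entries:
        stack_size[(service, mtype)] += 1
    for service, mtype, flag, path, opts in entries:
        if path != PAM_KRB5:
            continue
        if mtype == "auth" and service in KERBERIZED and "acceptor" not in opts:
            findings.append((service, mtype, "error",
                             "missing acceptor: pam_krb5 would try to obtain a TGT "
                             "although the application already completed the exchange"))
        if mtype == "auth" and service in INTERACTIVE and "try_first_pass" not in opts:
            findings.append((service, mtype, "error",
                             "missing try_first_pass: user is prompted for a second password"))
        if flag == "optional" and stack_size[(service, mtype)] > 1:
            findings.append((service, mtype, "info",
                             "pam_krb5 is optional in a multi-module stack: a Kerberos "
                             "failure alone does not deny access"))
    return findings


if __name__ == "__main__":
    for service, mtype, level, msg in audit_pam_krb5(SAMPLE_PAM_CONF):
        print("%-5s %-8s %-8s %s" % (level, service, mtype, msg))
```

To audit a real host, pass the contents of /etc/pam.conf to audit_pam_krb5 instead of the sample. The "info" finding is not a defect: the guide's own entries are optional by design, but it records which services let the other stacked modules decide the outcome when Kerberos authentication fails.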