This chapter provides a general overview of the Sun(TM) Enterprise Authentication Mechanism (SEAM) product. The following topics are covered:
The SEAM release is designed to improve system security by supporting Kerberos V5 authentication, privacy, and integrity. Security should also be improved by allowing single network sign-on when using the kerberized login mechanisms and by providing kerberized NFS(TM) services.
This release includes the following:
    Key distribution center (KDC)
        KDC services: kadmind and krb5kdc
        KDC administration utilities: kadmin, kadmin.local, and gkadmin
        kpropd
    Kerberos utilities: kdestroy, kinit, klist, and kpasswd
    Kerberized utilities and daemons
        ftp, rcp, rlogin, rsh, and telnet
        ftpd, rlogind, rshd, and telnetd
    Documentation including:
        SEAM Installation and Release Notes (this document)
        Man pages
The Solaris 2.6 or 2.7 release must be installed for this product to function. XFN and JDK(TM) 1.1 must also be installed.
SEAM is an evolving specification and is subject to change.
SEAM interoperability has been tested against both MIT Kerberos V5 1.0 and NT 5.0 installations.
SEAM interoperates with an MIT installation with the following caveats:
gkadmin and kadmin do not work against MIT KDCs. The reason for this failure is that gkadmin and kadmin use the RPCSEC_GSS protocol to secure the connection to the KDC. The MIT Kerberos V5 1.0 installation uses a non-standard AUTH_GSSAPI protocol to provide security. Because these two protocols are different, you cannot use gkadmin and kadmin with an MIT KDC.
SEAM does not include the ksu command. Instead, PAM is used to let su do most of what ksu does. One area that is different is that ksu looks at the .k5login file to see if the user using su is allowed to do so without a password, if he has Kerberos V5 credentials. This check is not done in SEAM.
SEAM and MIT Kerberos V5 code are not intended to co-exist on the same host. While this is theoretically possible, it is not supported.
SEAM requires that rpcbind be run. This is not a requirement of the MIT Kerberos V5 installation.
Information about SEAM interoperability with NT can be found at: http://www.connectathon.org/seam1.0. This site contains up-to-date information about the results of the testing and procedures that can be used to allow SEAM to interoperate with NT.
This is a list of the known bugs in SEAM 1.0. Each item includes the bug number and bug synopsis, as well as a short description of the bug.
4084755: dtlockscreen uses traditional method of checking password rather than PAM
dtlockscreen uses the traditional method of checking to be sure a user's password is valid, rather than PAM. It makes a call to PAM only if this fails. This is a potential security problem, since a user might be able to gain access to a system that is displaying a screen lock using only the password defined in the name service for UNIX(TM) authentication.
4189642: garbage in the kerberized rsh usage message
rsh, rlogin, and rcp print out the option string for illegal options. They should print out the program name.
4211978: gkadmin: Password Expires: field displayed misleading info
When gkadmin is used to change the password, the password expiration time changes, because it gets the expiration time from a policy assigned to the principal. The GUI does not make it obvious that the expiration time is coming from a policy. The effect on password expiration is the same regardless of whether the password is changed with kadmin, kadmin.local, gkadmin, kpasswd, or passwd.
Users need to be aware that there are two choices every time they change the password: either empty out the password expiration field to make the server fill it in by consulting the policy, or leave the field with a date in it to set the expiration date explicitly.
4143644: Kerberized rsh -f did not work correctly
If the user explicitly asks for forwardable credentials, rsh should fail if there are no forwardable credentials.
4159036: "telnet> encrypt enable DES_OFB64" hung the session
The encryption type DES_OFB64 cannot be used for data encryption in telnet. The only encryption that can be used is DES_CFB64, which is also the default encryption type.
4159419: gkadmin should try to consult policy if possible when generating random passwords
When a user uses gkadmin to generate a random password for a principal, the tool should try to consult the policy being applied to decide the number of characters and character classes to be used. This will result in the first generated password being accepted by the kadmin API, in most cases.
4170403: Kerberized rlogin in cross-realm does not fail with incorrect password
When Kerberized rlogin is enabled in inetd.conf and not enabled in pam.conf (on a host running an rlogin server), a user is authenticated correctly using Kerberos V5 when using rlogin between realms. However, if the user is prompted for a password, any password is accepted. This is not a security hole, since the user has already been authenticated using Kerberos V5. Do not disable kerberized rlogin in pam.conf if you enable it in inetd.conf.
4172240: when -r option is used to telnet, telnet reports escape character as ^]
The escape character is ~, as described in the man page.
4177603: kprop command returns "Broken Pipe" when kpropd.acl is missing entry for master
If /etc/krb5/kpropd.acl is not set up properly on a slave KDC, the kprop command on the client fails with "Broken Pipe."
4178210: gkadmin: when the ticket expires it should return to login window for re-authentication
When the credential of the admin who is currently logged in gkadmin is expired, it would be nice if gkadmin would pop up the message saying the "Ticket/credential is expired"; then after the admin clicks on the "OK" button, gkadmin should close the current "SEAM Administration Tools" window and return the admin user to the "SEAM Administration Login" window with the prompt active on the "Password:" field to imply that the admin user needs to enter password for re-authentication.
4179331: gkadmin: Can not change the Principal/Policy name
gkadmin does not support the ability to change a principal's name or policy. To achieve the same effect, the principal or policy should be copied to the new name using the "Duplicate" button, then the old one should be deleted.
4184145: gkadmin: Some GUI items inside Properties window are missing some edges
The "..." button of "List Cache Timeout" is missing the right side. Also, after selecting "Show List" or "Cache Lists Forever", the highlighted rectangle that surrounds these selectable buttons is missing the LEFT edge.
4188923: gkadmin: some minor problems with SEAM Print Helper
The SEAM Print Helper can display data entered before hitting "Cancel." Cancel should discard changes and restore whatever was there prior to that. Also, the text field of File Name in the SEAM Print Helper window does not clear properly.
4188935: gkadmin: Dismiss button does not work correctly on some Help windows
When xhosting the SEAM GUI Administration tool, the Dismiss button does not work correctly on some Help screens.
4189590: kadmin and gkadmin should print alternate string when lifetimes are 2^31-1
When the user creates a new principal and wants ticket lifetimes to be set on the KDC side, the value 2147483647 (2^31-1) is stored in the principal database. When viewing a principal, the CLI and GUI should not display the value 2147483647 (GUI) or 24855 days 03:14:07 (CLI) but instead show a more user-friendly string. This sort of check is already done in the case where the date 0 is printed out as "Never."
4191906: The time on the warning msg when the credential is expired is misleading
If the initial ticket expiration is less than the warning threshold in /etc/krb5/warn.conf, then the warning message that is sent out says that the ticket will expire within the time specified in warn.conf file and not the ticket expiration time.
4191933: service tickets do not get stored in ticket cache when kinit is used with a lifetime of less than 30 minutes
When a user acquires credentials (a ticket granting ticket) using kinit -l with a lifetime of less than 30 minutes, any service tickets derived from the credential do not show up in the ticket cache. The reason is that once a renewable credential has less than 30 minutes of lifetime left, SEAM attempts to automatically renew the credential to maximize ease of use. Renewing a credential causes the previous credential and the service tickets derived from it to be removed. There is no other impact, because any session created using the old service ticket lasts for the ticket lifetime. Do not invoke kinit with a -l option specifying a ticket lifetime of less than 30 minutes.
4193608: kinit -s has some issues
A user cannot use kinit to acquire a postdated ticket with a start time more than 19 days from today's date.
4193925: gkadmin: inconsistency of Enter key behavior when creating a new policy
Currently, after entering a policy name in the "Policy Details" panel with the default parameter values, hitting the Enter (Return) key does not automatically create the policy. Enter/Return key should have equivalent action as clicking the Done button.
4194001: gkadmin: "Last Changed By:" field does not display the full name
The "Last Changed By" field does not display the instance name so admin principals are not properly identified.
4206443: Document the lifetime and renewable lifetime negotiation in kinit man page
When a user specifies lifetime in the command line, the actual lifetime of the ticket obtained is the minimum of the following:
Value specified in the command line
Value specified in the KDC configuration file
Value specified in the Kerberos database for the server principal; in the case of kinit it is krbtgt/<realmname>.
Value specified in the Kerberos database for the user principal
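As an added example (not part of these release notes or of SEAM itself), the following Python computes the effective lifetime as the minimum of the four sources listed above, reports which source imposed the bound, and flags results below the 30-minute auto-renew threshold described under bug 4191933; the d/h/m/s duration syntax and the source labels are assumptions made for the example.

```python
import re

# Seconds per unit for the d/h/m/s duration syntax assumed for kinit -l
# in this example; a bare integer is treated as seconds.
_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

# Below this remaining lifetime SEAM auto-renews the credential, which
# drops the derived service tickets from the cache (bug 4191933).
AUTO_RENEW_THRESHOLD = 30 * 60


def parse_duration(text):
    """Convert '8h', '1d2h30m', '45m' or '3600' into seconds."""
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    total, pos = 0, 0
    for m in re.finditer(r"(\d+)([dhms])", text):
        if m.start() != pos:  # reject junk between fields
            raise ValueError(f"bad duration: {text!r}")
        total += int(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    if pos != len(text) or total == 0:
        raise ValueError(f"bad duration: {text!r}")
    return total


def effective_lifetime(cmdline, kdc_conf, server_principal, user_principal):
    """Return (seconds, bounding source, service tickets cached?) for a
    kinit -l request: the minimum over the four sources the notes list."""
    sources = {
        "command line": parse_duration(cmdline),
        "KDC configuration file": parse_duration(kdc_conf),
        "krbtgt/REALM principal entry": parse_duration(server_principal),
        "user principal entry": parse_duration(user_principal),
    }
    bound = min(sources, key=sources.get)
    seconds = sources[bound]
    # Under 30 minutes the auto-renew logic discards derived service tickets.
    return seconds, bound, seconds >= AUTO_RENEW_THRESHOLD


if __name__ == "__main__":
    # Constructed sample limits: KDC config 8h, krbtgt entry 1d, user entry 12h.
    for req in ("10h", "20m"):
        secs, why, cached = effective_lifetime(req, "8h", "1d", "12h")
        print(f"kinit -l {req}: {secs}s, bounded by {why}, "
              f"service tickets cached: {cached}")
```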
4210970: gkadmin: Date/Time Helper doesn't change Feb 29 to Feb 28 if year is changed
Changing the year on the Date/Time Helper does not recalculate the maximum allowable date for that month.
4218214: gkadmin: "Return" key doesn't work on highlighted GUI buttons
Mouse-clicking works on GUI buttons, but pressing the "Enter" or "Return" key on a highlighted button does not.
4220042: "kadmin: add_principal -expire "1/1/2000 7:00am" xhu" doesn't work
The -expire option to the add_principal command of kadmin does not work when an a.m. time is specified. For example:
kadmin: add_principal -expire "9/1/1999 7:00am" xhu
Invalid date specification "9/1/1999 7:00am".
Using "pm" works. To get an a.m. time do not include "am" in the time specification for times before noon. The way to add this principal is:
kadmin: add_principal -expire "9/1/1999 7:00"
4245090: document how to add principals when not using DNS
The procedures in the SEAM documentation were written assuming DNS is in use, so all of the host and service principals use fully-qualified domain names. If you are not using DNS, do not include the domain name when creating principals. For example, kdc1.acme.com would be kdc1.