System Administration Guide: Security Services

Chapter 12 SEAM (Reference)

This chapter lists many of the files, commands, and daemons that are part of the SEAM product. In addition, this chapter provides detailed information about how the Kerberos authentication system works.

This is a list of the reference information in this chapter.

SEAM Files

Table 12–1 SEAM Files


File Name	Description
`~/.gkadmin`	Default values for creating new principals in the SEAM Administration Tool
`~/.k5login`	List of principals to grant access to a Kerberos account
`/etc/init.d/kdc`	`init` script to start or stop `krb5kdc`
`/etc/init.d/kdc.master`	`init` script to start or stop `kadmind`
`/etc/krb5/kadm5.acl`	Kerberos access control list file; includes principal names of KDC administrators and their Kerberos administration privileges
`/etc/krb5/kadm5.keytab`	Keytab file for `kadmin` service on master KDC
`/etc/krb5/kdc.conf`	KDC configuration file
`/etc/krb5/kpropd.acl`	Kerberos database propagation configuration file
`/etc/krb5/krb5.conf`	Kerberos realm configuration file
`/etc/krb5/krb5.keytab`	Keytab file for network application servers
`/etc/krb5/warn.conf`	Kerberos warning configuration file
`/etc/pam.conf`	PAM configuration file
`/tmp/krb5cc_uid`	Default credentials cache (`uid` is the decimal UID of the user)
`/tmp/ovsec_adm.xxxxxx`	Temporary credentials cache for the lifetime of the password changing operation (`xxxxxx` is a random string)
`/var/krb5/.k5.REALM`	KDC stash file; contains encrypted copy of the KDC master key
`/var/krb5/kadmin.log`	Log file for `kadmind`
`/var/krb5/kdc.log`	Log file for the KDC
`/var/krb5/principal.db`	Kerberos principal database
`/var/krb5/principal.kadm5`	Kerberos administrative database; contains policy information
`/var/krb5/principal.kadm5.lock`	Kerberos administrative database lock file
`/var/krb5/principal.ok`	Kerberos principal database initialization file; created when the Kerberos database is initialized successfully
`/var/krb5/slave_datatrans`	Backup file of the KDC that the `kprop_script` script uses for propagation

PAM Configuration File

The default PAM configuration file includes entries for the authentication service, account management, session management, and password management modules.

For the authentication module, the new entries are created for rlogin, login, and dtlogin if SEAM 1.0 or 1.0.1 are installed. An example of these entries follows. All these services use the new PAM library, /usr/lib/security/pam_krb5.so.1, to provide Kerberos authentication.

These entries use the try_first_pass option, which requests authentication by using the user's initial password. Using the initial password means that the user is not prompted for another password, even if multiple mechanisms are listed.

# cat /etc/pam.conf
 .
 .
rlogin auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
login auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
dtlogin auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
other auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass

For the account management module, dtlogin has a new entry that uses the Kerberos library, as follows. An other entry is included to provide a default rule. Currently, no actions are taken by the other entry.

dtlogin account optional /usr/lib/security/pam_krb5.so.1 
other account optional /usr/lib/security/pam_krb5.so.1

The last two entries in the /etc/pam.conf file are shown next. The other entry for session management destroys user credentials. The new other entry for password management selects the Kerberos library.

other session optional /usr/lib/security/pam_krb5.so.1 
other password optional /usr/lib/security/pam_krb5.so.1 try_first_pass

SEAM Commands

This section lists some commands that are included in the SEAM product.

Table 12–2 SEAM Commands


Command	Description
`/usr/lib/krb5/kprop`	Kerberos database propagation program
`/usr/sbin/gkadmin`	Kerberos database administration GUI program; used to manage principals and policies
`/usr/sbin/kadmin`	Remote Kerberos database administration program (run with Kerberos authentication); used to manage principals, policies, and keytab files
`/usr/sbin/kadmin.local`	Local Kerberos database administration program (run without Kerberos authentication; must be run on master KDC); used to manage principals, policies, and keytab files
`/usr/sbin/kdb5_util`	Creates Kerberos databases and stash files

SEAM Daemons

The following table lists the daemons that the SEAM product uses.

Table 12–3 SEAM Daemons


Daemon	Description
`/usr/lib/krb5/kadmind`	Kerberos database administration daemon
`/usr/lib/krb5/kpropd`	Kerberos database propagation daemon
`/usr/lib/krb5/krb5kdc`	Kerberos ticket processing daemon

SEAM Terminology

The following section presents terms and their definitions. Those terms are used throughout the SEAM documentation. In order to grasp SEAM concepts, an understanding of these terms is essential.

Kerberos-Specific Terminology

You need to understand the terms in this section in order to administer KDCs.

The Key Distribution Center or KDC is the component of SEAM that is responsible for issuing credentials. These credentials are created by using information that is stored in the KDC database. Each realm needs at least two KDCs, a master and at least one slave. All KDCs generate credentials, but only the master KDC handles any changes to the KDC database.

A stash file contains an encrypted copy of the master key for the KDC. This key is used when a server is rebooted to automatically authenticate the KDC before starting the kadmind and krb5kdc commands. Because this file includes the master key, the file and any backups of the file should be kept secure. If the encryption is compromised, then the key could be used to access or modify the KDC database.

Authentication-Specific Terminology

You need to know the terms in this section to understand the authentication process. Programmers and system administrators should be familiar with these terms.

A client is the software that runs on a user's workstation. The SEAM software that runs on the client makes many requests during this process. So, it is important to differentiate the actions of this software from the user.

The terms server and service are often used interchangeably. To clarify, the term server is used to define the physical system that SEAM software is running on. The term service corresponds to a particular function that is being supported on a server (for instance, nfs). Documentation often mentions servers as part of a service, but this definition clouds the meaning of the terms. Therefore, the term server refers to the physical system. The term service refers to the software.

The SEAM product includes three types of keys. One key is the private key. The private key is given to each user principal and is known only to the user of the principal and to the KDC. For user principals, the key is based on the user's password. For servers and services, the key is known as a service key. The service key serves the same purpose as the private key, but is used by servers and services. The third type of key is a session key. A session key is a key that is generated by the authentication service or the ticket-granting service. A session key is generated to provide secure transactions between a client and a service.

A ticket is an information packet that is used to securely pass the identity of a user to a server or service. A ticket is valid for only a single client and a particular service on a specific server. A ticket contains the principal name of the service, the principal name of the user, the IP address of the user's host, a time stamp, and a value to define the lifetime of the ticket. A ticket is created with a random session key to be used by the client and the service. After a ticket has been created, it can be reused until the ticket expires.

A credential is a packet of information that includes a ticket and a matching session key. Credentials are often encrypted by using either a private key or a service key, depending on which software decrypts the credential.

An authenticator is another type of information. When used with a ticket, an authenticator can be used to authenticate a user principal. An authenticator includes the principal name of the user, the IP address of the user's host, and a time stamp. Unlike a ticket, an authenticator can be used once only, usually when access to a service is requested. An authenticator is encrypted by using the session key for that client and that server.

Types of Tickets

Tickets have properties that govern how they can be used. These properties are assigned to the ticket when it is created, although you can modify a ticket's properties later. For example, a ticket can change from forwardable to forwarded. You can view ticket properties with the klist command. See How to View Tickets.

Tickets can be described by one or more of the following terms:

Forwardable/forwarded

A forwardable ticket can be sent from one host to another, obviating the need for a client to reauthenticate itself. For example, if the user david obtains a forwardable ticket while on user jennifer's machine, he can log in to his own machine without having to get a new ticket (and thus authenticate himself again). See Example—Creating a Ticket for an example of a forwardable ticket.

Initial

An initial ticket is a ticket that is issued directly, not based on a ticket-granting ticket. Some services, such as applications that change passwords, can require tickets to be marked initial in order to assure themselves that the client can demonstrate a knowledge of its secret key. An initial ticket indicates that the client has recently authenticated itself (instead of relying on a ticket-granting ticket, which might have been around for a long time).

Invalid

An invalid ticket is a postdated ticket that has not yet become usable. An invalid ticket will be rejected by an application server until it becomes validated. To be validated, a ticket must be presented to the KDC by the client in a TGS request, with the VALIDATE flag set, after its start time has passed.

Postdatable/postdated

A postdated ticket is a ticket that does not become valid until some specified time after its creation. Such a ticket is useful, for example, for batch jobs that are intended to be run late at night, since the ticket, if stolen, cannot be used until the batch job is to be run. When a postdated ticket is issued, it is issued as Invalid and remains that way until: its start time has passed, and the client requests validation by the KDC. A postdated ticket is normally valid until the expiration time of the ticket-granting ticket. However, if the ticket is marked renewable, its lifetime is normally set to be equal to the duration of the full life of the ticket-granting ticket.

Proxiable/proxy

At times, it is necessary for a principal to allow a service to perform an operation on its behalf. An example might be when a principal requests a service to run a print job on a third host. The service must be able to take on the identity of the client, but need only do so for that single operation. In that case, the server is said to be acting as a proxy for the client. The principal name of the proxy must be specified when the ticket is created.

A proxiable ticket is similar to a forwardable ticket, except that it is valid only for a single service, whereas a forwardable ticket grants the service the complete use of the client's identity. A forwardable ticket can therefore be thought of as a sort of super-proxy.

Renewable

Because it is a security risk to have tickets with very long lives, tickets can be designated as renewable. A renewable ticket has two expiration times: the time at which the current instance of the ticket expires, and the maximum lifetime for any ticket. If a client wants to continue to use a ticket, the client renews it before the first expiration occurs. For example, a ticket can be valid for one hour, with all tickets having a maximum lifetime of 10 hours. If the client that is holding the ticket wants to keep it for more than an hour, the client must renew it within that hour. When a ticket reaches the maximum ticket lifetime (10 hours), it automatically expires and cannot be renewed.

For information on how to view tickets to see what their attributes are, see How to View Tickets.

Ticket Lifetimes

Any time a principal obtains a ticket, including a ticket–granting ticket, the ticket's lifetime is set as the smallest of the following lifetime values:

The lifetime value that is specified by the -l option of kinit, if kinit is used to get the ticket.
The maximum lifetime value (max_life) that is specified in the kdc.conf file.
The maximum lifetime value that is specified in the Kerberos database for the service principal that provides the ticket. In the case of kinit, the service principal is krbtgt/realm.
The maximum lifetime value that is specified in the Kerberos database for the user principal that requests the ticket.

Figure 12–1 shows how a TGT's lifetime is determined and where the four lifetime values come from. Even though this figure shows how a TGT's lifetime is determined, basically the same thing happens when any principal obtains a ticket. The only differences are that kinit doesn't provide a lifetime value, and the service principal that provides the ticket provides a maximum lifetime value (instead of the krbtgt/realm principal).

Figure 12–1 How a TGT's Lifetime is Determined

Diagram shows that a ticket lifetime is the smallest value allowed by the kinit command, the user principal, the site default, and the ticket granter.

The renewable ticket lifetime is also determined from the minimum of four values, but renewable lifetime values are used instead, as follows:

The renewable lifetime value that is specified by the -r option of kinit, if kinit is used to obtain or renew the ticket.
The maximum renewable lifetime value (max_renewable_life) that is specified in the kdc.conf file.
The maximum lifetime renewable value that is specified in the Kerberos database for the service principal that provides the ticket. In the case of kinit, the service principal is krbtgt/realm.
The maximum lifetime renewable value that is specified in the Kerberos database for the user principal that requests the ticket.

Principal Names

Each ticket is identified by a principal name. The principal name can identify a user or a service. Here are examples of several principal names.

Table 12–4 Examples of Principal Names


Principal Name	Description
`root/boston.example.com@EXAMPLE.COM`	A principal that is associated with the `root` account on an NFS client. This principal is called a `root` principal and is needed for authenticated NFS-mounting to succeed.
`host/boston.example.com@EXAMPLE.COM`	A principal that is used by the Kerberized applications (`klist` and `kprop`, for example). This principal is called a `host` or service principal.
`username@EXAMPLE.COM`	A principal for a user.
`username/admin@EXAMPLE.COM`	An `admin` principal that can be used to administer the KDC database.
`nfs/boston.example.com@EXAMPLE.COM`	A principal that is used by the NFS service. This principal can be used instead of a `host` principal.
`K/M@EXAMPLE.COM`	The master key name principal. There is one master key name principal that is associated with each master KDC.
`kadmin/history@EXAMPLE.COM`	A principal which includes a key used to keep password histories for other principals. Each master KDC has one of these principals.
`kadmin/kdc1.example.com@EXAMPLE.COM`	A principal for the master KDC server that allows access to the KDC by using `kadmind`.
`changepw/kdc1.example.com@EXAMPLE.COM`	A principal for the master KDC server that allows access to the KDC when you are changing passwords.
`krbtgt/EXAMPLE.COM@EXAMPLE.COM`	This principal is used when you generate a ticket-granting ticket.

How the Authentication System Works

Applications allow you to log in to a remote system if you can provide a ticket that proves your identity, and a matching session key. The session key contains information that is specific to the user and the service that is being accessed. A ticket and session key are created by the KDC for all users when they first log in. The ticket and the matching session key form a credential. While using multiple networking services, a user can gather many credentials. The user needs to have a credential for each service that runs on a particular server. For instance, access to the ftp service on a server named boston requires one credential. Access to the ftp service on another server requires its own credential.

The process of creating and storing the credentials is transparent. Credentials are created by the KDC that sends the credential to the requester. When received, the credential is stored in a credential cache.

Gaining Access to a Service Using SEAM

In order for a user to access a specific service on a specific server, the user must obtain two credentials. The first credential is for the ticket-granting service (known as the TGT). Once the ticket-granting service has decrypted this credential, the service creates a second credential for the server that the user is requesting access to. This second credential can then be used to request access to the service on the server. After the server has successfully decrypted the second credential, then the user is given access. The following sections describe this process in more detail.

Obtaining a Credential for the Ticket-Granting Service

To start the authentication process, the client sends a request to the authentication server for a specific user principal. This request is sent without encryption. There is no secure information included in the request, so it is not necessary to use encryption.
When the request is received by the authentication service, the principal name of the user is looked up in the KDC database. If a principal matches, the authentication service obtains the private key for that principal. The authentication service then generates a session key to be used by the client and the ticket-granting service (call it session key 1) and a ticket for the ticket-granting service (ticket 1). This ticket is also known as the ticket-granting ticket (TGT). Both the session key and the ticket are encrypted by using the user's private key, and the information is sent back to the client.
The client uses this information to decrypt session key 1 and ticket 1, by using the private key for the user principal. Since the private key should only be known by the user and the KDC database, the information in the packet should be safe. The client stores the information in the credentials cache.

During this process, a user is normally prompted for a password. If the password the user enters is the same as the password that was used to build the private key stored in the KDC database, then the client can successfully decrypt the information that is sent by the authentication service. Now the client has a credential to be used with the ticket-granting service. The client is ready to request a credential for a server.

Figure 12–2 Obtaining a Credential for the Ticket-Granting Service

Flow diagram shows a client requesting a credential for server access from the KDC, and using a password to decrypt the returned credential.

Obtaining a Credential for a Server

To request access to a specific server, a client must first have obtained a credential for that server from the authentication service. See Obtaining a Credential for the Ticket-Granting Service. The client then sends a request to the ticket-granting service, which includes the service principal name, ticket 1, and an authenticator that was encrypted with session key 1. Ticket 1 was originally encrypted by the authentication service by using the service key of the ticket-granting service.
Because the service key of the ticket-granting service is known to the ticket-granting service, ticket 1 can be decrypted. The information in ticket 1 includes session key 1, so the ticket-granting service can decrypt the authenticator. At this point, the user principal is authenticated with the ticket-granting service.
Once the authentication is successful, the ticket-granting service generates a session key for the user principal and the server (session key 2), and a ticket for the server (ticket 2). Session key 2 and ticket 2 are then encrypted by using session key 1. Since session key 1 is known only to the client and the ticket-granting service, this information is secure and can be safely sent over the network.
When the client receives this information packet, the client decrypts the information by using session key 1, which it had stored in the credential cache. The client has obtained a credential to be used with the server. Now the client is ready to request access to a particular service on that server.

Figure 12–3 Obtaining a Credential for a Server

Flow diagram shows a client sending a request encrypted with Session Key 1 to the KDC, and then decrypting the returned credential with the same key.

Obtaining Access to a Specific Service

To request access to a specific service, the client must first have obtained a credential for the ticket-granting service from the authentication server, and a server credential from the ticket-granting service. See Obtaining a Credential for the Ticket-Granting Service and Obtaining a Credential for a Server. The client can send a request to the server including ticket 2 and another authenticator. The authenticator is encrypted by using session key 2.
Ticket 2 was encrypted by the ticket-granting service with the service key for the service. Since the service key is known by the service principal, the service can decrypt ticket 2 and get session key 2. Session key 2 can then be used to decrypt the authenticator. If the authenticator is successfully decrypted, the client is given access to the service.

Figure 12–4 Obtaining Access to a Specific Service

Flow diagram shows a client using Ticket 2 and an authenticator encrypted with Session Key 2 to obtain access permission to the server.

Using the `gsscred` Table

The gsscred table is used by an NFS server when the server is trying to identify a SEAM user. The NFS services use UNIX IDs to identify users. These IDs are not part of a user principal or credential. The gsscred table provides a mapping from UNIX UIDs (from the password file) to principal names. The table must be created and administered after the KDC database is populated.

When a client request comes in, the NFS services try to map the principal name to a UNIX ID. If the mapping fails, the gsscred table is consulted. With the kerberos_v5 mechanism, a root/hostname principal is automatically mapped to UID 0, and the gsscred table is not consulted. Thus, there is no way to do special remappings of root through the gsscred table.