System Administration Guide: Security Services

SEAM Files

Table 12–1 SEAM Files


File Name	Description
`~/.gkadmin`	Default values for creating new principals in the SEAM Administration Tool
`~/.k5login`	List of principals to grant access to a Kerberos account
`/etc/init.d/kdc`	`init` script to start or stop `krb5kdc`
`/etc/init.d/kdc.master`	`init` script to start or stop `kadmind`
`/etc/krb5/kadm5.acl`	Kerberos access control list file; includes principal names of KDC administrators and their Kerberos administration privileges
`/etc/krb5/kadm5.keytab`	Keytab file for `kadmin` service on master KDC
`/etc/krb5/kdc.conf`	KDC configuration file
`/etc/krb5/kpropd.acl`	Kerberos database propagation configuration file
`/etc/krb5/krb5.conf`	Kerberos realm configuration file
`/etc/krb5/krb5.keytab`	Keytab file for network application servers
`/etc/krb5/warn.conf`	Kerberos warning configuration file
`/etc/pam.conf`	PAM configuration file
`/tmp/krb5cc_uid`	Default credentials cache (`uid` is the decimal UID of the user)
`/tmp/ovsec_adm.xxxxxx`	Temporary credentials cache for the lifetime of the password changing operation (`xxxxxx` is a random string)
`/var/krb5/.k5.REALM`	KDC stash file; contains encrypted copy of the KDC master key
`/var/krb5/kadmin.log`	Log file for `kadmind`
`/var/krb5/kdc.log`	Log file for the KDC
`/var/krb5/principal.db`	Kerberos principal database
`/var/krb5/principal.kadm5`	Kerberos administrative database; contains policy information
`/var/krb5/principal.kadm5.lock`	Kerberos administrative database lock file
`/var/krb5/principal.ok`	Kerberos principal database initialization file; created when the Kerberos database is initialized successfully
`/var/krb5/slave_datatrans`	Backup file of the KDC that the `kprop_script` script uses for propagation

PAM Configuration File

The default PAM configuration file includes entries for the authentication service, account management, session management, and password management modules.

For the authentication module, the new entries are created for rlogin, login, and dtlogin if SEAM 1.0 or 1.0.1 are installed. An example of these entries follows. All these services use the new PAM library, /usr/lib/security/pam_krb5.so.1, to provide Kerberos authentication.

These entries use the try_first_pass option, which requests authentication by using the user's initial password. Using the initial password means that the user is not prompted for another password, even if multiple mechanisms are listed.

# cat /etc/pam.conf
 .
 .
rlogin auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
login auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
dtlogin auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
other auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass

For the account management module, dtlogin has a new entry that uses the Kerberos library, as follows. An other entry is included to provide a default rule. Currently, no actions are taken by the other entry.

dtlogin account optional /usr/lib/security/pam_krb5.so.1 
other account optional /usr/lib/security/pam_krb5.so.1

The last two entries in the /etc/pam.conf file are shown next. The other entry for session management destroys user credentials. The new other entry for password management selects the Kerberos library.

other session optional /usr/lib/security/pam_krb5.so.1 
other password optional /usr/lib/security/pam_krb5.so.1 try_first_pass