System Administration Guide: Security Services

Glossary

admin principal

A user principal with a name of the form username/admin (as in joe/admin). An admin principal can have more privileges (for example, to change policies) than a regular user principal. See also principal name, user principal.

application server

See network application server.

authentication

The process of verifying the claimed identity of a principal.

authenticator

Authenticators are passed by clients when requesting tickets (from a KDC) and services (from a server). They contain information that is generated by using a session key known only to the client and server, and that can be verified as being of recent origin, which indicates that the transaction is secure. When used with a ticket, an authenticator can be used to authenticate a user principal. An authenticator includes the principal name of the user, the IP address of the user's host, and a timestamp. Unlike a ticket, an authenticator can be used only once, usually when access to a service is requested. An authenticator is encrypted by using the session key for that client and that server.

authorization

1. The process of determining if a principal can use a service, which objects the principal is allowed to access, and the type of access that is allowed for each object.

2. In role-based access control (RBAC), a permission that can be assigned to a role or user (or embedded in a rights profile) for performing a class of actions that are otherwise prohibited by security policy.

client

Narrowly, a process that makes use of a network service on behalf of a user; for example, an application that uses rlogin. In some cases, a server can itself be a client of some other server or service.

More broadly, a host that a) receives a Kerberos credential, and b) makes use of a service that is provided by a server.

Informally, a principal that makes use of a service.

client principal

(RPCSEC_GSS API) A client (a user or an application) that uses RPCSEC_GSS-secured network services. Client principal names are stored in the form of rpc_gss_principal_t structures.

clock skew

The maximum amount of time that the internal system clocks on all hosts that are participating in the Kerberos authentication system can differ. If the clock skew is exceeded between any of the participating hosts, requests are rejected. Clock skew can be specified in the krb5.conf file.

confidentiality

See privacy.

credential

An information package that includes a ticket and a matching session key. Used to authenticate the identity of a principal. See also ticket, session key.

credential cache

A storage space (usually a file) that contains credentials that are received from the KDC.

flavor

Historically, security flavor and authentication flavor had the same meaning, as a flavor that indicated a type of authentication (AUTH_UNIX, AUTH_DES, AUTH_KERB). RPCSEC_GSS is also a security flavor, even though it provides integrity and privacy services in addition to authentication.

forwardable ticket

A ticket that a client can use to request a ticket on a remote host without requiring the client to go through the full authentication process on that host. For example, if the user david obtains a forwardable ticket while on user jennifer's machine, he can log in to his own machine without being required to get a new ticket (and thus authenticate himself again). See also proxiable ticket.

FQDN

Fully qualified domain name. For example, denver.mtn.example.com (as opposed to simply denver).

GSS-API

The Generic Security Service Application Programming Interface. A network layer that provides support for various modular security services (including SEAM). GSS-API provides for security authentication, integrity, and privacy services. See also authentication, integrity, privacy.

host

A machine that is accessible over a network.

host principal

A particular instance of a service principal in which the principal (signified by the primary name host) is set up to provide a range of network services, such as ftp, rcp, or rlogin. An example of a host principal is host/boston.eng.example.com@ENG.EXAMPLE.COM. See also server principal.

initial ticket

A ticket that is issued directly (that is, not based on an existing ticket-granting ticket). Some services, such as applications that change passwords, might require tickets to be marked initial so as to assure themselves that the client can demonstrate a knowledge of its secret key. This assurance is important because an initial ticket indicates that the client has recently authenticated itself (instead of relying on a ticket-granting ticket, which might have existed for a long time).

instance

The second part of a principal name. An instance qualifies the principal's primary. In the case of a service principal, the instance is required and is the host's fully qualified domain name, as in host/boston.eng.example.com. For user principals, an instance is optional. Note, however, that joe and joe/admin are unique principals. See also primary, principal name, service principal, user principal.

integrity

A security service that, in addition to user authentication, provides for the validity of transmitted data through cryptographic checksumming. See also authentication, privacy.

invalid ticket

A postdated ticket that has not yet become usable. An invalid ticket is rejected by an application server until it becomes validated. To be validated, an invalid ticket must be presented to the KDC by the client in a TGS request, with the VALIDATE flag set, after its start time has passed. See also postdated ticket.

KDC

Key Distribution Center. A machine that has three Kerberos V5 components:

  • Principal and key database

  • Authentication service

  • Ticket-granting service

Each realm has a master KDC and should have one or more slave KDCs.

Kerberos

An authentication service, the protocol that is used by that service, or the code that is used to implement that service.

SEAM is an authentication implementation that is closely based on Kerberos V5.

While technically different, “SEAM” and “Kerberos” are often used interchangeably in SEAM documentation. The same is true for “Kerberos” and “Kerberos V5.”

Kerberos (also spelled Cerberus) was a fierce, three-headed mastiff who guarded the gates of Hades in Greek mythology.

key

1. An entry (principal name) in a keytab file. See also keytab file.

2. An encryption key, of which there are three types:

  • A private key – An encryption key that is shared by a principal and the KDC, and distributed outside the bounds of the system. See also private key.

  • A service key – This key serves the same purpose as the private key, but is used by servers and services. See also service key.

  • A session key – A temporary encryption key that is used between two principals, with a lifetime limited to the duration of a single login session. See also session key.

keytab file

A key table file that contains one or more keys (principals). A host or service uses a keytab file in much the same way that a user uses a password.

kvno

Key version number. A sequence number that tracks a particular key in order of generation. The highest kvno is the latest and most current key.

master KDC

The main KDC in each realm, which includes a Kerberos administration server, kadmind, and an authentication and ticket-granting daemon, krb5kdc. Each realm must have at least one master KDC, and can have many duplicate, or slave, KDCs that provide authentication services to clients.

mechanism

A software package that specifies cryptographic techniques to achieve data authentication or confidentiality. Examples: Kerberos V5, Diffie-Hellman public key.

name service scope

The scope in which a role is permitted to operate, that is, an individual host or all hosts that are served by a specified name service such as NIS, NIS+, or LDAP. Scopes are applied to Solaris Management Console toolboxes.

network application server

A server that provides a network application, such as ftp. A realm can contain several network application servers.

NTP

Network Time Protocol. Software from the University of Delaware that enables you to manage precise time or network clock synchronization, or both, in a network environment. You can use NTP to maintain clock skew in a Kerberos environment. See also clock skew.

PAM

Pluggable Authentication Module. A framework that allows for multiple authentication mechanisms to be used without having to recompile the services that use them. PAM enables SEAM session initialization at login.

policy

A set of rules, initiated when SEAM is installed or administered, that govern ticket usage. Policies can regulate principals' accesses, or ticket parameters, such as lifetime.

postdated ticket

A postdated ticket does not become valid until some specified time after its creation. Such a ticket is useful, for example, for batch jobs that are intended to run late at night, since the ticket, if stolen, cannot be used until the batch job is run. When a postdated ticket is issued, it is issued as invalid and remains that way until a) its start time has passed, and b) the client requests validation by the KDC. A postdated ticket is normally valid until the expiration time of the ticket-granting ticket. However, if the postdated ticket is marked renewable, its lifetime is normally set to be equal to the duration of the full lifetime of the ticket-granting ticket. See also invalid ticket, renewable ticket.

primary

The first part of a principal name. See also instance, principal name, realm.

principal

1. A uniquely named client/user or server/service instance that participates in a network communication. Kerberos transactions involve interactions between principals (service principals and user principals) or between principals and KDCs. In other words, a principal is a unique entity to which Kerberos can assign tickets. See also principal name, service principal, user principal.

2. (RPCSEC_GSS API) See client principal, server principal.

principal name

1. The name of a principal, in the format primary/instance@REALM. See also instance, primary, realm.

2. (RPCSEC_GSS API) See client principal, server principal.
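The primary/instance@REALM form described under principal name, instance, primary and realm, worked through in code. This is an added illustration, not SEAM or MIT Kerberos code; the classification rules follow the glossary's own definitions of admin, host, service and user principals, and the single-instance form is assumed (multi-component names and backslash escapes are not handled).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Principal names in this glossary take the form primary/instance@REALM.
# The instance is optional for user principals (joe, joe/admin) and is the
# host's fully qualified domain name for service principals (ftp/host.fqdn).
# Assumption for this example: exactly one instance component, no escapes.
_PRINCIPAL_RE = re.compile(r"^([^/@]+)(?:/([^/@]+))?(?:@([^/@]+))?$")


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]
    realm: Optional[str]

    def kind(self) -> str:
        """Classify the principal by the glossary's definitions."""
        if self.primary == "host":
            return "host principal"        # host/boston.eng.example.com@REALM
        if self.instance == "admin":
            return "admin principal"       # joe/admin
        if self.instance is not None and "." in self.instance:
            return "service principal"     # ftp/boston.eng.example.com@REALM
        return "user principal"            # joe, or joe/<purpose>

    def __str__(self) -> str:
        name = self.primary if self.instance is None else f"{self.primary}/{self.instance}"
        return name if self.realm is None else f"{name}@{self.realm}"


def parse_principal(text: str, default_realm: Optional[str] = None) -> Principal:
    """Split primary/instance@REALM; a missing realm falls back to default_realm."""
    m = _PRINCIPAL_RE.match(text)
    if m is None:
        raise ValueError(f"malformed principal name: {text!r}")
    primary, instance, realm = m.groups()
    return Principal(primary, instance, realm or default_realm)
```

Because the dataclass compares all three parts, joe@REALM and joe/admin@REALM compare unequal, which is the point the instance entry makes.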

privacy

A security service, in which transmitted data is encrypted before being sent. Privacy also includes data integrity and user authentication. See also authentication, integrity, service.

private key

A key that is given to each user principal, and known only to the user of the principal and to the KDC. For user principals, the key is based on the user's password. See also key.

private-key encryption

In private-key encryption, the sender and receiver use the same key for encryption. See also public-key encryption.

privileged application

An application that can override system controls and that checks for specific UIDs, GIDs, or authorizations.

profile shell

A shell used in RBAC that enables a role (or user) to run any privileged applications that are assigned to the role's rights profiles from the command line. The profile shells are pfsh, pfcsh, and pfksh. They correspond to the Bourne shell (sh), C shell (csh), and Korn shell (ksh), respectively.

proxiable ticket

A ticket that can be used by a service on behalf of a client to perform an operation for the client. Thus, the service is said to act as the client's proxy. With the ticket, the service can take on the identity of the client. The service can use a proxiable ticket to obtain a service ticket to another service, but it cannot obtain a ticket-granting ticket. The difference between a proxiable ticket and a forwardable ticket is that a proxiable ticket is only valid for a single operation. See also forwardable ticket.

public-key encryption

An encryption scheme in which each user has two keys, one public key and one private key. In public-key encryption, the sender uses the receiver's public key to encrypt the message, and the receiver uses a private key to decrypt it. SEAM is a private-key system. See also private-key encryption.

QOP

Quality of Protection. A parameter that is used to select the cryptographic algorithms that are used in conjunction with the integrity service or privacy service.

RBAC

Role-Based Access Control. An alternative to the all-or-nothing superuser model. RBAC lets an organization separate superuser's capabilities and assign them to special user accounts called roles. Roles can be assigned to specific individuals, according to their job needs.

realm

1. The logical network that is served by a single SEAM database and a set of Key Distribution Centers (KDCs).

2. The third part of a principal name. For the principal name joe/admin@ENG.EXAMPLE.COM, the realm is ENG.EXAMPLE.COM. See also principal name.

relation

A configuration variable or relationship that is defined in the kdc.conf or krb5.conf files.

renewable ticket

Because having tickets with very long lives is a security risk, tickets can be designated as renewable. A renewable ticket has two expiration times: a) the time at which the current instance of the ticket expires, and b) the maximum lifetime for any ticket. If a client wants to continue to use a ticket, the client renews the ticket before the first expiration occurs. For example, a ticket can be valid for one hour, with all tickets having a maximum lifetime of ten hours. If the client that holds the ticket wants to keep it for more than an hour, the client must renew the ticket. When a ticket reaches the maximum ticket lifetime, it automatically expires and cannot be renewed.
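The lifetime rules from the renewable ticket, postdated ticket, invalid ticket and clock skew entries, as a small model. This is an added example rather than SEAM or KDC code; times are integer seconds on a shared clock, the sample values are constructed, and the 300-second clock skew is an assumed default, not a figure from this guide.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Assumed default for the example; the real value comes from krb5.conf.
DEFAULT_CLOCK_SKEW = 300


@dataclass(frozen=True)
class Ticket:
    start: int                 # not usable before this time
    end: int                   # a) expiry of the current instance of the ticket
    renew_till: Optional[int]  # b) maximum lifetime; None means not renewable
    invalid: bool = False      # True for a postdated ticket until the KDC validates it


def issue_ticket(now: int, lifetime: int, renew_till: Optional[int] = None,
                 start: Optional[int] = None) -> Ticket:
    """Issue a ticket; a start time in the future makes it postdated, hence invalid."""
    start = now if start is None else start
    return Ticket(start=start, end=start + lifetime, renew_till=renew_till,
                  invalid=start > now)


def validate_ticket(ticket: Ticket, now: int) -> Ticket:
    """KDC side: a TGS request with VALIDATE set succeeds only after the start time."""
    if not ticket.invalid:
        return ticket
    if now < ticket.start:
        raise PermissionError("ticket start time has not yet passed")
    return replace(ticket, invalid=False)


def is_usable(ticket: Ticket, now: int, clock_skew: int = DEFAULT_CLOCK_SKEW) -> bool:
    """Application-server side: reject invalid tickets and anything outside the
    ticket lifetime, allowing the two hosts' clocks to differ by clock_skew."""
    if ticket.invalid:
        return False
    return ticket.start - clock_skew <= now <= ticket.end + clock_skew


def renew_ticket(ticket: Ticket, now: int, lifetime: int) -> Ticket:
    """Renewal must happen before the current expiry and never extends the ticket
    past renew_till; once renew_till is reached the ticket cannot be renewed."""
    if ticket.invalid:
        raise PermissionError("validate the ticket before renewing it")
    if ticket.renew_till is None:
        raise PermissionError("ticket is not renewable")
    if now > ticket.end:
        raise PermissionError("ticket has already expired")
    if now >= ticket.renew_till:
        raise PermissionError("maximum ticket lifetime reached")
    return replace(ticket, start=now, end=min(now + lifetime, ticket.renew_till))
```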

rights profile

Also referred to as right or profile. A collection of overrides used in RBAC that can be assigned to a role or user. A rights profile can consist of authorizations, commands with set UIDs or GIDs, which are referred to as security attributes, and other rights profiles.

role

A special identity for running privileged applications that only assigned users can assume.

SEAM

Sun Enterprise Authentication Mechanism. A system for authenticating users over a network, based on the Kerberos V5 technology that was developed at the Massachusetts Institute of Technology.

“SEAM” and “Kerberos” are often used interchangeably in the SEAM documentation.

secret key

See private key.

Secure Shell

A special protocol for secure remote login and other secure network services over an insecure network.

security flavor

See flavor.

security mechanism

See mechanism.

security service

See service.

server

A principal that provides a resource to network clients. For example, if you rlogin to the machine boston.eng.acme.com, then that machine is the server that provides the rlogin service. See also service principal.

server principal

(RPCSEC_GSS API) A principal that provides a service. The server principal is stored as an ASCII string in the form service@host. See also client principal.

service

1. A resource that is provided to network clients, often by more than one server. For example, if you rlogin to the machine boston.eng.example.com, then that machine is the server that provides the rlogin service.

2. A security service (either integrity or privacy) that provides a level of protection beyond authentication. See also integrity and privacy.

service key

An encryption key that is shared by a service principal and the KDC, and is distributed outside the bounds of the system. See also key.

service principal

A principal that provides Kerberos authentication for a service or services. For service principals, the primary name is a name of a service, such as ftp, and its instance is the fully qualified host name of the system that provides the service. See also host principal, user principal.

session key

A key that is generated by the authentication service or the ticket-granting service. A session key is generated to provide secure transactions between a client and a service. The lifetime of a session key is limited to a single login session. See also key.

slave KDC

A copy of a master KDC, which is capable of performing most functions of the master. Each realm usually has several slave KDCs (and only one master KDC). See also KDC, master KDC.

stash file

A stash file contains an encrypted copy of the master key for the KDC. This master key is used when a server is rebooted to automatically authenticate the KDC before it starts the kadmind and krb5kdc processes. Because the stash file includes the master key, the stash file and any backups of it should be kept secure. If the encryption is compromised, then the key could be used to access or modify the KDC database.

TGS

Ticket-Granting Service. That portion of the KDC that is responsible for issuing tickets.

TGT

Ticket-Granting Ticket. A ticket that is issued by the KDC that enables a client to request tickets for other services.

ticket

An information packet that is used to securely pass the identity of a user to a server or service. A ticket is valid for only a single client and a particular service on a specific server. A ticket contains the principal name of the service, the principal name of the user, the IP address of the user's host, a timestamp, and a value that defines the lifetime of the ticket. A ticket is created with a random session key to be used by the client and the service. Once a ticket has been created, it can be reused until the ticket expires. A ticket only serves to authenticate a client when it is presented along with a fresh authenticator. See also authenticator, credential, service, session key.

ticket file

See credential cache.

user principal

A principal that is attributed to a particular user. A user principal's primary name is a user name, and its optional instance is a name that is used to describe the intended use of the corresponding credentials (for example, joe or joe/admin). Also known as a user instance. See also service principal.

VPN

Virtual Private Network. A network that provides secure communication by using encryption and tunneling to connect users over a public network.