The Components of Various Kerberos Releases
Components of the Kerberos service have been included in many releases. Originally, the Kerberos service and the changes to the base operating system that support it were released under the product name “Sun Enterprise Authentication Mechanism”, which was shortened to SEAM. As more parts of the SEAM product were included in the Solaris software, the contents of the SEAM release decreased. For the Solaris 10 release, all parts of the SEAM product are included, so there is no longer a need for the SEAM product. The SEAM product name exists in the documentation for historical reasons.

The following table describes which components are included in each release. Each product release is listed in chronological order. All components are described in the following sections.

Table 21-1 Kerberos Release Contents

Release Name | Contents
SEAM 1.0 in Solaris Easy Access Server 3.0 | Full release of the Kerberos service for the Solaris 2.6 and 7 releases
The Kerberos service in the Solaris 8 release | Kerberos client software only
SEAM 1.0.1 in the Solaris 8 Admin Pack | Kerberos KDC and remote applications for the Solaris 8 release
The Kerberos service in the Solaris 9 release | Kerberos KDC and client software only
SEAM 1.0.2 | Kerberos remote applications for the Solaris 9 release
The Kerberos service in the Solaris 10 release | Full release of the Kerberos service with enhancements
Kerberos Components
Similar to the MIT distribution of the Kerberos V5 product, the Solaris Kerberos service includes the following:
Key Distribution Center (KDC):
Kerberos database administration daemon – kadmind.
Kerberos ticket processing daemon – krb5kdc.
Database administration programs – kadmin (master only), kadmin.local and kdb5_util.
Database propagation software – kprop (slave only) and kpropd.
User programs for managing credentials – kinit, klist, and kdestroy.
User program for changing your Kerberos password – kpasswd.
Remote applications – ftp, rcp, rdist, rlogin, rsh, ssh, and telnet.
Remote application daemons – ftpd, rlogind, rshd, sshd, and telnetd.
Keytab administration utility – ktutil.
The Generic Security Service Application Programming Interface (GSS-API) – Enables applications to use multiple security mechanisms without requiring you to recompile the application every time a new mechanism is added. The GSS-API uses standard interfaces that allow applications to be portable to many operating systems. GSS-API provides applications with the ability to include the integrity and privacy security services, as well as authentication. Both ftp and ssh use the GSS-API.
The RPCSEC_GSS Application Programming Interface (API) – Enables NFS services to use Kerberos authentication. RPCSEC_GSS is a security flavor that provides security services that are independent of the mechanisms being used. RPCSEC_GSS sits on top of the GSS-API layer. Any pluggable GSS-API-based security mechanism can be used by applications that use RPCSEC_GSS.
In addition, the Solaris Kerberos service includes the following:
Graphical Kerberos Administration Tool (gkadmin) – Enables you to administer the principals and principal policies. This Java technology-based GUI is an alternative to the kadmin command.
A Kerberos V5 service module for PAM – Provides authentication, account management, session management and password management for the Kerberos service. The module can be used to make Kerberos authentication transparent to the user.
Kernel modules – Provide kernel-based implementations of the Kerberos service for use by the NFS service, which greatly improves performance.
Kerberos Additions for the Solaris Express Community Edition Release
In build 90, the kclient script was enhanced. The script now includes the ability to join Microsoft Active Directory servers. See How to Interactively Configure a Kerberos Client and How to Configure a Kerberos Client for an Active Directory Server for instructions. In addition, the script includes a -T option that may be used to identify the KDC server type for the client. All of the options for this script are covered in the kclient(1M) man page.
Kerberos Additions for the Solaris Express Developer Edition 1/08 Release
These enhancements are available starting in the Solaris Express Developer Edition 1/08 release:
The Solaris Kerberos software has been synchronized with the MIT 1.4 version. In particular, the software for the KDC, the kinit command and the Kerberos mechanism have been updated.
Support for accessing Kerberos principal and policy records using LDAP from a directory server has been added. This change simplifies administration and can provide greater availability, depending on the deployment of the KDCs and the DSs. See Managing a KDC on an LDAP Directory Server for a list of LDAP-related procedures.
A new kdcmgr command can be used to automatically or interactively set up any KDC. This command creates both master and slave KDC servers. Also, when used with the status option, the kdcmgr command shows information about any KDC installed on the local host. Look for the pointers to the automatic or interactive procedures in Table 23-1.
Support for Solaris clients that require no additional setup has been added to this release. Changes were made to the Kerberos service and to some default settings. Solaris Kerberos clients work with no client-side configuration in environments that are appropriately configured. See Client Configuration Options for more information.
Kerberos Additions for the Solaris 10 8/07 Release
The MIT Kerberos V5 application programming interface (krb5-api) is supported in the Solaris 10 8/07 release. See the libkrb5(3LIB) and krb5-config(1) man pages for more information. Also, see the MIT Kerberos V5 project web pages at mit.edu for more detailed documentation as it becomes available. Although the krb5-api is now available, Sun strongly encourages the use of the GSS-API for network authentication, integrity, and privacy, because the GSS-API is security-mechanism independent and an IETF standard. See the libgss(3LIB) man page for more information.
Kerberos Additions for the Solaris 10 6/06 Release
In the Solaris 10 6/06 release, the ktkt_warnd daemon can automatically renew credentials, rather than just warn the user when the credential is about to expire. The user must be logged in for the credential to be renewed automatically.
Kerberos Enhancements in the Solaris 10 3/05 Release
These Kerberos enhancements are included in the Solaris 10 release. Several of the enhancements were introduced in prior Software Express releases and updated in the Solaris 10 Beta releases.
Kerberos protocol support is provided in remote applications, such as ftp, rcp, rdist, rlogin, rsh, ssh, and telnet. See the man pages for each command or daemon and the krb5_auth_rules(5) man page for more information.
The Kerberos principal database can now be transferred by incremental update instead of by transferring the entire database each time. Incremental propagation provides these advantages:
Increased database consistency across servers
The need for fewer resources (network, CPU, and so forth)
Much more timely propagation of updates
An automated method of propagation
A new script to help automatically configure a Kerberos client is now available. The script helps an administrator quickly and easily set up a Kerberos client. For procedures using the new script, see Configuring Kerberos Clients. Also, see the kclient(1M) man page for more information.
Several new encryption types have been added to the Kerberos service. These new encryption types increase security and enhance compatibility with other Kerberos implementations that support these encryption types. See Using Kerberos Encryption Types for more information. The encryption types include:
The AES encryption type can be used for high speed, high security encryption of Kerberos sessions.
ARCFOUR-HMAC provides better compatibility with other Kerberos implementations.
Triple DES (3DES) with SHA1 increases security. This encryption type also enhances interoperability with other Kerberos implementations that support this encryption type.
The encryption types are enabled through the Cryptographic Framework. The framework can provide for hardware accelerated cryptography for the Kerberos service.
The KDC software, the user commands, and user applications now support the use of the TCP network protocol. This enhancement provides more robust operation and better interoperability with other Kerberos implementations, including Microsoft's Active Directory. The KDC now listens on both the traditional UDP ports as well as TCP ports so it can respond to requests using either protocol. The user commands and applications first try UDP when sending a request to the KDC, and if that fails, then try TCP.
Support for IPv6 was added to the KDC software, which includes the kinit, klist and kprop commands. Support for IPv6 addresses is provided by default. There are no configuration parameters to change to enable IPv6 support. No IPv6 support is available for the kadmin and kadmind commands.
A new -e option has been included to several subcommands of the kadmin command. This new option allows for the selection of the encryption type during the creation of principals. See the kadmin(1M) man page for more information.
Additions have been made to the pam_krb5 module to manage the Kerberos credentials cache by using the PAM framework. See the pam_krb5(5) man page for more information.
Support is provided for auto-discovery of the Kerberos KDC, admin server, kpasswd server, and host or domain name-to-realm mappings by using DNS lookups. This enhancement reduces some of the steps needed to install a Kerberos client. The client is able to locate a KDC server by using DNS instead of by reading a configuration file. See the krb5.conf(4) man page for more information.
A new PAM module called pam_krb5_migrate has been introduced. The new module helps in the automatic migration of users to the local Kerberos realm, if they do not already have Kerberos accounts. See the pam_krb5_migrate(5) man page for more information.
The ~/.k5login file can now be used with the GSS applications ftp and ssh. For more information, see the gss_auth_rules(5) man page.
The kproplog utility has been updated to output all attribute names per log entry. For more information, see the kproplog(1M) man page.
Strict TGT verification can now be disabled using a configuration option in the krb5.conf file. See the krb5.conf(4) man page for more information.
Extensions to the password-changing utilities enable the Solaris Kerberos V5 administration server to accept password change requests from clients that do not run Solaris software. See the kadmind(1M) man page for more information.
The default location of the replay cache has been moved from RAM-based file systems to persistent storage in /var/krb5/rcache/. The new location protects against replays if a system is rebooted. Performance enhancements were made to the rcache code. However, overall replay cache performance might be slower due to the use of persistent storage.
The replay cache can now be configured to use file or memory only storage. Refer to the krb5envvar(5) man page for more information about environment variables that can be configured for key table and credential cache types or locations.
The GSS credential table is no longer necessary for the Kerberos GSS mechanism. For more information, see Mapping GSS Credentials to UNIX Credentials or the gsscred(1M), gssd(1M), and gsscred.conf(4) man pages.
The Kerberos utilities, kinit and ktutil, are now based on MIT Kerberos version 1.2.1. This change added new options to the kinit command and new subcommands to the ktutil command. For more information, see the kinit(1) and ktutil(1) man pages.
The Solaris Kerberos Key Distribution Center (KDC) and kadmind are now based on MIT Kerberos version 1.2.1. The KDC now defaults to a btree-based database, which is more reliable than the hash-based database. See the kdb5_util(1M) man page for more information.
The kpropd, kadmind, krb5kdc and ktkt_warnd daemons are managed by the Service Management Facility. Administrative actions on this service, such as enabling, disabling, or restarting, can be performed using the svcadm command. The service's status for all daemons can be queried using the svcs command. For an overview of the Service Management Facility refer to Chapter 15, Managing Services (Overview), in System Administration Guide: Basic Administration.
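The DNS-based KDC auto-discovery and the krb5.conf lookup described in the list above can be traced with a small POSIX shell script. This is an added example, not code from the Solaris Kerberos product or its documentation: the krb5.conf contents, the realm names, and the SRV answer (in the column order `dig +short` prints, priority weight port target) are constructed for the example rather than taken from any deployment, and `kdcs_from_conf`, `realm_for_host`, `kdcs_from_srv` and `locate_kdcs` are this example's own names. It shows the order a client follows: the `[realms]` section of krb5.conf first, then the `_kerberos._udp.REALM` SRV record when the realm is not configured, plus the `[domain_realm]` host-to-realm mapping using the longest matching suffix.

```shell
#!/bin/sh
# Added example: how a Kerberos client locates its KDCs, first from the
# [realms] section of krb5.conf and, failing that, from DNS SRV records.
# All data below is constructed for the example; nothing is read from the
# system or the network.

# Constructed krb5.conf (hypothetical realm EXAMPLE.COM).
KRB5_CONF_SAMPLE='[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com:88
        admin_server = kdc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM'

# Constructed SRV answer for a realm that is NOT in krb5.conf, in the
# column order dig +short prints: priority weight port target.
SRV_SAMPLE='10 50 88 kdc-a.lab.example.net.
10 100 88 kdc-b.lab.example.net.
20 0 88 kdc-backup.lab.example.net.'

# kdcs_from_conf REALM: print the kdc entries for REALM, one per line.
kdcs_from_conf() {
    printf '%s\n' "$KRB5_CONF_SAMPLE" | awk -v realm="$1" '
        /^\[/ { insec = ($0 == "[realms]"); inrealm = 0; next }
        insec && $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && $1 == "}" { inrealm = 0; next }
        inrealm && $1 == "kdc" && $2 == "=" { print $3 }'
}

# realm_for_host HOST: map HOST to a realm from [domain_realm]. An exact
# entry wins; otherwise the longest ".suffix" entry that matches HOST.
realm_for_host() {
    printf '%s\n' "$KRB5_CONF_SAMPLE" | awk -v host="$1" '
        /^\[/ { insec = ($0 == "[domain_realm]"); next }
        insec && $2 == "=" {
            dom = $1
            if (dom == host) { realm = $3; exit }
            if (substr(dom, 1, 1) == "." && length(host) > length(dom) &&
                substr(host, length(host) - length(dom) + 1) == dom &&
                length(dom) > length(best)) { best = dom; realm = $3 }
        }
        END { print realm }'
}

# kdcs_from_srv REALM: order the SRV answer by priority (low first), then
# weight (high first), and print host:port. Real clients choose among equal
# priorities by weighted random selection; this is a deterministic stand-in.
kdcs_from_srv() {
    printf 'would query SRV _kerberos._udp.%s (answer constructed inline)\n' "$1" >&2
    printf '%s\n' "$SRV_SAMPLE" | sort -k1,1n -k2,2nr |
        awk '{ sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# locate_kdcs REALM: configuration file first, DNS only as a fallback.
locate_kdcs() {
    kdcs=$(kdcs_from_conf "$1")
    if [ -n "$kdcs" ]; then
        printf '%s\n' "$kdcs"
    else
        kdcs_from_srv "$1"
    fi
}

echo "realm for host1.example.com: $(realm_for_host host1.example.com)"
echo "KDCs for EXAMPLE.COM:";     locate_kdcs EXAMPLE.COM
echo "KDCs for LAB.EXAMPLE.NET:"; locate_kdcs LAB.EXAMPLE.NET
```

Running the script with `sh` prints the configured KDCs for EXAMPLE.COM and falls through to the SRV data for LAB.EXAMPLE.NET. The suffix rule in `realm_for_host` matters for security: a host named `host.example.com.attacker.test` does not match `.example.com`, because the comparison is against the end of the name, not a substring.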
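As an added example for the Service Management Facility item above (not code from the Solaris documentation), the following POSIX shell script checks the SMF state of the Kerberos daemon services and prints the svcadm action an administrator would take. The `svcs` output is constructed inline rather than captured from a system; the FMRIs under svc:/network/security/ are the names Solaris 10 uses for these daemons but are assumed here (confirm them with `svcs -a` on your own system); and `state_of`, `not_online` and `remediation` are this example's own names. The set of services to watch is passed as arguments because the expected states differ by role: on a master KDC the krb5_prop service (kpropd) is normally disabled, since kpropd runs on slaves.

```shell
#!/bin/sh
# Added example: check the SMF state of the Kerberos daemons from svcs
# output and map each non-online state to the svcadm action to take.
# The svcs output below is constructed for this example, not captured.

SVCS_SAMPLE='STATE          STIME    FMRI
online         10:02:11 svc:/network/security/krb5kdc:default
maintenance    10:02:13 svc:/network/security/kadmin:default
disabled       10:01:59 svc:/network/security/krb5_prop:default
online         10:02:12 svc:/network/security/ktkt_warn:default'

# Services expected to be online on each KDC role (FMRIs assumed, see lead-in).
MASTER_SERVICES='svc:/network/security/krb5kdc:default svc:/network/security/kadmin:default'
SLAVE_SERVICES='svc:/network/security/krb5kdc:default svc:/network/security/krb5_prop:default'

# state_of FMRI: STATE column of one service, or "absent" if not listed.
state_of() {
    st=$(printf '%s\n' "$SVCS_SAMPLE" | awk -v f="$1" 'NR > 1 && $3 == f { print $1 }')
    printf '%s\n' "${st:-absent}"
}

# not_online FMRI...: print "fmri state" for each service that is not online.
not_online() {
    for fmri in "$@"; do
        st=$(state_of "$fmri")
        [ "$st" = online ] || printf '%s %s\n' "$fmri" "$st"
    done
}

# remediation FMRI...: one svcadm line per problem service. A service in
# maintenance is cleared only after the cause reported by svcs -x is fixed.
remediation() {
    not_online "$@" | while read -r fmri st; do
        case "$st" in
            maintenance) printf 'svcadm clear %s    # after fixing what svcs -x %s reports\n' "$fmri" "$fmri" ;;
            disabled)    printf 'svcadm enable %s\n' "$fmri" ;;
            absent)      printf '# %s not registered: is the package installed?\n' "$fmri" ;;
            *)           printf 'svcadm restart %s\n' "$fmri" ;;
        esac
    done
}

echo "master KDC:"; remediation $MASTER_SERVICES
echo "slave KDC:";  remediation $SLAVE_SERVICES
```

On a live system the constructed `SVCS_SAMPLE` would be replaced by the output of `svcs -a`, and the two role lists are the only thing to adjust when the check is run on a master versus a slave.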
Kerberos Components in the Solaris 9 Release
The Solaris 9 release includes all components included in Kerberos Components, except for the remote applications.
SEAM 1.0.2 Components
The SEAM 1.0.2 release includes the remote applications. These applications are the only part of SEAM 1.0 that has not been incorporated into the Solaris 9 release. The components for the remote applications are as follows:
Client applications – ftp, rcp, rlogin, rsh, and telnet
Server daemons – ftpd, rlogind, rshd, and telnetd
Kerberos Components in the Solaris 8 Release
The Solaris 8 release includes only the client-side portions of the Kerberos service, so many components are not included. This product enables systems that run the Solaris 8 release to become Kerberos clients without requiring you to install SEAM 1.0.1 separately. To use these capabilities, you must install a KDC that uses either Solaris Easy Access Server 3.0 or the Solaris 8 Admin Pack, the MIT distribution, or Windows 2000. The client-side components are not useful without a configured KDC to distribute tickets. The following components are included in this release:
User programs for obtaining, viewing, and destroying tickets – kinit, klist, and kdestroy.
User program for changing your Kerberos password – kpasswd.
Key table administration utility – ktutil.
Additions to the Pluggable Authentication Module (PAM) – Enables applications to use various authentication mechanisms. PAM can be used to make logins and logouts transparent to the user.
GSS-API plug-ins – Provide Kerberos protocol and cryptographic support.
NFS client and server support.
SEAM 1.0.1 Components
The SEAM 1.0.1 release includes all components of the SEAM 1.0 release that are not already included in the Solaris 8 release. The components are as follows:
Key Distribution Center (KDC) (master):
Slave KDCs.
Database administration programs – kadmin and kadmin.local.
Database propagation software – kprop.
Remote applications – ftp, rcp, rlogin, rsh, and telnet.
Remote application daemons – ftpd, rlogind, rshd, and telnetd.
Administration utility – kdb5_util.
Graphical Kerberos Administration Tool (gkadmin) – Enables you to administer principals and principal policies. This Java technology-based GUI is an alternative to the kadmin command.
A preconfiguration procedure – Enables you to set the parameters for installing and configuring SEAM 1.0.1, which makes SEAM installation automatic. This procedure is especially useful for multiple installations.
Several libraries.
SEAM 1.0 Components
The SEAM 1.0 release includes all of the items included in Kerberos Components as well as the following:
A utility (gsscred) and a daemon (gssd) – These programs help map UNIX user IDs (UIDs) to principal names. These programs are needed because NFS servers use UNIX UIDs to identify users and not principal names, which are stored in a different format.
The Generic Security Service Application Programming Interface (GSS-API) – Enables applications to use multiple security mechanisms without requiring you to recompile the application every time a new mechanism is added. Because GSS-API is machine-independent, it is appropriate for applications on the Internet. GSS-API provides applications with the ability to include the integrity and privacy security services, as well as authentication.
The RPCSEC_GSS Application Programming Interface (API) – Enables NFS services to use Kerberos authentication. RPCSEC_GSS is a security flavor that provides security services that are independent of the mechanisms being used. RPCSEC_GSS sits on top of the GSS-API layer. Any pluggable GSS-API-based security mechanism can be used by applications that use RPCSEC_GSS.
A preconfiguration procedure – Enables you to set the parameters for installing and configuring SEAM 1.0, which makes installation automatic. This procedure is especially useful for multiple installations.