SEAM - overview of Sun Enterprise Authentication Mechanism


     SEAM (Sun Enterprise Authentication Mechanism) authenticates
     clients  in a network environment, allowing for secure tran-
     sactions.  (A client may be a user  or  a  network  service)
     SEAM validates the identity of a client and the authenticity
     of transferred data. SEAM is a single-sign-on system,  mean-
     ing  that  a  user  needs  to provice a password only at the
     beginning of a session. SEAM is based on the Kerberos system
     developed at MIT, and is compatible with Kerberos V5 systems
     over heterogeneous networks.

     SEAM works by granting clients tickets, which uniquely iden-
     tify  a  client,  and which have a finite lifetime. A client
     possessing a ticket is automatically validated  for  network
     services  for which it is entitled; for example, a user with
     a valid SEAM ticket may rlogin into another machine  running
     SEAM  without having to identify itself. Because each client
     has a unique ticket, its identity is guaranteed.

     To obtain tickets, a client must first initialize  the  SEAM
     session,  either  by  using  the  kinit(1) command  or a PAM
     module. (See pam_krb5(5)). kinit prompts for a password, and
     then communicates with a Key Distribution Center (KDC).  The
     KDC returns a Ticket-Granting Ticket (TGT) and prompts for a
     confirmation password.  If the client confirms the password,
     it can use the Ticket-Granting Ticket to obtain tickets  for
     specific network services. Because tickets are granted tran-
     sparently, the user need not worry about  their  management.
     Current  tickets  may  be viewed by using the  klist(1) com-

     Tickets are valid according to the system policy set  up  at
     installation  time.   For  example,  tickets  have a default
     lifetime for which they are valid.   A  policy  may  further
     dictate  that privileged tickets, such as those belonging to
     root, have very short lifetimes.  Policies  may  allow  some
     defaults  to be overruled; for example, a client may request
     a ticket with a lifetime greater or less than the default.

     Tickets can be renewed using kinit. Tickets  are  also  for-
     wardable,  allowing  you  to  use  a  ticket  granted on one
     machine on a different host. Tickets  can  be  destroyed  by
     using  kdestroy(1).   It is a good idea to include a call to
     kdestroy in your .logout file.

     Under SEAM, a client is referred to as a principal. A  prin-
     cipal takes the following form:


           A user, a host, or a service.

           A qualification of the primary. If the  primary  is  a
           host  -  indicated  by  the  keyword  host-  then  the
           instance is the fully-qualified domain  name  of  that
           host.  If  the  primary is a user or service, then the
           instance is optional. Some instances, such as admin or
           root, are privileged.

     realm The Kerberos equivalent of a domain; in fact, in  most
           cases  the  realm  is  directly mapped to a DNS domain
           name. SEAM realms are given in  upper-case  only.  For
           examples of principal names, see the EXAMPLES.

     By taking advantage of the  General  Security  Services  API
     (GSS-API),  SEAM  offers,  besides  user authentication, two
     other types of security service: integrity, which  authenti-
     cates  the  validity of transmitted data, and privacy, which
     encrypts transmitted data. Developers can take advantage  of
     the  GSS-API through the use of the RPCSEC_GSS API interface
     (see rpcsec_gss(3NSL)).


     Example 1: Examples of valid principal names

     The following are examples of valid principal names:


     The first four cases are user principals.  In the first  two
     cases, it is assumed that the user  joe is in the same realm
     as the client, so no realm is specified.  Note  that  joeand
     joe/admin  are  different  principals, even if the same user
     uses them; joe/admin has different privileges from joe.  The
     fifth case is a service principal, while the final case is a
     host principal. The word host is required for  host  princi-
     pals. With host principals, the instance is the fully quali-
     fied hostname. Note  that  the  words  admin  and  host  are
     reserved keywords.


     kdestroy(1), kinit(1), klist(1), kpasswd(1), krb5.conf(5)

     Sun Enterprise Authentication Mechanism Guide


     If you enter your username and kinit responds with this mes-

     Principal unknown (kerberos)

     you haven't been registered as a SEAM user. See your  system
     administrator or the Sun Enterprise Authentication Mechanism

Man(1) output converted with man2html