User's Manual

Solaris 9 Security CX-310-301 62
• Make sure the module is owned by root and that its permissions are 555 (r-xr-xr-x). Note that the default installation sets the permissions to 755, so you may want to change these.
• Edit the PAM configuration file, /etc/pam.conf, and add the new module to the services it is going to provide authentication for.
• It is always advisable to reboot the system and then test the new module to ensure it is working as expected. A reboot is not mandatory, but it is good practice.
For more information on PAM, see http://docs.sun.com and go to the System Administration Guide: Security Services manual for Solaris 9.
Kerberos / SEAM
SEAM (Sun Enterprise Authentication Mechanism) is a single sign-on utility based on the Kerberos version 5 security ticketing system.
Kerberos works by granting tickets that provide access to systems or applications. It is a client/server service that handles authentication across a network.
How Kerberos Works
The following steps explain how Kerberos functions to provide NFS access to a client:
• A client wants to access an NFS file system and requests a "ticket granting ticket" (TGT) from a "key distribution center" (KDC). A KDC is a server that authenticates the client and issues the TGT.
• The client uses its own password to decrypt the TGT, thereby proving its identity to be authentic.
• Having obtained a TGT, the client can now request tickets to access the NFS server that is sharing the required file system.
• The client issues a request for NFS access to the KDC and also sends its TGT as proof of identity.
• The KDC checks the TGT for authenticity and then issues a ticket for access to the NFS server.
• The client, now in possession of a ticket to access NFS, sends the ticket to the NFS server.
• The NFS server allows the client to access its resources.
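The exchange above can be followed in code. The program below is an added teaching example, not SEAM or any Kerberos implementation: it models the KDC, a client and an NFS server as Python classes and walks one request through the AS exchange (TGT), the TGS exchange (service ticket) and the final presentation of the ticket to the server. The "encryption" is a stdlib-only authenticated toy cipher standing in for Kerberos's real encryption types, and the realm, principal names, password and lifetimes are constructed. Two points the step list does not show come out in the code: only the principal that knows the password can read the KDC's reply carrying the session key, and the NFS server verifies a ticket with its own key alone, without contacting the KDC.

```python
"""Toy Kerberos-style ticket flow (added example, not SEAM code).

Every principal shares a long-term key with the KDC.  seal()/unseal() is a
stdlib-only encrypt-then-MAC toy cipher standing in for Kerberos enctypes.
Realm, principal names, password and lifetimes are constructed for the demo.
"""
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.COM"  # constructed realm

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object under a 32-byte key."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Verify the MAC and decrypt; raise ValueError under the wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampering)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def password_key(password):
    """Derive a principal's long-term key from its password (toy KDF)."""
    return hashlib.sha256(b"toy-kerberos:" + password.encode()).digest()

class KDC:
    """Holds every principal's long-term key; issues TGTs and service tickets."""
    def __init__(self, principals):
        self.keys = dict(principals)                   # name -> key
        self.keys["krbtgt/" + REALM] = os.urandom(32)  # TGS key, never leaves the KDC

    def as_exchange(self, client, now, lifetime=8 * 3600):
        """AS exchange: anyone may ask, but only the real client can read the reply."""
        sk = os.urandom(32)
        tgt = seal(self.keys["krbtgt/" + REALM],
                   {"client": client, "key": sk.hex(), "expires": now + lifetime})
        reply = seal(self.keys[client], {"key": sk.hex(), "expires": now + lifetime})
        return tgt, reply

    def tgs_exchange(self, tgt, authenticator, service, now, lifetime=3600):
        """TGS exchange: check the TGT and authenticator, then issue a ticket for service."""
        t = unseal(self.keys["krbtgt/" + REALM], tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired")
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if auth["client"] != t["client"] or abs(now - auth["time"]) > 300:
            raise PermissionError("bad authenticator")
        svc_key = os.urandom(32)
        ticket = seal(self.keys[service],
                      {"client": t["client"], "key": svc_key.hex(), "expires": now + lifetime})
        reply = seal(bytes.fromhex(t["key"]), {"key": svc_key.hex(), "expires": now + lifetime})
        return ticket, reply

class Client:
    def __init__(self, name, password):
        self.name, self.key = name, password_key(password)

    def login(self, kdc, now):
        tgt, reply = kdc.as_exchange(self.name, now)
        # The password-derived key is what makes the reply readable.
        self.tgt, self.tgt_key = tgt, bytes.fromhex(unseal(self.key, reply)["key"])

    def get_ticket(self, kdc, service, now):
        auth = seal(self.tgt_key, {"client": self.name, "time": now})
        ticket, reply = kdc.tgs_exchange(self.tgt, auth, service, now)
        return ticket, bytes.fromhex(unseal(self.tgt_key, reply)["key"])

class NfsServer:
    """Verifies tickets with its own key alone; it never talks to the KDC."""
    def __init__(self, name, key):
        self.name, self.key = name, key

    def mount(self, ticket, authenticator, now):
        t = unseal(self.key, ticket)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if now > t["expires"] or a["client"] != t["client"] or abs(now - a["time"]) > 300:
            raise PermissionError("ticket rejected")
        return t["client"]  # the principal now granted access

def demo(password="correct horse", now=None):
    """Run TGT -> service ticket -> NFS access; return the principal granted access."""
    now = time.time() if now is None else now
    nfs_name = "nfs/fileserver.example.com@" + REALM
    nfs_key = os.urandom(32)
    kdc = KDC({"alice@" + REALM: password_key("correct horse"), nfs_name: nfs_key})
    alice = Client("alice@" + REALM, password)
    alice.login(kdc, now)  # a wrong password fails here: the reply cannot be read
    ticket, svc_key = alice.get_ticket(kdc, nfs_name, now)
    auth = seal(svc_key, {"client": alice.name, "time": now})
    return NfsServer(nfs_name, nfs_key).mount(ticket, auth, now)

if __name__ == "__main__":
    print(demo())
```

The authenticator (client name plus a timestamp sealed under the session key) is what stops a captured ticket being replayed later; the 300-second window in the checks corresponds to the clock-skew tolerance real deployments depend on.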
Limitations of Kerberos
Even though Kerberos is a fairly robust solution to network authentication, it does have the following
limitations: