|Previous||Table of Contents||Next|
Before you can share a file system from the server and mount file systems on clients with Kerberos authentication, Kerberos Version 4 authentication must be enabled on the network.
To share a file system with Kerberos authentication, you specify the -o sec=krb4 option to the share command:
To mount a file system with Kerberos authentication, you specify the -o sec=krb4 option to the mount command:
You log in to the Kerberos service by using the kinit -l<username> command.
To log in to the Kerberos service:
In the following example, user ray logs in to Kerberos service with a ticket lifetime of 60 minutes:
seachild% kinit -l ray SunOS (seachild) Kerberos Initialization for "ray" Kerberos ticket lifetime (minutes): 60 Password: seachild%
You list tickets by using the klist command. The following example shows a ticket for user ray.
seachild% klist Ticket file: /tmp/tkt8765 Principal: ray@Castle.Abc.COM Issued Expires Principal Oct 10 15:15:56 Oct10:16:15:56 krbtgt.Castle.Abc.COM@Castle.Abc.com
You access a Kerberos mounted directory just as you would any other mounted directory: by typing cd /<mountpoint>. You can list the files in the directory by using the ls command or list the Kerberos tickets by using the klist command.
You destroy Kerberos tickets by using the kdestroy command. You should destroy Kerberos tickets when the session is over so that an unauthorized user cannot gain access to them. If you want to reinitiate Kerberos authentication after tickets are destroyed, use the kinit command.
The following example shows how to destroy Kerberos tickets. After the tickets are destroyed, if the user tries to change to or list a Kerberos-protected directory, the ticket server denies access.
seachild% kdestroy Tickets destroyed seachild% ls /mntkrb Can't get Kerberos key: No ticket file (tf_util) NSF getattr failed for server castle: RPC: Authentication error cannot access directory /mntkrb. seachild%
PAM enables you to "plug in" new authentication technologies without changing system entry services such as login, ftp, telnet, and so on. You can also use PAM to integrate UNIX login with other security mechanisms such as DES or Kerberos. You can also plug in mechanisms for account, session, and password management by using this framework. The PAM framework enables you to choose any combination of system entry services (for example, ftp, login, telnet, or rsh) for user authentication.
PAM employs run-time pluggable modules to provide authentication for system entry services. These modules are broken down into four different types based on their function:
A stacking feature is provided to let you authenticate users through multiple services. Depending on the configuration, users can be prompted for passwords for each authentication method. The order in which the authentication services are used is determined through the PAM configuration file, /etc.pam.conf.
The stacking method can require that a user remember several passwords. With the password-mapping feature, the primary password is used to decrypt the other passwords so that the user does not need to remember or enter multiple passwords. The other option is to synchronize the passwords across each authentication mechanism. Note that synchronizing passwords can increase the security risk, because the security of each mechanism is limited by the least secure password method used in the stack.
The PAM software consists of a library, several modules, and a configuration file. New versions of several system entry commands or daemons that take advantage of the PAM interfaces are also included.
Figure 19-1 shows the relationship between the applications, the PAM library, the pam.conf file, and the PAM modules.
Figure 19-1 How PAM works.
The ftp, telnet, and login programs use the PAM library to access the appropriate module. The pam.conf file defines which modules to use, and in what order they are to be used with each command. Responses from the modules are passed back through the library to the application.
|Previous||Table of Contents||Next|