Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   20652 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

SEAM(5)		      Standards, Environments, and Macros	       SEAM(5)

NAME
       SEAM - overview of Sun Enterprise Authentication Mechanism

DESCRIPTION
       SEAM (Sun Enterprise Authentication Mechanism) authenticates clients in
       a network environment, allowing for secure transactions. (A client  may
       be a user or a network service) SEAM validates the identity of a client
       and the authenticity of transferred data. SEAM is a single-sign-on sys‐
       tem, meaning that a user needs to provice a password only at the begin‐
       ning of a session. SEAM is based on the Kerberos™ system	 developed  at
       MIT, and is compatible with Kerberos V5 systems over heterogeneous net‐
       works.

       SEAM works by granting  clients	tickets,  which	 uniquely  identify  a
       client,	and which have a finite lifetime. A client possessing a ticket
       is automatically validated for network services for which it  is	 enti‐
       tled;  for  example,  a	user  with a valid SEAM ticket may rlogin into
       another machine running SEAM without having to identify itself. Because
       each client has a unique ticket, its identity is guaranteed.

       To  obtain  tickets,  a	client must first initialize the SEAM session,
       either  by  using  the  kinit(1)	 command  or  a	 PAM   module.	  (See
       pam_krb5(5)).  kinit prompts for a password, and then communicates with
       a Key Distribution Center (KDC).	 The  KDC  returns  a  Ticket-Granting
       Ticket  (TGT)  and  prompts  for a confirmation password. If the client
       confirms the password, it can use the Ticket-Granting Ticket to	obtain
       tickets	for  specific  network	services.  Because tickets are granted
       transparently, the user need not worry about their management.  Current
       tickets may be viewed by using the klist(1) command.

       Tickets are valid according to the system policy set up at installation
       time. For example, tickets have a default lifetime for which  they  are
       valid.  A  policy  may further dictate that privileged tickets, such as
       those belonging to root, have very short lifetimes. Policies may	 allow
       some  defaults  to  be  overruled;  for example, a client may request a
       ticket with a lifetime greater or less than the default.

       Tickets can be renewed  using  kinit.  Tickets  are  also  forwardable,
       allowing	 you  to  use  a  ticket granted on one machine on a different
       host. Tickets can be destroyed by using kdestroy(1). It is a good  idea
       to include a call to kdestroy in your .logout file.

       Under  SEAM,  a client is referred to as a principal. A principal takes
       the following form:

       primary/instance@REALM

       primary		       A user, a host, or a service.

       instance		       A qualification of the primary. If the  primary
			       is a host — indicated by the keyword host— then
			       the instance is the fully-qualified domain name
			       of  that host. If the primary is a user or ser‐
			       vice,  then  the	 instance  is  optional.  Some
			       instances,  such	 as  admin or root, are privi‐
			       leged.

       realm		       The Kerberos equivalent of a domain;  in	 fact,
			       in most cases the realm is directly mapped to a
			       DNS domain  name.  SEAM	realms	are  given  in
			       upper-case  only.  For  examples	 of  principal
			       names, see the EXAMPLES.

       By taking advantage of the General  Security  Services  API  (GSS-API),
       SEAM  offers,  besides user authentication, two other types of security
       service: integrity, which authenticates	the  validity  of  transmitted
       data, and privacy, which encrypts transmitted data. Developers can take
       advantage of the GSS-API through the use of the RPCSEC_GSS  API	inter‐
       face (see rpcsec_gss(3NSL)).

EXAMPLES
       Example 1: Examples of valid principal names

       The following are examples of valid principal names:

	    joe
	    joe/admin
	    joe@ENG.ACME.COM
	    joe/admin@ENG.ACME.COM
	    rlogin/bigmachine.eng.acme.com@ENG.ACME.COM
	    host/bigmachine.eng.acme.com@ENG.ACME.COM

       The first four cases are user principals. In the first two cases, it is
       assumed that the user joe is in the same realm as  the  client,	so  no
       realm  is  specified.  Note that joeand joe/admin are different princi‐
       pals, even if the same user uses them; joe/admin has  different	privi‐
       leges  from joe. The fifth case is a service principal, while the final
       case is a host principal. The word host is required  for	 host  princi‐
       pals.  With  host principals, the instance is the fully qualified host‐
       name. Note that the words admin and host are reserved keywords.

SEE ALSO
       kdestroy(1),    kinit(1),    klist(1),	 kpasswd(1),	 krb5.conf(4),
       krb5envvar(5)

       Sun Enterprise Authentication Mechanism Guide

NOTES
       If you enter your username and kinit responds with this message:

       Principal unknown (kerberos)

       you haven't been registered as a SEAM user. See your system administra‐
       tor or the Sun Enterprise Authentication Mechanism Guide.

SunOS 5.10			  17 Nov 1999			       SEAM(5)

Vote for polarhome