- Access Control List (ACL)
An access control list (ACL) provides finer-grained file security than traditional UNIX file protection
provides. For example, an ACL enables you to allow group read access to
a file, while allowing only one member of that group to write to
- admin principal
A user principal with a name of the form username/admin (as in
jdoe/admin). An admin principal can have more privileges (for example, to change policies)
than a regular user principal. See also principal name, user principal.
- AES
Advanced Encryption Standard. A symmetric 128-bit block data encryption technique. The U.S. government
adopted the Rijndael variant of the algorithm as its encryption standard in October
2000. AES replaces DES encryption as the government standard.
- algorithm
A cryptographic algorithm. This is an established, recursive computational procedure that encrypts or
- application server
See network application server.
- audit files
Binary audit logs. Audit files are stored separately in an audit partition.
- audit partition
A hard disk partition that is configured to hold audit files.
- audit policy
The global and per-user settings that determine which audit events are recorded. The
global settings that apply to the audit service typically affect which pieces of
optional information are included in the audit trail. Two settings, cnt and ahlt,
affect the operation of the system when the audit queue fills. For example,
audit policy might require that a sequence number be part of every audit
- audit trail
The collection of all audit files from all hosts.
- authentication
The process of verifying the claimed identity of a principal.
- authenticator
Authenticators are passed by clients when requesting tickets (from a KDC) and services
(from a server). They contain information that is generated by using a session
key known only by the client and server, that can be verified as
of recent origin, thus indicating that the transaction is secure. When used with
a ticket, an authenticator can be used to authenticate a user principal. An
authenticator includes the principal name of the user, the IP address of the
user's host, and a time stamp. Unlike a ticket, an authenticator can be
used only once, usually when access to a service is requested. An authenticator
is encrypted by using the session key for that client and that server.
- authorization
1. In Kerberos, the process of determining if a principal can use a
service, which objects the principal is allowed to access, and the type of
access that is allowed for each object.
2. In role-based access control (RBAC), a permission that can be assigned to
a role or user (or embedded in a rights profile) for performing a
class of actions that are otherwise prohibited by security policy.
- Basic Security Module (BSM)
The Solaris auditing service and device allocation. Together, these features satisfy the C2
level of security.
- basic set
The set of privileges that are assigned to a user's process at login.
On an unmodified system, each user's initial inheritable set equals the basic set
- Blowfish
A symmetric block cipher algorithm that takes a variable-length key from 32 bits
to 448 bits. Its author, Bruce Schneier, claims that Blowfish is optimized for
applications where the key does not change often.
- client
Narrowly, a process that makes use of a network service on behalf of
a user; for example, an application that uses rlogin. In some cases, a
server can itself be a client of some other server or service.
More broadly, a host that a) receives a Kerberos credential, and b) makes
use of a service that is provided by a server.
Informally, a principal that makes use of a service.
- client principal
(RPCSEC_GSS API) A client (a user or an application) that uses RPCSEC_GSS-secured network
services. Client principal names are stored in the form of rpc_gss_principal_t structures.
- clock skew
The maximum amount of time that the internal system clocks on all hosts
that are participating in the Kerberos authentication system can differ. If the
clock skew is exceeded between any of the participating hosts, requests are rejected.
Clock skew can be specified in the krb5.conf file.
- consumer
In the Solaris Cryptographic Framework, a consumer is a user of the cryptographic
services that come from providers. Consumers can be applications, end users, or kernel
operations. Kerberos, IKE, and IPsec are examples of consumers. For examples of providers,
- credential
An information package that includes a ticket and a matching session key. Used
to authenticate the identity of a principal. See also ticket, session key.
- credential cache
A storage space (usually a file) that contains credentials that are received from
- cryptographic algorithm
See algorithm.
- DES
Data Encryption Standard. A symmetric-key encryption method developed in 1975 and standardized by
ANSI in 1981 as ANSI X.3.92. DES uses a 56-bit key.
- device allocation
Device protection at the user level. Device allocation enforces the exclusive use of
a device by one user at a time. Device data is purged before
device reuse. Authorizations can be used to limit who is permitted to allocate
- device policy
Device protection at the kernel level. Device policy is implemented as two sets
of privileges on a device. One set of privileges controls read access to
the device. The second set of privileges controls write access to the device.
See also policy.
- Diffie-Hellman protocol
Also known as public key cryptography. An asymmetric cryptographic key agreement protocol that
was developed by Diffie and Hellman in 1976. The protocol enables two users
to exchange a secret key over an insecure medium without any prior secrets.
Diffie-Hellman is used by Kerberos.
- digest
See message digest.
- DSA
Digital Signature Algorithm. A public key algorithm with a variable key size from
512 to 4096 bits. The U.S. Government standard, DSS, goes up to 1024
bits. DSA relies on SHA1 for input.
- effective set
The set of privileges that are currently in effect on a process.
- flavor
Historically, security flavor and authentication flavor had the same meaning, as a flavor that
indicated a type of authentication (AUTH_UNIX, AUTH_DES, AUTH_KERB). RPCSEC_GSS is also a security flavor,
even though it provides integrity and privacy services in addition to authentication.
- forwardable ticket
A ticket that a client can use to request a ticket on
a remote host without requiring the client to go through the full authentication
process on that host. For example, if the user david obtains a forwardable ticket
while on user jennifer's machine, he can log in to his own machine
without being required to get a new ticket (and thus authenticate himself again).
See also proxiable ticket.
- FQDN
Fully qualified domain name. For example, central.example.com (as opposed to simply denver).
- GSS-API
The Generic Security Service Application Programming Interface. A network layer that provides support
for various modular security services, including the Kerberos service. GSS-API provides for security
authentication, integrity, and privacy services. See also authentication, integrity, privacy.
- hardening
The modification of the default configuration of the operating system to remove security
vulnerabilities that are inherent in the host.
- hardware provider
In the Solaris Cryptographic Framework, a device driver and its hardware accelerator. Hardware
providers offload expensive cryptographic operations from the computer system, thus freeing CPU resources
for other uses. See also provider.
- host
A machine that is accessible over a network.
- host principal
A particular instance of a service principal in which the principal (signified by
the primary name host) is set up to provide a range of network
services, such as ftp, rcp, or rlogin. An example of a host
principal is host/[email protected]. See also server principal.
- inheritable set
The set of privileges that a process can inherit across a call to
- initial ticket
A ticket that is issued directly (that is, not based on an existing
ticket-granting ticket). Some services, such as applications that change passwords, might require tickets
to be marked initial so as to assure themselves that the client can
demonstrate a knowledge of its secret key. This assurance is important because an
initial ticket indicates that the client has recently authenticated itself (instead of relying
on a ticket-granting ticket, which might have existed for a long time).
- instance
The second part of a principal name, an instance qualifies the principal's primary.
In the case of a service principal, the instance is required. The instance
is the host's fully qualified domain name, as in host/central.example.com. For user principals,
an instance is optional. Note, however, that jdoe and jdoe/admin are unique principals. See
also primary, principal name, service principal, user principal.
- integrity
A security service that, in addition to user authentication, provides for the validity
of transmitted data through cryptographic checksumming. See also authentication, privacy.
- invalid ticket
A postdated ticket that has not yet become usable. An invalid ticket is
rejected by an application server until it becomes validated. To be validated, an
invalid ticket must be presented to the KDC by the client in a
TGS request, with the VALIDATE flag set, after its start time has passed.
See also postdated ticket.
- KDC
Key Distribution Center. A machine that has three Kerberos V5 components:
Each realm has a master KDC and should have one or more
- Kerberos
An authentication service, the protocol that is used by that service, or the
code that is used to implement that service.
The Solaris Kerberos implementation is closely based on the Kerberos V5 implementation.
While technically different, “Kerberos” and “Kerberos V5” are often used interchangeably in the
Kerberos (also spelled Cerberus) was a fierce, three-headed mastiff who guarded the gates
of Hades in Greek mythology.
- Kerberos policy
A set of rules that governs password usage in the Kerberos service. Policies
can regulate principals' accesses, or ticket parameters, such as lifetime.
- key
1. Generally, one of two main types of keys:
A symmetric key – An encryption key that is identical to the decryption key. Symmetric keys are used to encrypt files.
An asymmetric key or public key – A key that is used in public key algorithms, such as Diffie-Hellman or RSA. Public keys include a private key that is known only by one user, a public key that is used by the server or general resource, and a private-public key pair that combines the two. A private key is also called a secret key. The public key is also called a shared key or common key.
2. An entry (principal name) in a keytab file. See also keytab file.
3. In Kerberos, an encryption key, of which there are three types:
A private key – An encryption key that is shared by a principal and the KDC, and distributed outside the bounds of the system. See also private key.
A service key – This key serves the same purpose as the private key, but is used by servers and services. See also service key.
A session key – A temporary encryption key that is used between two principals, with a lifetime limited to the duration of a single login session. See also session key.
- keytab file
A key table file that contains one or more keys (principals). A host
or service uses a keytab file in much the same way
that a user uses a password.
- kvno
Key version number. A sequence number that tracks a particular key in order
of generation. The highest kvno is the latest and most current key.
- limit set
The outside limit of what privileges are available to a process and its
- MAC
1. See message authentication code (MAC).
2. Also called labeling. In government security terminology, MAC is Mandatory Access Control.
Labels such as Top Secret and Confidential are examples of MAC. MAC contrasts
with DAC, which is Discretionary Access Control. UNIX permissions are an example of
3. In hardware, the unique machine address on a LAN. If the machine
is on an Ethernet, the MAC is the Ethernet address.
- master KDC
The main KDC in each realm, which includes a Kerberos administration server, kadmind,
and an authentication and ticket-granting daemon, krb5kdc. Each realm must have at least
one master KDC, and can have many duplicate, or slave, KDCs that provide
authentication services to clients.
- MD5
An iterative cryptographic hash function that is used for message authentication, including digital
signatures. The function was developed in 1991 by Rivest.
- mechanism
1. A software package that specifies cryptographic techniques to achieve data authentication or
confidentiality. Examples: Kerberos V5, Diffie-Hellman public key.
2. In the Solaris Cryptographic Framework, an implementation of an algorithm for a
particular purpose. For example, a DES mechanism that is applied to authentication, such
as CKM_DES_MAC, is a separate mechanism from a DES mechanism that is applied
to encryption, CKM_DES_CBC_PAD.
- message authentication code (MAC)
MAC provides assurance of data integrity and authenticates data origin. MAC does not
protect against eavesdropping.
- message digest
A message digest is a hash value that is computed from a
message. The hash value almost uniquely identifies the message. A digest is useful for
verifying the integrity of a file.
- minimization
The installation of the minimal operating system that is necessary to run the
server. Any software that does not directly relate to the operation of
the server is either not installed, or deleted after the installation.
- name service scope
The scope in which a role is permitted to operate, that is, an
individual host or all hosts that are served by a specified name
service such as NIS, NIS+, or LDAP. Scopes are applied to Solaris Management
- network application server
A server that provides a network application, such as ftp. A realm
can contain several network application servers.
- nonattributable audit event
An audit event whose initiator cannot be determined, such as the AUE_BOOT event.
- NTP
Network Time Protocol. Software from the University of Delaware that enables you to
manage precise time or network clock synchronization, or both, in a network environment.
You can use NTP to maintain clock skew in a Kerberos environment. See
also clock skew.
- PAM
Pluggable Authentication Module. A framework that allows for multiple authentication mechanisms to be
used without having to recompile the services that use them. PAM enables Kerberos
session initialization at login.
- passphrase
A phrase that is used to verify that a private key was
created by the passphrase user. A good passphrase is 10-30 characters long, mixes alphabetic
and numeric characters, and avoids simple prose and simple names. You are prompted
for the passphrase to authenticate use of the private key to encrypt and
- password policy
The encryption algorithms that can be used to generate passwords. Can also refer
to more general issues around passwords, such as how often the passwords must
be changed, how many mis-entries are permitted, and other security considerations. Security policy
requires passwords. Password policy might require passwords to be encrypted with the MD5
algorithm, and might make further requirements related to password strength.
- permitted set
The set of privileges that are available for use by a process.
- policy
Generally, a plan or course of action that influences or determines decisions and
actions. For computer systems, policy typically means security policy. Your site's security policy
is the set of rules that define the sensitivity of the information that
is being processed and the measures that are used to protect the information
from unauthorized access. For example, security policy might require that systems be audited,
that devices be protected with privileges, and that passwords be changed every six
For the implementation of policy in specific areas of the Solaris OS, see
audit policy, policy in the cryptographic framework, device policy, Kerberos policy, password policy, and RBAC policy.
- policy for public key technologies
In the Key Management Framework (KMF), policy is the management of certificate usage.
The KMF policy database can put constraints on the use of the keys
and certificates that are managed by the KMF library.
- policy in the cryptographic framework
In the Solaris Cryptographic Framework, policy is the disabling of existing cryptographic mechanisms.
The mechanisms then cannot be used. Policy in the cryptographic framework might prevent
the use of a particular mechanism, such as CKM_DES_CBC, from a provider, such
- postdated ticket
A postdated ticket does not become valid until some specified time after its
creation. Such a ticket is useful, for example, for batch jobs that are
intended to run late at night, since the ticket, if stolen, cannot be
used until the batch job is run. When a postdated ticket is
issued, it is issued as invalid and remains that way until a) its start
time has passed, and b) the client requests validation by the KDC. A
postdated ticket is normally valid until the expiration time of the ticket-granting ticket.
However, if the postdated ticket is marked renewable, its lifetime is normally set
to be equal to the duration of the full life time of the
ticket-granting ticket. See also invalid ticket, renewable ticket.
- primary
The first part of a principal name. See also instance, principal name, realm.
- principal
1. A uniquely named client/user or server/service instance that participates in a network
communication. Kerberos transactions involve interactions between principals (service principals and user principals) or between
principals and KDCs. In other words, a principal is a unique entity to
which Kerberos can assign tickets. See also principal name, service principal, user principal.
2. (RPCSEC_GSS API) See client principal, server principal.
- principal name
1. The name of a principal, in the format primary/instance@REALM. See also
instance, primary, realm.
2. (RPCSEC_GSS API) See client principal, server principal.
- privacy
A security service, in which transmitted data is encrypted before being sent. Privacy
also includes data integrity and user authentication. See also authentication, integrity, service.
- private key
A key that is given to each user principal, and known only to
the user of the principal and to the KDC. For user
principals, the key is based on the user's password. See also key.
- private-key encryption
In private-key encryption, the sender and receiver use the same key for encryption.
See also public-key encryption.
- privilege
A discrete right on a process in a Solaris system. Privileges offer a
finer-grained control of processes than does root. Privileges are defined and enforced in
the kernel. For a full description of privileges, see the privileges(5) man page.
- privilege model
A stricter model of security on a computer system than the superuser model.
In the privilege model, processes require privilege to run. Administration of the system
can be divided into discrete parts that are based on the privileges that
administrators have in their processes. Privileges can be assigned to an administrator's login
process. Or, privileges can be assigned to be in effect for certain commands
- privilege set
A collection of privileges. Every process has four sets of privileges that determine
whether a process can use a particular privilege. See limit set, effective set, permitted set,
and inheritable set.
Also, the basic set of privileges is the collection of privileges that are
assigned to a user's process at login.
- privileged application
An application that can override system controls. The application checks for security attributes,
such as specific UIDs, GIDs, authorizations, or privileges.
- profile shell
In RBAC, a shell that enables a role (or user) to run
from the command line any privileged applications that are assigned to the role's rights
profiles. The profile shells are pfsh, pfcsh, and pfksh. They correspond to
the Bourne shell (sh), C shell (csh), and Korn shell (ksh), respectively.
- provider
In the Solaris Cryptographic Framework, a cryptographic service that is provided to consumers.
PKCS #11 libraries, kernel cryptographic modules, and hardware accelerators are examples of providers.
Providers plug in to the Solaris Cryptographic Framework, so they are also called plugins. For
examples of consumers, see consumer.
- proxiable ticket
A ticket that can be used by a service on behalf of
a client to perform an operation for the client. Thus, the service is
said to act as the client's proxy. With the ticket, the service can
take on the identity of the client. The service can use a proxiable
ticket to obtain a service ticket to another service, but it cannot obtain
a ticket-granting ticket. The difference between a proxiable ticket and a forwardable ticket
is that a proxiable ticket is only valid for a single operation. See
also forwardable ticket.
- public-key encryption
An encryption scheme in which each user has two keys, one public key
and one private key. In public-key encryption, the sender uses the receiver's public
key to encrypt the message, and the receiver uses a private key to
decrypt it. The Kerberos service is a private-key system. See also private-key encryption.
- QOP
Quality of Protection. A parameter that is used to select the cryptographic algorithms
that are used in conjunction with the integrity service or privacy service.
- RBAC
Role-Based Access Control. An alternative to the all-or-nothing superuser model. RBAC lets an
organization separate superuser's capabilities and assign them to special user accounts called roles.
Roles can be assigned to specific individuals according to their responsibilities.
- RBAC policy
The security policy that is associated with a command. Currently, suser and
solaris are the valid policies. The solaris policy recognizes privileges and setuid
security attributes. The suser policy recognizes only setuid security attributes. Trusted Solaris™ systems, which can
interoperate with a Solaris system, provide a tsol policy, which recognizes privileges, setuid security
attributes, and labels on processes.
- realm
1. The logical network that is served by a single Kerberos database and
a set of Key Distribution Centers (KDCs).
2. The third part of a principal name. For the principal name jdoe/admin@ENG.EXAMPLE.COM,
the realm is ENG.EXAMPLE.COM. See also principal name.
- relation
A configuration variable or relationship that is defined in the kdc.conf or krb5.conf
- renewable ticket
Because having tickets with very long lives is a security risk, tickets can
be designated as renewable. A renewable ticket has two expiration times: a) the
time at which the current instance of the ticket expires, and b) the maximum
lifetime for any ticket. If a client wants to continue to use a
ticket, the client renews the ticket before the first expiration occurs. For example,
a ticket can be valid for one hour, with all tickets having a
maximum lifetime of ten hours. If the client that holds the ticket wants
to keep it for more than an hour, the client must renew the
ticket. When a ticket reaches the maximum ticket lifetime, it automatically expires and
cannot be renewed.
- rights profile
Also referred to as a right or a profile. A collection of overrides
used in RBAC that can be assigned to a role or user.
A rights profile can consist of authorizations, commands with security attributes, and other rights
- role
A special identity for running privileged applications that only assigned users can assume.
- RSA
A method for obtaining digital signatures and public key cryptosystems. The method was
first described in 1978 by its developers, Rivest, Shamir, and Adleman.
- scan engine
A third-party application, residing on an external host, that examines a file for
- SEAM
Sun Enterprise Authentication Mechanism. The product name for the initial versions of a
system for authenticating users over a network, based on the Kerberos V5 technology
that was developed at the Massachusetts Institute of Technology. The product is now
called the Kerberos service. SEAM refers to parts of the Kerberos service that were
not included in various Solaris releases.
- secret key
See private key.
- Secure Shell
A special protocol for secure remote login and other secure network services over
an insecure network.
- security attributes
In RBAC, overrides to security policy that enable an administrative command to succeed
when the command is run by a user other than superuser. In the
superuser model, the setuid and setgid programs are security attributes. When these attributes
are applied to a command, the command succeeds no matter who runs the
command. In the privilege model, security attributes are privileges. When a privilege is
given to a command, the command succeeds. The privilege model is compatible with
the superuser model, in that the privilege model also recognizes the setuid and
setgid programs as security attributes.
- security flavor
See flavor.
- security mechanism
See mechanism.
- security policy
See policy.
- security service
See service.
- seed
A numeric starter for generating random numbers. When the starter originates from a
random source, the seed is called a random seed.
- server
A principal that provides a resource to network clients. For example, if you
rlogin to the machine central.example.com, then that machine is the server that
provides the rlogin service. See also service principal.
- server principal
(RPCSEC_GSS API) A principal that provides a service. The server principal is stored
as an ASCII string in the form service@host. See also client principal.
- service
1. A resource that is provided to network clients, often by more than
one server. For example, if you rlogin to the machine central.example.com, then that
machine is the server that provides the rlogin service.
2. A security service (either integrity or privacy) that provides a level of
protection beyond authentication. See also integrity and privacy.
- service key
An encryption key that is shared by a service principal and the KDC,
and is distributed outside the bounds of the system. See also key.
- service principal
A principal that provides Kerberos authentication for a service or services. For service
principals, the primary name is a name of a service, such as ftp,
and its instance is the fully qualified host name of the system that
provides the service. See also host principal, user principal.
- session key
A key that is generated by the authentication service or the ticket-granting service.
A session key is generated to provide secure transactions between a client and
a service. The lifetime of a session key is limited to a single
login session. See also key.
- SHA1
Secure Hashing Algorithm. The algorithm operates on any input length less than 2^64 bits
to produce a message digest. The SHA1 algorithm is input to DSA.
- single-system image
A single-system image is used in Solaris auditing to describe a group of
audited machines that use the same naming service. These machines send their audit
records to a central audit server, where the records can be compared as
if the records came from one machine.
- slave KDC
A copy of a master KDC, which is capable of performing most functions
of the master. Each realm usually has several slave KDCs (and only one
master KDC). See also KDC, master KDC.
- software provider
In the Solaris Cryptographic Framework, a kernel software module or a PKCS #11
library that provides cryptographic services. See also provider.
- stash file
A stash file contains an encrypted copy of the master key for the
KDC. This master key is used when a server is rebooted to
automatically authenticate the KDC before it starts the kadmind and krb5kdc processes. Because
the stash file includes the master key, the stash file and any backups
of it should be kept secure. If the encryption is compromised, then the
key could be used to access or modify the KDC database.
- superuser model
The typical UNIX model of security on a computer system. In the superuser
model, an administrator has all-or-nothing control of the machine. Typically, to administer the
machine, a user becomes superuser (root) and can do all administrative activities.
- TGS
Ticket-Granting Service. That portion of the KDC that is responsible for issuing tickets.
- TGT
Ticket-Granting Ticket. A ticket that is issued by the KDC that enables a
client to request tickets for other services.
- ticket
An information packet that is used to securely pass the identity of a
user to a server or service. A ticket is valid for only
a single client and a particular service on a specific server. A ticket
contains the principal name of the service, the principal name of the user,
the IP address of the user's host, a time stamp, and a value
that defines the lifetime of the ticket. A ticket is created with a
random session key to be used by the client and the service. Once
a ticket has been created, it can be reused until the ticket expires.
A ticket only serves to authenticate a client when it is presented along
with a fresh authenticator. See also authenticator, credential, service, session key.
- ticket file
See credential cache.
- user principal
A principal that is attributed to a particular user. A user principal's primary
name is a user name, and its optional instance is a name that
is used to describe the intended use of the corresponding credentials (for example,
jdoe or jdoe/admin). Also known as a user instance. See also service principal.
- virtual private network (VPN)
A network that provides secure communication by using encryption and tunneling to connect
users over a public network.