CIS 193A – Lesson2 Quote of the Day In ubiquitous computing environments, the computer technology will recede into the background of our lives for its ultimate goal, invisibility. Taekyoung Kwon Dept. of Computer Engineering Sejong University, Seoul
CIS 193A – Lesson2 Focus Question What is the difference between authentication and authorization, and how do PAM and sudo relate to these two concepts?
CIS 193A – Lesson2 The Sudo Facility The sudo facility consists of: the sudo command: /usr/bin/sudo a configuration file: /etc/sudoers The sudoers file specifies who is able to run what commands as what user on which hosts.
CIS 193A – Lesson2 Sudoers Syntax who hosts = [ (as who) ] [ tags ] commands who::= username | %groupname hosts::= localhost | hostname | IP address as who::= username tags::= NOPASSWD | NOEXEC | NOSETENV Commands::= command [options] [args] Keyword: ALL represents any possible value: %wheel ALL = (ALL) ALL Aliases may be used to represent any of the above as a list of values
CIS 193A – Lesson2 Sudo Examples Allow user john to run all commands as root on the local machine. john localhost = (root) ALL Allow the group admins to run the kill command as any member of the users group on any host. %admins ALL = (%users) /bin/kill
CIS 193A – Lesson2 Use of the sudo command Run a command as another user: sudo –u user command Password:_ # must supply your password, # not the targeted user. Run a command as root: sudo command Password: # your password, not root’s Note: when running successive sudo commands, you will be prompted for a password only on the first invocation.
CIS 193A – Lesson2 The PAM Facility The PAM facility consists of: the PAM libraries: /lib/security/pam_*.so a configuration file: /etc/pam.conf or a configuration directory: /etc/pam.d with configuration files for each service Other configuration files associated with the libraries occur in the /etc and /etc/security.
CIS 193A – Lesson2 PAM Module Types Auth authenticates a user and set up user credentials Password used to define passwords Account checks for account privileges, such as expiration or time-of-day restrictions. Session once a user is authenticated, this controls the setup and break down of the session.
CIS 193A – Lesson2 PAM Control Flags Required The module check must be successful, but continue on with other modules regardless. Requisite The module check must be successful, if it isn’t, the authentication fails immediately and no other modules are checked. Sufficient If this module check is successful, and there are no Required flag failures, then authentication is granted immediately. Optional Not used unless no other module has determined a success or failure.
CIS 193A – Lesson2 Focus Question What is the difference between authentication and authorization, and how do PAM and sudo relate to these two concepts? Authentication verifies that you are who you say you are. Once authentication is accomplished, authorization answers what you are allowed to do. PAM performs authentication, sudo handles authorization.
CIS 193A – Lesson2 Multi-Factor Authentication Single factor: –Based upon something you have Two factor: –Based on something you have and –Something you know Three factor: –Based on something you have, –Something you know, and –Something you are