Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIS 193A – Lesson2CIS 193A - Lesson2 Authorization & Authentication Sudo and PAM.

Published byRickey Boardley Modified over 9 years ago

Similar presentations

Presentation on theme: "CIS 193A – Lesson2CIS 193A - Lesson2 Authorization & Authentication Sudo and PAM."— Presentation transcript:

1 CIS 193A – Lesson2CIS 193A - Lesson2 Authorization & Authentication Sudo and PAM

2 CIS 193A – Lesson2 Quote of the Day In ubiquitous computing environments, the computer technology will recede into the background of our lives for its ultimate goal, invisibility. Taekyoung Kwon Dept. of Computer Engineering Sejong University, Seoul

3 CIS 193A – Lesson2 Focus Question What is the difference between authentication and authorization, and how do PAM and sudo relate to these two concepts?

4 CIS 193A – Lesson2 The Sudo Facility The sudo facility consists of: the sudo command: /usr/bin/sudo a configuration file: /etc/sudoers The sudoers file specifies who is able to run what commands as what user on which hosts.

5 CIS 193A – Lesson2 Sudoers Syntax who hosts = [ (as who) ] [ tags ] commands who::= username | %groupname hosts::= localhost | hostname | IP address as who::= username tags::= NOPASSWD | NOEXEC | NOSETENV Commands::= command [options] [args] Keyword: ALL represents any possible value: %wheel ALL = (ALL) ALL Aliases may be used to represent any of the above as a list of values

6 CIS 193A – Lesson2 Sudo Examples Allow user john to run all commands as root on the local machine. john localhost = (root) ALL Allow the group admins to run the kill command as any member of the users group on any host. %admins ALL = (%users) /bin/kill

7 CIS 193A – Lesson2 Use of the sudo command Run a command as another user: sudo –u user command Password:_ # must supply your password, # not the targeted user. Run a command as root: sudo command Password: # your password, not root’s Note: when running successive sudo commands, you will be prompted for a password only on the first invocation.

8 CIS 193A – Lesson2 PAM Pluggable Authentication Modules

9 CIS 193A – Lesson2 The PAM Facility The PAM facility consists of: the PAM libraries: /lib/security/pam_*.so a configuration file: /etc/pam.conf or a configuration directory: /etc/pam.d with configuration files for each service Other configuration files associated with the libraries occur in the /etc and /etc/security.

10 CIS 193A – Lesson2 PAM File Syntax Type Control PAM Library Parameters Example configuration file: system-auth auth required pam_env.so auth sufficient pam_unix.so nullok auth requisite pam_succeed_if.so uid >= 500 quiet account required pam_unix.so broken_shadow account sufficient pam_succeed_if.so uid < 500 quiet password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so sha512 shadow nullok use_authtok session optional pam_keyinit.so revoke session required pam_limits.so

11 CIS 193A – Lesson2 PAM Module Types Auth authenticates a user and set up user credentials Password used to define passwords Account checks for account privileges, such as expiration or time-of-day restrictions. Session once a user is authenticated, this controls the setup and break down of the session.

12 CIS 193A – Lesson2 PAM Control Flags Required The module check must be successful, but continue on with other modules regardless. Requisite The module check must be successful, if it isn’t, the authentication fails immediately and no other modules are checked. Sufficient If this module check is successful, and there are no Required flag failures, then authentication is granted immediately. Optional Not used unless no other module has determined a success or failure.

13 CIS 193A – Lesson2 Common PAM Libraries pam_access.so pam_keyinit.so pam_permit.so pam_ccreds.so pam_krb5.so pam_chroot.so pam_postgresok.so pam_time.so pam_pwhistory.so pam_timestamp.so pam_cracklib.so pam_lastlog.so pam_tty_audit.so pam_debug.so pam_ldap.so pam_rhosts.so pam_umask.so pam_deny.so pam_limits.so pam_rootok.so pam_unix_acct.so pam_echo.so pam_listfile.so pam_rps.so pam_unix_auth.so pam_env.so pam_localuser.so pam_securetty.so pam_exec.so pam_loginuid.so pam_selinux.so pam_mail.so pam_shells.so pam_unix.so pam_mkhomedir.so pam_smb_auth.so pam_userdb.so pam_filter.so pam_motd.so pam_smbpass.so pam_warn.so pam_ftp.so pam_namespace.so pam_stack.so pam_wheel.so pam_group.so pam_nologin.so pam_issue.so pam_passwdqc.so pam_succeed_if.so pam_xauth.so

14 CIS 193A – Lesson2 Review

15 CIS 193A – Lesson2 Focus Question What is the difference between authentication and authorization, and how do PAM and sudo relate to these two concepts? Authentication verifies that you are who you say you are. Once authentication is accomplished, authorization answers what you are allowed to do. PAM performs authentication, sudo handles authorization.

16 CIS 193A – Lesson2 Multi-Factor Authentication Single factor: –Based upon something you have Two factor: –Based on something you have and –Something you know Three factor: –Based on something you have, –Something you know, and –Something you are

Download ppt "CIS 193A – Lesson2CIS 193A - Lesson2 Authorization & Authentication Sudo and PAM."

Similar presentations

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Managing User, Computer and Group Accounts

Managing User, Computer and Group Accounts
Linux Users and Groups Management

Linux Users and Groups Management
© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,

© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,
METALOGIC s o f t w a r e © Metalogic Software Corporation 2004-2006 DACS Developer Overview DACS – the Distributed Access Control System.

METALOGIC s o f t w a r e © Metalogic Software Corporation DACS Developer Overview DACS – the Distributed Access Control System.
1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.

1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.
Privileged Account Management Jason Fehrenbach, Product Manager.

Privileged Account Management Jason Fehrenbach, Product Manager.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
Understanding WebLogic Security

Understanding WebLogic Security
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
NIS Consistent configuration across the network. Why NIS? Primary reason is to provide same user configuration across the network Users go any machine.

NIS Consistent configuration across the network. Why NIS? Primary reason is to provide same user configuration across the network Users go any machine.
Chapter 3 Rootly Powers. Computer Center, CS, NCTU 2 The Root  Root Root is God, also called super-user. UID is 0  UNIX permits the superuser to perform.

Chapter 3 Rootly Powers. Computer Center, CS, NCTU 2 The Root  Root Root is God, also called super-user. UID is 0  UNIX permits the superuser to perform.
Network Shares and Accounts Sharing Printers, Drives, Folders – Setup Windows 95/98 Windows NT (2000, XP) Linux – Users – Groups.

Network Shares and Accounts Sharing Printers, Drives, Folders – Setup Windows 95/98 Windows NT (2000, XP) Linux – Users – Groups.
CS 497C – Introduction to UNIX Lecture 35: - TCP/IP Networking Tools Chin-Chih Chang

CS 497C – Introduction to UNIX Lecture 35: - TCP/IP Networking Tools Chin-Chih Chang
1. This presentation covers :  User Interface Administration  Files System and Services Management 2.

1. This presentation covers :  User Interface Administration  Files System and Services Management 2.
Va-scanCopyright 2002, Marchany Securing Solaris Servers Randy Marchany.

Va-scanCopyright 2002, Marchany Securing Solaris Servers Randy Marchany.
1 Network File Sharing. 2 Module - Network File Sharing ♦ Overview This module focuses on configuring Network File System (NFS) for servers and clients.

1 Network File Sharing. 2 Module - Network File Sharing ♦ Overview This module focuses on configuring Network File System (NFS) for servers and clients.
Extending Active Directory Authentication and Account Management To Solaris 10 Systems A HOWTO guide for joining a Solaris 10 (8/07) host to a domain in.

Extending Active Directory Authentication and Account Management To Solaris 10 Systems A HOWTO guide for joining a Solaris 10 (8/07) host to a domain in.
Managing User Accounts. Module 2 – Creating and Managing Users ♦ Overview ► One should log into a Linux system with a valid user name and password granted.

Managing User Accounts. Module 2 – Creating and Managing Users ♦ Overview ► One should log into a Linux system with a valid user name and password granted.

Similar presentations

Ads by Google