Lecture – Authentication Services

Contents
- Introduction to Authentication
- Pluggable Authentication Modules (PAM)
- Password Security
- Flexible Root Privileges (sudo)
- Network Authentication

Authentication: 4 steps
- Proof of Identity (Authentication): verifies the identity of the user, by using
  - a shared secret (password)
  - a token (Kerberos ticket or RSA public key)
- Grant of Access (Authorization): once the identity is verified, the system has to decide if the user is allowed access, based on time of day, IP address etc.

Authentication: 4 steps (cont.)
- Update of Credentials: if the credential is no longer valid, the authentication process can ask the user for a new one
- Session Initialisation: at the end of authentication, the user's session is initialised
  - If this is not successful, the authentication can still be terminated
  - This stage can start the user's shell, set their environment, run captive programs etc.

Authentication Basics
- This process used to be handled by the login application alone, making customisation difficult or impossible
- With PAM, a standard is now available to simplify the procedure

PAM Service Profile
- Type: set of libraries
- Packages: pam, util-linux, authconfig
- Configuration: (apps) /etc/pam.d/*, (libs) /etc/nsswitch.conf
- Related: pam_smb, pam_krb5, nss_ldap

PAM Operation
- The application calls libpam.so for authentication
- Additional libraries are called, based on the configuration of the system
- The configuration decides how the individual libraries' exit codes combine into overall success or failure

PAM Configuration
- An application <service> linked against libpam.so looks up /etc/pam.d/<service> for its configuration details, e.g. /etc/pam.d/login for the login process
- If this file does not exist, PAM falls back to /etc/pam.d/other
- Based on the file, additional libraries will be called together to determine the overall success or failure of the service access
- How each individual library affects the overall result depends on the configuration

PAM Example
Each line of the config file has the following syntax:

    module-type control-flag module-path arguments

    #%PAM-1.0
    auth     required  pam_securetty.so
    auth     required  pam_unix.so shadow nullok
    auth     required  pam_nologin.so
    account  required  pam_unix.so
    password required  pam_cracklib.so retry=3
    password required  pam_unix.so shadow nullok use_authtok
    session  required  pam_unix.so

PAM Configuration: Module-Type
- auth: authentication
- account: authorization, account management
- password: update of credentials
- session: modification of the user's environment

PAM Configuration: Control-Flag
- required: success is required; on failure the remaining modules are still called, but the overall result is already determined
- requisite: failure immediately terminates the authentication process; success continues
- sufficient: success bypasses the remaining modules; failure is ignored
- optional: the result is ignored

PAM Example: /etc/pam.d/login

    auth     requisite pam_securetty.so
    auth     required  pam_unix.so nullok
    account  required  pam_unix.so
    password required  pam_cracklib.so
    password required  pam_unix.so shadow md5
    session  required  pam_unix.so
    session  required  pam_limits.so
    session  optional  pam_console.so
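
The control-flag rules above are easiest to understand by stepping through a stack with fake module results. The script below is an added example, not part of the lecture: it reads a pam.d-style configuration in the lecture's format (constructed here; pam_fake_sso.so and pam_fake_env.so are made-up module names used only to exercise "sufficient" and "optional") and reports the overall result for one module type. It also shows a detail the slide does not spell out: a "sufficient" success only ends the stack early if no "required" module has already failed.

```shell
#!/bin/sh
# Added example, not from the lecture: a small simulator of how Linux-PAM
# combines control flags into one result for a module type. The config
# below is constructed in the lecture's format; pam_fake_sso.so and
# pam_fake_env.so are made-up module names used only to exercise
# "sufficient" and "optional".

PAM_LOGIN_CFG='#%PAM-1.0
auth     requisite  pam_securetty.so
auth     required   pam_unix.so nullok
auth     sufficient pam_fake_sso.so
auth     optional   pam_fake_env.so
account  required   pam_unix.so'

# pam_stack TYPE RESULTS  (config on stdin)
# RESULTS is a comma-separated list of "module.so=fail" entries; every
# module not listed is assumed to succeed. Prints "success" or "failure".
pam_stack() {
  type="$1"; results="$2"; failed=0
  while read -r mtype flag path rest; do
    case "$mtype" in '#'*|'') continue ;; esac   # skip comments and blank lines
    [ "$mtype" = "$type" ] || continue            # only this module type's stack
    r=ok
    case ",$results," in *",$path=fail,"*) r=fail ;; esac
    case "$flag" in
      required)
        # failure is remembered but the rest of the stack still runs, so the
        # caller cannot tell which module rejected the login
        if [ "$r" = fail ]; then failed=1; fi ;;
      requisite)
        # failure ends the stack at once
        if [ "$r" = fail ]; then echo failure; return 0; fi ;;
      sufficient)
        # success ends the stack early, but only if no required module has
        # already failed; its own failure is ignored
        if [ "$r" = ok ] && [ "$failed" -eq 0 ]; then echo success; return 0; fi ;;
      optional)
        # ignored unless it is the only module in the stack (not modelled here)
        ;;
    esac
  done
  if [ "$failed" -eq 1 ]; then echo failure; else echo success; fi
}

# pam_eval TYPE RESULTS: run the sample config through pam_stack
pam_eval() { printf '%s\n' "$PAM_LOGIN_CFG" | pam_stack "$1" "$2"; }

# Demonstration of the four flags on the "auth" stack
printf 'all ok:             %s\n' "$(pam_eval auth '')"
printf 'securetty fails:    %s\n' "$(pam_eval auth 'pam_securetty.so=fail')"
printf 'unix fails, sso ok: %s\n' "$(pam_eval auth 'pam_unix.so=fail')"
printf 'sso fails only:     %s\n' "$(pam_eval auth 'pam_fake_sso.so=fail')"
```

The third case is the one worth remembering when reviewing a real /etc/pam.d file: a "sufficient" module placed after a "required" one cannot rescue a login that the required module already rejected, whereas a "sufficient" module placed before it can skip the required module entirely.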

Core PAM Modules
- pam_unix: standard authentication. Authenticates users with the getpw() function, the UNIX standard. Can connect to several directory services for network authentication
- pam_env: sets environment variables
- pam_securetty: limits root logins to secure terminals. Prevents root logins from an insecure terminal; the list of allowed terminals is kept in /etc/securetty

Core PAM Modules (cont.)
- pam_stack: calls another PAM service. The overall result of the called modules is used as pam_stack's exit code
- pam_nologin: tests for /etc/nologin. Prevents logins by non-root users if /etc/nologin exists; if possible, the content of this file is displayed to inform blocked users of the limitation

Core PAM Modules (cont.)
- pam_deny: always returns a "failure" exit code
- pam_console: sets privileges for users at the console. Gives local users connected to the console extra permissions; they may be allowed to execute certain root-only commands like poweroff. Such users become temporary members of the "Console User Group"

Authentication Modules: Network Authentication
- Centralises the user database on one server, simplifying the management of large groups of users
- Generic directory services like NIS or LDAP maintain various administrative data (hosts, groups, ...)
- PAM supports network authentication with several modules

Network Authentication
- pam_unix connects to the generic "name service switch" (NSS)
- The NSS decides which sources are used for each kind of information, from the /etc/nsswitch.conf file:

    passwd: files nis ldap

- This will look up password data first in the local files, then in NIS, then in LDAP, in that order

Network Authentication: SMB
- PAM can authenticate against SMB (Samba or a Windows PDC)
- SMB does not support UNIX user IDs, so two possible approaches exist:
  - pam_smb requires that UNIX users are mapped to Windows users
  - pam_winbind creates user IDs as needed, so local UNIX users are not required

Other PAM Modules
- pam_mkhomedir: makes home directories
- pam_time: limits access based on time
- pam_access: location-based control
- pam_tally: counts attempted logins
- pam_timestamp: access based on last logon
- pam_chroot: chroots specific users

Password Security
- MD5 passwords can be up to 256 characters long
- Red Hat Linux uses MD5-hashed passwords; the algorithm is more complex than the traditional UNIX crypt method
- Dictionary-based or brute-force password cracking takes a lot longer with MD5
- Shadow passwords enhance password security:
  - Password hashes cannot be accessed by ordinary users
  - Password ageing and locking are supported

Password Aging

    chage -M 90 username

- Implements password aging, with a 90-day expiration (-M sets the maximum number of days a password may be used)
- In a heterogeneous NIS system, it may be necessary to switch off these additional mechanisms, as not all UNIX flavours support MD5
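
Once a maximum age is set, the question an administrator actually asks is "which accounts are already past it?". The script below is an added example, not part of the lecture: it reads a constructed /etc/shadow excerpt (fake hashes and made-up user names) and reports accounts whose password is older than their maximum age, the value that chage -M writes into the fifth shadow field.

```shell
#!/bin/sh
# Added example, not from the lecture: find accounts whose password has
# outlived the maximum age set with "chage -M". The /etc/shadow excerpt
# is constructed (fake hashes, made-up users); the real field order is
#   name:hash:lastchange:min:max:warn:inactive:expire:reserved
# with lastchange counted in days since 1970-01-01 and max set by chage -M.

SHADOW_SAMPLE='root:$6$fakehash:19000:0:99999:7:::
mdeegan:$6$fakehash:19700:0:90:7:::
rbradley:$6$fakehash:19600:0:90:7:::
svc_backup:*:19000:0:90:7:::
guest:!!:19500:0:90:7:::'

# expired_passwords TODAY: one "user age_in_days" line per account whose
# password is older than its max. TODAY is days since the epoch, i.e.
# $(( $(date +%s) / 86400 )) for the current day. Locked hashes (*, !, !!)
# are skipped because those accounts cannot log in with a password anyway.
expired_passwords() {
  today="$1"
  printf '%s\n' "$SHADOW_SAMPLE" | while IFS=: read -r name hash last min max rest; do
    case "$hash" in '*'|'!'*) continue ;; esac
    [ -n "$last" ] && [ -n "$max" ] || continue
    age=$(( today - last ))
    if [ "$age" -gt "$max" ]; then printf '%s %s\n' "$name" "$age"; fi
  done
}

# Demonstration with a fixed "today" so the output is reproducible
expired_passwords 19800
```

On a live system the same fields are shown per account by chage -l username; the script is only useful because it covers every account at once, which is what a periodic audit needs.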

Password Policy
- Part of the security policy, it focuses on:
  - Password aging
  - Password strength
  - Failed login monitoring
- If the password policy is too strict, users will start to write down passwords, or will simply rotate previous password strings

Example /etc/pam.d/system-auth:

    password required pam_cracklib.so \
        minlen=20 \
        ocredit=1 dcredit=3 ucredit=5 lcredit=2
    password required pam_unix.so md5 use_authtok shadow nis remember=5

- minlen = the minimum value the password must reach
- lcredit = the value of each lower-case character in the password
- ucredit = the value of each upper-case character in the password
- dcredit = the value of each digit in the password
- ocredit = the value of any other character in the password
- use_authtok = take the password entered into cracklib
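
The credit parameters are easier to reason about with the scoring written out. The script below is an added example, not from the lecture: it applies pam_cracklib's rule that a non-negative credit N lets a character class add at most N to the password's length, using the values from the system-auth example above, and reports whether a password reaches minlen. Passwords used in the demonstration are constructed for illustration only.

```shell
#!/bin/sh
# Added example, not from the lecture: how pam_cracklib scores a password
# against minlen with the credits from the system-auth example
# (minlen=20, lcredit=2, ucredit=5, dcredit=3, ocredit=1). With a credit
# value N >= 0, each character class may add at most N to the password's
# length; the password passes when length plus credits reaches minlen.

CRACKLIB_MINLEN=20
CRACKLIB_LCREDIT=2
CRACKLIB_UCREDIT=5
CRACKLIB_DCREDIT=3
CRACKLIB_OCREDIT=1

# cracklib_score PASSWORD: print the score pam_cracklib would compare to minlen
cracklib_score() {
  printf '%s\n' "$1" | awk -v lc="$CRACKLIB_LCREDIT" -v uc="$CRACKLIB_UCREDIT" \
                           -v dc="$CRACKLIB_DCREDIT" -v oc="$CRACKLIB_OCREDIT" '
    function credit(count, max) { return count < max ? count : max }
    {
      n = length($0); l = u = d = o = 0
      for (i = 1; i <= n; i++) {
        c = substr($0, i, 1)
        if (c ~ /[a-z]/) l++
        else if (c ~ /[A-Z]/) u++
        else if (c ~ /[0-9]/) d++
        else o++
      }
      print n + credit(l, lc) + credit(u, uc) + credit(d, dc) + credit(o, oc)
    }'
}

# cracklib_ok PASSWORD: "pass" if the score reaches minlen, else "fail"
cracklib_ok() {
  if [ "$(cracklib_score "$1")" -ge "$CRACKLIB_MINLEN" ]; then echo pass; else echo fail; fi
}

# Demonstration with constructed passwords
for p in 'abcdefgh' 'Tr0ub4dor&3' 'CorrectHorseBatteryStaple'; do
  printf '%-28s score=%s %s\n' "$p" "$(cracklib_score "$p")" "$(cracklib_ok "$p")"
done
```

The second password shows why the example sets minlen so high: an 11-character string with every class present only scores 18, so mixing classes alone does not get past the policy, while a long all-letter passphrase does.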

Password Histories
- pam_unix can store old password hashes in /etc/security/opasswd if the remember parameter is used

Resource Limits
- pam_limits.so enforces resource limits like the ulimit command, configured in /etc/security/limits.conf
- Called by default in /etc/pam.d/system-auth
- Limits can be set by user or by group
- Hard limits cannot be exceeded
- Soft limits can be raised, up to the hard limit, with the ulimit command
- Example line in limits.conf:

    developer hard nproc 100

User Access Control
- pam_listfile.so allows or denies users based on a simple text file
- Configuration example:

    account required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/validusers

- This library controls access based on a simple text file that contains a list of users
- Can also be used to restrict usage based on the terminal, or on the server the system is being accessed from (using ssh)

Sudo
- Users listed in /etc/sudoers can execute commands with:
  - effective user ID of 0
  - group ID of root's group
- An admin alert will be sent if a user not listed in sudoers attempts to use sudo
- Edit with visudo
- Allows specified users to execute specified commands without needing to su (or log in) as root

Sudo configuration
- Define user groups in the user alias specification section:

    User_Alias FT2283=rbradley,mdeegan

- Define command groups in the command alias specification section:

    Cmnd_Alias MIN=/etc/rc.d/init.d/httpd
    Cmnd_Alias SHELLS=/bin/sh,/bin/bash

- Associate users with commands in the user privilege specification section:

    FT2283 ALL=MIN
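
The three sections above only make sense together, so the script below, an added example that is not from the lecture, resolves them: given a sudoers text in the compact form used on the slide (constructed here; the FT2283, MIN and SHELLS names are the slide's, the root line is added), it answers whether a user may run a command. The parser assumes that compact form with no runas "(user)" part, no Host_Alias, no wildcards and no "!" negations; real sudoers files are checked with visudo, not with this script.

```shell
#!/bin/sh
# Added example, not from the lecture: resolve the lecture's sudoers aliases
# to answer "may USER run CMD via sudo?". The sudoers text is constructed
# in the compact form used on the slide (no spaces around "=" or ","), and
# the parser assumes that form with no runas part, no Host_Alias,
# no wildcards and no "!" negations; visudo remains the real authority.

SUDOERS_SAMPLE='# User alias specification
User_Alias FT2283=rbradley,mdeegan
# Cmnd alias specification
Cmnd_Alias MIN=/etc/rc.d/init.d/httpd
Cmnd_Alias SHELLS=/bin/sh,/bin/bash
# User privilege specification
FT2283 ALL=MIN
root ALL=ALL'

# sudo_allows USER CMD: prints "allowed" or "denied"
sudo_allows() {
  printf '%s\n' "$SUDOERS_SAMPLE" | awk -v user="$1" -v cmd="$2" '
    # in_list(list, x): is x one of the comma-separated items in list?
    function in_list(list, x,    i, n, parts) {
      n = split(list, parts, ",")
      for (i = 1; i <= n; i++) if (parts[i] == x) return 1
      return 0
    }
    /^#/ || NF == 0 { next }
    $1 == "User_Alias" { split($2, kv, "="); ualias[kv[1]] = kv[2]; next }
    $1 == "Cmnd_Alias" { split($2, kv, "="); calias[kv[1]] = kv[2]; next }
    {
      # privilege line: <user-or-User_Alias> <host>=<cmd-list>
      split($2, hv, "=")
      if (!($1 == user || $1 == "ALL" || ($1 in ualias && in_list(ualias[$1], user)))) next
      n = split(hv[2], cmds, ",")
      for (i = 1; i <= n; i++) {
        c = cmds[i]
        if (c == "ALL" || c == cmd) found = 1
        else if (c in calias && in_list(calias[c], cmd)) found = 1
      }
    }
    END { print (found ? "allowed" : "denied") }'
}

# Demonstration: members of FT2283 get the httpd script, not a shell
for who in mdeegan rbradley root guest; do
  printf '%-9s httpd: %-8s bash: %s\n' "$who" \
    "$(sudo_allows "$who" /etc/rc.d/init.d/httpd)" "$(sudo_allows "$who" /bin/bash)"
done
```

On a real host the equivalent questions are answered by visudo -c (syntax check of the installed file) and sudo -l -U username (the privileges sudo itself computes for that user); the awk version is just a readable model of how aliases expand.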

PAM Logs
- PAM logs events in the authpriv (private authentication messages) facility of syslog
- Normally only login events and error messages are produced, but the debug parameter for most PAM libraries can be used to produce a more detailed log
- Changes to PAM configuration are effective immediately, so you should test them before you log out
- You can use getent <database> <key> to get information from nsswitch-managed databases:

    getent passwd mdeegan
    getent hosts www.tcd.ie
    getent group ft228-3
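
The authpriv log is where the "failed login monitoring" part of the password policy is actually done. The script below is an added example, not from the lecture: it runs over a few constructed authpriv lines (made-up host, users and addresses, in the message format pam_unix writes) and counts authentication failures per user and per source, the same tally that pam_tally keeps automatically.

```shell
#!/bin/sh
# Added example, not from the lecture: count pam_unix authentication
# failures per user and per source address in authpriv log lines. The
# lines below are constructed; host, users and addresses are made up.

AUTHPRIV_SAMPLE='Mar  3 10:01:02 host1 sshd[2345]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=mdeegan
Mar  3 10:01:04 host1 sshd[2345]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=mdeegan
Mar  3 10:01:07 host1 login[1200]: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost=  user=mdeegan
Mar  3 10:02:00 host1 sshd[2400]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.9  user=rbradley
Mar  3 10:02:05 host1 sshd[2400]: Accepted password for rbradley from 10.0.0.9 port 40000 ssh2
Mar  3 10:02:05 host1 sshd[2400]: pam_unix(sshd:session): session opened for user rbradley by (uid=0)'

# pam_failures_by_user: "user count" lines, most failures first
pam_failures_by_user() {
  printf '%s\n' "$AUTHPRIV_SAMPLE" \
    | grep 'pam_unix([^)]*:auth): authentication failure' \
    | sed -n 's/.* user=\([^ ]*\).*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $2, $1 }'
}

# pam_failures_over THRESHOLD: users with at least THRESHOLD failures
pam_failures_over() {
  pam_failures_by_user | awk -v t="$1" '$2 >= t { print $1 }'
}

# pam_failures_by_source: failures per rhost; an empty rhost is the local console
pam_failures_by_source() {
  printf '%s\n' "$AUTHPRIV_SAMPLE" \
    | grep 'authentication failure' \
    | sed -n 's/.*rhost=\([^ ]*\).*/\1/p' \
    | sed 's/^$/console/' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $2, $1 }'
}

# Demonstration
echo "failures by user:";   pam_failures_by_user
echo "failures by source:"; pam_failures_by_source
echo "at or above 3:";      pam_failures_over 3
```

The per-source view matters as much as the per-user one: a single rhost failing against several accounts looks the same per user as a forgetful colleague, but stands out immediately when grouped by source.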