Lecture – Authentication Services


1 Lecture – Authentication Services

2 Contents
- Introduction to Authentication
- Pluggable Authentication Modules (PAM)
- Password Security
- Flexible Root Privileges (sudo)
- Network Authentication

3 Authentication: 4 steps
- Proof of Identity (Authentication): verifies the identity of the user, by using
  - a shared secret (password), or
  - a token (Kerberos ticket or RSA public key)
- Grant of Access (Authorization): once the identity is verified, the system has to decide if the user is allowed access, based on time of day, IP address etc.

4 Authentication: 4 steps
- Update of Credentials: if the credential is no longer valid, the authentication process can ask the user for a new one
- Session Initialisation: at the end of authentication, the user's session is initialised
  - If this is not successful, the authentication can still be terminated
  - This stage can start the user's shell, set their environment, run captive programs etc.

5 Authentication Basics
- This process used to be handled by the login application alone, making customisation difficult or impossible
- With PAM, a standard is now available to simplify the procedures

6 PAM Service Profile
- Type: set of libraries
- Packages: pam, util-linux, authconfig
- Configuration: (apps) /etc/pam.d/*; (libs) /etc/nsswitch.conf
- Related: pam_smb, pam_krb, nss_ldap

7 PAM Operation
- The application calls libpam.so for authentication
- Additional libraries (modules) are called, based on the configuration of the system
- The configuration decides how the individual libraries' exit codes combine into overall success or failure

8 PAM Configuration
- An application <service> linked against libpam.so looks up /etc/pam.d/<service> for its configuration details, e.g. /etc/pam.d/login for the login process
- If this file does not exist, PAM falls back to /etc/pam.d/other
- Based on the file, additional libraries are called together to determine the overall success or failure of the service access
- How each individual library affects the overall result depends on the configuration

9 PAM Example
- Each line of the config file has the following syntax:
    module-type control-flag module-path arguments
- Example:
    #%PAM-1.0
    auth       required   pam_securetty.so
    auth       required   pam_unix.so shadow nullok
    auth       required   pam_nologin.so
    account    required   pam_unix.so
    password   required   pam_cracklib.so retry=3
    password   required   pam_unix.so shadow nullok use_authtok
    session    required   pam_unix.so

10 PAM Configuration: Module-Type
- auth: authentication
- account: authorization, account management
- password: update of credentials
- session: modification of the user's environment

11 PAM Configuration: Control-Flag
- required: success is required; on failure the remaining modules are still called, but the overall result is already determined (failure)
- requisite: failure immediately terminates the authentication process; success continues with the next module
- sufficient: success bypasses the remaining modules (unless an earlier required module has already failed); failure is ignored
- optional: the result is ignored

12 PAM Example: /etc/pam.d/login
    auth       requisite  pam_securetty.so
    auth       required   pam_unix.so nullok
    account    required   pam_unix.so
    password   required   pam_cracklib.so
    password   required   pam_unix.so shadow md5
    session    required   pam_unix.so
    session    required   pam_limits.so
    session    optional   pam_console.so
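To make the line syntax (slide 9) and the control-flag semantics (slide 11) concrete, here is an added example that is not part of the lecture: it parses the /etc/pam.d/login stack from slide 12 and computes the overall result of one module-type stack from assumed per-module outcomes. The outcomes dictionary and the "unlisted module succeeds" default are constructed for the demo.

```python
from collections import namedtuple

# One parsed line of /etc/pam.d/<service>: module-type, control-flag, module-path, arguments
Entry = namedtuple("Entry", "mtype control module args")

def parse_pam_config(text):
    """Parse 'module-type control-flag module-path arguments' lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops '#%PAM-1.0' and comments
        if not line:
            continue
        mtype, control, module, *args = line.split()
        entries.append(Entry(mtype, control.lower(), module, tuple(args)))
    return entries

def evaluate_stack(entries, mtype, outcomes):
    """Overall result of one stack (e.g. 'auth'); outcomes maps module-path
    to True/False, and an unlisted module is assumed to succeed (demo default)."""
    stack = [e for e in entries if e.mtype == mtype]
    only_optional = all(e.control == "optional" for e in stack)
    failed = False
    for e in stack:
        ok = outcomes.get(e.module, True)
        if e.control == "required" and not ok:
            failed = True            # remembered, but the remaining modules still run
        elif e.control == "requisite" and not ok:
            return False             # stack ends immediately
        elif e.control == "sufficient" and ok and not failed:
            return True              # short-circuit unless a required module already failed
        elif e.control == "optional" and only_optional:
            return ok                # optional only counts when nothing else is in the stack
    return not failed

# The /etc/pam.d/login stack from the slide, embedded so the demo runs offline.
LOGIN_CONFIG = """\
#%PAM-1.0
auth       requisite  pam_securetty.so
auth       required   pam_unix.so nullok
account    required   pam_unix.so
password   required   pam_cracklib.so
password   required   pam_unix.so shadow md5
session    required   pam_unix.so
session    required   pam_limits.so
session    optional   pam_console.so
"""
```

Because pam_securetty is requisite, a root login from a terminal not in /etc/securetty fails before pam_unix is even consulted, which is the point of ordering it first.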

13 Core PAM Modules
- pam_unix: standard authentication. Authenticates users with the getpw() function, the UNIX standard. Can connect to several directory services for network authentication
- pam_env: sets environment variables
- pam_securetty: limits root logins to secure terminals. Prevents root logins from an insecure terminal; the list of allowed terminals is kept in /etc/securetty

14 …Core PAM Modules…
- pam_stack: calls another PAM service. The overall result of the further modules is used as pam_stack's exit code
- pam_nologin: tests for /etc/nologin. Prevents logins by non-root users if /etc/nologin exists. If possible, the content of this file is displayed to inform blocked users of the limitation

15 …Core PAM Modules…
- pam_deny: always returns a "failure" exit code
- pam_console: sets privileges for users at the console. Gives local users connected to the console extra permissions; they may be allowed to execute certain root-only commands like poweroff. Such users become temporary members of the "Console User Group"

16 Authentication Modules: Network Authentication
- Centralises the user database on one server, simplifying the management of large groups of users
- There are generic directory services like NIS or LDAP that maintain various administrative data (hosts, groups …)
- PAM supports network authentication with several modules

17 Network Authentication
- pam_unix connects to the generic "name service switch" (NSS)
- The NSS decides which sources are used for information from the /etc/nsswitch.conf file, e.g.
    passwd: files nis ldap
- This looks up password data first in the local files, then in NIS and then LDAP, in that order

18 Network Authentication: SMB
- PAM can authenticate against SMB (Samba or a Windows PDC)
- SMB does not support UNIX user IDs, so two possible approaches exist:
  - pam_smb requires that UNIX users are mapped to Windows users
  - pam_winbind creates user IDs as needed, so local UNIX users are not required

19 Other PAM Modules
- pam_mkhomedir: makes home directories
- pam_time: limits access based on time
- pam_access: location-based control
- pam_tally: counts attempted logins
- pam_timestamp: access based on last logon
- pam_chroot: chroots specific users

20 Password Security
- MD5 passwords can be up to 256 characters long
- RedHat LINUX uses MD5-hashed passwords. The algorithm is more complex than the traditional UNIX crypt method
- Dictionary-based or brute-force password cracking takes a lot longer with MD5
- Shadow passwords enhance password security
  - Password hashes cannot be accessed by ordinary users
  - Password ageing and locking are supported

21 Password Aging
    chage -M 90 username
- Implements password aging with a 90-day expiration: -M sets the maximum number of days a password stays valid after it was last changed
- In a heterogeneous NIS system, it may be necessary to switch off these additional mechanisms, as not all UNIX flavours support MD5

22 Password Policy
- Part of the security policy, it focuses on
  - Password aging
  - Password strength
  - Failed login monitoring
- If the password policy is too strict, users will start to write down passwords, or will simply rotate previous password strings

23 Example /etc/pam.d/system-auth:
    password required pam_cracklib.so \
        minlen=20 ocredit=1 dcredit=3 ucredit=5 lcredit=2
    password required pam_unix.so md5 use_authtok shadow nis remember=5
- minlen = the minimum length of the password, counted after the credits below have been added
- lcredit = the maximum credit for lower-case characters: each one adds to the effective length, up to this many
- ucredit = the same for upper-case characters
- dcredit = the same for digits
- ocredit = the same for any other character
- use_authtok = take the password already entered and checked by pam_cracklib instead of prompting again
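The credit arithmetic above is easy to misjudge, so here is an added example (not from the lecture) that models pam_cracklib's length check: each character class earns up to its credit value on top of the raw length, a negative credit instead demands at least that many characters of the class, and the total must reach minlen. Only this length rule is modelled, not the dictionary and similarity checks, and the sample passwords are constructed.

```python
def cracklib_length_ok(password, minlen=9, lcredit=1, ucredit=1, dcredit=1, ocredit=1):
    """Return (ok, effective_length) using pam_cracklib's credit rules.

    A credit >= 0 adds min(count, credit) to the raw length for that class;
    a credit < 0 means 'at least -credit characters of this class are
    mandatory' and adds nothing. The password passes when the effective
    length reaches minlen. Default credits mirror pam_cracklib's (1 each).
    """
    counts = {
        "lower": sum(c.islower() for c in password),
        "upper": sum(c.isupper() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "other": sum(not c.isalnum() for c in password),
    }
    credits = {"lower": lcredit, "upper": ucredit, "digit": dcredit, "other": ocredit}
    size = len(password)
    for cls, n in counts.items():
        cred = credits[cls]
        if cred >= 0:
            size += min(n, cred)        # bonus is capped at the credit value
        elif n < -cred:
            return False, size          # mandatory minimum for this class not met
    return size >= minlen, size

# The slide's settings: minlen=20 with credits 2/5/3/1 for lower/upper/digit/other.
SLIDE_POLICY = dict(minlen=20, lcredit=2, ucredit=5, dcredit=3, ocredit=1)
```

With the slide's values a nine-character password such as "Passw0rd!" only reaches an effective length of 14, so minlen=20 really does force long passphrases rather than just mixed character classes.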

24 Password Histories
- pam_unix can store old password hashes in /etc/security/opasswd if the remember parameter is used

25 Resource Limits
- pam_limits.so enforces resource limits, like the ulimit command, from /etc/security/limits.conf
- Called by default in /etc/pam.d/system-auth
- Limits can be set by user or by group
- Hard limits cannot be exceeded
- Soft limits can be raised by the user with the ulimit command, up to the hard limit
- Example line (caps the user developer at 100 processes):
    developer hard nproc 100

26 User Access Control
- pam_listfile.so allows or denies users based on a simple text file
- Configuration example:
    account required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/validusers
- This library controls access based on a simple text file that contains a list of users
- It can also be used to restrict usage based on the terminal or the server (when using ssh) the system is being accessed from

27 Sudo
- Users listed in /etc/sudoers can execute commands with
  - effective user id 0
  - group id of root's group
- An admin alert will be sent if a user not listed in sudoers attempts to use sudo
- Edit with visudo
- Allows specified users to execute specified commands without needing to su (or log in) as root

28 Sudo configuration
- Define user groups in the user alias specification section:
    User_Alias FT2283=rbradley,mdeegan
- Define command groups in the command alias specification section:
    Cmnd_Alias MIN=/etc/rc.d/init.d/httpd
    Cmnd_Alias SHELLS=/bin/sh,/bin/bash
- Associate users with commands in the user privilege specification section:
    FT2283 ALL=MIN

29 PAM Logs
- PAM logs events in the authpriv (private authentication messages) facility of syslog
- Normally only login events and error messages are produced, but the debug parameter of most PAM libraries can be used to produce a more detailed log
- Changes to PAM configuration are effective immediately, so you should test them before you log out
- You can use getent <database> <key> to get information from nsswitch-managed databases:
    getent passwd mdeegan
    getent hosts
    getent group ft228-3
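The failed-login monitoring the password-policy slide asks for can be done straight from these authpriv records. The following is an added example (not from the lecture) that tallies pam_unix authentication failures per user and per remote host, roughly what pam_tally counts; the syslog lines are constructed samples in pam_unix's usual format, and the threshold of 3 is an assumption.

```python
import re
from collections import Counter

# pam_unix reports "authentication failure; ... rhost=<host>  user=<name>" in the
# authpriv facility (on RedHat-style systems this usually lands in /var/log/secure).
FAILURE_RE = re.compile(
    r"pam_unix\((?P<service>[^:]+):auth\): authentication failure;.*?"
    r"rhost=(?P<rhost>\S*)\s+user=(?P<user>\S+)"
)

# Constructed sample log lines (not real system output).
SAMPLE_AUTHPRIV = """\
Mar  3 09:14:02 host1 sshd[2112]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=mdeegan
Mar  3 09:14:05 host1 sshd[2112]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=mdeegan
Mar  3 09:14:09 host1 sshd[2115]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=rbradley
Mar  3 09:15:11 host1 login[980]: pam_unix(login:session): session opened for user mdeegan by LOGIN(uid=0)
Mar  3 09:15:40 host1 sshd[2120]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
"""

def count_failures(log_text):
    """Return (per_user, per_rhost) Counters of pam_unix auth failures."""
    per_user, per_rhost = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:                        # session/open lines do not match and are skipped
            per_user[m["user"]] += 1
            per_rhost[m["rhost"]] += 1
    return per_user, per_rhost

def sources_over_threshold(log_text, threshold=3):
    """Remote hosts with at least `threshold` failures, sorted (assumed alert rule)."""
    _, per_rhost = count_failures(log_text)
    return sorted(host for host, n in per_rhost.items() if n >= threshold)
```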

