
Lecture – Authentication Services




Presentation Transcript


  1. Lecture – Authentication Services

  2. Contents • Introduction to Authentication • Pluggable Authentication Modules (PAM) • Password Security • Flexible Root Privileges (sudo) • Network Authentication

  3. Authentication: 4 steps • Proof Of Identity (Authentication) • Verifies the identity of the user, by using • Shared secret (password) • Token (Kerberos Ticket or RSA Public Key) • Grant of Access (Authorization) • Identity verified, system has to decide if the user is allowed access, based on time of day, IP address etc.

  4. Authentication: 4 steps • Update of Credentials • If the credential is no longer valid, the authentication process can ask the user for a new one • Session Initialisation • At the end of authentication, the user’s session is initialised • If this is not successful, the authentication can still be terminated • This stage can start the user’s shell, set their environment, run captive programs etc.

  5. Authentication Basics • This process used to be handled by the login application alone, making customisation difficult, or impossible • With PAMs, a standard is now available to simplify the procedures

  6. PAM Service Profile • Type • Set of libraries • Packages • pam, util-linux, authconfig • Configuration • (Apps) /etc/pam.d/* • (libs) /etc/nsswitch.conf • Related • pam_smb, pam_krb5, nss_ldap

  7. PAM Operation • Application calls libpam.so for authentication • Additional libraries are called, based on configuration of the system • Config decides how the individual libraries’ exit codes result in overall success or failure

  8. PAM Configuration • An application <service> linked against libpam.so looks up /etc/pam.d/<service> for its configuration • E.g. /etc/pam.d/login for the login process • If this file does not exist, PAM falls back to /etc/pam.d/other • Based on that file, additional modules are called in turn to determine the overall success or failure of the service access • How each individual module affects the overall result depends on its control flag in the configuration

  9. PAM Example • Each line of the config file has the following syntax • module-type control-flag module-path arguments
     #%PAM-1.0
     auth     required pam_securetty.so
     auth     required pam_unix.so shadow nullok
     auth     required pam_nologin.so
     account  required pam_unix.so
     password required pam_cracklib.so retry=3
     password required pam_unix.so shadow nullok use_authtok
     session  required pam_unix.so

  10. PAM Configuration • Module-Type • auth: authentication • account: authorization, account management • password: update of credentials • session: modification of the user’s environment

  11. PAM Configuration • Control-Flag • required: success is required; on failure the remaining modules are still called (so a caller cannot tell which module rejected it), but the overall result is already determined • requisite: failure immediately terminates the authentication process, success continues • sufficient: success ends the stack with an overall success unless an earlier required module has already failed; failure is ignored • optional: the result is ignored unless this is the only module in the stack

  12. PAM Example • /etc/pam.d/login
     auth     requisite pam_securetty.so
     auth     required  pam_unix.so nullok
     account  required  pam_unix.so
     password required  pam_cracklib.so
     password required  pam_unix.so shadow md5
     session  required  pam_unix.so
     session  required  pam_limits.so
     session  optional  pam_console.so
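To make the control-flag rules of slides 9 to 12 concrete, here is a small simulator. It is an added example for this transcript, not code from the lecture or from Linux-PAM: it parses a /etc/pam.d/<service> file in the syntax above and combines module results under required, requisite, sufficient and optional. The module outcomes are supplied as a constructed dict where real PAM would load and call each .so; the three configuration strings are the slide 12 login file, the slide 9 auth lines, and one made-up sufficient/deny pair.

```python
"""Simulate how libpam combines module results under the control flags
required / requisite / sufficient / optional.

Added example for this transcript; not the lecture's code and not taken
from Linux-PAM. Module outcomes are constructed test data."""

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Rule:
    mtype: str                # auth / account / password / session
    control: str              # required / requisite / sufficient / optional
    module: str               # e.g. pam_unix.so
    args: Tuple[str, ...]     # remaining tokens, e.g. ('shadow', 'nullok')


def parse_pam_file(text: str) -> List[Rule]:
    """Parse 'module-type control-flag module-path [args]' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, module, *args = line.split()
        rules.append(Rule(mtype, control, module, tuple(args)))
    return rules


def evaluate(rules: List[Rule], mtype: str,
             results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk one management group; return (overall success, modules consulted).

    `results` maps a module file name to the outcome it returns on this attempt.
    A module missing from the dict counts as failure, like a .so that cannot load."""
    consulted: List[str] = []
    impression = None   # None: nothing counted yet; True: success so far;
                        # False: a required/requisite module has failed
    for r in (x for x in rules if x.mtype == mtype):
        consulted.append(r.module)
        ok = results.get(r.module, False)
        if r.control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False              # result is now fixed ...
                if r.control == "requisite":
                    return False, consulted     # ... and requisite stops at once
        elif r.control == "sufficient":
            if ok:
                # stops the stack; an earlier required failure still wins
                return impression is not False, consulted
            # a failing sufficient module is simply ignored
        elif r.control == "optional":
            if ok and impression is None:
                impression = True               # only counts if nothing else did
        else:
            raise ValueError(f"unknown control flag {r.control!r}")
    # Nothing ever succeeded (an empty stack included) is a denial.
    return impression is True, consulted


# Slide 12's /etc/pam.d/login, reproduced as a string for the demo.
LOGIN_CONF = """\
#%PAM-1.0
auth     requisite pam_securetty.so
auth     required  pam_unix.so nullok
account  required  pam_unix.so
password required  pam_cracklib.so
password required  pam_unix.so shadow md5
session  required  pam_unix.so
session  required  pam_limits.so
session  optional  pam_console.so
"""

# Slide 9's auth lines: three 'required' modules in a row.
SLIDE9_CONF = """\
auth required pam_securetty.so
auth required pam_unix.so shadow nullok
auth required pam_nologin.so
"""

# Constructed: a 'sufficient' module backed by pam_deny as the catch-all.
SUFFICIENT_CONF = """\
auth sufficient pam_unix.so
auth required   pam_deny.so
"""

if __name__ == "__main__":
    rules = parse_pam_file(LOGIN_CONF)
    # root on a tty not listed in /etc/securetty: requisite stops before pam_unix
    print(evaluate(rules, "auth", {"pam_securetty.so": False, "pam_unix.so": True}))
    # the same three 'required' modules from slide 9 are all consulted even though
    # the first one already decided the outcome
    print(evaluate(parse_pam_file(SLIDE9_CONF), "auth",
                   {"pam_securetty.so": False, "pam_unix.so": True, "pam_nologin.so": True}))
```

The difference between the two printed runs is the practical reason to put pam_securetty first as requisite rather than required: with required, pam_unix still prompts for and checks a password that can never lead to a login.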

  13. Core PAM Modules • pam_unix: standard authentication • Authenticates users against the password database through the standard getpwnam()/getspnam() lookups; these go through the name service switch and can therefore be backed by several directory services for network authentication • pam_env: sets environment variables • Sets or clears environment variables, by default from /etc/security/pam_env.conf • pam_securetty: limits root logins to secure terminals • Refuses a root login from any terminal not listed in /etc/securetty

  14. …Core PAM Modules... • pam_stack: calls another PAM service • The overall result of that service's stack is used as pam_stack's exit code (pam_stack is a Red Hat addition; later Linux-PAM releases replaced it with the include and substack control flags) • pam_nologin: tests for /etc/nologin • Prevents logins by non-root users while /etc/nologin exists; if possible, the contents of the file are displayed to tell blocked users why

  15. …Core PAM Modules… • pam_deny: always returns a "failure" exit code • Used as the catch-all in /etc/pam.d/other so that services without their own configuration file are refused • pam_console: sets privileges for users at the console • Gives local users logged in at the console extra permissions, for example the right to run certain root-only commands like poweroff. Such users become temporary members of the "Console User Group"

  16. Authentication Modules • Network Authentication • Centralises the user database on one server, simplifying the management of large groups of users • There are generic directory services like NIS or LDAP that maintain various administrative data (hosts, groups …) • PAM supports network authentication with several modules

  17. Network Authentication • pam_unix does not talk to NIS or LDAP itself; it goes through the generic "name service switch" (NSS) • NSS decides which sources are consulted for each database, in the order given in /etc/nsswitch.conf • passwd: files nis ldap • With this line, password data is looked up first in the local files, then in NIS, then in LDAP

  18. Network Authentication: SMB • PAM can authenticate against SMB (Samba or a Windows PDC) • Windows accounts have no UNIX user IDs (UIDs), so two approaches exist • pam_smb requires that every Windows user is mapped to an existing local UNIX user • pam_winbind allocates UIDs and GIDs for Windows users as needed, so no local UNIX accounts are required

  19. Other PAM Modules • pam_mkhomedir: creates a missing home directory at first login • pam_time: limits access based on time of day (/etc/security/time.conf) • pam_access: location-based control by originating host or terminal (/etc/security/access.conf) • pam_tally: counts failed login attempts and can lock an account after too many • pam_timestamp: lets a recently authenticated user skip re-authentication for a short period, as sudo does • pam_chroot: chroots specific users at login

  20. Password Security • MD5 passwords can be up to 256 characters long, instead of being truncated at 8 characters as with the traditional DES crypt • Red Hat Linux uses MD5-hashed passwords. The algorithm is more expensive than the traditional UNIX crypt method, so dictionary-based or brute-force password cracking takes a lot longer against MD5 • MD5 crypt is itself now considered too weak; current distributions default to SHA-512 crypt (the sha512 option of pam_unix) or yescrypt • Shadow passwords enhance password security • The hashes live in /etc/shadow, which ordinary users cannot read • Password ageing and locking are supported

  21. Password Aging • chage -M 90 username • Implements password aging: the password expires 90 days after it was last changed (-M sets the maximum age; -m sets the minimum days between changes, -W the warning period, -I the inactivity grace period, -E an absolute account expiry date) • In a heterogeneous NIS system it may be necessary to switch off these additional mechanisms, as not all UNIX flavours support MD5 hashes or the shadow aging fields
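The chage options above only edit numeric fields in /etc/shadow; what they mean at login time is easiest to see by reading those fields back. The following is an added example for this transcript, not code from the lecture or from the shadow-utils package: it parses constructed shadow entries (placeholder hashes), applies the aging rules for a given day, and shows the single field that chage -M rewrites. Day numbers count from 1970-01-01 as in /etc/shadow.

```python
"""Read the aging fields of an /etc/shadow entry (what chage -M/-m/-W/-I/-E
write) and decide what login would do on a given day.

Added example for this transcript; not the lecture's code and not from
shadow-utils. Entries and hashes below are constructed placeholders."""

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)


@dataclass
class ShadowEntry:
    name: str
    hash: str
    lastchg: Optional[int]   # day of last change; 0 forces a change at next login
    min_days: int            # chage -m: days before the password may be changed again
    max_days: Optional[int]  # chage -M: days a password stays valid (99999 = never)
    warn: int                # chage -W: days of warning before expiry
    inactive: Optional[int]  # chage -I: grace days after expiry before the account locks
    expire: Optional[int]    # chage -E: absolute day after which the account is disabled


def _opt(field: str) -> Optional[int]:
    return int(field) if field else None


def parse_shadow_line(line: str) -> ShadowEntry:
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    return ShadowEntry(f[0], f[1], _opt(f[2]), int(f[3] or 0), _opt(f[4]),
                       int(f[5] or 0), _opt(f[6]), _opt(f[7]))


def password_status(e: ShadowEntry, today: int) -> str:
    """Order of checks follows what login/pam_unix enforce."""
    if e.hash.startswith(("!", "*")):
        return "locked"                       # passwd -l, or no password ever set
    if e.expire is not None and today > e.expire:
        return "account expired"
    if e.lastchg == 0:
        return "must change"                  # chage -d 0
    if e.lastchg is None or e.max_days is None or e.max_days >= 99999:
        return "ok"                           # aging disabled
    expires_on = e.lastchg + e.max_days
    if today > expires_on:
        if e.inactive is not None and today > expires_on + e.inactive:
            return "locked"                   # inactivity grace period used up
        return "expired"                      # change forced at next login
    if today >= expires_on - e.warn:
        return "warn"
    return "ok"


def set_max_days(line: str, max_days: int) -> str:
    """The edit `chage -M <days> user` makes: field 5 only."""
    f = line.split(":")
    f[4] = str(max_days)
    return ":".join(f)


def day_to_date(n: int) -> date:
    return EPOCH + timedelta(days=n)


# Constructed entries; all changed on day 19000 (2022-01-08).
SAMPLE = {
    "alice": "alice:$6$saltsalt$placeholderhash:19000:0:90:7:14::",    # 90-day aging
    "bob":   "bob:!$6$saltsalt$placeholderhash:19000:0:90:7:14::",     # locked with passwd -l
    "carol": "carol:$6$saltsalt$placeholderhash:19000:0:99999:7:::",   # aging off
    "dave":  "dave:$6$saltsalt$placeholderhash:0:0:90:7:14::",         # must change at login
    "erin":  "erin:$6$saltsalt$placeholderhash:19000:0:90:7::19020:",  # account expires day 19020
}


def report(today: int) -> dict:
    return {name: password_status(parse_shadow_line(line), today)
            for name, line in SAMPLE.items()}


if __name__ == "__main__":
    for day in (19050, 19085, 19095, 19110):
        print(day_to_date(day), report(day))
```

Today's day number on a live system is `$(( $(date +%s) / 86400 ))`, and `chage -l user` prints the same fields as dates.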

  22. Password Policy • Part of the security policy, it focuses on • Password Aging • Password Strength • Failed Login Monitoring • If the password policy is too strict, users will start to write down passwords, or will simply rotate previous password strings

  23. Example /etc/pam.d/system-auth:
     password required pam_cracklib.so \
         minlen=20 \
         ocredit=1 dcredit=3 ucredit=5 lcredit=2
     password required pam_unix.so md5 use_authtok shadow nis remember=5
  minlen = the minimum effective length of the new password
  lcredit = the maximum credit towards minlen for lower case characters: each one counts +1, up to this value
  ucredit = the same for upper case characters
  dcredit = the same for digits
  ocredit = the same for any other character
  A negative credit instead requires at least that many characters of the class; with only positive credits, as here, an 18-character all-lower-case password already satisfies minlen=20
  use_authtok = pam_unix takes the password already entered and checked by pam_cracklib instead of prompting again
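The credit arithmetic above is easy to get backwards, so here is a checker for it. This is an added example for this transcript, not the lecture's code and not taken from the pam_cracklib source; it reimplements only the documented minlen/credit rule (the dictionary, palindrome and similarity checks of cracklib are not modelled). The two argument strings are the slide's own settings and a stricter variant with negative credits.

```python
"""Score a candidate password the way pam_cracklib's minlen/credit options do.

Added example for this transcript; not from the lecture or from pam_cracklib.
Only the length/credit rule is modelled."""

from typing import Dict, Tuple


def parse_cracklib_args(argstr: str) -> Dict[str, int]:
    """Turn 'minlen=20 dcredit=3 ...' into a dict; other options are ignored."""
    opts = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}
    for tok in argstr.split():
        key, _, val = tok.partition("=")
        if key in opts and val:
            opts[key] = int(val)
    opts["minlen"] = max(opts["minlen"], 6)   # pam_cracklib refuses minlen below 6
    return opts


def check_length(password: str, minlen: int = 9, dcredit: int = 1,
                 ucredit: int = 1, lcredit: int = 1,
                 ocredit: int = 1) -> Tuple[bool, int, str]:
    """Return (accepted, effective length, reason).

    A credit N >= 0 adds up to N to the length for characters of that class,
    so a long single-class password can still pass. A credit N < 0 is a
    requirement for at least -N characters of that class."""
    counts = {"digit": 0, "upper": 0, "lower": 0, "other": 0}
    for ch in password:
        if ch.isdigit():
            counts["digit"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        else:
            counts["other"] += 1
    credits = {"digit": dcredit, "upper": ucredit, "lower": lcredit, "other": ocredit}
    score = len(password)
    for cls, credit in credits.items():
        if credit < 0:
            if counts[cls] < -credit:
                return False, len(password), f"at least {-credit} {cls} character(s) required"
        else:
            score += min(counts[cls], credit)
    if score < minlen:
        return False, score, f"too short: effective length {score} < minlen {minlen}"
    return True, score, "ok"


# The slide's settings as a PAM argument string.
SLIDE_ARGS = "minlen=20 ocredit=1 dcredit=3 ucredit=5 lcredit=2"
# Constructed variant: negative digit/other credits actually demand those classes.
STRICTER_ARGS = "minlen=20 ocredit=-1 dcredit=-1 ucredit=5 lcredit=2"

if __name__ == "__main__":
    for args in (SLIDE_ARGS, STRICTER_ARGS):
        opts = parse_cracklib_args(args)
        for pw in ("Secur1ty!Lecture", "correcthorsebattery", "password"):
            print(args, repr(pw), check_length(pw, **opts))
```

Running it shows the point of the negative form: under the slide's settings "correcthorsebattery" passes with an effective length of 21 although it has no digit and no symbol, while dcredit=-1 ocredit=-1 rejects it outright.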

  24. Password Histories • pam_unix can store old password hashes in /etc/security/opasswd when the remember=N parameter is used; with remember=5 the last five hashes are kept and a new password matching any of them is refused

  25. Resource Limits • pam_limits.so enforces resource limits like the ulimit command • /etc/security/limits.conf • Called by default in /etc/pam.d/system-auth • Limits can be set by user or by group, one entry per line: <domain> <type> <item> <value> • Hard limits cannot be raised by the user • Soft limits are the values in force at login; a user can raise them with ulimit, but only up to the hard limit • developer hard nproc 100 • limits the user developer to 100 processes

  26. User Access Control • pam_listfile.so allows or denies users based on a simple text file • Configuration example:
     account required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/validusers
  • This line grants access only to the users listed, one per line, in /etc/security/validusers; onerr=fail makes a missing or unreadable file a denial rather than a silent allow • With item=tty or item=rhost the same module restricts access by terminal or by the remote host the system is being accessed from (e.g. over ssh)

  27. Sudo • Users listed in /etc/sudoers can execute commands with • Effective user id of 0 • Group id of root's group • Every use is logged, and by default an alert is mailed to the administrator if a user not listed in sudoers attempts to use sudo • Edit with visudo, which locks the file and checks the syntax before saving • Allows specified users to execute specified commands without needing to su (or log in) as root

  28. Sudo configuration • Define User Groups in the user alias specification section • User_Alias FT2283 = rbradley, mdeegan • Define Command Groups in the command alias specification section • Cmnd_Alias MIN = /etc/rc.d/init.d/httpd • Cmnd_Alias SHELLS = /bin/sh, /bin/bash • Associate Users with Commands in the user privilege specification section • FT2283 ALL = MIN • The form is user-list host-list = command-list; ALL as the host means the rule applies on every host that shares this sudoers file
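To see how the three sections fit together, here is a resolver for the subset of sudoers syntax the slide uses. It is an added example for this transcript, not code from the lecture or from sudo: it models User_Alias, Cmnd_Alias, privilege lines and an optional (runas) prefix, and deliberately leaves out Defaults, Host_Alias, %group, wildcards, !negation and #include. The sudoers text inside it is constructed around the slide's aliases, with two extra lines for mdeegan and root.

```python
"""Resolve User_Alias / Cmnd_Alias definitions and privilege lines and answer
"may this user run this command on this host?".

Added example for this transcript; not the lecture's code and not from sudo.
Only the subset of sudoers syntax shown on the slide is modelled."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Sudoers:
    user_aliases: Dict[str, List[str]] = field(default_factory=dict)
    cmnd_aliases: Dict[str, List[str]] = field(default_factory=dict)
    # (user spec, host spec, list of command specs)
    rules: List[Tuple[str, str, List[str]]] = field(default_factory=list)


def _split_alias(rest: str) -> Tuple[str, List[str]]:
    name, _, members = rest.partition("=")
    return name.strip(), [m.strip() for m in members.split(",") if m.strip()]


def parse_sudoers(text: str) -> Sudoers:
    s = Sudoers()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' comments; #include not handled
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"cannot parse sudoers line: {line!r}")
        keyword, rest = parts
        if keyword == "User_Alias":
            name, members = _split_alias(rest)
            s.user_aliases[name] = members
        elif keyword == "Cmnd_Alias":
            name, members = _split_alias(rest)
            s.cmnd_aliases[name] = members
        elif keyword in ("Defaults", "Host_Alias", "Runas_Alias"):
            continue                              # not modelled here
        else:                                     # user privilege specification
            host, _, cmnds = rest.partition("=")
            cmnds = cmnds.strip()
            if cmnds.startswith("("):             # drop a (runas_user) prefix
                cmnds = cmnds[cmnds.index(")") + 1:]
            s.rules.append((keyword, host.strip(),
                            [c.strip() for c in cmnds.split(",") if c.strip()]))
    return s


def _users(s: Sudoers, spec: str) -> List[str]:
    return s.user_aliases.get(spec, [spec])


def _cmnds(s: Sudoers, spec: str) -> List[str]:
    return s.cmnd_aliases.get(spec, [spec])


def may_run(s: Sudoers, user: str, host: str, command: str) -> bool:
    """Match on the program path (first word); a sudoers command listed
    without arguments permits any arguments."""
    prog = command.split()[0]
    for user_spec, host_spec, cmnd_specs in s.rules:
        if user_spec != "ALL" and user not in _users(s, user_spec):
            continue
        if host_spec not in ("ALL", host):
            continue
        for spec in cmnd_specs:
            for cmnd in _cmnds(s, spec):
                if cmnd == "ALL" or cmnd.split()[0] == prog:
                    return True
    return False


# Constructed sudoers built around the slide's aliases.
SUDOERS = """\
User_Alias FT2283 = rbradley, mdeegan
Cmnd_Alias MIN = /etc/rc.d/init.d/httpd
Cmnd_Alias SHELLS = /bin/sh, /bin/bash
FT2283 ALL = MIN
mdeegan ALL = (root) SHELLS
root ALL = (ALL) ALL
"""

if __name__ == "__main__":
    s = parse_sudoers(SUDOERS)
    for user, cmd in (("rbradley", "/etc/rc.d/init.d/httpd restart"),
                      ("rbradley", "/bin/sh"), ("mdeegan", "/bin/bash")):
        print(user, cmd, "->", may_run(s, user, "web1", cmd))
```

The mdeegan line is there to show what a SHELLS alias does when granted rather than denied: a user who may run /bin/bash as root has unrestricted root, so restricting the other commands in the file for that user achieves nothing.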

  29. PAM Logs • PAM logs events to the authpriv facility (private authentication messages) of syslog • Normally only login events and error messages are produced, but the debug argument accepted by most PAM modules gives a more detailed log • Changes to PAM configuration take effect for the next authentication immediately, so test them in a second session before you log out of the one you edited in • You can use getent <database> <key> to query nsswitch-managed databases; it exercises the full NSS lookup path, so it shows what pam_unix will see • getent passwd mdeegan • getent hosts www.tcd.ie • getent group ft228-3
