1 / 16

CIS 193A - Lesson2

CIS 193A - Lesson2. Authorization & Authentication. Sudo and PAM. Quote of the Day. In ubiquitous computing environments, the computer technology will recede into the background of our lives for its ultimate goal, invisibility. Taekyoung Kwon Dept. of Computer Engineering

alda
Télécharger la présentation

CIS 193A - Lesson2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CIS 193A - Lesson2 Authorization & Authentication Sudo and PAM

  2. Quote of the Day In ubiquitous computing environments, the computer technology will recede into the background of our lives for its ultimate goal, invisibility. Taekyoung Kwon Dept. of Computer Engineering Sejong University, Seoul

  3. Focus Question What is the difference between authentication and authorization, and how do PAM and sudo relate to these two concepts?

  4. The Sudo Facility The sudo facility consists of: • the sudo command: /usr/bin/sudo • a configuration file: /etc/sudoers The sudoers file specifies who is able to run what commands as what user on which hosts.

  5. Sudoers Syntax who hosts = [ (as who) ] [ tags ] commands • who::= username | %groupname • hosts::= localhost | hostname | IP address • as who::= username • tags::= NOPASSWD | NOEXEC | NOSETENV • Commands::= command [options] [args] Keyword: ALL represents any possible value:%wheel ALL = (ALL) ALL Aliases may be used to represent any of the above as a list of values

  6. Sudo Examples • Allow user john to run all commands as root on the local machine.john localhost = (root) ALL • Allow the group admins to run the kill command as any member of the users group on any host.%admins ALL = (%users) /bin/kill

  7. Use of the sudo command • Run a command as another user:sudo –u user commandPassword:_ # must supply your password, # not the targeted user. • Run a command as root:sudo commandPassword: # your password, not root’s Note: when running successive sudo commands, you will be prompted for a password only on the first invocation.

  8. PAM Pluggable Authentication Modules

  9. The PAM Facility The PAM facility consists of: • the PAM libraries: /lib/security/pam_*.so • a configuration file: /etc/pam.conf ora configuration directory: /etc/pam.dwith configuration files for each service Other configuration files associated with the libraries occur in the /etc and /etc/security.

  10. PAM File Syntax Type Control PAM Library Parameters Example configuration file: system-auth auth required pam_env.so auth sufficient pam_unix.so nullok auth requisite pam_succeed_if.so uid >= 500 quiet account required pam_unix.so broken_shadow account sufficient pam_succeed_if.so uid < 500 quiet password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so sha512 shadow nullok use_authtok session optional pam_keyinit.so revoke session required pam_limits.so

  11. PAM Module Types

  12. PAM Control Flags

  13. Common PAM Libraries pam_access.so pam_keyinit.so pam_permit.sopam_ccreds.so pam_krb5.so pam_chroot.so pam_postgresok.so pam_time.so pam_pwhistory.so pam_timestamp.so pam_cracklib.so pam_lastlog.so pam_tty_audit.so pam_debug.so pam_ldap.so pam_rhosts.so pam_umask.so pam_deny.so pam_limits.so pam_rootok.so pam_unix_acct.so pam_echo.so pam_listfile.so pam_rps.so pam_unix_auth.so pam_env.so pam_localuser.so pam_securetty.so pam_exec.so pam_loginuid.so pam_selinux.so pam_mail.so pam_shells.so pam_unix.so pam_mkhomedir.so pam_smb_auth.so pam_userdb.so pam_filter.so pam_motd.so pam_smbpass.so pam_warn.so pam_ftp.so pam_namespace.so pam_stack.so pam_wheel.so pam_group.so pam_nologin.so pam_issue.so pam_passwdqc.so pam_succeed_if.so pam_xauth.so

  14. Review

  15. Focus Question What is the difference between authentication and authorization, and how do PAM and sudo relate to these two concepts? Authentication verifies that you are who you say you are. Once authentication is accomplished, authorization answers what you are allowed to do. PAM performs authentication, sudo handles authorization.

  16. Multi-Factor Authentication • Single factor: • Based upon something you have • Two factor: • Based on something you have and • Something you know • Three factor: • Based on something you have, • Something you know, and • Something you are

More Related