1 / 28

CIT 500: IT Fundamentals

CIT 500: IT Fundamentals. Users. Topics. Identity User Accounts /etc/{passwd,shadow} User Commands Passwords Groups. What is Identity?. Computer’s representation of an entity. Authentication binds a principal to an identity. Example: username expresses your identity.

sumrall
Télécharger la présentation

CIT 500: IT Fundamentals

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CIT 500: IT Fundamentals Users

  2. Topics • Identity • User Accounts • /etc/{passwd,shadow} • User Commands • Passwords • Groups

  3. What is Identity? Computer’s representation of an entity. Authentication binds a principal to an identity. Example: • username expresses your identity. • password binds the person typing to that particular identity (username).

  4. Purpose of Identity Access Control • Most systems base access rights on identity of principal executing the process. Accountability • Logging and auditing functions. • Need to track identity across account/role changes (e.g., su, sudo).

  5. What is Authentication? Binding of an identity to a subject. Based on one of the following factors: • What the entity knows (e.g., passwords) • What the entity has (e.g., access card) • What the entity is (e.g., fingerprints) • Where the entity is (e.g., local terminal) Or a combination of two or more factors.

  6. Groups and Roles An “entity” may be a set of entities referred to by a single identifier. Users often need to share access to files, and thus are taken as groups. A role is a group that ties membership to function

  7. User Types Regular users • Humans with accounts on system. • May log in via network or on console. Special users • Non-human users for specific programs, i.e. http. • Used for file permission purposes. Superuser • Admin user with UID 0 has special permissions. • Username is typically root.

  8. User Accounts UNIX accounts described by the following fields • User ID (UID) • Group ID (GID) • Password • Comment (a/k/a GCOS field) • Home directory • Login shell User account data stored in /etc/passwd • Except password itself, which is in /etc/shadow

  9. /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh waldenj:x:100:100:James Walden, faculty:/home/waldenj:/bin/bash smith:x:101:101:John Smith, student:/home/smithj:/bin/bash

  10. /etc/shadow Root-only readable file for password storage • Prevents users from reading encrypted passwords • Additional fields support password aging features. One line per account, including fields for • Username • Encrypted password • Days since 1/1/1970 password was last changed • Days before password may be changed • Days after which password must be changed • Days before password is to expire that user is warned • Days after password expires that account is disabled • Days since 1/1/1970 that account is disabled

  11. /etc/shadow root:$1$A4h5.ZbC$DekjN2J7W5jymRS8gAbcT2:14565:0:99999:7::: daemon:*:14537:0:99999:7::: bin:*:14537:0:99999:7::: sys:*:14537:0:99999:7::: games:*:14537:0:99999:7::: man:*:14537:0:99999:7::: lp:*:14537:0:99999:7::: mail:*:14537:0:99999:7::: news:*:14537:0:99999:7::: uucp:*:14537:0:99999:7::: waldenj:$1$0nAbDEFg$HiJk9l1mNopQRlhTUVW5x.:14537:0:99999:7::: smith:$1$j02bHyTU$.vwXYz1ABcDEcfGH83IjK/:14565:0:99999:7::: Note that not all fields are currently used: see blank fields at end of each line.

  12. Accessing Account Information Direct access to account information grep username /etc/{passwd,shadow} grep username /etc/group What if account information is elsewhere? getent passwd username getent group username Where else might account info be stored? NIS LDAP

  13. User Identification Commands The whoami command provides username of the current user. > whoami waldenj The id command provides complete user and group information with user and group names and UIDs and GIDs. > id uid=100(waldenj) gid=100(waldenj) groups=100(waldenj),1001(faculty) > id smithj uid=101(smithj) gid=101(smithj) groups=101(smithj),1001(faculty)

  14. Changing your Identity The su command changes your UID. • Without an argument, changes to root. • Requires a password unless you are already root. • Use exit command to change back. The sudo command runs a command as root. • Use your own password to authenticate. • sudo cat /etc/shadow • sudo useradd

  15. Superuser can Read any file. Modify any file. Add / remove users. Become any user. Kill any process. Reprioritize processes. Configure network. Set date/time. Shutdown / reboot. Superuser can’t Change read-only filesystem. Decrypt hashed passwords. Modify NFS-mounted filesystems. Read or modify SELinux protected files. Superuser Powers

  16. Creating an Account useradd –c “John Smith” username • Creates account with specified username. • Sets comment to “John Smith” to store name. • Uses defaults from /etc/login.defs for other fields, such as home directory, shell, password aging, &c. To set password become root and run • passwd username

  17. Modifying an Account usermod [options] username -c comment -d homedir -e password-expire-date -G group1,group2 [adds groups] -l newusername [changes username] -L [locks account, prevents logins] -s shell

  18. Removing an Account The userdel command removes an account Must supply –r option to remove homedir.

  19. Passwords Passwords • Most common type of authentication. • Authentication binds a person to an identity. • Use passwd command to change. Attacks against passwords • Reading passwords from disk storage. • Intercepting passwords via wiretapping. • Guessing passwords.

  20. Protecting Passwords Against disk storage attacks • Store password in secure file, /etc/shadow. • Store one-way hash of password, not password itself. • Compare hash of password entered by user with hash of password stored on disk to login. Against wiretapping • Do not send passwords over email. • Use encrypted protocols like ssh to login. Against guessing • Do not use dictionary words, birthdates, names. • Choose a long password.

  21. People Don’t Choose Random Passwords

  22. 123456 letmein password 12345678 dragon qwerty michael 654321 harley ranger iwantu xxxxxxx turtle united porsche guitar black diamond nascar jun0389 06031989 amanda phoenix mickey tigers purple xmen94 aaaaaa Commonly Used Bad Passwords • prince • beach • amateur • ncc1701 • tennis • startrek • swimming • kitty • rainbox • 112233 • 232323 • giants • enter • 0 • cupcake • 8675309 • marlboro • newyork • diablo • sexsex • access14 • abgrtyu • 123123 • dragon123 • applepie • 31415926 • 99skip • just4fun • xcvb • typewriter

  23. How to Select Good Passwords • Long passwords, consisting of multiple words.. Use nth letter of each word if phrase too long. • Themes: • Word combinations: 3 blind katz • E-mail or URL: yoda@strong-this-password-is.net • Phone number: (888) 888-eight eight • Bracketing: Starfleet -> *!-Starfleet-!* • Add a word: shopping -> Goin’ shopping • Repetition: Pirate--PirateShip • Letter swapping: Sour Grape -> Gour Srape

  24. Password Aging Requirement that password be changed after a period of time or after an event has occurred. If expected time to guess is 180 days, should change password more frequently than 180 days. • If change time too short, users have difficulty recalling passwords. • Cannot allow users to change password to current one. • Also prevent users from changing passwords too soon. • Give notice of impending password change requirement. • Expire account to prevent logins if password not changed within time specified by policy.

  25. Groups Users belong to one or more groups. • User always has a primary group. • Files are created with GID of primary group. • User can access files accessible to any of the groups to which the user belongs. Groups contain zero or more users. • Created by the system administrator. • Some groups exist for programs like special users. • Other groups exist for human users.

  26. /etc/group root:x:0: daemon:x:1: bin:x:2: sys:x:3: adm:x:4: tty:x:5: disk:x:6: lp:x:7: waldenj:x:100: smithj:x:101: faculty:x:1001:smithj,waldenj

  27. Group Commands groupadd [-g GID] groupname Creates a new group. groupmod groupname -n newgroupname -g newgroupID usermod –G modifies group membership groupdel removes a group

  28. References • Red Hat, RHEL Installation Guide, http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Installation_Guide/index.html, 2009. • Syed Mansoor Sarwar, Robert Koretsky, Syed Ageel Sarwar, UNIX: The Textbook, 2nd edition, Addison-Wesley, 2004. • Nicholas Wells, The Complete Guide to Linux System Administration, Thomson Course Technology, 2005.

More Related