Accounts and Authentication By: Tom Ockenhouse
What is Authentication?
• The process of attempting to verify the digital identity of the sender of a communication, such as a request to log in.
• The sender being authenticated may be a person using a computer, a computer itself, or a computer program.
• A blind credential does not establish identity at all, but only a narrow right or status of the user or program.
What is a User Account?
• Where is it stored?
• Most of the user account information is stored in the passwd file.
• Password encryption and password aging information are stored in the passwd file when using the NIS or NIS+ authentication standards.
• The passwd file consists of 6 fields:
  • username
  • password
  • uid
  • gid
  • comment
  • home-directory
  • login-shell
• All Unix systems have an account called root.
  • aka superuser.
• The admin or superuser grants access to new users.
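The passwd layout above, as an added example that is not part of the original slides: a small parser for the colon-separated passwd format, plus an audit that flags the weak states a defender looks for in that file (an empty password field, a second uid 0 account, and a hash left in the world-readable passwd instead of the shadow file). The sample records are constructed, not taken from a real host.

```python
from typing import List, NamedTuple, Tuple

# One passwd record: seven colon-separated fields, in this order.
PASSWD_FIELDS = ("username", "password", "uid", "gid",
                 "comment", "home_directory", "login_shell")


class PasswdEntry(NamedTuple):
    username: str
    password: str
    uid: int
    gid: int
    comment: str
    home_directory: str
    login_shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd-format text; blank and '#' lines are skipped,
    a line with the wrong number of fields raises ValueError."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(PASSWD_FIELDS):
            raise ValueError(f"line {lineno}: expected "
                             f"{len(PASSWD_FIELDS)} fields, got {len(parts)}")
        entries.append(PasswdEntry(parts[0], parts[1], int(parts[2]),
                                   int(parts[3]), parts[4], parts[5], parts[6]))
    return entries


def classify_password_field(value: str) -> str:
    """'x' means the hash lives in the shadow file; '*' or '!' prefixes mark
    a locked account; empty means no password is required at all."""
    if value == "":
        return "none"
    if value == "x":
        return "shadowed"
    if value.startswith(("*", "!")):
        return "locked"
    return "hash-in-passwd"


def audit_passwd(entries: List[PasswdEntry]) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for risky account configurations."""
    findings = []
    for e in entries:
        kind = classify_password_field(e.password)
        if kind == "none":
            findings.append((e.username, "empty password field: login without a password"))
        elif kind == "hash-in-passwd":
            findings.append((e.username, "hash stored in world-readable passwd, not shadow"))
        if e.uid == 0 and e.username != "root":
            findings.append((e.username, "uid 0: a second superuser account"))
    return findings


# Constructed sample records (not from any real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tom:x:1000:1000:Tom:/home/tom:/bin/bash
backup::34:34:backup:/var/backups:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
legacy:$1$abc$fakehashvalue:1001:1001:old NIS import:/home/legacy:/bin/sh
"""
```

Running `audit_passwd(parse_passwd(SAMPLE_PASSWD))` reports the backup, toor and legacy accounts; the root, daemon and tom records are clean.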
Locating User Accounts
• finger
  • Get users that are currently logged in
  • Determine if an account is active
  • Last accessed
• rusers
  • Returns remote user info
• whois
  • Responsible for certain domains and active accounts
• Often treated as attacks
  • Hosts will refuse these commands
Authentication Standards
• NIS
  • Network Information Service
  • Distributes system configuration data such as user and host names between computers on a computer network.
  • Used for maintenance and distribution of a central directory of user and group information, hostnames, e-mail aliases and other text-based tables of information in a computer network.
  • NIS can also be configured to serve the password data that users are authenticated against.
Kerberos
• Allows individuals communicating over a non-secure network to prove their identity to one another in a secure manner.
• Its designers aimed primarily at a client-server model, and it provides mutual authentication — both the user and the server verify each other's identity.
• Protocol messages are protected against eavesdropping and replay attacks.
• Kerberos builds on symmetric key cryptography and requires a trusted third party. Extensions to Kerberos can provide for the use of public-key cryptography during certain phases of authentication.
• Drawbacks
  • Single point of failure: it requires continuous availability of a central server. When the Kerberos server is down, no one can log in.
  • Kerberos requires the clocks of the involved hosts to be synchronized. The tickets have a time availability period, and if the host clock is not synchronized with the clock of the Kerberos server, the authentication will fail.
  • Secret keys for all users are stored on the central server, so a compromise of that server will compromise all users' secret keys.
Lightweight Directory Access Protocol (LDAP)
• Protocol for querying and modifying directory services, running over TCP/IP
• LDAP is often used by other services for authentication, despite the security problems this causes.
• Most advanced and secure of the three standards
LDAP/Kerberos replacing NIS
• NIS is the most common, but it is also completely insecure.
  • Weakly encrypted passwords are sent over the network in the clear.
  • Difficult to firewall.
  • Clients have no way to ensure that the server they are talking to is actually an official server.
• Most LDAP server implementations support pretty good security through SSL for authentication and transport encryption, fine-grained access controls, etc.
• Thus many sites are based on using Kerberos for authentication and LDAP for directory services.