Lecture – Authentication Services
Contents
• Introduction to Authentication
• Pluggable Authentication Modules (PAM)
• Password Security
• Flexible Root Privileges (sudo)
• Network Authentication
Authentication: 4 steps
• Proof of Identity (Authentication)
  • Verifies the identity of the user, using a
    • Shared secret (password), or a
    • Token (Kerberos ticket or RSA public key)
• Grant of Access (Authorization)
  • Once the identity is verified, the system has to decide whether the user is allowed access, based on time of day, IP address etc.
• Update of Credentials
  • If the credential is no longer valid, the authentication process can ask the user for a new one
• Session Initialisation
  • At the end of authentication, the user’s session is initialised
  • If this is not successful, the authentication can still be terminated
  • This stage can start the user’s shell, set their environment, run captive programs etc.
Authentication Basics
• This process used to be handled by the login application alone, making customisation difficult or impossible
• With PAM, a standard is now available that simplifies the procedure
PAM Service Profile
• Type: set of libraries
• Packages: pam, util-linux, authconfig
• Configuration
  • (Apps) /etc/pam.d/*
  • (libs) /etc/nsswitch.conf
• Related: pam_smb, pam_krb, nss_ldap
PAM Operation
• The application calls libpam.so for authentication
• Additional libraries are called, based on the configuration of the system
• The configuration decides how the individual libraries’ exit codes combine into overall success or failure
PAM Configuration
• An application <service> linked against libpam.so looks up /etc/pam.d/<service> for its configuration details
  • E.g. /etc/pam.d/login for the login process
• If this file does not exist, PAM defaults to /etc/pam.d/other
• Based on the file, additional libraries are called together to determine the overall success or failure of the service access
• How each individual library affects the overall result depends on the configuration
PAM Example
• Each line of the config file has the following syntax
  • module-type control-flag module-path arguments

    #%PAM-1.0
    auth     required pam_securetty.so
    auth     required pam_unix.so shadow nullok
    auth     required pam_nologin.so
    account  required pam_unix.so
    password required pam_cracklib.so retry=3
    password required pam_unix.so shadow nullok use_authtok
    session  required pam_unix.so
PAM Configuration
• Module-Type
  • auth: authentication
  • account: authorization, account management
  • password: update of credentials
  • session: modification of the user’s environment
PAM Configuration
• Control-Flag
  • required: success is required; a failure still calls the remaining modules, but the result is already determined
  • requisite: a failure immediately terminates the authentication process; success continues
  • sufficient: success bypasses the remaining modules; failure is ignored
  • optional: the result is ignored
PAM Example
• /etc/pam.d/login

    auth     requisite pam_securetty.so
    auth     required  pam_unix.so nullok
    account  required  pam_unix.so
    password required  pam_cracklib.so
    password required  pam_unix.so shadow md5
    session  required  pam_unix.so
    session  required  pam_limits.so
    session  optional  pam_console.so
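To see how the control flags from the Control-Flag slide combine the results of the modules in the /etc/pam.d/login stack above, here is a small simulator. It is an added example, not lecture code: the module outcomes are constructed inputs, and no real PAM library is called.

```python
# Simulate how PAM combines module results with the control flags required /
# requisite / sufficient / optional. Added example, not lecture code: module
# outcomes are constructed inputs, no real PAM library is called.

# The /etc/pam.d/login stack from the lecture, in "type flag module args" form.
LOGIN_STACK = """\
auth     requisite pam_securetty.so
auth     required  pam_unix.so nullok
account  required  pam_unix.so
password required  pam_cracklib.so
password required  pam_unix.so shadow md5
session  required  pam_unix.so
session  required  pam_limits.so
session  optional  pam_console.so
"""


def parse_stack(text):
    """Parse config lines into (type, flag, module, args); '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {line!r}")
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries


def evaluate(entries, mtype, outcomes):
    """Return True if the `mtype` stack succeeds; `outcomes` maps module -> bool.

    required  : a failure decides the result, but the remaining modules still run
    requisite : a failure returns immediately
    sufficient: a success returns immediately unless a required module failed
    optional  : the result is ignored (as described in the lecture)
    """
    failed = False
    for t, flag, module, _args in entries:
        if t != mtype:
            continue
        ok = outcomes.get(module, False)  # a module with no recorded outcome fails
        if flag == "required":
            failed = failed or not ok
        elif flag == "requisite":
            if not ok:
                return False
        elif flag == "sufficient":
            if ok and not failed:
                return True
        elif flag != "optional":
            raise ValueError(f"unknown control flag {flag!r}")
    return not failed
```

With pam_securetty failing (root on an insecure terminal), the auth stack stops at the requisite line; a failing optional pam_console never changes the session result.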
Core PAM Modules
• pam_unix: standard authentication
  • Authenticates users with the getpw() function, the UNIX standard. Can connect to several directory services for network authentication
• pam_env: sets environment variables
• pam_securetty: limits root logins to secure terminals
  • Prevents root logins from an insecure terminal. The list of allowed terminals is kept in /etc/securetty
• pam_stack: calls another PAM service
  • The overall result of the further modules is used as pam_stack’s exit code
• pam_nologin: tests for /etc/nologin
  • Prevents logins by non-root users if /etc/nologin exists. If possible, the content of this file is displayed to inform blocked users of the restriction
• pam_deny: always returns a “failure” exit code
• pam_console: sets privileges for users at the console
  • Gives local users connected to the console extra permissions. They may be allowed to execute certain root-only commands like poweroff. Such users become temporary members of the “Console User Group”
Authentication Modules
• Network Authentication
  • Centralises the user database on one server, simplifying the management of large groups of users
  • Generic directory services like NIS or LDAP maintain various administrative data (hosts, groups …)
  • PAM supports network authentication with several modules
Network Authentication
• pam_unix connects to the generic “name service switch” (NSS)
• The NSS decides which resources are used for information from the /etc/nsswitch.conf file, e.g.
    passwd: files nis ldap
• This looks up password data first in the local files, then in NIS, then in LDAP, in that order
Network Authentication: SMB
• PAM can authenticate against SMB (Samba or a Windows PDC)
• SMB does not support user IDs, so two possible approaches exist
  • pam_smb requires that UNIX users are mapped to Windows users
  • pam_winbind creates user IDs as needed, so local UNIX users are not required
Other PAM Modules
• pam_mkhomedir: makes home directories
• pam_time: limits access based on time
• pam_access: location-based control
• pam_tally: counts attempted logins
• pam_timestamp: access based on last logon
• pam_chroot: chroots specific users
Password Security
• MD5 passwords can be up to 256 characters long
• Red Hat Linux uses MD5-hashed passwords. The algorithm is more complex than the traditional UNIX crypt method
• Dictionary-based or brute-force password cracking takes a lot longer with MD5
• Shadow passwords enhance password security
  • Password hashes cannot be accessed by users
  • Password ageing and locking are supported
Password Aging
• chage -M 90 username
  • Implements password aging, with a 90-day expiration
• In a heterogeneous NIS system, it may be necessary to switch off these additional mechanisms, as not all UNIX flavours support MD5
Password Policy
• Part of the security policy, it focuses on
  • Password aging
  • Password strength
  • Failed login monitoring
• If the password policy is too strict, users will start to write down passwords, or will simply rotate previous password strings
Example /etc/pam.d/system-auth:

    password required pam_cracklib.so \
        minlen=20 \
        ocredit=1 dcredit=3 ucredit=5 lcredit=2
    password required pam_unix.so md5 use_authtok shadow nis remember=5

• minlen = the minimum value of the password
• lcredit = the value of each lower-case character in the password
• ucredit = the value of each upper-case character in the password
• dcredit = the value of each digit in the password
• ocredit = the value of any other character in the password
• use_authtok = take the password already entered into cracklib
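An added example (not from the lecture) that scores a candidate password the way pam_cracklib's minlen and credit options do. It implements the general rule, where a positive credit adds to the effective length and a negative value is a per-class minimum, of which the lecture's minlen=20 ocredit=1 dcredit=3 ucredit=5 lcredit=2 is one case; only the length/credit check is modelled, not cracklib's dictionary tests.

```python
# Score a candidate password the way pam_cracklib's minlen/credit options do.
# Added example, not lecture code; it implements the general rule (positive
# credits add to the length, negative values are per-class minimums), of which
# the lecture's minlen=20 ocredit=1 dcredit=3 ucredit=5 lcredit=2 is one case.

CLASSES = {
    "dcredit": str.isdigit,
    "ucredit": str.isupper,
    "lcredit": str.islower,
    "ocredit": lambda c: not c.isalnum(),
}


def parse_options(args):
    """Turn pam_cracklib arguments like ['minlen=20', 'dcredit=3'] into a dict."""
    opts = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}
    for arg in args:
        key, _, value = arg.partition("=")
        if key in opts:
            opts[key] = int(value)
    return opts


def effective_length(password, opts):
    """Length plus credits: each class adds min(count, credit) when credit >= 0."""
    length = len(password)
    for name, pred in CLASSES.items():
        credit = opts[name]
        if credit >= 0:
            length += min(sum(1 for c in password if pred(c)), credit)
    return length


def check_password(password, args):
    """Return (accepted, reason) for `password` under the given pam_cracklib args."""
    opts = parse_options(args)
    # A negative credit is a hard minimum for that character class.
    for name, pred in CLASSES.items():
        need = -opts[name]
        if need > 0 and sum(1 for c in password if pred(c)) < need:
            return False, f"needs at least {need} characters of class {name}"
    eff = effective_length(password, opts)
    if eff < opts["minlen"]:
        return False, f"effective length {eff} below minlen {opts['minlen']}"
    return True, f"effective length {eff}"


# The settings from the slide above, as the argument list pam_cracklib would see.
LECTURE_ARGS = ["minlen=20", "ocredit=1", "dcredit=3", "ucredit=5", "lcredit=2"]
```

With the lecture's settings a 16-character mixed password such as the constructed "Tcd-Lecture2024!" reaches an effective length of 24 and passes, while "abc123" only reaches 11.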
Password Histories
• pam_unix can store old password hashes in /etc/security/opasswd if the remember parameter is used
Resource Limits
• pam_limits.so enforces resource limits like the ulimit command
  • Configured in /etc/security/limits.conf
  • Called by default in /etc/pam.d/system-auth
• Limits can be set by user or by group
  • Hard limits cannot be exceeded
  • Soft limits can be raised with the ulimit command
• Example entry:
    developer hard nproc 100
User Access Control
• pam_listfile.so allows or denies users based on a simple text file
• Configuration example:
    account required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/validusers
• This library controls access based on a simple text file that contains a list of users
• It can also be used to restrict usage based on the terminal or the server (using ssh) the system is being accessed from
Sudo
• Users listed in /etc/sudoers can execute commands with
  • Effective user ID of 0
  • Group ID of root’s group
• An admin alert will be sent if a user not listed in sudoers attempts to use sudo
• Edit the file with visudo
• Allows specified users to execute specified commands without needing to su (or log in) as root
Sudo configuration
• Define user groups in the user alias specification section
    User_Alias FT2283=rbradley,mdeegan
• Define command groups in the command alias specification section
    Cmnd_Alias MIN=/etc/rc.d/init.d/httpd
    Cmnd_Alias SHELLS=/bin/sh,/bin/bash
• Associate users with commands in the user privilege specification section
    FT2283 ALL=MIN
PAM Logs
• PAM logs events in the authpriv (private authentication messages) facility of syslog
• Normally only login events and error messages are produced, but the debug parameter of most PAM libraries can be used to produce a more detailed log
• Changes to the PAM configuration are effective immediately, so test them before you log out
• Use getent <database> <key> to get information from nsswitch-managed databases
    getent passwd mdeegan
    getent hosts www.tcd.ie
    getent group ft228-3