Lecture – Authentication Services
Dec 31, 2015
Contents
Introduction to Authentication
Pluggable Authentication Modules (PAM)
Password Security
Flexible Root Privileges (sudo)
Network Authentication
Authentication: 4 steps
1. Proof of Identity (Authentication)
Verifies the identity of the user, by using a shared secret (password) or a token (Kerberos ticket or RSA public key)
2. Grant of Access (Authorization)
Once the identity is verified, the system has to decide if the user is allowed access, based on time of day, IP address etc.
3. Update of Credentials
If the credential is no longer valid, the authentication process can ask the user for a new one
4. Session Initialisation
At the end of authentication, the user's session is initialised. If this is not successful, the authentication can still be terminated. This stage can start the user's shell, set their environment, run captive programs etc.
Authentication Basics
This process used to be handled by the login application alone, making customisation difficult or impossible
With PAMs, a standard is now available to simplify the procedures
PAM Service Profile
Type: set of libraries
Packages: pam, util-linux, authconfig
Configuration: (apps) /etc/pam.d/*, (libs) /etc/nsswitch.conf
Related: pam_smb, pam_krb, nss_ldap
PAM Operation
Application calls libpam.so for authentication
Additional libraries are called, based on the configuration of the system
The configuration decides how the individual libraries' exit codes result in overall success or failure
PAM Configuration
An application <service> linked against libpam.so looks up /etc/pam.d/<service> for its configuration details, e.g. /etc/pam.d/login for the login process
If this file does not exist PAM defaults to /etc/pam.d/other
Based on the file, additional libraries will be called together to determine the overall success or failure of the service access
How each individual library affects the overall result depends on the configuration
PAM Example
Each line of the config file has the following syntax:
module-type control-flag module-path arguments

#%PAM-1.0
auth     required pam_securetty.so
auth     required pam_unix.so shadow nullok
auth     required pam_nologin.so
account  required pam_unix.so
password required pam_cracklib.so retry=3
password required pam_unix.so shadow nullok use_authtok
session  required pam_unix.so
PAM Configuration
Module-Type
auth: authentication
account: authorization, account management
password: update of credentials
session: modification of the user's environment
PAM Configuration
Control-Flag
required: success is required; failure will still call the remaining modules, but the result is already determined
requisite: failure will immediately terminate the authentication process, success continues
sufficient: success bypasses the remaining modules, failure is ignored
optional: the result is ignored
PAM Example: /etc/pam.d/login
auth     requisite pam_securetty.so
auth     required  pam_unix.so nullok
account  required  pam_unix.so
password required  pam_cracklib.so
password required  pam_unix.so shadow md5
session  required  pam_unix.so
session  required  pam_limits.so
session  optional  pam_console.so
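The control-flag rules above decide the fate of a stack like the login example's auth lines. This added example (not from the lecture, and not the libpam implementation) models that evaluation; module results are constructed booleans standing in for PAM exit codes.

```python
# Added example (not from the lecture): a model of how libpam combines the
# exit codes of the modules in one /etc/pam.d/<service> stack according to
# their control flags. Module results are constructed booleans, not real
# PAM calls: True stands for PAM_SUCCESS, False for any failure code.

def run_stack(stack, results):
    """Evaluate one module-type stack (e.g. all the 'auth' lines).

    stack   -- list of (control_flag, module_name) in file order
    results -- dict mapping module_name to its simulated result
    Returns (overall_success, modules_actually_called).
    """
    decided_failure = False   # set once a 'required' module has failed
    called = []
    for control, module in stack:
        called.append(module)
        ok = results[module]
        if control == "required":
            # Failure fixes the outcome but the remaining modules still run,
            # so the user cannot tell which module rejected them.
            if not ok:
                decided_failure = True
        elif control == "requisite":
            # Failure ends the stack immediately; success just continues.
            if not ok:
                return False, called
        elif control == "sufficient":
            # Success ends the stack with success, unless an earlier
            # 'required' module already failed. Failure is ignored.
            if ok and not decided_failure:
                return True, called
        elif control == "optional":
            pass  # result ignored (a stack made only of optional modules
                  # is a corner case this model does not cover)
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return (not decided_failure), called

# The 'auth' stack from the /etc/pam.d/login example.
LOGIN_AUTH = [("requisite", "pam_securetty.so"), ("required", "pam_unix.so")]

if __name__ == "__main__":
    # root on an insecure tty: pam_securetty fails, pam_unix is never called
    print(run_stack(LOGIN_AUTH, {"pam_securetty.so": False, "pam_unix.so": True}))
```

The last case in the tests shows why the common `sufficient pam_unix.so` followed by `required pam_deny.so` pattern works, and why a `sufficient` success cannot rescue an earlier `required` failure.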
Core PAM Modules
pam_unix: standard authentication. Authenticates users with the getpw() function, the UNIX standard. Can connect to several directory services for network authentication
pam_env: sets environment variables
pam_securetty: limits root logins to secure terminals. Prevents root logins from an insecure terminal; the list of allowed terminals is kept in /etc/securetty
pam_stack: calls another PAM service. The overall result of the further modules is used as pam_stack's exit code
pam_nologin: tests for /etc/nologin. Prevents logins by non-root users if /etc/nologin exists. If possible, the content of this file is displayed to inform blocked users of the limitation
pam_deny: always returns a "failure" exit code
pam_console: sets privileges for users at the console. Gives local users connected to the console extra permissions; they may be allowed to execute certain root-only commands like poweroff. Such users become temporary members of the "Console User Group"
Authentication Modules
Network Authentication
Centralises the user database on one server, simplifying the management of large groups of users
There are generic directory services like NIS or LDAP that maintain various administrative data (hosts, groups ...)
PAM supports network authentication with several modules
Network Authentication
pam_unix connects to the generic "name service switch" (NSS)
The NSS decides which resources are used for information from the /etc/nsswitch.conf file, e.g.:
passwd: files nis ldap
This will look up password data first in the local files, then in NIS and LDAP, in that order
Network Authentication: SMB
PAM can authenticate against SMB (Samba or a Windows PDC)
SMB does not support user IDs, so two possible approaches exist:
pam_smb requires that UNIX users are mapped against Windows users
pam_winbind creates user IDs as needed, so local UNIX users are not required
Other PAM Modules
pam_mkhomedir: makes home directories
pam_time: limits access based on time
pam_access: location-based control
pam_tally: counts attempted logins
pam_timestamp: access based on last logon
pam_chroot: chroots specific users
Password Security
Red Hat Linux uses MD5-hashed passwords; MD5 passwords can be up to 256 characters long. The algorithm is more complex than the traditional UNIX crypt method, so dictionary-based or brute-force password cracking takes a lot longer with MD5
Shadow passwords enhance password security: passwords cannot be accessed by users, and password ageing and locking are supported
Password Aging
chage -M 90 username
Implements password aging, with a 90-day expiration (-M sets the maximum number of days a password remains valid)
In a heterogeneous NIS system, it may be necessary to switch off these additional mechanisms, as not all UNIX flavours support MD5
Password Policy
Part of the security policy, it focuses on password aging, password strength and failed login monitoring
If the password policy is too strict, users will start to write down passwords, or will simply rotate previous password strings
Example /etc/pam.d/system-auth:
password required pam_cracklib.so minlen=20 ocredit=5 dcredit=5 ucredit=5 lcredit=5
password required pam_unix.so md5 use_authtok shadow nis remember=5

minlen = the minimum value of the password
lcredit = the value of each lower case character in the password
ucredit = the value of each upper case character in the password
dcredit = the value of each digit in the password
ocredit = the value of any other character in the password
use_authtok = take the password already entered into pam_cracklib instead of prompting again
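To see what the minlen and credit parameters above accept and reject, this added example (not from the lecture, and not pam_cracklib's own code) scores candidate passwords the way the module documents positive credits: each character class adds one point per character up to its credit, and the total must reach minlen. That it ignores the module's dictionary and similarity checks, the extra one added to minlen, and negative (minimum-count) credits is an assumption of this model.

```python
# Added example (not from the lecture): a model of the credit scoring behind
# the pam_cracklib line in the system-auth example. Each positive credit lets
# characters of that class add one point each, up to the credit limit, and the
# total (the password's 'value') must reach minlen. This simplifies the real
# module, which also runs dictionary and similarity checks, adds one to minlen
# when credits are enabled and treats negative credits as minimum counts.

def cracklib_score(password, lcredit=5, ucredit=5, dcredit=5, ocredit=5):
    """Return length plus capped class credits for a candidate password."""
    counts = {"lower": 0, "upper": 0, "digit": 0, "other": 0}
    for ch in password:
        if ch.islower():
            counts["lower"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["other"] += 1
    limits = {"lower": lcredit, "upper": ucredit, "digit": dcredit, "other": ocredit}
    score = len(password)
    for cls, n in counts.items():
        # a class contributes at most its credit, however many characters it has;
        # negative (minimum-count) credits are not modelled and count as zero
        score += min(n, max(limits[cls], 0))
    return score

def meets_policy(password, minlen=20, **credits):
    """True if the password's value reaches minlen under the given credits."""
    return cracklib_score(password, **credits) >= minlen

if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3", "abcdefghijklmno"]:
        print(pw, cracklib_score(pw), meets_policy(pw))
```

Note that with these settings a 15-character all-lowercase string scores 20 and passes on length alone, while an 11-character mixed-class string passes only thanks to its credits.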
Password Histories
pam_unix can store old password hashes in /etc/security/opasswd if the remember parameter is used
Resource Limits
pam_limits.so enforces resource limits like the ulimit command
Configured in /etc/security/limits.conf
Called by default in /etc/pam.d/system-auth
Limits can be set by user or by group
User Access Control
pam_listfile.so allows or denies users based on a simple text file
Configuration example:
account required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/validusers
This library controls access based on a simple text file that contains a list of users. It can also be used to restrict usage based on the terminal or server (using ssh) the system is being accessed from.
Sudo
Users listed in /etc/sudoers can execute commands with an effective user id of 0 and the group id of root's group
An admin alert will be sent if a user not listed in sudoers attempts to use sudo
Edit with visudo
Allows specified users to execute specified commands without needing to su (or login) as root
Sudo configuration
1. Define user groups in the user alias specification section
• User_Alias FT2114=rbradley,mdeegan
2. Define command groups in the command alias specification section
• Cmnd_Alias MIN=/etc/rc.d/init.d/httpd
• Cmnd_Alias SHELLS=/bin/sh,/bin/bash
3. Associate users with commands in the user privilege specification section
• FT2114 ALL=MIN
PAM Logs
PAM logs events in the authpriv (private authentication messages) facility of syslog
Normally only login events and error messages are produced, but the debug parameter for most PAM libraries can be used to produce a more detailed log.
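The authpriv messages are the raw material for the failed-login monitoring the password policy calls for. This added example (not from the lecture) counts pam_unix authentication failures per service, user and source host; the log lines are constructed samples in the standard pam_unix message format, and the threshold value is an arbitrary choice.

```python
# Added example (not from the lecture): counting pam_unix authentication
# failures per service, user and source host from authpriv log lines, the
# failed-login monitoring the password policy section asks for. The log lines
# are constructed samples in the standard pam_unix message format, not a real log.
import re
from collections import Counter

SAMPLE_LOG = """\
Dec 31 10:01:02 host sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=mdeegan
Dec 31 10:01:05 host sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=mdeegan
Dec 31 10:01:09 host sshd[2103]: pam_unix(sshd:session): session opened for user rbradley by (uid=0)
Dec 31 10:01:15 host login[2110]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=root
Dec 31 10:01:20 host sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=mdeegan
"""

# The service name comes from the pam_unix(<service>:auth) prefix; rhost is
# empty for console logins, hence \S* rather than \S+ before the user= field.
FAILURE_RE = re.compile(
    r"pam_unix\((?P<service>[^:]+):auth\): authentication failure;"
    r".*?rhost=(?P<rhost>\S*)\s+user=(?P<user>\S+)"
)

def count_failures(log_text):
    """Return a Counter keyed by (service, user, rhost) for each auth failure."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            hits[(m["service"], m["user"], m["rhost"] or "local")] += 1
    return hits

def over_threshold(hits, limit=3):
    """Keys whose failure count reached limit (the role pam_tally's counter plays)."""
    return sorted(key for key, n in hits.items() if n >= limit)

if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG)
    for key, n in failures.most_common():
        print(n, key)
    print("over threshold:", over_threshold(failures))
```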
Changes to PAM configuration are effective immediately, so you should test them before you log out.
You can use getent <database> <key> to get information from nsswitch-managed databases:
• getent passwd mdeegan
• getent hosts www.tcd.ie
• getent group ft228-3