Lecture – Authentication Services


Contents

Introduction to Authentication
Pluggable Authentication Modules (PAM)
Password Security
Flexible Root Privileges (sudo)
Network Authentication

Authentication: 4 steps

1. Proof of Identity (Authentication)
   Verifies the identity of the user, by using a shared secret (password) or a token (Kerberos ticket or RSA public key)

2. Grant of Access (Authorization)
   Once the identity is verified, the system still has to decide whether the user is allowed access, based on time of day, IP address, account status etc.

3. Update of Credentials
   If the credential is no longer valid (for example an expired password), the authentication process can ask the user for a new one

4. Session Initialisation
   At the end of authentication, the user's session is initialised. If this is not successful, the authentication can still be terminated. This stage can start the user's shell, set their environment, run captive programs etc.

Authentication Basics

This process used to be handled by the login application alone (and re-implemented by every other program that authenticated users), making customisation difficult or impossible

With PAM, the same four steps are available to any application through one standard library interface, and the administrator decides per application which checks are performed

PAM Service Profile

Type            Set of shared libraries (libpam.so plus one pam_*.so per module)
Packages        pam, util-linux, authconfig
Configuration   (applications) /etc/pam.d/*   (libraries) /etc/nsswitch.conf
Related         pam_smb, pam_krb5, nss_ldap

PAM Operation

The application calls libpam.so for authentication
Additional module libraries are called, based on the configuration of the system
The configuration decides how the individual modules' exit codes combine into an overall success or failure

PAM Configuration

An application <service> linked against libpam.so looks up /etc/pam.d/<service> for its configuration details, e.g. /etc/pam.d/login for the login process

If this file does not exist, PAM falls back to /etc/pam.d/other. For that reason /etc/pam.d/other should deny everything (pam_deny for all four module types), so that an application with a missing or mistyped config file cannot authenticate anyone by accident

Based on the file, additional libraries will be called together to determine the overall success or failure of the service access

How each individual library affects the overall result depends on the configuration

PAM Example

Each line of the config file has the following syntax:

  module-type  control-flag  module-path  arguments

  #%PAM-1.0
  auth      required  pam_securetty.so
  auth      required  pam_unix.so shadow nullok
  auth      required  pam_nologin.so
  account   required  pam_unix.so
  password  required  pam_cracklib.so retry=3
  password  required  pam_unix.so shadow nullok use_authtok
  session   required  pam_unix.so

PAM Configuration

Module-Type
  auth:      authentication
  account:   authorization, account management
  password:  update of credentials
  session:   modification of the user's environment (setup and teardown of the session)

PAM Configuration

Control-Flag
  required:   success is required. Failure will still call the remaining modules (so an attacker cannot tell which module rejected the attempt), but the overall result is already determined as failure
  requisite:  failure immediately terminates the authentication process and returns to the application; success continues with the next module
  sufficient: success ends the stack with an overall success, provided no earlier required module has failed; failure is ignored and the next module is consulted
  optional:   the result is ignored, unless it is the only module of that type in the stack

PAM Example: /etc/pam.d/login

  auth      requisite  pam_securetty.so
  auth      required   pam_unix.so nullok
  account   required   pam_unix.so
  password  required   pam_cracklib.so
  password  required   pam_unix.so shadow md5
  session   required   pam_unix.so
  session   required   pam_limits.so
  session   optional   pam_console.so
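To see how libpam actually combines the control flags, the following Python script is an added example written for these notes; it is not Linux-PAM code. It parses the /etc/pam.d/login stack above and evaluates constructed True/False module outcomes instead of doing real authentication. The second stack (SUFFICIENT_STACK) is an assumed configuration, added only to show what sufficient does before a pam_deny line and after a failed required line.

```python
# Added example, not Linux-PAM code: simulate how libpam combines module
# results under the four control flags.  Module outcomes are constructed
# True/False values; no real authentication happens.
from typing import Dict, List, NamedTuple, Tuple


class Rule(NamedTuple):
    mtype: str      # auth | account | password | session
    control: str    # required | requisite | sufficient | optional
    module: str     # e.g. pam_unix.so
    args: Tuple[str, ...]


def parse_pam_config(text: str) -> List[Rule]:
    """Parse 'module-type control-flag module-path [arguments]' lines;
    comments are skipped, [value=action] controls are not supported."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, control, module, *args = fields
        if control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(f"unsupported control flag: {control}")
        rules.append(Rule(mtype, control, module, tuple(args)))
    return rules


def run_stack(rules: List[Rule], mtype: str,
              outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate one management group (e.g. 'auth'). outcomes maps module
    name -> True (PAM_SUCCESS) / False; an unlisted module counts as
    failing, as Linux-PAM does when a module cannot be loaded.
    Returns (overall success, modules actually called)."""
    called: List[str] = []
    required_failed = False
    for rule in rules:
        if rule.mtype != mtype:
            continue
        called.append(rule.module)
        ok = outcomes.get(rule.module, False)
        if rule.control == "required":
            # remember the failure, but keep running the rest of the stack
            required_failed = required_failed or not ok
        elif rule.control == "requisite":
            if not ok:          # stop at once; later modules never run
                return False, called
        elif rule.control == "sufficient":
            if ok:              # stack ends here; an earlier required failure still wins
                return (not required_failed), called
            # a failing sufficient module is simply ignored
        # optional: result ignored (the only-module-in-stack case is not modelled)
    return (not required_failed), called


LOGIN_STACK = """\
# /etc/pam.d/login as shown in the lecture
auth      requisite  pam_securetty.so
auth      required   pam_unix.so nullok
account   required   pam_unix.so
password  required   pam_cracklib.so
password  required   pam_unix.so shadow md5
session   required   pam_unix.so
session   required   pam_limits.so
session   optional   pam_console.so
"""

# Assumed stack (not from the lecture) to show how 'sufficient' behaves
SUFFICIENT_STACK = """\
auth  required    pam_securetty.so
auth  sufficient  pam_unix.so
auth  required    pam_deny.so
"""


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    login = parse_pam_config(LOGIN_STACK)
    alt = parse_pam_config(SUFFICIENT_STACK)
    all_ok = {"pam_securetty.so": True, "pam_unix.so": True, "pam_deny.so": False}
    bad_tty = {**all_ok, "pam_securetty.so": False}
    bad_pw = {**all_ok, "pam_unix.so": False}
    session = {"pam_unix.so": True, "pam_limits.so": True, "pam_console.so": False}
    return {
        "login_bad_tty": run_stack(login, "auth", bad_tty),     # requisite stops early
        "login_ok": run_stack(login, "auth", all_ok),
        "login_bad_pw": run_stack(login, "auth", bad_pw),       # required: all modules run
        "login_session": run_stack(login, "session", session),  # optional failure harmless
        "suff_ok": run_stack(alt, "auth", all_ok),              # skips pam_deny
        "suff_bad_pw": run_stack(alt, "auth", bad_pw),          # falls through to pam_deny
        "suff_bad_tty": run_stack(alt, "auth", bad_tty),        # required failure wins
    }


if __name__ == "__main__":
    for name, (ok, called) in demo().items():
        print(f"{name:14s} {'PASS' if ok else 'FAIL'}  called={called}")
```

The "suff_bad_tty" case is the one worth remembering: a later sufficient success does not rescue an earlier required failure, so the order of required and sufficient lines decides what the stack means.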

Core PAM Modules

pam_unix: standard authentication
  Authenticates users with the standard UNIX getpwnam()/getspnam() library calls, which go through the Name Service Switch, so it can reach several directory services for network authentication

pam_env: sets environment variables
  Sets (or unsets) environment variables for the session, by default from /etc/security/pam_env.conf

pam_securetty: limits root logins to secure terminals
  Prevents root logins from an insecure terminal. The list of allowed terminals is kept in /etc/securetty

pam_stack: calls another PAM service
  The overall result of the called stack is used as pam_stack's exit code. This Red Hat-specific module has since been replaced by the include control (and substack) of Linux-PAM

pam_nologin: tests for /etc/nologin
  Prevents logins by non-root users if /etc/nologin exists. If possible, the content of this file is displayed to inform blocked users of the limitation

pam_deny: always returns a "failure" exit code
  Used to close a stack (e.g. as the last auth line after a sufficient module) and in /etc/pam.d/other

pam_console: sets privileges for users at the console
  Gives local users connected to the console extra permissions. They may be allowed to execute certain root-only commands like poweroff. Such users become temporary members of the "Console User Group"

Authentication Modules

Network Authentication
  Centralises the user database on one server, simplifying the management of large groups of users

  There are generic directory services like NIS or LDAP that maintain various administrative data (users, hosts, groups …)

  PAM supports network authentication with several modules

Network Authentication

pam_unix does not talk to NIS or LDAP itself: its getpwnam()/getspnam() calls go through the C library's generic "name service switch" (NSS)

The NSS decides which sources are used for each database from the /etc/nsswitch.conf file, e.g.

  passwd: files nis ldap

This will look up password data first in the local files, then in NIS and LDAP, in that order. The shadow: line needs the same sources, since pam_unix fetches the password hash from the shadow database
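The lookup order is easier to reason about with a model in front of you. The following script is an added example for these notes, not glibc code: it parses an nsswitch.conf and walks the sources in the configured order, with constructed in-memory tables standing in for the local files, NIS, LDAP and DNS. The hosts line uses the [NOTFOUND=return] action, which the slide does not show but which is standard nsswitch.conf syntax for stopping the search at a given source.

```python
# Added example, not glibc code: parse /etc/nsswitch.conf and walk the
# configured sources in order, the way NSS serves pam_unix's lookups.
# The sources here are constructed in-memory tables, not files/NIS/LDAP.
import re
from typing import Dict, List, Tuple

# Constructed config; the [NOTFOUND=return] action on the hosts line goes
# beyond the slide but is standard nsswitch.conf syntax.
NSSWITCH = """\
passwd: files nis ldap
shadow: files nis ldap
hosts:  files dns [NOTFOUND=return] nis
"""

# what NSS does after each source answers, unless overridden by [STATUS=action]
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

Source = Tuple[str, Dict[str, str]]   # (source name, status -> action)


def parse_nsswitch(text: str) -> Dict[str, List[Source]]:
    """database -> ordered list of sources with their status actions."""
    conf: Dict[str, List[Source]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed nsswitch line: {raw!r}")
        entries: List[Source] = []
        for tok in rest.split():
            m = re.fullmatch(r"\[(\w+)=(\w+)\]", tok)
            if m:                      # action applies to the preceding source
                if not entries:
                    raise ValueError(f"action before any source: {raw!r}")
                entries[-1][1][m.group(1).lower()] = m.group(2).lower()
            else:
                entries.append((tok, dict(DEFAULT_ACTIONS)))
        conf[db.strip()] = entries
    return conf


def lookup(conf, database, key, sources):
    """sources: source name -> table of entries, or None if that source is
    unreachable.  Returns (entry or None, sources consulted in order)."""
    consulted: List[str] = []
    for name, actions in conf.get(database, []):
        consulted.append(name)
        table = sources.get(name)
        if table is None:
            status = "unavail"
        elif key in table:
            status = "success"
        else:
            status = "notfound"
        if actions.get(status, "continue") == "return":
            return (table[key] if status == "success" else None), consulted
    return None, consulted


def demo():
    conf = parse_nsswitch(NSSWITCH)
    # constructed directory contents: a local account, a NIS account, an LDAP account
    up = {"files": {"root": "root:x:0:0:root:/root:/bin/bash"},
          "nis": {"mdeegan": "mdeegan:x:1001:1001::/home/mdeegan:/bin/bash"},
          "ldap": {"jdoe": "jdoe:x:2001:2001::/home/jdoe:/bin/sh"},
          "dns": {"www.example.org": "192.0.2.10"}}   # constructed address
    nis_down = {**up, "nis": None}
    return {
        "local": lookup(conf, "passwd", "root", up),        # answered by files
        "nis": lookup(conf, "passwd", "mdeegan", up),       # files miss, nis hit
        "unknown": lookup(conf, "passwd", "nobody42", up),  # every source tried
        "ldap_nis_down": lookup(conf, "passwd", "jdoe", nis_down),  # unavail -> continue
        "host_stop": lookup(conf, "hosts", "nosuch.example", up),   # NOTFOUND=return
        "no_db": lookup(conf, "group", "staff", up),        # database not configured
    }


if __name__ == "__main__":
    for name, (entry, consulted) in demo().items():
        print(f"{name:14s} {entry!r:48s} via {consulted}")
```

Two things the model makes visible: an unreachable NIS server is "unavail", which continues to LDAP by default, and a database with no nsswitch line consults nothing at all, which on a real system means the C library's compiled-in default applies.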

Network Authentication: SMB

PAM can authenticate against SMB (Samba or a Windows PDC)

Windows accounts carry no UNIX user IDs, so two approaches exist:
  pam_smb requires that local UNIX users are mapped against Windows users
  pam_winbind (with the winbind daemon) creates UIDs and GIDs as needed, so local UNIX accounts are not required

Other PAM Modules

pam_mkhomedir:  creates the home directory on first login
pam_time:       limits access based on time of day (/etc/security/time.conf)
pam_access:     location-based control by user, terminal and origin host (/etc/security/access.conf)
pam_tally:      counts failed login attempts and can lock the account after too many
pam_timestamp:  re-uses a recent successful authentication for a limited period instead of asking again
pam_chroot:     chroots specific users

Password Security

MD5-hashed passwords can be up to 256 characters long, whereas the traditional UNIX crypt method only uses the first 8 characters
Red Hat Linux uses MD5-hashed passwords. The algorithm is more complex than the traditional UNIX crypt method
Dictionary-based or brute-force password cracking takes a lot longer with MD5
(On current distributions MD5-crypt is itself considered weak and SHA-512-crypt, with many more rounds, is the default; the PAM options below work the same way)

Shadow passwords enhance password security
  Password hashes are moved from the world-readable /etc/passwd to /etc/shadow, so they cannot be read by ordinary users
  Password ageing and locking are supported

Password Aging

  chage -M 90 username

Implements password aging, with a 90-day expiration (-M sets the maximum number of days a password stays valid; the lower-case -m sets the minimum number of days between changes)

In a heterogeneous NIS system, it may be necessary to switch off these additional mechanisms, as not all UNIX flavours support MD5

Password Policy

Part of the security policy, it focuses on
  Password Aging
  Password Strength
  Failed Login Monitoring

If the password policy is too strict, users will start to write down passwords, or will simply rotate previous password strings

Example /etc/pam.d/system-auth:

  password required pam_cracklib.so minlen=20 ocredit=5 dcredit=5 ucredit=5 lcredit=5
  password required pam_unix.so md5 use_authtok shadow nis remember=5

minlen = the minimum "length" of the password, where the length is the number of characters plus the credits earned below
lcredit = the credit (up to this many) for lower case characters in the password
ucredit = the credit (up to this many) for upper case characters
dcredit = the credit (up to this many) for digits
ocredit = the credit (up to this many) for any other character
use_authtok = pam_unix takes the password already entered into, and checked by, pam_cracklib instead of prompting again

Note that with four classes worth 5 credits each, a 10-character password made of five lower case and five upper case letters already satisfies minlen=20. A negative credit (e.g. dcredit=-1) instead makes at least that many characters of the class mandatory without granting any length credit.
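Because the credit arithmetic is easy to get wrong when writing a policy, the following script is an added example for these notes (it is not pam_cracklib code) that re-implements the length and credit rule behind minlen, lcredit, ucredit, dcredit and ocredit and applies it to the system-auth policy above. STRICT_POLICY is an assumed second policy showing negative credits. Only this simple check is modelled; the dictionary, palindrome and similarity tests that pam_cracklib also runs are left out.

```python
# Added example, not pam_cracklib code: re-implements the length/credit
# rule behind minlen, lcredit, ucredit, dcredit and ocredit so the effect
# of the system-auth line above can be checked offline.  Only this
# "simple" check is modelled; dictionary, palindrome and similarity tests
# are not.
from typing import Dict, Tuple

# the policy from the lecture's system-auth example
SLIDE_POLICY = {"minlen": 20, "lcredit": 5, "ucredit": 5, "dcredit": 5, "ocredit": 5}
# assumed stricter policy: negative credits make a class mandatory
STRICT_POLICY = {"minlen": 12, "lcredit": 0, "ucredit": -1, "dcredit": -1, "ocredit": 0}


def count_classes(password: str) -> Dict[str, int]:
    counts = {"lcredit": 0, "ucredit": 0, "dcredit": 0, "ocredit": 0}
    for ch in password:
        if ch.isdigit():
            counts["dcredit"] += 1
        elif ch.isupper():
            counts["ucredit"] += 1
        elif ch.islower():
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def cracklib_simple_check(password: str, policy: Dict[str, int]) -> Tuple[bool, str]:
    """Return (accepted, reason).  For each class: credit >= 0 means each
    such character counts up to `credit` extra towards minlen; credit < 0
    means at least -credit characters of that class are mandatory and no
    length credit is given.  Unspecified credits default to 1 as in
    pam_cracklib."""
    needed = policy["minlen"]
    for cls, have in count_classes(password).items():
        credit = policy.get(cls, 1)
        if credit >= 0:
            needed -= min(have, credit)
        elif have < -credit:
            return False, f"needs at least {-credit} characters of class {cls}"
    if len(password) < needed:
        return False, f"length {len(password)} below effective minimum {needed}"
    return True, "ok"


def demo() -> Dict[str, bool]:
    cases = {
        # 10 characters, yet accepted under minlen=20: 5 lower + 5 upper credits
        "slide_10chars": ("aaaaaAAAAA", SLIDE_POLICY),
        # 12 lower case only: 5 credits, effective minimum 15 -> rejected
        "slide_12lower": ("correcthorse", SLIDE_POLICY),
        # 16 mixed characters: passes comfortably
        "slide_16mixed": ("Tr0ub4dor&3xyzQ!", SLIDE_POLICY),
        # strict policy: no digit and no upper case -> rejected regardless of length
        "strict_lower_only": ("aaaaaaaaaaaaaaaa", STRICT_POLICY),
        # strict policy: mandatory classes present, 12 real characters
        "strict_ok": ("aaaaaaaaaaA1", STRICT_POLICY),
        # strict policy: classes present but only 11 characters (no credits given)
        "strict_short": ("aaaaaaaaaA1", STRICT_POLICY),
    }
    return {name: cracklib_simple_check(pw, pol)[0] for name, (pw, pol) in cases.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:18s} {'accepted' if accepted else 'rejected'}")
```

The "slide_10chars" case is the point: generous positive credits lower the real minimum length rather than raise the bar, so a policy that wants both length and character mix should use a modest minlen plus negative credits for the mandatory classes.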

Password Histories

pam_unix can store old password hashes in /etc/security/opasswd if the remember=N parameter is used, and then refuses a new password that matches any of the last N

Resource Limits

pam_limits.so enforces resource limits like the ulimit command

Configured in /etc/security/limits.conf
Called by default in /etc/pam.d/system-auth
Limits can be set by user or by group (hard and soft limits)

User Access Control

pam_listfile.so allows or denies users based on a simple text file

Configuration example:

  account required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/validusers

This library controls access based on a simple text file that contains a list of users (one per line). onerr=fail means that a missing or unreadable list denies access rather than allowing it
It can also be used to restrict access based on the terminal (item=tty) or the remote host the connection comes from, e.g. via ssh (item=rhost)

Sudo

Users listed in /etc/sudoers can execute commands with
  an effective user id of 0
  the group id of root's group
An admin alert (mail) will be sent if a user not listed in sudoers attempts to use sudo

Edit the file with visudo, which locks it and checks the syntax before saving
Allows specified users to execute specified commands without needing to su (or log in) as root

Sudo configuration

1. Define user groups in the user alias specification section
     User_Alias FT2114 = rbradley, mdeegan

2. Define command groups in the command alias specification section
     Cmnd_Alias MIN = /etc/rc.d/init.d/httpd
     Cmnd_Alias SHELLS = /bin/sh, /bin/bash

3. Associate users with commands in the user privilege specification section
     FT2114 ALL = MIN

   i.e. members of FT2114 may run the httpd init script as root on ALL hosts. Granting an alias like SHELLS would hand out an unrestricted root shell, which is why such an alias is normally only used to exclude those commands (!SHELLS)
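To check what the three sections above actually grant, the following script is an added example for these notes (it is not sudo code): a minimal evaluator that parses the User_Alias, Cmnd_Alias and privilege lines and answers whether a given user may run a given command as root on a given host. The root line in the sample sudoers is an assumption added to show ALL; Runas specifications, tags, wildcards, negation (!) and argument matching are deliberately left out.

```python
# Added example, not sudo code: a minimal evaluator for the three sudoers
# sections in the steps above, answering "may this user run this command
# as root on this host?".  Only User_Alias, Cmnd_Alias and plain
# 'user host = commands' lines are understood; Runas specs, tags,
# wildcards, negation (!) and argument matching are left out.
import re
from typing import Dict, List, Tuple

SUDOERS = """\
# user alias specification (from the lecture)
User_Alias FT2114 = rbradley, mdeegan
# command alias specification (from the lecture)
Cmnd_Alias MIN = /etc/rc.d/init.d/httpd
Cmnd_Alias SHELLS = /bin/sh, /bin/bash
# user privilege specification (from the lecture, plus an assumed root line)
FT2114 ALL = MIN
root   ALL = ALL
"""

Spec = Tuple[Dict[str, List[str]], Dict[str, List[str]], List[Tuple[str, str, List[str]]]]


def parse_sudoers(text: str) -> Spec:
    user_aliases: Dict[str, List[str]] = {}
    cmnd_aliases: Dict[str, List[str]] = {}
    rules: List[Tuple[str, str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"(User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)", line)
        if m:
            target = user_aliases if m.group(1) == "User_Alias" else cmnd_aliases
            target[m.group(2)] = [x.strip() for x in m.group(3).split(",")]
            continue
        m = re.fullmatch(r"(\S+)\s+(\S+)\s*=\s*(.+)", line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        rules.append((m.group(1), m.group(2), [x.strip() for x in m.group(3).split(",")]))
    return user_aliases, cmnd_aliases, rules


def expand(name: str, aliases: Dict[str, List[str]]) -> List[str]:
    """Resolve an alias (aliases may nest) to its leaf entries."""
    if name in aliases:
        return [leaf for member in aliases[name] for leaf in expand(member, aliases)]
    return [name]


def may_run(spec: Spec, user: str, host: str, command: str) -> bool:
    """True if some privilege line lets `user` run `command` as root on `host`.
    Commands are compared by full path only (sudo would also match arguments)."""
    user_aliases, cmnd_aliases, rules = spec
    for who, hosts, cmds in rules:
        if who != "ALL" and user not in expand(who, user_aliases):
            continue
        if hosts != "ALL" and hosts != host:
            continue
        allowed = [leaf for c in cmds for leaf in expand(c, cmnd_aliases)]
        if "ALL" in allowed or command in allowed:
            return True
    return False


def demo() -> Dict[str, bool]:
    spec = parse_sudoers(SUDOERS)
    return {
        "member_httpd": may_run(spec, "rbradley", "web1", "/etc/rc.d/init.d/httpd"),
        "member_shell": may_run(spec, "mdeegan", "web1", "/bin/bash"),   # SHELLS never granted
        "outsider": may_run(spec, "jdoe", "web1", "/etc/rc.d/init.d/httpd"),
        "root_anything": may_run(spec, "root", "web1", "/bin/bash"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:14s} {'allowed' if allowed else 'denied'}")
```

Because the evaluator compares only the command path, it is optimistic about a line like the MIN alias: real sudo would also let the user pass any arguments to the httpd script, which is fine for an init script but not for commands that can open an editor or a shell.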

PAM Logs

PAM logs events to the authpriv (private authentication messages) facility of syslog
Normally only login events and error messages are produced, but the debug parameter accepted by most PAM modules can be used to produce a more detailed log

Changes to PAM configuration are effective immediately (the files are re-read on every authentication), so test them before you log out, ideally with a root shell kept open in another terminal in case the new stack locks everyone out

You can use getent <database> <key> to get information from nsswitch-managed databases, exactly as the C library (and therefore pam_unix) sees it:
  getent passwd mdeegan
  getent hosts www.tcd.ie
  getent group ft228-3