CIS 193A – Lesson 2: Authorization & Authentication, Sudo and PAM
Quote of the Day
In ubiquitous computing environments, the computer technology will recede into the background of our lives for its ultimate goal, invisibility.
Taekyoung Kwon, Dept. of Computer Engineering, Sejong University, Seoul
Focus Question
What is the difference between authentication and authorization, and how do PAM and sudo relate to these two concepts?
The Sudo Facility
The sudo facility consists of:
• the sudo command: /usr/bin/sudo
• a configuration file: /etc/sudoers
The sudoers file specifies who is able to run what commands as what user on which hosts.
Sudoers Syntax
who hosts = [ (as who) ] [ tags ] commands
• who ::= username | %groupname
• hosts ::= localhost | hostname | IP address
• as who ::= username
• tags ::= NOPASSWD | NOEXEC | NOSETENV
• commands ::= command [options] [args]
Keyword: ALL represents any possible value:
%wheel ALL = (ALL) ALL
Aliases may be used to represent any of the above as a list of values.
Sudo Examples
• Allow user john to run all commands as root on the local machine.
john localhost = (root) ALL
• Allow the group admins to run the kill command as any member of the users group on any host.
%admins ALL = (%users) /bin/kill
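The sudoers grammar from the previous slide and the two rules above, worked as an added evaluator that is not part of the lesson: it parses rules in that syntax and answers who may run which command as whom on which host, including the ALL keyword, %group specs and the NOPASSWD tag. The rule lines, the extra carol rule and the group membership table are constructed samples; defaulting the target user to root when (as who) is omitted matches sudo's behaviour.

```python
import re
# Constructed sudoers rules written in the slide's syntax (not a real /etc/sudoers).
SUDOERS = """
john    localhost = (root)   ALL
%admins ALL       = (%users) /bin/kill
%wheel  ALL       = (ALL)    ALL
carol   ALL       = (root)   NOPASSWD: /usr/bin/systemctl
"""
# Constructed group membership standing in for /etc/group.
GROUPS = {"admins": {"alice"}, "users": {"bob", "carol"}, "wheel": {"root"}}
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<aswho>[^)]*)\))?"
    r"\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Turn 'who hosts = (as who) [tags] commands' lines into rule dicts."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        rules.append({
            "who": m["who"],
            "hosts": m["hosts"],
            "aswho": (m["aswho"] or "root").strip(),   # sudo defaults the target user to root
            "tags": {t.strip() for t in m["tags"].split(":") if t.strip()},
            "cmds": [c.strip() for c in m["cmds"].split(",")],
        })
    return rules

def _matches(spec, name, groups):
    """ALL matches anyone, %group matches its members, otherwise an exact user name."""
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return name in groups.get(spec[1:], set())
    return spec == name

def may_run(rules, user, host, target, command, groups=GROUPS):
    """(allowed, password_required) for user running command as target on host."""
    for r in rules:
        if (_matches(r["who"], user, groups) and r["hosts"] in ("ALL", host)
                and _matches(r["aswho"], target, groups)
                and ("ALL" in r["cmds"] or command in r["cmds"])):
            return True, "NOPASSWD" not in r["tags"]
    return False, True   # no rule matched: sudo refuses the command
```

The first matching rule decides, which is why the john rule grants on localhost only while the %wheel rule grants root everything everywhere.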
Use of the sudo command
• Run a command as another user:
sudo -u user command
Password: _    # must supply your password, not the targeted user's
• Run a command as root:
sudo command
Password:      # your password, not root's
Note: when running successive sudo commands, you will be prompted for a password only on the first invocation.
PAM: Pluggable Authentication Modules
The PAM Facility
The PAM facility consists of:
• the PAM libraries: /lib/security/pam_*.so
• a configuration file: /etc/pam.conf, or
• a configuration directory: /etc/pam.d, with a configuration file for each service
Other configuration files used by the libraries are found in /etc and /etc/security.
PAM File Syntax
Fields: Type  Control  PAM Library  Parameters
Example configuration file: system-auth
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok
auth     requisite  pam_succeed_if.so uid >= 500 quiet
account  required   pam_unix.so broken_shadow
account  sufficient pam_succeed_if.so uid < 500 quiet
password requisite  pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok use_authtok
session  optional   pam_keyinit.so revoke
session  required   pam_limits.so
PAM Module Types
Auth: authenticates a user and sets up the user's credentials.
Password: used to set or change passwords.
Account: checks account restrictions, such as expiration or time-of-day limits.
Session: once a user is authenticated, controls the setup and tear-down of the session.
PAM Control Flags
Required: the module check must succeed, but the remaining modules are still checked regardless of the result.
Requisite: the module check must succeed; if it does not, authentication fails immediately and no other modules are checked.
Sufficient: if this module check succeeds and no Required module has failed, authentication is granted immediately.
Optional: not used unless no other module has determined success or failure.
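The control-flag rules above, applied to the auth stack of the system-auth file from the PAM File Syntax slide, as an added simulation that is not part of the lesson: it parses pam.d-style lines and walks one stack type with a constructed map of module outcomes instead of calling real modules. The trailing pam_deny.so line is an assumption about the stock RHEL-family system-auth, which the slide's excerpt omits; the simulation shows why that catch-all matters, because without it a failed pam_unix.so check is simply ignored and the stack still grants.

```python
# Constructed from the slide's system-auth "auth" stack; not a file read from any host.
SLIDE_AUTH = """
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok
auth     requisite  pam_succeed_if.so uid >= 500 quiet
"""
# Assumption: the stock RHEL-family system-auth closes the stack with pam_deny.so.
HARDENED_AUTH = SLIDE_AUTH + "auth     required   pam_deny.so\n"

def parse_pam(text):
    """Return [(type, control, module, params)] from pam.d-style lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            mtype, control, module, *params = line.split()
            entries.append((mtype, control.lower(), module, params))
    return entries

def run_stack(entries, mtype, results):
    """Walk one stack type with the four control flags; results maps module -> True/False."""
    required_failed = False
    decided = False            # a required/requisite module recorded a result
    optional_result = None
    for t, control, module, _ in entries:
        if t != mtype:
            continue
        ok = results.get(module, False)   # unknown module counts as a failure
        if control == "required":
            decided = True
            required_failed |= not ok     # remember the failure, keep going
        elif control == "requisite":
            decided = True
            if not ok:
                return False              # fail at once, skip the rest of the stack
        elif control == "sufficient":
            if ok and not required_failed:
                return True               # grant at once; a failure here is ignored
        elif control == "optional":
            if optional_result is None:
                optional_result = ok      # only counts when nothing else decides
        else:
            raise ValueError(f"unknown control flag {control!r}")
    if required_failed:
        return False
    return True if decided else bool(optional_result)

def auth_outcome(config, password_ok, uid):
    # Constructed outcomes: pam_env always succeeds, pam_succeed_if tests uid >= 500.
    results = {"pam_env.so": True, "pam_unix.so": password_ok, "pam_succeed_if.so": uid >= 500}
    return run_stack(parse_pam(config), "auth", results)
```

For a normal user (uid 1000) with a wrong password, SLIDE_AUTH grants and HARDENED_AUTH denies; with the right password both grant at the sufficient pam_unix.so line before pam_deny.so is reached.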
Common PAM Libraries
pam_access.so, pam_ccreds.so, pam_chroot.so, pam_cracklib.so, pam_debug.so, pam_deny.so, pam_echo.so, pam_env.so, pam_exec.so, pam_filter.so, pam_ftp.so, pam_group.so, pam_issue.so, pam_keyinit.so, pam_krb5.so, pam_lastlog.so, pam_ldap.so, pam_limits.so, pam_listfile.so, pam_localuser.so, pam_loginuid.so, pam_mail.so, pam_mkhomedir.so, pam_motd.so, pam_namespace.so, pam_nologin.so, pam_passwdqc.so, pam_permit.so, pam_postgresok.so, pam_pwhistory.so, pam_rhosts.so, pam_rootok.so, pam_rps.so, pam_securetty.so, pam_selinux.so, pam_shells.so, pam_smb_auth.so, pam_smbpass.so, pam_stack.so, pam_succeed_if.so, pam_time.so, pam_timestamp.so, pam_tty_audit.so, pam_umask.so, pam_unix.so, pam_unix_acct.so, pam_unix_auth.so, pam_userdb.so, pam_warn.so, pam_wheel.so, pam_xauth.so
Review
Focus Question
What is the difference between authentication and authorization, and how do PAM and sudo relate to these two concepts?
Authentication verifies that you are who you say you are. Once authentication is accomplished, authorization answers what you are allowed to do. PAM performs authentication; sudo handles authorization.
Multi-Factor Authentication
• Single factor: based upon something you have
• Two factor: based on something you have, and something you know
• Three factor: based on something you have, something you know, and something you are