cis 193a – lesson2cis 193a - lesson2 authorization & authentication sudo and pam
TRANSCRIPT
CIS 193A – Lesson2CIS 193A - Lesson2
Authorization & Authentication
Sudo and PAM
CIS 193A – Lesson2
Quote of the Day
In ubiquitous computing environments, the computer technology will recede into the background of our lives for its ultimate goal, invisibility.
Taekyoung KwonDept. of Computer Engineering Sejong University, Seoul
CIS 193A – Lesson2
Focus Question
What is the difference between authentication and authorization, and how do PAM and sudo relate to these two concepts?
CIS 193A – Lesson2
The Sudo Facility
The sudo facility consists of:• the sudo command: /usr/bin/sudo
• a configuration file: /etc/sudoers
The sudoers file specifies who is able to run what commands as what user on which hosts.
CIS 193A – Lesson2
Sudoers Syntaxwho hosts = [ (as who) ] [ tags ] commands• who::= username | %groupname• hosts::= localhost | hostname | IP address• as who::= username• tags::= NOPASSWD | NOEXEC | NOSETENV• Commands::= command [options] [args]
Keyword: ALL represents any possible value:%wheel ALL = (ALL) ALL
Aliases may be used to represent any of the above as a list of values
CIS 193A – Lesson2
Sudo Examples
• Allow user john to run all commands as root on the local machine.
john localhost = (root) ALL
• Allow the group admins to run the kill command as any member of the users group on any host.
%admins ALL = (%users) /bin/kill
CIS 193A – Lesson2
Use of the sudo command• Run a command as another user:
sudo –u user commandPassword:_ # must supply your password, # not the targeted user.
• Run a command as root:
sudo commandPassword: # your password, not root’s
Note: when running successive sudo commands, you will be prompted for a password only on the first invocation.
CIS 193A – Lesson2
PAMPluggable
Authentication
Modules
CIS 193A – Lesson2
The PAM Facility
The PAM facility consists of:• the PAM libraries: /lib/security/pam_*.so
• a configuration file: /etc/pam.conf or
a configuration directory: /etc/pam.dwith configuration files for each service
Other configuration files associated with the libraries occur in the /etc and /etc/security.
CIS 193A – Lesson2
PAM File Syntax
Type Control PAM Library Parameters
Example configuration file: system-auth
auth required pam_env.soauth sufficient pam_unix.so nullok auth requisite pam_succeed_if.so uid >= 500 quiet
account required pam_unix.so broken_shadowaccount sufficient pam_succeed_if.so uid < 500 quiet
password requisite pam_cracklib.so try_first_pass retry=3password sufficient pam_unix.so sha512 shadow nullok use_authtok
session optional pam_keyinit.so revokesession required pam_limits.so
CIS 193A – Lesson2
PAM Module Types
Auth authenticates a user and set up user credentials
Password used to define passwords
Account checks for account privileges, such as expiration or time-of-day restrictions.
Session once a user is authenticated,this controls the setup and break down of the session.
CIS 193A – Lesson2
PAM Control Flags
Required The module check must be successful, but continue on with other modules regardless.
Requisite The module check must be successful, if it isn’t, the authentication fails immediately and no other modules are checked.
Sufficient If this module check is successful, and there are no Required flag failures, then authentication is granted immediately.
Optional Not used unless no other module has determined a success or failure.
CIS 193A – Lesson2
Common PAM Libraries pam_access.so pam_keyinit.so pam_permit.so
pam_ccreds.so pam_krb5.so pam_chroot.so pam_postgresok.so pam_time.so pam_pwhistory.so pam_timestamp.so pam_cracklib.so pam_lastlog.so pam_tty_audit.so pam_debug.so pam_ldap.so pam_rhosts.so pam_umask.so pam_deny.so pam_limits.so pam_rootok.so pam_unix_acct.so pam_echo.so pam_listfile.so pam_rps.so pam_unix_auth.so pam_env.so pam_localuser.so pam_securetty.so pam_exec.so pam_loginuid.so pam_selinux.so pam_mail.so pam_shells.so pam_unix.so pam_mkhomedir.so pam_smb_auth.so pam_userdb.so pam_filter.so pam_motd.so pam_smbpass.so pam_warn.so pam_ftp.so pam_namespace.so pam_stack.so pam_wheel.so pam_group.so pam_nologin.so pam_issue.so pam_passwdqc.so pam_succeed_if.so pam_xauth.so
CIS 193A – Lesson2
Review
CIS 193A – Lesson2
Focus Question
What is the difference between authentication and authorization, and how do PAM and sudo relate to these two concepts?
Authentication verifies that you are who you say you are. Once authentication is accomplished, authorization answers what you are allowed to do. PAM performs authentication, sudo handles authorization.
CIS 193A – Lesson2
Multi-Factor Authentication
• Single factor:– Based upon something you have
• Two factor:– Based on something you have and– Something you know
• Three factor:– Based on something you have,– Something you know, and– Something you are