Kenneth Geisshirt
TRANSCRIPT
![Page 1: Kenneth Geisshirt](https://reader030.vdocuments.site/reader030/viewer/2022021118/577ce4591a28abf1038e26b6/html5/thumbnails/1.jpg)
7/30/2019 Kenneth Geisshirt
http://slidepdf.com/reader/full/kenneth-geisshirt 1/22
LinuxForum 2007
Pluggable Authentication Modules
Authentication in the UNIX world
Kenneth Geisshirt
http://kenneth.geisshirt.dk/
Agenda
● The auth problem
● Introduction to PAM
● Examples
● Testing PAM configuration
● Where to find more information
The auth problem
● The classic UNIX user databases are /etc/passwd and /etc/group
● Services like IMAP, POP3, and FTP may each keep their own set of users
● Adding web applications increases the number of auth databases further
PAM is the solution: one framework, configured by the administrator, through which every service authenticates
Introduction to PAM
● PAM is a framework for authentication
● Implemented by many operating systems
  – Solaris (2.6 and later)
  – GNU/Linux (most distributions)
  – FreeBSD and NetBSD
  – Mac OS X
  – AIX (5.1 as add-on, native in 5.2 and later)
  – HP-UX v11 (add-on)
Introduction to PAM
● Benefits for system administrators
  – reuse user databases across services
  – change authentication mechanisms without recompiling applications or rebooting
● Benefits for application developers
  – use a stable API for authentication
  – leave the choice of mechanism and its configuration to system administrators
Directories and files
● /etc/pam.conf – the original, single main configuration file
● /etc/pam.d/ – the newer style: one configuration file per service; when this directory exists, /etc/pam.conf is ignored
● /lib/security/ – the PAM modules (shared objects, pam_*.so); 64-bit distributions use /lib64/security/ or a multiarch path such as /lib/x86_64-linux-gnu/security/
● /etc/security/ – extra configuration files for individual modules (e.g. pam_mount.conf, limits.conf)
Key concepts
● service name – login, gdm, ...
● management group – auth, session, password, account
● control flags – requisite, required, sufficient, optional
● modules – pam_unix, pam_mount, pam_winbind, ...
Services
● Applications register as services
● The service name is often hard coded in the source code
● The configuration file is /etc/pam.d/<service>. The fragment below starts a PAM transaction for a service called "vault", so its stack is read from /etc/pam.d/vault. The slide shows only the opening lines of the program; the headers, the conversation callback and the declaration of retval were missing and are filled in here so that the fragment compiles (pam_authenticate(), pam_acct_mgmt() and pam_end() would follow):

```c
#include <unistd.h>
#include <security/pam_appl.h>
#include <security/pam_misc.h>   /* misc_conv(): text-mode conversation function shipped with Linux-PAM */

int main(int argc, char *argv[]) {
    pam_handle_t *pamh = NULL;                    /** PAM data structure **/
    struct pam_conv conv = { misc_conv, NULL };   /** conversation callback used for prompting **/
    const char *user = getlogin();                /** may be NULL; PAM will then ask for the name **/
    int retval;
    /** Creating and initializing a PAM session **/
    retval = pam_start("vault", user, &conv, &pamh);
```
Stacking
● Modules can be stacked
● They are "called" in the order in which they appear in the configuration file
● Control flags are used for flow control

```
auth required pam_unix.so nullok_secure
auth optional pam_mount.so use_first_pass
```
Management groups
● auth validates the user (typically a password check) and can grant credentials such as group membership
● session creates and destroys the working environment (mounting home directories, logging, resource limits)
● account controls access to the service once the user is authenticated (account expiry, time-of-day restrictions, etc.)
● password controls how authentication tokens (passwords) are changed
Control flags
● Control flags are a kind of flow construction
  – requisite: failure ⇒ the stack terminates immediately and returns not-OK
  – required: failure ⇒ the remaining modules still run (so an attacker cannot tell which module rejected the attempt), but the stack returns not-OK
  – sufficient: success ⇒ the stack terminates immediately and returns OK, unless an earlier required module has already failed
  – optional: has no influence on flow or return code, unless it is the only module in the stack for that management group
Common options
● debug: write log messages via syslog (typically to /var/log/auth.log or /var/log/secure, depending on the distribution)
● try_first_pass: reuse the password already entered for an earlier module in the stack; prompt for a new one if none is available or it is incorrect
● use_first_pass: reuse the password already entered; never prompt, so the module fails if no password is available
Example 1
● Encrypted home directory
  – laptops often hold sensitive data
  – requires an empty partition
● # apt-get install libpam-mount cryptsetup openssl
● # cryptsetup -c aes -h ripemd160 -s 256 -y create kneth /dev/sda2
● Use your password as the encryption key
This is plain dm-crypt: the RIPEMD-160 hash of the passphrase is used directly as the 256-bit AES key and there is no on-disk header, so a wrong passphrase is not detected by cryptsetup itself; the volume simply fails to mount. Current cryptsetup releases recommend LUKS (luksFormat/luksOpen) instead, which adds key slots, salting and key verification.
Example 1
● Add the following line to /etc/security/pam_mount.conf (fields: user, fs type, server, volume, mount point, mount options, fs key cipher, fs key path; the volume must be the same device that was given to cryptsetup, note that the slides use /dev/sda2 above and /dev/hda6 here; newer pam_mount releases use /etc/security/pam_mount.conf.xml instead):

```
volume kneth crypt - /dev/hda6 /home/kneth cipher=aes - -
```

● /etc/pam.d/{login,gdm} becomes:

```
auth    required pam_unix.so  nullok_secure
auth    optional pam_mount.so use_first_pass
session required pam_unix.so
session optional pam_mount.so use_first_pass
```

pam_mount is optional so that a failed mount does not lock the user out; use_first_pass hands the login password on as the volume key, which also means that the login password and the volume passphrase have to be changed together.
Example 2
● Remote authentication using Microsoft Active Directory
● Samba's winbind is one solution
Example 2
● Modify /etc/samba/smb.conf
● Modify /etc/krb5.conf
● Modify /etc/nsswitch.conf
● Join the directory/domain:

```
kinit Administrator
```
Example 2
● Finally, PAM (pam_unix2 is the SUSE variant of pam_unix):

```
auth    sufficient pam_winbind.so
auth    required   pam_unix2.so use_first_pass
session sufficient pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required   pam_unix2.so
```

With winbind listed as sufficient, a domain user is accepted without pam_unix2 ever being consulted, while a local user falls through to pam_unix2 with the same password. Note that the session entry for pam_mkhomedir is also sufficient: whenever it succeeds, the session stack ends there and pam_unix2's session handling is skipped for that login; required or optional is the usual choice for pam_mkhomedir.
Testing
● Always use a test computer
● or use a virtual machine
● Leave a back door open: log in (e.g. a root shell on another terminal) before changing the configuration and never log out until the new stack has been verified, because a broken stack can lock everyone out
Test examples
● Construct test examples as for ordinary software:
  – input and expected output
  – run all tests after any change
  – test all combinations in the stacks
Example

```
auth required pam_unix.so nullok_secure
auth optional pam_mount.so use_first_pass
```

• Valid account, correct password, encrypted home directory
• Valid account, correct password, no encrypted home directory
• Valid account, incorrect password, encrypted home directory
• Valid account, incorrect password, no encrypted home directory
• Invalid account
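The following is an added example, not code from the talk or from Linux-PAM. It ties together the Stacking and Control flags slides, the two stacks from Example 1 and Example 2, and the test matrix above: a small parser for /etc/pam.d-style lines plus an evaluator that walks one management group the way libpam's dispatcher treats the four classic control flags (a required or requisite failure is sticky; sufficient ends the stack only when nothing required has failed yet; optional counts only when it stands alone). It deliberately does not model the bracketed [value=action] syntax, include/substack, or the PAM_IGNORE return. Module results are constructed and supplied by the caller, so the code runs offline without libpam or a user database; the two configuration strings are copies of the slides' stacks, and the scenario names are assumptions.

```python
"""Simulator of Linux-PAM control-flag semantics (added example, not Linux-PAM code)."""
from typing import Dict, List, NamedTuple, Tuple


class Entry(NamedTuple):
    group: str              # auth | account | password | session
    control: str            # requisite | required | sufficient | optional
    module: str             # e.g. pam_unix.so
    args: Tuple[str, ...]   # module options, e.g. ('use_first_pass',)


def parse_pamd(text: str) -> List[Entry]:
    """Parse pam.d lines of the form '<group> <control> <module> [args...]'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        group, control, module, *args = line.split()
        if control not in ("requisite", "required", "sufficient", "optional"):
            raise ValueError(f"unsupported control flag: {control}")
        entries.append(Entry(group, control, module, tuple(args)))
    return entries


def run_stack(entries: List[Entry], group: str,
              results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate one management group; returns (stack succeeded, modules called).

    results maps a module name to the result it would return in the scenario
    under test (constructed input). A required/requisite failure is sticky:
    later successes, even of a sufficient module, cannot turn the verdict to OK.
    """
    impression = None        # None = undecided, True = positive, False = negative
    called: List[str] = []
    for e in entries:
        if e.group != group:
            continue
        called.append(e.module)
        if results[e.module]:
            if impression is not False:
                impression = True
                if e.control == "sufficient":   # success ends the stack here
                    break
        else:
            if e.control == "requisite":        # failure ends the stack here
                return False, called
            if e.control == "required":         # keep going, but the verdict is fixed
                impression = False
            # a failing sufficient or optional module is simply ignored
    return impression is True, called


# Constructed copies of the two stacks from the slides.
ENCRYPTED_HOME = """
auth    required pam_unix.so  nullok_secure
auth    optional pam_mount.so use_first_pass
"""

AD_LOGIN = """
auth    sufficient pam_winbind.so
auth    required   pam_unix2.so use_first_pass
session sufficient pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required   pam_unix2.so
"""


def test_matrix() -> Dict[str, Tuple[bool, List[str]]]:
    """The five cases from the 'Example' slide, run against the Example 1 stack."""
    stack = parse_pamd(ENCRYPTED_HOME)
    cases = {   # (pam_unix result, pam_mount result) assumed for each scenario
        "valid, correct password, encrypted home":    (True, True),
        "valid, correct password, no encrypted home": (True, False),
        "valid, wrong password, encrypted home":      (False, False),
        "valid, wrong password, no encrypted home":   (False, False),
        "invalid account":                            (False, False),
    }
    return {name: run_stack(stack, "auth", {"pam_unix.so": u, "pam_mount.so": m})
            for name, (u, m) in cases.items()}


def ad_scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    """Example 2: 'sufficient' short-circuits both the auth and the session stack."""
    stack = parse_pamd(AD_LOGIN)
    return {
        "domain user":  run_stack(stack, "auth", {"pam_winbind.so": True, "pam_unix2.so": False}),
        "local user":   run_stack(stack, "auth", {"pam_winbind.so": False, "pam_unix2.so": True}),
        "unknown user": run_stack(stack, "auth", {"pam_winbind.so": False, "pam_unix2.so": False}),
        # pam_mkhomedir succeeds, so pam_unix2's session handling never runs
        "session":      run_stack(stack, "session", {"pam_mkhomedir.so": True, "pam_unix2.so": True}),
    }


if __name__ == "__main__":
    for name, verdict in {**test_matrix(), **ad_scenarios()}.items():
        print(f"{name:45} -> {verdict}")
```

Run it as a script to print the verdict and the list of modules actually consulted for each scenario; the second element is what pamtester cannot show you directly, and it is where ordering mistakes (a sufficient entry placed before the module that was meant to be mandatory) become visible.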
Automatic tests

```tcl
#!/usr/bin/expect -f
send_user "Valid user, valid password\n"
set timeout 60                  ;# give pamtester time to talk to slow back ends (winbind, LDAP)
spawn pamtester httpd kneth authenticate
expect "assword: "
send "Only2day\r"
expect eof                      ;# wait for pamtester to finish (a bare "expect" returned at once)
catch wait result               ;# list: pid, spawn id, status flag, exit status
exit [lindex $result 3]         ;# propagate pamtester's exit code as the test result
```
More information
● Pluggable Authentication Modules: The Definitive Guide to PAM for Linux SysAdmins and C Developers. Kenneth Geisshirt. Packt Publishing, January 2007.
● Linux-PAM:
● Solaris PAM: http://www.sun.com/software/solaris/pa
● Pamtester: http://pamtester.sourceforge.net/