CIS 193A – Lesson2 Authorization & Authentication: Sudo and PAM


Quote of the Day

"In ubiquitous computing environments, the computer technology will recede into the background of our lives for its ultimate goal, invisibility."
    Taekyoung Kwon, Dept. of Computer Engineering, Sejong University, Seoul

Focus Question

What is the difference between authentication and authorization, and how do PAM and sudo relate to these two concepts?

The Sudo Facility

The sudo facility consists of:
  - the sudo command: /usr/bin/sudo
  - a configuration file: /etc/sudoers

The sudoers file specifies who is able to run what commands as what user on which hosts.

Sudoers Syntax

    who hosts = [ (as who) ] [ tags ] commands

    who      ::= username | %groupname
    hosts    ::= localhost | hostname | IP address
    as who   ::= username
    tags     ::= NOPASSWD | NOEXEC | NOSETENV
    commands ::= command [options] [args]

The keyword ALL represents any possible value:

    %wheel ALL = (ALL) ALL

Aliases may be used to represent any of the above as a list of values.

Sudo Examples

Allow user john to run all commands as root on the local machine:

    john localhost = (root) ALL

Allow the group admins to run the kill command as any member of the users group on any host:

    %admins ALL = (%users) /bin/kill
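
As an added example (not part of the original slides, and not sudo's own parser), the following Python script reads the slide's subset of the sudoers grammar and answers "may user U run command C as user R on host H?" for the two rules above, the %wheel line from the syntax slide, and one constructed NOPASSWD rule. The group database and the host names web1 and db1 are constructed stand-ins; real sudo additionally handles aliases, wildcards, ! negation and Defaults, so the authoritative checks on a real file remain visudo -c and sudo -l.

```python
"""Toy evaluator for the sudoers rule syntax shown on the slides.

Added teaching example, not sudo's own parser.  It models only the subset
on the slides: 'who hosts = [(as who)] [tags] commands', with 'who' or
'as who' given as a user name or %group, the ALL keyword, the tags
NOPASSWD / NOEXEC / NOSETENV, and comma-separated command lists.  Real
sudo also has aliases, wildcards, '!' negation and Defaults; always check
a real file with 'visudo -c' and 'sudo -l'.
"""
import re
from dataclasses import dataclass

TAGS = {"NOPASSWD", "NOEXEC", "NOSETENV"}

# Constructed stand-in for /etc/group: group name -> members.
GROUPS = {
    "wheel": {"alice"},
    "admins": {"bob"},
    "users": {"carol", "dave", "john"},
}

# Constructed sample sudoers text; the first three rules are the ones on the slides.
SAMPLE_SUDOERS = """
%wheel  ALL = (ALL) ALL
john    localhost = (root) ALL
%admins ALL = (%users) /bin/kill
carol   ALL = NOPASSWD: /usr/bin/systemctl restart nginx   # constructed extra rule
"""


@dataclass
class Rule:
    who: str
    hosts: str
    runas: str
    tags: set
    commands: list


# who  hosts  =  [(runas)]  rest-of-line
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]+)\)\s*)?(?P<rest>.+)$"
)


def parse_sudoers(text):
    """Parse the slide-subset grammar into Rule objects (comments stripped)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable sudoers line: {line!r}")
        runas = (m.group("runas") or "root").strip()   # no (as who) means root
        tokens = m.group("rest").split()
        tags = set()
        # Real sudo writes tags as 'NOPASSWD:'; the slide omits the colon, so accept both.
        while tokens and tokens[0].rstrip(":") in TAGS:
            tags.add(tokens.pop(0).rstrip(":"))
        commands = [c.strip() for c in " ".join(tokens).split(",") if c.strip()]
        rules.append(Rule(m.group("who"), m.group("hosts"), runas, tags, commands))
    return rules


def _matches_user(name, spec):
    """Does 'name' satisfy a user spec: ALL, %group, or a literal user name?"""
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return name in GROUPS.get(spec[1:], set())
    return name == spec


def _matches_command(requested, allowed):
    """ALL matches anything; a bare path allows any arguments; path+args must match exactly."""
    if allowed == "ALL":
        return True
    if " " in allowed:
        return requested == allowed
    return requested.split()[0] == allowed


def check(rules, user, host, runas, command):
    """Return (allowed, tags) using sudo's last-match-wins rule; (False, set()) if none match."""
    verdict = (False, set())
    for r in rules:
        if not _matches_user(user, r.who):
            continue
        if r.hosts not in ("ALL", host):      # host field is the machine's own name
            continue
        if not _matches_user(runas, r.runas):
            continue
        if any(_matches_command(command, c) for c in r.commands):
            verdict = (True, set(r.tags))
    return verdict


RULES = parse_sudoers(SAMPLE_SUDOERS)

if __name__ == "__main__":
    for q in [("alice", "web1", "root", "/bin/ls"),
              ("john", "web1", "root", "/bin/ls"),
              ("john", "localhost", "root", "/bin/ls"),
              ("bob", "web1", "carol", "/bin/kill 4242"),
              ("bob", "web1", "root", "/bin/kill 4242"),
              ("carol", "db1", "root", "/usr/bin/systemctl restart nginx"),
              ("carol", "db1", "root", "/usr/bin/systemctl stop nginx")]:
        print(q, "->", check(RULES, *q))
```

Two things the run makes visible. The host field is compared with the machine's own hostname, so the john rule as written only fires on a host literally named localhost, which is why ALL is what you normally write there. A command listed without arguments (/bin/kill) permits any arguments, while a command listed with arguments must be matched exactly, so listing the exact invocation is the way to limit what an operator can do. Note also that sudo authenticates the invoking user (on Linux, through PAM) before it consults these rules at all.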

Use of the sudo command

Run a command as another user:

    sudo -u user command
    Password:_          # you must supply your own password, not the targeted user's

Run a command as root:

    sudo command
    Password:           # your password, not root's

Note: when running successive sudo commands, you will be prompted for a password only on the first invocation.

PAM: Pluggable Authentication Modules

The PAM Facility

The PAM facility consists of:
  - the PAM libraries: /lib/security/pam_*.so
  - a configuration file: /etc/pam.conf
  - or a configuration directory: /etc/pam.d, with a configuration file for each service

Other configuration files associated with the libraries are found in /etc and /etc/security.

PAM File Syntax

    Type      Control     PAM Library        Parameters

Example configuration file: system-auth

    auth      required    pam_env.so
    auth      sufficient  pam_unix.so        nullok
    auth      requisite   pam_succeed_if.so  uid >= 500 quiet
    account   required    pam_unix.so        broken_shadow
    account   sufficient  pam_succeed_if.so  uid < 500 quiet
    password  requisite   pam_cracklib.so    try_first_pass retry=3
    password  sufficient  pam_unix.so        sha512 shadow nullok use_authtok
    session   optional    pam_keyinit.so     revoke
    session   required    pam_limits.so

PAM Module Types

  auth      authenticates a user and sets up user credentials
  password  used to set or update passwords
  account   checks for account privileges, such as expiration or time-of-day restrictions
  session   once a user is authenticated, controls the setup and teardown of the session

PAM Control Flags

  Required    The module check must be successful, but the remaining modules are run regardless.
  Requisite   The module check must be successful; if it isn't, the authentication fails immediately and no other modules are checked.
  Sufficient  If this module check is successful, and there are no Required flag failures, then authentication is granted immediately.
  Optional    Not used unless no other module has determined a success or failure.
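
To see how the four flags combine on a real stack, here is an added Python simulator (not Linux-PAM's code, and not from the slides) that parses pam.d-style lines and walks a stack with the rules above. It is run over the three auth lines of the system-auth example from the PAM File Syntax slide; pam_env.so, pam_unix.so, pam_succeed_if.so and pam_deny.so are replaced by assumed stand-ins driven by a constructed login context (the uid and whether the password verified).

```python
"""Simulator for the PAM control-flag rules on the slides.

Added teaching example, not Linux-PAM itself: it parses pam.d-style lines
('type control module args') and applies the four classic flags
(required, requisite, sufficient, optional) to a stack.  Module results
are faked by a small dispatch table so the stack logic can be run offline
against the 'auth' section of the slides' system-auth example.
"""
import operator

_OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le,
        "<": operator.lt, "=": operator.eq, "!=": operator.ne}


# Stand-in behaviour for a few real module names (assumed, heavily simplified).
# 'ctx' is a constructed login context such as {"uid": 1000, "password_ok": False}.
def _unix(ctx, args):            # pam_unix.so: did the password verify?
    return ctx["password_ok"]


def _succeed_if(ctx, args):      # pam_succeed_if.so: e.g. "uid >= 500 quiet"
    attr, op, value = args[:3]   # trailing options such as 'quiet' are ignored here
    return _OPS[op](ctx[attr], int(value))


MODULES = {
    "pam_env.so": lambda ctx, args: True,
    "pam_unix.so": _unix,
    "pam_succeed_if.so": _succeed_if,
    "pam_permit.so": lambda ctx, args: True,
    "pam_deny.so": lambda ctx, args: False,
}

# The 'auth' lines of the system-auth example on the slides.
SLIDE_AUTH = """
auth required   pam_env.so
auth sufficient pam_unix.so nullok
auth requisite  pam_succeed_if.so uid >= 500 quiet
"""

# The same stack with the trailing deny line that distribution system-auth files carry.
HARDENED_AUTH = SLIDE_AUTH + "auth required pam_deny.so\n"


def parse_pam(text):
    """Return {type: [(control, module, args), ...]} preserving line order."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, module, *args = line.split()
        stacks.setdefault(mtype, []).append((control.lower(), module, args))
    return stacks


def run_stack(stacks, mtype, ctx, trace=None):
    """Walk one stack with the slide's flag semantics; True means access granted."""
    required_failed = False
    saw_success = False           # a required/requisite module succeeded
    optional_result = None        # only consulted if nothing else decided
    for control, module, args in stacks.get(mtype, []):
        ok = MODULES[module](ctx, args)
        if trace is not None:
            trace.append((control, module, ok))
        if control == "required":
            if ok:
                saw_success = True
            else:
                required_failed = True    # final answer is failure, but keep running
        elif control == "requisite":
            if not ok:
                return False              # fail immediately, skip the rest
            saw_success = True
        elif control == "sufficient":
            if ok and not required_failed:
                return True               # grant now; later modules never run
            # a failing sufficient module is simply ignored
        elif control == "optional":
            optional_result = ok
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    if required_failed:
        return False
    if saw_success:
        return True
    if optional_result is not None:
        return optional_result
    return False                          # empty stack: deny


if __name__ == "__main__":
    for label, text in (("slide stack", SLIDE_AUTH), ("with pam_deny", HARDENED_AUTH)):
        stacks = parse_pam(text)
        for ctx in ({"uid": 1000, "password_ok": True},
                    {"uid": 1000, "password_ok": False},
                    {"uid": 0, "password_ok": False}):
            trace = []
            granted = run_stack(stacks, "auth", ctx, trace)
            print(f"{label}: {ctx} -> {'GRANT' if granted else 'DENY'} via {trace}")
```

Tracing the three cases shows the flags at work. A correct password stops the stack at the sufficient pam_unix.so line. A wrong password for uid 0 is rejected by the requisite pam_succeed_if.so line. A wrong password for uid 1000, however, passes that requisite check and reaches the end of the three lines with the only decisive result being the required pam_env.so success, so the simulator (and Linux-PAM, whose bookkeeping works the same way) returns success. That is why distribution system-auth files end the auth stack with a required pam_deny.so, which HARDENED_AUTH adds: with it the same case is denied, while the correct-password case is unaffected because sufficient returns before the deny line is reached.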

Common PAM Libraries

    pam_access.so     pam_ccreds.so     pam_chroot.so     pam_cracklib.so   pam_debug.so
    pam_deny.so       pam_echo.so       pam_env.so        pam_exec.so       pam_filter.so
    pam_ftp.so        pam_group.so      pam_issue.so      pam_keyinit.so    pam_krb5.so
    pam_lastlog.so    pam_ldap.so       pam_limits.so     pam_listfile.so   pam_localuser.so
    pam_loginuid.so   pam_mail.so       pam_mkhomedir.so  pam_motd.so       pam_namespace.so
    pam_nologin.so    pam_passwdqc.so   pam_permit.so     pam_postgresok.so pam_pwhistory.so
    pam_rhosts.so     pam_rootok.so     pam_rps.so        pam_securetty.so  pam_selinux.so
    pam_shells.so     pam_smb_auth.so   pam_smbpass.so    pam_stack.so      pam_succeed_if.so
    pam_time.so       pam_timestamp.so  pam_tty_audit.so  pam_umask.so      pam_unix.so
    pam_unix_acct.so  pam_unix_auth.so  pam_userdb.so     pam_warn.so       pam_wheel.so
    pam_xauth.so

Review

Focus Question

What is the difference between authentication and authorization, and how do PAM and sudo relate to these two concepts?

Authentication verifies that you are who you say you are. Once authentication is accomplished, authorization answers what you are allowed to do. PAM performs authentication; sudo handles authorization.

Multi-Factor Authentication

Single factor:
  - Based upon something you have

Two factor:
  - Based on something you have, and
  - Something you know

Three factor:
  - Based on something you have,
  - Something you know, and
  - Something you are