Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIT 470: Advanced Network and System Administration

Published byΛαύρα Τοκατλίδης Modified over 5 years ago

Similar presentations

Presentation on theme: "CIT 470: Advanced Network and System Administration"— Presentation transcript:

1 CIT 470: Advanced Network and System Administration
Accounts and Namespaces CIT 470: Advanced Network and System Administration

2 CIT 470: Advanced Network and System Administration
Topics Namespaces Policies selection lifetime scope security User Accounts PAM LDAP Authentication CIT 470: Advanced Network and System Administration

3 CIT 470: Advanced Network and System Administration
Namespaces A namespace consists of A set of unique keys A set of attributes associated with each key Example Key = Username Attributes GECOS Homedir Shell Password CIT 470: Advanced Network and System Administration

4 CIT 470: Advanced Network and System Administration
Namespaces Systems include many namespaces User account names. addresses. Filesystem pathnames. Hostnames. IP addresses. Printer names. Service names. CIT 470: Advanced Network and System Administration

5 CIT 470: Advanced Network and System Administration
Types of Namespaces Flat No duplicates may exist. Ex: usernames in /etc/passwd. Hierarchical Tree-structured namespace like DNS. Duplicates can exist. Ex: and CIT 470: Advanced Network and System Administration

6 CIT 470: Advanced Network and System Administration
Namespace Problems How to select names? How to avoid name collisions? How to ensure consistency? How to distribute names? CIT 470: Advanced Network and System Administration

7 CIT 470: Advanced Network and System Administration
Name Selection Functional Names mail hostname, /cit/470, student account Descriptive names geographic, print type, customer type Formula-based Names cvg0141 hostname, student0148 account Themed Names constellations (orion, ursa, etc.) No Standard CIT 470: Advanced Network and System Administration

8 CIT 470: Advanced Network and System Administration
Name Lifetime When are names removed? Immediately after PC, user leaves org. Set time after resource is no longer in use. When are names re-used? Immediately: functional names. Never. After a set time: usernames, addresses. CIT 470: Advanced Network and System Administration

9 CIT 470: Advanced Network and System Administration
Namespace Scope Geographical scopes Local machine. (e.g., /etc/passwd.) Local network. Organization. Global (e.g., DNS.) Service scopes Single username for UNIX, NT, RADIUS, , VPN? Transferring scopes Difficult without advance planning. Some names may have to change. CIT 470: Advanced Network and System Administration

10 CIT 470: Advanced Network and System Administration
Namespace Security What are you trying to protect names from and why? Do the names need to be protected or just the attributes? Who can add, change, or delete records? Can the owner of a record change fields within the record? CIT 470: Advanced Network and System Administration

11 Example Namespace: Usernames
Selection policies Descriptive: waldenj, jwalden Decriptive + formulaic: waldenj1, jwalden0002 Scope Use for every campus (avoids collisions.) Use for every service (avoids collisions.) Lifetime Do not reuse until 1 year has passed since addresses derive from usernames. CIT 470: Advanced Network and System Administration

12 CIT 470: Advanced Network and System Administration
One Big Database Centralize namespace in one big database. Use SQL or LDAP to store entire namespace. Derive other namespaces from database. Program to generate UNIX accounts. Program to generate NT accounts. etc. Advantages Consistency Ease of making changes, additions, deletions. CIT 470: Advanced Network and System Administration

13 CIT 470: Advanced Network and System Administration
User Account Types OS files UNIX /etc/{passwd,shadow} Windows SAM Network service NIS LDAP Kerberos Active Directory RADIUS CIT 470: Advanced Network and System Administration

14 CIT 470: Advanced Network and System Administration
UNIX Accounts Account Components Username UID Password Home directory Account Files /etc/passwd /etc/shadow /etc/group Account Management Adding users Removing and disabling users Account/password policies CIT 470: Advanced Network and System Administration

15 CIT 470: Advanced Network and System Administration
/etc/{passwd,shadow} Central file(s) describing UNIX user accounts. /etc/passwd Username UID Default GID GCOS Home directory Login shell /etc/shadow Username Encrypted password Date of last pw change. Days ‘til change allowed. Days `til change required. Expiration warning time. Expiration date. student:x:1000:1000:Example User,, ,:/home/student:/bin/bash student:$1$w/UuKtLF$otSSvXtSN/xJzUOGFElNz0:13226:0:99999:7::: CIT 470: Advanced Network and System Administration

16 CIT 470: Advanced Network and System Administration
Username Syntax Each username must be unique. Length limits (8 chars on old systems) Any character except : or \n. Issues Naming standards. How to ensure that usernames are unique? System uses UIDs internally. CIT 470: Advanced Network and System Administration

17 CIT 470: Advanced Network and System Administration
UIDs UIDs are 32-bit non-negative integers. Standards Root is UID 0. System accounts have low UIDs (<= 500) Uniqueness Multiple usernames can have same UID! Re-using UIDs may give away files to new user. Distributed systems may require unique UIDs across organizational boundaries. CIT 470: Advanced Network and System Administration

18 CIT 470: Advanced Network and System Administration
Password Syntax Length: unlimited(MD5,SHA1), 8 chars(crypt) Chars: anything except \n, though certain control chars may be interpreted by system. Stored in “encrypted” format. Hashed: crypt, MD5, SHA1 Salted: 12-bit salt means 4096 different hashes for each password CIT 470: Advanced Network and System Administration

19 CIT 470: Advanced Network and System Administration
GID GIDs are 32-bit non-negative integers. Each user has a default GID. File group ownership set to default GID. Temporarily change default GID: newgrp. Groups are described in /etc/group Users may belong to multiple groups. Format: group name, pw, GID, user list. wheel:x:10:root,waldenj,bergs CIT 470: Advanced Network and System Administration

20 CIT 470: Advanced Network and System Administration
GECOS Original use General Electric Comprehensive OS data Current use User information. Full name, location, phone number, . CIT 470: Advanced Network and System Administration

21 CIT 470: Advanced Network and System Administration
Home Directory User’s CWD at login time. Typically where user stores all files. CIT 470: Advanced Network and System Administration

22 CIT 470: Advanced Network and System Administration
Login Shell Process started when user logs in. Typically a shell like bash, tcsh, ksh, ... System users may be different. Disabled accounts have a noshell program. CIT 470: Advanced Network and System Administration

23 CIT 470: Advanced Network and System Administration
Adding a User Create account with useradd. Lock account until user arrives. User signs account agreement. Set passwd with passwd. CIT 470: Advanced Network and System Administration

24 CIT 470: Advanced Network and System Administration
Adding a User Edit /etc/{passwd,shadow} with vipw. Set passwd with passwd command. Edit /etc/group to add groups. Create user home directory. mkdir /home/studenta chown studenta.student /home/studenta chmod 755 /home/studenta Copy default files from /etc/skel .bashrc, .Xdefaults, .xsession, etc. Set aliases, disk quotas, etc. Verify that the account works. CIT 470: Advanced Network and System Administration

25 CIT 470: Advanced Network and System Administration
Disabling an Account Edit account configuration: Place * or ! in front of encrypted password. Replace shell with nologin program. Note: usermod -L will do this for you. Kill active logins and processes. Note: usermod -L will not do this. CIT 470: Advanced Network and System Administration

26 CIT 470: Advanced Network and System Administration
Removing a User Disable account. Change shared passwords (root, etc.) Kill active logins and processes. Remove from local databases/files. Remove from aliases. Remove mail spool (backup first.) Remove crontabs and pending jobs. Remove temporary files. Remove home directory (backup first.) Remove from passwd, shadow, and group. CIT 470: Advanced Network and System Administration

27 CIT 470: Advanced Network and System Administration
PAM Problem: Many programs require authentication. Ex: ftp, rlogin, ssh, etc. New auth schemes require rewrites. Ex: longer passwords, keys, one-time passwords Solution: Separate authentication from programs. Use Pluggable Authentication Modules. Programs choose PAMs to use at runtime by reading config files. CIT 470: Advanced Network and System Administration

28 CIT 470: Advanced Network and System Administration
PAM Configuration Configured under /etc/pam.d Each PAM-aware service has a file there. Format: <module interface> <control flag> <module name> <module arguments> Module interface: one of 4 module types. Control flag: how module will react to failure or success (multiple successes may be required.) Module name: PAM shared library. Module args: Files to use, other options. CIT 470: Advanced Network and System Administration

29 CIT 470: Advanced Network and System Administration
Module Interfaces auth — Authenticates use of service. For example, it may request and verify a password. account — Verifies that access is permitted, e.g. check for expired accounts or location/time. password — Sets and verifies passwords. session — Configures and manages user sessions, e.g. mounting user home directories or mailboxes. CIT 470: Advanced Network and System Administration

30 Module Stacking Example
rlogin PAM requirements The file /etc/nologin must not be present. Root may not login over network (securetty.) Environment variables may be loaded. ~/.rhosts entry allows login without password. Otherwise perform standard password login. PAM config file auth required pam_nologin.so auth required pam_securetty.so auth required pam_env.so auth sufficient pam_rhosts_auth.so auth required pam_stack.so service=system-auth CIT 470: Advanced Network and System Administration

31 CIT 470: Advanced Network and System Administration
Control Flags required — Module result must be successful for authentication to continue. User is not notified on failure until results on all modules referencing that interface are available. requisite — Module result must be successful for authentication to continue. User is notified immediately with a message reflecting the first failed required or requisite module. sufficient — Module result ignored if it fails. If a sufficient flagged module result is successful and no required flagged modules above it have failed, then no other results are required and the user is authenticated to the service. optional — Module result is ignored. Only necessary for successful authentication when no other modules reference the interface. CIT 470: Advanced Network and System Administration

32 CIT 470: Advanced Network and System Administration
PAM Files /etc/pam.d: PAM configuration files. /lib/libpam.so: Main PAM library. Reads configuration files. Loads other PAM modules. /lib/security: Pluggable modules. /usr/share/doc/*pam*: Documentation. See also CIT 470: Advanced Network and System Administration

33 CIT 470: Advanced Network and System Administration
PAM Includes PAM files can include other config files. #%PAM-1.0 # /etc/pam.d/sshd auth include system-auth account required pam_nologin.so account include system-auth password include system-auth session optional pam_keyinit.so session include system-auth session required pam_loginuid.so CIT 470: Advanced Network and System Administration

34 CIT 470: Advanced Network and System Administration
PAM system-auth Most PAM services include system-auth. #%PAM-1.0 auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so account required pam_unix.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password required pam_deny.so ... CIT 470: Advanced Network and System Administration

35 CIT 470: Advanced Network and System Administration
nsswitch.conf Name Service Switch configuration file. passwd: files ldap shadow: files ldap group: files ldap hosts: files dns ethers: files netmasks: files networks: files protocols: files rpc: files services: files Use both files and ldap to failover when LDAP unavailable. Configure files first to let root login when LDAP down without long timeout. CIT 470: Advanced Network and System Administration

36 Configuring LDAP Authentication
Configure server with People/Group schema. Migrate user data to LDAP directory. Point clients to hostname and rootDN of svr. /etc/ldap.conf (PAM LDAP) /etc/openldap/ldap.conf (LDAP) Verify access to server with ldapsearch. Edit /etc/ldap.conf to set DNs for nss_base_{passwd, shadow, and group} Modify nsswitch.conf to add ldap option: passwd, shadow, and group Modify PAM system-auth to use LDAP. authconfig CIT 470: Advanced Network and System Administration

37 CIT 470: Advanced Network and System Administration
LDAP ACLs LDAP ACL format: access to <RDN> by <self|anonymous|DN> <read|write|auth> ex: Allow users to change passwords access to attr=userPassword by self write by anonymous auth by * none CIT 470: Advanced Network and System Administration

38 CIT 470: Advanced Network and System Administration
Key Points Namespace definition and policies selection lifetime scope security UNIX Accounts File formats: passwd, shadow, group Authentication PAM: purpose, includes nsswitch.conf: purpose and failover CIT 470: Advanced Network and System Administration

39 CIT 470: Advanced Network and System Administration
References Brian Arkills, LDAP Directories Explained: An Introduction and Analysis, Addison-Wesley, 2003. Gerald Carter, LDAP System Administration, O’Reilly, 2003. Thomas Limoncelli, Christine Hogan, Strata Chalup, The Practice of System and Network Administration, 2nd ed, Limoncelli and Hogan, Addison-Wesley, 2007. Linux PAM, OpenLDAP, OpenLDAP Administrator’s Guide, RedHat, Red Hat Enterprise Linux 5 Deployment Guide, Sections 25.3, 43.4, CIT 470: Advanced Network and System Administration

Download ppt "CIT 470: Advanced Network and System Administration"

Similar presentations

Managing User, Computer and Group Accounts

Managing User, Computer and Group Accounts
CIS 193A – Lesson2CIS 193A - Lesson2 Authorization & Authentication Sudo and PAM.

CIS 193A – Lesson2CIS 193A - Lesson2 Authorization & Authentication Sudo and PAM.
Unit 5 – User Administration Randy Marchany VA Tech Computing Center.

Unit 5 – User Administration Randy Marchany VA Tech Computing Center.
6. Adding New Users Xiang Sha Cmsc 691x. 6.1 The /etc/passwd File The /etc/passwd File is a list of users recognized by the system. Login name Encrypted.

6. Adding New Users Xiang Sha Cmsc 691x. 6.1 The /etc/passwd File The /etc/passwd File is a list of users recognized by the system. Login name Encrypted.
Chapter One The Essence of UNIX.

Chapter One The Essence of UNIX.
User Account Management WeeSan Lee. Roadmap Add An Account Delete An Account /etc/{passwd,shadow} /etc/group How To Disable An Account? Root Account Q&A.

User Account Management WeeSan Lee. Roadmap Add An Account Delete An Account /etc/{passwd,shadow} /etc/group How To Disable An Account? Root Account Q&A.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Security SIG: Introduction to Tripwire Chris Harwood John Ives.

Security SIG: Introduction to Tripwire Chris Harwood John Ives.
SUSE Linux Enterprise Server Administration (Course 3037) Chapter 2 Manage User Access and Security.

SUSE Linux Enterprise Server Administration (Course 3037) Chapter 2 Manage User Access and Security.
Guide To UNIX Using Linux Third Edition

Guide To UNIX Using Linux Third Edition
Linux+ Guide to Linux Certification, Second Edition

Linux+ Guide to Linux Certification, Second Edition
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
CIT 470: Advanced Network and System Administration

CIT 470: Advanced Network and System Administration
Guide to Linux Installation and Administration, 2e1 Chapter 8 Basic Administration Tasks.

Guide to Linux Installation and Administration, 2e1 Chapter 8 Basic Administration Tasks.
Extending Active Directory Authentication and Account Management To Solaris 10 Systems A HOWTO guide for joining a Solaris 10 (8/07) host to a domain in.

Extending Active Directory Authentication and Account Management To Solaris 10 Systems A HOWTO guide for joining a Solaris 10 (8/07) host to a domain in.
Managing User Accounts. Module 2 – Creating and Managing Users ♦ Overview ► One should log into a Linux system with a valid user name and password granted.

Managing User Accounts. Module 2 – Creating and Managing Users ♦ Overview ► One should log into a Linux system with a valid user name and password granted.
Adding New Users User as an entity - username(UID), GID. UID - typically a number for system to identify the user. GID – a number that recognizes a set.

Adding New Users User as an entity - username(UID), GID. UID - typically a number for system to identify the user. GID – a number that recognizes a set.
IT2204: Systems Administration I 1 6b). Introduction to Linux.

IT2204: Systems Administration I 1 6b). Introduction to Linux.
Scis.regis.edu ● CS 468: Advanced UNIX Class 2 Dr. Jesús Borrego Regis University 1.

Scis.regis.edu ● CS 468: Advanced UNIX Class 2 Dr. Jesús Borrego Regis University 1.
Unix System Administration Chapter 6 Adding New Users.

Unix System Administration Chapter 6 Adding New Users.

Similar presentations

Ads by Google