CIT 470: Advanced Network and System Administration
Slide 1: Accounts and Namespaces

Slide 2: Topics
1. Namespaces
2. Policies
   1. selection
   2. lifetime
   3. scope
   4. security
3. User Accounts
4. PAM
5. LDAP Authentication

Slide 3: Namespaces
A namespace consists of
– A set of unique keys
– A set of attributes associated with each key
Example
– Key = Username
– Attributes: GECOS, home directory, shell, password

Slide 4: Namespaces
Systems include many namespaces:
– User account names
– E-mail addresses
– Filesystem pathnames
– Hostnames
– IP addresses
– Printer names
– Service names

Slide 5: Types of Namespaces
Flat
– No duplicates may exist.
– Ex: usernames in /etc/passwd.
Hierarchical
– Tree-structured namespace like DNS.
– The same label can be reused under different parents; only the full path has to be unique.
– Ex: www.nku.edu and www.google.com

Slide 6: Namespace Problems
1. How to select names?
2. How to avoid name collisions?
3. How to ensure consistency?
4. How to distribute names?

Slide 7: Name Selection
Functional names
– mail hostname, /cit/470, student account
Descriptive names
– geographic, print type, customer type
Formula-based names
– cvg0141 hostname, student0148 account
Themed names
– constellations (orion, ursa, etc.)
No standard

Slide 8: Name Lifetime
When are names removed?
– Immediately after the PC or user leaves the organization.
– A set time after the resource is no longer in use.
When are names re-used?
– Immediately: functional names.
– Never.
– After a set time: usernames, e-mail addresses.

Slide 9: Namespace Scope
Geographical scopes
– Local machine (e.g., /etc/passwd).
– Local network.
– Organization.
– Global (e.g., DNS).
Service scopes
– Single username for UNIX, NT, RADIUS, e-mail, VPN?
Transferring scopes
– Difficult without advance planning.
– Some names may have to change.

Slide 10: Namespace Security
1. What are you trying to protect names from, and why?
2. Do the names need to be protected, or just the attributes?
3. Who can add, change, or delete records?
4. Can the owner of a record change fields within the record?

Slide 11: Example Namespace: Usernames
Selection policies
– Descriptive: waldenj, jwalden
– Descriptive + formulaic: waldenj1, jwalden0002
Scope
– Use for every campus (avoids collisions).
– Use for every service (avoids collisions).
Lifetime
– Do not reuse a username until 1 year has passed: e-mail addresses derive from usernames, so mail meant for the previous holder would otherwise reach the new one.

Slide 12: One Big Database
Centralize the namespace in one big database.
– Use SQL or LDAP to store the entire namespace.
Derive other namespaces from the database.
– Program to generate UNIX accounts.
– Program to generate NT accounts.
– etc.
Advantages
– Consistency.
– Ease of making changes, additions, deletions.

Slide 13: User Account Types
OS files
– UNIX /etc/{passwd,shadow}
– Windows SAM
Network service
– NIS
– LDAP
– Kerberos
– Active Directory
– RADIUS

Slide 14: UNIX Accounts
Account components
– Username
– UID
– Password
– Home directory
Account files
– /etc/passwd
– /etc/shadow
– /etc/group
Account management
– Adding users
– Removing and disabling users
– Account/password policies

Slide 15: /etc/{passwd,shadow}
Central file(s) describing UNIX user accounts.
/etc/passwd (world-readable; 7 colon-separated fields)
– Username
– Password field ("x" means the hash lives in /etc/shadow)
– UID
– Default GID
– GECOS
– Home directory
– Login shell
/etc/shadow (readable only by root; 9 colon-separated fields)
– Username
– Encrypted (hashed) password
– Date of last password change (days since 1970-01-01)
– Days until a change is allowed
– Days until a change is required
– Expiration warning time (days)
– Days of inactivity after password expiry before the account is disabled
– Account expiration date (days since 1970-01-01)
– Reserved
Example entries for one user (the shadow hash is MD5-crypt, marked by the $1$ prefix):
    student:x:1000:1000:Example User,,555-1212,:/home/student:/bin/bash
    student:$1$w/UuKtLF$otSSvXtSN/xJzUOGFElNz0:13226:0:99999:7:::

Slide 16: Username
Syntax
– Each username must be unique.
– Length limits (8 chars on old systems).
– The file format forbids only ":" and newline; useradd and most tools are stricter (letters, digits, "_" and "-").
Issues
– Naming standards.
– How to ensure that usernames are unique?
– The system uses UIDs internally; the name is only a label for the UID.

Slide 17: UIDs
UIDs are 32-bit non-negative integers.
Standards
– Root is UID 0. The kernel checks the UID, not the name, so any account with UID 0 is root.
– System accounts have low UIDs (below 500 on the Red Hat Enterprise Linux 5 systems these slides describe; below 1000 on most current distributions).
Uniqueness
– Multiple usernames can have the same UID! To the kernel they are one user with the same files and permissions.
– Re-using UIDs may give away files left behind by the previous owner to the new user.
– Distributed systems may require unique UIDs across organizational boundaries.

Slide 18: Password
Syntax
– Length: unlimited (MD5-crypt, SHA-crypt); 8 chars for traditional DES crypt, which silently ignores anything beyond the eighth character.
– Chars: anything except newline, though certain control characters may be interpreted by the terminal or system.
Stored in "encrypted" (really hashed) format.
– Hashed: traditional crypt (DES), MD5-crypt ($1$), SHA-256/SHA-512 crypt ($5$/$6$).
– Salted: traditional crypt uses a 12-bit salt, so each password has 4096 possible hashes; MD5-crypt and SHA-crypt use up to 8 and 16 salt characters respectively, so a precomputed table for one password is useless against another.

Slide 19: GID
GIDs are 32-bit non-negative integers.
Each user has a default GID.
– File group ownership is set to the default GID.
– Temporarily change the default GID: newgrp.
Groups are described in /etc/group.
– Users may belong to multiple groups.
– Format: group name, password, GID, user list.
– Example: wheel:x:10:root,waldenj,bergs

Slide 20: GECOS
Original use
– General Electric Comprehensive Operating System: early Bell Labs UNIX kept the identity data needed to submit jobs to GECOS machines in this field.
Current use
– User information, comma-separated as chfn and finger expect it.
– Full name, location, phone number, e-mail.

Slide 21: Home Directory
User's CWD at login time.
Typically where the user stores all files.

Slide 22: Login Shell
Process started when the user logs in.
Typically a shell like bash, tcsh, ksh, ...
– System users may be different.
– Disabled accounts get a no-login program such as /sbin/nologin or /bin/false.

Slide 23: Adding a User
1. Create the account with useradd.
2. Lock the account until the user arrives.
3. User signs the account agreement.
4. Set the password with passwd.

Slide 24: Adding a User
1. Edit /etc/{passwd,shadow} with vipw (it locks the files against concurrent edits).
2. Set the password with the passwd command.
3. Edit /etc/group to add groups.
4. Create the user home directory.
   1. mkdir /home/studenta
   2. chown studenta:student /home/studenta
   3. chmod 755 /home/studenta (750 or 700 if other users should not read it)
5. Copy default files from /etc/skel: .bashrc, .Xdefaults, .xsession, etc.
6. Set e-mail aliases, disk quotas, etc.
7. Verify that the account works.

Slide 25: Disabling an Account
Edit the account configuration:
– Place * or ! in front of the encrypted password (usermod -L prefixes "!").
– Replace the shell with a no-login program (usermod -s /sbin/nologin).
– Set an expiration date in the past (chage -E 1970-01-02 user); an expired account is refused at the PAM account stage before any session starts, which also covers SSH public-key logins.
– Note: usermod -L only locks the password. It does not change the shell, and a locked password alone does not stop a login with an SSH key in ~/.ssh/authorized_keys.
Kill active logins and processes.
– Note: usermod -L will not do this (pkill -u user).

Slide 26: Removing a User
1. Disable the account.
2. Change shared passwords (root, etc.).
3. Kill active logins and processes.
4. Remove from local databases/files.
5. Remove from e-mail aliases.
6. Remove the mail spool (backup first).
7. Remove crontabs and pending jobs (crontab -r -u user, at jobs).
8. Remove temporary files.
9. Remove the home directory (backup first).
10. Remove from passwd, shadow, and group.
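Slides 25 and 26 list what has to happen when an account goes out of service; the check below, added here as an example and not taken from the slides, verifies afterwards that nothing was skipped. Given a username and an optional staging root (the root argument and the fixed spool and key paths are this example's assumptions), it reads passwd and shadow and reports a shell that still logs in, an unlocked password, a missing or future expiration date, leftover authorized_keys, a leftover crontab and, on the live system, processes still running. The write_stage helper builds a constructed tree with placeholder hashes: alice only received usermod -L, bob was fully handled.

```shell
#!/bin/sh
# Added example (not from the slides): verify an account is really disabled.
# ROOT prefixes every path so a staged copy of a system can be checked.
# Prints what is still open; returns 0 if fully disabled, 1 otherwise.
check_disabled() {
    user=$1
    root=${2:-}
    open=0

    entry=$(awk -F: -v u="$user" '$1 == u' "$root/etc/passwd")
    if [ -z "$entry" ]; then echo "$user: no passwd entry"; return 1; fi
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)

    # 1. Shell: a no-login shell stops interactive use but not "ssh -N" forwarding.
    case $shell in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) ;;
        *) echo "$user: login shell is $shell (usermod -s /sbin/nologin)"; open=$((open + 1)) ;;
    esac

    # 2. Password: usermod -L prefixes the hash with "!"; "*" also locks it.
    #    An empty field is the worst case: no password needed at all.
    hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$root/etc/shadow")
    case $hash in
        "!"*|"*"*) ;;
        *) echo "$user: password not locked (usermod -L)"; open=$((open + 1)) ;;
    esac

    # 3. Expiry (shadow field 8, days since 1970-01-01) is enforced at the PAM
    #    account stage, so it blocks key-based SSH logins that a lock does not.
    expire=$(awk -F: -v u="$user" '$1 == u { print $8 }' "$root/etc/shadow")
    today=$(( $(date +%s) / 86400 ))
    if [ -z "$expire" ]; then
        echo "$user: no expiry date; a locked password alone does not stop key logins (chage -E 1970-01-02)"
        open=$((open + 1))
    elif [ "$expire" -eq 0 ] 2>/dev/null; then
        echo "$user: expiry field is 0, which shadow(5) calls ambiguous; use a later past date"
        open=$((open + 1))
    elif [ "$expire" -gt "$today" ] 2>/dev/null; then
        echo "$user: expiry day $expire is still in the future"
        open=$((open + 1))
    fi

    # 4. Leftover SSH keys and cron jobs keep working after a password lock.
    for f in "$root$home/.ssh/authorized_keys" "$root$home/.ssh/authorized_keys2" \
             "$root/var/spool/cron/$user" "$root/var/spool/cron/crontabs/$user"; do
        if [ -s "$f" ]; then
            echo "$user: $f still present"
            open=$((open + 1))
        fi
    done

    # 5. Live processes: only meaningful on the real system, not a staged tree.
    if [ -z "$root" ] && pgrep -u "$user" >/dev/null 2>&1; then
        echo "$user: still has running processes (pkill -u $user)"
        open=$((open + 1))
    fi

    [ "$open" -eq 0 ]
}

# Constructed staging tree: alice only got usermod -L, bob was fully disabled.
write_stage() {
    mkdir -p "$1/etc" "$1/home/alice/.ssh" "$1/home/bob" "$1/var/spool/cron"
    cat > "$1/etc/passwd" <<'EOF'
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/sbin/nologin
EOF
    cat > "$1/etc/shadow" <<'EOF'
alice:!$6$saltsalt$notarealhash:13226:0:99999:7:::
bob:!$6$saltsalt$notarealhash:13226:0:99999:7::1:
EOF
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal alice@laptop" > "$1/home/alice/.ssh/authorized_keys"
    echo "0 * * * * /home/alice/bin/sync.sh" > "$1/var/spool/cron/alice"
}

# Stand-alone run against the constructed tree.
stage=$(mktemp -d)
write_stage "$stage"
for u in alice bob; do
    if check_disabled "$u" "$stage"; then echo "$u: fully disabled"; fi
done
rm -rf "$stage"
```

On a live system run it as root with just the username; the four lines it prints for alice are exactly the gaps that usermod -L leaves open.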

Slide 27: nsswitch.conf
Name Service Switch configuration file.
    passwd:     files ldap
    shadow:     files ldap
    group:      files ldap
    hosts:      files dns
    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files
    rpc:        files
    services:   files
Use both files and ldap so that lookups fail over to the local files when LDAP is unavailable.
List files first so that root, a local account, can log in while LDAP is down without first waiting out the LDAP timeout.

Slide 28: Configuring LDAP Authentication
1. Configure the server with the People/Group schema.
2. Migrate user data to the LDAP directory.
3. Point clients to the hostname and base (search) DN of the server:
   /etc/ldap.conf (PAM LDAP)
   /etc/openldap/ldap.conf (LDAP)
4. Verify access to the server with ldapsearch.
5. Edit /etc/ldap.conf to set the DNs for nss_base_passwd, nss_base_shadow and nss_base_group.
6. Modify nsswitch.conf to add the ldap option to passwd, shadow and group.
7. Modify PAM system-auth to use LDAP.
authconfig automates the client-side steps.

Slide 29: LDAP ACLs
LDAP ACL format (slapd.conf):
    access to <what> by <who> <access-level> [by <who> <access-level> ...]
Example: allow users to change their own passwords.
    access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
Directives are evaluated in order: the first "access to" clause matching the entry and attribute is used, and within it the first matching "by" clause decides. Put this rule before any catch-all such as "access to * by * read", or the catch-all will expose password hashes.

Slide 30: Key Points
Namespace definition and policies
1. selection
2. lifetime
3. scope
4. security
UNIX accounts
– File formats: passwd, shadow, group
Authentication
– PAM: purpose, includes
– nsswitch.conf: purpose and failover


