Presentation is loading. Please wait.

Presentation is loading. Please wait.

SCSC 455 Computer Security Chapter 3 User Security.

Published byDana Iris Cummings Modified over 9 years ago

Similar presentations

Presentation on theme: "SCSC 455 Computer Security Chapter 3 User Security."— Presentation transcript:

1 SCSC 455 Computer Security Chapter 3 User Security

2 Index Password security Pluggable Authentication Modules (PAM) User security utilities sudo utility

3 Access computer system Users can access computer systems in two different ways: To use client software that connects to a server Q: What is client/server computing paradigm? Q: what is a server?  The user’s access is limited to the functions performed by the service running on the server To log in as a user on the system  The user must have a valid user account  The user must enter a password corresponding to a user ID Creating good passwords and keeping them secure is crucial

4 Creating good passwords What are the good practices of creating passwords? Must be long enough (the length >= 8 characters) Include at least one number or symbol (@#$%^&*) Could include two or three words separated by symbols or numbers Using words are foreign or altered so that they do not appear in a dictionary Using a series of numbers or a pattern of altered letters can make it easier to remember Examples …

5 Attack on Passwords Attackers utilize social engineering to gain access to your system  Q: What is social engineering?  Examples … Attackers can also resort to brute force attack  Q: what is brute force attack? all possible combinations are tried until one succeeds in guessing a password

6 How to protect passwords? Protect password from social engineering  Passwords must not be written down especially not anywhere near the computer to which they provide access  Passwords must be chosen carefully so they can be remembered without a written aid  Passwords should not include easily guessed words or numbers  Users should never tell anyone their password Q: How to protect password from brute force attack?

7 Linux Password files When a new user account is added to the system, a single line is added to file /etc/passwd Example … The actual encrypted password is stored in the file /etc/shadow  can only access by root  In Red Hat Linux, passwords are encrypted by MD5 by default Example … Q: why using two files for passwords?

8 Managing Linux Passwords Each user can change his/her password using the passwd utility e.g. $ passwd  When this command is entered, the user is prompted to enter their current password, then their new password two times  passwd utility performs a few basic checks on the entered password based on the configuration of Linux PAM modules. Root can change any user’s password e.g. # passwd bob Caution: should NOT edit /etc/passwd and /etc/shadow files directly in a text editor.

9 passwd command-line options

10 useradd command-line options for password control

11 Index Password security Pluggable Authentication Modules (PAM) User security utilities sudo utility

12 Pluggable Authentication Modules The Pluggable Authentication Module (PAM) was developed by Sun Microsystems  PAM is an architecture and set of libraries that let a programmer create a module to perform a specific security- related function  System administrators can select, configure, and then use one or more PAM modules to control the PAM aware Linux programs How to use PAM?  select the modules necessary to to control the activity of a program  list them in the program’s configuration file (The details of PAM are not required in this course.)

13 Index Password security Pluggable Authentication Modules (PAM) User security utilities sudo utility

14 Security utilities for users There are many security utilities that system administrators and users need to be aware of  Some of security utilities are PAM controlled  Others are separated packages that you have to install and configure before using Security utilities for users (next a few slides)  Utilities for console security  Utilities for login security  Utilities for file security  Utilities for monitoring user activities

15 Utilities for console security Screen locking programs disable keyboard input and hide the screen so that private information is not visible nor accessible vlock is used from a text console xlock is employed from a graphical interface Linux desktop (Gnome and KDE) also have their own screensaver

16 Utilities for login security /etc/securetty file  The root user can only log in from terminals that are listed in the file /etc/securetty  By default this file contains only the virtual consoles terminals. None of the network or other devices are listed  Root cannot login from network /etc/nologin file  If /etc/nologin exists, only root can log in The contents in this file are displayed for any user tries to log in  When this file is deleted, all users can log in again

17 SUID Set UID bit (SUID)  Executable files can have a special file permission set SUID causes files to take on the permissions of the user who owns the file rather than the user who executed the file  Root can set SUID for a file # chmod u+s Warning: Too many files with SUID is a great security risk  any user on the system could easily get root access.

18 Utilities for file security Linux file systems support a number of attributes that you can set on files  Notice that: these attributes are different from file access control attributes (r, w, x) Examples …

19 Utilities for monitoring user activities Linux includes a number of utilities for monitoring user activities  who – list all of the users who are currently logged in on the system. who am i (to see who you are logged in as)  w - list all of the users who are currently logged in with their username, terminal, the command that the user is currently running, CPU time … includes the remote location from which the users has logged in

20 Utilities for monitoring user activities  mesg – Enable or disable the ability of other users to send a message to your screen (by using utilities such as write, talk).  dmesg – print the contents of the kernel ring buffer to screen. kernel ring buffer is a memory area holds messages generated by the kernel. Using dmesg utility to monitor all hardware related messages

21 Utilities for monitoring user activities  last – display a history of user log-ins and log-outs, system reboot information Examples …

22 Index Password security Pluggable Authentication Modules (PAM) User security utilities sudo utility

23 Why do we need “sudo” utility? Ans: If a server needs to be administered by a number of people, it is normally not a good idea for them all to use the root account.  difficult to determine exactly who did what, when and where if everyone logs in with the same credentials.  The sudo utility was designed to overcome this difficulty.

24 Sudo Sudo lets you assign privileges to any user account to execute only specific programs.  The system administrators can complete common administration task without login as root or su to root Examples …  /etc/sudoers configuration file to determine which user can perform which task.

25 How does sudo utitlity work? The basic format of a configuration line in /etc/sudoers user host = command_list Example … Note that: to edit /etc/sudoers file, you must use the visudo program

26 The security concern of sudo utility Sudo utility can present security dangers if not properly configured  A user should have exactly as much as access as her job requires. “need to know” “least privilege”  A malicious user will try to use access to a single command to gain access to other commands. Example …

27 The security concern of sudo utility Many program support shelling out. Q: what is “shelling out” ? The sudo utility cannot control it once the power is handed out.  Conclusion: system administrator must hand out sudo power carefully.

Download ppt "SCSC 455 Computer Security Chapter 3 User Security."

Similar presentations

Linux Users and Groups Management

Linux Users and Groups Management
Linux+ Guide to Linux Certification, Second Edition

Linux+ Guide to Linux Certification, Second Edition
Chapter One The Essence of UNIX.

Chapter One The Essence of UNIX.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Linux+ Guide to Linux Certification, Second Edition Chapter 3 Linux Installation and Usage.

Linux+ Guide to Linux Certification, Second Edition Chapter 3 Linux Installation and Usage.
Chapter 2 Accessing Your System and the Common Desktop Environment.

Chapter 2 Accessing Your System and the Common Desktop Environment.
SUSE Linux Enterprise Server Administration (Course 3037) Chapter 2 Manage User Access and Security.

SUSE Linux Enterprise Server Administration (Course 3037) Chapter 2 Manage User Access and Security.
Guide To UNIX Using Linux Third Edition

Guide To UNIX Using Linux Third Edition
CCNA 2 v3.1 Module 2.

CCNA 2 v3.1 Module 2.
Linux+ Guide to Linux Certification, Second Edition

Linux+ Guide to Linux Certification, Second Edition
Getting Started with Linux: Novell’s Guide to CompTIA’s Linux+ (Course 3060) Section 2 Use the Linux Desktop.

Getting Started with Linux: Novell’s Guide to CompTIA’s Linux+ (Course 3060) Section 2 Use the Linux Desktop.
Objectives  Understand the purpose of the superuser account  Outline the key features of the Linux desktops  Navigate through the menus  Getting help.

Objectives  Understand the purpose of the superuser account  Outline the key features of the Linux desktops  Navigate through the menus  Getting help.
1. This presentation covers :  User Interface Administration  Files System and Services Management 2.

1. This presentation covers :  User Interface Administration  Files System and Services Management 2.
Linux+ Guide to Linux Certification Chapter Three Linux Installation and Usage.

Linux+ Guide to Linux Certification Chapter Three Linux Installation and Usage.
Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.

Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.
Guide to Linux Installation and Administration, 2e1 Chapter 3 Installing Linux.

Guide to Linux Installation and Administration, 2e1 Chapter 3 Installing Linux.
Introduction to Unix/Linux Chapter One The Essence of UNIX.

Introduction to Unix/Linux Chapter One The Essence of UNIX.
Guide to Operating System Security Chapter 4 Account-based Security.

Guide to Operating System Security Chapter 4 Account-based Security.
Guide to Linux Installation and Administration, 2e1 Chapter 8 Basic Administration Tasks.

Guide to Linux Installation and Administration, 2e1 Chapter 8 Basic Administration Tasks.
Unix System Administration Rootly Powers Chapter 3.

Unix System Administration Rootly Powers Chapter 3.

Similar presentations

Ads by Google