First update since the year 2000.

Various language fixes and some docbook tag cleanups.
fl0 2004-03-25 08:53:41 +00:00
parent 32b2a8633c
commit 99432ff5bf
1 changed files with 57 additions and 54 deletions


@ -1,5 +1,5 @@
<!doctype article public "-//OASIS//DTD DocBook V3.1//EN"
[ <!entity header system "header.sgml">
[ <!entity header system "header.sgml">
]>
<article>
@ -19,14 +19,14 @@
</para>
</abstract>
<keywordset>
<keyword>User Authentication</keyword>
<keyword>user</keyword>
<keyword>password</keyword>
<keyword>PAM</keyword>
<keyword>NIS</keyword>
<keyword>/etc/passwd</keyword>
<keyword>/etc/shadow</keyword>
<keyword>/etc/group</keyword>
<keyword>User Authentication</keyword>
<keyword>user</keyword>
<keyword>password</keyword>
<keyword>PAM</keyword>
<keyword>NIS</keyword>
<keyword>/etc/passwd</keyword>
<keyword>/etc/shadow</keyword>
<keyword>/etc/group</keyword>
<keyword>/etc/gshadow</keyword>
</keywordset>
</artheader>
@ -47,7 +47,7 @@
New versions
</title>
<para>
When I get my domain up running properly, you'll be able to find the newest version of this document there. Until then, http://www.linuxdoc.org/ will have to suffice.
Unitl I get my domain up and running properly, the newest version of this document will be available from http://www.linuxdoc.org/.
</para>
</sect2>
<sect2>
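Review bot: the rewritten "New versions" sentence introduces a new typo, "Unitl" for "Until"; the rest of the rewrite reads better than the old line, so only the first word needs fixing: `Until I get my domain up and running properly, the newest version of this document will be available from http://www.linuxdoc.org/.`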
@ -55,7 +55,7 @@
Feedback
</title>
<para>
Comments, corrections, suggestions, flames, and flying saucer sightings can be sent to petehern@yahoo.com.
Comments, corrections, suggestions, flames, and flying saucer sightings can be sent to petehern@yahoo.com.
</para>
</sect2>
<sect2>
@ -74,6 +74,9 @@
<para>
v0.7 (May 15, 2000) revised; ready for release.
</para>
<para>
v0.8 (February 20, 2003) revised: language changes, various small fixes (provided by Floris Lambrechts).
</para>
</sect2>
<sect2>
<title>
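Review bot: the new changelog entry is dated February 20, 2003, while this commit is dated 2004-03-25 (see the commit header); if the v0.8 entry is meant to describe the changes in this commit, the date should agree with it, and any version or date recorded in the `<artheader>` should be bumped to v0.8 as well so that the header and the changelog do not disagree.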
@ -83,27 +86,27 @@
(c) 2000 Peter Hernberg
</para>
<para>
This manual may be reproduced in whole or in part, without fee, subject to the following restrictions:
This manual may be reproduced in whole or in part, without fee, subject to the following restrictions:
</para>
<itemizedlist>
<listitem>
<para>
The copyright notice above and this permission notice must be preserved complete on all complete or partial copies
The copyright notice above and this permission notice must be preserved complete on all complete or partial copies
</para>
</listitem>
<listitem>
<para>
Any translation or derived work must be approved by the author in writing before distribution.
Any translation or derived work must be approved by the author in writing before distribution.
</para>
</listitem>
<listitem>
<para>
If you distribute this work in part, instructions for obtaining the complete version of this manual must be included, and a means for obtaining a complete version provided.
If you distribute this work in part, instructions for obtaining the complete version of this manual must be included, and a means for obtaining a complete version provided.
</para>
</listitem>
<listitem>
<para>
Small portions may be reproduced as illustrations for reviews or quotes in other works without this permission notice if proper citation is given. Exceptions to these rules may be granted for academic purposes: Write to the author and ask. These restrictions are here to protect us as authors, not to restrict you as learners and educators. Any source code (aside from the SGML this document was written in) in this document is placed under the GNU General Public License, available via anonymous FTP from the GNU archive.
Small portions may be reproduced as illustrations for reviews or quotes in other works without this permission notice if proper citation is given. Exceptions to these rules may be granted for academic purposes: Write to the author and ask. These restrictions are here to protect us as authors, not to restrict you as learners and educators. Any source code (aside from the SGML this document was written in) in this document is placed under the GNU General Public License, available via anonymous FTP from the GNU archive.
</para>
</listitem>
</itemizedlist>
@ -152,7 +155,7 @@
pete:x:1000:1000:Peter Hernberg,,,1-800-FOOBAR:/home/pete:/bin/bash
</programlisting>
<para>
Where did the encrypted password go? Before I tell you where it went, a bit explanation is required.
Where did the encrypted password go? Before I tell you where it went, a bit explanation is required.
</para>
<para>
The <filename>/etc/passwd</filename> file, which contains information about all users, including their encrypted password, is readable by all users, making it possible for any user to get the encrypted password of everyone on the system. Though the passwords are encrypted, password-cracking programs are widely available. To combat this growing security threat, shadow passwords were developed.
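Review bot: "Before I tell you where it went, a bit explanation is required." is passed through unchanged but is still ungrammatical; since this commit is a language pass, "a bit of explanation is required" belongs in it.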
@ -162,7 +165,7 @@
</para>
<programlisting>
pete:/3GJllg1o4152:11009:0:99999:7:::
</programlisting>
</programlisting>
</sect2>
<sect2>
<title>
@ -183,7 +186,7 @@
MD5 encrypted passwords
</title>
<para>
Traditionally, unix passwords were encrypted with the standard crypt() function. (For more information on the crypt() function, see the crypt(3) manpage.) As computers grew faster, passwords encrypted with this function became easier to crack. As the internet emerged, tools for distributed the task of password-cracking across multiple hosts became available. Many newer distributions ship with the option of encrypting passwords with the stronger MD5 hash algorithm. (For more information on the MD5 hash algorithm, consult RFC 1321.) While MD5 passwords will not eliminate the threat of password cracking, they will make cracking your passwords much more difficult.
Traditionally, unix passwords were encrypted with the standard crypt() function. (For more information on the crypt() function, see the crypt(3) manpage.) As computers grew faster, passwords encrypted with this function became easier to crack. As the internet emerged, tools for distributing the task of password-cracking across multiple hosts became available. Many 'newer' distributions ship with the option of encrypting passwords with the stronger MD5 hash algorithm. (For more information on the MD5 hash algorithm, consult RFC 1321.) While MD5 passwords will not eliminate the threat of password cracking, they will make cracking your passwords much more difficult.
</para>
</sect2>
<sect2>
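Review bot: the paragraph alternates between "encrypted" and "hash" for the same operation ("encrypting passwords with the stronger MD5 hash algorithm"); crypt(3) and MD5 both produce one-way hashes, not reversible ciphertext, so "hashed" / "hashing" is the accurate term, and using it consistently avoids implying that the stored value can be decrypted. The quotation marks added around 'newer' also look stray; either drop them or say what they are meant to qualify.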
@ -200,7 +203,7 @@
PAM (Pluggable Authentication Modules)
</title>
<para>
Pluggable authentication modules are at the core of user authentication in any modern linux distribution.
Pluggable authentication modules are at the core of user authentication in any modern linux distribution.
</para>
<sect2>
<title>
@ -256,7 +259,7 @@
Installing PAM
</title>
<para>
Installing PAM from scratch is long process, beyond the scope of this HOWTO. If PAM isn't installed on your system, you're probably running such an old version of your distribution that there are many other reasons to upgrade. If you really want to do it yourself, then you're certainly not the sort of person who needs any help from me. For all these reasons, I'm going to assume that you already have PAM installed.
Installing PAM from scratch is long process, beyond the scope of this HOWTO. If PAM isn't installed on your system, you're probably running such an old version of your distribution that there are many other reasons to upgrade. If you really want to do it yourself, then you're certainly not the sort of person who needs any help from me. For all these reasons, I'm going to assume that you already have PAM installed.
</sect2
<sect2>
<title>
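Review bot: `</sect2` at the end of this hunk is missing its closing `>`, and the `<para>` opened before "Installing PAM from scratch..." is never closed before it; both survive a commit described as a docbook tag cleanup and will fail SGML validation. The sentence also wants an article ("is a long process"). Suggested ending of the section: `...I'm going to assume that you already have PAM installed.` followed by `</para>` and `</sect2>`.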
@ -270,7 +273,7 @@
PAM configuration files
</title>
<para>
PAM configuration files are stored in the <filename class="directory">/etc/pam.d/</filename> directory. (If you don't have <filename class="directory">/etc/pam.d/</filename> directory, don't worry, I'll cover that in the next section) Let's go over there and take look.
PAM configuration files are stored in the <filename class="directory">/etc/pam.d/</filename> directory. (If you don't have <filename class="directory">/etc/pam.d/</filename> directory, don't worry, I'll cover that in the next section) Let's go over there and take a look.
</para>
<programlisting>
<prompt>~$ </prompt><userinput>cd /etc/pam.d</userinput>
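Review bot: "If you don't have <filename class="directory">/etc/pam.d/</filename> directory" is still missing an article in the new line ("an /etc/pam.d/ directory"), and the parenthetical ends without punctuation before "Let's"; both are worth fixing while this sentence is being touched.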
@ -279,7 +282,7 @@
<prompt>/etc/pam.d/$ </prompt>
</programlisting>
<para>
Your system may have a few more or a few less files in this directory, depending on what's installed on your system. Whatever the details, you probably saw a file for each of the programs on your system that authenticate users. As you probably already guessed, each file contains the PAM authentication configuration for the program it's named after (except for the <filename>other</filename> file, which we'll talk about in a little bit). Let's take a look the PAM configuration file for passwd (I've condensed the file for the sake of simplicity):
Your system may have a few more or a few less files in this directory, depending on what's installed on your system. Whatever the details, you probably saw a file for each of the programs on your system that authenticate users. As you probably already guessed, each file contains the PAM authentication configuration for the program it's named after (except for the <filename>other</filename> file, which we'll talk about in a little bit). Let's take a look the PAM configuration file for login (I've condensed the file for the sake of simplicity):
</para>
<programlisting>
<prompt>/etc/pam.d/$ </prompt><userinput>cat login</userinput>
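Review bot: changing "passwd" to "login" is correct, since the listing that follows is `cat login` and the later text refers to "the configuration file for login"; the same sentence still reads "Let's take a look the PAM configuration file", which needs "at".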
@ -287,14 +290,14 @@
auth requisite pam_securetty.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_unix.so nulok
auth required pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so
session optional pam_lastlog.so
password required pam_unix.so nullok obscure min=4 max=8
</programlisting>
<para>
Before dig into this file, I must mention a little something.
Before I dig into this file, I must mention a little something.
</para>
</sect3>
<sect3>
@ -302,7 +305,7 @@
A little something
</title>
<para>
A small percentage are probably thinking, "Oh no! I don't have a /etc/pam.d directory! Your list of distributions says that my distribution includes PAM, but I can't find that directory. Without PAM, my life is empty and meaningless! What can I do?" Don't worry, all is not lost. If you know that your distribution includes PAM, but you have no <filename class="directory">/etc/pam.d/</filename> directory, then your PAM configuration is stored in <filename>/etc/pam.conf</filename>. Rather than being spread across several files, all your PAM configuration is stored in a single file. This adds a little twist to PAM configuration, but the proper adjustments are pointed out in section 3.3.4.
A small percentage of the readers are probably thinking, "Oh no! I don't have a /etc/pam.d directory! Your list of distributions says that my distribution includes PAM, but I can't find that directory. Without PAM, my life is empty and meaningless! What can I do?" Don't worry, all is not lost. If you know that your distribution includes PAM, but you have no <filename class="directory">/etc/pam.d/</filename> directory, then your PAM configuration is stored in <filename>/etc/pam.conf</filename>. Rather than being spread across several files, all your PAM configuration is stored in a single file. This adds a little twist to PAM configuration, but the proper adjustments are pointed out in section 3.3.4.
</para>
</sect3>
<sect3>
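Review bot: "the proper adjustments are pointed out in section 3.3.4" hard-codes a section number in DocBook source, which goes stale as soon as sections are added or moved; an `<xref linkend="...">` to the pam.conf section (giving that `<sect3>` an `id`) would keep the reference correct automatically. The "of the readers" wording fix itself is fine.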
@ -325,7 +328,7 @@
The type token tells PAM what type of authentication is to be used for this module. Modules of the same type can be "stacked", requiring a user to meet multiple requirements to be authenticated. PAM recognizes four types:
</para>
<variablelist>
<varlistentry><term>account<term>
<varlistentry><term>account</term>
<listitem><para>
Determines whether the user is allowed to access the service, whether their passwords has expired, etc.
</para></listitem>
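Review bot: the `<term>` close tag fix is correct; the description under it, "whether their passwords has expired", still has a number mismatch and should read "whether their password has expired".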
@ -356,12 +359,12 @@
The control token tells PAM what should be done in if authentication by this module fails. PAM recognizes four control types:
</para>
<variablelist>
<varlistentry><term>requisite<term>
<varlistentry><term>requisite</term>
<listitem><para>
Failure to authenticate via this module results in immediate denial of authentication.
</para>
</varlistentry>
<varlistentry><term>required<term>
<varlistentry><term>required</term>
<listitem><para>
Failure also results in denial of authentication, although PAM will still call all the other modules listed for this service before denying authentication.
</para></listitem>
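Review bot: the `requisite` entry still has no `</listitem>` before its `</varlistentry>` (compare the `required` entry below it, which ends with `</para></listitem>`); this hunk fixes the `<term>` tags but leaves that element unbalanced. The introductory sentence "what should be done in if authentication by this module fails" also has a stray "in".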
@ -378,18 +381,18 @@
</varlistentry>
</variablelist>
<para>
In the configuration file for login, we see nearly all of the different control types. Most of the required modules are pam_unix.so (the main authentication module), the single requisite module is pam_securetty.so (checks make sure the user is logging in on a secure console), and the only optional module is pam_lastlogin.so (the module that retrieves information on the user's most recent login).
In the configuration file for login, we see nearly all of the different control types. Most of the required modules <filename>are pam_unix.so</filename> (the main authentication module), the single requisite module is <filename>pam_securetty.so</filename> (which makes sure the user is logging in on a secure console), and the only optional module is <filename>pam_lastlog.so</filename> (the module that retrieves information on the user's most recent login).
</para>
</listitem>
</varlistentry>
<varlistentry><term><token>module-path</token></term>
<listitem><para>
The module-path tells PAM which module to use and (optionally) where to find it. Most configurations only contain the module's name, as is the case in our login configuration file. When this is the case, PAM looks for the modules in the default PAM module directory, normally <filename class="directory">/usr/lib/security</filename>. However, if your linux distribution conforms to the Linux Filesystem standard, PAM modules can be found in <filename class="directory">/lib/security</filename>.
The module-path tells PAM which module to use and (optionally) where to find it. Most configurations only contain the module's name, as is the case in our login configuration file. When this is the case, PAM looks for the modules in the default PAM module directory, normally <filename class="directory">/usr/lib/security</filename>. However, if your linux distribution conforms to the Filesystem Hierarchy Standard (FHS), PAM modules can be found in <filename class="directory">/lib/security</filename>.
</para></listitem>
</varlistentry>
<varlistentry><term><token>module-arguments</token></term>
<listitem><para>
The module-arguments are arguments to be passed to the module. Each module has its own arguments. For example, in our login configuration, the "nulok" ("null ok", argument being passed to pam_unix.so module, indicating the a blank ("null") password is acceptable ("ok").
The module-arguments are arguments to be passed to the module. Each module has its own arguments. For example, in our login configuration, the "nulok" ("null ok", argument being passed to pam_unix.so module, indicating the a blank ("null") password is acceptable ("ok").
</para></listitem>
</varlistentry>
</variablelist>
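Review bot: in the rewritten "In the configuration file for login" sentence the `<filename>` element wraps the verb together with the module name (`<filename>are pam_unix.so</filename>`); it should be `Most of the required modules are <filename>pam_unix.so</filename>`. The pam_lastlogin to pam_lastlog correction is right and now matches the listing. The module-arguments paragraph, however, is passed through unchanged with "nulok" even though the listing earlier in this commit was corrected to "nullok", and it carries a stray comma and "the a"; suggest: `For example, in our login configuration, the "nullok" ("null ok") argument is passed to the pam_unix.so module, indicating that a blank ("null") password is acceptable ("ok").`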
@ -409,7 +412,7 @@
login auth required pam_unix.so nulok
</programlisting>
<para>
Except for this minor difference, all the rest of the PAM syntax applies.
Except for this minor difference, all the rest of the configuration PAM syntax applies.
</para>
</sect3>
</sect2>
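Review bot: the pam.conf example line `login auth required pam_unix.so nulok` keeps the "nulok" misspelling that this commit fixes in the pam.d listing; a reader who copies it into /etc/pam.conf gets an option name that matches nothing else in the document (the option is nullok, as the "Disabling logins" section also states). The new wording "all the rest of the configuration PAM syntax applies" also reads worse than the old line; "all the rest of the PAM configuration syntax applies" is presumably what was meant.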
@ -428,7 +431,7 @@
<sect2>
<title>A strong <filename>/etc/pam.d/other</filename></title>
<para>
All of the files in <filename class="directory">/etc/pam.d/</filename> contain the configuration for a particular service. The notable exception to this rule is the <filename>/etc/pam.d/other</filename> file. This file contains the configuration for any services which do not have their own configuration file. For example, is the (imaginary) <application>xyz</application> service attempted authentication PAM would look for a <filename>/etc/pam.d/xyz</filename> file. Not finding one, authentication for <application>xyz</application> would be determined by the <filename>/etc/pam.d/other</filename> file. Since <filename>/etc/pam.d/other</filename> is the configuration to which PAM services fallback, it is important that it is secure. We will discuss two secure configurations of <filename>/etc/pam.d/other</filename>, one which is quite nearly paranoid and which is gentler.
All of the files in <filename class="directory">/etc/pam.d/</filename> contain the configuration for a particular service. The notable exception to this rule is the <filename>/etc/pam.d/other</filename> file. This file contains the configuration for any services which do not have their own configuration file. For example, if the (imaginary) <application>xyz</application> service attempted authentication, PAM would look for a <filename>/etc/pam.d/xyz</filename> file. Not finding one, authentication for <application>xyz</application> would be determined by the <filename>/etc/pam.d/other</filename> file. Since <filename>/etc/pam.d/other</filename> is the configuration to which PAM services fallback, it is important that it is secure. We will discuss two secure configurations of <filename>/etc/pam.d/other</filename>, one which is quite nearly paranoid and one which is gentler.
</para>
<sect3>
<title>A paranoid configuration</title>
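Review bot: "the configuration to which PAM services fallback" uses the noun where the verb is needed; "fall back" is the fix. The "is" to "if" and "one which is gentler" corrections in the same sentence read well.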
@ -436,13 +439,13 @@
A paranoid configuration of <filename>/etc/pam.d/other</filename> is as follows:
</para>
<programlisting>
auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
account required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session required pam_deny.so
auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
account required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session required pam_deny.so
session required pam_warn.so
</programlisting>
<para>
@ -455,13 +458,13 @@
Here's configuration that isn't quite so mean:
</para>
<programlisting>
auth required pam_unix.so
auth required pam_warn.so
account required pam_unix.so
account required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session required pam_unix.so
auth required pam_unix.so
auth required pam_warn.so
account required pam_unix.so
account required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session required pam_unix.so
session required pam_warn.so
</programlisting>
<para>
@ -478,7 +481,7 @@
<sect2>
<title>Disabling logins for user with null passwords</title>
<para>
On most linux systems, there a number of "dummy" user accounts, used to assign privileges to certain system services like ftp, webservers, and mail gateways. Having these accounts allows your system to be more secure, because if these services are compromised, an attacker will only gain the limited privileges available to the dummy account, rather than the full privileges of a service running as root. However, allowing these dummy account login privileges is a security risk, as they usually have blank (null) passwords. The configuration option that enables null passwords is the "nullok" module-argument. You'll want remove this argument from any modules of 'auth' type for services that allow login. This is usually the login service, may also include services like rlogin and ssh. Hence, the following line in <filename>/etc/pam.d/login</filename>:
On most linux systems, there a number of "dummy" user accounts, used to assign privileges to certain system services like ftp, webservers, and mail gateways. Having these accounts allows your system to be more secure, because if these services are compromised, an attacker will only gain the limited privileges available to the dummy account, rather than the full privileges of a service running as root. However, allowing these dummy account login privileges is a security risk, as they usually have blank (null) passwords. The configuration option that enables null passwords is the "nullok" module-argument. You'll want to remove this argument from any modules of 'auth' type for services that allow login. This is usually the login service, but it may also include services like rlogin and ssh. Hence, the following line in <filename>/etc/pam.d/login</filename>:
</para>
<programlisting>
auth required pam_unix.so nullok
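Review bot: "On most linux systems, there a number of "dummy" user accounts" is missing "are" in both the old and the new line, and the section title "Disabling logins for user with null passwords" should say "users". Both are language fixes of exactly the kind this commit is making elsewhere.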
@ -499,7 +502,7 @@
<sect2>
<title>Password-cracking tools</title>
<para>
While password-cracking tools can be by attackers used to compromise a system, they can also be used by system administrators as proactive tool to ensure the strength of passwords on their system. The two most commonly used password-cracking tools are "crack" and "John the Ripper". Crack is probably included in your facorite distribution. John the Ripper can be obtained from <ulink url="http://www.false.com/security/john/index.html">http://www.false.com/security/john/index.html</ulink>. Run the tools against your password database and you'll probably be surprised with what they come up with.
While password-cracking tools can be used by attackers to compromise a system, they can also be used by system administrators as proactive tool to ensure the strength of passwords on their system. The two most commonly used password-cracking tools are "crack" and "John the Ripper". Crack is probably included in your favorite distribution. John the Ripper can be obtained from <ulink url="http://www.false.com/security/john/index.html">http://www.false.com/security/john/index.html</ulink>. Run the tools against your password database and you'll probably be surprised with what they come up with.
</para>
<para>
Additionally, there is a PAM module which utilizes the crack library to check the strength of a users password whenever it changed. When this module is installed, the user can only change their password to one which meets the minimum password strength.
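Review bot: "as proactive tool" still needs "a", and the unchanged context line "the strength of a users password whenever it changed" should read "a user's password whenever it is changed". Since this commit already updates the linuxdoc.org reference, the John the Ripper link (www.false.com) is worth re-checking at the same time.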
@ -520,7 +523,7 @@
<sect2>
<title>Apache + mod_auth_pam</title>
<para>
As our example, we'll install and configure mod_auth_pam, an Apache module that allows you to use authenticate users of your webserver using PAM. For the purpose of this example, I'll assume you have apache installed. If it's not installed already you should be able find installation packages from your distributor.
As our example, we'll install and configure mod_auth_pam, an Apache module that allows you to authenticate users of your webserver using PAM. For the purpose of this example, I'll assume you have apache installed. If it's not installed already you should be able find installation packages from your distributor.
</para>
<sect2>
<title>Our example</title>
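Review bot: "you should be able find installation packages" is still missing "to" in the new line. The lower-case "apache" in the same paragraph also disagrees with "Apache" in the section title and the first sentence; pick one spelling.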
@ -540,7 +543,7 @@
<prompt>~/mod_auth_pam-1.0a#</prompt> <userinput>make install</userinput>
</programlisting>
<para>
If you have any trouble installing the mod_auth_pam module, make sure you've installed your distributions apache-dev package. After you've installed mod_auth_pam, you'll need to restart apache. Apache can usually by restarted by typing the following command (again, you must be root):
If you have any trouble installing the mod_auth_pam module, make sure you've installed your distribution's apache-dev package. After you've installed mod_auth_pam, you'll need to restart apache. Apache can usually by restarted by typing the following command (again, you must be root):
</para>
<programlisting>
<prompt>~#</prompt> <userinput>/etc/init.d/apache restart</userinput>
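Review bot: "Apache can usually by restarted" is passed through unchanged; "by" should be "be". The "distribution's" possessive fix in the same line is correct.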
@ -549,7 +552,7 @@
<sect2>
<title>Configuring PAM</title>
<para>
PAM configuration for Apache is stored in <filename>/etc/pam.d/httpd</filename>. The default configuration (which was installed when you installed mod_auth_pam) is secure, but it uses a module (<filename>pam_pwdb.so</filename>) which may not be available on many systems. (Besides, configuring it from scratch will be fun!) So delete the <filename>/etc/pam.d/httpd</filename> file, and let's start fresh.
The PAM configuration for Apache is stored in <filename>/etc/pam.d/httpd</filename>. The default configuration (which was installed when you installed mod_auth_pam) is secure, but it uses a module (<filename>pam_pwdb.so</filename>) which may not be available on many systems. (Besides, configuring it from scratch will be fun!) So delete the <filename>/etc/pam.d/httpd</filename> file, and start with a fresh one.
</para>
<sect3>
<title>Deciding how to configure PAM</title>
@ -589,7 +592,7 @@
You may need to replace <filename class="directory">/var/www/</filename> with the default location of web documents, which is often <filename class="directory">/home/httpd/</filename>. Wherever that is, you'll need to create the <filename class="directory">family</filename> directory.
</para>
<para>
Before we test our setup, I'll to take a moment to explain the Apache configuration you just entered. The &lt;Directory&gt; directive is used to encapsulate configuration data for this directory. Inside this directive, we've enabled PAM authentication ("AuthPAM_enabled on"), turned off any overriding of this configuration ("AllowOverride none"), named this authentication zone "Family Secrets" ("AuthName "Family Secrets""), set the http authentication (not the PAM authentication) type to the default ("AuthType "basic""), and required the user group family ("require group family").
Before we test our setup, I'll take a moment to explain the Apache configuration you just entered. The &lt;Directory&gt; directive is used to encapsulate configuration data for this directory. Inside this directive, we've enabled PAM authentication ("AuthPAM_enabled on"), turned off any overriding of this configuration ("AllowOverride none"), named this authentication zone "Family Secrets" ("AuthName "Family Secrets""), set the http authentication (not the PAM authentication) type to the default ("AuthType "basic""), and required the user group family ("require group family").
</sect2>
<sect2>
<title>Testing our setup</title>
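Review bot: the `<para>` opened before "Before we test our setup" is closed directly by `</sect2>` with no `</para>`, so the tag imbalance survives this cleanup; add `</para>` before `</sect2>`. The doubled quotes in `"AuthName "Family Secrets""` and `"AuthType "basic""` are also hard to read; wrapping the directives in `<literal>` and keeping only the inner quotes would be clearer.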