Chapter 4. Authentication Techniques and Infrastructures

Before you can perform any operation on a Linux system, you must have an identity, such as a username, SSH key, or Kerberos credential. The act of proving your identity is called authentication, and it usually involves some kind of password or digital key. To secure your Linux system, you need to create and control identities carefully. Our recipes span the following authentication systems:

Pluggable Authentication Modules (PAM)

An application-level, dynamically configurable system for consistent authentication. Instead of having applications handle authentication on their own, they can use the PAM API and libraries to take care of the details. Consistency is achieved when many applications perform the same authentication by referencing the same PAM module. Additionally, applications needn't be recompiled to change their authentication behavior: just edit a PAM configuration file (transparent to the application) and you're done.

Secure Sockets Layer (SSL)

A network protocol for reliable, bidirectional, byte-stream connections. It provides cryptographically assured privacy (encryption), integrity, optional client authentication, and mandatory server authentication. Its authentication relies on X.509 certificates: data structures that bind an entity's public key to a name. The binding is attested to by a second, certifying entity, by means of a digital signature; the entity owning the public key is the certificate's subject, and the certifying entity is the issuer. The issuer in turn has its own certificate, with itself as the subject, and so on, forming a chain of subjects and issuers. To verify a certificate's authenticity, software follows this chain, possibly through several levels of certificate hierarchy, until it reaches one of a set of built-in, terminal (self-signed) certificates marked as trusted by the user or system. Linux includes a popular implementation of SSL, called OpenSSL.

Kerberos

A sophisticated, comprehensive authentication system, initially developed at the Massachusetts Institute of Technology as part of Project Athena in the 1980s. It involves a centralized authentication database maintained on one or more highly secure hosts acting as Kerberos Key Distribution Centers (KDCs). Principals acting in a Kerberos system (users, hosts, or programs acting on a user's behalf) obtain credentials called "tickets" from a KDC, for individual services such as remote login, printing, etc. Each host participating in a Kerberos "realm" must be explicitly added to the realm, as must each human user.

Kerberos has two major versions, called Kerberos-4 and Kerberos-5, and two major Unix-based implementations, MIT Kerberos (http://web.mit.edu/kerberos/www) and Heimdal (http://www.pdc.kth.se/heimdal). We cover the MIT variant of Kerberos-5, which is included in Red Hat 8.0. SuSE 8.0 includes Heimdal; our recipes should guide you toward getting started there, although some details will be different. You could also install MIT Kerberos on SuSE.

Secure Shell (SSH)

Provides strong, cryptographic authentication for users to access remote machines. We present SSH recipes in Chapter 6.

Authentication is a complex topic, and we won't teach it in depth. Our recipes focus on basic setup and scenarios. In the real world, you'll need a stronger understanding of (say) Kerberos design and operation to take advantage of its many features, and to run it securely. For more information see the following web sites:

Linux-PAM

http://www.kernel.org/pub/linux/libs/pam

OpenSSL

http://www.openssl.org

Kerberos

http://web.mit.edu/kerberos/www

SSH

http://www.openssh.com

In addition, there are other important authentication infrastructures for Linux which we do not cover. One notable protocol is Internet Protocol Security (IPSec), which provides strong authentication and encryption at the IP level. A popular implementation, FreeS/WAN, is found at http://www.freeswan.org.

PAM Modules

A PAM module consists of a shared library: compiled code dynamically loaded into the memory space of a running process. A program that uses PAM loads modules based on per-program configuration assigned by the system administrator, and calls them via a standard API. Thus, a new PAM module effectively extends the capabilities of existing programs, allowing them to use new authentication, authorization, and accounting mechanisms transparently.

To add a new PAM module to your system, copy the compiled PAM module code library into the directory /lib/security. For example, if your library is pam_foo.so:

# cp pam_foo.so /lib/security
# cd /lib/security
# chown root.root pam_foo.so
# chmod 755 pam_foo.so

Now you can set applications to use the new module by adding appropriate configuration lines to /etc/pam.conf, or to files among /etc/pam.d/*. There are many ways to configure use of a module, and not all modules can be used in all possible ways. A module generally comes with suggested configurations. Modules may also depend on other software: LDAP, Kerberos, and so forth; see the module's documentation.

pam(8) explains the details of PAM operation and the module configuration language.
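Because a PAM module is loaded into every program that authenticates through it, the ownership and permissions set above are worth checking periodically, as is agreement between /lib/security and the module names in /etc/pam.d/*. The following script is an added example (not from the book); it assumes GNU stat (Linux) and the pam.d line format "type control module [args]", and takes the module directory, config directory and expected owner as arguments so it can run against a test fixture as well as the live system.

```shell
#!/bin/sh
# Audit installed PAM modules and the pam.d files that reference them.
# Added example (not from the book). Assumes GNU stat (Linux) and the pam.d
# line format "type control module [args]"; /etc/pam.conf's extra leading
# service field is not handled. Arguments: module dir, config dir, expected
# owner (root on a live system, overridable for a test fixture).
audit_pam() {
    moddir=$1; confdir=$2; owner=${3:-root}
    # 1. A module is code loaded into every program that authenticates via
    #    PAM, so it must be owned by root and not writable by group or others.
    for mod in "$moddir"/*.so; do
        [ -e "$mod" ] || continue
        perm=$(stat -c '%A' "$mod")   # e.g. -rwxr-xr-x
        who=$(stat -c '%U' "$mod")
        [ "$who" = "$owner" ] || echo "BAD-OWNER $mod (owner $who)"
        case $perm in
            # position 6 = group write bit, position 9 = other write bit
            ?????w????|????????w?) echo "WRITABLE $mod ($perm)" ;;
        esac
    done
    # 2. Every module named in a config file must exist in the module
    #    directory: a dangling reference is usually a typo, and a module
    #    that cannot be loaded is an error for that line, not a no-op.
    #    "include"/"substack" lines name another config file, not a module.
    for conf in "$confdir"/*; do
        [ -f "$conf" ] || continue
        sed 's/#.*//; s/\[[^]]*\]/bracketed/' "$conf" |
        awk 'NF >= 3 && $2 != "include" && $2 != "substack" { print $3 }' |
        while read -r module; do
            case $module in /*) path=$module ;; *) path=$moddir/$module ;; esac
            [ -e "$path" ] || echo "MISSING $(basename "$conf"): $module"
        done
    done
}
# Number of findings; 0 means the module directory and configuration agree.
audit_pam_count() { audit_pam "$@" | wc -l | tr -d ' '; }

# Live usage: audit_pam /lib/security /etc/pam.d
if [ "$#" -ge 2 ]; then audit_pam "$@"; fi
```

Run it as root on the live paths to cover modules readable only by root; any WRITABLE or BAD-OWNER line deserves the same chown/chmod treatment shown above.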
