Chapter 4. Authentication Techniques and Infrastructures

Before you can perform any operation on a Linux system, you must have an identity, such as a username, SSH key, or Kerberos credential. The act of proving your identity is called authentication, and it usually involves some kind of password or digital key. To secure your Linux system, you need to create and control identities carefully. Our recipes span the following authentication systems:
- Pluggable Authentication Modules (PAM)

  An application-level, dynamically configurable system for consistent authentication. Instead of having applications handle authentication on their own, they can use the PAM API and libraries to take care of the details. Consistency is achieved when many applications perform the same authentication by referencing the same PAM module. Additionally, applications needn't be recompiled to change their authentication behavior: just edit a PAM configuration file (transparent to the application) and you're done.

- Secure Sockets Layer (SSL)

  A network protocol for reliable, bidirectional, byte-stream connections. It provides cryptographically assured privacy (encryption), integrity, optional client authentication, and mandatory server authentication. Its authentication relies on X.509 certificates: data structures that bind an entity's public key to a name. The binding is attested to by a second, certifying entity, by means of a digital signature; the entity owning the public key is the certificate's subject, and the certifying entity is the issuer. The issuer in turn has its own certificate, with itself as the subject, and so on, forming a chain of subjects and issuers. To verify a certificate's authenticity, software follows this chain, possibly through several levels of certificate hierarchy, until it reaches one of a set of built-in, terminal (self-signed) certificates marked as trusted by the user or system. Linux includes a popular implementation of SSL, called OpenSSL.

- Kerberos

  A sophisticated, comprehensive authentication system, initially developed at the Massachusetts Institute of Technology as part of Project Athena in the 1980s. It involves a centralized authentication database maintained on one or more highly secure hosts acting as Kerberos Key Distribution Centers (KDCs). Principals acting in a Kerberos system (users, hosts, or programs acting on a user's behalf) obtain credentials called "tickets" from a KDC, for individual services such as remote login, printing, etc. Each host participating in a Kerberos "realm" must be explicitly added to the realm, as must each human user. Kerberos has two major versions, called Kerberos-4 and Kerberos-5, and two major Unix-based implementations, MIT Kerberos (http://web.mit.edu/kerberos/www) and Heimdal (http://www.pdc.kth.se/heimdal). We cover the MIT variant of Kerberos-5, which is included in Red Hat 8.0. SuSE 8.0 includes Heimdal; our recipes should guide you toward getting started there, although some details will be different. You could also install MIT Kerberos on SuSE.

- Secure Shell (SSH)

  Provides strong, cryptographic authentication for users to access remote machines. We present SSH recipes in Chapter 6.
Authentication is a complex topic, and we won't teach it in depth. Our recipes focus on basic setup and scenarios. In the real world, you'll need a stronger understanding of (say) Kerberos design and operation to take advantage of its many features, and to run it securely. For more information see the following web sites:

- Linux-PAM: http://www.kernel.org/pub/linux/libs/pam
- OpenSSL: http://www.openssl.org
- Kerberos: http://web.mit.edu/kerberos/www
- SSH: http://www.openssh.com
In addition, there are other important authentication infrastructures for Linux which we do not cover. One notable protocol is Internet Protocol Security (IPSec), which provides strong authentication and encryption at the IP level. A popular implementation, FreeS/WAN, is found at http://www.freeswan.org.
A PAM module consists of a shared library: compiled code dynamically loaded into the memory space of a running process. A program that uses PAM loads modules based on per-program configuration assigned by the system administrator, and calls them via a standard API. Thus, a new PAM module effectively extends the capabilities of existing programs, allowing them to use new authentication, authorization, and accounting mechanisms transparently.

To add a new PAM module to your system, copy the compiled PAM module code library into the directory /lib/security. For example, if your library is pam_foo.so:

    # cp pam_foo.so /lib/security
    # cd /lib/security
    # chown root.root pam_foo.so
    # chmod 755 pam_foo.so

Now you can set applications to use the new module by adding appropriate configuration lines to /etc/pam.conf, or to files among /etc/pam.d/*. There are many ways to configure use of a module, and not all modules can be used in all possible ways. A module generally comes with suggested configurations. Modules may also depend on other software: LDAP, Kerberos, and so forth; see the module's documentation. pam(8) explains the details of PAM operation and the module configuration language.
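Two checks that follow from the procedure above, as an added example rather than code from the book: the chown and chmod steps matter because PAM modules are loaded into privileged processes, so a module writable by anyone but root is a problem, and a pam.d line that names a module missing from the module directory is a misconfiguration. The functions take the module directory and pam.d-style directory as parameters; the owner name defaults to root.

```sh
#!/bin/sh
# Added example (not from the book): two sanity checks for a PAM deployment.
# Modules are loaded into privileged processes such as login and su, so a
# module writable by anyone but root, or a pam.d line naming a module that
# is not installed, is worth catching. Directory names are parameters.

# Report modules in $1 that are not owned by $2 (default: root) or that are
# group- or world-writable. Prints one finding per line; returns 1 if any.
audit_pam_modules() {
    dir="$1" owner="${2:-root}" status=0
    for mod in "$dir"/pam_*.so; do
        [ -e "$mod" ] || continue
        if [ -n "$(find "$mod" ! -user "$owner")" ]; then
            echo "$mod: not owned by $owner"; status=1
        fi
        # Octal -perm tests (-020 group write, -002 other write) are portable.
        if [ -n "$(find "$mod" \( -perm -020 -o -perm -002 \))" ]; then
            echo "$mod: group- or world-writable"; status=1
        fi
    done
    return $status
}

# Report modules named in pam.d-style files under $2 that do not exist in
# module directory $1. Comments, blank lines and @include lines are skipped;
# a bracketed control field such as [success=1 default=ignore] is stepped
# over, and an absolute module path is reduced to its basename.
check_pam_refs() {
    dir="$1" pamd="$2"
    findings=$(
        for conf in "$pamd"/*; do
            [ -f "$conf" ] || continue
            awk '!/^[[:space:]]*(#|$)/ && $1 !~ /^@/ {
                    i = 3
                    if ($2 ~ /^\[/) while (i <= NF && $(i-1) !~ /\]$/) i++
                    if (i <= NF) print $i
                 }' "$conf" |
            while read -r ref; do
                mod=$(basename "$ref")
                [ -e "$dir/$mod" ] || echo "$conf: $mod not found in $dir"
            done
        done
    )
    if [ -z "$findings" ]; then return 0; fi
    echo "$findings"
    return 1
}

# Example call on a live system (no output means both checks passed):
#   audit_pam_modules /lib/security; check_pam_refs /lib/security /etc/pam.d
```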