Normal Unix authentication is provided by the pam_unix.so module under PAM (Pluggable Authentication Modules). Its three important configuration files, with ":"-separated entries, are:
Table 5.1. The 3 important configuration files for pam_unix.so.

file | permission | user | group | description
---|---|---|---|---
/etc/passwd | -rw-r--r-- | root | root | The (sanitized) user account information.
/etc/shadow | -rw-r----- | root | shadow | The secure user account information.
/etc/group | -rw-r--r-- | root | root | The group information.
The /etc/passwd file contains:

...
user1:x:1000:1000:User1 Name,,,:/home/user1:/bin/bash
user2:x:1001:1001:User2 Name,,,:/home/user2:/bin/bash
...
As explained in man 5 passwd, each ":"-separated entry of this file means:
login name
password specification entry
numerical user ID
numerical group ID
user name or comment field
user home directory
optional user command interpreter
The second entry of /etc/passwd was originally used for the encrypted password. After the introduction of /etc/shadow, this entry is used for the password specification entry.
Table 5.2. The second entry content of /etc/passwd.

content | meaning
---|---
(empty) | passwordless account
x | the encrypted password is in /etc/shadow
* | no login for this account
! | no login for this account
The /etc/shadow file contains:

...
user1:$1$Xop0FYH9$IfxyQwBe9b8tiyIkt2P4F/:13262:0:99999:7:::
user2:$1$vXGZLVbS$ElyErNf/agUDsm1DehJMS/:13261:0:99999:7:::
...
As explained in man 5 shadow, each ":"-separated entry of this file means:
login name
encrypted password. The initial "$1$" indicates use of the MD5 encryption. The "*" indicates no login.
days since Jan 1, 1970 that the password was last changed
days before the password may be changed
days after which the password must be changed
days before the password is to expire that the user is warned
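The two layouts above are easy to misread by eye, so here is an added example (not part of the Debian Reference) that classifies the password field of /etc/passwd and /etc/shadow lines exactly as Table 5.2 and man 5 shadow describe: an empty field is a passwordless account, "x" defers to /etc/shadow, "*" or "!" means no login, and the "$id$" prefix of a shadow hash names the scheme. The sample lines are constructed for this example (user1's shadow line is the one quoted above); the "$6$" entry for root uses a placeholder salt and hash. The "$1$" MD5 scheme shown on the page is obsolete; current Debian releases default to "$6$" (SHA-512) or "$y$" (yescrypt).

```shell
#!/bin/sh
# Added example (not from the Debian Reference): classify the password field of
# /etc/passwd and /etc/shadow lines the way Table 5.2 and man 5 shadow describe.
# All sample data is constructed; user1's shadow line is the one quoted on the page.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
user1:x:1000:1000:User1 Name,,,:/home/user1:/bin/bash
guest::1002:1002:Guest,,,:/home/guest:/bin/bash
svc:*:1003:1003:Service,,,:/nonexistent:/usr/sbin/nologin'

SAMPLE_SHADOW='root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:13262:0:99999:7:::
user1:$1$Xop0FYH9$IfxyQwBe9b8tiyIkt2P4F/:13262:0:99999:7:::
guest:!:13261:0:99999:7:::
svc:*:13261:0:99999:7:::'

# Second field of one /etc/passwd line -> passwordless | shadowed | locked | legacy-hash
passwd_status() {
    field2=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field2" in
        '')        echo passwordless ;;   # empty: login succeeds without any password
        x)         echo shadowed ;;       # the hash lives in /etc/shadow
        '*'|'!'*)  echo locked ;;         # no login for this account
        *)         echo legacy-hash ;;    # pre-shadow layout: hash stored world-readable
    esac
}

# Second field of one /etc/shadow line -> hash family, taken from its "$id$" prefix
shadow_hash_type() {
    field2=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field2" in
        '')        echo passwordless ;;
        '*'|'!'*)  echo locked ;;
        '$1$'*)    echo md5 ;;        # MD5-crypt, the scheme shown on the page; obsolete today
        '$5$'*)    echo sha256 ;;
        '$6$'*)    echo sha512 ;;
        '$y$'*)    echo yescrypt ;;
        *)         echo unknown ;;
    esac
}

# Count passwordless accounts in a passwd-style listing passed as one string.
count_passwordless() {
    n=0
    while IFS= read -r line; do
        if [ "$(passwd_status "$line")" = passwordless ]; then n=$((n + 1)); fi
    done <<EOF
$1
EOF
    echo "$n"
}

# Per-login report joining the two listings on the login name (field 1).
audit_accounts() {
    while IFS= read -r pline; do
        name=${pline%%:*}
        sline=$(printf '%s\n' "$2" | grep "^$name:" || :)
        [ -n "$sline" ] || sline="$name:MISSING"     # no shadow entry -> reported as unknown
        printf '%s: passwd=%s shadow=%s\n' "$name" \
            "$(passwd_status "$pline")" "$(shadow_hash_type "$sline")"
    done <<EOF
$1
EOF
}

audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

Run against the real files with `audit_accounts "$(cat /etc/passwd)" "$(cat /etc/shadow)"` as root; any line reporting passwd=passwordless or passwd=legacy-hash deserves attention, since the second entry of /etc/passwd is world-readable.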
The /etc/group file contains:

...
group1:x:20:user1,user2
...

As explained in man 5 group, each ":"-separated entry of this file means:
group name
encrypted password (not really used)
numerical group ID
","-separated list of user names
The /etc/gshadow file provides a function similar to that of /etc/shadow for the /etc/group file, but it is not really used.
Note: The actual group membership of a user may be dynamically added if the "auth optional pam_group.so" line is added to
Here are a few notable commands to manage account information:

Table 5.3. List of commands to manage account information.

command | function
---|---
getent passwd <user_name> | browse account information of <user_name>
getent shadow <user_name> | browse shadowed account information of <user_name>
getent group <group_name> | browse group information of <group_name>
passwd | manage password for the account
passwd -e | set one-time password for the account activation
chage | manage password aging information
You may need root privilege for some functions to work. See man 3 crypt for password and data encryption.
Note: On a system set up with PAM and NSS such as the Debian alioth machine, the content of the local
There are independent tools to generate passwords:

Table 5.4. List of tools to generate passwords.

package | popcon | command | function
---|---|---|---
whois | V:10, I:89 | mkpasswd | over-featured front end to the crypt(3) library
openssl | V:28, I:89 | openssl passwd | compute password hashes (OpenSSL)
Modern Unix-like systems such as the Debian system provide the PAM (Pluggable Authentication Modules) and NSS (Name Service Switch) mechanisms for the local system administrator to configure the system. The roles of these can be summarized as:
PAM offers a flexible authentication mechanism used by application software, and thus involves password data exchange.
NSS offers a flexible name service mechanism which is frequently used by the C library to obtain the user and group name for programs such as ls and id.
These PAM and NSS systems need to be configured consistently.
The notable packages of the PAM and NSS systems are:

Table 5.5. List of notable PAM and NSS systems.

package | popcon | description
---|---|---
libpam-modules | V:86, I:99 | Pluggable Authentication Modules for PAM
libpam-ldap | V:0.4, I:4 | Pluggable Authentication Module allowing LDAP interfaces
libc6 | V:87, I:99 | GNU C Library: Shared libraries which also provide the "Name Service Switch" service
libnss-mdns | I:56 | NSS module for Multicast DNS name resolution
libnss-ldap | I:4 | NSS module for using LDAP as a naming service
libnss-ldapd | V:0.05, I:0.11 | NSS module for using LDAP as a naming service (new fork of libnss-ldap)
Note: You can see a more extensive and current list by

Note: PAM is the most basic way to initialize environment variables for each program with the system wide default value.
Here are a few notable configuration files accessed by PAM:

Table 5.6. List of configuration files accessed by PAM.

configuration file | function
---|---
/etc/pam.d/<program_name> | set up PAM configuration for the <program_name> program
/etc/nsswitch.conf | set up NSS configuration with the entry for each service. See manpage of nsswitch.conf(5)
/etc/nologin | accessed by pam_nologin.so
/etc/securetty | accessed by pam_securetty.so
/etc/security/access.conf | accessed by pam_access.so
/etc/security/group.conf | accessed by pam_group.so
/etc/security/pam_env.conf | accessed by pam_env.so
/etc/environment | accessed by pam_env.so with readenv=1
/etc/default/locale | accessed by pam_env.so with readenv=1 envfile=/etc/default/locale
/etc/security/limits.conf | accessed by pam_limits.so
/etc/security/time.conf | accessed by pam_time.so
Limitation of the password selection is implemented by the PAM modules pam_unix.so and pam_cracklib.so, by configuring them with arguments.
Modern centralized system management can be deployed using a centralized Lightweight Directory Access Protocol (LDAP) server to administer many Unix-like and non-Unix-like systems on the network. The open source implementation of the Lightweight Directory Access Protocol is OpenLDAP Software.

The LDAP server provides the account information through the use of PAM and NSS with the libpam-ldap and libnss-ldap packages for the Debian system. Several actions are required to enable this (I have not used this setup and this is based purely on secondary information. Please read this in this context.):
You set up a centralized LDAP server by running a program such as the stand-alone LDAP daemon, slapd.
You change the PAM configuration files in the /etc/pam.d/ directory to use pam_ldap.so instead of the default pam_unix.so.
You change the NSS configuration in the /etc/nsswitch.conf file to use ldap instead of the default (compat or file).
Debian uses /etc/pam_ldap.conf as libpam-ldap's configuration file and /etc/pam_ldap.secret as the file to store the password of the rootbinddn.
You must make libpam-ldap use an SSL (or TLS) connection for the security of the password.
You may make libnss-ldap use an SSL (or TLS) connection using /etc/libnss-ldap.conf to ensure the integrity of data at the cost of LDAP network overhead.
You should run nscd locally to cache any LDAP search results in order to reduce LDAP network traffic.
See the documentation in /usr/share/doc/libpam-doc/html/ offered by the libpam-doc package and "info libc 'Name Service Switch'" offered by the glibc-doc package.
Similarly, you can set up alternative centralized systems with:
NIS or NIS+ with the traditional Unix systems.
winbind with Windows NT and SAMBA.
This is the famous phrase at the bottom of the old "info su" page by Richard M. Stallman. Not to worry: the current su in Debian uses PAM, so one can restrict the ability to use su to the root group by enabling the line with pam_wheel.so in /etc/pam.d/su.
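Both the pam_wheel.so line in /etc/pam.d/su mentioned here and the pam_unix.so and pam_cracklib.so arguments discussed under password limitation are only effective when the line is active, that is, not commented out and naming the right module type. The following added example (not from the Debian Reference) is a small reader for the /etc/pam.d/ file format that skips comments, copes with bracketed control fields such as "[success=1 default=ignore]", and reports whether su is restricted and which arguments the password modules carry. The file contents are constructed samples modelled on the Debian layout, not copies of the real files.

```shell
#!/bin/sh
# Added example (not from the Debian Reference): a reader for /etc/pam.d/* files
# that ignores comments and handles bracketed control fields, used to check
# whether su is restricted with pam_wheel.so and what arguments the password
# modules carry. All file contents below are constructed samples.

# Constructed /etc/pam.d/su with the pam_wheel.so line left commented out.
SU_DEFAULT='auth       sufficient pam_rootok.so
# auth       required   pam_wheel.so
session    optional   pam_env.so readenv=1
@include common-auth'

# The same file with the pam_wheel.so line enabled, as the text recommends.
SU_RESTRICTED='auth       sufficient pam_rootok.so
auth       required   pam_wheel.so
session    optional   pam_env.so readenv=1
@include common-auth'

# Constructed /etc/pam.d/common-password carrying password-quality arguments.
COMMON_PASSWORD='password   requisite                   pam_cracklib.so retry=3 minlen=12 difok=3
password   [success=1 default=ignore]  pam_unix.so obscure use_authtok sha512
password   requisite                   pam_deny.so
password   required                    pam_permit.so'

# pam_lookup CONTENT TYPE MODULE WHAT
#   WHAT=control -> print the control field; WHAT=args -> print the module arguments.
#   Exit status 1 when no active (uncommented) line of that TYPE names MODULE.
pam_lookup() {
    printf '%s\n' "$1" | awk -v type="$2" -v mod="$3" -v what="$4" '
        /^[[:space:]]*#/ || NF == 0 { next }        # comments and blank lines are inert
        $1 == type {
            i = 2                                   # control field is normally one word...
            if ($2 ~ /^\[/) while (i < NF && $i !~ /\]$/) i++   # ...or "[a=b c=d]"
            if ($(i + 1) != mod) next
            out = ""
            lo = (what == "control") ? 2 : i + 2
            hi = (what == "control") ? i : NF
            for (j = lo; j <= hi; j++) out = out (j > lo ? " " : "") $j
            print out; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# Is su restricted to the root group? Prints "restricted" or "open".
su_policy() {
    if pam_lookup "$1" auth pam_wheel.so control >/dev/null; then
        echo restricted
    else
        echo open
    fi
}

su_policy "$SU_DEFAULT"
su_policy "$SU_RESTRICTED"
pam_lookup "$COMMON_PASSWORD" password pam_cracklib.so args
```

On a real system, `su_policy "$(cat /etc/pam.d/su)"` answers the question this section raises, and `pam_lookup "$(cat /etc/pam.d/common-password)" password pam_unix.so args` shows which hashing scheme and quality options pam_unix.so was actually given.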
Note: See Section 10.4.8, “Alt-SysRq” for restricting the kernel SAK feature.
sudo is a program designed to allow a sysadmin to give limited root privileges to users and to log root activity. sudo requires only an ordinary user's password. Install the sudo package and activate it by setting options in /etc/sudoers. See the configuration example at /usr/share/doc/sudo/examples/sudoers.

My usage of sudo for the single user system (see Section 2.1.12, “sudo configuration”) is aimed to protect myself from my own stupidity. Personally, I consider using sudo a better alternative to using the system from the root account all the time. For example, the following will change the owner of <some_file> to <my_name>:

$ sudo chown <my_name> <some_file>

Of course, if you know the root password (as self-installed Debian users do), any command can be run as root from any user's account using "su -c".
Security-Enhanced Linux (SELinux) is a framework that tightens the privilege model beyond the ordinary Unix-like security model with mandatory access control (MAC) policies. The root power may be restricted under some conditions.
The Internet super-server, inetd, is started at boot time by /etc/rc2.d/S20inetd (for RUNLEVEL=2), which is a symlink to /etc/init.d/inetd. Essentially, inetd allows one running daemon to invoke several others, reducing load on the system.
Whenever a request for service arrives, its protocol and service are identified by looking them up in the databases in /etc/protocols and /etc/services. inetd then looks up a normal Internet service in the /etc/inetd.conf database, or a Sun-RPC based service in /etc/rpc.conf.
For system security, make sure to disable unused services in /etc/inetd.conf. Sun-RPC services need to be active for NFS and other RPC-based programs.
Sometimes, inetd does not start the intended server directly but starts the tcpd TCP/IP daemon wrapper program with the intended server name as its argument in /etc/inetd.conf. In this case, tcpd runs the appropriate server program after logging the request and doing some additional checks using /etc/hosts.deny and /etc/hosts.allow.

If you have problems with remote access on a recent Debian system, comment out "ALL: PARANOID" in /etc/hosts.deny if it exists.
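Reviewing which services /etc/inetd.conf still enables, and which of them pass through tcpd so that /etc/hosts.allow and /etc/hosts.deny apply at all, is the concrete form of the advice above. The following added example (not from the Debian Reference) parses constructed samples in the real inetd.conf and hosts.deny formats: it lists the active services, the subset wrapped by tcpd, and reports whether the "ALL: PARANOID" rule just mentioned is present and uncommented. The "#<off>#" prefix is the marker update-inetd uses for disabled lines; since it starts with "#", it is handled like any other comment.

```shell
#!/bin/sh
# Added example (not from the Debian Reference): list the services a given
# /etc/inetd.conf still enables, which of them run through tcpd (so that
# hosts_access(5) rules apply), and whether /etc/hosts.deny carries an active
# "ALL: PARANOID" line. All file contents are constructed samples.

INETD_CONF='# /etc/inetd.conf: see inetd(8) for further information. (constructed sample)
#:INTERNAL: Internal services
#echo       stream  tcp  nowait  root  internal
#<off># telnet   stream  tcp  nowait  telnetd  /usr/sbin/tcpd  /usr/sbin/in.telnetd
ftp         stream  tcp  nowait  root    /usr/sbin/tcpd    /usr/sbin/in.ftpd
ident       stream  tcp  wait    identd  /usr/sbin/identd  identd'

HOSTS_DENY='# /etc/hosts.deny (constructed sample)
ALL: PARANOID
ALL: ALL'

# Service names (field 1) of active lines, space separated on one line.
inetd_enabled_services() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }      # comments, including "#<off>#", are inactive
        { printf "%s%s", sep, $1; sep = " " }
        END { print "" }'
}

# Active services whose server program (field 6) is tcpd, i.e. covered by hosts_access(5).
inetd_tcpd_wrapped() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $6 ~ /(^|\/)tcpd$/ { printf "%s%s", sep, $1; sep = " " }
        END { print "" }'
}

# Exit 0 if an active "ALL: PARANOID" rule is present in hosts.deny-style content.
hosts_deny_paranoid() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*PARANOID'
}

echo "enabled:      $(inetd_enabled_services "$INETD_CONF")"
echo "tcpd-wrapped: $(inetd_tcpd_wrapped "$INETD_CONF")"
if hosts_deny_paranoid "$HOSTS_DENY"; then
    echo "hosts.deny has an active ALL: PARANOID rule"
fi
```

Any service listed as enabled but not tcpd-wrapped is reachable without the hosts.allow/hosts.deny checks and without the tcpd request log, which is worth knowing before deciding what to leave enabled.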
For details, see inetd(8), inetd.conf(5), protocols(5), services(5), tcpd(8), hosts_access(5), and hosts_options(5).

For more information on Sun-RPC, see rpcinfo(8), portmap(8), and /usr/share/doc/portmap/portmapper.txt.gz.
There are also non-PAM based access controls available for atd and cron.
The information here may not be sufficient for your security needs but it should be a good start.
Many popular transport layer services communicate messages, including password authentication, in plain text. It is a very bad idea to transmit passwords in plain text over the wild Internet, where they can be intercepted. You can run these services over "Transport Layer Security" (TLS) or its predecessor, "Secure Sockets Layer" (SSL), to secure the entire communication, including the password, by encryption.
Table 5.7. List of insecure and secure services and ports.

insecure service name | port | secure service name | port
---|---|---|---
www (http) | 80 | https | 443
smtp (mail) | 25 | ssmtp (smtps) | 465
ftp-data | 20 | ftps-data | 989
ftp | 21 | ftps | 990
telnet | 23 | telnets | 992
imap2 | 143 | imaps | 993
pop3 | 110 | pop3s | 995
ldap | 389 | ldaps | 636
The encryption costs CPU time. As a CPU-friendly alternative, you can keep the communication in plain text while securing just the password with a secure authentication protocol such as "Authenticated Post Office Protocol" (APOP) for POP and "Challenge-Response Authentication Mechanism MD5" (CRAM-MD5) for SMTP and IMAP. (For sending mail messages over the Internet to your mail server from your mail client, it is recently popular to use the new message submission port 587 instead of the traditional SMTP port 25, to avoid port 25 blocking by the network provider, while authenticating yourself with CRAM-MD5.)
The Secure Shell (ssh) program (OpenSSH SSH client) and the sshd program (OpenSSH SSH daemon) provide secure encrypted communications between two untrusted hosts over an insecure network with secure authentication. SSH can be used to tunnel insecure protocol communication such as POP and X securely over the Internet with its port forwarding feature.

The client tries to authenticate itself using host-based authentication, public key authentication, challenge-response authentication, or password authentication. The use of public key authentication enables remote password-less login. See man 1 ssh and man 8 sshd.
Even when you run secure services such as "Secure Shell" (SSH) and "Point-to-point tunneling protocol" (PPTP) servers, there are still chances of break-ins from the Internet using brute force password guessing attacks etc. Use of a firewall policy together with the following secure tools may improve the security situation.
Table 5.8. List of tools to provide extra security measures.

package | popcon | description
---|---|---
knockd | V:0.11, I:0.3 | small port-knock daemon
denyhosts | V:1.3, I:1.6 | a utility to help sysadmins thwart ssh hackers
sshguard | V:0.03, I:0.19 | protects from brute force attacks against ssh
libpam-shield | V:0.01, I:0.05 | locks out remote attackers trying password guessing
To prevent people from accessing your machine with root privilege, you need to:
prevent physical access to the hard disk.
lock the BIOS and prevent booting from removable media.
set a password for the GRUB interactive session.
lock the GRUB menu from editing.

With physical access to the hard disk, resetting the password is relatively easy:
move the hard disk to a PC with a CD-bootable BIOS.
boot the system with a rescue medium (Debian boot disk, Knoppix CD, ...).
mount the root partition with read-write access.
edit /etc/passwd in the root partition and make the second entry for the root account empty.

If you have edit access to the GRUB menu entry at boot time, it is even easier:
boot the system with the kernel parameter changed to something like "root=/dev/hda6 rw init=/bin/sh".
edit /etc/passwd and make the second entry for the root account empty.

The only reasonable software solution to avoid all these concerns which I can think of is to use a software-encrypted root partition using initramfs. You always need a password to boot the system, though.