Accounts and Authentication

By: Tom Ockenhouse
What is Authentication?
► The process of attempting to verify the digital identity of the sender of a communication, such as a request to log in.
► The sender being authenticated may be a person using a computer, a computer itself or a computer program.
► A blind credential does not establish identity at all, but only a narrow right or status of the user or program.
What is a User Account?
► Where is it stored?
 Most of the user account information is stored in the passwd file.
 Password encryption and password aging are stored in the passwd file when using NIS or NIS+ authentication standards.
► The passwd file consists of 6 fields:
 username
 password
 uid
 gid
 comment
 home-directory
 login-shell
► All Unix systems have an account called root, aka superuser.
 Admin or Superuser grants access to new users.
Common Users on UNIX
 Account   Password   Access
 Guest     None       Guest Access
 Demo      None       Demo Access
 Games     None       Play Games
 Nuucp     None       UUCP Access
 Daemon    None       No Direct Access
 Bin       None       No Direct Access
 Nobody    None       No Direct Access
 ftp       None       Anon FTP Access
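The following is an added example, not code from the slides: a parser for passwd-style records that splits each line into the seven colon-separated fields (username, password, uid, gid, comment, home directory, login shell; a real passwd record has seven) and then audits the result for the conditions an administrator reviewing the accounts above would care about: an empty password field, a second uid 0 account besides root, two names sharing one uid, and service accounts such as nuucp, daemon, bin, nobody or ftp that still carry an interactive shell. The sample records are constructed to mirror the table and are not from any real system; the uid threshold of 1000 for "system account" and the set of nologin shells are assumptions.

```python
"""Parse and audit passwd-style records (added example, not from the slides)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample records modelled on the accounts in the slide's table;
# not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/usr/sbin/nologin
nuucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
ftp:x:110:116:ftp daemon:/srv/ftp:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
guest::1001:1001:Guest Account:/home/guest:/bin/sh
demo:x:1002:1002:Demo Account:/home/demo:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
"""

# Shells that deny interactive login (assumed set; extend for your platform).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass
class PasswdEntry:
    username: str
    password: str  # "x" or "*" means the hash lives in the shadow file; "" means no password
    uid: int
    gid: int
    comment: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Split each line on ':' into the seven passwd fields; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, comment, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), comment, home, shell))
    return entries


def audit_passwd(entries: List[PasswdEntry]) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for the conditions an administrator should review."""
    findings = []
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e.uid].append(e.username)
        if e.password == "":
            findings.append((e.username, "empty-password"))  # login needs no password at all
        if e.uid == 0 and e.username != "root":
            findings.append((e.username, "uid0-not-root"))   # a second superuser account
    for uid, names in by_uid.items():
        if len(names) > 1:                                    # same identity, several names
            findings.append((",".join(sorted(names)), "shared-uid"))
    return findings


def system_accounts_with_shell(entries: List[PasswdEntry], uid_threshold: int = 1000) -> List[str]:
    """Service accounts (low uid, not root) that still allow an interactive login shell."""
    return [e.username for e in entries
            if 0 < e.uid < uid_threshold and e.shell not in NOLOGIN_SHELLS]


if __name__ == "__main__":
    recs = parse_passwd(SAMPLE_PASSWD)
    for account, finding in audit_passwd(recs):
        print(f"{finding:16} {account}")
    print("service accounts with a shell:", system_accounts_with_shell(recs))
```

On a real host the same functions can be fed the contents of /etc/passwd; the password column there normally holds "x" because the hashes live in the shadow file, so an empty field is the finding to act on.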
Locating User Accounts
► finger
 Get users that are currently logged in
 Determine if an account is active
 Last accessed
► rusers
 Returns remote user info
► whois
 Responsible for certain domain and active accounts
► Often treated as attacks
 Hosts will often refuse these commands
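Because finger and rusers lookups are commonly treated as reconnaissance, a host that still runs them should at least notice when one source queries it repeatedly. The block below is an added example, not from the slides: it parses constructed tcp_wrappers-style syslog lines for in.fingerd and rpc.rusersd and flags any source that makes a threshold number of lookups within a sliding time window. The log format, host name, addresses, threshold and window are all assumptions chosen for the demonstration.

```python
"""Flag repeated finger/rusers lookups from one source (added example, not from the slides)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed syslog lines in the tcp_wrappers style; not from a real host.
SAMPLE_SYSLOG = """\
Mar  3 10:01:22 bastion in.fingerd[2311]: connect from 192.0.2.10
Mar  3 10:01:23 bastion in.fingerd[2312]: connect from 192.0.2.10
Mar  3 10:01:24 bastion in.fingerd[2313]: connect from 192.0.2.10
Mar  3 10:01:25 bastion in.fingerd[2314]: connect from 192.0.2.10
Mar  3 10:01:26 bastion rpc.rusersd[2315]: connect from 192.0.2.10
Mar  3 10:02:40 bastion in.fingerd[2320]: connect from 203.0.113.5
Mar  3 10:09:00 bastion in.fingerd[2330]: refused connect from 198.51.100.7
Mar  3 10:45:00 bastion in.fingerd[2340]: connect from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"(?P<daemon>in\.fingerd|rpc\.rusersd)\[\d+\]: "
    r"(?P<verdict>refused connect|connect) from (?P<src>\S+)$"
)

Event = Tuple[datetime, str, str, bool]  # (timestamp, source, daemon, refused?)


def parse_events(text: str, year: int = 2024) -> List[Event]:
    """Extract lookup events; syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated daemon or malformed line
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["daemon"], m["verdict"] == "refused connect"))
    return events


def flag_enumeration(events: List[Event], threshold: int = 3, window_s: int = 60) -> Dict[str, int]:
    """Sources with at least `threshold` lookups inside any `window_s`-second window.

    Returns source -> highest count seen in one window. Refused attempts count too:
    the probing happened even if the wrapper denied it.
    """
    by_src = defaultdict(list)
    for ts, src, _daemon, _refused in sorted(events):
        by_src[src].append(ts)
    flagged: Dict[str, int] = {}
    for src, times in by_src.items():
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


if __name__ == "__main__":
    for src, count in flag_enumeration(parse_events(SAMPLE_SYSLOG)).items():
        print(f"{src}: {count} lookups within 60s")
```

A single lookup from an address is ordinary use; the burst pattern is what separates curiosity from enumeration, and the threshold should be tuned against the host's normal traffic before it drives any alert.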
Authentication Standards
► NIS
 Network Information Service
 Distributes system configuration data such as user and host names between computers on a computer network.
 Used for maintenance and distribution of a central directory of user and group information, hostnames, email aliases and other text-based tables of information in a computer network.
 NIS can be configured to serve the password data used to authenticate users as well.
Kerberos
► Allows individuals communicating over a non-secure network to prove their identity to one another in a secure manner.
► Its designers aimed primarily at a client-server model, and it provides mutual authentication: both the user and the server verify each other's identity.
 Protocol messages are protected against eavesdropping and replay attacks.
► Kerberos builds on symmetric key cryptography and requires a trusted third party. Extensions to Kerberos can provide for the use of public-key cryptography during certain phases of authentication.
► Drawbacks
 Single point of failure: it requires continuous availability of a central server. When the Kerberos server is down, no one can log in.
 Kerberos requires the clocks of the involved hosts to be synchronized. Tickets have a time availability period and, if the host clock is not synchronized with the clock of the Kerberos server, authentication will fail.
 Secret keys for all users are stored on the central server; a compromise of that server will compromise all users' secret keys.
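To make the exchange and the drawbacks above concrete, here is an added example (not from the slides, and not a real Kerberos implementation) of a Kerberos-style ticket exchange between a user, a trusted KDC and a service, all sharing only symmetric keys. It is simplified in two assumed ways: the KDC issues the service ticket directly (the separate ticket-granting ticket step is skipped), and a toy authenticated cipher built from SHA-256 and HMAC stands in for Kerberos' real encryption. The service checks the ticket lifetime, the authenticator timestamp against a tolerated clock skew, and a replay cache, and then echoes the timestamp under the session key so the client can verify the service in turn. Principal names, key values and the 300-second skew are constructed for the demo.

```python
"""Simplified Kerberos-style ticket exchange (added example, not from the slides).

Assumed simplifications: a single KDC issues the service ticket directly (no
TGT/TGS step), and the toy cipher below replaces Kerberos' real encryption.
"""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption for the demo only: SHA-256 keystream + HMAC tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Trusted third party holding every principal's long-term secret key."""

    def __init__(self, principals: dict):
        self.keys = dict(principals)  # principal name -> long-term key

    def issue_ticket(self, user: str, service: str, now: int, lifetime: int = 8 * 3600) -> bytes:
        session_key = os.urandom(32)
        # Ticket: readable only by the service; carries the user name, session key and expiry.
        ticket = seal(self.keys[service],
                      {"user": user, "skey": session_key.hex(), "expires": now + lifetime})
        # Reply: readable only by the user; carries the same session key plus the opaque ticket.
        return seal(self.keys[user], {"skey": session_key.hex(), "ticket": ticket.hex()})


def client_begin(user_key: bytes, kdc_reply: bytes, user: str, now: int):
    """Decrypt the KDC reply and build a timestamped authenticator under the session key."""
    reply = unseal(user_key, kdc_reply)
    session_key = bytes.fromhex(reply["skey"])
    authenticator = seal(session_key, {"user": user, "ts": now})
    return session_key, bytes.fromhex(reply["ticket"]), authenticator


class Service:
    def __init__(self, key: bytes, max_skew: int = 300):
        self.key = key
        self.max_skew = max_skew   # tolerated clock difference in seconds (assumed value)
        self.replay_cache = set()  # (user, ts) pairs already accepted

    def accept(self, ticket: bytes, authenticator: bytes, now: int) -> bytes:
        t = unseal(self.key, ticket)
        if now > t["expires"]:
            raise PermissionError("ticket expired")
        session_key = bytes.fromhex(t["skey"])
        a = unseal(session_key, authenticator)  # proves the client holds the session key
        if a["user"] != t["user"]:
            raise PermissionError("authenticator does not match ticket")
        if abs(now - a["ts"]) > self.max_skew:
            raise PermissionError("clock skew too large")
        if (a["user"], a["ts"]) in self.replay_cache:
            raise PermissionError("replayed authenticator")
        self.replay_cache.add((a["user"], a["ts"]))
        # Mutual authentication: echo the client's timestamp under the session key,
        # which only a holder of the service's key could have recovered from the ticket.
        return seal(session_key, {"ts": a["ts"]})


def client_finish(session_key: bytes, service_reply: bytes, sent_ts: int) -> bool:
    """The client accepts the service only if it echoed the exact timestamp sent."""
    return unseal(session_key, service_reply)["ts"] == sent_ts
```

The "clock skew too large" branch is the second drawback from the slide: a client whose clock drifts beyond the tolerance is refused even with a valid ticket. The replay cache is keyed on the whole-second timestamp here; the real protocol includes finer-grained time precisely so that two legitimate requests in the same second do not collide.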
Lightweight Directory Access Protocol (LDAP)
► Protocol for querying and modifying directory services running over TCP/IP.
► LDAP is often used by other services for authentication, despite the security problems this causes.
► Most advanced and secure of the three standards.
LDAP/Kerberos replacing NIS
► NIS is the most common, but it is also completely insecure.
 Weakly encrypted passwords are sent over the network in the clear.
 Difficult to firewall.
 Clients have no way to ensure that the server they are talking to is actually an official server.
► Most LDAP server implementations support pretty good security through SSL for authentication and transport encryption, fine-grained access controls, etc.
► Thus many sites are based on using Kerberos for authentication and LDAP for directory services.
Bibliography
► http://jeremy.zawodny.com/perl/AcctInfo/AcctInfo.html
► http://docs.sun.com/app/docs/doc/8022002/6i60dq84q?l=ru&a=view
► http://www.nmrc.org/pub/faq/hackfaq/hackfaq-27.html
► http://aput.net/~jheiss/krbldap/howto.html
► http://en.wikipedia.org/wiki/Network_Information_Service