Introduction - Northern Kentucky University
Download
Report
Transcript Introduction - Northern Kentucky University
CIT 470: Advanced Network and
System Administration
Accounts and Namespaces
CIT 470: Advanced Network and System Administration
Slide #1
Topics
1. Namespaces
2. Policies
1.
2.
3.
4.
selection
lifetime
scope
security
3. User Accounts
4. PAM
5. LDAP Authentication
CIT 470: Advanced Network and System Administration
Slide #2
Namespaces
A namespace consists of
– A set of unique keys
– A set of attributes associated with each key
Example
– Key = Username
– Attributes
•
•
•
•
GECOS
Homedir
Shell
Password
CIT 470: Advanced Network and System Administration
Slide #3
Namespaces
Systems include many namespaces
User account names.
E-mail addresses.
Filesystem pathnames.
Hostnames.
IP addresses.
Printer names.
Service names.
CIT 470: Advanced Network and System Administration
Slide #4
Types of Namespaces
Flat
No duplicates may exist.
Ex: usernames in /etc/passwd.
Hierarchical
Tree-structured namespace like DNS.
Duplicates can exist.
Ex: www.nku.edu and www.google.com
CIT 470: Advanced Network and System Administration
Slide #5
Namespace Problems
1.
2.
3.
4.
How to select names?
How to avoid name collisions?
How to ensure consistency?
How to distribute names?
CIT 470: Advanced Network and System Administration
Slide #6
Name Selection
Functional Names
mail hostname, /cit/470, student account
Descriptive names
geographic, print type, customer type
Formula-based Names
cvg0141 hostname, student0148 account
Themed Names
constellations (orion, ursa, etc.)
No Standard
CIT 470: Advanced Network and System Administration
Slide #7
Name Lifetime
When are names removed?
Immediately after PC, user leaves org.
Set time after resource is no longer in use.
When are names re-used?
Immediately: functional names.
Never.
After a set time: usernames, email addresses.
CIT 470: Advanced Network and System Administration
Slide #8
Namespace Scope
Geographical scopes
–
–
–
–
Local machine. (e.g., /etc/passwd.)
Local network.
Organization.
Global (e.g., DNS.)
Service scopes
– Single username for UNIX, NT, RADIUS, e-mail, VPN?
Transferring scopes
– Difficult without advance planning.
– Some names may have to change.
CIT 470: Advanced Network and System Administration
Slide #9
Namespace Security
1. What are you trying to protect names from
and why?
2. Do the names need to be protected or just
the attributes?
3. Who can add, change, or delete records?
4. Can the owner of a record change fields
within the record?
CIT 470: Advanced Network and System Administration
Slide #10
Example Namespace: Usernames
Selection policies
– Descriptive: waldenj, jwalden
– Decriptive + formulaic: waldenj1, jwalden0002
Scope
– Use for every campus (avoids collisions.)
– Use for every service (avoids collisions.)
Lifetime
– Do not reuse until 1 year has passed since email
addresses derive from usernames.
CIT 470: Advanced Network and System Administration
Slide #11
One Big Database
Centralize namespace in one big database.
– Use SQL or LDAP to store entire namespace.
Derive other namespaces from database.
– Program to generate UNIX accounts.
– Program to generate NT accounts.
– etc.
Advantages
– Consistency
– Ease of making changes, additions, deletions.
CIT 470: Advanced Network and System Administration
Slide #12
User Account Types
OS files
– UNIX /etc/{passwd,shadow}
– Windows SAM
Network service
–
–
–
–
–
NIS
LDAP
Kerberos
Active Directory
RADIUS
CIT 470: Advanced Network and System Administration
Slide #13
UNIX Accounts
• Account Components
–
–
–
–
• Account Files
Username
UID
Password
Home directory
– /etc/passwd
– /etc/shadow
– /etc/group
• Account Management
– Adding users
– Removing and disabling users
– Account/password policies
CIT 470: Advanced Network and System Administration
Slide #14
/etc/{passwd,shadow}
Central file(s) describing UNIX user accounts.
/etc/passwd
–
–
–
–
–
–
Username
UID
Default GID
GCOS
Home directory
Login shell
/etc/shadow
–
–
–
–
–
–
–
Username
Encrypted password
Date of last pw change.
Days ‘til change allowed.
Days `til change required.
Expiration warning time.
Expiration date.
student:x:1000:1000:Example User,,555-1212,:/home/student:/bin/bash
student:$1$w/UuKtLF$otSSvXtSN/xJzUOGFElNz0:13226:0:99999:7:::
CIT 470: Advanced Network and System Administration
Slide #15
Username
Syntax
– Each username must be unique.
– Length limits (8 chars on old systems)
– Any character except : or \n.
Issues
– Naming standards.
– How to ensure that usernames are unique?
– System uses UIDs internally.
CIT 470: Advanced Network and System Administration
Slide #16
UIDs
• UIDs are 32-bit non-negative integers.
• Standards
– Root is UID 0.
– System accounts have low UIDs (<= 500)
• Uniqueness
– Multiple usernames can have same UID!
– Re-using UIDs may give away files to new user.
– Distributed systems may require unique UIDs across
organizational boundaries.
CIT 470: Advanced Network and System Administration
Slide #17
Password
Syntax
– Length: unlimited(MD5,SHA1), 8 chars(crypt)
– Chars: anything except \n, though certain control
chars may be interpreted by system.
Stored in “encrypted” format.
– Hashed: crypt, MD5, SHA1
– Salted: 12-bit salt means 4096 different hashes
for each password
CIT 470: Advanced Network and System Administration
Slide #18
GID
• GIDs are 32-bit non-negative integers.
• Each user has a default GID.
– File group ownership set to default GID.
– Temporarily change default GID: newgrp.
• Groups are described in /etc/group
– Users may belong to multiple groups.
– Format: group name, pw, GID, user list.
– wheel:x:10:root,waldenj,bergs
CIT 470: Advanced Network and System Administration
Slide #19
GECOS
Original use
– General Electric Comprehensive OS data
Current use
– User information.
– Full name, location, phone number, e-mail.
CIT 470: Advanced Network and System Administration
Slide #20
Home Directory
• User’s CWD at login time.
• Typically where user stores all files.
CIT 470: Advanced Network and System Administration
Slide #21
Login Shell
• Process started when user logs in.
• Typically a shell like bash, tcsh, ksh, ...
– System users may be different.
– Disabled accounts have a noshell program.
CIT 470: Advanced Network and System Administration
Slide #22
Adding a User
1. Create account with useradd.
2. Lock account until user arrives.
3. User signs account agreement.
4. Set passwd with passwd.
CIT 470: Advanced Network and System Administration
Slide #23
Adding a User
1.
2.
3.
4.
Edit /etc/{passwd,shadow} with vipw.
Set passwd with passwd command.
Edit /etc/group to add groups.
Create user home directory.
1. mkdir /home/studenta
2. chown studenta.student /home/studenta
3. chmod 755 /home/studenta
5. Copy default files from /etc/skel
.bashrc, .Xdefaults, .xsession, etc.
6. Set e-mail aliases, disk quotas, etc.
7. Verify that the account works.
CIT 470: Advanced Network and System Administration
Slide #24
Disabling an Account
Edit account configuration:
– Place * or ! in front of encrypted password.
– Replace shell with nologin program.
– Note: usermod -L will do this for you.
Kill active logins and processes.
– Note: usermod -L will not do this.
CIT 470: Advanced Network and System Administration
Slide #25
Removing a User
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Disable account.
Change shared passwords (root, etc.)
Kill active logins and processes.
Remove from local databases/files.
Remove from e-mail aliases.
Remove mail spool (backup first.)
Remove crontabs and pending jobs.
Remove temporary files.
Remove home directory (backup first.)
Remove from passwd, shadow, and group.
CIT 470: Advanced Network and System Administration
Slide #26
nsswitch.conf
Name Service Switch configuration file.
passwd:
shadow:
group:
hosts:
ethers:
netmasks:
networks:
protocols:
rpc:
services:
files
files
files
files
files
files
files
files
files
files
ldap
ldap
ldap
dns
CIT 470: Advanced Network and System Administration
Use both files and ldap
to enable failover when
LDAP unavailable.
Configure files first to
let root login when
LDAP down without
long timeout.
Slide #27
Configuring LDAP Authentication
1. Configure server with People/Group schema.
2. Migrate user data to LDAP directory.
3. Point clients to hostname and rootDN of svr.
authconfig
/etc/ldap.conf (PAM LDAP)
/etc/openldap/ldap.conf (LDAP)
4. Verify access to server with ldapsearch.
5. Edit /etc/ldap.conf to set DNs for
nss_base_{passwd, shadow, and group}
6. Modify nsswitch.conf to add ldap option:
passwd, shadow, and group
7. Modify PAM system-auth to use LDAP.
CIT 470: Advanced Network and System Administration
Slide #28
LDAP ACLs
LDAP ACL format:
access to <RDN>
by <self|anonymous|DN> <read|write|auth>
ex: Allow users to change passwords
access to attr=userPassword
by self write
by anonymous auth
by * none
CIT 470: Advanced Network and System Administration
Slide #29
Key Points
Namespace definition and policies
1.
2.
3.
4.
selection
lifetime
scope
security
UNIX Accounts
– File formats: passwd, shadow, group
Authentication
– PAM: purpose, includes
– nsswitch.conf: purpose and failover
CIT 470: Advanced Network and System Administration
Slide #30
References
1.
2.
3.
4.
5.
6.
Brian Arkills, LDAP Directories Explained: An Introduction and
Analysis, Addison-Wesley, 2003.
Gerald Carter, LDAP System Administration, O’Reilly, 2003.
Thomas Limoncelli, Christine Hogan, Strata Chalup, The Practice of
System and Network Administration, 2nd ed, Limoncelli and Hogan,
Addison-Wesley, 2007.
Linux PAM, http://www.kernel.org/pub/linux/libs/pam/
OpenLDAP, OpenLDAP Administrator’s Guide,
http://www.openldap.org/devel/admin/, 2007.
RedHat, Red Hat Enterprise Linux 5 Deployment Guide, Sections
25.3, 43.4, http://www.redhat.com/docs/enUS/Red_Hat_Enterprise_Linux/5.4/, 2009.
CIT 470: Advanced Network and System Administration
Slide #31