Chapter 4. Authentication Techniques and Infrastructures

Before you can perform any operation on a Linux system, you must have an identity, such as a username, SSH key, or Kerberos credential. The act of proving your identity is called authentication, and it usually involves some kind of password or digital key. To secure your Linux system, you need to create and control identities carefully. Our recipes span the following authentication systems:

Pluggable Authentication Modules (PAM)

An application-level, dynamically configurable system for consistent authentication. Instead of having applications handle authentication on their own, they can use the PAM API and libraries to take care of the details. Consistency is achieved when many applications perform the same authentication by referencing the same PAM module. Additionally, applications needn't be recompiled to change their authentication behavior: just edit a PAM configuration file (transparent to the application) and you're done.

Secure Sockets Layer (SSL)^[1]

A network protocol for reliable, bidirectional, byte-stream connections. It provides cryptographically assured privacy (encryption), integrity, optional client authentication, and mandatory server authentication. Its authentication relies on X.509 certificates: data structures that bind an entity's public key to a name. The binding is attested to by a second, certifying entity, by means of a digital signature; the entity owning the public key is the certificate's subject , and the certifying entity is the issuer. The issuer in turn has its own certificate, with itself as the subject, and so on, forming a chain of subjects and issuers. To verify a certificate's authenticity, software follows this chain, possibly through several levels of certificate hierarchy, until it reaches one of a set of built-in, terminal (self-signed ) certificates marked as trusted by the user or system. Linux includes a popular implementation of SSL, called OpenSSL.

Kerberos

A sophisticated, comprehensive authentication system, initially developed at the Massachusetts Institute of Technology as part of Project Athena in the 1980s. It involves a centralized authentication database maintained on one or more highly-secure hosts acting as Kerberos Key Distribution Centers (KDCs). Principals acting in a Kerberos system (users, hosts, or programs acting on a user's behalf) obtain credentials called " tickets" from a KDC, for individual services such as remote login, printing, etc. Each host participating in a Kerberos "realm" must be explicitly added to the realm, as must each human user.

Kerberos has two major versions, called Kerberos-4 and Kerberos-5, and two major Unix-based implementations, MIT Kerberos (http://web.mit.edu/kerberos/www) and Heimdal (http://www.pdc.kth.se/heimdal). We cover the MIT variant of Kerberos-5, which is included in Red Hat 8.0. SuSE 8.0 includes Heimdal; our recipes should guide you toward getting started there, although some details will be different. You could also install MIT Kerberos on SuSE.

Secure Shell (SSH)

Provides strong, cryptographic authentication for users to access remote machines. We present SSH recipes in Chapter 6.

Authentication is a complex topic, and we won't teach it in depth. Our recipes focus on basic setup and scenarios. In the real world, you'll need a stronger understanding of (say) Kerberos design and operation to take advantage of its many features, and to run it securely. For more information see the following web sites:

Linux-PAM

http://www.kernel.org/pub/linux/libs/pam

OpenSSL

http://www.openssl.org

Kerberos

http://web.mit.edu/kerberos/www

SSH

http://www.openssh.com

In addition, there are other important authentication infrastructures for Linux which we do not cover. One notable protocol is Internet Protocol Security (IPSec), which provides strong authentication and encryption at the IP level. A popular implementation, FreeS/WAN, is found at http://www.freeswan.org.

# cp pam_foo.so /lib/security # cd /lib/security # chown root.root pam_foo.so # chmod 755 pam_foo.so