UCS 2.4 - Univention
10.3.5 Testing Univention Firewall settings
Packet filter settings should always be thoroughly tested. The network scanner nmap, which is included in Univention Corporate Server as a standard package, can be used to test the status of individual ports. Since nmap needs raw-socket access to the network stack for most scan types, it should be started as the root user. A TCP port is tested with the following command:

nmap HOSTNAME -p PORT(s)

A UDP port is tested with the following command:

nmap HOSTNAME -sU -p PORT(s)

Examples:

• nmap 192.168.1.100 -p 400
• nmap 192.168.1.110 -sU -p 400-500

nmap reports each port as open, closed or filtered. A filtered result is what a blocking packet filter rule should produce; closed means the packet reached the host and no service is listening there. For UDP, nmap often cannot distinguish between an open service that does not answer and a dropped packet and then reports open|filtered. Run the scan from a second host, so that the packets traverse the interfaces to which the filter rules apply.
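The following script, added here as an example and not part of the manual, turns such a scan into a pass/fail check against a written policy: it parses nmap's greppable output (nmap -oG -) and compares the state reported for each port with the state the packet filter is supposed to produce. The scan output embedded in it is a constructed sample; the host address, the port list and the policy are assumptions.

```shell
#!/bin/sh
# Added example (not part of the UCS manual): compare a packet-filter policy
# with what nmap actually observed. Feed it the greppable output of
#   nmap -oG - HOST -p PORTS        (run as root, from a second host)
# and a policy listing the state each port must show.

# Constructed sample of "nmap -oG -" output (assumed host and ports). Real
# output separates the fields with tabs; the parser accepts tabs or spaces.
SAMPLE_SCAN='# Nmap scan initiated (constructed sample, not a real scan)
Host: 192.168.1.100 ()  Status: Up
Host: 192.168.1.100 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 400/filtered/tcp//work-sol///, 7389/closed/tcp//ldap///, 53/open|filtered/udp//domain///  Ignored State: filtered (0)
# Nmap done -- 1 IP address (1 host up) scanned'

# Expected policy (assumed), one "PORT/PROTO STATE" per line. "filtered" is
# what a blocking rule produces; "closed" means the packet reached the host
# and nothing listens there; UDP often only yields "open|filtered".
POLICY='22/tcp open
80/tcp open
400/tcp filtered
7389/tcp closed
53/udp open|filtered'

# port_state SCAN PORT PROTO: print the state nmap reported for PORT/PROTO,
# nothing if the port was not part of the scan.
port_state() {
    printf '%s\n' "$1" |
        grep '^Host:.*Ports:' |
        sed 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//' |
        awk -F/ -v port="$2" -v proto="$3" \
            '$1 == port && $3 == proto { print $2; exit }'
}

# check_policy SCAN POLICY: return 0 when every policy line matches the
# scan, 1 otherwise; each deviation is printed on one line.
check_policy() {
    cp_rc=0
    while read -r cp_spec cp_want; do
        if [ -z "$cp_spec" ]; then continue; fi
        cp_got=$(port_state "$1" "${cp_spec%/*}" "${cp_spec#*/}")
        if [ -z "$cp_got" ]; then cp_got=unscanned; fi
        if [ "$cp_got" != "$cp_want" ]; then
            echo "MISMATCH $cp_spec: policy says $cp_want, nmap reports $cp_got"
            cp_rc=1
        fi
    done <<EOF
$2
EOF
    return $cp_rc
}

# Stand-alone usage: exit status 0 means the filter behaves as the policy says.
check_policy "$SAMPLE_SCAN" "$POLICY" && echo "packet filter matches policy"
```

Replace SAMPLE_SCAN with the real output of nmap -oG - and keep the policy file next to the firewall configuration; a port that the policy lists but the scan did not cover is reported as unscanned rather than silently passing.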
10.4 Authentication / PAM

Authentication services in Univention Corporate Server are realised via Pluggable Authentication Modules (PAM). PAM presents the different login procedures behind a common interface, so that a new login method can be added without adapting existing applications.

In the UCS PAM configuration, different methods can be used for the authentication of user accounts: unix verifies the password against the hash stored in /etc/shadow, ldap performs a bind attempt against the LDAP server with the supplied password, and krb5 verifies the password against the user's Kerberos key, which is also stored in LDAP. Other methods exist as well; the secure shell (ssh), for example, can use a key pair to verify that the user really is who he claims to be.

In UCS it is normally sufficient if the identity can be verified by one of these methods. Which methods are used is configured with the Univention Configuration Registry variable auth/admin/methods for the administrator and the Univention Configuration Registry variable auth/user/methods for all other users. The default setting is krb5 ldap unix, which permits all three methods.
Alongside this verification, certain services also require a valid user account: the account assigns the user a home directory, a numerical user identification (UID) and group memberships. This information is required, among other things, for logins on GDM, on the text console or via SSH. Samba also needs it to store data saved by the user on the UNIX file system and to check whether access to files and directories is permitted. In addition, the account data includes further information such as the age of the password, whether the account is deactivated or whether the account is only valid on certain hosts.

Here too, different methods are used via PAM, and they can be extended or restricted: unix uses the information from /etc/passwd, /etc/group and /etc/shadow, together with /etc/nsswitch.conf, through which further information sources can be attached. The latter is used to mount all the users