ADMIN

Recommendations

Info

Nuts and Bolts PAM and Hardware © Ana Vasileva, Fotolia.com Flexible user authentication with PAM Turnkey Solution PAM is a very powerful framework for handling software- and hardware-based user authentication, giving administrators a choice of implementation methods. By Thorsten Scherf Hardware innovations are daily business in user account authentication. Pluggable Authentication Modules (PAM) help transparently integrate these new devices into a system. This gives experienced administrators the option of offering a variety of different authentication methods to their users while providing scope for controlling the total user session workflow. Old School User logins on Linux systems are traditionally handled by the /etc/ passwd and /etc/shadow files. When a user runs the login command to log in to the system with a name and password, the program creates a cryptographic checksum of the password and compares the results with the checksum stored for this user in the /etc/shadow file. If the checksums match, the user is authenticated; if not, the login will fail. This approach doesn’t scale well. In larger environments, user credentials are typically stored centrally on an LDAP server, for example. In this case, the login program doesn’t retrieve the password checksum from the /etc/shadow file but from a directory service. This task can be simplified by deploying PAM [1]. Modular Authentication Originally developed in the mid- 1990s by Sun Microsystems, PAM is available on most Unix-style systems today. PAM offloads the whole authentication process from the application itself to a central framework comprising an extensive collection of modules (Figure 1). Each of these modules handles a specific task; however, the application only gets to 78 Admin 01 www.admin-magazine.com
PAM and Hardware Nuts and Bolts Figure 1: PAM provides a centralized user management framework for the application. Figure 2: A classic PAM configuration file contains modules and libraries that the administrator can use to customize PAM. know whether or not the user logged in successfully. In other words, it is PAM’s job to find a suitable method for authenticating the user. The PAM framework defines what this method looks like, and the application remains blissfully unaware of it. PAM can use various authentication methods. Besides popular networkbased methods like LDAP, NIS, or Winbind, PAM can use more recent libraries to access a variety of hardware devices, thus supporting logins based on smartcards or the user’s digital fingerprint. One-time password systems, such as S/Key or SecurID, are also supported by PAM, and some methods even require a specific Bluetooth device to log in the user. The way PAM works is fairly simple. Each PAM-aware application (the application must be linked against the libpam library) has a separate configuration file in the /etc/pam.d/ folder. The file will typically be named after the application itself – login, for example. Within the file, modules distribute PAM tasks among themselves. Numerous libraries are available in each group, and they handle a variety of tasks within the group (Figure 2). Control flags let you manage PAM’s behavior in case of error – for example, if a user fails to provide the correct password or if the system is unable to verify a fingerprint. Fingerprints More recent PAM libraries allow administrators to authenticate users by means of smartcards, USB tokens, or biometric features. State-of-the-art notebooks often include a fingerprint reader that allows the owner to use a digital fingerprint when logging into the system. The PAM ThinkFinger library [2] provides the necessary support. According to the documentation, the module will support the UPEK/ SGS Thomson Microelectronics fingerprint reader used by most recent Lenovo notebooks and many external devices. Most major Linux distributions offer prebuilt packages for the PAM libraries. You can use your distribution’s package manager to install the software from the repositories. To install the required packages on your hard disk, you would give the yum install thinkfinger command on a Fedora system and apt‐get install thinkfinger‐tools U libpam‐thinkfinger on Ubuntu Hardy. Gentoo admins can issue a compact command: emerge sys‐auth/thinkfinger If you’re using openSUSE, you’ll need the libthinkfinger and pam_thinkfinger packages, the repository versions of which are not up to date. You might prefer a manual install with the typical ./configure, make, make install steps and files from the current source code archive. Debian users on Lenny will need to access the Experimental repository and then type aptitude install libthinkfinger0 U libpam‐thinkfinger thinkfinger‐tools for the install. Before you modify the existing PAM configuration, you might want to test the device itself. To do so, scan a fingerprint by giving the tf‐tool ‐‐acquire command (Figure 3). Then you can use tf‐tool ‐‐verify to verify the results. You might see a Fingerprint does *not* match message at this point; initial attempts can be fairly inaccurate because you will need to familiarize yourself with the device. If you drag your finger too quickly or too slowly across the scanner, the device could fail to identify the fingerprint correctly. In this case, it will output an error message and quit. When you achieve reliable results from fingerprint scans, you can delete the temporary file with the test scan in /tmp and create an individual file for each user on the system that will contain the user’s fingerprint. The command is tf‐tool ‐‐add‐user username (Figure 4). Users must scan their fingerprints three times for this to work. If the fingerprint is identified correctly each time, the tool will store it in a separate file below /etc/pam_thinkfinger/. Once everything is working, you can begin the PAM configuration. Figure 2 shows a PAM configuration for the login program that lists just one authentication module: pam_unix. If you want to authenticate against the fingerprint scanner first, you need to www.admin-magazine.com Admin 01 79
Page 1 and 2:
ADMIN Network & Security Rescue CD
Page 3 and 4:
Welcome to Admin WELCOME ALL FOR AD
Page 5 and 6:
Table of Contents SERVICE 8 Spacewa
Page 7 and 8:
POWERHOUSE PERL 11 cool projects! F
Page 9 and 10:
Spacewalk Features configuration fi
Page 11 and 12:
Spacewalk Features Figure 2: Assign
Page 13 and 14:
Spacewalk Features kickstart profil
Page 15 and 16:
Icinga Features Table 1: States Opt
Page 17 and 18:
Icinga Features ministrators only n
Page 19 and 20:
Icinga Features Figure 6: Network o
Page 21 and 22:
MySQL Forks and Patches Features th
Page 23 and 24:
MySQL Forks and Patches Features In
Page 25 and 26:
Exchange 2010 Features © peapop, F
Page 27 and 28: they can now synchronize text messa
Page 29 and 30: Backup Software Features data. One
Page 31 and 32: Backup Software Features tended), l
Page 33 and 34: Backup Software Features Two “wiz
Page 35 and 36: Backup & Disaster Recovery Georgeto
Page 37 and 38: OCFS2 Tools ing. OCFS2 is fairly si
Page 39 and 40: OCFS2 Tools F Figure 2: Unspectacul
Page 41 and 42: To do this, you need to change the
Page 43 and 44: Synergy Tools Figure 1: Synergy as
Page 45 and 46: SystemTap Tools The SystemTap [3] t
Page 47 and 48: SystemTap Tools Instead of searchin
Page 49 and 50: Package Your Scripts Virtualization
Page 51 and 52: Linux Magazine ACADEMY curl U http:
Page 53 and 54: openVz VirtuAlizAtion live migratio
Page 55 and 56: OpenVZ Virtualization a number of c
Page 57 and 58: OpenVZ Virtualization OpenVZ kernel
Page 59 and 60: AND SAVE 30%! ADMIN Network & Secur
Page 61 and 62: Virtual Machine Manager Virtualizat
Page 63 and 64: Virtual Machine Manager Virtualizat
Page 65 and 66: Teamviewer Management and be contro
Page 67 and 68: NOV. 7-12 2010 24th Large Installat
Page 69 and 70: Chef Management Server Provides rec
Page 71 and 72: Chef Management ‐r http://s3.amaz
Page 73 and 74: Chef Management Figure 5: The clien
Page 75 and 76: Sysinternals Management AdInsight a
Page 77: Sysinternals Management Name Table
Page 81 and 82: November 13-19, 2010 • Ernest N.
Page 83 and 84: PAM and Hardware Nuts and Bolts to
Page 85 and 86: ON NEWSSTANDS NOW ! UBUNTU USER MAG
Page 87 and 88: modSecurity nutS And boltS complex
Page 89 and 90: ModSecurity Nuts and bolts Insider
Page 91 and 92: REAL SOLUTIONS FOR REAL NETWORKS Ea
Page 93 and 94: Daemon Monitoring Nuts and Bolts Fi
Page 95 and 96: VPns with SSTP nuTS And BoLTS Hands
Page 97 and 98: VPNs with SSTP Nuts and Bolts Figur
Page 100: DEDICATED SERVERS £59 FROM PER MON
show all

ADMIN

Create successful ePaper yourself

Delete template?

Save as template?