CIT 500: IT Fundamentals Users
Topics • Identity • User Accounts • /etc/{passwd,shadow} • User Commands • Passwords • Groups
What is Identity? Computer’s representation of an entity. Authentication binds a principal to an identity. Example: • username expresses your identity. • password binds the person typing to that particular identity (username).
Purpose of Identity Access control • Most systems base access rights on the identity of the principal executing the process. Accountability • Logging and auditing functions. • Need to track identity across account/role changes (e.g., su, sudo) so that actions taken as root can still be traced back to the person who ran them.
What is Authentication? Binding of an identity to a subject. Based on one of the following factors: • What the entity knows (e.g., passwords) • What the entity has (e.g., access card) • What the entity is (e.g., fingerprints) • Where the entity is (e.g., local terminal) Or a combination of two or more factors.
Groups and Roles An “entity” may be a set of entities referred to by a single identifier. Users often need to share access to files, and so are collected into groups. A role is a group whose membership is tied to a job function rather than to particular people.
User Types Regular users • Humans with accounts on the system. • May log in via the network or on the console. Special users • Non-human users for specific programs, e.g. http for a web server. • Exist so that a service's files and processes are owned by a low-privilege account rather than by root. Superuser • The kernel grants special permissions to UID 0, not to the name root: any account with UID 0 is a superuser. • The username is typically root.
User Accounts UNIX accounts are described by the following fields • Username • User ID (UID) • Group ID (GID) • Password • Comment (a/k/a GECOS field: real name, office, phone) • Home directory • Login shell User account data is stored in /etc/passwd, which is world-readable because many programs need to map UIDs to names • Except the password hash, which is in /etc/shadow; /etc/passwd holds only an x placeholder in that field.
/etc/passwd One entry per line, seven colon-separated fields: username:password:UID:GID:GECOS:home:shell
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
waldenj:x:100:100:James Walden, faculty:/home/waldenj:/bin/bash
smithj:x:101:101:John Smith, student:/home/smithj:/bin/bash
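Because any account with UID 0 is a superuser, auditing /etc/passwd for unexpected UID-0 entries, shared UIDs and empty password fields is a routine check. The following parser and audit is an added example, not part of the slides; the sample input reuses the slide's format, and the trailing toor line is a constructed rogue entry added to show what the check catches.

```python
# Added example (not from the CIT 500 slides): parse /etc/passwd lines and
# flag entries a system administrator should look at.
from collections import Counter

# Constructed sample in the slide's /etc/passwd layout. The last line is a
# hypothetical rogue account, added only to exercise the audit.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
waldenj:x:100:100:James Walden, faculty:/home/waldenj:/bin/bash
smithj:x:101:101:John Smith, student:/home/smithj:/bin/bash
toor::0:0:backdoor:/root:/bin/bash
"""

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Return one dict per non-empty line, keyed by the seven passwd fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries


def audit_passwd(entries):
    """Return a list of (username, problem) tuples for suspicious entries."""
    findings = []
    uid_count = Counter(e["uid"] for e in entries)
    for e in entries:
        # Only the UID matters to the kernel; a second UID-0 account is a
        # second root, whatever it is called.
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "UID 0 account other than root"))
        # An empty password field means no password is required at all
        # (subject to PAM settings); anything other than 'x' means the hash
        # is exposed in the world-readable file instead of /etc/shadow.
        if e["password"] == "":
            findings.append((e["name"], "empty password field: no password required"))
        elif e["password"] != "x":
            findings.append((e["name"], "password hash stored in /etc/passwd, not /etc/shadow"))
        # Two accounts with one UID are indistinguishable for permission checks.
        if uid_count[e["uid"]] > 1:
            findings.append((e["name"], f"UID {e['uid']} shared with another account"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(f"{name}: {problem}")
```

On a real system, run the same functions over the contents of /etc/passwd (readable by any user) and compare the results with getent passwd, which also covers NIS and LDAP sources.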
/etc/shadow Root-only readable file for password storage • Prevents ordinary users from reading the password hashes and running offline guessing attacks against them. • Additional fields support password aging features. One line per account, with nine colon-separated fields • Username • Hashed password (crypt(3) format; * or ! means no valid password) • Days since 1/1/1970 that the password was last changed (0 forces a change at next login) • Minimum days before the password may be changed again • Maximum days after which the password must be changed • Days before expiry that the user is warned • Days after the password expires until the account is disabled • Days since 1/1/1970 on which the account itself expires • Reserved for future use
/etc/shadow
root:$1$A4h5.ZbC$DekjN2J7W5jymRS8gAbcT2:14565:0:99999:7:::
daemon:*:14537:0:99999:7:::
bin:*:14537:0:99999:7:::
sys:*:14537:0:99999:7:::
games:*:14537:0:99999:7:::
man:*:14537:0:99999:7:::
lp:*:14537:0:99999:7:::
mail:*:14537:0:99999:7:::
news:*:14537:0:99999:7:::
uucp:*:14537:0:99999:7:::
waldenj:$1$0nAbDEFg$HiJk9l1mNopQRlhTUVW5x.:14537:0:99999:7:::
smithj:$1$j02bHyTU$.vwXYz1ABcDEcfGH83IjK/:14565:0:99999:7:::
Note that not all fields are used on every line: the blank trailing fields mean no inactivity period, no account expiry date, and an unused reserved field. A * in the hash field (daemon, bin, and the other special users) matches no password, so those accounts cannot log in with one. A maximum age of 99999 effectively disables password aging. The $1$ prefix identifies MD5-crypt; current distributions use $6$ (SHA-512 crypt) or $y$ (yescrypt) instead.
Accessing Account Information Direct access to account information (reading /etc/shadow requires root) grep username /etc/{passwd,shadow} grep username /etc/group What if account information is elsewhere? getent consults every source listed in /etc/nsswitch.conf, not just the local files getent passwd username getent group groupname Where else might account info be stored? NIS LDAP
User Identification Commands The whoami command provides username of the current user. > whoami waldenj The id command provides complete user and group information with user and group names and UIDs and GIDs. > id uid=100(waldenj) gid=100(waldenj) groups=100(waldenj),1001(faculty) > id smithj uid=101(smithj) gid=101(smithj) groups=101(smithj),1001(faculty)
Changing your Identity The su command starts a new shell under another user's identity (UID and GID). • Without an argument, changes to root. • Requires the target user's password unless you are already root. • Use the exit command to leave that shell and return to your original identity. The sudo command runs a single command as root (or as another user with -u). • Authenticate with your own password; /etc/sudoers controls who may run what. • Each invocation is logged, which preserves accountability. • sudo cat /etc/shadow • sudo useradd
Superuser Powers Superuser can • Read any file. • Modify any file. • Add / remove users. • Become any user (su without a password). • Kill any process. • Reprioritize processes. • Configure the network. • Set date/time. • Shutdown / reboot. Superuser can't • Change a read-only filesystem. • Recover passwords from their hashes (hashing is one-way; only guessing works). • Act as root on NFS-mounted filesystems exported with root_squash, which maps UID 0 to an unprivileged user. • Read or modify files that SELinux policy protects while SELinux is enforcing.
Creating an Account useradd -c "John Smith" username • Creates an account with the specified username. • Sets the comment (GECOS) field to "John Smith" to store the real name. • Uses defaults from /etc/login.defs and /etc/default/useradd for the other fields, such as home directory, shell, password aging, etc. • The new account has no usable password until one is set. To set the password become root and run • passwd username
Modifying an Account usermod [options] username
-c comment
-d homedir
-e YYYY-MM-DD [account expiry date]
-G group1,group2 [sets the supplementary groups; groups not listed are removed]
-aG group1,group2 [appends to the supplementary groups]
-l newusername [changes username]
-L [locks the account by prefixing the hash in /etc/shadow with !, preventing password logins]
-U [unlocks]
-s shell
Removing an Account The userdel command removes an account. Must supply the -r option to also remove the home directory and mail spool.
Passwords Passwords • Most common type of authentication. • Authentication binds a person to an identity. • Use passwd command to change. Attacks against passwords • Reading passwords from disk storage. • Intercepting passwords via wiretapping. • Guessing passwords.
Protecting Passwords Against disk storage attacks • Store the password data in a root-only file, /etc/shadow. • Store a salted one-way hash of the password, not the password itself. • At login, hash the password the user typed with the stored salt and compare the result with the stored hash. Against wiretapping • Do not send passwords over email. • Use encrypted protocols like ssh (not telnet or rlogin) to log in. Against guessing • Do not use dictionary words, birthdates, or names. • Choose a long password.
Commonly Used Bad Passwords 123456, letmein, password, 12345678, dragon, qwerty, michael, 654321, harley, ranger, iwantu, xxxxxxx, turtle, united, porsche, guitar, black, diamond, nascar, jun0389, 06031989, amanda, phoenix, mickey, tigers, purple, xmen94, aaaaaa, prince, beach, amateur, ncc1701, tennis, startrek, swimming, kitty, rainbox, 112233, 232323, giants, enter, 0, cupcake, 8675309, marlboro, newyork, diablo, sexsex, access14, abgrtyu, 123123, dragon123, applepie, 31415926, 99skip, just4fun, xcvb, typewriter
How to Select Good Passwords • Long passwords consisting of multiple words. If the phrase is too long, use the nth letter of each word. • Themes: • Word combinations: 3 blind katz • E-mail or URL: yoda@strong-this-password-is.net • Phone number: (888) 888-eight eight • Bracketing: Starfleet -> *!-Starfleet-!* • Add a word: shopping -> Goin’ shopping • Repetition: Pirate--PirateShip • Letter swapping: Sour Grape -> Gour Srape
Password Aging Requirement that a password be changed after a period of time or after an event has occurred. If the expected time to guess a password is 180 days, it should be changed more often than every 180 days. • If the change interval is too short, users have difficulty recalling passwords and start writing them down. • Do not allow users to change the password back to the current one. • Also prevent users from changing passwords too soon (a minimum age), which would otherwise let them cycle straight back to an old password. • Give notice of an impending password change requirement. • Expire the account to prevent logins if the password is not changed within the time specified by policy. On Linux these rules map onto the aging fields of /etc/shadow, set with chage or passwd.
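The aging policy above is enforced entirely from the /etc/shadow fields listed on the earlier slide. The following parser and status function is an added example (not from the slides) that reads shadow lines and reports, for a given day number, whether each account is fine, in its warning window, must change its password, has been disabled after the grace period, or has expired outright. The sample lines reuse the slide's layout with placeholder hashes, and the "today" day numbers are assumed values.

```python
# Added example (not from the CIT 500 slides): interpret the nine fields of
# /etc/shadow and derive each account's password-aging state. Day numbers are
# days since 1970-01-01, exactly as stored in the file.
SHADOW_FIELDS = ("name", "hash", "last_change", "min_days", "max_days",
                 "warn_days", "inactive_days", "expire_day", "reserved")

# Constructed sample; the hashes are placeholders, not real password hashes.
# waldenj has 90-day aging with a 14-day warning and 30-day grace period,
# guest has a hard account expiry, newhire is forced to change at next login.
SAMPLE_SHADOW = """\
root:$6$placeholder$notarealhash:14565:0:99999:7:::
daemon:*:14537:0:99999:7:::
waldenj:$6$placeholder$notarealhash:14537:7:90:14:30::
smithj:!$6$placeholder$notarealhash:14565:0:99999:7:::
guest::14500:0:30:5::14560:
newhire:$6$placeholder$notarealhash:0:0:99999:7:::
"""


def _int_or_none(s):
    return int(s) if s != "" else None


def parse_shadow(text):
    """Return {username: entry}; blank numeric fields become None."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 9:
            raise ValueError(f"expected 9 fields: {line!r}")
        e = dict(zip(SHADOW_FIELDS, parts))
        for key in SHADOW_FIELDS[2:8]:
            e[key] = _int_or_none(e[key])
        entries[e["name"]] = e
    return entries


def password_state(entry):
    """Classify the hash field: '*' / '!' can match no password, a leading '!'
    in front of a real hash is what usermod -L writes, empty means no password."""
    h = entry["hash"]
    if h == "":
        return "empty"
    if h in ("*", "!", "!!"):
        return "no-password"
    if h.startswith("!"):
        return "locked"
    return "set"


def aging_status(entry, today):
    """Return one of: ok, warn, must-change, disabled, expired."""
    # Account-level expiry date applies regardless of the password's age.
    if entry["expire_day"] is not None and today >= entry["expire_day"]:
        return "expired"
    last, max_days = entry["last_change"], entry["max_days"]
    if last == 0:
        return "must-change"       # convention: last change 0 forces a change
    if last is None or max_days is None or max_days >= 99999:
        return "ok"                # no maximum age: aging disabled
    change_due = last + max_days
    if today >= change_due:
        inactive = entry["inactive_days"]
        if inactive is not None and today >= change_due + inactive:
            return "disabled"      # grace period after expiry used up
        return "must-change"
    if today >= change_due - (entry["warn_days"] or 0):
        return "warn"
    return "ok"


if __name__ == "__main__":
    today = 14620  # assumed day number for the demonstration
    for name, e in parse_shadow(SAMPLE_SHADOW).items():
        print(f"{name:8} password={password_state(e):11} aging={aging_status(e, today)}")
```

chage -l username prints the same fields as dates on a live system; the function above is the arithmetic behind that report.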
Groups Users belong to one or more groups. • A user always has a primary group (the GID in /etc/passwd). • Files are created with the GID of the primary group (unless the directory is setgid). • A user can access files accessible to any of the groups to which the user belongs. Groups contain zero or more users. • Created by the system administrator. • Some groups exist for programs, like the special users. • Other groups exist for human users.
/etc/group One entry per line, four colon-separated fields: groupname:password:GID:member,member,... (the x means any group password lives in /etc/gshadow; a user's primary group need not list that user here)
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
waldenj:x:100:
smithj:x:101:
faculty:x:1001:smithj,waldenj
Group Commands groupadd [-g GID] groupname Creates a new group. groupmod [-n newgroupname] [-g newGID] groupname Renames a group or changes its GID. usermod -aG groupname username adds a user to a group (usermod -G alone replaces the user's whole supplementary group list). groupdel groupname removes a group.
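The output that id printed on the earlier slide is just the union of the primary GID from /etc/passwd with every /etc/group line that names the user. The following function reconstructs it from the two files, as an added example that is not part of the slides; the sample lines are the slide's entries for root, waldenj and smithj.

```python
# Added example (not from the CIT 500 slides): compute what `id username`
# prints from /etc/passwd and /etc/group lines, showing how the primary
# group and the supplementary groups combine.

# Constructed samples copied from the slide's file layouts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
waldenj:x:100:100:James Walden, faculty:/home/waldenj:/bin/bash
smithj:x:101:101:John Smith, student:/home/smithj:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:
waldenj:x:100:
smithj:x:101:
faculty:x:1001:smithj,waldenj
"""


def load_passwd(text):
    """Return {username: (uid, primary_gid)}."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid, gid, _gecos, _home, _shell = line.split(":")
            users[name] = (int(uid), int(gid))
    return users


def load_group(text):
    """Return {gid: (groupname, set of listed member names)}."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, members = line.split(":")
            groups[int(gid)] = (name, set(filter(None, members.split(","))))
    return groups


def user_groups(username, users, groups):
    """Return (uid, primary gid, sorted [(gid, name), ...]) for the user.
    The primary group comes from passwd even if /etc/group does not list the
    user as a member; supplementary groups come from the member lists."""
    if username not in users:
        raise KeyError(f"id: '{username}': no such user")
    uid, gid = users[username]
    gids = {gid}
    for g, (_name, members) in groups.items():
        if username in members:
            gids.add(g)
    # A GID with no /etc/group entry is shown numerically, as id does.
    names = {g: groups[g][0] if g in groups else str(g) for g in gids}
    return uid, gid, sorted((g, names[g]) for g in gids)


def format_id(username, users, groups):
    """Render the tuple from user_groups in id(1)'s output format."""
    uid, gid, glist = user_groups(username, users, groups)
    primary_name = dict(glist)[gid]
    grp = ",".join(f"{g}({n})" for g, n in glist)
    return f"uid={uid}({username}) gid={gid}({primary_name}) groups={grp}"


if __name__ == "__main__":
    users, groups = load_passwd(SAMPLE_PASSWD), load_group(SAMPLE_GROUP)
    for user in users:
        print(format_id(user, users, groups))
```

This is why adding a user to a group with usermod -aG only takes effect at the next login: the kernel copies the group list into the process at login time, and running processes keep the old set.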