Introduction to Linux (Authentication Systems, User Accounts, LDAP and NIS) Süha TUNA Res. Assist.

Transcription

1 Introduction to Linux (Authentication Systems, User Accounts, LDAP and NIS) Süha TUNA Res. Assist.

2 Outline 1. What is authentication? a. General Informations 2. Authentication Systems in Linux a. Local Authentication Systems Local Authentication in CentOS b. Global Authentication Servers LDAP NIS

3 General Information

4 /etc/passwd 1 Username: It is used when user logs in. It should be between 1 and 32 characters in length. 2 Password: An x character indicates that encrypted password is stored in /etc/ shadow file. 3 User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further UID are reserved by system for administrative and system accounts/ groups. 4 Group ID (GID): The primary group ID (stored in /etc/group file) 5 User ID Info: The comment field. It allow you to add extra information about the users such as user's full name, phone number etc. This field use by finger command. 6 Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exists then users directory becomes / 7 Command/shell: The absolute path of a command or shell (/bin/bash). Typically, this is a shell. Please note that it does not have to be a shell. 1

5 /etc/shadow 1 User name: It is the login name 2 Password: The encrypted password. The password should be minimum 6-8 characters long including special characters/digits 3 Last password change (lastchanged): Days since Jan 1, 1970 that password was last changed 4 Minimum: The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/ her password 5 Maximum: The maximum number of days the password is valid (after that user is forced to change his/her password) 6 Warn The number of days before password is to expire that user is warned that his/her password must be changed 7 Inactive: The number of days after password expires that account is disabled 8 Expire: days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used 2

6 User Permissions - I ls -l

7 User Permissions - II 4

8 chmod chmod options permissions filename 5

9 chown chown owner- user file chown owner- user:owner- group file chown owner- user:owner- group directory chown options owner- user:owner- group file

10 Authentication in CentOS

11 User and Group Managemet Tools The following command line tools can also be used to manage users and groups:!! useradd, usermod, and userdel Industry-standard methods of adding, deleting and modifying user accounts!! groupadd, groupmod, and groupdel Industry-standard methods of adding, deleting, and modifying user groups!! gpasswd Industry-standard method of administering the / etc/group file!! pwck, grpck Tools used for the verification of the password, group, and associated shadow files!! pwconv, pwunconv Tools used for the conversion of passwords to shadow passwords and back to standard passwords 7

12 Adding a User To add a user to the system: 1 Issue the useradd command to create a locked user account: useradd <username>! 2 Unlock the account by issuing the passwd command to assign a password and set password aging guidelines: passwd <username> 8

13 Command Line Options for useradd Option -c '<comment>' -d<home-dir> -e<date> Description <comment> can be replaced with any string. This option is generally used to specify the full name of a user. Home directory to be used instead of default /home/<username>/ Date for the account to be disabled in the format YYYY-MM-DD -f<days> Number of days after the password expires until the account is disabled. If 0 is specified, the account is disabled immediately after the password expires. If -1 is -g<groupname> specified, Group name the or account group number is not be for disabled the user's after default the password group. The expires. group must exist prior to being specified here. -G<grouplist> -m List of additional (other than default) group names or group numbers, separated by commas, of which the user is a member. The groups must exist prior to being specified here. Create the home directory if it does not exist. -M Do not create the home directory. -n Do not create a user private group for the user. -r Create a system account with a UID less than 500 and without a home directory -p<password> The password encrypted with crypt -s User's login shell, which defaults to /bin/bash -u<uid> User ID for the user, which must be unique and greater than 499 9

14 Adding a Group To add a group to the system, use the command groupadd: groupadd <group-name> Option Description -g<gid> Group ID for the group, which must be unique and greater than 499 -r Create a system group with a GID less than 500 -f When used with -g<gid> and <gid> already exists, groupadd will choose another unique <gid> for the group. 10

15 Password Aging For security reasons, it is advisable to require users to change their passwords periodically. This can be done when adding or editing a user on the Password Info tab of the User Manager. Option -m<days> -M<days> -d<days> -I<days> -E<date> -W<days> Description Specifies the minimum number of days between which the user must change passwords. If the value is 0, the password does not expire. Specifies the maximum number of days for which the password is valid. When the number of days specified by this option plus the number of days specified with the -d option is less than the current day, the user must change passwords before using the account. Specifies the number of days since January 1, 1970 the password was changed Specifies the number of inactive days after the password expiration before locking the account. If the value is 0, the account is not locked after the password expires. Specifies the date on which the account is locked, in the format YYYY-MM-DD. Instead of the date, the number of days since January 1, 1970 can also be used. Specifies the number of days before the password expiration date to warn the user. Tip If the chage command is followed directly by a username (with no options), it displays the current password aging values and allows them to be changed. 11

16 Locking User Password 1 Lock the user password If the user does not exist, use the useradd command to create the user account, but do not give it a password so that it remains locked. If the password is already enabled, lock it with the command: usermod -L username! 2 Force immediate password expiration Type the following command: chage -d 0 username! This command sets the value for the date the password was last changed to the epoch (January 1, 1970). This value forces immediate password expiration no matter what password aging policy, if any, is in place. 12

17 Explaining the Process - I The following steps illustrate what happens if the command useradd juan is issued on a system that has shadow passwords enabled: 1 A new line for juan is created in /etc/passwd. The line has the following characteristics: It begins with the username juan. There is an x for the password field indicating that the system is using shadow passwords. A UID greater than 499 is created. (Under Red Hat Enterprise Linux, UIDs and GIDs below 500 are reserved for system use.) A GID greater than 499 is created. The optional GECOS information is left blank. The home directory for juan is set to /home/juan/. The default shell is set to /bin/bash. 2 A new line for juan is created in /etc/shadow. The line has the following characteristics: It begins with the username juan. Two exclamation points (!!) appear in the password field of the /etc/ shadow file, which locks the account. Note If an encrypted password is passed using the -p flag, it is placed in the / etc/shadow file on the new line for the user. The password is set to never expire. 13

18 Explaining the Process - II 3 A new line for a group named juan is created in /etc/group. A group with the same name as a user is called a user private group. The line created in /etc/group has the following characteristics: It begins with the group name juan. An x appears in the password field indicating that the system is using shadow group passwords. The GID matches the one listed for user juan in /etc/passwd. 4 A new line for a group named juan is created in /etc/gshadow. The line has the following characteristics: It begins with the group name juan. An exclamation point (!) appears in the password field of the /etc/gshadow file, which locks the group. All other fields are blank. 5 6 A directory for user juan is created in the /home/ directory. This directory is owned by user juan and group juan. However, it has read, write, and execute privileges only for the user juan. All other permissions are denied. The files within the /etc/skel/ directory (which contain default user settings) are copied into the new /home/juan/ directory. At this point, a locked account called juan exists on the system. To activate it, the administrator must next assign a password to the account using the passwd command and, optionally, set password aging guidelines. 14

19 Standart Users in CentOS root, bin, daemon, adm, lp, sync, shutdown, halt, mail, news, operator, ftp, nobody, rpm, ntp, rpc, mailman, named, sshd, nfsnobody, pvm, apache, htt, mysql, squid, ldap, netdump 15

20 Standart Groups in CentOS root: root! bin: root, bin, daemon! daemon: root, bin, daemon! sys: root, bin, admin! disk: root 16

21 LDAP (Lightweight Directory Access Protocol)

22 To install and configure OpenLDAP on CentOS 1. Install the OpenLDAP components using package manager [root]# yum -y install openldap openldap-clients openldap-servers 2. Generate a password hash to be used as the admin password. This password hash will be used when you create the root user for the LDAP installation. [root]# slappasswd New password : p@ssw0rd Re-enter new password : p@ssw0rd {SSHA}5lPFVw19zeh7LT53hQH69znzj8TuBrLv 17

23 To install and configure OpenLDAP on CentOS 3a. Add the root user and the root user's password hash to the OpenLDAP configuration in the olcdatabase={2}bdb.ldif file. The root user will have permissions to add other users, groups, organizational units, etc. [root]# cd /etc/openldap/slapd.d/cn\=config [root]# vi olcdatabase\=\{2\}bdb.ldif 3b. If the olcrootpw attribute does not already exist, create it. Then set the value to be the hash you created from slappasswd. olcrootpw: {SSHA}5lPFVw19zeh7LT53hQH69znzj8TuBrLv... 18

24 LDAP Terms LDAP: Lightweight Directory Access Protocol! LDIF : LDAP Data Interchange Format! CN : Common Name! OU : Organizational Unit! DC : Domain Component 19

25 To install and configure OpenLDAP on CentOS 4. While editing this file, change the distinguished name (DN) of the olcsuffix to something appropriate. The suffix typically corresponds to your DNS domain name, and it will be appended to the DN of every other LDAP entry in your LDAP tree. olcsuffix: dc=cc,dc=itu,dc=edu,dc=tr... olcrootdn: cn=manager,dc=cc,dc=itu,dc=edu,dc=tr... olcrootpw: {SSHA}5lPFVw19zeh7LT53hQH69znzj8TuBrLv... * Check /etc/resolv.conf for DNS domain name. 20

26 To install and configure OpenLDAP on CentOS 5a. Modify the DN of the root user in the olcdatabase={1}monitor.ldif file to match the olcrootdn line in the olcdatabase={2}bdb.ldif file. [root]# vi olcdatabase\=\{1\}monitor.ldif 5b. Modify the olcaccess line so that the dn.base matches the olcrootdn from the olcdatabase={2}bdb.ldif file.! olcaccess: {0}to * by dn.base="gidnumber=0+uidnumber=0,cn=peercred,cn=external,cn= auth" read by dn.base= cn=manager,dc=cc,dc=itu,dc=edu,dc=tr read by * none 21

27 To install and configure OpenLDAP on CentOS 5c. Now the root user for your LDAP is cn=manager,dc=cc,dc=itu,dc=edu,dc=tr. The root user's password is the password that you entered using slappasswd. * Check /etc/resolv.conf for DNS domain name. 22

28 To install and configure OpenLDAP on CentOS 6a. Hide the password hashes from users who should not have permission to view them! [root]# vi olcdatabase\=\{2\}bdb.ldif! 6b. Add the following two lines to the end of the file to restrict users from viewing other users' password hashes. olcaccess: {0}to attrs=userpassword by self write by dn.base="cn=manager,dc=cc,dc=itu,dc=edu,dc=tr" write by anonymous auth by * none! olcaccess: {1}to * by dn.base="cn=manager,dc=cc,dc=itu,dc=edu,dc=tr" write by self 23

29 To install and configure OpenLDAP on CentOS 7. Make sure that OpenLDAP is configured to start when the machine starts up, and start the OpenLDAP service.! [root]# chkconfig slapd on [root]# service slapd start 24

30 To install and configure OpenLDAP on CentOS 8a. Now, you must manually create the dc=cc,dc=itu,dc=edu,dc=tr LDAP entry in your LDAP tree. An LDAP directory is analogous to a tree. Nodes in this tree are called LDAP "entries" and may represent users, groups, organizational units, domain controllers, or other objects. The attributes in each entry are determined by the LDAP schema. In this tutorial we will build entries based on the InetOrgPerson schema (which ships with OpenLDAP by default). In order to build our LDAP tree we must first create the root entry. Root entries are usually a special type of entry called a domain controller (DC). Also note that dc=cc,dc=itu,dc=edu,dc=tr is what is called an LDAP distinguished name (DN). An LDAP distinguished name uniquely identifies an LDAP entry. [root]# cd /tmp [root]# vi cc.ldif 25

31 To install and configure OpenLDAP on CentOS 8b. Add the following lines in cc.ldif: dn: dc=cc,dc=itu,dc=edu,dc=tr objectclass: dcobject objectclass: organization dc: cc 8c. Now add the contents of this file to LDAP. Run this command:! [root]# ldapadd -f cc.ldif -D cn=manager,dc=cc,dc=itu,dc=edu,dc=tr -w 8d. Verify that your entry was added correctly. [root]# ldapsearch -x -LLL -b dc=cc,dc=itu,dc=edu,dc=tr dn: dc=cc,dc=itu,dc=edu,dc=tr objectclass: dcobject objectclass: organization dc: cc o: cc 26

32 To add an organizational unit (OU) entry to the LDAP tree. 1. Create a temporary file called users.ldif. (You can delete this file once its content has been added to LDAP, so in this example, we will create it in the /tmp folder.)! [root]# cd /tmp [root]# vi users.ldif 2. Add these lines to users.ldif: dn: ou=users,dc=cc,dc=itu,dc=edu,dc=tr objectclass: organizationalunit ou: Users! 3. Add the contents of users.ldif file to LDAP. [root]# ldapadd -f users.ldif -D cn=manager,dc=cc,dc=itu, dc=edu,dc=tr -w p@ssw0rd 27

33 To add a user to LDAP 1. Create a temporary file called bob.ldif.! [root]# cd /tmp [root]# vi bob.ldif 2. Add these lines to bob.ldif: dn: cn=bob Jones,ou=Users,dc=cc,dc=itu,dc=edu,dc=tr cn: Bob Jones sn: Jones objectclass: inetorgperson userpassword: p@ssw0rd uid: bjones! 3. Add the contents of bob.ldif file to LDAP. [root]# ldapadd -f bob.ldif -D cn=manager,dc=cc,dc=itu,dc=edu, dc=tr -w p@ssw0rd 28

34 To add a group to LDAP 1. Create a temporary file called addusertogroup.ldif.! [root]# cd /tmp [root]# vi engineering.ldif 2. Add these lines to addusertogroup.ldif: dn: cn=engineering,ou=users,dc=cc,dc=itu,dc=edu,dc=tr cn: Engineering objectclass: groupofnames member: cn=al Smith,ou=Users,dc=acme,dc=com! 3. Add the contents of addusertogroup.ldif file to LDAP. [root]# ldapadd -f engineering.ldif -D cn=manager,dc=cc,dc=itu,dc=edu,dc=tr -w p@ssw0rd 29

35 To add a user to an LDAP group 1. Create a temporary file called addusertogroup.ldif.! [root]# cd /tmp [root]# vi addusertogroup.ldif 2. Add these lines to addusertogroup.ldif: dn: cn=engineering,ou=users,dc=cc,dc=itu,dc=edu,dc=tr changetype: modify add: member member: cn=al Smith,ou=Users,dc=acme,dc=com! 3. Add the contents of addusertogroup.ldif file to LDAP. [root]# ldapadd -f addusertogroup.ldif -D cn=manager,dc=cc,dc=itu,dc=edu,dc=tr -w p@ssw0rd 30

36 NIS (Network Information Service)

37 What is NIS? The Network Information Service, or NIS (originally called Yellow Pages or YP) is a client server directory service protocol for distributing system configuration data such as user and host names between computers on a computer network. Sun Microsystems developed the NIS; the technology is licensed to virtually all other Unix vendors. 31

38 Questions?