USER - AUTHENTICATION

Authentication

During the login process, the user and his password is checked. If these are correct (matched with the stored values), user access is granted. This whole thing is called, authentication. (Sometimes it is separated to Identification (user account verification) and Authentication (password verification).)

On AIX the identification and authentication modules are shipped with the Operating System by default. The identification module offers services like storing users and groups’ attributes, and the authentication module provides services such as password verification or modification. Some compound modules provide both services.

It is possible to use additional authentication modules, like:
- Light weight directory access protocol (LDAP)
- Kerberos
- Pluggable authentication modules (PAM)
- Network information service (NIS)

Before using these methods, these need to be configured in /usr/lib/security/methods.cfg:

NIS:
program = /usr/lib/security/NIS
program_64 = /usr/lib/security/NIS_64

LDAP:
program = /usr/lib/security/LDAP
program_64 = /usr/lib/security/LDAP64

KERBEROS:
program = /usr/lib/security/KERBEROS
program_64 = /usr/lib/security/KERBEROS64
options = authonly,db=LDAP

CENTRIFYDC:
        program = /usr/lib/security/CENTRIFYDC
        program_64 = /usr/lib/security/CENTRIFYDC64
        options = nopromp

PAM:
        program = /usr/lib/security/PAM

PAMfiles:
        options = auth=PAM,db=BUILTIN


---------------------------------------------------------------

/etc/security/user

During the login of a user, the /etc/security/user file is checked for the authentication method of that user (local or LDAP...). This information is contained in the "registry" and "SYSTEM" parameters in that file.


/etc/security/user:
root:
        admin = true
        SYSTEM = "compat"
        account_locked = false
        rlogin = false
        admgroups = admin
        login = true
        registry = files


"compat" and files means, the authentication is done locally, for other methods (like LDAP ...), these need to be updated:

default:
        admin = false
        login = true
        ...
        SYSTEM = "LDAP"
        registry = LDAP
        ...

(In this case the default section has been changed, so for all local (already existing) users, SYSTEM = "compat" and registry = files need to be defined, otherwise the login process will search them on the LDAP Server.)

If a user account exists both locally and in LDAP, AIX requires both the SYSTEM and registry be set to the same value to work correctly. By setting the SYSTEM and registry differently, one will run into the risk that the user is defined to login through one mechanism, but the user's account activity is logged to a different user database.  It may also result in root managing the wrong account when changing password, locking the account, etc. 

A safe way of avoiding such problems is to set the SYSTEM and registry to the same value, e.g.,
# chuser SYSTEM=LDAP registry=LDAP user1

---------------------------------------------------------------

SYSTEM and registry

At login time, the login process checks for the user's SYSTEM and registry attributes in /etc/security/user file. If it is an LDAP user, SYSTEM needs to be set to LDAP for the user. (If a user's SYSTEM attribute is not defined, the default SYSTEM value is used.)

Values for SYSTEM parameter:

- compat: (default setting) It tells the system to use the local database and, if no resolution found, the NIS database is tried.
- files: it specifies that only local files are to be used during authentication
- NONE: it turns off authentication. (To turn off all authentication, "NONE" must appear in the SYSTEM and auth1 lines of the user's stanza.)

Other acceptable values for the SYSTEM attribute can be defined in /usr/lib/security/methods.cfg. (LDAP...)
(The root user is always locally authenticated, SYSTEM = "compat")

The SYSTEM attribute can take more values, so more methods can be combined with AND / OR statements.(It is called authentication grammar.) For example if SYSTEM="compat" AND "LDAP, it means both authentication is needed to have a successful login.

registry

During login an additional parameter is checked in /etc/security/user, the "registry". It shows where the user informations are stored and which user database (registry) to use when managing users. It takes always just 1 value. (SYSTEM can have more values.)

- files: (default setting) It shows it is a local user (user information is stored in /etc/security/user)
- other values can be: LDAP, NIS, KRB5, PAM...


---------------------------------------------------------------

auth1 and auth2

auth1 and auth2 are (were) used to configure authentication methods for a user. auth1 lists mandatory methods (authentication fails if listed method failed), and auth2 contains additional methods which are used after auth1. (authentication does not fail if listed method fails in auth2.)

Important, IBM writes this as official info:
Currently auth1 and auth2 is deprecated (not recommended) and should not be used to add additional methods (These may not be supported in future releases.)

Typically auth1 is set to SYSTEM and auth2 to NONE.

        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        umask = 77
        expires = 0
        SYSTEM = "CENTRIFYDC OR CENTRIFYDC[NOTFOUND] AND (compat)"


---------------------------------------------------------------

/etc/security/login.cfg

There are some login and user authentication information, which are stored in the usw stanza of /etc/security/login.cfg file:

usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh...
        maxlogins = 32767
        logintimeout = 30
        maxroles = 8
        auth_type = STD_AUTH
        pwd_algorithm = ssha512

auth_type and autcontroldomain (which is not set in the above example) can be configured in /etc/security/login.cfg.


authcontroldomain

If this attribute is set in /etc/security/login.cfg (by default it is not set), the "registry" and "SYSTEM" values will be gathered from the value defined there. For example, authcontroldomain=LDAP forces the system to look for user's SYSTEM and registry values from LDAP, and the /etc/security/user file will be not checked.

The authcontroldomain attribute is not valid for local users and it can be configured like this:
chsec -f /etc/security/login.cfg -s usw -a authcontroldomain=LDAP


auth_type

Defines the route through which applications can authenticate their users. The two values to which auth_type can be set are:

STD_AUTH - (default) standard user authentication.
PAM_AUTH - Use PAM to authenticate users via the /etc/pam.conf file


-----------------

PAM (Pluggable Authentication Modules)

In the past if a program, such as su, passwd or login, needed to authenticate a user, it would read the necessary file (e.g. /etc/security/passwd.) If it needed to change the users' password, it would simply edit those files. This simple method presented numerous problems for system administrators and application developers. As MD5 and shadow passwords became popular, each program had to know how to get the proper information when dealing with different methods. If you wanted to change your user authentication method, all these programs had to be recompiled. PAM eliminates this complication by enabling programs to transparently authenticate users, regardless of how user information is stored.

This is accomplished by providing a library of functions that an application may use. With PAM, it doesn't matter whether your password is stored in /etc/security/passwd or on a separate server. When a program needs to authenticate a user, PAM provides a library containing the functions for authentication. Because this library is loaded dynamically, changing authentication methods can be done any time.

Starting with AIX V5.3, PAM is fully integrated into AIX. A default /etc/pam.conf file is shipped with additional PAM service modules. PAM can also be enabled for the entire system by changing the auth_type attribute to PAM_AUTH in the /etc/security/login.cfg file.

auth_type determines whether PAM or the standard AIX authentication mechanism will be used:
PAM_AUTH - Use the PAM library for user authenticate tasks as configured by the /etc/pam.conf file.
STD_AUTH - Use the standard AIX security library for user authentication tasks. This is the default value.

The following native AIX commands and applications have been changed to recognize the auth_type attribute and to directly call the PAM library if the system is configured to use PAM for authentication: login, rlogind, telnetd, su, passwd, ftpd, rexecd, rshd ..


When auth_type is changed to PAM_AUTH, these programs will use the PAM library configuration contained in /usr/lib/security/methods.cfg:

/usr/lib/security/methods.cfg:
PAM:
        program = /usr/lib/security/PAM

PAMfiles:
        options = auth=PAM,db=BUILTIN

Then the mentioned PAM library checks /etc/pam.conf file to determine which PAM module to use:

/etc/pam.conf:
# Authentication
#
dtaction auth   required        pam_aix
dtsession auth  required        pam_aix
dtlogin auth    required        pam_aix
ftp     auth    required        pam_aix
imap    auth    required        pam_aix
login   auth    required        pam_aix
rexec   auth    required        pam_aix
rlogin  auth    sufficient      pam_rhosts_auth
rlogin  auth    required        pam_aix
rsh     auth    required        pam_rhosts_auth
snapp   auth    required        pam_aix
su      auth    sufficient      pam_allowroot
su      auth    required        pam_aix
swrole  auth    required        pam_aix
telnet  auth    required        pam_aix
xdm     auth    required        pam_aix
OTHER   auth    required        pam_prohibit

#
# Account Management
#
dtlogin account required        pam_aix
ftp     account required        pam_aix
login   account required        pam_aix
rexec   account required        pam_aix
rlogin  account required        pam_aix
rsh     account required        pam_aix
su      account sufficient      pam_allowroot
su      account required        pam_aix
swrole  account required        pam_aix
telnet  account required        pam_aix
xdm     account required        pam_aix
OTHER   account required        pam_prohibit

#
# Password Management
#
dtlogin password  required      pam_aix
login   password  required      pam_aix
passwd  password  required      pam_aix
rlogin  password  required      pam_aix
su      password  required      pam_aix
telnet  password  required      pam_aix
xdm     password  required      pam_aix
OTHER   password  required      pam_prohibit


---------------------------------------------------------------

2 comments:

  1. Hi Balaz,

    Could you please let me know how to list all the files/directories on my system that have ACL set on them.

    Regards,
    Swathi

    ReplyDelete