CIT 500: IT Fundamentals
Users
Topics
1. Identity
2. User Accounts
3. /etc/{passwd,shadow}
4. User Commands
5. Passwords
6. Groups
What is Identity?
Computer’s representation of an entity.
Authentication binds a principal to an identity.
Example:
– username expresses your identity.
– password binds the person typing to that particular identity (username).
Purpose of Identity
Access Control
– Most systems base access rights on identity of principal executing the process.
Accountability
– Logging and auditing functions.
– Need to track identity across account/role changes (e.g., su, sudo).
What is Authentication?
Binding of an identity to a subject.
Based on one of the following factors:
1. What the entity knows (e.g., passwords)
2. What the entity has (e.g., access card)
3. What the entity is (e.g., fingerprints)
4. Where the entity is (e.g., local terminal)
Or a combination of two or more factors.
Groups and Roles
An “entity” may be a set of entities referred to by a single identifier.
Users often need to share access to files, and thus are taken as groups.
A role is a group that ties membership to function.
User Types
Regular users
– Humans with accounts on system.
– May log in via network or on console.
Special users
– Non-human users for specific programs, e.g. http.
– Used for file permission purposes.
Superuser
– Admin user with UID 0 has special permissions.
– Username is typically root.
User Accounts
UNIX accounts described by the following fields
– User ID (UID)
– Group ID (GID)
– Password
– Comment (a/k/a GCOS field)
– Home directory
– Login shell
User account data stored in /etc/passwd
– Except password itself, which is in /etc/shadow
/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
waldenj:x:100:100:James Walden, faculty:/home/waldenj:/bin/bash
smith:x:101:101:John Smith, student:/home/smithj:/bin/bash
/etc/shadow
Root-only readable file for password storage
– Prevents users from reading encrypted passwords
– Additional fields support password aging features.
One line per account, including fields for
– Username
– Encrypted password
– Days since 1/1/1970 password was last changed
– Days before password may be changed
– Days after which password must be changed
– Days before password is to expire that user is warned
– Days after password expires that account is disabled
– Days since 1/1/1970 that account is disabled
/etc/shadow
root:$1$A4h5.ZbC$DekjN2J7W5jymRS8gAbcT2:14565:0:99999:7:::
daemon:*:14537:0:99999:7:::
bin:*:14537:0:99999:7:::
sys:*:14537:0:99999:7:::
games:*:14537:0:99999:7:::
man:*:14537:0:99999:7:::
lp:*:14537:0:99999:7:::
mail:*:14537:0:99999:7:::
news:*:14537:0:99999:7:::
uucp:*:14537:0:99999:7:::
waldenj:$1$0nAbDEFg$HiJk9l1mNopQRlhTUVW5x.:14537:0:99999:7:::
smith:$1$j02bHyTU$.vwXYz1ABcDEcfGH83IjK/:14565:0:99999:7:::
Note that not all fields are currently used: see blank fields at end of each line.
Accessing Account Information
Direct access to account information
grep username /etc/{passwd,shadow}
grep username /etc/group
What if account information is elsewhere?
getent passwd username
getent group username
Where else might account info be stored?
NIS
LDAP
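As an added example (not part of the slides), the functions below perform the exact-match lookup that getent passwd does, over a constructed /etc/passwd-style sample rather than the real file, and show why the plain grep on the slide should be anchored: an unanchored grep for smith also matches smithj and any home directory containing the string. The smithj entry with UID 102 is invented for that purpose.

```shell
#!/bin/sh
# Added example: exact-match account lookup over a constructed /etc/passwd-style
# sample (not the real file). The smithj entry with UID 102 is invented to
# show the substring problem with an unanchored grep.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
waldenj:x:100:100:James Walden, faculty:/home/waldenj:/bin/bash
smith:x:101:101:John Smith, student:/home/smithj:/bin/bash
smithj:x:102:102:Jane Smith, student:/home/smithj2:/bin/bash'

# lookup_user USERNAME: print the record whose first field equals USERNAME
# exactly, as getent passwd does. Exit status 2 when the name is not found
# (getent uses the same code for "key not found").
lookup_user() {
    printf '%s\n' "$SAMPLE_PASSWD" |
        awk -F: -v u="$1" '$1 == u { print; found = 1 } END { exit found ? 0 : 2 }'
}

# user_field USERNAME N: print field N of the record
# (1 name, 2 password placeholder, 3 UID, 4 GID, 5 comment, 6 home, 7 shell).
user_field() {
    lookup_user "$1" | cut -d: -f"$2"
}

# naive_grep_count STRING: what `grep username /etc/passwd` really counts:
# every line containing the string anywhere, including other usernames and
# home directory paths.
naive_grep_count() {
    printf '%s\n' "$SAMPLE_PASSWD" | grep -c -- "$1"
}

# anchored_grep_count USERNAME: the grep the slide intends, anchored to the
# start of the line and the first field separator.
anchored_grep_count() {
    printf '%s\n' "$SAMPLE_PASSWD" | grep -c -- "^$1:"
}

if [ "${1:-}" = "demo" ]; then
    lookup_user smith
    printf 'shell of waldenj: %s\n' "$(user_field waldenj 7)"
    printf 'grep hits for "smith": %s, anchored: %s\n' \
        "$(naive_grep_count smith)" "$(anchored_grep_count smith)"
fi
```

Run it with the argument demo to see the two hit counts side by side; against the real files the same anchoring applies to /etc/shadow and /etc/group, where an unanchored grep for a short name is even more likely to match other records.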
User Identification Commands
The whoami command provides username of the current user.
> whoami
waldenj
The id command provides complete user and group information with user and group names and UIDs and GIDs.
> id
uid=100(waldenj) gid=100(waldenj) groups=100(waldenj),1001(faculty)
> id smithj
uid=101(smithj) gid=101(smithj) groups=101(smithj),1001(faculty)
Changing your Identity
The su command changes your UID.
– Without an argument, changes to root.
– Requires a password unless you are already root.
– Use exit command to change back.
The sudo command runs a command as root.
– Use your own password to authenticate.
– sudo cat /etc/shadow
– sudo useradd
Superuser Powers
Superuser can
• Read any file.
• Modify any file.
• Add / remove users.
• Become any user.
• Kill any process.
• Reprioritize processes.
• Configure network.
• Set date/time.
• Shutdown / reboot.
Superuser can’t
• Change read-only filesystem.
• Decrypt hashed passwords.
• Modify NFS-mounted filesystems.
• Read or modify SELinux protected files.
Creating an Account
useradd -c "John Smith" username
– Creates account with specified username.
– Sets comment to "John Smith" to store name.
– Uses defaults from /etc/login.defs for other fields, such as home directory, shell, password aging, &c.
To set password become root and run
– passwd username
Modifying an Account
usermod [options] username
-c comment
-d homedir
-e password-expire-date
-G group1,group2 [adds groups]
-l newusername [changes username]
-L [locks account, prevents logins]
-s shell
Removing an Account
The userdel command removes an account.
Must supply -r option to remove homedir.
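The create, modify and remove steps above, as an added example that is not part of the slides: the useradd, passwd, usermod and userdel commands wrapped in functions that validate the username and refuse to create an account that already exists. The commands need root, so unless the script runs as root (or DRY_RUN is set) each command is printed instead of executed; the username jsmith_example in the demo is invented. One caveat the slide's "-G [adds groups]" hides: usermod -G on its own replaces the supplementary group list, and only -a -G appends to it.

```shell
#!/bin/sh
# Added example: the useradd / passwd / usermod / userdel sequence from the
# slides wrapped in checked functions. The account changes need root, so
# unless this runs as root (or DRY_RUN is set to anything non-empty) each
# command is printed instead of executed. The username jsmith_example in the
# demo is invented.

# Print commands instead of running them when not root.
if [ -z "${DRY_RUN:-}" ] && [ "$(id -u)" -ne 0 ]; then
    DRY_RUN=1
fi

# run COMMAND...: execute, or echo with a DRY-RUN prefix.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# valid_username NAME: the portable login-name rule useradd(8) documents
# (lowercase letter or underscore first, then lowercase letters, digits,
# underscores or dashes, at most 32 characters; the optional trailing $ for
# machine accounts is not accepted here).
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# account_exists NAME: consult the same sources getent uses (local files,
# NIS, LDAP); fall back to /etc/passwd where getent is missing.
account_exists() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null 2>&1
    else
        grep -q "^$1:" /etc/passwd
    fi
}

# create_account NAME "Full Name": useradd with the comment field set and the
# home directory created (-m, in case CREATE_HOME is off in login.defs), then
# the initial password set by root interactively.
create_account() {
    if ! valid_username "$1"; then
        echo "invalid username: $1" >&2; return 1
    fi
    if account_exists "$1"; then
        echo "account already exists: $1" >&2; return 1
    fi
    run useradd -m -c "$2" "$1"
    run passwd "$1"
}

# add_to_groups NAME group1,group2: usermod -G on its own *replaces* the
# supplementary group list; -a makes it append.
add_to_groups() {
    run usermod -a -G "$2" "$1"
}

# lock_account NAME: disable password login without deleting anything, the
# safe first step when someone leaves.
lock_account() {
    run usermod -L "$1"
}

# remove_account NAME: delete the account and its home directory.
remove_account() {
    run userdel -r "$1"
}

if [ "${1:-}" = "demo" ]; then
    create_account jsmith_example "John Smith"
    add_to_groups jsmith_example faculty
    lock_account jsmith_example
    remove_account jsmith_example
fi
```

Locking before deleting is deliberate: a locked account keeps its UID, files and audit trail, whereas userdel -r destroys the home directory and frees the UID for reuse, which can silently hand the old user's remaining files to whoever is created next with that number.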
Passwords
Passwords
– Most common type of authentication.
– Authentication binds a person to an identity.
– Use passwd command to change.
Attacks against passwords
– Reading passwords from disk storage.
– Intercepting passwords via wiretapping.
– Guessing passwords.
Protecting Passwords
Against disk storage attacks
– Store password in secure file, /etc/shadow.
– Store one-way hash of password, not password itself.
– Compare hash of password entered by user with hash of password stored on disk to login.
Against wiretapping
– Do not send passwords over email.
– Use encrypted protocols like ssh to login.
Against guessing
– Do not use dictionary words, birthdates, names.
– Choose a long password.
People Don’t Choose Random Passwords
Commonly Used Bad Passwords
• 123456
• letmein
• password
• 12345678
• dragon
• qwerty
• michael
• 654321
• harley
• ranger
• iwantu
• xxxxxxx
• turtle
• united
• porsche
• guitar
• black
• diamond
• nascar
• jun0389
• 06031989
• amanda
• phoenix
• mickey
• tigers
• purple
• xmen94
• aaaaaa
• prince
• beach
• amateur
• ncc1701
• tennis
• startrek
• swimming
• kitty
• rainbox
• 112233
• 232323
• giants
• enter
• 0
• cupcake
• 8675309
• marlboro
• newyork
• diablo
• sexsex
• access14
• abgrtyu
• 123123
• dragon123
• applepie
• 31415926
• 99skip
• just4fun
• xcvb
• typewriter
How to Select Good Passwords
1. Long passwords, consisting of multiple words. Use nth letter of each word if phrase too long.
2. Themes:
1. Word combinations: 3 blind katz
2. E-mail or URL: [email protected]
3. Phone number: (888) 888-eight eight
4. Bracketing: Starfleet -> *!-Starfleet-!*
5. Add a word: shopping -> Goin’ shopping
6. Repetition: Pirate--PirateShip
7. Letter swapping: Sour Grape -> Gour Srape
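The guessing defences above (no dictionary words, birthdates or names; choose a long password) turned into a first-line check, as an added example that is not part of the slides. BAD_PASSWORDS is a subset of the slide's list of commonly used passwords; the 12-character minimum is an assumed policy value, since the slides only say "choose a long password". The checks are ordered by how cheaply an attacker defeats the password: a known bad password is rejected regardless of length, then all-digit strings (dates, phone numbers), then a single repeated character, and only then plain length.

```shell
#!/bin/sh
# Added example: check a candidate password against the advice on the slides.
# BAD_PASSWORDS is a subset of the slide's list of commonly used passwords;
# MIN_LENGTH is an assumed policy value, not a figure from the slides.
BAD_PASSWORDS='123456
letmein
password
12345678
dragon
qwerty
michael
654321
harley
ranger
iwantu
xxxxxxx
turtle
united
porsche
guitar
06031989
startrek
ncc1701
8675309
123123
dragon123
applepie
31415926
typewriter'
MIN_LENGTH=12   # assumed policy value

# check_password CANDIDATE: print "accept" (exit 0) or "reject:<reason>"
# (exit 1). The blacklist match is case-insensitive, so LetMeIn is still
# letmein; the other checks look at the raw candidate.
check_password() {
    pw="$1"
    if [ -z "$pw" ]; then
        echo "reject:empty"; return 1
    fi
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    # exact, whole-line match against the list
    if printf '%s\n' "$BAD_PASSWORDS" | grep -Fxq -- "$lower"; then
        echo "reject:common"; return 1
    fi
    # digits only: birthdates, phone numbers, PINs
    if printf '%s\n' "$pw" | grep -Eq '^[0-9]+$'; then
        echo "reject:digits-only"; return 1
    fi
    # one character repeated (xxxxxxx, aaaaaa), whatever its length
    if printf '%s\n' "$pw" | awk '{ c = substr($0, 1, 1)
            for (i = 2; i <= length($0); i++) if (substr($0, i, 1) != c) exit 1
            exit 0 }'; then
        echo "reject:repeated-character"; return 1
    fi
    if [ "${#pw}" -lt "$MIN_LENGTH" ]; then
        echo "reject:short"; return 1
    fi
    echo "accept"
}

if [ "${1:-}" = "demo" ]; then
    for candidate in letmein 12121990 xxxxxxxxxxxxxx 'Sour Grape' '3 blind katz rule'; do
        printf '%-20s %s\n' "$candidate" "$(check_password "$candidate" || true)"
    done
fi
```

A check like this only filters the obvious; it says nothing about whether a long passphrase is itself a quoted line, which is why the slide's themes (combining, bracketing, swapping) matter alongside length. Run the script with the argument demo to see each rule fire on one of the slide's own examples.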
Password Aging
Requirement that password be changed after a period of time or after an event has occurred.
If expected time to guess is 180 days, should change password more frequently than 180 days.
1. If change time too short, users have difficulty recalling passwords.
2. Cannot allow users to change password to current one.
3. Also prevent users from changing passwords too soon.
4. Give notice of impending password change requirement.
5. Expire account to prevent logins if password not changed within time specified by policy.
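The aging fields of /etc/shadow introduced earlier are exactly the mechanism behind the five points above: min days stops changes that come too soon, max days forces the change, warn days gives notice, and the inactive and expire fields disable the account. As an added example that is not part of the slides, the functions below read those fields from a shadow record and report the resulting login state. The root and daemon lines are the slide's; the alice, bob and carol lines are constructed, with placeholder hashes, to exercise each rule. TODAY is passed in as days since 1/1/1970, the unit the file uses, so the logic can be checked without a clock.

```shell
#!/bin/sh
# Added example: interpret the aging fields of /etc/shadow records. The root
# and daemon lines are the slide's; the alice, bob and carol lines are
# constructed with placeholder hashes. TODAY is days since 1970-01-01.
ROOT_LINE='root:$1$A4h5.ZbC$DekjN2J7W5jymRS8gAbcT2:14565:0:99999:7:::'
DAEMON_LINE='daemon:*:14537:0:99999:7:::'
# alice: last change day 14500, min 7, max 90, warn 14, inactive 7
ALICE_LINE='alice:$6$constructed$PLACEHOLDERHASH:14500:7:90:14:7::'
# bob: same max/warn/inactive, plus an account expiry on day 14550
BOB_LINE='bob:$6$constructed$PLACEHOLDERHASH:14500:0:90:7:7:14550:'
# carol: empty password field, i.e. no password at all
CAROL_LINE='carol::14500:0:90:7:::'

# shadow_status LINE TODAY: one word describing the account's login state
#   expired      account expiry day (field 8) reached: no login at all
#   no-password  empty hash: login without a password is possible
#   locked       hash starts with * or !: password login disabled
#   no-aging     max days empty or 99999: password never expires
#   inactive     password expired more than "inactive" days ago: account disabled
#   must-change  password older than max days, still within the inactive window
#   warn:N       N days left before the password must be changed (N <= warn)
#   ok:N         N days left, outside the warning window
shadow_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        hash = $2; last = $3 + 0; max = $5; warn = $6 + 0; inact = $7; expire = $8
        if (expire != "" && today >= expire + 0) { print "expired"; exit }
        if (hash == "")                           { print "no-password"; exit }
        if (hash ~ /^[*!]/)                       { print "locked"; exit }
        if (max == "" || max + 0 >= 99999)        { print "no-aging"; exit }
        left = (last + max) - today
        if (left < 0) {
            if (inact != "" && -left > inact + 0) print "inactive"
            else print "must-change"
            exit
        }
        if (left <= warn) print "warn:" left; else print "ok:" left
    }'
}

# can_change LINE TODAY: "too-soon" while fewer than "min" days (field 4)
# have passed since the last change, otherwise "ok". This is the rule that
# stops users cycling straight back to a previous password.
can_change() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        if (today - $3 < $4 + 0) print "too-soon"; else print "ok"
    }'
}

if [ "${1:-}" = "demo" ]; then
    for line in "$ROOT_LINE" "$DAEMON_LINE" "$ALICE_LINE" "$BOB_LINE" "$CAROL_LINE"; do
        printf '%s: %s\n' "${line%%:*}" "$(shadow_status "$line" 14565)"
    done
fi
```

Two of the states are worth alerting on during an account review: no-password, which the slide's "store one-way hash" advice never intends, and no-aging on a human account, which is what the 99999 on every line of the slide's /etc/shadow means in practice.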
Groups
Users belong to one or more groups.
– User always has a primary group.
– Files are created with GID of primary group.
– User can access files accessible to any of the groups to which the user belongs.
Groups contain zero or more users.
– Created by the system administrator.
– Some groups exist for programs like special users.
– Other groups exist for human users.
/etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
waldenj:x:100:
smithj:x:101:
faculty:x:1001:smithj,waldenj
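How the id output shown earlier is assembled from these two files, as an added example that is not part of the slides: the primary group comes from the GID field of /etc/passwd, and the supplementary groups are every /etc/group entry whose member list names the user. The samples are constructed in the two files' formats; the adm membership and the students group are invented to give the users different group lists.

```shell
#!/bin/sh
# Added example: resolve a user's primary and supplementary groups the way
# `id` does, over constructed /etc/passwd- and /etc/group-style samples (not
# the real files). The adm membership and the students group are invented.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
waldenj:x:100:100:James Walden, faculty:/home/waldenj:/bin/bash
smithj:x:101:101:John Smith, student:/home/smithj:/bin/bash'
SAMPLE_GROUP='root:x:0:
adm:x:4:waldenj
waldenj:x:100:
smithj:x:101:
faculty:x:1001:smithj,waldenj
students:x:1002:smithj'

# passwd_field USERNAME N: field N of the user's passwd record (3 = UID, 4 = GID).
passwd_field() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" -v n="$2" '$1 == u { print $n }'
}

# group_name GID: the group name for a numeric GID.
group_name() {
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$1" '$3 == g { print $1 }'
}

# supplementary_gids USERNAME: GIDs of every group whose member list
# (field 4, comma separated) names the user exactly, in /etc/group order.
supplementary_gids() {
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $3
    }'
}

# id_line USERNAME: reproduce `id` output. The primary group is listed first,
# then supplementary groups; a group file entry that repeats the primary GID
# is not listed twice. Exit status 2 if the user does not exist.
id_line() {
    uid=$(passwd_field "$1" 3)
    gid=$(passwd_field "$1" 4)
    [ -n "$uid" ] || return 2
    gname=$(group_name "$gid")
    groups="$gid($gname)"
    for g in $(supplementary_gids "$1"); do
        if [ "$g" != "$gid" ]; then
            groups="$groups,$g($(group_name "$g"))"
        fi
    done
    printf 'uid=%s(%s) gid=%s(%s) groups=%s\n' "$uid" "$1" "$gid" "$gname" "$groups"
}

# member_of USERNAME GROUPNAME: succeed if the user may use the group's file
# permissions, i.e. it is the primary group or one of the supplementary ones.
member_of() {
    for g in $(passwd_field "$1" 4) $(supplementary_gids "$1"); do
        if [ "$(group_name "$g")" = "$2" ]; then
            return 0
        fi
    done
    return 1
}

if [ "${1:-}" = "demo" ]; then
    id_line waldenj
    id_line smithj
    member_of smithj adm || echo "smithj is not in adm"
fi
```

Note that the member list in /etc/group only records supplementary membership: waldenj does not appear in the waldenj group's member field, yet id lists it, because the primary group comes from /etc/passwd. Reviewing group membership by reading /etc/group alone therefore misses every user's primary group.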
Group Commands
groupadd [-g GID] groupname
Creates a new group.
groupmod groupname
-n newgroupname
-g newgroupID
usermod -G
modifies group membership
groupdel
removes a group