Linux Authentication and Access Control 5-2

Linux Authentication and Access Control 5-2

What is Authentication? Linux Authentication and Authentication binds a subject/principal outside the computer to an Access Control identity inside the computer. All subsequent stages assume the mapping is correct, so this is really important! fturbak Tuesday, September 18, 2012 Reading: Pollock Article; Hacking Linux Exposed gdome CS342 Computer Security root Department of Computer Science Wellesley College sanderso Linux Authentication and Access Control 5-2 Plaintext Password File Hashed Password File o Use one-way hash function (more on these later in the semester). o Intercepted password can be entered to impersonate user. o Intercepted hashed password cannot be entered for user. username: gdome o Password file must be private. username: gdome password: albatross password: albatross o Password file can be public (but still better private). Early Linux had /etc/passwd public. Now separates hash(albatross) = public /etc/passwd (user info) from albatross Npge08pfz4wuk private /etc/shadow (hashed passwords) fbar:pass34word fbar:Yt8w67aiewrH3 o Early linux used crypt function gdome:albatross gdome:Npge08pfz4wuk for hashing. qsera:S&L:DSiaNW qsera:vj9awiEU9KwtF password file password file o Subject to password cracking. Linux Authentication and Access Control 5-3 Linux Authentication and Access Control 5-4 Password Cracking Hashed & Salted Password File o Online cracking (ATM PINs, keypad locks on doors, interactive o Salt stored in password entry password input): combined with password before • Try common patterns followed by exhaustive brute-force search hashing. • Thwarted by long passwords (search space too large) and retry limitations o Thwarts precomputation of large (max of n attempts, exponential backoff). username: gdome hash dictionaries. o Offline cracking (e.g. hashed password file) password: albatross • Examples: john (the Ripper), crack o Linux allows /etc/shadow files with both salted MD5 passwords and • Can afford more computation. hash(d6tpFiwO, old-style crypt passwords. • Step 1: plain dictionary words (including names) albatross) = and user info (username). rBD5jd1ASAYatV2UuAlXW. • Step 2: transformations: insert digits, leetspeak (1337) • Step 3: brute force generation fbar:Yt8w67aiewrH3 gdome:$1$d6tpFiwO$rBD5jd1ASAYatV2UuAlXW. • Thwarted by long, non-dictionary passwords that pass qsera:$1$oVprdczq$NyoQ5WzZxeigDRBUCjQbg7 cracking attempts. password file Linux Authentication and Access Control 5-5 Linux Authentication and Access Control 5-6 Choosing Passwords (http://xkcd.com/936/) Linux IDs and /etc/passwd Each user has a user id (uid) and belongs to (possibly several) groups each of which has a gid. uid and default gid are stored in /etc/passwd. E.g, in my Fedora VM: root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin ... lynux:x:500:500:Franklyn Turbak:/home/lynux:/bin/bash gdome:x:501:501:Georgia Dome:/home/gdome:/bin/bash cs342:x:502:502:CS342 Account:/home/cs342:/bin/bash Linux Authentication and Access Control 5-7 Linux Authentication and Access Control 4-8 /etc/group /etc/shadow /etc/group defines groups and Sysadmins can define new groups, lists which users belong to them. /etc/shadow contains hashed passwords: e.g. on puma root:$1$SdMYD5fz$cr120C7tA0wDhXPrQHc3H1:15583:0:99999:7::: root:x:0:root bin:*:13665:0:99999:7::: bin:x:1:root,bin,daemon • faculty (all cs faculty) daemon:*:13665:0:99999:7::: daemon:x:2:root,bin,daemon • adm:*:13665:0:99999:7::: sys:x:3:root,bin,adm cs111sta (members of the … adm:x:4:root,adm,daemon CS111 teaching staff) lynux:$1$mUwRqvWp$2yfe5MJV0HbtdcDad8E7i/:15583:0:99999:7::: tty:x:5: • cs251stu (cs251 students) gdome:$1$d6tpFiwO$rBD5jd1ASAYatV2UuAlXW.:14274:0:99999:7::: disk:x:6:root cs342:$1$kmTSYJoG$0AnYYfykI2e/nWPRXdjwO.:14194:0:99999:7::: lp:x:7:daemon,lp mem:x:8: kmem:x:9: wheel:x:10:root Your Ubuntu VM uses longer salts and hashes: ... lynux:x:500: wendy:$6$FoFIUVCi$/FUkEldzfdJXMefmv/s76m4wRpeZPnHjsVdJ9pO.QgKWuZmV gdome:x:501: cjt5J53lZ8Sifj9Q3Pm6n6ukR9p8A1\43mnE2Q0:15594:0:99999:7::: cs342:x:502: cs342sta:x:503:cs342,lynux cs342stu:x:504:cs342,gdome,lynux Linux Authentication and Access Control 5-9 Linux Authentication and Access Control 5-10 LDAP Checking/Changing Who You Are Our networked dept. machines now use LDAP, a database system for o whoami: name associated with current uid users/groups that does not use /etc/passwd and /etc/group directly. o groups: groups of which current uid is a member (But you will be using /etc/passwd and /etc/group on the machines you o su username : "become" username administer in E125.) o su - username: "become" username, using initialization files On puma, use getent command to get info from the LDAP database: o su: "become" root (su = superuser) [fturbak@puma ~] getent passwd fturbak o sudo command: Execute command as root fturbak:x:708:708:Franklyn Turbak:/home/fturbak:/bin/bash (if youre in /etc/sudoers and you give your password.) [fturbak@puma ~] getent passwd acarnigl acarnigl:x:4568:4569:Allison Carniglia class of 2013:/students/acarnigl:/usr/local/bin/scponly # /usr/local/bin/scponly only allows SCP, not login access. For 110/111 students [fturbak@puma ~] getent group cs242stu cs242stu:x:4678:networks,fturbak,amckenna,choover,clee2,cvaldes,kneugent,ksulliv3,lbell, gwunnava,skim17 http://xkcd.com/688/ Linux Authentication and Access Control 5-11 Linux Authentication and Access Control 5-12 Checking/Changing Who You Are: Examples sudo in Ubuntu [fturbak@puma ~] whoami fturbak [fturbak@puma ~] echo $UID The culture in Ubuntu is to use sudo rather than su to root. 708 [fturbak@puma ~] groups fturbak faculty cvs lumberjacks cs301stu cs301pri cs301sta itr2004 • Reminds you that you’re doing rooty things: less likely to cs230pri cs230sta cs230stu cs251pri cs251stu … accidentally do something bad (e.g. rm –rf * on /) [fturbak@puma ~] su – gdome Password: ********** • Don’t have to remember root password, only your own. [gdome@puma ~] whoami gdome • Can still become root if you want to (red part not echoed) [gdome@puma ~] echo $UID 707 wendy@cs342-ubuntu-1:~$ sudo su – [gdome@puma ~] groups gdome cs301stu cs230stu cs251stu cs235stu cs242stu [sudo] password for wendy: Tr0ub4dor&# [gdome@puma ~] su – root@cs342-ubuntu-1:~# Password: ********** [root@puma ~] whoami root [root@puma ~] echo $UID 0 [root@puma ~] groups root bin daemon sys adm disk wheel Linux Authentication and Access Control 5-13 Linux Authentication and Access Control 5-14 passwd: Change Password useradd: Create User Account Sudoer wendy changes guest password (red parts not echoed) Sudoer wendy adds user acct1 wendy@cs342-ubuntu-1:~$! sudo passwd guest wendy@cs342-ubuntu-1:~$! sudo useradd -m -s /bin/bash [sudo] password for wendy: Tr0ub4dor&# acct1 [sudo] password for wendy: Tr0ub4dor&# Enter new UNIX password: foobar Retype new UNIX password: foobar • By default, puts user in empty group with same name as user passwd: password updated successfully /etc/passwd now has: acct1:x:1101:1101::/home/acct1:/bin/bash! /etc/group now has: acct1:x:1101: • As root, wouldn’t need extra sudo password • Still need to set password (via passwd); ! in /etc/shadow locks user out: acct1:!:15601:0:99999:7::: • Can change anyone’s password as root • -m creates account /home/acct1 • Anyone change her own password w/o being root. • -s specifies shell program for user. • Many more options; see man useradd • Add user to group sudo to make her a sudoer • There are graphical user interfaces for creating accounts, setting passwords, etc. but you will not have access to these in CTF. So best to learn shell commands instead! Linux Authentication and Access Control 5-15 Linux Authentication and Access Control 5-16 File Permissions in Linux What Do Permissions Mean? [lynux@localhost cs342]$ ls -al handouts total 68 o On file: drwxrwx--- 4 lynux lynux 4096 2008-09-12 07:36 . drwxrwxr-x 6 lynux lynux 4096 2008-09-02 03:08 .. r: can read from file drwxrwx--- 2 lynux lynux 4096 2008-09-02 03:15 course-info -rw-rw---- 1 lynux lynux 638 2008-09-09 08:59 linux-commands.txt w: can write to file -rw-rw---- 1 lynux lynux 12335 2008-09-12 07:33 os-security.txt -rw-rw---- 1 lynux lynux 3073 2008-09-11 21:27 os-security.txt~ x: can execute file as a program drwxrwx--- 2 lynux lynux 4096 2008-09-09 05:38 security o On directory: How do you read a permission string (e.g. drwxrwxr-x, -rw-rw----)? r: can list the filenames in the directory. Leftmost chars: Other 9 chars: w: can add new file and delete existing file read (r), write (w), execute (x) (even if don't have any permissions on file!) - normal file permissions for 3 entities: x: can cd to directory and “search” files in directory d directory • 3 chars for owner (u=user); (i.e., get inode information necessary for file contents.) l link • 3 for group (g); s socket • 3 for everyone else (o=other) Linux Authentication and Access Control 5-17 Linux Authentication and Access Control 5-18 Special permissions Permissions as Bits & Octal Numbers There are 12 (not 9) permission bits in Linux. 11 10 9 8 7 6 5 4 3 2 1 0 11 10 9 8 7 6 5 4 3 2 1 0 set set stic- user user user group group group other other other uid gid key r w x r w x r w x set set stic- user user user group group group other other other

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    12 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us