
Presentation I did for the Nashville Linux User Group on 8/13/2013. Presented on Sudo, Kerberos, and Privileged Access Suite for Unix, which includes Authentication Services, Quest One Privilege Manager for Sudo, and Privilege Manager for Unix.

Speaker notes
  • Dell Software is positioned to address the mega trends impacting IT today, with solutions for each of them.
  • The Dell Software portfolio is comprised of these major acquisitions as well as many smaller ones that Quest Software had made in recent years, such as vKernel and ScriptLogic. Within the portfolio of these companies are notable, leading product lines such as: Cloud & data center: KACE, Foglight, Windows management and migration software. Information management: Toad, Kitenga, SharePlex. Mobile workforce: KACE, vWorkspace, SonicWALL Next-Gen Firewall. Security: SonicWALL Next-Gen Firewall, Quest One Identity and Access Management. Data protection: AppAssure, vRanger, NetVault.
  • In the comic, Cueball is demanding a sandwich from a friend. Not having been asked properly, the friend denies the request. Cueball then (ab)uses the sudo command on the friend, who then has no choice but to go and make the sandwich, because Cueball has all rights. The title text references this abuse, noting that an administrator should configure proper use of the command in order to control his system. Simon Says is a children's game in which a leader gives various commands, which must be followed only when prefixed with "Simon says". Wikipedia suggests "Simon" may be the powerful lord Simon de Montfort, or a corruption of Cicero, both of whom were influential politicians of their day.
  • Mention there is a play that MIT developed that acts out the Kerberos protocol:
  • Developed by MIT as part of Project Athena in 1983 (alongside X Windows and Zephyr). The first three versions were never publicly released. Version 4 is retired, and version 5 is the current version (see RFC 4120). Adopted as the authentication protocol of choice for Active Directory. Many updates to the standard: RFCs 4537, 5021, 5896, 6111, 6112, 6113, 6649, 6806.
  • Demo script. Windows machine: show a Unix-enabled user (RFC 2307); show Group Policy; show Management Console for Unix and profiling. Linux machine: log in as root and show that the user is not in /etc/passwd; cat /etc/nsswitch.conf and give a quick explanation of nsswitch; look at /etc/pam.d and give a quick explanation of PAM; log out and log in as the user; run a sudo command as the user; single sign-on as the user to another machine from Linux. Log back into Windows: show the recorded sudo command; single sign-on from Windows to Linux.
  • NLUG_Sudo_Kerberos_PAS4U
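The check behind the Linux half of the demo script above, written here as an added example (it is not Quest/Dell tooling and not code from the deck): an account that is absent from /etc/passwd still resolves and can log in because the C library walks the sources listed on the passwd line of /etc/nsswitch.conf, and PAM decides how the user is authenticated. The function below resolves an account the same way login and sudo do (through NSS via the pwd module), compares that with the flat file, and reports which lookup sources are configured. Paths are the standard ones; a source named vas4 in the comment is an assumption about what an AD bridge adds.

```python
"""Classify where a Unix account comes from: local /etc/passwd or an NSS source such as an AD bridge."""
import pwd
import re


def nsswitch_sources(database="passwd", path="/etc/nsswitch.conf"):
    """Ordered lookup sources for one NSS database, e.g. ['files', 'vas4'] (vas4 is an assumed
    AD-bridge module name). Returns [] when the file is absent, e.g. on non-glibc systems."""
    try:
        with open(path) as fh:
            for raw in fh:
                line = raw.split("#", 1)[0].strip()          # drop comments
                m = re.match(rf"{database}\s*:\s*(.*)", line)
                if m:
                    # skip action brackets such as [NOTFOUND=return]; keep the source names
                    return [tok for tok in m.group(1).split() if not tok.startswith("[")]
    except OSError:
        pass
    return []


def in_passwd_file(user, path="/etc/passwd"):
    """True only if the account is defined in the local flat file (first colon-separated field)."""
    try:
        with open(path) as fh:
            return any(line.split(":", 1)[0] == user for line in fh)
    except OSError:
        return False


def account_origin(user):
    """Resolve through NSS (pwd.getpwnam), the same path login and sudo use, and explain the result."""
    try:
        entry = pwd.getpwnam(user)
    except KeyError:
        return {"user": user, "resolves": False, "in_passwd_file": in_passwd_file(user),
                "origin": "unknown", "sources": nsswitch_sources()}
    local = in_passwd_file(user)
    return {"user": user, "resolves": True, "uid": entry.pw_uid, "in_passwd_file": local,
            "origin": "local file" if local else "NSS source other than /etc/passwd",
            "sources": nsswitch_sources()}


if __name__ == "__main__":
    for name in ("root", "nobody-such-user"):
        print(account_origin(name))
```

The shell equivalent during the demo is `getent passwd <user>` (NSS) against `grep '^<user>:' /etc/passwd` (flat file); when the first succeeds and the second fails, the account is coming from one of the other sources the passwd line names.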

    1. Helpful links
       • Overview of the Solution – Privileged Access Suite for Unix –
       • Free e-book – management-iam-for-unix-based-systems823140#
       • Try it yourself –
    2. Dell Software: Privileged Access Suite for Unix. Tyler Reese, Program Manager
    3. Who is Dell Software?
    4. Dell Software solutions: Information management; Mobile workforce management; Data center and cloud management; Security and data protection
    5. Dell Software solutions capabilities
       • Data center & cloud management – Endpoint management; Performance management; Virtualization & cloud mgmt; Windows server mgmt
       • Mobile workforce management – Application enablement/delivery; Desktop virtualization; Mobile device mgmt; Mobile security
       • Information management – Application & data integration; Big data analytics; Business intelligence/analytics; Database management
       • Security – Email security; Endpoint security; Identity & access management; Network security
       • Data protection – Application protection; Disaster recovery; Enterprise backup/recovery; Virtual protection
    6. Dell Software solutions
    7. Open Source Authorization and Authentication
       • Sudo – Authorization
       • Kerberos – Authentication
       Together these give us Unix identity and access management.
    8. Sudo
    9. What is Sudo?
       • Sudo allows a system administrator to give users the ability to run commands as the superuser without having to run a root shell or su.
       • Sudo logs each command run.
       • Commands to be run are prefixed with "sudo".
       • The file that determines who can run what is called the sudoers file.
    10. Why do I need something like Sudo?
       • The UNIX root account is all or nothing.
       • Want everyone to have the root password? – Want to have to change it every time one of those folks leaves? – Remember, admins are "lazy": minimize unnecessary work! ;-)
       • Want to give selective root access by user/machine/command?
       • Want to know what someone did as root?
       • Can also be used to control other users ... but we don't use that yet.
       • Sudo can help you with all of these dilemmas!
    11. Brief History of Sudo
       1980 – First version from SUNY/Buffalo
       1985 – Updated version posted to net.sources
       1986 – CU-Boulder version
       1991 – Root Group version
       1994 – Todd Miller starts making releases derived from the Root Group sudo
       2011 – Sudo 1.8 released
    12. Dell and Sudo
       • Todd Miller starts maintaining sudo in his spare time in 1994
       • Vintela/Quest submits patches as part of open source extending –
       • Todd is hired by Quest to maintain sudo as part of his full-time job in 2010 – Sudo 1.8 is released in 2011 with new plugin functionality
       • Quest is acquired by Dell in 2012
       • Dell is helping to fund sudo 2.0
    13. /etc/sudoers
       # User_Alias definitions the specification below relies on (not on the slide;
       # taken from the sudoers(5) sample the slide's comments come from)
       User_Alias FULLTIMERS = millert, mikef, dowdy
       User_Alias PARTTIMERS = bostley, jwfox, crawl
       ##
       # User specification
       ##
       # root and users in group wheel can run anything on any machine as any user
       root       ALL = (ALL) ALL
       %wheel     ALL = (ALL) ALL
       # full time sysadmins can run anything on any machine without a password
       FULLTIMERS ALL = NOPASSWD: ALL
       # part time sysadmins may run anything but need a password
       PARTTIMERS ALL = ALL
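To make the user-specification syntax from the sudoers slide concrete, here is an added example (my code, not sudo's parser and not from the deck): a small evaluator that answers the question `sudo -l` answers on a real host: may this user run this command on this host as this target user, and does it need a password? It handles the constructs on the slide (ALL, %group, User_Alias, the optional (runas) list, NOPASSWD/PASSWD tags) and applies sudo's rule that the last matching entry wins. The policy text, the user names in the aliases, the group membership and the extra `alice` rule are constructed for the example; wildcards, `!` negation, Host_Alias and Cmnd_Alias are deliberately not supported, so `visudo -c` and `sudo -l -U user` on the real host remain the authoritative checks.

```python
"""Minimal evaluator for the sudoers user-specification grammar shown on the slide."""
import re

# Constructed sample: the slide's specification, the alias definitions it relies on, and one narrow rule.
SAMPLE_SUDOERS = """
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
# root and users in group wheel can run anything on any machine as any user
root       ALL = (ALL) ALL
%wheel     ALL = (ALL) ALL
# full time sysadmins can run anything on any machine without a password
FULLTIMERS ALL = NOPASSWD: ALL
# part time sysadmins may run anything but need a password
PARTTIMERS ALL = ALL
# alice may restart nginx on webhost, as root only, with exactly these arguments
alice      webhost = (root) /usr/sbin/service nginx restart
"""
SAMPLE_GROUPS = {"wheel": {"bob"}}  # constructed stand-in for the host's group database

# who  host = (runas, ...) [NOPASSWD:|PASSWD:] cmd, cmd, ...
RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]+)\)\s*)?(?:(NOPASSWD|PASSWD):\s*)?(.+)$")
ALIAS = re.compile(r"^User_Alias\s+(\w+)\s*=\s*(.+)$")


def parse_sudoers(text):
    """Return (aliases, rules) where rules keep file order, which matters for last-match-wins."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments and blank lines carry no policy
        if not line:
            continue
        m = ALIAS.match(line)
        if m:
            aliases[m.group(1)] = {u.strip() for u in m.group(2).split(",")}
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line}")
        who, host, runas, tag, cmds = m.groups()
        rules.append({"who": who, "host": host, "nopasswd": tag == "NOPASSWD",
                      "runas": [r.strip() for r in (runas or "root").split(",")],  # runas defaults to root
                      "cmds": [c.strip() for c in cmds.split(",")]})
    return aliases, rules


def user_matches(spec, user, aliases, groups):
    if spec == "ALL":
        return True
    if spec.startswith("%"):                       # %group: membership in the group database
        return user in groups.get(spec[1:], set())
    if spec in aliases:                            # User_Alias name
        return user in aliases[spec]
    return spec == user


def cmd_matches(spec, command):
    if spec == "ALL" or spec == command:
        return True
    # a command spec written without arguments matches that program with any arguments, as in sudoers;
    # a spec with arguments matches only that exact command line
    return " " not in spec and command.split(" ", 1)[0] == spec


def check(policy, user, host, runas, command, groups=SAMPLE_GROUPS):
    """Return ("allow", nopasswd) or ("deny", False). As in sudo, the last matching rule wins."""
    aliases, rules = policy
    verdict = ("deny", False)
    for r in rules:
        if (user_matches(r["who"], user, aliases, groups)
                and r["host"] in ("ALL", host)
                and ("ALL" in r["runas"] or runas in r["runas"])
                and any(cmd_matches(c, command) for c in r["cmds"])):
            verdict = ("allow", r["nopasswd"])
    return verdict


if __name__ == "__main__":
    policy = parse_sudoers(SAMPLE_SUDOERS)
    for q in (("millert", "db1", "root", "/bin/bash"),
              ("bob", "db1", "postgres", "/usr/bin/psql"),
              ("alice", "webhost", "root", "/usr/sbin/service nginx restart"),
              ("alice", "webhost", "root", "/usr/sbin/service nginx stop")):
        print(q, "->", check(policy, *q))
```

The `alice` rule shows the practical point of the slide's "selective root access by user/machine/command": the same user is denied on any other host, for any other target user, and for any other arguments to the same program.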
    14. Kerberos
    15. What is Kerberos?
       • Cerberus – the three-headed dog that guards the gate to the underworld
       • Kerberos provides mutual authentication between network nodes
       • Time-sensitive protocol: clocks must be roughly in sync
       • Based on requesting and presenting tickets: a ticket-granting ticket (TGT) first, then service tickets
    16. Why do I need something like Kerberos?
       • Delegated authentication – Credentials follow you
       • Single sign-on – Once you sign on to your box, you don't need to use your password again
       • Interoperability – Standards based, supported by major vendors
       • More efficient authentication – Reuse credentials, no need to hit the authenticator every time
       • Mutual authentication – A trust relationship is established and then checked every time authentication happens
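The ticket flow the two Kerberos slides above describe, walked through as an added example (my code, not from the deck and not MIT or Heimdal code): a toy KDC, service and client in Python perform the AS, TGS and AP exchanges with the checks that make Kerberos "time sensitive" and "mutual". The principal names (tyler, krbtgt, host/linux1), the password, the 5-minute skew, the 10-hour ticket lifetime and the JSON message shapes are assumptions; the cipher is a stand-in for a Kerberos enctype and must never be used as one.

```python
"""Toy Kerberos 5 AS/TGS/AP exchange: tickets, authenticators, skew and mutual authentication."""
import hashlib, hmac, json, os, time

SKEW = 300        # seconds of clock skew tolerated for authenticators (assumed; 5 min is the usual default)
LIFETIME = 36000  # toy ticket lifetime in seconds (assumed)


def string_to_key(principal, password):  # toy stand-in for the Kerberos string-to-key function
    return hashlib.sha256(f"{principal}:{password}".encode()).digest()


def _keystream(key, nonce, n):
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]


def seal(key, obj):
    """Encrypt-then-MAC a JSON object under key (toy authenticated encryption, not a real enctype)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def check_authenticator(auth, ticket, now):
    """The checks every ticket verifier makes: names agree, ticket unexpired, timestamp fresh."""
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator/ticket client mismatch")
    if now > ticket["expires"]:
        raise ValueError("ticket expired")
    if abs(now - auth["time"]) > SKEW:
        raise ValueError("clock skew too great")  # the KRB_AP_ERR_SKEW case


class KDC:
    def __init__(self, keys):
        self.keys = keys  # principal name -> long-term key (the KDC database)

    def as_exchange(self, client, now):
        # AS-REQ/AS-REP: a session key for the TGS, returned under the client's key, plus the TGT.
        # Without pre-authentication the KDC answers anyone who names a principal; the client's key
        # never leaves the client, but the reply can be attacked offline, which is why real KDCs require pre-auth.
        sk = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk.hex(), "expires": now + LIFETIME})
        return seal(self.keys[client], {"key": sk.hex(), "server": "krbtgt"}), tgt

    def tgs_exchange(self, tgt, authenticator, service, now):
        # TGS-REQ/TGS-REP: prove possession of the TGT session key, receive a ticket for `service`.
        t = unseal(self.keys["krbtgt"], tgt)
        sk = bytes.fromhex(t["key"])
        check_authenticator(unseal(sk, authenticator), t, now)
        svc_key = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_key.hex(), "expires": now + LIFETIME})
        return seal(sk, {"key": svc_key.hex(), "server": service}), ticket


class Service:
    def __init__(self, name, key):
        self.name, self.key = name, key  # the service's keytab entry

    def ap_exchange(self, ticket, authenticator, now):
        # AP-REQ/AP-REP: verify the ticket, then prove we hold the session key (mutual authentication).
        t = unseal(self.key, ticket)
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        check_authenticator(auth, t, now)
        return t["client"], seal(bytes.fromhex(t["key"]), {"time": auth["time"]})


def client_login(kdc, service, principal, password, now, client_clock=None):
    """Client side: one password use at login, then reach `service` on tickets alone."""
    client_clock = now if client_clock is None else client_clock
    as_rep, tgt = kdc.as_exchange(principal, now)
    sk = bytes.fromhex(unseal(string_to_key(principal, password), as_rep)["key"])  # wrong password fails here
    tgs_rep, ticket = kdc.tgs_exchange(tgt, seal(sk, {"client": principal, "time": client_clock}), service.name, now)
    svc_key = bytes.fromhex(unseal(sk, tgs_rep)["key"])
    who, ap_rep = service.ap_exchange(ticket, seal(svc_key, {"client": principal, "time": client_clock}), now)
    if unseal(svc_key, ap_rep)["time"] != client_clock:  # the service must echo our timestamp under the session key
        raise ValueError("service failed mutual authentication")
    return who


def run_demo(now=None):
    """Constructed realm: one user, the TGS and one host principal. Returns the outcome of three logins."""
    now = int(time.time()) if now is None else now
    kdc = KDC({"tyler": string_to_key("tyler", "correct horse"), "krbtgt": os.urandom(32), "host/linux1": os.urandom(32)})
    svc = Service("host/linux1", kdc.keys["host/linux1"])
    results = {"ok": client_login(kdc, svc, "tyler", "correct horse", now)}
    for label, pw, clock in (("bad_password", "wrong", now), ("clock_skew", "correct horse", now + 600)):
        try:
            client_login(kdc, svc, "tyler", pw, now, clock)
            results[label] = "accepted"
        except ValueError as e:
            results[label] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    print(run_demo())
```

Three things from the slides are visible in the code: the password is used once, locally, to open the AS-REP and never crosses the wire ("credentials follow you"); every later hop is a ticket plus a fresh authenticator, so the authenticator is never contacted again for the same session; and a client whose clock is 10 minutes off is refused at the TGS before any service is reached, which is the operational reason AD-joined Unix hosts must keep NTP working.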
    17. History of Kerberos
       1983 – Developed by MIT as part of Project Athena
       1985–1991 – Versions 1–3 developed internally
       1993 – Version 5 released (current version)
       1999 – Active Directory adopts the Kerberos standard
       2005 – Version 5 updated (RFC 4120)
       2006 – Version 4 EOL'ed
    18. Dell and Kerberos
       • Vintela, a startup born from SCO/Caldera, 2002
       • Builds an AD bridge product and releases it in 2003
       • Lots of custom code to get around MS extensions to Kerberos
       • Engineering work is submitted back through the Heimdal code base
       • Most Kerberos code (MIT and Heimdal) now supports the basic MS implementation
    19. The Privileged Access Suite for Unix
    20. The problem with Unix security
       • Box-by-box identity management
       • NIS is less secure
       • No delegation of the "root" account
       • Native reporting for access control is manual and error prone
    21. The solution: Privileged Access Suite for Unix
       • Consolidates identities
       • Extends the security of Active Directory to Unix-based systems and applications
       • Audit trail for individual accountability
       • Enables least-privileged access for "root"
       • Centralized and single-source access control reporting
    22. (no text on slide)
    23. Management Console for Unix: AD Bridge; Unix Delegation (Replace Sudo / Enhance Sudo)
    24. AD Bridge
       • Centralized authentication – Authenticate through AD Kerberos; Consolidate identities & directories; Eliminate non-secure authentication methods
       • Extend AD Kerberos single sign-on – Unix, Linux, and Mac; Standards-based applications; Achieve single sign-on for SAP
       • Configuration and administration – Migrate and manage NIS data; Leverage Group Policy for Unix, Linux and Mac
       • Enhance password security – Extend AD password policies; Eliminate redundant, inconsistent, and non-secure passwords; Extend AD-based self-service password reset capabilities
    25. Unix delegation
       • Enhance sudo – Central administration & management; Centralized access reporting; No new training required; No need to update scripts & applications
       • Replace sudo – Central administration & management; Centralized access reporting; Advanced capabilities: restricts shells, restricts remote host command execution, and blocks shell escapes ("escape out" from an allowed command)
    26. Demo
    27. Recap
       • Dell is more than just a hardware company
       • We use and contribute to OSS and standards in many of our products – Heimdal (Kerberos), OpenLDAP, sudo, SSH, Samba, Apache – RFC 2307, RFC 4120
       • Dell Software has been contributing to open source software for over 10 years
       • Continues to fund open source projects through direct investment or code contributions
    28. Questions?