Authentication Modules for Linux
Arun Bagul
Friday, January 26, 2007 1

Thought of the Day...
“We all are in mission of learning,
What learning will give?
-when learning is purposeful,
creativity blossoms,
when creativity blossoms,
thinking emanates,
when thinking emanates,
knowledge is fully floats,
When knowledge fully floats,
economy fully flourishes”.
- APJ Abdul Kalam
Friday, January 26, 2007 2

What will you learn?...
Authentication

 PAM (Pluggable Authentication Modules)
 PAM Modules and Architecture
 How to configure PAM?
 NSS (Name Service Switch)
 Different methods of User Admin.
 PAM with MySQL
Friday, January 26, 2007 3

Authentication…
What is Authentication?

 Why Authentication?
 Different types of Authentication
Basic, single-factor

 Multi-factor
 Cryptographic
Friday, January 26, 2007 4

What is Authentication?
Act of establishing identity

 Identity: users, systems, applications and
messages
 Legal process
Friday, January 26, 2007 5

Why Authentication?
Control access and privileges

 Bind some sensitive data
 Establish trusted multiple parties
 Maintain, secure data/privacy
Friday, January 26, 2007 6

Different types of Authentication
1) Basic, single-factor
common password

host or system names

 application names
 numerical ids
Friday, January 26, 2007 7

Different types of Authentication
2) Multi-Factor
name and password

smart cards

 biometric information
Friday, January 26, 2007 8

Different types of Authentication
3) Cryptographic
Public key authentication

 Digital signature
Friday, January 26, 2007 9

PAM (Pluggable Authentication Modules)
What is PAM?

 Why PAM?
 Advantages
 User administration
Friday, January 26, 2007 10

PAM Architecture
MySQL
Friday, January 26, 2007 11

PAM Modules
Authentication management

 Account management
 Session management
 Password management
Friday, January 26, 2007 12

PAM Modules syntax…
<module> <control-flag> <module-path>
<argument>
auth required /lib/security ignore
account requisite ok
session sufficient done
password optional
e.g.:-
auth required pam_issue.so issue=/etc/issue
auth requisite pam_securetty.so
account requisite pam_time.so
Friday, January 26, 2007 13

How to configure PAM
/etc/pam.d/login
auth requisite pam_securetty.so
session required pam_env.so readenv=1
auth optional pam_group.so
@include common-auth
@include common-account
@include common-session
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard
@include common-password
Friday, January 26, 2007 14

How to configure PAM
/etc/pam.d/common-session
#session required pam_unix.so
#session optional pam_foreground.so
session required pam_mkhomedir.so skel=/etc/skel/
session sufficient pam_unix.so
session required pam_mysql.so
config_file=/etc/pam_mysql.conf
/etc/pam.d/common-password
password sufficient pam_unix.so nullok obscure min=4 max=8 md5
password required pam_mysql.so config_file=/etc/pam_mysql.conf
/etc/pam.d/common-account
account sufficient pam_mysql.so config_file=/etc/pam_mysql.conf
account required pam_unix.so
Friday, January 26, 2007 15

NSS (Name Service Switch)
MySQL
Friday, January 26, 2007 16

Different methods of User Admin.
PAM with MySQL

 PAM with Postgres
 LDAP
 Kerberos
 Samba
 OPIE (One time Password In Everything)
Friday, January 26, 2007 17

PAM with MySQL
pam_mysql

 libnss-mysql_1.0_4
 Database:- authentication
 Tables:- users, groups and authlog
/etc/pam_mysql.conf

 /etc/nsswitch.conf
 /etc/nss-mysql.conf
 /etc/nss-mysql-root.conf
 /etc/pam.d
Friday, January 26, 2007 18

PAM with MySQL
pam_mysql and libnss-mysql installation

# ./configure --with-pam-mods-dir=/lib/security
# dpkg –i libnss-mysql_1.0_4ubuntu.deb
create pam_mysql package for same configuration

Friday, January 26, 2007 19

PAM with MySQL
#/etc/pam_mysql.conf
users.host = 192.168.0.10
users.database = authentication
users.db_user = connect_auth
users.db_passwd = abc
users.where_clause = users.status = 'A' AND users.allowed_hosts LIKE
'%hostname%';
users.table = users
users.update_table = users
users.user_column = user_name
users.password_column = password
users.password_crypt = 1
log.enabled = 1
log.table = authlog
Friday, January 26, 2007 20

PAM with MySQL
#/etc/nsswitch.conf
files mysql
passwd:
files mysql
group:
files mysql
shadow:
Friday, January 26, 2007 21

PAM with MySQL
#/etc/nss-mysql.conf
## DB Access
users.host = inet:192.168.0.10:3306;
users.db_user = query_auth;
users.db_password = xyz
## USERS
users.table = users;
users.user_column = users.user_name;
users.user_column = users.user_name;
Friday, January 26, 2007 22

Authentication Modules for Linux
Thank you
www.magnettechnologies.com
arun.bagul@magnettechnologies.com
Ph:- 022 6719200, 9890756335
Friday, January 26, 2007 23