Documentation< Previous | Contents | Next >
DHCP client machines will usually be configured using a GUI that configures the dhcpcd, the DHCP client daemon. Check your system documentation if you need to configure your machine as a DHCP client.
10.3.9. Authentication services
10.3.9.1. Traditional
Traditionally, users are authenticated locally, using the information stored in /etc/passwd and
/etc/shadow on each system. But even when using a network service for authenticating, the local files will always be present to configure system accounts for administrative use, such as the root account, the daemon accounts and often accounts for additional programs and purposes.
These files are often the first candidates for being examined by hackers, so make sure the permissions and ownerships are strictly set as should be:
bob:~> ls -l /etc/passwd /etc/shadow
-rw-r--r-- 1 root root 1803 Mar 10 13:08 /etc/passwd
-r-------- 1 root root 1116 Mar 10 13:08 /etc/shadow
bob:~> ls -l /etc/passwd /etc/shadow
-rw-r--r-- 1 root root 1803 Mar 10 13:08 /etc/passwd
-r-------- 1 root root 1116 Mar 10 13:08 /etc/shadow
10.3.9.2. PAM
Linux can use PAM, the Pluggable Authentication Module, a flexible method of UNIX authentication. Advantages of PAM:
• A common authentication scheme that can be used with a wide variety of applications.
• PAM can be implemented with various applications without having to recompile the applications to specifically support PAM.
• Great flexibility and control over authentication for the administrator and application developer.
• Application developers do not need to develop their program to use a particular authentication scheme. Instead, they can focus purely on the details of their program.
The directory /etc/pam.d contains the PAM configuration files (used to be /etc/pam.conf). Each application or service has its own file. Each line in the file has four elements:
• Module:
♦ auth: provides the actual authentication (perhaps asking for and checking a password) and sets credentials, such as group membership or Kerberos tickets.
♦ account: checks to make sure that access is allowed for the user (the account has not expired, the user is allowed to log in at this time of day, and so on).
♦ password: used to set passwords.
♦ session: used after a user has been authenticated. This module performs additional tasks which are needed to allow access (for example, mounting the user's home directory or making their mailbox available).
The order in which modules are stacked, so that multiple modules can be used, is very important.
• Control Flags: tell PAM which actions to take upon failure or success. Values can be required, requisite, sufficient or optional.
• Module Path: path to the pluggable module to be used, usually in /lib/security.
• Arguments: information for the modules
Shadow password files are automatically detected by PAM.
More information can be found in the pam man pages or at the Linux-PAM project homepage.
10.3.9.3. LDAP
The Lightweight Directory Access Protocol is a client-server system for accessing global or local directory services over a network. On Linux, the OpenLDAP implementation is used. It includes slapd, a stand-alone server; slurpd, a stand-alone LDAP replication server; libraries implementing the LDAP protocol and a series of utilities, tools and sample clients.
The main benefit of using LDAP is the consolidation of certain types of information within your organization. For example, all of the different lists of users within your organization can be merged into one LDAP directory. This directory can be queried by any LDAP-enabled applications that need this information. It can also be accessed by users who need directory information.
Other LDAP or X.500 Lite benefits include its ease of implementation (compared to X.500) and its
well-defined Application Programming Interface (API), which means that the number of LDAP-enabled applications and LDAP gateways should increase in the future.
On the negative side, if you want to use LDAP, you will need LDAP-enabled applications or the ability to use LDAP gateways. While LDAP usage should only increase, currently there are not very many LDAP-enabled applications available for Linux. Also, while LDAP does support some access control, it does not possess as many security features as X.500.
Since LDAP is an open and configurable protocol, it can be used to store almost any type of information relating to a particular organizational structure. Common examples are mail address lookups, central authentication in combination with PAM, telephone directories and machine configuration databases.