Tom Kelliher, CS 325
Oct. 19, 2011
Trusted operating system design.
Authentication can be based upon:
We can slow down or thwart an attacker by introducing an artificial delay into a failed authentication, or even locking an account after failed attempts. This can have consequences.
Optimization: Start with shortest passwords.
This worked for me once.
Originally, encrypted passwords were not hidden. This has become a necessity with the arrival of password cracking software.
Use of a ``salt'' to disguise two users choosing the same password.
Your secret is an algorithm, rather than a password.
Authentication authenticates you to the system. How is the system authenticated to you?
How do you know that your password is being sent to the system, and not collected by a trojan program?
Generally known as PAM.
These are provided on an application-by-application basis:
For example, restricting use to a certain period of the day or according to resource availability.
For example, ensuring that a home directory on a remote disk is mounted and available.
Policy modules can be stacked.
auth required /lib/security/$ISA/pam_deny.so account required /lib/security/$ISA/pam_deny.so password required /lib/security/$ISA/pam_deny.so session required /lib/security/$ISA/pam_deny.so
auth required pam_stack.so service=system-auth account required pam_stack.so service=system-auth password required pam_stack.so service=system-auth
auth required /lib/security/$ISA/pam_env.so auth sufficient /lib/security/$ISA/pam_unix.so likeauth \ nullok auth required /lib/security/$ISA/pam_deny.so account required /lib/security/$ISA/pam_unix.so password required /lib/security/$ISA/pam_cracklib.so retry=3 \ type= password sufficient /lib/security/$ISA/pam_unix.so nullok \ use_authtok md5 shadow password required /lib/security/$ISA/pam_deny.so session required /lib/security/$ISA/pam_limits.so session required /lib/security/$ISA/pam_unix.so
auth sufficient /lib/security/$ISA/pam_rootok.so # Uncomment the following line to implicitly trust users in the # "wheel" group. #auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid # Uncomment the following line to require a user to be in the # "wheel" group. #auth required /lib/security/$ISA/pam_wheel.so use_uid auth required /lib/security/$ISA/pam_stack.so service=system-auth account required /lib/security/$ISA/pam_stack.so service=system-auth password required /lib/security/$ISA/pam_stack.so service=system-auth session required /lib/security/$ISA/pam_stack.so service=system-auth session optional /lib/security/$ISA/pam_xauth.soThe first line allows root to su to some other user without entering the root password.
auth sufficient pam_rootok.so auth sufficient pam_timestamp.so auth required pam_stack.so service=system-auth session required pam_permit.so session optional pam_xauth.so session optional pam_timestamp.so account required pam_permit.soNote the used of the ``cached'' previous authentication token on the second line.