path: root/lectures/04-authentication-and-directory-services.org

#+title: Authentication and Name Services
#+date: 2026-03-30 Mon
#+author: W. Kosior
#+email: wkosior@agh.edu.pl

* Pluggable Authentication Modules
- in many UNIX'es
- replace =/etc/shadow=
  - SQL database?  No problem.
  - TOTP?
  - smart cards?
  - How about LDAP?
  - =apt-cache search libpam- | grep -cE 'PAM .*module'= → 41
- SSO
- Windows equivalent: Security Support Provider Interface

* PAM — Config
#+begin_example
$ ls /etc/pam.d/
chfn             common-session-noninteractive  newusers   su
chpasswd         cron                           other      su-l
chsh             cups                           passwd     sudo
common-account   lightdm                        ppp        sudo-i
common-auth      lightdm-autologin              runuser    xfce4-screensaver
common-password  lightdm-greeter                runuser-l
common-session   login                          sshd
#+end_example

* PAM — Config, Cont.
#+begin_example
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
#+end_example

/source: [[https://wiki.debian.org/LDAP/PAM]]/

* PAM — Config, Cont…
=/etc/pam.d/common-auth=
#+begin_example
auth    [success=2 default=ignore]      pam_unix.so nullok
auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so
#+end_example

* PAM — Config — Management Groups
/(aka types)/
- =auth=
- =account= (access management other than auth)
- =passwd= (updating password)
- =session= (actions related to session start / end)

* PAM — Config — Control Values
- =required=
- =requisite= (immediate return)
- =sufficient= (immediate return)
- =optional=
- =include= (other file)
- =substack= (other file)
- =[success=ok new_authtok_reqd=ok ignore=ignore default=bad]=

* =get*()=
- =getpwent()=
- =getgrent()=
- =getaddrinfo()=
- =getnameinfo()=
- =getnetent()=
- …

* getent
- hosts
- passwd
- shadow
- group
- ahosts
- networks
- …

* NSS
- =/etc/nsswitch.conf=
- sample entry: =passwd: files systemd ldap=
  - queries for passwd entries should use, in order:
  - =/etc/passwd= file
    - (=/usr/lib/x86_64-linux-gnu/libnss_files.so.2= service module)
  - systemd-userdb
    - (=/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2= service module)
  - ldap
    - (=/usr/lib/x86_64-linux-gnu/libnss_ldap.so.2= service module)

* NSS, Cont.
- sample entry: =hosts: files mdns4_minimal [NOTFOUND=return] dns=
  - queries for host addresses/names should use, in order:
  - =/etc/hosts= file
  - Multicast DNS (=*.local= names)
    - terminating immediately if a =*.local= name was being queried
  - dns (=/etc/resolv.conf=)

* nscd
- caching
- sometimes replaced with systemd-resolved…
- query time reduction
  - DNS
  - remote passwd, etc. entries

* Hostnames
How does the OS know localhost → 127.0.0.1?
- =/etc/hosts= (read by the =files= service of NSS)
- sample entry: =149.156.98.68 galaxy.agh.edu.pl galaxy home.agh.edu.pl home=
  - IP address
  - canonical name
  - aliases
- try, say, the replacement 127.0.0.1 → 127.3.4.5 in =/etc/hosts=

* Domain & FQDN
- =/etc/hostname=
  - read and stored in the kernel (=sethostname()=)
- domain & Fully Qualified Domain Name
  - every network-plugged computer is in a domain and has a name
    - RIGHT!?
  - Debian et al. use
    - =/etc/hostname= → hostname
    - hostname & =/etc/hosts= → FQDN
    - hostname & FQDN → domainname

* LDAP
- X.500 (Directory Access Protocol) → L(ightweight)DAP
- ports: 389, 636 (TLS)
- *directory services*
  - hierarchical database
- sample uses:
  - information about people
  - \________"\________ assets/property
  - \________"\________ groups/projects
  - DNS data
- used for SSO
  - both UNIX (PAM) & Windows
    - (Active Directory ⊃ LDAP)

* Object Identifiers
- for: things, concepts…
- =1.3.91= — Cisco Systems
- =2.16.840.1.101.3.7.2.1.0= — X.509 Certificate for Digital Signature
- =1.3.6.1.1.1.2.0= — posixAccount Object Class (RFC 2307)
- =1.3.6.1.1.1.1.1= — gidNumber Attribute Type  \____"\_____

* Directory Information Tree
#+begin_example
                    "" (empty)
                    |
                  dc=com
                    |
                dc=example
                /     \
               /       \
         ou=users    ou=groups
         /     |           \
        /      |            \
 cn=theodore cn=eugenia   cn=students
#+end_example

(domain component, organizational unit, common name)

* Distinguished Names
- example: =cn=theodore,ou=users,dc=example,dc=com=
- Relative Distinguished Names (1 or more per level)
  - example: =ou=users=

* Entities & Attributes
#+begin_example
dn: cn=theodore,ou=users,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: theodore
uid: theodore
uidNumber: 1041
gidNumber: 103
homeDirectory: /home/users/theodore
loginShell: /bin/bash
userPassword: {SSHA}0XMFoclVCl2DEl+lKvNgX+za5H3IdWgBVkZf
#+end_example

* Entities & Attributes — Schema
#+begin_example
( 0.9.2342.19200300.100.1.1 NAME 'uid' EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256}
X-ORIGIN 'RFC 1274' )
#+end_example

- OpenLDAP → schema itself in the directory service
- entities conform to types
- can define own object classes / attribute types

* LDIF
#+begin_example
dn: cn=theodore,ou=users,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}GcSgGl/7qsbOr4cJcwaXrNX4k52RYziVav4E
-
add: description
description: A *nix fan.
#+end_example

* LDAP Operations
- modifications
- queries
  - filter example: =(&(|(cn=theodore)(cn=alexander))(gidNumber=103))=
- indexes possible (and used!)

* LDAP Security
- binding
  - e.g., as =cn=admin,dc=example,dc=com=
  - or =cn=theodore,ou=users,dc=example,dc=com=
  - or anonymous
- ACLs
  - read permission
  - write permission
  - authenticate permission
  - in case of OpenLDAP — stored in directory service itself

* Simple Authentication and Security Layer
- authentication independent from protocol / application
- used in IMAP, SMTP, XMPP, *LDAP*
  - not mandatory to be able to set up
- recognizable SASL mechanisms (do not use the first 3 (without TLS))
  - LOGIN
  - PLAIN
  - DIGEST-MD5
  - EXTERNAL (application-specific semantics)
    - ldapi ("inter-process", socket)
    - TLS (client cert)
  - NTLM (nonstandard for Microsoft fans)
  - GSSAPI

* Directory Services — Popular Software
- 389 Directory Server
  - commercial version: Red Hat Directory Server
- Active Directory (Microsoft)
- OpenLDAP
- modules?

* Generic Security Services Application Programming Interface
- the SASL mechanism most useful to us
- *Kerberos* authentication
- data security included
  - (unlike in other listed mechanisms)

* Kerberos
- realms (e.g., =EXAMPLE.COM=)
- principals
  - people (e.g., =theodore@EXAMPLE.COM=)
  - services (e.g., =nfs-server/titan@EXAMPLE.COM=)
  - machines
- symmetric cryptography
  - secrets shared between Kerberos servers and clients

* Kerberos Authentication
- Client (e.g., user)
- Authentication Server
- Ticket-Granting Server
- Service (e.g., NFS server; also technically a /client/)

* Kerberos Authentication, Cont.
1. C → AS: =C_name=
2. AS → C: =encrypt(TGS_session_key, C_key)=
3. AS → C: =TGT = encrypt(C_name.TGS_session_key.…, C_key)=
4. C → TGS: =TGT.S_name=
5. C → TGS: =encrypt(C_name.…, TGS_session_key)=
6. TGS → C: =encrypt(C_name.S_session_key.…, S_key)=
7. TGS → C: =encrypt(S_session_key, TGS_session_key)=
8. C → S: =encrypt(C_name.S_session_key.…, S_key)=
9. C → S: =encrypt(C_name.timestamp, S_session_key)=
10. S → C: =encrypt(C_name.incr(timestamp), S_session_key)=

* NFS Security
- sys
- dh
- krb5
- krb5i
- krb5p