Access and authorization

PAM

Pluggable authentication modules.

PAM provides libraries that compile into the application and acts as the interface for apps that require an authentication method. This includes the following:

  • Passwords: /etc/passwd and /etc/shadow
  • Certificate: PKI cert stores
  • Lightweight Directory Access Protocol (LDAP)
  • Kerberos: Kerberos issues a token to clients when they login to the system. These tokens can authenticate to multiple network resources. Also called single sign-on (SSO) bc you just login once to access multiple networked resources.
  • Multifactor auth (MFA): Includes biometrics, tokens, PKI, and password emails

Programs that use PAM services are compiled with libpam.so and have a PAM config file. You can determine if a program is PAM-aware with ldd:

# ldd prints shared object files
ldd /bin/login | grep libpam.so
	libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x000071b01ce9a000)


# view all PAM config files
ls -l /etc/pam.d/
-rw-r--r-- 1 root root  384 Nov 11  2021 chfn
-rw-r--r-- 1 root root   92 Nov 11  2021 chpasswd
...

Configuration file format

  • Each PAM-MODULE is called in the order it is listed in the config file. This is called the module stack.
# config file syntax
type control-flag pam-module [module-options]

cat /etc/pam.d/login 
#
# The PAM configuration file for the Shadow `login' service
#
...
auth       optional   pam_faildelay.so  delay=3000000
...
auth       requisite  pam_nologin.so
...
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
...
session    required     pam_loginuid.so
...
session    optional   pam_motd.so motd=/run/motd.dynamic
session    optional   pam_motd.so noupdate
...

Enforcing strong passwords

PKI

Public key infrastructure

encryption
When plaintext–human-readable text–is converted into ciphertext with cryptographic algorithms.
decryption
When ciphertext is converted into plaintext.
keys/cipher keys
Special data that encrypts and decrypts data. If you share encrypted data, you must also share a key to decipher it.

Certificates

  • certificate authority (CA) structure
    • CA verifies a person’s ID, then issues a digital cert
    • cert provides identification proof and an embedded key
    • Cert holder uses cert’s key to encrypt data and sign it using the certificate
  • Commercial CAs charge money
  • Can use self-signed cert

Key concepts

Two types of cipher keys:

  • Private keys. Symmetric keys: also called private or secret keys. Encrypts data with a crypto algorithm and a single key. Protected by a passphrase.
    • Bc there is only one key, you need to share the key if others are going to decrypt the data
  • Public/private key pairs. Assymetric keys: Used by SSH. Encrypts data with a crypto algorithm and a two keys. Public key is used to encrypt, private key is used to decrypt. Public key is meant to be shared.

Hashing

One-way algorithm that turns plaintext into fixed-length ciphertext. The ciphertext is called a message digest, hash, hash value, fingerprint, or signature.

  • Hashing algorithm needs to be collision free - it cannot create the same output for two different inputs.
  • non-salted and non-keyed message digests only use plaintext file as input.
  • salt is random data included with input file. Creates a salted hash.
  • keyed message digest is created with the plaintext file and private key. Used in SSH.

Digital signatures

A digital signature is a message digest of the original plaintext data, which is then encrypted with a user’s private key and sent along with the ciphertext. It provides authentication and data verification.

  • Ciphertext receiver decrypts the digital signature with the sender’s public key to get the original message digest
  • receiver also decrypts the ciphertext and hashes its plaintext data to create a new message digest
  • original and new message digests are compared.

SSH

  • Secure Shell (SSH), de facto standard software to send data securely across the network.
  • Uses assymetric (public/private) key pairs.
  • Keeps track of previously connected hosts in ~/.ssh/known_hosts
DistroOpenSSH package names
Rocky/RHELopenssh, openssh-clients, openssh-server
Ubuntuopenssh-client, openssh-server
ssh [options] username@hostname

# very verbose
ssh -vvv username@hostname

# send commands to remote system
ssh username@hostname "ls -lsogh ~/home/dirname"

rsync

rsync uses SSH to quickly copy files to a remote system in an encrypted tunnel:

rsync <filename> username@hostname:~/path/to/destination

Configuring SSH

SSH uses the following config files:

  • ~/.ssh/config: Individual user overrides. OpenSSH client config options. Can override with ssh command-line options.
  • /etc/ssh/ssh_config: System overrides (all users). OpenSSH client config options. Can override with ssh command-line options or ~/.ssh/config
  • /etc/ssh/sshd_config: System overrides (all users). OpenSSH daemon config options.

Common directives:

  • AllowTcpForwarding
  • ForwardX11
  • PermitRootLogin
  • Port
# remote SSH is listening on 1138
ssh -p 1138 10.20.30.40

Generating SSH keys

Keys use format ssh_host_KeyType_key, where KeyType is the digital signature algorithm used to create the keys.

  • Private keys should have 0640 or 0600 perms
  • Public keys should be world-readable
  • Keys that identify the server and their configuration files are in /etc/ssh
# generate keys
# -t is the KeyType
# -f names the private key file (public key is same with '.pub' extension)
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key

# ssh keys are stored in /etc/ssh
ls -log /etc/ssh/*key*
-rw------- 1  505 Apr 18 22:00 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r-- 1  175 Apr 18 22:00 /etc/ssh/ssh_host_ecdsa_key.pub
-rw------- 1  399 Apr 18 22:00 /etc/ssh/ssh_host_ed25519_key
-rw-r--r-- 1   95 Apr 18 22:00 /etc/ssh/ssh_host_ed25519_key.pub
-rw------- 1 2602 Apr 18 22:00 /etc/ssh/ssh_host_rsa_key
-rw-r--r-- 1  567 Apr 18 22:00 /etc/ssh/ssh_host_rsa_key.pub

Authenticating with SSH keys

You don’t have to use your password each time you authenticate to a remote system–you can use your SSH keys:

# 1. If you don't already have SSH keys on the client, generate them:
ssh-keygen -t rsa -f /.ssh/id_rsa

# 2. Copy client public key to ~/.ssh/authorized_keys
ssh-copy-id -p 2223 username@localhost

# dry run w -n option
ssh-copy-id -n -p 2223 username@localhost

Authenticating with the authentication agent

You must use a passphrase on the keys.

Example in the book wasn’t great, need a better tutorial or just authenticate with keys.

VPN

A Virtual Private Network (VPN) establishes a secure encrypted connection between two systems on separate networks with a public network in between.

  • OpenVPN is a popular OSS package
  • Don’t implement a VPN client that uses the PPTP protocol

Data packet transportation methods:

  • UDP-based systems have better performance than TCP-based systems
    • SSL/TLS: provides secure data encryption over a network between systems
    • TLS (Transport Layer Security): Symmetric encryption, prevents on path attacks and replay attacks
    • DTLS: Datagram TLS, uses UDP packets (faster than TCP) so sometimes called UDP TLS.
    • IPSec: Internet Protocol Security (IPSec) is a framework that operates at the network level. Has two modes; tunnel and transport