Authentication:

• What does this term actually mean?
• Provides assurances that the communicating parties are who they claim
• We also talk about message authentication....really we mean data integrity. We need assurances that the data received from one party is truly from that party AND that the message has NOT been tampered with by another party.
• End user authentication.....verify who you are and that you have access permissions
  • Multi-factor authentication
    • Factor 1: something you know....like a password
    • Factor 2: something you have....like a smartphone that receives a time-based second password
  • Google and Clemson have moved to two-factor authentication
    • Clemson's info
  
  
• Linux passwords
  • Every file has an owner and a group
    • Kernel tracks access through user identification numbers (UIDs) and group identification numbers (GIDs)
    • Access maintained through three files
      
      • /etc/passwd   : 7 fields includinguser name, optional password, userid, group id,....
        
      • /etc/shadow:  9 fields, includes user name, encrypted password (see man shadow)
        
      • /etc/group:     :      group_name:passwd:GID:user_list
        • jjm:x:1000    the x says no password
        • sudo:x:27:jjm  this says  jjm is a member of group sudo
  • SUID is set on the passwd command giving callers temporary root access so the password related files in /etc can be accessed
    • /etc/passwd : user account info
    • /etc/shadow : secure user account info
    • /etc/shadow- backup of shadow
  • /etc/passwd - fields separated by ':', showing two example entries
    • jjm:x:1000:1000:Jim,,,:/home/jjm:/bin/bash
    • sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
      
    • username, placeholder for pwd, UID, GID, comment, home directory, user shell
  • /etc/shadow - access by sudo less /etc/shadow
    • jjm:$6$KXWkvPBF$PWNk5ynTKrwDeDcSHIiL2Ah5FymTssqfvjhJSqT5ImjXXmWwvT.hX0sC0QWh0I9jUbmE1mVKfucxza5GPoiOy0:17183:0:99999:7:::
      sshd:*:17203:0:99999:7:::
      
    • Username, salt/hashed pwd, time since last change (days), days until allowed to do a new password (0 is no restriction), Days until force new password (99999 implies never require new pwd), days of warning before required change (7 default),
    • salt/hash: actually three fields
      • $x : 1:MD5,...$5 sha256 $6 sha512
      • salt: one input to the hash function, the other input is the password,- the output of the hash is the next field
      • $hash
  • Tutorial on end user authentication
    
• ssh authentication:
  • ssh normally is setup to use public key crypto to verify remote hosts
    • The remote's public keys must be in local host's /etc/ssh_known_hosts or ~/.ssh/known_hosts
      • Config policy on ubuntu : /etc/ssh/sshd_config
        • Default prevents simple encrypted password: #PasswordAuthentication yes
        • Text (Ch22) recommends:
          • RhostsAuthentication no //won't bypass auth if local host in shosts
          • RhostsRSAAuthentication no //won't allow shosts even with key
          • RSAAuthentication yes
          • PasswordAuthentication yes
          • PermitRootLogin no
    • When you ssh to a server for the first time (pick a dept server that you have not logged into before), you will be shown a message :
      • ssh jmarty@hornet6.cs.clemson.edu The authenticity of host 'hornet6.cs.clemson.edu (130.127.48.170)' can't be established. ECDSA key fingerprint is cd:3e:49:19:5f:b0:ef:d6:57:b9:ee:6e:16:53:65:84. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'hornet6.cs.clemson.edu,130.127.48.170' (ECDSA) to the list of known hosts. Password:
      • If you continue, you will establish a secure communications channel with hornet6....the problem is we do not know for sure if the destination is actually the 'hornet6' that we assume (i.e., this could be a person-in-the-middle attack).
      • Alternative: establish trusted identify using ssh keys. See this article.
        
• apache web page authentication (i.e., how to require a user to enter a username/pwd to access a page)
  • decent tutorial on apache's htaccess
  • let's say we want to protect the page http://mysite/protected/index.html
  • in the directory where mypage.html exists, create .htaccess
    • Example .htaccess assuming access name testuser1 and your web account user is sysadminJoe with your web files located at /home/sysadminJoe/public_html/ and there is a directory ./protected that contains content that is meant for limited access. Create a file .htaccess in the directory ~/protected that contains the following liines:
      • ShibDisable On
      • AuthType Basic
      • AuthName "Password Protected Area"
      • AuthUserFile /full path/to/.htpasswd
      • require user testuser1
    • To create the username and password:
      • In the ./protected directory, issue:
        • htpasswd -c .htpasswd testuser1

 

Last updated: 4/22/2018