Accounts and Authentication
By: Tom Ockenhouse

What is Authentication?
► The process of attempting to verify the digital identity of the sender of a communication, such as a request to log in.
► The sender being authenticated may be a person using a computer, a computer itself or a computer program.
► A blind credential does not establish identity at all, but only a narrow right or status of the user or program.

What is a User Account?
Where is it stored?
► Most of the user account information is stored in the passwd file.
► Password encryption and password aging are stored in the passwd file when using NIS or NIS+ authentication standards.
► The passwd file consists of 6 fields:
► username password uid gid comment home-directory login-shell
► All Unix systems have an account called root, aka superuser.
► Admin or Superuser grants access to new users.

Common Users on UNIX
    Guest     None    Guest Access
    Demo      None    Demo Access
    Games     None    Play Games
    Nuucp     None    UUCP Access
    Daemon    None    No Direct Access
    Bin       None    No Direct Access
    Nobody    None    No Direct Access
    ftp       None    Anon FTP Access

Locating User Accounts
► finger
    Get users that are currently logged in
    Determine if account is active
    Last accessed
► rusers
    Returns remote user info
► whois
    Responsible for certain domain and active accounts
► Often treated as attacks
    Will refuse these commands

Authentication Standards
► NIS
    Network Information Service
    Distributes system configuration data, such as user and host names, between computers on a computer network.
    Used for maintenance and distribution of a central directory of user and group information, hostnames, email aliases and other text-based tables of information in a computer network.
    NIS can also be configured to serve the password data that users are authenticated against.

Kerberos
► Allows individuals communicating over a non-secure network to prove their identity to one another in a secure manner.
► Its designers aimed primarily at a client-server model, and it provides mutual authentication: both the user and the server verify each other's identity.
► Protocol messages are protected against eavesdropping and replay attacks.
► Kerberos builds on symmetric key cryptography and requires a trusted third party.
► Extensions to Kerberos can provide for the use of public-key cryptography during certain phases of authentication.

Drawbacks
► Single point of failure: it requires continuous availability of a central server. When the Kerberos server is down, no one can log in.
► Kerberos requires the clocks of the involved hosts to be synchronized. The tickets have a time availability period and, if the host clock is not synchronized with the clock of the Kerberos server, the authentication will fail.
► Secret keys for all users are stored on the central server; a compromise of that server will compromise all users' secret keys.

Lightweight Directory Access Protocol (LDAP)
► Protocol for querying and modifying directory services running over TCP/IP
► LDAP is often used by other services for authentication, despite the security problems this causes.
► Most advanced and secure of the three standards

LDAP/Kerberos replacing NIS
► NIS is the most common, but it is also completely insecure.
    Weakly encrypted passwords are sent over the network in the clear.
    Difficult to firewall.
    Clients have no way to ensure that the server they are talking to is actually an official server.
► Most LDAP server implementations support pretty good security through SSL for authentication and transport encryption, fine-grained access controls, etc.
► Thus many sites are based on using Kerberos for authentication and LDAP for directory services.
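An added example, not part of the original slides: a small audit of passwd-format data (a local file or a dumped NIS passwd map) that splits each entry into the fields named on the passwd slide and flags empty passwords, hashes readable in the map, extra uid 0 accounts, and the accounts from the "Common Users on UNIX" table that can still log in. The locked-account markers, the no-login shell paths and the sample entries are assumptions constructed for illustration.

```python
"""Added example: audit passwd-format data (local file or dumped NIS passwd map)."""

FIELDS = ("username", "password", "uid", "gid",
          "comment", "home_directory", "login_shell")
# Account names taken from the "Common Users on UNIX" slide.
COMMON_ACCOUNTS = {"guest", "demo", "games", "nuucp", "daemon", "bin", "nobody", "ftp"}
# Assumptions: markers for a locked account, and shells that refuse logins.
LOCKED = {"*", "!", "!!", "*LK*"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def parse_entry(line):
    """Return a dict for one passwd line, or None if it is not a plain entry."""
    line = line.strip()
    # Skip blanks, comments and NIS compat include/exclude lines (+name / -name).
    if not line or line.startswith(("#", "+", "-")):
        return None
    parts = line.split(":")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def audit(text):
    """Return (username, finding) pairs, in file order, for risky entries."""
    findings = []
    for entry in filter(None, map(parse_entry, text.splitlines())):
        name, pw = entry["username"], entry["password"]
        if pw == "":
            findings.append((name, "empty password"))
        elif pw != "x" and pw not in LOCKED:
            # Assumption: "x" means the hash lives in a separate shadow file.
            # Anything else is a hash every reader of the file or map can copy.
            findings.append((name, "password hash exposed"))
        if entry["uid"] == "0" and name != "root":
            findings.append((name, "uid 0 but not root"))
        can_login = pw not in LOCKED and entry["login_shell"] not in NOLOGIN_SHELLS
        if name.lower() in COMMON_ACCOUNTS and can_login:
            findings.append((name, "well-known account can log in"))
    return findings

# Constructed sample data; the hash-like string is made up.
SAMPLE = """\
root:x:0:0:Super User:/root:/bin/sh
guest::1001:100:Guest Access:/home/guest:/bin/sh
demo:*:1002:100:Demo Access:/home/demo:/bin/sh
games:x:12:100:Play Games:/usr/games:/sbin/nologin
toor:x:0:0:Second admin:/root:/bin/sh
alice:aB3kQ9xYz1LmE:1003:100:Alice:/home/alice:/bin/sh
+::::::
"""

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```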