Linux Authentication (and authorization, PAM, Single Sign-on, Active Directory integration, Kerberos, etc.)

(March 2018)

A simple and traditional stand-alone unix/Linux box, defines users and authenticates against the /etc/passwd file (along with /etc/shadow and /etc/group). What are the options when that isn’t adequate to manage identity and authentication? We consider these scenarios:

• A small Linux network needs just enough to support secure NFS v4 (i.e., Kerberos), and what the day-to-day user workflow involves.
• Integrate Linux boxes into a Windows Active Directory environment, allowing login to Linux with AD accounts.
• Run a Linux domain.

System-Level Authentication

Authentication confirms an identity based on some type of credential (password, certificate, etc.). Authorization specifies the permissions and limitations of an authenticated party.

Every application maintains its own identity store, and a user must authenticate to each one.

How does Linux know which authentication mechanism to use? PAM (pluggable authentication modules) and NSS (name service switch).

PAM provides a unified, high-level API for application software independently of whatever underlying, low-level authentication mechanism the system uses. PAM finds authentication configuration for various services in /etc/pam.d/. (OpenBSD uses BSD Auth rather than PAM.)

NSS unifies various sources of name information and configuration data (e.g., for users, groups, hosts), like /etc/passwd, DNS, NIS, and LDAP. The file /etc/nsswitch.conf defines the sources for such information for various services on the local system. Each service may list several sources. NSS queries sources in the listed order. Functions in the C standard library access NSS to get information; this is how ls knows about users and groups, for example.

Active Directory

AD is the 800-pound gorilla of identity management systems. These components comprise AD:

• LDAP: a tree-like store for configuration data (users, computers, policies, etc.) with a defined schema. It holds entries, with each entry identified by a “distinguished name”. Each entry may have a number of attributes (defined by the schema). Each attribute has a name and one or more values. More properly, LDAP is the protocol for querying the data store.
• Kerberos: a ticket-based, three-way-trust authentication system.
• DNS
• Certificate services (PKI)

Linux Single Sign-On

With single sign-on a user authenticates identity with one central identity store, rather than each application maintaining its own. Most commonly, Kerberos (through a Kerberos realm or AD domain) provides the central identity store. Another option is a certificate authority in a public key infrastructure with smart cards.

References

• https://paulgorman.org/technical/
• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/index
• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/index
• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/index
• https://www.debian.org/doc/manuals/debian-reference/ch04.en.html
• https://en.wikipedia.org/wiki/Name_Service_Switch
• https://en.wikipedia.org/wiki/Pluggable_authentication_module
• https://en.wikipedia.org/wiki/BSD_Authentication
• https://unix.stackexchange.com/questions/12021/automatic-kerberos-ticket-initialization-on-login#12022
• https://en.wikipedia.org/wiki/Active_Directory
• https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol