Cap. 4. Autentificare și controale de acces

Here are a few notable configuration files accessed by PAM and NSS.

The limitation of the password selection is implemented by the PAM modules, pam_unix(8) and pam_cracklib(8). They can be configured by their arguments.

	Indicație
	PAM modules use suffix ".so" for their filenames.

The modern centralized system management can be deployed using the centralized Lightweight Directory Access Protocol (LDAP) server to administer many Unix-like and non-Unix-like systems on the network. The open source implementation of the Lightweight Directory Access Protocol is OpenLDAP Software.

The LDAP server provides the account information through the use of PAM and NSS with libpam-ldapd and libnss-ldapd packages for the Debian system. Several actions are required to enable this (I have not used this setup and the following is purely secondary information. Please read this in this context.).

See documentations in nsswitch.conf(5), pam.conf(5), ldap.conf(5), and "/usr/share/doc/libpam-doc/html/" offered by the libpam-doc package and "info libc 'Name Service Switch'" offered by the glibc-doc package.

Similarly, you can set up alternative centralized systems with other methods.

This is the famous phrase at the bottom of the old "info su" page by Richard M. Stallman. Not to worry: the current su command in Debian uses PAM, so that one can restrict the ability to use su to the root group by enabling the line with "pam_wheel.so" in "/etc/pam.d/su".

# here are the per-package modules (the "Primary" block)
password	requisite			pam_cracklib.so retry=3 minlen=8 difok=3
password	[success=1 default=ignore]	pam_unix.so obscure use_authtok try_first_pass yescrypt
# here's the fallback if no module succeeds
password	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
password	optional	pam_gnome_keyring.so
# end of pam-auth-update config

Many popular transportation layer services communicate messages including password authentication in the plain text. It is very bad idea to transmit password in the plain text over the wild Internet where it can be intercepted. You can run these services over "Transport Layer Security" (TLS) or its predecessor, "Secure Sockets Layer" (SSL) to secure entire communication including password by the encryption.

The encryption costs CPU time. As a CPU friendly alternative, you can keep communication in plain text while securing just the password with the secure authentication protocol such as "Authenticated Post Office Protocol" (APOP) for POP and "Challenge-Response Authentication Mechanism MD5" (CRAM-MD5) for SMTP and IMAP. (For sending mail messages over the Internet to your mail server from your mail client, it is recently popular to use new message submission port 587 instead of traditional SMTP port 25 to avoid port 25 blocking by the network provider while authenticating yourself with CRAM-MD5.)

The Secure Shell (SSH) program provides secure encrypted communications between two untrusted hosts over an insecure network with the secure authentication. It consists of the OpenSSH client, ssh(1), and the OpenSSH daemon, sshd(8). This SSH can be used to tunnel an insecure protocol communication such as POP and X securely over the Internet with the port forwarding feature.

The client tries to authenticate itself using host-based authentication, public key authentication, challenge-response authentication, or password authentication. The use of public key authentication enables the remote password-less login. See Secțiune 6.3, „The remote access server and utilities (SSH)”.

Even when you run secure services such as Secure Shell (SSH) and Point-to-point tunneling protocol (PPTP) servers, there are still chances for the break-ins using brute force password guessing attack etc. from the Internet. Use of the firewall policy (see Secțiune 5.7, „Infrastructura netfilter”) together with the following security tools may improve the security situation.

To prevent people to access your machine with root privilege, you need to make following actions.

• Prevent physical access to the hard disk

• Lock UEFI/BIOS and prevent booting from the removable media

• Set password for GRUB interactive session

• Lock GRUB menu from editing

With physical access to hard disk, resetting the password is relatively easy with following steps.

1. Move the hard disk to a PC with CD bootable UEFI/BIOS.

2. Boot system with a rescue media (Debian boot disk, Knoppix CD, GRUB CD, …).

3. Mount root partition with read/write access.

4. Edit "/etc/passwd" in the root partition and make the second entry for the root account empty.

If you have edit access to the GRUB menu entry (see Secțiune 3.1.2, „Etapa 2: încărcătorul de pornire”) for grub-rescue-pc at boot time, it is even easier with following steps.

The root shell of the system is now accessible without password.

The only reasonable software solution to avoid all these concerns is to use software encrypted root partition (or "/etc" partition) using dm-crypt and initramfs (see Secțiune 9.9, „Data encryption tips”). You always need password to boot the system, though.

ACLs are a superset of the regular permissions as explained in Secțiune 1.2.3, „Permisiuni ale sistemului de fișiere”.

You encounter ACLs in action on modern desktop environment. When a formatted USB storage device is auto mounted as, e.g., "/media/penguin/USBSTICK", a normal user penguin can execute:

 $ cd /media/penguin
 $ ls -la
total 16
drwxr-x---+ 1 root    root    16 Jan 17 22:55 .
drwxr-xr-x  1 root    root    28 Sep 17 19:03 ..
drwxr-xr-x  1 penguin penguin 18 Jan  6 07:05 USBSTICK

"+" in the 11th column indicates ACLs are in action. Without ACLs, a normal user penguin shouldn't be able to list like this since penguin isn't in root group. You can see ACLs as:

 $ getfacl .
# file: .
# owner: root
# group: root
user::rwx
user:penguin:r-x
group::---
mask::r-x
other::---

Here:

See "POSIX Access Control Lists on Linux", acl(5), getfacl(1), and setfacl(1) for more.

sudo(8) is a program designed to allow a sysadmin to give limited root privileges to users and log root activity. sudo requires only an ordinary user's password. Install sudo package and activate it by setting options in "/etc/sudoers". See configuration example at "/usr/share/doc/sudo/examples/sudoers" and Secțiune 1.1.12, „Configurarea «sudo»”.

My usage of sudo for the single user system (see Secțiune 1.1.12, „Configurarea «sudo»”) is aimed to protect myself from my own stupidity. Personally, I consider using sudo a better alternative than using the system from the root account all the time. For example, the following changes the owner of "some_file" to "my_name".

$ sudo chown my_name some_file

Of course if you know the root password (as self-installed Debian users do), any command can be run under root from any user's account using "su -c".

PolicyKit is an operating system component for controlling system-wide privileges in Unix-like operating systems.

Newer GUI applications are not designed to run as privileged processes. They talk to privileged processes via PolicyKit to perform administrative operations.

PolicyKit limits such operations to user accounts belonging to the sudo group on the Debian system.

A se vedea polkit(8).

For system security, it is a good idea to disable as much server programs as possible. This becomes critical for network servers. Having unused servers, activated either directly as daemon or via super-server program, are considered security risks.

Many programs, such as sshd(8), use PAM based access control. There are many ways to restrict access to some server services.

See Secțiune 3.5, „Gestionarea sistemului”, Secțiune 4.5.1, „Configuration files accessed by PAM and NSS”, and Secțiune 5.7, „Infrastructura netfilter”.

Linux kernel has evolved and supports security features not found in traditional UNIX implementations.

Linux supports extended attributes which extend the traditional UNIX attributes (see xattr(7)).

Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities(7), which can be independently enabled and disabled. Capabilities are a per-thread attribute since kernel version 2.2.

The Linux Security Module (LSM) framework provides a mechanism for various security checks to be hooked by new kernel extensions. For example:

Since these extensions may tighten privilege model tighter than the ordinary Unix-like security model policies, even the root power may be restricted. You are advised to read the Linux Security Module (LSM) framework document at kernel.org.

Linux namespaces wrap a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. Changes to the global resource are visible to other processes that are members of the namespace, but are invisible to other processes. Since kernel version 5.6, there are 8 kinds of namespaces (see namespaces(7), unshare(1), nsenter(1)).

As of Debian 11 Bullseye (2021), Debian uses unified cgroup hierarchy (a.k.a. cgroups-v2).

Usage examples of namespaces with cgroups to isolate their processes and to allow resource control are:

These functionalities can't be realized by Secțiune 4.1, „Autentificare normală Unix”. These advanced topics are mostly out-of-scope for this introductory document.