CIT 470: Advanced Network and System Administration PowerPoint PPT Presentation

Presentation Transcript
CIT 470: Advanced Network and System Administration

Accounts and Namespaces



Topics

  • Namespaces

  • Policies

    • selection

    • lifetime

    • scope

    • security

  • User Accounts

  • PAM

  • LDAP Authentication



Namespaces

A namespace consists of

  • A set of unique keys

  • A set of attributes associated with each key

    Example

  • Key = Username

  • Attributes

    • GECOS

    • Homedir

    • Shell

    • Password



Namespaces

Systems include many namespaces

User account names.

E-mail addresses.

Filesystem pathnames.

Hostnames.

IP addresses.

Printer names.

Service names.



Types of Namespaces

Flat

No duplicates may exist.

Ex: usernames in /etc/passwd.

Hierarchical

Tree-structured namespace like DNS.

Duplicates can exist.

Ex: www.nku.edu and www.google.com



Namespace Problems

  • How to select names?

  • How to avoid name collisions?

  • How to ensure consistency?

  • How to distribute names?



Name Selection

Functional Names

mail hostname, /cit/470, student account

Descriptive names

geographic, print type, customer type

Formula-based Names

cvg0141 hostname, student0148 account

Themed Names

constellations (orion, ursa, etc.)

No Standard



Name Lifetime

When are names removed?

Immediately after the PC or user leaves the organization.

Set time after resource is no longer in use.

When are names re-used?

Immediately: functional names.

Never.

After a set time: usernames, email addresses.



Namespace Scope

Geographical scopes

  • Local machine. (e.g., /etc/passwd.)

  • Local network.

  • Organization.

  • Global (e.g., DNS.)

    Service scopes

  • Single username for UNIX, NT, RADIUS, e-mail, VPN?

    Transferring scopes

  • Difficult without advance planning.

  • Some names may have to change.



Namespace Security

  • What are you trying to protect names from and why?

  • Do the names need to be protected or just the attributes?

  • Who can add, change, or delete records?

  • Can the owner of a record change fields within the record?



Example Namespace: Usernames

Selection policies

  • Descriptive: waldenj, jwalden

  • Descriptive + formulaic: waldenj1, jwalden0002

    Scope

  • Use for every campus (avoids collisions.)

  • Use for every service (avoids collisions.)

    Lifetime

  • Do not reuse until 1 year has passed, since e-mail addresses derive from usernames.
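The selection, scope and lifetime policies on the last few slides can be enforced by one small allocator. The following is an added example (not code from the course); the account sets, retirement dates and the 8-character lower-case syntax rule are assumptions constructed for the demonstration. It generates the descriptive name first (waldenj), falls back to descriptive + formulaic names (waldenj1, waldenj2, ...), checks the candidate against one union set of names in use across every service, and refuses to hand out a retired name until the one-year embargo has passed.

```python
import re
from datetime import date, timedelta

# Constructed sample data (not from the slides): names in use across every
# service (one union set, so a name cannot collide on any of them), and names
# that were retired, with the date each one was released.
EXISTING = {"waldenj", "waldenj1", "bergs"}
RETIRED = {"waldenj2": date(2023, 1, 10), "smithj": date(2020, 5, 1)}
REUSE_EMBARGO = timedelta(days=365)            # slide policy: no reuse within 1 year
_SYNTAX = re.compile(r"^[a-z][a-z0-9]{0,7}$")  # lower-case, at most 8 chars (old systems)


def candidate_names(first, last):
    """Yield the descriptive name first (waldenj), then descriptive+formulaic
    variants (waldenj1, waldenj2, ...), always staying within 8 characters."""
    base = re.sub(r"[^a-z0-9]", "", (last[:7] + first[:1]).lower())
    yield base
    n = 1
    while True:
        suffix = str(n)
        yield base[:8 - len(suffix)] + suffix
        n += 1


def is_available(name, existing, retired, today):
    """A name is free if nobody holds it and, if it was retired, the embargo has run out."""
    if name in existing:
        return False
    released = retired.get(name)
    return released is None or today - released >= REUSE_EMBARGO


def choose_username(first, last, existing=EXISTING, retired=RETIRED, today=None):
    """Return the first candidate that satisfies both the syntax and the availability policy."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    for name in candidate_names(first, last):
        if not _SYNTAX.match(name):
            raise ValueError(f"generated name {name!r} violates the syntax policy")
        if is_available(name, existing, retired, today):
            return name


if __name__ == "__main__":
    for first, last in [("James", "Walden"), ("John", "Smith"), ("Anne", "Bergs")]:
        print(first, last, "->", choose_username(first, last, today="2023-06-01"))
```

Run on 2023-06-01, James Walden gets waldenj3: waldenj and waldenj1 are taken and waldenj2 was released less than a year earlier; on 2024-01-10 the embargo has expired and waldenj2 is handed out again.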



One Big Database

Centralize namespace in one big database.

  • Use SQL or LDAP to store entire namespace.

    Derive other namespaces from database.

  • Program to generate UNIX accounts.

  • Program to generate NT accounts.

  • etc.

    Advantages

  • Consistency

  • Ease of making changes, additions, deletions.



User Account Types

OS files

  • UNIX /etc/{passwd,shadow}

  • Windows SAM

    Network service

  • NIS

  • LDAP

  • Kerberos

  • Active Directory

  • RADIUS



UNIX Accounts

Account Components

  • Username

  • UID

  • Password

  • Home directory

    Account Files

  • /etc/passwd

  • /etc/shadow

  • /etc/group

    Account Management

  • Adding users

  • Removing and disabling users

  • Account/password policies



/etc/{passwd,shadow}

Central file(s) describing UNIX user accounts.

    /etc/passwd fields

  • Username

  • UID

  • Default GID

  • GECOS

  • Home directory

  • Login shell

    /etc/shadow fields

  • Username

  • Encrypted password

  • Date of last pw change.

  • Days 'til change allowed.

  • Days 'til change required.

  • Expiration warning time.

  • Expiration date.

    Example entries

student:x:1000:1000:Example User,,555-1212,:/home/student:/bin/bash

student:$1$w/UuKtLF$otSSvXtSN/xJzUOGFElNz0:13226:0:99999:7:::



Username

Syntax

  • Each username must be unique.

  • Length limits (8 chars on old systems)

  • Any character except : or \n.

    Issues

  • Naming standards.

  • How to ensure that usernames are unique?

  • System uses UIDs internally.



UIDs

  • UIDs are 32-bit non-negative integers.

  • Standards

    • Root is UID 0.

    • System accounts have low UIDs (<= 500)

  • Uniqueness

    • Multiple usernames can have same UID!

    • Re-using UIDs may give away files to new user.

    • Distributed systems may require unique UIDs across organizational boundaries.



Password

Syntax

  • Length: unlimited (MD5, SHA1), 8 chars (crypt)

  • Chars: anything except \n, though certain control chars may be interpreted by system.

    Stored in “encrypted” format.

  • Hashed: crypt, MD5, SHA1

  • Salted: 12-bit salt means 4096 different hashes for each password



GID

  • GIDs are 32-bit non-negative integers.

  • Each user has a default GID.

    • File group ownership set to default GID.

    • Temporarily change default GID: newgrp.

  • Groups are described in /etc/group

    • Users may belong to multiple groups.

    • Format: group name, pw, GID, user list.

    • wheel:x:10:root,waldenj,bergs



GECOS

Original use

  • General Electric Comprehensive OS data

    Current use

  • User information.

  • Full name, location, phone number, e-mail.



Home Directory

  • User’s CWD at login time.

  • Typically where user stores all files.



Login Shell

  • Process started when user logs in.

  • Typically a shell like bash, tcsh, ksh, ...

    • System users may be different.

    • Disabled accounts have a noshell program.



Adding a User

  • Create account with useradd.

  • Lock account until user arrives.

  • User signs account agreement.

  • Set passwd with passwd.



Adding a User

  • Edit /etc/{passwd,shadow} with vipw.

  • Set passwd with passwd command.

  • Edit /etc/group to add groups.

  • Create user home directory.

    • mkdir /home/studenta

    • chown studenta.student /home/studenta

    • chmod 755 /home/studenta

  • Copy default files from /etc/skel

    .bashrc, .Xdefaults, .xsession, etc.

  • Set e-mail aliases, disk quotas, etc.

  • Verify that the account works.
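The home-directory steps of this slide (mkdir, copy the /etc/skel dotfiles, chmod 755, chown, then verify) as an added example; this is not the course's script and is written so it runs under a scratch root directory rather than the real /home. The skeleton file names and contents are constructed, the scratch root and the `demo` helper are assumptions, and ownership is only changed when the script actually runs as root (otherwise it records that chown was skipped).

```python
import os
import shutil
import stat
import tempfile

# Constructed skeleton files standing in for /etc/skel (not the page's files).
SKEL_FILES = {".bashrc": "# constructed sample skeleton file\n", ".Xdefaults": "", ".xsession": ""}


def make_skel(root):
    """Populate <root>/etc/skel with the sample dotfiles so the example runs under a scratch root."""
    skel = os.path.join(root, "etc", "skel")
    os.makedirs(skel, exist_ok=True)
    for name, body in SKEL_FILES.items():
        with open(os.path.join(skel, name), "w") as fh:
            fh.write(body)
    return skel


def provision_home(root, username, uid=None, gid=None):
    """mkdir, copy /etc/skel, chmod 755, and chown when uid/gid are given and we are root."""
    home = os.path.join(root, "home", username)
    if os.path.lexists(home):
        # Refuse to adopt an existing directory: it may hold another user's files,
        # and the chown below would hand them over (the UID-reuse warning earlier).
        raise FileExistsError(f"{home} already exists")
    os.makedirs(home)
    os.chmod(home, 0o755)          # explicit: the mode given to makedirs is masked by umask
    skel = os.path.join(root, "etc", "skel")
    copied = []
    for name in sorted(os.listdir(skel)):
        src = os.path.join(skel, name)
        if os.path.isfile(src):
            shutil.copyfile(src, os.path.join(home, name))
            copied.append(name)
    can_chown = uid is not None and gid is not None and getattr(os, "geteuid", lambda: -1)() == 0
    if can_chown:
        for path in [home] + [os.path.join(home, n) for n in copied]:
            os.chown(path, uid, gid)
    return {"home": home, "copied": copied,
            "mode": stat.S_IMODE(os.stat(home).st_mode), "chowned": can_chown}


def verify_home(root, username):
    """The slide's last step: confirm the directory exists, is 755 and has the dotfiles."""
    home = os.path.join(root, "home", username)
    if not os.path.isdir(home) or stat.S_IMODE(os.stat(home).st_mode) != 0o755:
        return False
    return all(os.path.isfile(os.path.join(home, n)) for n in SKEL_FILES)


def demo(username="studenta"):
    """Run the procedure under a temporary root and report what happened."""
    root = tempfile.mkdtemp(prefix="skel-demo-")
    make_skel(root)
    result = provision_home(root, username)
    try:
        provision_home(root, username)   # a second run must refuse, not overwrite
        refused = False
    except FileExistsError:
        refused = True
    result.update(verified=verify_home(root, username), second_run_refused=refused)
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

The explicit `chmod` after `makedirs` matters: the mode passed to `mkdir` is reduced by the process umask, so relying on it would leave the directory at 0o700 or 0o750 on many systems.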



Disabling an Account

Edit account configuration:

  • Place * or ! in front of encrypted password.

  • Replace shell with nologin program.

  • Note: usermod -L will do this for you.

    Kill active logins and processes.

  • Note: usermod -L will not do this.
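An added audit script (not the course's code) that ties together the /etc/{passwd,shadow} slide, the UID slide and this one: it parses both files, splits GECOS into its conventional comma fields, converts the shadow day counts into dates, and reports duplicate UIDs, extra UID-0 accounts, locked accounts (a hash prefixed with `!` or `*`, which is what `usermod -L` writes) and passwords past their maximum age. The sample files are constructed; the two `student` lines are the slide's own examples, the other entries and the placeholder hash are made up to exercise the checks.

```python
from datetime import date, timedelta

# Constructed sample files. The 'student' lines are the slide's own examples; the
# other entries are made up to exercise the checks (duplicate UID, locked account,
# expired password). The root hash is a placeholder string, not a real hash.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
student:x:1000:1000:Example User,,555-1212,:/home/student:/bin/bash
studentb:x:1000:1000:Second User,Rm 101,555-0000,:/home/studentb:/bin/bash
oldacct:x:1001:1001:Former User,,,:/home/oldacct:/sbin/nologin
"""
SHADOW = """\
root:$1$PLACEHOLDERSALT$PLACEHOLDERHASH:13226:0:99999:7:::
student:$1$w/UuKtLF$otSSvXtSN/xJzUOGFElNz0:13226:0:99999:7:::
studentb:$1$w/UuKtLF$otSSvXtSN/xJzUOGFElNz0:13226:0:30:7:::
oldacct:!$1$w/UuKtLF$otSSvXtSN/xJzUOGFElNz0:13226:0:99999:7:::
"""
EPOCH = date(1970, 1, 1)   # shadow dates are day counts since this date


def parse_passwd(text):
    """Return {username: fields}; GECOS is split into its conventional comma fields."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        g = (gecos.split(",") + [""] * 4)[:4]
        users[name] = {"uid": int(uid), "gid": int(gid), "full_name": g[0],
                       "room": g[1], "work_phone": g[2], "home_phone": g[3],
                       "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """Return {username: fields}; empty numeric fields become None."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        nums = [int(x) if x else None for x in f[2:8]]
        nums += [None] * (6 - len(nums))          # tolerate short lines
        keys = ("last_change", "min_days", "max_days", "warn_days", "inactive_days", "expire")
        entries[f[0]] = dict(zip(keys, nums), hash=f[1])
    return entries


def last_change_date(entry):
    return EPOCH + timedelta(days=entry["last_change"])


def is_locked(entry):
    """'!' or '*' in front of the hash makes it match no password at all."""
    return entry["hash"].startswith(("!", "*"))


def password_expired(entry, today):
    if entry["last_change"] is None or entry["max_days"] is None:
        return False
    return today > last_change_date(entry) + timedelta(days=entry["max_days"])


def duplicate_uids(users):
    """Several usernames sharing one UID are the same identity to the kernel."""
    by_uid = {}
    for name, u in users.items():
        by_uid.setdefault(u["uid"], []).append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def audit(passwd_text=PASSWD, shadow_text=SHADOW, today="2010-01-01"):
    """Cross-check the two files and report the conditions the slides warn about."""
    today = date.fromisoformat(today)
    users, shadow = parse_passwd(passwd_text), parse_shadow(shadow_text)
    return {
        "duplicate_uids": duplicate_uids(users),
        "extra_uid0": sorted(n for n, u in users.items() if u["uid"] == 0 and n != "root"),
        "locked": sorted(n for n, e in shadow.items() if is_locked(e)),
        "expired": sorted(n for n, e in shadow.items() if password_expired(e, today)),
        "no_shadow_entry": sorted(set(users) - set(shadow)),
        "last_change": {n: last_change_date(e).isoformat() for n, e in shadow.items()
                        if e["last_change"] is not None},
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Note what the audit does not prove: a locked password only blocks password authentication, so an SSH key in the user's home directory or an existing session still works, which is why the slide separately tells you to kill active logins and processes.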



Removing a User

  • Disable account.

  • Change shared passwords (root, etc.)

  • Kill active logins and processes.

  • Remove from local databases/files.

  • Remove from e-mail aliases.

  • Remove mail spool (backup first.)

  • Remove crontabs and pending jobs.

  • Remove temporary files.

  • Remove home directory (backup first.)

  • Remove from passwd, shadow, and group.



nsswitch.conf

Name Service Switch configuration file.

passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

  • Use both files and ldap to enable failover when LDAP is unavailable.

  • Configure files first to let root log in when LDAP is down without a long timeout.
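The two rules on this slide (keep `files`, and list it first) are easy to check mechanically. The following added checker is not part of the course material; the first sample configuration is the slide's file, the second is an assumed bad configuration of the kind the checker is meant to catch. Bracketed `[STATUS=action]` tokens are skipped when determining source order.

```python
# Constructed sample configurations. The first is the slide's file; the second is an
# assumed bad configuration of the kind the checker is meant to catch.
SLIDE_CONF = """\
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
"""
BAD_CONF = """\
# ldap first: every local login waits for the LDAP timeout when the server is down
passwd: ldap [NOTFOUND=return] files
shadow: ldap
group:  files ldap
hosts:  dns files
"""
ACCOUNT_DBS = ("passwd", "shadow", "group")


def parse_nsswitch(text):
    """Map each database name to its ordered list of source tokens, comments stripped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, sources = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        conf[name.strip()] = sources.split()
    return conf


def check_failover(text, databases=ACCOUNT_DBS):
    """Flag account databases where local files are missing or not consulted first."""
    conf = parse_nsswitch(text)
    findings = []
    for db in databases:
        if db not in conf:
            findings.append(f"{db}: not listed; the library's compiled-in default applies")
            continue
        sources = [s for s in conf[db] if not s.startswith("[")]   # skip [STATUS=action]
        if "files" not in sources:
            findings.append(f"{db}: 'files' missing; root cannot log in if the network source is down")
        elif sources[0] != "files":
            findings.append(f"{db}: '{sources[0]}' precedes 'files'; local logins wait for its timeout")
    return findings


if __name__ == "__main__":
    print("slide config:", check_failover(SLIDE_CONF) or "ok")
    for finding in check_failover(BAD_CONF):
        print("bad config:", finding)
```

Only the three account databases are checked because they are the ones that gate logins; `hosts: dns files` is a separate ordering question with different consequences.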



Configuring LDAP Authentication

  • Configure server with People/Group schema.

  • Migrate user data to LDAP directory.

  • Point clients to hostname and rootDN of server.

    /etc/ldap.conf (PAM LDAP)

    /etc/openldap/ldap.conf (LDAP)

  • Verify access to server with ldapsearch.

  • Edit /etc/ldap.conf to set DNs for nss_base_{passwd,shadow,group}.

  • Modify nsswitch.conf to add the ldap option for passwd, shadow, and group.

  • Modify PAM system-auth to use LDAP.

  • Tool: authconfig



LDAP ACLs

LDAP ACL format:

    access to <RDN>
        by <self|anonymous|DN> <read|write|auth>

Ex: Allow users to change passwords

    access to attr=userPassword
        by self write
        by anonymous auth
        by * none
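To see why the three `by` clauses are ordered the way they are, here is an added evaluator (not code from the course or from OpenLDAP) that models the parts of slapd's access control needed for this slide: the first `access to` rule whose attribute set covers the requested attribute decides, within it the first matching `by` subject decides, an unmatched subject falls through to the implicit `by * none`, and a request is granted when the clause's level is at least the level the operation requires (none < disclose < auth < compare < search < read < write < manage). The first rule in the ACL text is the slide's; the second, catch-all rule and the two DNs are assumptions added so that ordinary attributes have some policy too.

```python
import re

# OpenLDAP access levels from weakest to strongest; an operation is allowed when the
# granted level is at least the one it requires (bind needs auth, modify needs write).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed slapd.conf-style ACL text. The first rule is the slide's example; the
# second is an assumed catch-all so authenticated users can read ordinary attributes.
ACL_TEXT = """
access to attr=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by users read
    by * none
"""
ALICE = "uid=alice,ou=People,dc=example,dc=com"   # assumed DNs
BOB = "uid=bob,ou=People,dc=example,dc=com"


def parse_acls(text):
    """Parse 'access to <what>' / 'by <who> <level>' lines into an ordered rule list."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            what = line[len("access to "):].strip()
            m = re.match(r"attrs?=(.+)", what)
            attrs = None if m is None else {a.strip().lower() for a in m.group(1).split(",")}
            rules.append({"attrs": attrs, "clauses": []})   # attrs None: any attribute
        elif line.startswith("by "):
            _, who, level = line.split()
            if level not in LEVELS:
                raise ValueError(f"unknown access level: {level}")
            rules[-1]["clauses"].append((who, level))
        else:
            raise ValueError(f"unrecognised ACL line: {line}")
    return rules


def who_matches(who, requester_dn, target_dn):
    """Match one 'by' subject; requester_dn is None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return requester_dn is not None and who[3:].strip('"').lower() == requester_dn.lower()
    raise ValueError(f"unsupported subject: {who}")


def granted(rules, requester_dn, target_dn, attr, needed):
    """First rule covering attr decides; first matching 'by' clause within it decides;
    no matching clause means the implicit 'by * none'."""
    required = LEVELS.index(needed)
    for rule in rules:
        if rule["attrs"] is not None and attr.lower() not in rule["attrs"]:
            continue
        for who, level in rule["clauses"]:
            if who_matches(who, requester_dn, target_dn):
                return LEVELS.index(level) >= required
        return False
    return False


RULES = parse_acls(ACL_TEXT)

if __name__ == "__main__":
    cases = [(ALICE, ALICE, "userPassword", "write"), (None, ALICE, "userPassword", "auth"),
             (None, ALICE, "userPassword", "read"), (BOB, ALICE, "userPassword", "read"),
             (BOB, ALICE, "cn", "read"), (None, ALICE, "cn", "read")]
    for requester, target, attr, op in cases:
        print(requester or "anonymous", op, attr, "of", target, "->", granted(RULES, requester, target, attr, op))
```

The ordering is what makes the policy safe: `by anonymous auth` lets an unauthenticated client present a password for a bind without ever reading the hash, and because `self` is tested before `*`, a user keeps write access to their own entry while everyone else ends at `none`.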



Key Points

Namespace definition and policies

  • selection

  • lifetime

  • scope

  • security

    UNIX Accounts

  • File formats: passwd, shadow, group

    Authentication

  • PAM: purpose, includes

  • nsswitch.conf: purpose and failover



References

  • Brian Arkills, LDAP Directories Explained: An Introduction and Analysis, Addison-Wesley, 2003.

  • Gerald Carter, LDAP System Administration, O’Reilly, 2003.

  • Thomas Limoncelli, Christine Hogan, Strata Chalup, The Practice of System and Network Administration, 2nd ed., Addison-Wesley, 2007.

  • Linux PAM, http://www.kernel.org/pub/linux/libs/pam/

  • OpenLDAP, OpenLDAP Administrator’s Guide, http://www.openldap.org/devel/admin/, 2007.

  • Red Hat, Red Hat Enterprise Linux 5 Deployment Guide, Sections 25.3, 43.4, http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/, 2009.
