CIT 470: Advanced Network and System Administration - PowerPoint PPT Presentation
Presentation Transcript


CIT 470: Advanced Network and System Administration

Accounts and Namespaces



Topics

  • Namespaces

  • Policies

    • selection

    • lifetime

    • scope

    • security

  • User Accounts

  • PAM

  • LDAP Authentication



Namespaces

A namespace consists of

  • A set of unique keys

  • A set of attributes associated with each key

    Example

  • Key = Username

  • Attributes

    • GECOS

    • Homedir

    • Shell

    • Password



Namespaces

Systems include many namespaces

User account names.

E-mail addresses.

Filesystem pathnames.

Hostnames.

IP addresses.

Printer names.

Service names.



Types of Namespaces

Flat

No duplicates may exist.

Ex: usernames in /etc/passwd.

Hierarchical

Tree-structured namespace like DNS.

Duplicates can exist.

Ex: www.nku.edu and www.google.com



Namespace Problems

  • How to select names?

  • How to avoid name collisions?

  • How to ensure consistency?

  • How to distribute names?



Name Selection

Functional Names

mail hostname, /cit/470, student account

Descriptive names

geographic, print type, customer type

Formula-based Names

cvg0141 hostname, student0148 account

Themed Names

constellations (orion, ursa, etc.)

No Standard



Name Lifetime

When are names removed?

Immediately after the PC or user leaves the organization.

Set time after resource is no longer in use.

When are names re-used?

Immediately: functional names.

Never.

After a set time: usernames, email addresses.



Namespace Scope

Geographical scopes

  • Local machine. (e.g., /etc/passwd.)

  • Local network.

  • Organization.

  • Global (e.g., DNS.)

    Service scopes

  • Single username for UNIX, NT, RADIUS, e-mail, VPN?

    Transferring scopes

  • Difficult without advance planning.

  • Some names may have to change.



Namespace Security

  • What are you trying to protect names from and why?

  • Do the names need to be protected or just the attributes?

  • Who can add, change, or delete records?

  • Can the owner of a record change fields within the record?



Example Namespace: Usernames

Selection policies

  • Descriptive: waldenj, jwalden

  • Descriptive + formulaic: waldenj1, jwalden0002

    Scope

  • Use for every campus (avoids collisions.)

  • Use for every service (avoids collisions.)

    Lifetime

  • Do not reuse a username until 1 year has passed, since e-mail addresses derive from usernames.
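The selection and lifetime policies of the last two slides (descriptive base name, formulaic suffix on collision, no reuse within one year), as an added example that is not part of the original deck. The active and retired username sets are constructed sample data; the 8-character limit is assumed from the Username slide.

```python
from datetime import date, timedelta

# Constructed sample state (not from any real system): usernames in use,
# and usernames retired on a given date.
ACTIVE = {"waldenj", "bergs"}
RETIRED = {"smithj": date(2009, 6, 1), "jonesk": date(2008, 1, 15)}
REUSE_AFTER = timedelta(days=365)  # lifetime policy from the slide: 1 year
MAX_LEN = 8                        # assumed old-style length limit

def base_name(first, last):
    """Descriptive policy: surname plus first initial, lowercase alphanumerics."""
    name = (last + first[0]).lower()
    name = "".join(c for c in name if c.isalnum())
    return name[:MAX_LEN]

def is_available(name, today, active=ACTIVE, retired=RETIRED):
    """Free if not active and not retired less than REUSE_AFTER ago."""
    if name in active:
        return False
    gone = retired.get(name)
    return gone is None or today - gone >= REUSE_AFTER

def allocate(first, last, today, active=ACTIVE, retired=RETIRED):
    """Descriptive + formulaic policy: base name first, then base + counter.

    The counter replaces trailing characters so the result stays <= MAX_LEN.
    """
    base = base_name(first, last)
    if is_available(base, today, active, retired):
        return base
    for n in range(1, 10000):
        suffix = str(n)
        candidate = base[:MAX_LEN - len(suffix)] + suffix
        if is_available(candidate, today, active, retired):
            return candidate
    raise RuntimeError("username namespace exhausted for " + base)
```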



One Big Database

Centralize namespace in one big database.

  • Use SQL or LDAP to store entire namespace.

    Derive other namespaces from database.

  • Program to generate UNIX accounts.

  • Program to generate NT accounts.

  • etc.

    Advantages

  • Consistency

  • Ease of making changes, additions, deletions.



User Account Types

OS files

  • UNIX /etc/{passwd,shadow}

  • Windows SAM

    Network service

  • NIS

  • LDAP

  • Kerberos

  • Active Directory

  • RADIUS



Account Components

Username

UID

Password

Home directory

Account Files

/etc/passwd

/etc/shadow

/etc/group

UNIX Accounts

  • Account Management

    • Adding users

    • Removing and disabling users

    • Account/password policies



/etc/passwd

Username

UID

Default GID

GCOS

Home directory

Login shell

/etc/shadow

Username

Encrypted password

Date of last pw change.

Days 'til change allowed.

Days 'til change required.

Expiration warning time.

Expiration date.

/etc/{passwd,shadow}

Central file(s) describing UNIX user accounts.

student:x:1000:1000:Example User,,555-1212,:/home/student:/bin/bash

student:$1$w/UuKtLF$otSSvXtSN/xJzUOGFElNz0:13226:0:99999:7:::



Username

Syntax

  • Each username must be unique.

  • Length limits (8 chars on old systems)

  • Any character except : or \n.

    Issues

  • Naming standards.

  • How to ensure that usernames are unique?

  • System uses UIDs internally.



UIDs

  • UIDs are 32-bit non-negative integers.

  • Standards

    • Root is UID 0.

    • System accounts have low UIDs (<= 500)

  • Uniqueness

    • Multiple usernames can have same UID!

    • Re-using UIDs may give away files to new user.

    • Distributed systems may require unique UIDs across organizational boundaries.
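An audit for the uniqueness problems this slide lists (several usernames sharing one UID, and extra UID 0 accounts), as an added example that is not part of the original deck. The /etc/passwd content is a constructed sample; only the student line comes from the slides.

```python
# Constructed /etc/passwd sample (not from a real host). The last two
# entries deliberately exhibit the problems the slide warns about:
# a second UID 0 account and two usernames sharing UID 1001.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
student:x:1000:1000:Example User,,555-1212,:/home/student:/bin/bash
waldenj:x:1001:1001:James Walden:/home/waldenj:/bin/bash
toor:x:0:0:second UID 0 account:/root:/bin/bash
bergs:x:1001:1001:S Berg:/home/bergs:/bin/bash
"""

def parse_passwd(text):
    """Yield (username, uid, gid, gecos, home, shell) for each entry.

    The seven colon-separated fields are the ones on the /etc/passwd slide;
    the password field is 'x' when the hash lives in /etc/shadow.
    """
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: " + line)
        user, _pw, uid, gid, gecos, home, shell = fields
        yield user, int(uid), int(gid), gecos, home, shell

def audit_uids(text):
    """Report UIDs used by more than one username and UID 0 accounts besides root."""
    by_uid = {}
    for user, uid, *_ in parse_passwd(text):
        by_uid.setdefault(uid, []).append(user)
    duplicates = {uid: users for uid, users in by_uid.items() if len(users) > 1}
    extra_uid0 = [u for u in by_uid.get(0, []) if u != "root"]
    return {"duplicate_uids": duplicates, "extra_uid0": extra_uid0}
```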



Password

Syntax

  • Length: unlimited (MD5, SHA1), 8 chars (crypt)

  • Chars: anything except \n, though certain control chars may be interpreted by system.

    Stored in “encrypted” format.

  • Hashed: crypt, MD5, SHA1

  • Salted: 12-bit salt means 4096 different hashes for each password



GID

  • GIDs are 32-bit non-negative integers.

  • Each user has a default GID.

    • File group ownership set to default GID.

    • Temporarily change default GID: newgrp.

  • Groups are described in /etc/group

    • Users may belong to multiple groups.

    • Format: group name, pw, GID, user list.

    • wheel:x:10:root,waldenj,bergs



GECOS

Original use

  • General Electric Comprehensive OS data

    Current use

  • User information.

  • Full name, location, phone number, e-mail.



Home Directory

  • User’s CWD at login time.

  • Typically where user stores all files.



Login Shell

  • Process started when user logs in.

  • Typically a shell like bash, tcsh, ksh, ...

    • System users may be different.

    • Disabled accounts have a noshell program.



Adding a User

  • Create account with useradd.

  • Lock account until user arrives.

  • User signs account agreement.

  • Set passwd with passwd.



Adding a User

  • Edit /etc/{passwd,shadow} with vipw.

  • Set passwd with passwd command.

  • Edit /etc/group to add groups.

  • Create user home directory.

    • mkdir /home/studenta

    • chown studenta.student /home/studenta

    • chmod 755 /home/studenta

  • Copy default files from /etc/skel

    .bashrc, .Xdefaults, .xsession, etc.

  • Set e-mail aliases, disk quotas, etc.

  • Verify that the account works.



Disabling an Account

Edit account configuration:

  • Place * or ! in front of encrypted password.

  • Replace shell with nologin program.

  • Note: usermod -L will do this for you.

    Kill active logins and processes.

  • Note: usermod -L will not do this.
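A parser for the /etc/shadow fields from the earlier slide, combined with the lock check this slide describes (a * or ! in front of the hash) and the expiration fields, as an added example that is not part of the original deck. The first sample line is the slide's own; the others are constructed with placeholder hashes.

```python
from datetime import date

EPOCH = date(1970, 1, 1)  # shadow aging fields count days from this date

# Constructed /etc/shadow sample (not from a real host). The first line is
# the slide's example; the other hashes are placeholders, not real digests.
SHADOW = """\
student:$1$w/UuKtLF$otSSvXtSN/xJzUOGFElNz0:13226:0:99999:7:::
waldenj:!$1$PLACEHOLDER$PLACEHOLDERHASH:14000:0:90:7::14700:
daemon:*:13226:0:99999:7:::
oldtemp:$1$PLACEHOLDER$PLACEHOLDERHASH:14000:0:90:7::14200:
"""

def parse_shadow_line(line):
    """Split one entry into the nine shadow fields; empty numbers become None."""
    f = line.split(":")
    if len(f) != 9:
        raise ValueError("malformed shadow line: " + line)
    num = lambda s: int(s) if s else None
    return {"user": f[0], "hash": f[1], "last": num(f[2]), "min": num(f[3]),
            "max": num(f[4]), "warn": num(f[5]), "inactive": num(f[6]),
            "expire": num(f[7])}

def account_status(entry, today):
    """Classify an entry as login would treat it on 'today'."""
    now = (today - EPOCH).days
    # crypt() output never begins with ! or *, so such a hash can match no
    # password: the account is locked. usermod -L prepends the ! for you.
    if entry["hash"].startswith(("!", "*")):
        return "locked"
    if entry["expire"] is not None and now > entry["expire"]:
        return "expired"
    if (entry["last"] is not None and entry["max"] is not None
            and now > entry["last"] + entry["max"]):
        return "password-expired"
    return "active"

def report(text, today):
    """Map each username in a shadow file to its status."""
    entries = (parse_shadow_line(l) for l in text.splitlines() if l.strip())
    return {e["user"]: account_status(e, today) for e in entries}
```

Note that locking the password does nothing about sessions already open, which is why the slide still tells you to kill active logins and processes.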



Removing a User

  • Disable account.

  • Change shared passwords (root, etc.)

  • Kill active logins and processes.

  • Remove from local databases/files.

  • Remove from e-mail aliases.

  • Remove mail spool (backup first.)

  • Remove crontabs and pending jobs.

  • Remove temporary files.

  • Remove home directory (backup first.)

  • Remove from passwd, shadow, and group.



nsswitch.conf

Name Service Switch configuration file.

passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

  • Use both files and ldap to enable failover when LDAP is unavailable.

  • List files first so that root can log in when LDAP is down without waiting for a long timeout.



Configuring LDAP Authentication

  • Configure server with People/Group schema.

  • Migrate user data to LDAP directory.

  • Point clients to the hostname and rootDN of the server.

    /etc/ldap.conf (PAM LDAP)

    /etc/openldap/ldap.conf (LDAP)

  • Verify access to server with ldapsearch.

  • Edit /etc/ldap.conf to set the DNs for

    nss_base_passwd, nss_base_shadow, and nss_base_group

  • Modify nsswitch.conf to add the ldap option to:

    passwd, shadow, and group

  • Modify PAM system-auth to use LDAP.

Alternatively, run authconfig to perform the client-side steps.



LDAP ACLs

LDAP ACL format:

access to <RDN>
    by <self|anonymous|DN> <read|write|auth>

Example: allow users to change their own passwords

access to attr=userPassword
    by self write
    by anonymous auth
    by * none



Key Points

Namespace definition and policies

  • selection

  • lifetime

  • scope

  • security

    UNIX Accounts

  • File formats: passwd, shadow, group

    Authentication

  • PAM: purpose, includes

  • nsswitch.conf: purpose and failover



