User Authentication HOWTO

Peter Hernberg

2000/05/02

Explains how user and group information is stored and how users are authenticated on a Linux system (PAM), and how to secure your system's user authentication.


Table of Contents
Introduction
How this document came to be
New versions
Feedback
Version History
Copyrights and Trademarks
Acknowledgements and Thanks
Assumptions about the reader
How User Information is Stored on Your System
/etc/passwd
Shadow passwords
/etc/group and /etc/gshadow
MD5 encrypted passwords
Sifting through the mess
PAM (Pluggable Authentication Modules)
Why
What
How
Getting more information
Securing User Authentication
A strong /etc/pam.d/other
Disabling logins for user with null passwords
Disable unused services
Password-cracking tools
Shadow and MD5 passwords
Tying it all together
Apache + mod_auth_pam
Resources
PAM
General Security
Offline Documentation
Conclusion

Introduction

How this document came to be

When trying to add a number of (mostly unnecessary :) network services to my existing home network, I kept running into the problem of authentication, so I decided to figure out how authentication works on Linux systems, write a HOWTO, and call it my senior project. I hope this document helps you understand this often-forgotten, but very important, aspect of system administration.

New versions

When I get my domain up and running properly, you'll be able to find the newest version of this document there. Until then, http://www.linuxdoc.org/ will have to suffice.

Feedback

Comments, corrections, suggestions, flames, and flying saucer sightings can be sent to [email protected].

Version History

v0.1 (May 13, 2000) first version (not released).

v0.3 (May 14, 2000) revised (not released).

v0.5 (May 15, 2000) added section on securing pam, added resources section (not released).

v0.7 (May 15, 2000) revised; ready for release.

Copyrights and Trademarks

(c) 2000 Peter Hernberg

This manual may be reproduced in whole or in part, without fee, subject to the following restrictions:

  • The copyright notice above and this permission notice must be preserved complete on all complete or partial copies

  • Any translation or derived work must be approved by the author in writing before distribution.

  • If you distribute this work in part, instructions for obtaining the complete version of this manual must be included, and a means for obtaining a complete version provided.

  • Small portions may be reproduced as illustrations for reviews or quotes in other works without this permission notice if proper citation is given. Exceptions to these rules may be granted for academic purposes: Write to the author and ask. These restrictions are here to protect us as authors, not to restrict you as learners and educators. Any source code (aside from the SGML this document was written in) in this document is placed under the GNU General Public License, available via anonymous FTP from the GNU archive.

Acknowledgements and Thanks

Thanks to my family for putting up with me for 18 years. Thanks to the Debian folks for making such a sweet distro for me to play with. Thanks to CGR for paying me to be a geek. Thanks to Sandy Harris for his helpful suggestions. Finally, I'd like thank the makers of ramen noodles, because I don't know how I'd live without them.

Assumptions about the reader

For the purpose of this document, it is assumed that the reader is comfortable with executing commands at the command line and editing text configuration files.