At times, you need to give access to your account to different users. To provide access without giving your password to other users, you can create a .k5loginfile in your home directory. This is a text file, which might exist in the homedirectory.
It contains a list of the principals who have permission to log onto the account.
The listed principals can log on and use the account without any restrictions.
However, other users should have Kerberos tickets in their respective Kerberos realms.
Summary
In this chapter, you looked at the different encryption and authentication tech-niques used to make the Linux environment secure. You can use two types of encryption for data security: single key encryption and public key encryption. In addition to encryption, hashing also can be used to secure the data. Hashing is a technique in which a string is converted to an irreversible form. You learned about the most popular hash function, MD5. Authentication restricts a user’s access to the critical data on your system and network. The authentication mechanisms that I discussed in detail in this chapter are LDAP, Shadow Suite, Kerberos, and PAM.
Check Your Understanding
Multiple Choice Questions
1. Which configuration file allows you to set logon defaults?
a. login.defs b. passwd c. shadow d.logon.defs
2. Which of the following tasks are triggered when you run the pwconv command while the /etc/shadow file exists?
a. Entries in the /etc/passwdfile, which don’t exist in the /etc/shadow
file, are added to the /etc/shadowfile.
b. Entries in /etc/shadow, which are not present in /etc/passwd, are removed from the /etc/shadowfile.
c. Entries in /etc/shadow, which are present in /etc/passwd, are removed from the /etc/passwdfile.
d. Password details for entries that exist in both the files are copied from the /etc/passwdfile to the /etc/shadowfile.
3. Select the modules supported by Linux PAM.
a. Authentication b. Shadow c. Session d. Password
4. Execute the command to view the tickets.
5. Execute the command to change the Kerberos password.
Short Questions
1. Edward is unable to understand to format of an entry in the pam.conf file. Explain the format to him.
2. Briefly discuss these secret key algorithms:
•
DES•
3DES•
IDEA3. Discuss the PAM modules.
Answers
Multiple Choice Questions
1. The logon.defsfile allows you to set logon defaults.
2. The tasks that are triggered when you run the pwconvcommand and the
/etc/shadoware as follows:
a. Entries in /etc/passwd, which don’t exist in the /etc/shadow file, are added to the /etc/shadow file.
b. Entries in /etc/shadow, which are not present in /etc/passwd, are removed from the /etc/shadow file.
d. Password details for entries that exist in both files are copied from the /etc/passwd file to the /etc/shadow file.
3. The modules supported by Linux-PAM are authentication, session, and password.
4. The command to view the tickets is as follows:
Shell% klist
5. The command to change the Kerberos password is given here:
Shell% kpasswd
Short Answers
1. The general entry in the pam.conffile has the following format:
[service-name] [module-type] [control-flag] [module-path] [arguments]
The [service_name]argument specifies the service or the application associated with the given configuration entry. By using this parameter, you can select services such as ftpd,rlogind, and su.
The [module_type]argument can have one of the four listed values:
•
auth•
account•
session•
passwordThe [control_flag]argument is used to specify the response of the PAM library in events of success or failure of the module with which it is associated. The keywords that you can assign are listed here:
•
Required•
Requisite•
Sufficient•
OptionalThe [module_path]argument represents the pathname of the dynami-cally loadable object file, which is normally the pluggable module.
The [arguments]arguments are a list of tokens that are passed to the module when it is invoked.
2. DES
DES is a method for data encryption that uses a secret key, which is extremely difficult to break, to encrypt data. DES applies a 56-bit key to each 64-bit block of data. This method uses the private key cryptogra-phy, where both the sender and the receiver use the same private key to encrypt and decrypt data.
3DES
3DES takes three 64-bit keys to form an overall key length of 192 bits.
The data is encrypted with the first key and decrypted with the second key. This decrypted data is again encrypted with the third key. The 3DES encryption breaks the secret key into three subkeys and pads the keys, if necessary, so that they are each 64-bit long. The 3DES encryp-tion is more secure than the DES encrypencryp-tion.
IDEA
IDEA is a symmetric block cipher designed to facilitate both software and hardware implementation. It was developed to provide a high level of security with ease of implementation. IDEA encrypts data in 64-bit blocks with a 128-bit key. The 64-bit data block is divided into four 16-bit sub-blocks. Each of these sub-blocks undergoes eight rounds of oper-ations where the XOR algorithm is applied on the sub-blocks. This results in a very complex value, which is very difficult to analyze.
3. Linux PAM supports four types of modules: