Change of Active Identity and PAM

Commands to Change the Active Identity

  • The su command is used to become another user during a login session. Invoked without a username, su defaults to becoming the superuser. The optional argument - may be used to provide an environment similar to what the user would expect had the user logged in directly.
  • The sudo command allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.
  • visudo edits the sudoers file in a safe fashion. visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try again later.

PAM (Pluggable Authentication Module)

In the early days of Linux, when a program such as su, passwd, or login wanted to authenticate a user, it simply read the necessary information from the /etc/passwd file. Editing /etc/passwd was enough to change a user's password. This simple but inadequate method caused problems for system administrators and application developers alike.

MD5 hashes and shadow passwords became popular, and it became clear that every program that needs user authentication had to know how to obtain the right information. If you wanted to change how user credentials were stored, you had to recompile all of those programs.

PAM removed this complexity, reducing the potential for security vulnerabilities and making programmers' lives easier, by allowing programs to authenticate users transparently, independent of how user information is stored.

Today, software that requires user authentication can authenticate users through PAM without knowing anything about the complexity of the underlying authentication mechanism.

With PAM, users can be verified not only against the /etc/passwd file, but also against a database, a directory server, a fingerprint reader, and so on. UNIX is very flexible with respect to the user authentication mechanism and can be integrated with many different authentication systems.

Any software that uses the PAM application interface can benefit from the flexibility PAM provides. There are many PAM modules for Linux, including modules for RADIUS, LDAP, smart cards, and X.509 certificates.

PAM Configurations

The PAM configuration files are located in the /etc/pam.d/ directory. Although the files in this directory vary according to the services and applications running on your system, you will find a file here for each program on your system that needs user authentication. Each file in this directory contains the PAM authentication configuration for the respective program.

The configuration files have the following syntax:

type control module-path module-arguments

  • type: specifies which type of authentication to perform: account, auth, password, or session.
  • control: specifies what to do if the module's check fails: requisite, required, sufficient, or optional.
  • module-path: specifies which module to use and where to find it.
  • module-arguments: parameters passed to the module.
The type attribute tells PAM what kind of authentication to perform with this module. PAM identifies four different types:
  • account determines whether the user is allowed to access the service, for example whether the password has expired.
  • auth checks whether a user is who they claim to be, usually by a password.
  • password provides a mechanism for the user to change the password used for authentication.
  • session specifies what to do after the user has been authenticated and/or beforehand. These can be things like mounting/unmounting the user's home directory, keeping a record of the sessions that were opened and closed, and restricting the services the user may use.

In the login configuration file we see at least one entry for each type; all four are present because login handles the user's entire session. You will not necessarily see all four types in more specialized services.

The control attribute tells PAM what to do when a module fails authentication. PAM recognizes four different control values:
  • requisite: if authentication fails in this module, it is rejected immediately.
  • required: PAM continues to call the other modules listed for this service before rejecting authentication, but a failure still results in denial.
  • sufficient: if authentication with this module succeeds, PAM accepts authentication even if a previous required module failed.
  • optional: the success or failure of this module matters only if it is the only module of its type for the service.
The module-path tells PAM which module to use and where to find it.
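
Here is an added example, not code from the original post, that models how a PAM stack combines per-module verdicts under these four control values. It follows the Linux-PAM manual's rule that a sufficient success returns immediately only when no earlier required module has failed, so it is worth comparing with the description above. The module names and verdicts in the sample stack are constructed; [value=action] controls, include and substack are not modelled.

```python
# Added example, not code from the original post: a simplified model of how a
# PAM stack combines per-module verdicts under requisite / required /
# sufficient / optional. [value=action] controls, include and substack are omitted.
def parse_pam_config(text):
    """Parse 'type control module-path [module-arguments...]' lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, control, module, *args = fields
        if control not in ("requisite", "required", "sufficient", "optional"):
            raise ValueError(f"unsupported control {control!r} in {raw!r}")
        entries.append({"type": mtype, "control": control,
                        "module": module, "args": args})
    return entries

def run_stack(entries, mtype, results):
    """Return True if the `mtype` stack (auth, account, ...) succeeds.
    `results` maps module-path -> bool, the verdict each module would return.
    status None means no module has set a verdict yet; PAM treats that as failure."""
    status = None
    for e in (x for x in entries if x["type"] == mtype):
        ok = results.get(e["module"], False)
        ctl = e["control"]
        if ok:
            if ctl == "sufficient" and status is not False:
                return True      # accept now, unless a required module already failed
            if status is None:
                status = True    # first verdict; a later required failure can still flip it
        elif ctl == "requisite":
            return False         # fail immediately; later modules are never called
        elif ctl == "required":
            status = False       # remember the failure, but keep calling the rest
        # a failing sufficient or optional module is simply ignored
    return status is True

# Constructed auth stack in the style of a typical /etc/pam.d service file
SAMPLE_AUTH = """
auth    required    pam_env.so
auth    sufficient  pam_unix.so nullok try_first_pass
auth    requisite   pam_succeed_if.so uid >= 1000 quiet_success
auth    required    pam_deny.so
"""

def auth_ok(results):
    return run_stack(parse_pam_config(SAMPLE_AUTH), "auth", results)
```

In the sample stack a correct Unix password is enough, a wrong one falls through to the requisite uid check and then to pam_deny, and a failure in the required pam_env step cannot be rescued by the later sufficient module.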


To read my previous article: Monitoring of Work

This post first appeared on Linux System Manual For Everyone, please read the original post: here
