Bookmark this page

Chapter 2. Identity Management Core Technologies

Abstract

Goal	Review the core technologies of Identity Management (IdM) in Red Hat Enterprise Linux.
Objectives	Describe the IdM core technologies.
Sections	The System Security Services Framework (and Guided Exercise) The Kerberos Authentication Protocol (and Guided Exercise) The Public Key Infrastructure (and Guided Exercise)
Lab	Working with Identity Management Core Technologies

The System Security Services Framework

Objectives

Describe the features of the System Security Services Daemon.
Describe the Name Service Switch.
Describe the Pluggable Authentication Module (PAM) architecture.

The System Security Services Daemon

The System Security Services Daemon (SSSD) consolidates various technologies into a single client-side framework that offers an authentication service. SSSD is a client that can interface with many different identity management servers that implement LDAP and/or Kerberos. Its primary role is to cache information from the identity server for later use.

The SSSD Integrated Solution

SSSD solves many problems in the Linux realm, such as integration with Microsoft Active Directory, centralized host-based access control (HBAC) and sudo rules, and offline login if the identity server is unavailable.

Before the introduction of SSSD, the configuration required for the use of LDAP and Kerberos for identity, and authentication was complex. Manual configuration included nss_ldap for LDAP identities, pam_krb5 for Kerberos authentication, nscd to cache the information retrieved from the LDAP directory, and pam_ccreds to cache Kerberos credentials.

SSSD Architecture and Components

Figure 2.1: SSSD Architecture

Table 2.1. SSSD Component Categories

Category	Description
`backends`	A back end queries an identity service, and stores the response in the cache.
`responders`	A responder takes requests and tries to fulfill them from the cache. If the information is absent then the responder asks the back end to refresh the cache.
`client libraries`	Client libraries act as a shim, translating requests from client applications to the responders.
`monitor`	The monitor observes back ends and responders, ensuring they are always running.
`tools`	Command-line tools used to manage SSSD and its cache.

SSSD does not only cache user and group information; it can also cache sudo rules and SSH keys, among others. Note that back ends are the only components that can write to the local cache.

Three types of cache are used within SSSD.

The local cache is stored persistently on disk, and is the primary store.

A negative cache exists inside each responder, and is used to store negative lookups; information that proves that something does not exist in the identity management server. Negative caches are not persistent.

The third type of cache is the in-memory cache of the name service switch (NSS) responder. This serves the standard purpose of speeding up responses for information that was recently successfully retrieved.

Configuring Authentication Components

Manually configuring SSSD, NSS, and Pluggable Authentication Modules (PAM) can be a complex task. Because these services need to work together, several tools are available that can simplify configuration. In Red Hat Enterprise Linux 7 and earlier, authconfig was the tool of choice for configuring the system to use centralized authentication. You can use authconfig by using its GUI, text-based user interface (TUI), or command-line interfaces.

With the introduction of RHEL 8, authconfig was replaced by authselect. Instead of configuring elements of PAM and NSS individually, authselect uses preconfigured profiles:

minimal: Do not use any centralized authentication, only local users.
sssd: Enable SSSD.
winbind: Use winbind centralized authentication.

The sssctl command enables interaction with SSSD, such as verifying the state of the daemon, servers, domains, and objects in the cache. The sssctl command is provided by the sssd-tools package, which is not installed by default.

When configuring a system as an IdM client, the ipa-client-install command configures SSSD, replacing any existing configuration. There is no need to use the authselect command. You also do not need authselect when using the realm join command to join a system to Active Directory.

The Name Service Switch

Originally, programs hard-coded standard lookup routines, and there could only be one choice for each resource. This was why the DNS lookup was hard-coded into the local host lookup routine. Name Service Switch (NSS) solved this problem, providing the ability to have multiple back ends and lookups that could be controlled independently for each configured database of information (aliases, ethers, groups, and so on).

Even though the Name Service Switch method enabled the use of different databases, if those databases were unavailable you could not log in. This led to the use of the Name Service Caching Daemon (NSCD) to cache information and avoid unnecessary lookups. If a user had logged in previously, and the cached information had not timed out, the user was still able to log in if the authentication back end was down. NSCD did have some issues, however, such as failing to respect DNS TTL values in some cases. Overall, NSCD introduced more problems than it solved.

Configuring the Name Service Switch

The NSS configuration is stored in the /etc/nsswitch.conf file. Each line in the file consists of a database name followed by a series of services to try in order. Some common database names, such as passwd, group, and hosts, match the files of the same name in the /etc directory.

The following example entry in /etc/nsswitch.conf defines the order of services to resolve hostnames:

hosts:      files dns

The /etc/hosts file is tried first, followed by DNS if the queried name is not found.

As a general rule, you only change the order of services to override the default behavior for a specific system. The configuration implemented by tools is usually correct.

For example, overriding DNS records with entries in /etc/hosts requires the files service to be listed first.

When a service such as sss is listed first, you should not remove the files service. Having a local NSS service to fall back on when the network is unavailable can enable system services to continue functioning.

Note

Changing the service order could have a negative impact on performance and so should be considered carefully.

Because SSSD can cache several different types of information, it can be listed as a service for different NSS databases. The following content is part of the /etc/nsswitch.conf file on the workstation machine.

passwd:     sss files systemd
shadow:     files
group:      sss files systemd
hosts:      files dns myhostname
services:   files sss
netgroup:   sss
automount:  files sss

aliases: files
ethers: files
gshadow: files
networks: files dns
protocols: files
publickey: files
rpc: files

In this example, SSSD is queried for user and group information before the local /etc/passwd and /etc/group files.

Because the passwd and shadow information is combined into one structure in network databases, shadow information is included in the sss lookup for passwd.

The netgroup database only exists in a network context, and has no local equal.

The systemd module ensures that the root and nobody users and groups (UID and GID of 0 and 65534, respectively) always remain resolvable, even if not listed in the /etc/passwd or /etc/group files, or if these files are missing.

The myhostname module provides hostname resolution for the locally configured system hostname. This module returns the information of the gethostname() system call, meaning localhost, localhost.localdomain, routing gateway addresses, and default outbound interfaces.

Most of the databases at the bottom of the file have no available network service.

Configuring Pluggable Authentication Modules

The Linux Pluggable Authentication Module (PAM) system separates security policy from application code. PAM introduced a standard API for authentication that application developers could take advantage of, to then concentrate on writing application code instead of authentication schemes. It enables a large amount of flexibility and control over authentication for both system administrators and application developers. PAM modules are written to be generic, making them suitable for use by any application. The modern PAM system provides much more than just authentication.

PAM Group and Control Directives

PAM can enforce security controls in four different management groups:

auth: The authentication group ensures that the user is who they say they are. Checks can include whether the user is local or coming through SSSD, or whether they are using a fingerprint to authenticate.
account: The account group verifies attributes of accounts, such as whether the account is in /etc/passwd, or whether it is a system or user account.
password: The password group verifies password complexity during password changes, or perform the password update in /etc/shadow.
session: The session group manages user session controls, such as resource limits, creating the user runtime directory if it does not exist, and setting environment variables.

The system is pluggable because multiple modules can be stacked for each management group. Each stack of modules is processed from the top down, so module order is important.

Each of the management groups support various levels of control:

required: Failing this module means that the result is always a failure, even after processing the remaining modules in the stack.
requisite: Failing this module results in returning immediately, no remaining modules in the stack are processed.
sufficient: If this module succeeds and no required modules have failed, then success is returned immediately.
optional: The success or failure of this module is not important unless it is the only module in the stack.
include: Inserts all lines from the given file that are relevant to this management group.
substack: Processes all relevant lines from the given file, except that the whole file is treated as a single module.

PAM Syntax and Directives

Traditionally, the syntax for a PAM rule in /etc/pam.conf consists of the service type control module-path module-arguments fields. In modern Linux systems, /etc/pam.conf has been replaced with multiple files located under the /etc/pam.d directory.

File names in /etc/pam.d match the name of the service, enabling that field to be removed from the rules. Rules in these files now follow the type control module-path module-arguments format.

This change allows packages to install their own default PAM configuration.

The following examples show the default content of the /etc/pam.d/sshd file.

The auth group

#%PAM-1.0
auth       substack     password-auth 
auth       include      postlogin

	Authentication is handed off to the system default `password-auth` stack.
	The `postlogin` stack provided by `authselect` is included.

The account group

account    required     pam_sepermit.so 
account    required     pam_nologin.so 
account    include      password-auth

	If the user is listed in the `/etc/security/sepermit.conf` file, then they can only log in if SELinux is in enforcing mode. If the user is not listed then this module returns PAM_IGNORE, meaning that processing should ignore this module and continue. If SELinux is disabled, this module cannot match users in the configuration file to SELinux users, and returns PAM_IGNORE for everyone.
	This module prevents all users other than `root` from logging in when either of the `/var/run/nologin` or `/etc/nologin` files exist. The content of the file is displayed to users attempting to log in.
	Handing off processing to the system default stack.

The password group

password   include      password-auth

Handing off processing to the system default stack.

The session group

# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close 
session    required     pam_loginuid.so 
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params 
session    required     pam_namespace.so 
session    optional     pam_keyinit.so force revoke 
session    optional     pam_motd.so 
session    include      password-auth 
session    include      postlogin

	Sets the default security context for the user session. The `close` argument restores the earlier security contexts to avoid issues with any following modules.
	Sets the `loginuid` process attribute for the current process for auditing purposes.
	Sets the default security context for the user session. The `open` argument sets up the execution security context for the next `execve` call.
	Creates a private namespace for the session.
	Creates a new session key ring.
	Displays `/etc/motd`.
	Hands off processing to the system default stack.
	Include the `post-login` rules for sessions here.

Many PAM modules are available that can perform myriad checks before approving a login. All PAM modules should provide a man page; use the name of the module without the .so extension.

[user@host ~]$ man 8 pam_unix
PAM_UNIX(8)                     Linux-PAM Manual                    PAM_UNIX(8)

NAME
       pam_unix - Module for traditional password authentication

SYNOPSIS
       pam_unix.so [...]

DESCRIPTION
       This is the standard Unix authentication module. It uses standard calls
       from the system's libraries to retrieve and set account information as
       well as authentication. Usually this is obtained from the /etc/passwd
       and the /etc/shadow file as well if shadow is enabled.
...output omitted...

References

For more information about SSSD, refer to the Understanding SSSD and its Benefits chapter in the Using SSSD, authselect, and sssctl to Configure Authentication and Authorization at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/configuring_authentication_and_authorization_in_rhel/index#understanding-SSSD-and-its-benefits_configuring-authentication-and-authorization-in-rhel

SSSD: System Security Services Daemon

Pluggable Authentication Modules for Linux

Discuss Red Hat Security: Identity Management and Authentication

Go to community

Welcome to the Red Hat Security: Identity Management and Active Directory Integration group!

Syed

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Identity Management and Active Directory Integration! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH362.Read more about Red Hat Security: Identity Management and Active Directory Integration here.

215

Revision: rh362-9.1-4c6fdb8