Security authentication mechanism in AIX
The process of verifying a user's identity on a system is part of the user authentication mechanism. Authentication mechanisms vary from application to application. Administrators need to determine which authentication mechanism suits their application, based on what needs to be configured on the system.
The AIX standard authentication mechanism uses the crypt function to verify user credentials. The crypt function uses only the first 8 characters of the user's password string to verify the password. AIX 5.3 TL7 and AIX 6.1 introduced Loadable Password Algorithms (LPA), which support new secure password hash algorithms, remove the 8-character password length limitation, and support passwords of up to 255 characters.
AIX provides load modules. These modules can be used for both user identification and authentication. Authentication functions include password verification and modification. Identification functions include storage, retrieval, and modification of user and group account information. AIX also provides a loadable identification and authentication framework; using its interface, users can write their own authentication and identification modules.
This article provides information about AIX load modules, user identification, authentication attributes, and loadable password algorithms.
AIX has supported a loadable authentication and identification framework since AIX 4.1. AIX 5.1 introduced compound modules, which combine an authentication module with a database module. Authentication modules provide authentication services such as password verification, whereas database modules provide identification services such as storing user attributes.
Security load modules include LDAP, NIS, KRB5, and PAM. AIX has supported these modules since AIX 5.1. These modules are briefly described in the following sections.
The AIX security subsystem directs authentication and identification requests to the proper method by using two attributes: "registry" and "SYSTEM". The registry and SYSTEM attributes play an important role in AIX user and group account management and authentication. Every user in AIX has a value for the registry and SYSTEM attributes. Groups only have a registry value.
The registry attribute specifies where the user's and group's identification information is stored and administered. The registry attribute always takes exactly one value. The user's identification information is looked up according to the value specified in the registry attribute.
For local users, the registry attribute is always set to "files"; for remote users, the registry attribute value depends on where the user definition exists.
Set the registry attribute for a user with the chuser command. For example:
chuser registry=<load module name> <username>
Note that for remote users, you must specify the -R option with the chuser command.
The SYSTEM attribute specifies the authentication grammar for a user. The user is authenticated on that system according to that grammar. The authentication grammar can describe multiple or alternative authentication methods.
The SYSTEM attribute allows an administrator to specify a fine-grained method (or methods) which the user must successfully satisfy in order to authenticate and gain access to the system.
When the SYSTEM attribute is specified as "files", the user is authenticated using local authentication. When the SYSTEM attribute is specified as "compat", the user can be authenticated using local, NIS, or LDAP netgroup authentication.
Multiple authentication methods and modules can be defined as follows.
- When the SYSTEM attribute is specified as "compat AND LDAP":
- The user is required to authenticate using both compat and LDAP. If both methods return success, the user is allowed to log in to the system.
- If either authentication module fails to authenticate the user, the user is not granted access to the system.
- When the SYSTEM attribute is specified as "compat AND (LDAP[UNAVAIL] or LDAP[SUCCESS] )":
- The user is required to authenticate using the "compat" module; in addition, if LDAP is unavailable or LDAP returns success, the user is allowed to log in.
The SYSTEM and registry attributes are stored in the /etc/security/user file. During the user's login, the SYSTEM and registry attributes are retrieved from the /etc/security/user file. For remote users, such as LDAP users, the SYSTEM attribute is also retrieved from the /etc/security/user file.
The SYSTEM attribute can be set for a user using chuser command. For example:
chuser SYSTEM=<load module name> <username>
For remote users, specify the -R option with the chuser command.
Note that load modules such as LDAP, Kerberos, PAM, and NIS need to be defined in the /usr/lib/security/methods.cfg or /etc/methods.cfg file. If a module definition does not exist in the methods.cfg file, a user whose grammar references that module will fail to log in to the system.
AIX introduced a new alternative authentication control attribute, "authcontroldomain", in the AIX 6.1 TL07 and AIX 7.1 TL01 releases. When this attribute is set, the SYSTEM and registry attributes are stored in and retrieved from that database. For local users, the SYSTEM and registry attributes are stored in the /etc/security/user file irrespective of the authcontroldomain value.
The authcontroldomain attribute must be set to a load module name that is defined in the /etc/methods.cfg or /usr/lib/security/methods.cfg file. The attribute is defined in the /etc/security/login.cfg file under the usw stanza.
The authcontroldomain attribute is set system-wide with the chsec command. For example:
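As an added illustration (not part of the original article), the following Python script evaluates a SYSTEM grammar such as the two above against the outcome each module reported, and lists the modules a grammar names that have no stanza in methods.cfg. The built-in keywords files, compat and NONE, and strict left-to-right evaluation of AND/OR, are assumptions of this example.

```python
import re

OUTCOMES = {"SUCCESS", "FAILURE", "NOTFOUND", "UNAVAIL"}  # results a term may name
BUILTIN = {"files", "compat", "NONE"}  # keywords with no methods.cfg stanza (assumed here)
TOKEN = re.compile(r"\s*(\(|\)|\[[A-Za-z]+\]|[A-Za-z0-9_]+)")

def tokenize(grammar):
    toks, pos = [], 0
    while pos < len(grammar.rstrip()):
        m = TOKEN.match(grammar, pos)
        if not m: raise ValueError("bad SYSTEM grammar near %r" % grammar[pos:])
        toks.append(m.group(1))
        pos = m.end()
    return toks

def evaluate(grammar, results):
    # results maps module -> outcome it reported, e.g. {"compat": "SUCCESS", "LDAP": "UNAVAIL"}.
    # A bare module name means MODULE[SUCCESS]; AND/OR apply left to right; parentheses group.
    toks, i = tokenize(grammar), 0
    def term():
        nonlocal i
        if i >= len(toks): raise ValueError("unexpected end of %r" % grammar)
        tok = toks[i]; i += 1
        if tok == "(":
            val = expr()
            if i >= len(toks) or toks[i] != ")": raise ValueError("missing ')' in %r" % grammar)
            i += 1
            return val
        wanted = "SUCCESS"
        if i < len(toks) and toks[i].startswith("["):
            wanted = toks[i][1:-1].upper(); i += 1
            if wanted not in OUTCOMES: raise ValueError("unknown outcome %r" % wanted)
        return results.get(tok, "UNAVAIL") == wanted  # a module that never ran is UNAVAIL
    def expr():
        nonlocal i
        val = term()
        while i < len(toks) and toks[i].upper() in ("AND", "OR"):
            op = toks[i].upper(); i += 1
            rhs = term()
            val = (val and rhs) if op == "AND" else (val or rhs)
        return val
    val = expr()
    if i != len(toks): raise ValueError("unexpected %r in %r" % (toks[i], grammar))
    return val

def undefined_modules(grammar, methods_cfg):
    # Modules named in the grammar that have no "name:" stanza in the methods.cfg text.
    defined = {m.group(1) for m in re.finditer(r"^(\w+):", methods_cfg, re.M)}
    used = {t for t in tokenize(grammar) if t[0].isalnum() and t.upper() not in ("AND", "OR")}
    return sorted(used - defined - BUILTIN)
```

Feed undefined_modules the text of a user's SYSTEM value and the contents of methods.cfg to catch the failing-login case described above before the user hits it.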
chsec -f /etc/security/login.cfg -s usw -a authcontroldomain=LDAP
Note that the authcontroldomain attribute is not valid for local users.
AIX security authentication modules
AIX security authentication modules are:
- Network Information Service (NIS)
- Lightweight Directory Access Protocol (LDAP)
- Kerberos (KRB5)
- Pluggable Authentication Module (PAM)
Network Information Service (NIS)
Network Information Service is also termed "yellow pages" and is sometimes called "Name Services." NIS follows a client-server architecture; it stores information on an NIS server in a set of files, and these files are referred to as maps. The maps contain user, group, and host information. NIS clients use these map files to look up NIS users, groups, or host entries on the NIS server. See the Related topics section for information on configuring an NIS server and client.
The advantage of NIS is that data on an NIS server is easy to manage.
Drawbacks with NIS are:
- NIS stores the information in a flat file system.
- NIS is not suitable for managing a large network of machines.
- NIS servers need to update the map files for every change made to the users, groups, and hosts information on the system.
- Information is transferred in plain text format over the network.
Lightweight Directory Access Protocol (LDAP)
LDAP is based on the client/server model of distributed computing. It provides consistent authentication and authorization services where universal access is required. LDAP stores information in a directory information tree (DIT) on the LDAP server. LDAP is a connection-oriented protocol that runs over TCP/IP; LDAP clients connect to LDAP servers and authenticate to them with LDAP user credentials.
An LDAP security module has been available since the AIX 4.3 release. This module acts as an interface between the LDAP client daemon and the AIX security library. The AIX LDAP module is fully integrated into the AIX operating system.
In a heterogeneous environment, the AIX LDAP client can be configured with any type of LDAP server. The AIX LDAP client supports the AIX, rfc2307, rfc2307aix, and SFU schemas.
LDAP installation and configuration
AIX provides the mksecldap command for configuring an LDAP server and client on AIX systems. Refer to the Related topics section for LDAP server and client configuration.
IBM LDAP filesets are shipped with the AIX base media. These fileset names start with idsldap. AIX 5.3 ships LDAP version 5.2 filesets, whose names start with ldap.
Advantages with LDAP
- LDAP stores information in a DIT in a database, and the information is easy to access from LDAP clients.
- LDAP runs over TCP/IP and SSL.
- With LDAP, it is easy to migrate the database from one server to another.
- LDAP is suitable for managing large networks of machines.
Disadvantages with LDAP
- LDAP transfers information in clear text format over the network.
- LDAP is not suitable for dynamic transactions, such as banking transactions.
Kerberos (KRB5)
Kerberos is a computer network authentication protocol that allows individuals communicating over a non-secure network to prove their identity to one another in a secure manner. Kerberos is built on symmetric key cryptography and requires a trusted third party.
AIX has shipped the Kerberos module (KRB5) since the AIX 4.3 release; this module provides user authentication. Kerberos is only an authentication module, and it needs to be integrated with other database modules.
AIX provides commands to configure a Kerberos server and client; they are part of the bos.rte.security fileset, which is installed by default on the system.
Use the following steps to configure a Kerberos server on an AIX system:
- Install the krb5.server.rte fileset on the system using the smit install command. These filesets can be found on AIX base media.
- Configure the Kerberos server using the mkkrb5srv command.
Run the following command to configure a Kerberos server:
mkkrb5srv -r <realm name> -d <domain name> -a <admin user>/<admin user's passwd>
This command creates the /etc/krb5/krb5.conf, /var/krb5/krb5kdc/kdc.conf, and /etc/krb5/krb5_cfg_type files.
The /etc/krb5/krb5.conf file contains information about the Kerberos server details and list of encryption algorithms. The /etc/krb5/krb5_cfg_type file specifies the type of system: master, slave, or client.
The /var/krb5/krb5kdc/kdc.conf file sets the values for the kdc_ports, kadmind_port, max_life, max_renewable_life, master_key_type, and supported_enctypes variables. This file also sets the paths for the database_name, admin_keytab, acl_file, dict_file, and key_stash_file variables.
The mkkrb5srv command prompts the user to enter the master admin password. The command starts the "krb5kdc" and "kadmind" daemons on the system. The kadmind daemon handles principal administration on the Kerberos server.
Follow these steps to configure a Kerberos client on an AIX system:
- Install the krb5.client.rte and krb5.toolkit.adt filesets on the system using the smit install command.
- Configure the Kerberos client using the mkkrb5clnt command.
Run the following command to configure a Kerberos client:
mkkrb5clnt -r <realm name> -c <KDC server> -s <Kerberos server> -a <admin user>/<admin user's passwd> -d <domain name> -i <database name> -A -K -T
This command creates the /etc/krb5/krb5.conf file. The /etc/krb5/krb5.conf file is updated with the default realm name, KDC server, Kerberos admin server, and domain name specified during command invocation.
Note that the Kerberos client can be configured with multiple realms and multiple KDC servers. Refer to the Related topics section for configuring multiple Kerberos realms on a Kerberos client.
Advantages with Kerberos
- Kerberos is suitable for use over non-secure networks.
- Kerberos uses symmetric key encryption mechanisms.
- Kerberos transfers information in encrypted format over the network.
Disadvantages with Kerberos
- Kerberos provides only authentication services; for identification services, it depends on other modules.
- The Kerberos authentication mechanism relies on a trusted third party. If that third party is compromised, the whole realm is affected.
- If a Kerberos ticket (such as the ticket-granting ticket, TGT) is stolen, it can be used to access the network until it expires.
Pluggable authentication module (PAM)
The pluggable authentication module provides an interface for administrators to integrate any type of authentication service with the system authentication mechanism. PAM has been available since AIX 5.1 and was completely integrated in the AIX 5.3 release, where all existing services are integrated with PAM. Refer to the Related topics section for configuring and enabling PAM and PAM services on AIX systems.
Advantages with PAM
- PAM modules can be integrated with any type of authentication service.
- A single authentication mechanism can be used for a variety of applications.
Disadvantages with PAM
- PAM is an authentication module, and it only provides authentication services.
Loadable password algorithms (LPA)
Starting with the AIX 5.3 TL07 and AIX 6.1 releases, a user's password can be protected with different password algorithms. This allows the user to set a password of up to 255 characters. By default, a user's password is hashed with the DES-based crypt algorithm.
Starting with the AIX 5.3 TL07 and AIX 6.1 releases, the following password algorithms are introduced:
- SHA 256
- SHA 512
Password algorithms are defined in the /etc/security/pwdalg.cfg file. Set password algorithms in the /etc/security/login.cfg file under the usw stanza. Use the following command to set the password algorithm:
chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=<algorithm name>
Refer to the Related topics section for more information about password hashing algorithms.
Note that when the password algorithm is changed on a system, existing users keep their old hashes; each user's password is re-hashed with the new algorithm only at that user's next password change.
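As an added example (not from the original article), this Python script parses a constructed /etc/security/passwd stanza file and reports the users whose stored hash is still a legacy 13-character crypt value, or otherwise differs from the configured pwd_algorithm; those are the accounts that have not yet gone through a password change since the algorithm was set. The {ssha256}/{ssha512} prefix convention for LPA hashes and all sample values are assumptions of this example.

```python
import re

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # legacy crypt(): 13-character output
LPA_PREFIX = re.compile(r"^\{([a-z0-9]+)\}")    # LPA hashes start with {ssha256}, {ssha512}, ...

def parse_stanzas(text):
    # AIX stanza files: "name:" at column 0, indented "attr = value" lines, "*" comments.
    stanzas, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("*"):
            continue
        if not line[0].isspace() and stripped.endswith(":"):
            current = stripped[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def hash_algorithm(pw):
    if pw in ("", "*", "!"):
        return "none"              # locked, or no password ever set
    m = LPA_PREFIX.match(pw)
    if m:
        return m.group(1)          # e.g. "ssha256" or "ssha512"
    return "crypt" if DES_CRYPT.match(pw) else "unknown"  # crypt() used only 8 chars

def audit_passwd(passwd_text, expected):
    # Users whose stored hash does not use the configured pwd_algorithm; they keep
    # the old hash until their next password change.
    algs = {u: hash_algorithm(a.get("password", "")) for u, a in parse_stanzas(passwd_text).items()}
    return {u: alg for u, alg in algs.items() if alg != expected}

# Constructed sample of /etc/security/passwd; the hash strings are placeholders, not real hashes.
SAMPLE_PASSWD = """\
* constructed example, not a real password file
root:
        password = {ssha512}06$CONSTRUCTEDSALT$CONSTRUCTED.EXAMPLE.HASH
        lastupdate = 1700000000
legacy:
        password = ab01cdef23GHI
svc:
        password = *
"""

if __name__ == "__main__":
    for user, alg in audit_passwd(SAMPLE_PASSWD, "ssha512").items():
        print("%-8s still uses %s" % (user, alg))
```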
Long user name support
AIX 5.3 allows the user and group name length to be increased from 8 to 255 characters. Use the following command to get the maximum allowed login name length on a system. For example:
lsattr -El sys0 -a max_logname
Use the following command to change the login name length:
chdev -l sys0 -a max_logname=255
This change takes effect at the next reboot of the system.
This article has described how the security authentication mechanism works for users on AIX. User attributes such as registry and SYSTEM play an important role in the user authentication mechanism. Security load modules provide authentication and identification services for users and groups.
- The AIX Security Guide provides complete information about security authentication modules.
- "LDAP configuration management and troubleshooting on AIX" (developerWorks, May 2007) provides an overview of LDAP configuration and management.
- "AIX pluggable authentication module" (developerWorks, July 2011) provides an overview of the pluggable authentication module and its services.
- "Network Information Service" (developerWorks, November 2007) provides step-by-step instructions for configuring an NIS server and client.
- "Configuring an AIX client with multiple Kerberos realms" (developerWorks, October 2009) provides step-by-step instructions for configuring a client with multiple realms.
- Loadable Password Algorithms provides more information about password hashing algorithms in AIX.