Security authentication mechanism in AIX

Authentication mechanism verifies which users are allowed to access a system. Administrator can define authentication protocol; based on that protocol, users' credentials are verified, and users are given access to the system. AIX provides several authentication and identification modules. A user's authentication and identification are done based on the user's attributes on AIX. This article covers the user's authentication and identification attributes, load modules available in AIX, and a new authentication attribute introduced AIX 6.1 Tl07 and AIX 7.1 Tl1 releases.

Uma Chandolu (uchandol@in.ibm.com), AIX security developer and support specialist, IBM

Photo of Uma ChandoluUma M. Chandolu works as a development support specialist on AIX. He has over 6 years of extensive hands-on experience in AIX environments and demonstrated expertise in AIX system administration and other subsystems. He has experience interfacing with customers and handling customer-critical situations. He has been recognized as an IBM developerWorks Contributing Author. You can reach him at uchandol@in.ibm.com.



15 November 2011

Also available in Chinese Russian

Introduction

The process of verifying a user's identity on a system is part of the user authentication mechanism. Authentication mechanism varies from application to application. Administrators need to determine which authentication mechanism is suitable for their application, based on what needs to be configured on the system.

AIX standard authentication mechanism uses the crypt function to verify the user credentials. The crypt function uses only the first 8 characters from the user's password string to verify the user's password. AIX 5.3 Tl7 and AIX 6.1 introduced Loadable Password Algorithm (LPA) that supports new secure password hash algorithms, removed 8 character password length limitations, and supported 255 characters in passwords.

AIX provides load modules. These modules can be used for both user identification and authentication. Authentication functions include password verification and modification. Identification functions include storage, retrieval, and modification of user and group account information. Also, AIX provides loadable identification and authentication framework; using that interface, users can write their own authentication and identification modules.

This article provides information about AIX load modules, user identification, authentication attributes, and loadable password algorithms.

Overview

AIX supports loadable authentication and identification framework starting from AIX 4.1 and on. AIX 5.1 introduced compound modules; these modules are a combination of authentication and database modules. Authentication modules provide authentication services like password verification, where as database modules provide identification services like storing user's attributes.

Security load modules are like LDAP, NIS, KRB5, and PAM. AIX provides support for these modules starting from AIX 5.1 and on. These modules are briefly described further in following sections.

AIX Security subsystem directs authentication and identification requests to the proper method by using two attributes. These attributes are "registry" and "SYSTEM". registry and SYSTEM attributes play an important role in AIX user and group account management and authentication. Every user in AIX has a value for the registry and SYSTEM attribute. Groups only have registry values.

registry attribute

The registry attribute specifies where the user's and group's identification information is stored and administrated. The registry attribute always takes one value. User's identification information can be defined based on the value specified with the registry attribute.

For local users, the registry attribute is always set to "files"; for remote users, the registry attribute value changes based on user definition existence.

Set the registry attribute for a user with the chuser command. For example:

 chuser registry=<load module name> <username>

Note that for remote users, specify -R option in chuser command.

SYSTEM attribute

The SYSTEM attribute specifies authentication grammar for a user. Based on authentication grammar, the user is authenticated on that system. The authentication grammar can be used to describe multiple or alternative authentication methods.

The SYSTEM attribute allows an administrator to specify a fine granularity method (or methods) which the user must successfully meet to authenticate to gain access to the system.

When the SYSTEM attribute specified as "files", the user is authenticated using local authentication. When the SYSTEM attribute is specified as "compat", the user can be authenticated using local, NIS, or LDAP netgroup authentication.

Multiple authentication methods and modules can be defined as follows.

  • When the SYSTEM specified as "compat" AND "LDAP":
    • The user is required to authenticate using both compat and LDAP. If both methods return success, then the user is allowed to login to the system.
    • If any one authentication module fails to authenticate the user, the user is not granted access to the system.
  • When SYSTEM specified as "compat AND (LDAP[UNAVAIL] or LDAP[SUCCESS] )":
    • The user is required to authenticate using the "compat" module. Also, if LDAP is unavailable or LDAP returns success, then the user is allowed to login.

The SYSTEM and registry attributes are stored under the /etc/security/user files. During the user's login, SYSTEM and registry attributes are retrieved from the /etc/security/user file. For remote users, like LDAP, SYSTEM attributes are also retrieved from /etc/security/user files.

The SYSTEM attribute can be set for a user using chuser command. For example:

chuser SYSTEM=<load module name> <username>

For remote users, specify the -R option in chuser command.

Note that the load modules like LDAP, Kerberos, PAM, and NIS needs to be defined in the /usr/lib/security/methods.cfg or /etc/methods.cfg file. If the module definition does not exist in the methods.cfg file, then the grammar defined with that module for a user will fail to log in to the system.

authcontroldomain attribute

AIX introduced a new alternative authentication control attribute "authcontroldomain" from AIX 6.1 Tl07 and 71 Tl01 releases. When this attribute is set, SYSTEM and registry attributes are stored or retrieved from that database. For local users, SYSTEM and registry attribute are stored in /etc/security/user file irrespective of the authcontroldomain value.

The authcontroldomain attribute needs to be defined with a loadmodule name which is defined in the /etc/methods.cfg or /usr/lib/security/methods.cfg file. This attribute needs to be defined in the /etc/security/login.cfg file under the usw stanza.

authcontroldomain attribute can be set for a system as using the chsec command. For example:

chsec -f /etc/security/login.cfg -s usw -a authcontroldomain=LDAP

Note that the authcontroldomain attribute is not valid for local users.

AIX security authentication modules

AIX security authentication modules are:

  • Network Information Service (NIS)
  • Light weight Directory Access protocol (LDAP)
  • Kerberos
  • Pluggable Authentication Module (PAM)

Network Information Service (NIS)

Network Information Service is termed as "yellow pages" or sometimes called "Name Services." NIS follows client-server architecture; it stores information on an NIS servers in a set of files, and these files are referred as maps. These maps contain information about users, groups, and host information. NIS clients use these map files to check about NIS users, groups, or host entries on NIS Server. See the Resources section for information on configuring an NIS server and client.

The advantage to using NIS is it is easy to manage data on an NIS server.

Drawbacks with NIS are:

  • NIS stores the information in a flat file system.
  • NIS is not suitable for managing a large network of machines.
  • NIS servers need to update the map files for every change made to the users, groups, and hosts information on the system.
  • Information is transferred in plain text format over the network.

Lightweight Directory Access Protocol (LDAP)

LDAP is based on the client/server model of distributed computing. It provides consistent authentication and authorization services for necessary universal access. LDAP stores information in directory information tree (DIT) format on the LDAP server. LDAP is a connection oriented protocol which runs on TCP/IP; LDAP client connects to LDAP servers and are based on LDAP user credentials.

A LDAP security module has been available since AIX 4.3 release. This module acts as a interface between LDAP client daemon and AIX Security library. The AIX LDAP module is fully integrated on the AIX operating system.

In an heterogeneous environment, AIX LDAP client can be configured with any type of LDAP server. AIX LDAP client supports AIX, rfc2307, rfc2307aix, and SFU schemas.

LDAP installation and configuration

AIX provides mksecldap command for configuring an LDAP server and client on AIX systems. Please refer the Resources section for configuring an LDAP server and client configuration.

IBM LDAP filesets are shipped with AIX base media. The filesets starts with the idsldap name. AIX 5.3 ships LDAP 5.2 version filesets, and these filesets start with the ldap name.

Advantages with LDAP

  • LDAP stores information in a DIT format in a database and is easy to access the information from LDAP clients.
  • LDAP runs on TCP/IP and SSL.
  • With LDAP, it is easy to migrate database from one server to other server.
  • LDAP is suitable for managing large networks of machines.

Disadvantages with LDAP

  • LDAP transfers information in clear text format over the network.
  • LDAP is not suitable for dynamic transactions, such as banking transactions.

Kerberos

Kerberos is the name of a computer network authentication protocol that allows individuals communicating over a non-secure network to prove their identity to one another in a secure manner. Kerberos works on symmetric key cryptography and requires a trusted third party.

AIX ships Kerberos module (KRB5) from AIX 4.3 release, and this module provides user authentication. Kerberos is only an authentication module, and it needs to be integrated with other database modules.

AIX provides commands to configure Kerberos server and client that are part of the bos.rte.security fileset. This fileset is installed by default on the system.

Use the following steps to configure a Kerberos server on an AIX system:

  • Install the krb5.server.rte fileset on the system using the smit install command. These filesets can be found on AIX base media.
  • Configure the Kerberos server using the mkkrb5srv command.

Run the following command to configure a Kerberos server:

 mkkrb5srv -r <realm name> -d <domain name> -a <admin user>/<admin
    user's passwd>

This command creates the /etc/krb5/krb5.conf, /var/krb5/krb5kdc/kdc.conf and /etc/krb5/ krb5_cfg_type files.

The /etc/krb5/krb5.conf file contains information about the Kerberos server details and list of encryption algorithms. The /etc/krb5/krb5_cfg_type file specifies the type of system: master, slave, or client.

The /var/krb5/krb5kdc/kdc.conf file sets the values for the kdc_ports, kadmind_port, max_life, max_renewable_life, master_key_type, and supported_enctypes variables. This file also sets the paths for the database_name, admin_keytab, acl_file, dict_file, and key_stash_file variables.

The mkkrb5srv command prompts the user to enter the master admin password. This command starts the "krb5kdc" and "kadmind" daemons on the system. Kadmind daemon is for managing principal administration on Kerberos server.

Follow these steps to configure Kerberos client on AIX System:

  • Install krb5.client.rte, krb5.toolkit.adt filesets on the system using the smit install command.
  • Configure the Kerberos client using mkrkb5clnt command.

Run the following command to configure a Kerberos client:

 mkkrb5clnt -r <realm name> -c <KDC server> -s <Kerberos server> -a <admin user 
    /admin user's passwd> -d <domain name> 
-i <database name> -A -K -T

This command creates the /etc/krb5/krb5.conf file. The /etc/krb5/krb5.conf file is updated with the default realm name, KDC server, Kerberos admin server, and domain name specified during command invocation.

Note that the Kerberos client can be configured with multiple realms and multiple KDC servers. Please refer to the Resources section for configuring multiple kerberos realms on kerberos client.

Advantages with Kerberos

  • Kerberos is suitable for non-secure environments.
  • Kerberos uses symmetric key encryption mechanisms.
  • Kerberos transfers information in encrypted format over the network.

Disadvantages with Kerberos

  • Kerberos provides only authentication services; for identification services, it depends on other modules.
  • Kerberos authentication mechanism relies on a trusted third party. If a third party comprises security, it creates problems.
  • If the kerberos service ticket (TGT)is stolen, it can be used to access the network until it expires.

Pluggable authentication module (PAM)

Pluggable authentication module provides an interface for administrators to integrate any type of authentication service with system authentication mechanism. PAM is available starting from AIX 5.1 and completely integrated in the AIX 5.3 release. All existing services are integrated with PAM in AIX 5.3 release. Please refer the Resources section for configuring/enabling PAM and PAM services on AIX systems.

Advantages with PAM

  • PAM modules can be integrated with any type of authentication services.
  • Single authentication mechanism can be used for a variety of applications.

Disadvantages with PAM

  • PAM is an authentication module, and it only provides authentication services.

Loadable password algorithms (LPA)

AIX 5.3 allows configuring a user's password with different encryption algorithms from AIX 5.3 Tl07 and AIX 6.1 releases and on. This allows the user to set a password up to 255 characters length. By default, a user's password is encrypted with DES encryption algorithms.

For AIX 5.3 Tl07 and AIX 6.1 releases onward, the following password algorithms are introduced:

  • MD5
  • SHA
    • SHA1
    • SHA 256
    • SHA 512
  • Blowfish

Password algorithms are defined in the /etc/security/pwdalg.cfg file. Set password algorithms in the /etc/security/login.cfg file under the usw stanza. Use the following command to set the password algorithm:

 chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=<algorithm name>

Please refer the Resources section for more information about password hashing algorithms.

Note that when the password algorithm is set on a system, the user's password is modified with the new algorithm during the user's next password change.

Long user name support

AIX 5.3 allows increasing user and group name length from 8 to 255 characters. Use the following command to get the maximum allowed login name on a system. For example:

 lsattr -El sys0 -a max_logname

Use the following command to change the login name length:

 chdev -l sys0 -a max_logname=255

This change takes effect during next reboot of the system.

Conclusion

Security authentication mechanism works for user on AIX. AIX user's attributes, like registry and SYSTEM, play an important role during user authentication mechanism. Security load modules provides authentication and identification services for users and groups.

Resources

Learn

Get products and technologies

  • Evaluate IBM products in the way that suits you best: Download a product trial, try a product online, use a product in a cloud environment, or spend a few hours in the SOA Sandbox learning how to implement Service Oriented Architecture efficiently.
  • Try out IBM software for free. Download a trial version, log into an online trial, work with a product in a sandbox environment, or access it through the cloud. Choose from over 100 IBM product trials.

Discuss

Comments

developerWorks: Sign in

Required fields are indicated with an asterisk (*).


Need an IBM ID?
Forgot your IBM ID?


Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.

 


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name



The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.

 


All information submitted is secure.

Dig deeper into AIX and Unix on developerWorks


static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=AIX and UNIX, Security
ArticleID=774143
ArticleTitle=Security authentication mechanism in AIX
publish-date=11152011