12-B.5: Identity and Access Management
- Page ID
- 42803
EXAM OBJECTIVES COVERED
3.2 Given a scenario, configure and implement appropriate access and authentication methods.
4.3 Given a scenario, analyze and troubleshoot user issues.
Identity and Access Management
Identity and access management (IAM) is a framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to technology resources. IAM systems fall under the overarching umbrellas of IT security and data management.
In practice, IAM is the organizational process for identifying, authenticating and authorizing individuals or groups of people to access applications, systems or networks, by associating user rights and restrictions with established identities. IAM is the task of controlling information about users on computers: the information that authenticates a user's identity, and the information that describes which data and actions they are authorized to access or perform. It also includes managing descriptive information about the user, and how and by whom that information can be accessed and modified. In addition to users, managed entities typically include hardware and network resources and even applications.
Using SSH Authentication
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line, login, and remote command execution, but any network service can be secured with SSH.
SSH provides a secure channel over an unsecured network by using a client–server architecture, connecting an SSH client application with an SSH server. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2. The standard TCP port for SSH is 22. SSH is generally used to access Unix-like operating systems, but it can also be used on Microsoft Windows. Windows 10 uses OpenSSH as its default SSH client and SSH server.
Despite popular misconception, SSH is not an implementation of Telnet with cryptography provided by the Secure Sockets Layer (SSL). SSH was designed as a replacement for Telnet and for unsecured remote shell protocols such as the Berkeley rsh and the related rlogin and rexec protocols. Those protocols send information, notably passwords, in plaintext, rendering them susceptible to interception and disclosure using packet analysis.
SSH Config Files in Linux
As is so common with Linux tools, there are configuration files for SSH. There are global configuration files that affect all users, and there are individual user configuration files. These files are shown in the table below.
File name | Description |
---|---|
/etc/ssh/ssh_config | The global client configuration for all users of SSH on this system. |
/etc/ssh/ssh_known_hosts | System-wide list of host keys, used to verify the identity of other systems. |
~/.ssh/config or $HOME/.ssh/config (both are the same location) | The user's configuration file, which overrides settings in the global configuration file. |
~/.ssh/id_rsa or $HOME/.ssh/id_rsa | The user's private key generated by ssh-keygen is stored here. |
~/.ssh/id_rsa.pub or $HOME/.ssh/id_rsa.pub | The user's public key generated by ssh-keygen is stored here. |
~/.ssh/authorized_keys (on the remote server) | The user's public keys that are permitted to log in to this account. |
~/.ssh/known_hosts (on the local client) | Contains the known host keys of the remote hosts this client connects to. |
SSH keys
SSH keys are a way to authenticate SSH connections without using a password, either to speed up your access or as a security measure if you turn password access off and ensure only authorized keys are permitted. To create an SSH key, run the command:
pbmac@pbmac-server $ ssh-keygen
This will create a key-pair (a public and private key) in ~/.ssh/. Keep the private key (id_rsa) on the PC and never share it. You can share the public key (id_rsa.pub) with others or place it on other servers.
ssh-copy-id
To get the public key over to your remote machine, use the ssh-copy-id command. For this to work, you must verify that you already have SSH access to the remote machine. If you can't log into the remote host with a password, you can't set up passwordless login either:
pbmac@pbmac-server $ ssh-copy-id myuser@192.168.1.20
ssh-add
The ssh-add command adds SSH private keys into the SSH authentication agent for implementing single sign-on with SSH.
Using ssh-agent and ssh-add allows the user to use any number of servers, spread across any number of organizations, without having to type in a password every time when moving between servers. This technique is commonly used by system administrators as it allows them to easily move between servers without constantly having to provide a password. It is also frequently found in universities and research institutions for accessing the variety of computing resources that researchers need in their work.
Open a terminal and run the following command; it prints the PID of the ssh-agent:
pbmac@pbmac-server $ eval `ssh-agent`
Agent pid 78932
Now that ssh-agent is running, you need to provide the passphrase for your SSH private key. To do so, run the ssh-add command:
pbmac@pbmac-server $ ssh-add
Enter passphrase for /home/pbmac/.ssh/id_ed9923
Identity added: /home/pbmac/.ssh/id_ed9923 (pbmac@pbmac_server)
The /etc/ssh/sshd_config File
First, make a backup of the sshd_config file by copying it to your home directory, or by making a read-only copy in /etc/ssh:
pbmac@pbmac-server $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults
pbmac@pbmac-server $ sudo chmod a-w /etc/ssh/sshd_config.factory-defaults
Creating a read-only backup in /etc/ssh means you'll always be able to find a known-good configuration when you need it.
Once you've backed up your sshd_config file, you can make changes with any text editor, for example:
pbmac@pbmac-server $ sudo gedit /etc/ssh/sshd_config
Depending on the Linux distribution, you can use a different editor, and the command to restart the SSH service after editing also differs:
# Debian / Ubuntu
pbmac@pbmac-server $ sudo service ssh restart
# Red Hat / Fedora / CentOS
pbmac@pbmac-server $ sudo systemctl restart sshd
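Before restarting sshd it is worth checking that the edited file actually turns off the settings this section discusses (password logins, root login). The following audit script is an added example, not code from the original page; the sample configuration it contains is constructed, the hardened values are assumptions of this example, and the defaults are OpenSSH's documented ones. As in sshd itself, the first value seen for a keyword wins and lines after a Match header are conditional, so they are skipped.

```python
"""Audit an sshd_config for weak authentication settings (added example)."""
from typing import Dict, List

# keyword -> (OpenSSH default, hardened value assumed by this example, reason)
CHECKS = {
    "passwordauthentication": ("yes", "no", "password logins still allowed; use keys only"),
    "permitrootlogin": ("prohibit-password", "no", "root login over SSH should be disabled"),
    "pubkeyauthentication": ("yes", "yes", "public-key authentication is disabled"),
    "permitemptypasswords": ("no", "no", "accounts with empty passwords may log in"),
}

# Constructed sample; point audit() at the contents of /etc/ssh/sshd_config instead.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return keyword -> first effective value (lowercased), ignoring comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # allow "Key=value" form
        key = parts[0].lower()
        if key == "match":
            break  # remaining lines apply only to matching connections
        if len(parts) == 2 and key not in settings:  # first obtained value wins
            settings[key] = parts[1].strip().lower()
    return settings


def audit(text: str) -> List[str]:
    """List findings for settings weaker than the hardened value."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (default, want, reason) in CHECKS.items():
        got = settings.get(key, default)  # unset keywords take the default
        if got != want:
            findings.append(f"{key}={got}: {reason}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WARN", finding)
```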
TCP Wrappers
TCP Wrapper is a host-based networking access control list (ACL) used to filter network access to a host. It makes use of two files, /etc/hosts.allow and /etc/hosts.deny, which let you grant or deny access to a specific host by editing the appropriate file. The hosts.allow file has precedence over the hosts.deny file.
To restrict SSH access to the server, the hosts.deny file would be configured as:
ALL : ALL
which denies access to all services from all sources. The hosts.allow file would then contain the allowable parameters.
sshd : 192.168.
sshd : .example.com
The first line allows any host whose IP address begins with 192.168, which is a private address range, so we know these are local systems; as with the second line, the trailing period makes the pattern a prefix match. In the second line the period preceding example.com allows any host in the example.com domain.
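To see how the two files combine, the following evaluator applies the rules above to sample clients. It is an added example, not code from the original page, and covers only the pattern forms this section uses (ALL, an address prefix ending in a period, a domain suffix beginning with one, and exact matches); the lookup order, allow first, then deny, then permit by default, follows the precedence stated above.

```python
"""Evaluate hosts.allow / hosts.deny rules for a client (added example)."""
from typing import List, Tuple

# The page's own rules, embedded as constructed strings
HOSTS_DENY = "ALL : ALL\n"
HOSTS_ALLOW = "sshd : 192.168.\nsshd : .example.com\n"

Rule = Tuple[List[str], List[str]]  # (daemon patterns, client patterns)


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemons : clients [: options]' lines, skipping comments."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed line, ignored
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def match(pattern: str, value: str) -> bool:
    """Match one pattern against a daemon name, address or hostname."""
    pattern, value = pattern.lower(), value.lower()
    if pattern == "all":
        return True
    if pattern.endswith("."):      # '192.168.' is an address-prefix match
        return value.startswith(pattern)
    if pattern.startswith("."):    # '.example.com' is a domain-suffix match
        return value.endswith(pattern)
    return pattern == value


def access_allowed(daemon: str, addr: str, name: str,
                   allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> bool:
    """Allow if hosts.allow matches, deny if hosts.deny matches, else allow."""
    def hit(rules: List[Rule]) -> bool:
        return any(any(match(d, daemon) for d in ds)
                   and any(match(c, addr) or (name and match(c, name)) for c in cs)
                   for ds, cs in rules)
    if hit(parse_rules(allow)):
        return True
    return not hit(parse_rules(deny))
```

Because hosts.deny holds ALL : ALL, everything not listed in hosts.allow (including sshd clients outside 192.168. and example.com, and every other wrapped service) is refused.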
Adapted from
"Identity management" by Multiple Contributors, Wikipedia is licensed under CC BY-SA 3.0
"Secure Shell Protocol" by Multiple Contributors, Wikipedia is licensed under CC BY-SA 3.0
"SSH/OpenSSH/Configuring" by kaddidle, Ubuntu Community Help Wiki is licensed under CC BY-SA 4.0