Engineering LibreTexts

12-B.5: Identity and Access Management


    EXAM OBJECTIVES COVERED
    3.2 Given a scenario, configure and implement appropriate access and authentication methods.
    4.3 Given a scenario, analyze and troubleshoot user issues.

    Identity and Access Management

    Identity and access management (IAM) is a framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to technology resources. IAM systems fall under the overarching umbrellas of IT security and data management.

    Identity and access management (IAM) is the organizational process for identifying, authenticating and authorizing individuals or groups of people to have access to applications, systems or networks by associating user rights and restrictions with established identities. IAM is the task of controlling information about users on computers. Such information includes data that authenticates the identity of a user, and data that describes what the user is authorized to access and which actions they may perform. It also includes the management of descriptive information about the user and of how, and by whom, that information can be accessed and modified. In addition to users, managed entities typically include hardware and network resources and even applications.

    Using SSH Authentication

    Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line, login, and remote command execution, but any network service can be secured with SSH.

    SSH provides a secure channel over an unsecured network by using a client–server architecture, connecting an SSH client application with an SSH server. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2. The standard TCP port for SSH is 22. SSH is generally used to access Unix-like operating systems, but it can also be used on Microsoft Windows. Windows 10 uses OpenSSH as its default SSH client and SSH server.

    Despite popular misconception, SSH is not an implementation of Telnet with cryptography provided by the Secure Sockets Layer (SSL). SSH was designed as a replacement for Telnet and for unsecured remote shell protocols such as the Berkeley rsh and the related rlogin and rexec protocols. Those protocols send information, notably passwords, in plaintext, rendering them susceptible to interception and disclosure using packet analysis.

    SSH Config Files in Linux

    As is so common with Linux tools, there are configuration files for SSH. There are global configuration files that affect all users, and there are individual user configuration files. These files are shown in the table below.

    File name                                          Description
    /etc/ssh/ssh_config                                Global SSH client configuration for all users on this system.
    /etc/ssh/ssh_known_hosts                           System-wide list of known host keys, used to verify the identity of remote systems.
    ~/.ssh/config (same as $HOME/.ssh/config)          The user's client configuration file, which overrides settings in the global configuration file.
    ~/.ssh/id_rsa (same as $HOME/.ssh/id_rsa)          The user's private key generated by ssh-keygen is stored here.
    ~/.ssh/id_rsa.pub (same as $HOME/.ssh/id_rsa.pub)  The user's public key generated by ssh-keygen is stored here.
    ~/.ssh/authorized_keys (on the REMOTE server)      The user's public keys that are permitted to log in as that user.
    ~/.ssh/known_hosts (on the LOCAL client)           Contains the known host keys of the remote hosts this client connects to.

    SSH keys

    SSH keys are a way to authenticate SSH connections without using a password, either to speed up your access or as a security measure if you turn password access off and ensure only authorized keys are permitted. To create an SSH key, run the command:

    pbmac@pbmac-server $ ssh-keygen 

    This will create a key-pair (a public and private key) in ~/.ssh/. Keep the private key (id_rsa) on the PC and never share it. You can share the public key (id_rsa.pub) with others or place it on other servers.

    ssh-copy-id

    To copy the public key to the remote machine, use the ssh-copy-id command. For this to work, you must already have SSH access to the remote machine: if you cannot log into the remote host with a password, you cannot set up passwordless login this way either.

    pbmac@pbmac-server $ ssh-copy-id myuser@192.168.1.20 
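    On the remote side, ssh-copy-id does little more than append the contents of id_rsa.pub (or id_ed25519.pub) to ~/.ssh/authorized_keys. The following Python example, added here and not part of the original page or of OpenSSH, reproduces that step locally so the file format can be inspected: it validates a public-key line (the base64 blob must decode and must repeat the declared key type, which is how OpenSSH rejects mislabelled keys), refuses to add the same key twice, and creates the file with mode 0600 as sshd's StrictModes expects. The key bytes, comment and file paths are constructed for the example; the short list of accepted key types is an assumption.

```python
import base64
import os
import struct
import tempfile

# Key types accepted by this example; OpenSSH accepts more (deliberately short list).
ACCEPTED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': 4-byte big-endian length, then the bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw_key: bytes, comment: str) -> str:
    """Build the one-line id_ed25519.pub format for a 32-byte Ed25519 public key.
    Only used here to construct sample input; ssh-keygen writes this file normally."""
    if len(raw_key) != 32:
        raise ValueError("an Ed25519 public key is exactly 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}".rstrip()


def parse_pubkey_line(line: str) -> tuple[str, str, str]:
    """Validate a '<type> <base64> [comment]' line and return its three fields.
    The base64 blob must decode, and the first SSH string inside it must repeat the
    declared key type; that cross-check is how OpenSSH rejects mislabelled keys."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ACCEPTED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4 or blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key blob does not match the declared key type")
    return key_type, b64, comment


def install_authorized_key(auth_keys_path: str, pubkey_line: str) -> bool:
    """Append the key to authorized_keys unless the same key is already listed.
    Returns True when a line was added. The file is created mode 0600, which
    sshd's StrictModes requires before it will trust the file at all."""
    key_type, b64, comment = parse_pubkey_line(pubkey_line)
    if os.path.exists(auth_keys_path):
        with open(auth_keys_path) as fh:
            for entry in fh:
                try:
                    etype, eb64, _ = parse_pubkey_line(entry)
                except ValueError:
                    continue  # blanks, comments or option-prefixed lines this example does not parse
                if (etype, eb64) == (key_type, b64):
                    return False  # already authorised; do not add a duplicate
    fd = os.open(auth_keys_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as fh:
        fh.write(f"{key_type} {b64} {comment}".rstrip() + "\n")
    return True


def demo() -> tuple[bool, bool, int]:
    """Install a constructed sample key twice into a temporary authorized_keys file.
    Returns (added_first_time, added_second_time, file_mode_bits)."""
    # Constructed key bytes: 0x00..0x1f stand in for a real Ed25519 public key.
    sample = make_ed25519_pubkey_line(bytes(range(32)), "pbmac@pbmac-server")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "authorized_keys")
        first = install_authorized_key(path, sample)
        second = install_authorized_key(path, sample)
        mode = os.stat(path).st_mode & 0o777
    return first, second, mode


if __name__ == "__main__":
    print(demo())  # (True, False, 384), i.e. added once, duplicate skipped, mode 0o600
```

    The duplicate check compares the key type and blob only, not the comment, because the comment is free text and two copies of the same key with different comments would still both grant access.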

    ssh-add

    The ssh-add command adds SSH private keys into the SSH authentication agent for implementing single sign-on with SSH.

    Using ssh-agent and ssh-add allows the user to use any number of servers, spread across any number of organizations, without having to type in a password every time when moving between servers. This technique is commonly used by system administrators as it allows them to easily move between servers without constantly having to provide a password. It is also frequently found in universities and research institutions for accessing the variety of computing resources that researchers need in their work.

    Open a terminal and run the following command; it starts the agent and prints its PID:

    pbmac@pbmac-server $ eval `ssh-agent`
    Agent pid 78932

    Now that the ssh-agent is running, load your private key into it by running ssh-add and entering the key's passphrase. For example:

    pbmac@pbmac-server $ ssh-add
    Enter passphrase for /home/pbmac/.ssh/id_ed9923
    Identity added: /home/pbmac/.ssh/id_ed9923 (pbmac@pbmac_server)

    The /etc/ssh/sshd_config File

    First, make a backup of the sshd_config file by copying it to your home directory, or by making a read-only copy in /etc/ssh:

    pbmac@pbmac-server $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults
    pbmac@pbmac-server $ sudo chmod a-w /etc/ssh/sshd_config.factory-defaults

    Creating a read-only backup in /etc/ssh means you'll always be able to find a known-good configuration when you need it.

    Once you've backed up your sshd_config file, you can make changes with any text editor, for example:

    pbmac@pbmac-server $ sudo gedit /etc/ssh/sshd_config

    Depending on the Linux distribution, the available editors differ, and so does the command used to restart the SSH service so that the changes take effect:

    # Debian / Ubuntu
    pbmac@pbmac-server $ sudo service ssh restart
    
    # Red Hat / Fedora / CentOS
    pbmac@pbmac-server $ sudo systemctl restart sshd
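    Before restarting sshd it is worth checking what the edited file will actually do. Two sshd_config rules trip people up: sshd uses the first occurrence of a keyword and silently ignores later duplicates, and anything after a Match line applies only to that match. The following Python example, added here and not part of the original page or of OpenSSH, parses a constructed sshd_config with those rules, reports settings weaker than a small hardening baseline, and writes a hardened copy in which the weak values are replaced, duplicates are commented out, and missing keywords are inserted before the first Match block. The baseline values and the compiled-in defaults it assumes are the example's own (taken from sshd_config(5) for recent OpenSSH), not from the page.

```python
import re

# Hardening baseline assumed for this example (a common recommendation, not from the page).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
}
# What sshd assumes when the keyword is absent (per sshd_config(5), recent OpenSSH).
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PubkeyAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
}
CANONICAL = {k.lower(): k for k in BASELINE}
_LINE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")  # 'Keyword value' or 'Keyword=value'

# Constructed sample sshd_config, not a real host's file.
SAMPLE_WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # ignored by sshd: the first occurrence wins
X11Forwarding yes
Match User backup
    PasswordAuthentication yes
"""


def _keyword_value(raw):
    """Strip comments and split one line; returns (keyword_lower, value) or (None, None)."""
    stripped = raw.split("#", 1)[0].strip()
    m = _LINE.match(stripped)
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2).strip()


def parse_sshd_config(text):
    """Effective global settings. sshd honours the FIRST occurrence of a keyword and
    ignores later duplicates; lines after 'Match' are conditional and skipped here."""
    settings = {}
    for raw in text.splitlines():
        key, value = _keyword_value(raw)
        if key is None:
            continue
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return [(Keyword, effective_value, recommended)] for every BASELINE keyword
    whose effective value (explicit or default) differs from the baseline."""
    effective = parse_sshd_config(text)
    findings = []
    for name, want in BASELINE.items():
        have = effective.get(name.lower(), DEFAULTS[name]).lower()
        if have != want:
            findings.append((name, have, want))
    return findings


def harden_sshd_config(text):
    """Rewrite the first occurrence of each BASELINE keyword, comment out later
    duplicates (so first-wins cannot resurrect a weak value) and insert missing
    keywords before the first Match block, where they would otherwise be conditional."""
    out, seen, match_at = [], set(), None
    for raw in text.splitlines():
        key, _ = _keyword_value(raw)
        if key == "match" and match_at is None:
            match_at = len(out)
        if match_at is None and key in CANONICAL:
            if key in seen:
                out.append(f"# disabled duplicate: {raw}")
            else:
                out.append(f"{CANONICAL[key]} {BASELINE[CANONICAL[key]]}")
                seen.add(key)
            continue
        out.append(raw)
    additions = [f"{name} {want}" for name, want in BASELINE.items() if name.lower() not in seen]
    if match_at is None:
        out.extend(additions)
    else:
        out[match_at:match_at] = additions
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, have, want in audit_sshd_config(SAMPLE_WEAK):
        print(f"{name}: is {have}, recommended {want}")
    print(harden_sshd_config(SAMPLE_WEAK))
```

    The audit reports PermitRootLogin, PasswordAuthentication and X11Forwarding for the sample; PubkeyAuthentication and PermitEmptyPasswords pass on their defaults even though the file never mentions them. Run sshd -t against the real file after editing, since this example does not validate keywords it does not know about.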
    

    TCP Wrappers

    TCP Wrapper is a host-based networking access control list (ACL) mechanism used to filter network access to services on a host. It makes use of two files, /etc/hosts.allow and /etc/hosts.deny. This allows you to grant or deny access to a specific host by making edits to the appropriate file. The hosts.allow file is consulted first and takes precedence over the hosts.deny file.

    To restrict SSH access to the server, the hosts.deny file would be configured as:

    ALL : ALL
    

    which denies access to all services from all sources. The hosts.allow file would then contain the allowable parameters.

    sshd : 192.168.
    sshd : .example.com
    

    The first line allows any host whose IP address begins with 192.168., which is a private address range, so we know these are local systems. In the second line, the leading period before example.com allows any host in the example.com domain.
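    The following Python example, added here and not part of the original page or of the tcp_wrappers library, models the evaluation order and the two pattern forms just described so that a proposed hosts.allow/hosts.deny pair can be checked against sample clients before it is deployed: ALL, a trailing-dot address prefix such as 192.168., a leading-dot domain suffix such as .example.com, and an exact host name or address. The file contents are the ones from the text; the client names and addresses are constructed. Netmask patterns, EXCEPT lists and the KNOWN/UNKNOWN keywords of the real hosts_access(5) syntax are deliberately left out.

```python
import re

# The hosts.deny and hosts.allow contents from the text above (constructed strings).
HOSTS_DENY = "ALL : ALL\n"
HOSTS_ALLOW = "sshd : 192.168.\nsshd : .example.com\n"


def _client_matches(pattern, client_host, client_ip):
    """One client pattern: ALL, a trailing-dot IP prefix ('192.168.'), a leading-dot
    domain suffix ('.example.com'), or an exact host name or address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    if pattern.startswith("."):
        return client_host.endswith(pattern)
    return pattern in (client_host, client_ip)


def _parse_rules(text):
    """Yield (daemons, clients) from a hosts.allow or hosts.deny body. Fields are
    colon-separated; list items may be separated by spaces or commas; a third
    field (a shell command) is ignored in this simplified model."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        daemons = [d for d in re.split(r"[\s,]+", fields[0]) if d]
        clients = [c for c in re.split(r"[\s,]+", fields[1]) if c] if len(fields) > 1 else []
        yield daemons, clients


def _file_matches(text, daemon, client_host, client_ip):
    """True if any rule in the file matches both the daemon and the client."""
    for daemons, clients in _parse_rules(text):
        daemon_ok = any(d in ("ALL", daemon) for d in daemons)
        client_ok = any(_client_matches(c, client_host, client_ip) for c in clients)
        if daemon_ok and client_ok:
            return True
    return False


def tcp_wrapper_decision(hosts_allow, hosts_deny, daemon, client_host, client_ip):
    """Evaluation order from hosts_access(5): a match in hosts.allow grants access,
    otherwise a match in hosts.deny refuses it, otherwise access is granted (a
    client matching neither file is not blocked)."""
    if _file_matches(hosts_allow, daemon, client_host, client_ip):
        return "allow"
    if _file_matches(hosts_deny, daemon, client_host, client_ip):
        return "deny"
    return "allow"


if __name__ == "__main__":
    # Constructed sample clients; 203.0.113.0/24 is the TEST-NET-3 documentation range.
    for daemon, host, ip in [
        ("sshd", "pc1.lan", "192.168.1.20"),          # allow: private-range prefix
        ("sshd", "dev.example.com", "203.0.113.7"),   # allow: domain suffix
        ("sshd", "box.example.org", "203.0.113.9"),   # deny: falls through to ALL : ALL
        ("vsftpd", "pc1.lan", "192.168.1.20"),        # deny: hosts.allow only lists sshd
    ]:
        print(daemon, host, ip, "->", tcp_wrapper_decision(HOSTS_ALLOW, HOSTS_DENY, daemon, host, ip))
```

    Two points the model makes visible: without the ALL : ALL line in hosts.deny the default is to allow, so hosts.allow alone restricts nothing; and the domain-suffix form depends on reverse DNS for the connecting address, which the remote side's DNS operator controls, so the address-prefix form is the stronger of the two. Note also that upstream OpenSSH removed its tcp_wrappers (libwrap) support in version 6.7, so whether a given distribution's sshd still consults these files depends on how it was built.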

    Adapted from
    "Identity management" by Multiple Contributors, Wikipedia, is licensed under CC BY-SA 3.0
    "Secure Shell Protocol" by Multiple Contributors, Wikipedia, is licensed under CC BY-SA 3.0
    "SSH/OpenSSH/Configuring" by kaddidle, Ubuntu Community Help Wiki, is licensed under CC BY-SA 4.0


    12-B.5: Identity and Access Management is shared under a CC BY-SA 4.0 license and was authored, remixed, and/or curated by LibreTexts.
