Authentication on UNIX Platforms

Most native authentication services on UNIX platforms offer multiple configuration options. The simplest form of native authentication on UNIX platforms is the local password file (usually /etc/passwd), which contains passwords encrypted with a one-way function. Although the passwords cannot be decrypted, the file is readable by all users of the system and is therefore susceptible to dictionary-based password cracking attempts.

The simplest alternative to the local password file is password shadowing. Systems that use NIS/yp or password shadowing replace each encrypted password in /etc/passwd with a special token and store the passwords in a separate file that normal system users cannot read.
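As an added illustration (not part of the original documentation), the following Python audit parses /etc/passwd-format text and flags the accounts whose password field still holds a hash, or no password at all, instead of a shadow token; the sample lines are constructed.

```python
"""Audit /etc/passwd-format text for password hashes that are visible to every user."""

# Tokens that mean no usable hash is stored in /etc/passwd itself: the account is
# shadowed or locked, so the world-readable file reveals nothing crackable.
SHADOW_TOKENS = {"x", "*", "!", "!!", "*NP*", "*LK*"}

# Constructed sample: a shadowed root entry, an exposed MD5-crypt style hash, an
# account with no password, a locked account and an NIS compatibility entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
emsrv:$1$saltsalt$abcdefghijklmnopqrstuv:1001:1001:EMSRV:/opt/IBMvast:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
locked:!!:1003:1003:Locked:/home/locked:/bin/false
+::::::
"""


def classify_password_field(field):
    """Return 'shadowed', 'empty' or 'exposed' for one passwd password field."""
    if field in SHADOW_TOKENS:
        return "shadowed"
    if field == "":
        return "empty"      # no password at all: the account can be used without one
    return "exposed"        # a real hash sits in the world-readable file


def audit_passwd(text):
    """Parse passwd lines and return [(user, verdict)] for entries needing attention."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed"))
            continue
        user, password = fields[0], fields[1]
        if user.startswith(("+", "-")):
            continue            # NIS/yp compatibility entry, not a local account
        verdict = classify_password_field(password)
        if verdict != "shadowed":
            findings.append((user, verdict))
    return findings
```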
Previous releases of EMSRV for UNIX platforms supported local password files and shadow passwords by using two separate EMSRV executables: emsrv and emsrv.shadow. This was necessary because each authentication system uses a different programming interface.

Recent releases of most UNIX platforms now offer a single authentication programming interface that can support both of the aforementioned authentication systems as well as many others. The most well-known of these authentication frameworks is PAM (Pluggable Authentication Modules). PAM was developed by Sun Microsystems and is now supported by, and ships as part of, Solaris, Linux, and HP-UX. Although there is no PAM implementation included with AIX, IBM offers a similar authenticate() function that can be used to authenticate users using local password files, shadow passwords, and DCE authentication.

A single authentication programming interface makes it possible for one EMSRV executable to use a variety of authentication systems. For this reason, there is no longer an emsrv.shadow available on some UNIX platforms. In such cases, the emsrv executable can be used to authenticate using shadow passwords and, potentially, other forms of authentication as well.
Where EMSRV uses an authentication framework such as PAM, the authentication system used by EMSRV, and its exact configuration, are determined by the environment. For example, EMSRV for Linux uses PAM and therefore requires the file /etc/pam.d/emsrv to be present and to specify the PAM modules used by EMSRV.

PAM

On Linux and Solaris platforms, authentication is implemented using PAM (Pluggable Authentication Modules). Although this would theoretically allow the use of any PAM modules with EMSRV by changing the relevant PAM configuration file, in practice this is not possible.

EMSRV does not converse with clients in a manner that is entirely compatible with the PAM architecture. As a result, EMSRV authentication will only work where the module prompts initially for a text password (supplied initially by the client). The tested and certified authentication methods meet this requirement, as will most PAM modules. Sophisticated modules that require an extended conversation, or authentication data that EMSRV does not support, will not work correctly with EMSRV. Fingerprint scanners and retina scanners are examples of such modules.
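The constraint above can be shown with a small Python model, added here and not taken from EMSRV or any PAM implementation: the conversation callback can answer only the first hidden password prompt, so a module that asks for anything further gets PAM_CONV_ERR. The message styles and return codes are the Linux-PAM values; the two modules are stand-ins written for this example.

```python
"""Model of the one-shot PAM conversation that a client like EMSRV can satisfy."""

# Linux-PAM message styles and return codes (values from _pam_types.h).
PAM_PROMPT_ECHO_OFF = 1   # hidden-input prompt, e.g. "Password: "
PAM_PROMPT_ECHO_ON = 2    # visible-input prompt, e.g. a token serial number
PAM_ERROR_MSG = 3
PAM_TEXT_INFO = 4
PAM_SUCCESS = 0
PAM_AUTH_ERR = 7
PAM_CONV_ERR = 19


def make_one_shot_conv(password):
    """Build a conv() callback that answers exactly one hidden prompt with the
    password the client already supplied and refuses any further dialogue."""
    state = {"answered": False}

    def conv(messages):
        responses = []
        for style, _prompt in messages:
            if style in (PAM_TEXT_INFO, PAM_ERROR_MSG):
                responses.append(None)          # informational, no reply expected
            elif style == PAM_PROMPT_ECHO_OFF and not state["answered"]:
                state["answered"] = True
                responses.append(password)      # the initial text password
            else:
                return PAM_CONV_ERR, []         # extended conversation: unsupported
        return PAM_SUCCESS, responses

    return conv


def password_module(conv, expected):
    """Stand-in for a module such as pam_unix: a single hidden password prompt."""
    rc, replies = conv([(PAM_PROMPT_ECHO_OFF, "Password: ")])
    if rc != PAM_SUCCESS:
        return rc
    return PAM_SUCCESS if replies[0] == expected else PAM_AUTH_ERR


def two_step_module(conv, expected, token):
    """Stand-in for a module that wants a password and then a second factor."""
    rc = password_module(conv, expected)
    if rc != PAM_SUCCESS:
        return rc
    rc, replies = conv([(PAM_PROMPT_ECHO_ON, "Token code: ")])
    if rc != PAM_SUCCESS:
        return rc                               # a one-shot client fails here
    return PAM_SUCCESS if replies[0] == token else PAM_AUTH_ERR
```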
Authentication on AIX platform

EMSRV for AIX now supports authentication using the system authenticate() function. This allows one EMSRV executable to support both shadowed and non-shadowed passwords in addition to DCE authentication.

The authentication method for each user is set in the /etc/security/user file.
Authentication on HP-UX platforms

EMSRV for HP-UX continues to implement authentication using two separate EMSRV executables. Although HP-UX 11.0 supports PAM, there is a bug in the implementation that is identical to the bug in the Solaris 2.6 implementation of PAM, described in the Solaris section below. To date, Hewlett-Packard does not have a patch to correct this problem.
Authentication on Linux platforms

EMSRV for Linux now supports authentication using PAM. This allows both shadowed and non-shadowed passwords to be supported with one EMSRV executable.

In addition, Red Hat Linux 6.2 supports MD5 passwords, and EMSRV also supports these via PAM.

PAM must be correctly configured on a machine running EMSRV; otherwise it will not even be possible to shut down EMSRV using EMADMIN. The PAM configuration file must be copied to /etc/pam.d/emsrv. A sample PAM configuration file is included with this release (see /opt/IBMvast/5.5/samples/PAM).
Authentication on Solaris platforms

EMSRV for Solaris now supports authentication using PAM. This allows both shadowed and non-shadowed passwords to be supported with one EMSRV executable.

There is a bug in the Solaris 2.6 implementation of PAM that prevents EMSRV from working correctly. The patch 106257-05 must be applied when using EMSRV with Solaris 2.6. The patch is available at:

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fpatches%F106257&zone_32=PAM
The specific bug that this patch fixes is:

4092227 pam_conv appdata_ptr member is not passed thru to conv() function as documented

The patch is not required for Solaris 7.0.

PAM must be correctly configured on a machine running EMSRV; otherwise it will not even be possible to shut down EMSRV using EMADMIN. The /etc/pam.conf file is included with this release (see /opt/IBMvast/5.5/samples/PAM).

Usage of Root Access for Authentication

Root access on UNIX platforms is required to authenticate users. EMSRV does NOT need to be started by the root user to accomplish this. Doing so would compromise security, as EMSRV would then have complete access to all filesystems.

Instead, you should change the owner of the EMSRV executable to 'root' and set the SUID bit of the executable. This can be accomplished as follows:

chown root emsrv
chmod u+s emsrv

When EMSRV attempts to authenticate a user, it temporarily changes the authority of the running EMSRV process to that of the owner of the executable. Once authentication is complete, the authority of the running EMSRV process is changed back to that of the user that started EMSRV. This happens on a per-process (per-client) basis, so while a client is being authenticated, only the process serving that client has temporary root access.

Root access for authentication is required regardless of how EMSRV actually implements authentication. Interfaces such as PAM only provide a common API that permits applications to support multiple authentication methods; the configuration specific to each method of authentication must still be correct.
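The following Python fragment, added here as an illustration rather than EMSRV's own code, checks that an executable matches the chown/chmod setup above and brackets a privileged call the way the text describes, restoring the invoking user's authority afterwards. The fake_stat helper is constructed for demonstration only.

```python
"""Check the chown root / chmod u+s setup of an executable and bracket a
privileged call so that root authority is held only during authentication."""
import os
import stat

# Recorded at startup. For a root-owned SUID executable the effective uid is 0
# here while the real uid is that of the user who started the process. Dropping
# to the real uid keeps the process unprivileged until authentication needs root.
OWNER_UID = os.geteuid()
INVOKER_UID = os.getuid()
os.seteuid(INVOKER_UID)


def suid_root_problems(st):
    """Reasons why a stat result does not describe a root-owned SUID executable;
    an empty list means the setup matches chown root + chmod u+s."""
    problems = []
    if st.st_uid != 0:
        problems.append("not owned by root")
    if not st.st_mode & stat.S_ISUID:
        problems.append("SUID bit not set")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable: anyone could replace the privileged binary")
    return problems


def fake_stat(mode, uid):
    """Constructed stat result for demonstration; use os.stat(path) on a real system."""
    return os.stat_result((mode, 1, 1, 1, uid, 0, 0, 0, 0, 0))


def with_owner_privilege(check):
    """Run check() with the executable owner's authority and restore the invoking
    user's authority afterwards, even if check() raises."""
    os.seteuid(OWNER_UID)
    try:
        return check()
    finally:
        os.seteuid(INVOKER_UID)


def privilege_restored():
    """True when the process is back to the invoking user's authority."""
    return os.geteuid() == INVOKER_UID
```

When the script itself is not SUID, the real and effective uids are already equal, so the bracket is a no-op and the checks still pass.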