Most native authentication services on UNIX platforms offer multiple options for configuration. The simplest form of native authentication on UNIX platforms is the local password file (usually /etc/passwd), which contains passwords encrypted with a one-way encryption function. Although the passwords cannot be decrypted, the file is readable by all users of the system and therefore susceptible to dictionary-based password cracking attempts.

The simplest alternative to the local password file is password shadowing. On systems that use NIS/yp or password shadowing, each encrypted password in the /etc/passwd file is replaced with a special token, and the passwords are stored in a separate file that is not readable by normal system users.

Previous releases of EMSRV for UNIX platforms supported local password files and shadow passwords by using two separate EMSRV executables: emsrv and emsrv.shadow. This was necessary because each authentication system uses a different programming interface.

Recent releases of most UNIX platforms now offer a single authentication programming interface that can support both of the aforementioned authentication systems as well as many others. The most well-known of these authentication frameworks is PAM (password Authentication Modules). PAM was developed by Sun Microsystems and is now supported by and ships as part of Solaris and Linux. Although there is no PAM implementation included with AIX, IBM offers a similar authenticate() function that can be used to authenticate users using local password files, shadow passwords, and DCE authentication.

A single authentication programming interface makes it possible for one EMSRV executable to use a variety of authentication systems. For this reason, there is no longer an emsrv.shadow available on UNIX platforms. In such cases, the emsrv executable can be used to authenticate using shadow passwords and, potentially, other forms of authentication as well.

Where EMSRV uses an authentication framework such as PAM, the authentication system used by EMSRV and its exact configuration are determined by the environment. For example, EMSRV for Linux uses PAM and, therefore, requires the file /etc/pam.d/emsrv to be present and to specify the PAM module used by EMSRV.

EMSRV for AIX now supports authentication using the system authenticate() function. This allows one EMSRV executable to support both shadowed and non-shadowed passwords in addition to DCE authentication. The authentication method for each user is set in the /etc/security/user file.

PAM must be correctly configured on a machine running EMSRV; otherwise it will not even be possible to shut down EMSRV using EMADMIN. The PAM configuration file must be copied to /etc/pam.d/emsrv. A sample PAM configuration file is included with this release (see /usr/local/VASmalltalk/9.0/samples/PAM). The /etc/pam.conf file is included with this release (see /usr/local/VASmalltalk/9.0/samples/PAM).
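The following pre-flight check is an added example, not part of the EMSRV distribution: it reports accounts whose hash is still exposed in a passwd file, confirms that the shadow file is not world-readable, and confirms that a PAM service file for emsrv exists with an auth rule. The function names, the sample accounts and the pam_unix.so rule are assumptions made for illustration; the sample configuration shipped with the release may differ.

```shell
#!/bin/sh
# Added example (not shipped with EMSRV): pre-flight checks for the
# conditions the text describes. All paths are arguments, so the checks
# can be pointed at copies instead of the live files.

# Accounts whose passwd field 2 still holds a hash rather than a
# shadow token ("x" on Linux/Solaris, "!" on AIX, "*" for no login).
exposed_hashes() {
    awk -F: '$2 != "" && $2 !~ /^(x|\*|!+)$/ { print $1 }' "$1"
}

# Succeeds only if the file exists and grants no read access to "other".
shadow_not_world_readable() {
    [ -e "$1" ] && [ -z "$(find "$1" -prune -perm -004)" ]
}

# 0 = service file has an auth rule, 1 = file missing, 2 = no auth rule.
pam_service_ok() {
    f="$1/$2"
    [ -r "$f" ] || return 1
    # Accept "auth ..." rules and Debian-style "@include" lines.
    grep -Eq '^[[:space:]]*(-?auth[[:space:]]|@include[[:space:]])' "$f" || return 2
}

# Constructed sample data: one unshadowed account (bob) and one PAM
# service file. The hash string and the pam_unix.so rule are placeholders.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/pam.d"
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:!:1001:100::/home/alice:/bin/sh
bob:CONSTRUCTED0HASH:1002:100::/home/bob:/bin/sh
nobody:*:65534:65534::/:/bin/false
EOF
    : > "$d/shadow"; chmod 640 "$d/shadow"
    printf 'auth required pam_unix.so\naccount required pam_unix.so\n' > "$d/pam.d/emsrv"
    echo "$d"
}

d=$(make_sample)
echo "unshadowed accounts: $(exposed_hashes "$d/passwd")"
shadow_not_world_readable "$d/shadow" && echo "shadow file: not world-readable"
pam_service_ok "$d/pam.d" emsrv && echo "PAM service emsrv: auth rule present"
rm -rf "$d"
```

On a real host the same functions can be called with /etc/passwd, the platform's shadow file and /etc/pam.d as arguments.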