Local Authentication
The local authentication provider is the software architecture and code that underpins the mechanism by which the user is authenticated before starting a shell.
- one of the most important features of an OS
- usually described as a:
  - login (Linux)
  - logon
  - sign-in (Microsoft)
- knowledge-based authentication is the default authentication provider for most OSs
- relies on cryptographic hashes
  - a hash is a function that converts any string to a unique, fixed-length code
  - it should be impossible to convert the code back to plaintext (one-way)
- a password is not transmitted or stored as plaintext
  - risk of compromise
  - instead, it is stored as a cryptographic hash
- when a user enters a password to log in:
  - an authenticator converts what is typed into a hash
  - transmits it to an authority
  - the authority compares the submitted hash to the one in the database
  - authenticates the subject only if they match
Windows Authentication
- Windows authentication involves a complex architecture of components
- three scenarios are typical:
  - Windows local sign-in
    - referred to as interactive logon
    - the Local Security Authority Subsystem Service (LSASS) compares the submitted credential to a hash stored in the Security Accounts Manager (SAM) database
      - SAM is part of the registry
  - Windows network sign-in
    - LSASS passes the credentials for authentication to an Active Directory domain controller
    - the preferred system for network authentication is based on Kerberos
    - legacy network applications might use NT LAN Manager (NTLM) authentication
  - Remote sign-in
    - if the user's device is not connected to the local network, authentication can take place over:
      - VPN
      - enterprise Wi-Fi
      - web portal
    - these use protocols to create a secure connection between the:
      - client machine
      - remote access device
      - authentication server
Linux Authentication
- in Linux, local user account names are stored in /etc/passwd
- when a user logs into a local interactive shell, the password is checked against a hash stored in /etc/shadow
- interactive login over the network is typically accomplished using Secure Shell (SSH)
  - the user can authenticate using cryptographic keys instead of a password
Pluggable Authentication Modules (PAM) is a package for enabling different authentication providers.
- e.g., smart card login
- the PAM framework can be used to implement authentication to network servers
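As an added example (not code from these notes or from any OS), here is the hash-then-compare login flow described above, run against a constructed database in /etc/shadow layout: the authenticator hashes what was typed, the authority compares digests and refuses locked or expired accounts. The `$pbkdf2-sha256$...` hash scheme is an assumption standing in for the crypt(3) `$6$` sha512-crypt entries a real Linux system holds, and the names `make_hash`, `parse_shadow_line` and `verify` are mine.

```python
import base64
import hashlib
import hmac

ROUNDS = 100_000  # work factor; assumed, real sha512-crypt defaults to 5000 rounds

def make_hash(password, salt, rounds=ROUNDS):
    """Authenticator side: derive the value stored instead of the plaintext (assumed scheme)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        rounds, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

SHADOW_FIELDS = ["name", "hash", "lastchange", "min", "max", "warn", "inactive", "expire", "reserved"]

def parse_shadow_line(line):
    """Split one /etc/shadow entry into its nine colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(SHADOW_FIELDS):
        raise ValueError("malformed shadow entry: %r" % line)
    return dict(zip(SHADOW_FIELDS, fields))

def verify(shadow_lines, username, password, today_days):
    """Authority side: look the user up, refuse locked/expired accounts, re-hash and compare."""
    for line in shadow_lines:
        entry = parse_shadow_line(line)
        if entry["name"] != username:
            continue
        stored = entry["hash"]
        # an empty hash field or a "!" / "*" prefix means no password login is possible
        if not stored or stored[0] in "!*":
            return False
        # expire is the day (days since the epoch) from which the account is disabled
        if entry["expire"] and today_days >= int(entry["expire"]):
            return False
        scheme, rounds, salt_b64, _digest = stored.lstrip("$").split("$")
        if scheme != "pbkdf2-sha256":
            return False  # unsupported hash scheme
        candidate = make_hash(password, base64.b64decode(salt_b64), int(rounds))
        # constant-time comparison: the check itself must not leak the stored hash
        return hmac.compare_digest(candidate, stored)
    return False  # unknown user: fail closed

# Constructed sample database in /etc/shadow layout (not taken from any real system):
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SHADOW_DB = [
    "alice:" + make_hash("correct horse battery staple", b"\x01" * 16) + ":19700:0:99999:7:::",
    "bob:!" + make_hash("hunter2", b"\x02" * 16) + ":19700:0:99999:7:::",      # locked with "!"
    "carol:" + make_hash("s3cret", b"\x03" * 16) + ":19700:0:99999:7::19800:",  # expires day 19800
]
```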