12. Security topics. Part 1: password security.¶
Outline of the password security:
Vectors of attack review
Passwords and encryption types
Password cracking exercise
Pluggable Authentication Module (PAM)
Password complexity and policy settings
Two factor authentication (TFA)
12.1. Examples of how systems get compromised.¶
Cracked, stollen and sniffed passwords
SSH client with a sniffer on a multi-user system: reads user name, password and the destination host.
SSH brute force attack guesses user credentials.
Accounts with empty passwords and root privileges
World writable files and directories can be used for planting trojans.
SETUID and SETGID executables
Trojans
Stack overflow attacks on vulnerable services
Worms
12.2. Linux passwords.¶
On a local system, passwords are stored in file /etc/shadow
:
mike:$6$A0NKorlZ$l3YhLlm/Y1n2BW0YBiryNl5cS6vx5k.4j4LE/vb5FUOnD.uVXkiUA1kPSHLo5/6q5MzEJTal1OY1OiE4ReSpK0:17317:0:99999:7:::
The second field consits of 3 parts: the hashing algorithm, \(6\), the salt \(A0NKorlZ\), and the hashing function, crypt, value of (password,salt) parameters,
l3YhLlm/Y1n2BW0YBiryNl5cS6vx5k.4j4LE/vb5FUOnD.uVXkiUA1kPSHLo5/6q5MzEJTal1OY1OiE4ReSpK0
The password hash is generated by function crypt. From the output of man crypt we see the hash structure components:
$id$salt$encrypted
The following values of id are supported:
ID | Method
-----------------------------------------------------
1 | MD5
2a | Blowfish (not in mainline glibc; added in some
| Linux distributions)
5 | SHA-256 (since glibc 2.7)
6 | SHA-512 (since glibc 2.7)
So $5$salt$encrypted
is an SHA-256 encoded password and
$6$salt$encrypted
is an SHA-512 encoded one.
12.3. MD5 and SHA512 Encryption algorithms.¶
The crypt algorithms are the one way function. There is no reverse function to derive the original password from its hash.
md5-crypt can be divided into three phases. Initialization, loop, and finalization:
1. Generate a simple md5 hash based on the salt and password 2. Loop 1000 times, calculating a new md5 hash based on the previous hash concatenated with alternating the password and the salt. 3. Use a special base64 encoding on the final hash to create the password hash string
sha512-crypt allows to specify a custom number of rounds, from 1000 to 999999999. the default is 5000.
12.4. mkpasswd installation (Exercise).¶
Start kvm1, login to the console, and create shell script reset_machine_id.sh
in the home directory of hostadm with the following content:
reset_machine_id.sh:
#!/bin/bash
rm -f /etc/machine-id
rm /var/lib/dbus/machine-id
dbus-uuidgen --ensure=/etc/machine-id
dbus-uuidgen --ensure
dhclient -r ens3
Make the script executable:
chmod a+x reset_machine_id.sh
Logout from the console, and shutdown kvm1:
virsh shutdown kvm1
Clone your kvm1 virtual machine into a new VM, cryptvm.
virsh shutdown kvm1
virt-clone -o kvm1 -n cryptvm -f /home/hostadm/KVM/cryptvm.qcow2
Start cryptvm and login to its console:
virsh start cryptvm
virsh console cryptvm
Fix the hostname in /etc/hostname
and Reset the machine ID by running the script:
./reset_machine_id.sh
Reboot the VM.
On the desktop, enter the IP address of cryptvm in /etc/hosts
file to reslove its host name.
Install whois package on cryptvm
:
apt-get install whois
The package contains command mkpasswd. To see what encryption algorithms are supported, run command below:
mkpasswd -m help
12.5. User password with different encryptions (Exercise).¶
On cryptvm
, create user accounts mike1, mike2, mike3, mike4
:
useradd -m -s /bin/bash -d /home/mike1 mike1
useradd -m -s /bin/bash -d /home/mike2 mike2
useradd -m -s /bin/bash -d /home/mike3 mike3
useradd -m -s /bin/bash -d /home/mike4 mike4
By using command mkpasswd
on cryptvm
create passwords for each user with the different encryption algorithm:
mkpasswd --method=des mike1
mkpasswd --method=md5 --salt=b1b2b3b4 mike2
mkpasswd --method=sha-256 --salt=b1b2b3b4 mike3
mkpasswd --method=sha-512 --salt=b1b2b3b4 mike4
Copy the hashes into the user accounts on cryptvm.
To see thelast 4 the entries in /etc/shadow
tail -4 /etc/shadow
They should look as follows:
mike1:WsjrhMNZ2uDQ6:17343:0:99999:7:::
mike2:$1$b1b2b3b4$.DXYwTXqggiphS7Cf/1Xs/:17343:0:99999:7:::
mike3:$5$b1b2b3b4$KR9Cw68GDJqOh8AHoYjzBj0NPBfZqSrK6Ys2Ylw5OL0:17343:0:99999:7:::
mike4:$6$b1b2b3b4$03/.yg7J/ZdMZk8HdieyVOYKM6S9vToVo1QZyT5j1MZ3PDl4uISxwb.Cq9lHDdgxZHpUxumfe.fYSrDb8m9Al.:17343:0:99999:7:::
From the desktop, ssh to cryptvm
as users mike1, mike2, mike3, mike4
and make sure their passwords work:
ssh mike1@cryptvm
ssh mike2@cryptvm
ssh mike3@cryptvm
ssh mike4@cryptvm
12.6. Cracking passwords with John the Ripper (Exercise).¶
On cryptvm, install John the Ripper:
apt-get install john
mkdir john
cd john
Copy the hash entries from /etc/shadow
:
tail -4 /etc/shadow > passwd.txt
Crack DES passwords (default):
john passwd.txt #this cracks password
john --show passwd.txt #this shows the cracked passwords
Crack MD5 passwords:
john --format=md5crypt passwd.txt #this cracks password
john --show passwd.txt #this shows the cracked passwords
They should look as follows:
mike1:mike1:17343:0:99999:7:::
mike2:mike2:17343:0:99999:7:::
2 password hashes cracked, 2 left
Note, John the Ripper can’t handle advanced encryption algorithms, SHA-256 and SHA-512.
12.7. Pluggable Authentication Module (PAM).¶
All the PAM configuration files are located in directory /etc/pam.d
.
Every application or service that uses PAM has its own config file there. Their entries consist of four columns:
module type |
control flag |
module path |
argument |
---|
Module types
auth |
account |
session |
password |
---|---|---|---|
Authenticates a user |
Restricts or permits access when certain conditions on the account are met |
Some operations on the user environment at login and/or loogout |
Needed when updating a user password |
The control flag specifies how PAM reacts on success or failure of the module.
required |
requisite |
sufficient |
optional |
---|---|---|---|
Success of the module is required. If fails, doesn’t exit until the other modules in the list are checked |
Similar to required, but exits if the module fails |
Exits if the module succeds |
the success or failure of this module is only important if it is the only module in the stack associated with this service type. |
Example
/etc/pam.d/sshd
:
/etc/pam.d/sshd:
#Set correct type settings
auth required pam_env.so envfile=/etc/default/locale
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Standard Un*x authorization.
@include common-account
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
session optional pam_motd.so # [1]
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Standard Un*x password updating.
@include common-password
12.8. Two factor authentication (Exercise).¶
Using even a relatively strong password on a critical system may not be sufficient, especially, for remote access. Two-factor authentication, configurable through PAM, is desirable.
Install the prerequisite packages to build the Google authenticator:
apt-get install make gcc libpam0g-dev autoconf libtool git
Download the source code:
git clone https://github.com/google/google-authenticator-libpam
Compile the PAM module:
cd google-authenticator-libpam
./bootstrap.sh
./configure
make
sudo make install
The entry in the SSH PAM config file, /etc/pam.d/sshd
, should contain the full path to the google authenticator library, /usr/local/lib/security/pam_google_authenticator.so
, namely:
/etc/pam.d/sshd:
auth required /usr/local/lib/security/pam_google_authenticator.so
Edit file /etc/ssh/sshd_config
and set
ChallengeResponseAuthentication yes
Restart ssh:
systemctl restart ssh
Configure the google authenticator by running command as user hostadm:
google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Your new secret key is: 5G3KY2FPHDHF2GGY7MLQP6I4PA - save the key. It will be needed for configuring the App.
Do you want me to update your "/home/hostadm/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication token? (y/n) y
This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) y
Do you want to enable rate-limiting? (y/n) n
The ownership of file .google_authenticator
in the home directory of hostadm should be hostadm:
sudo chown hostadm:hostadm /home/hostadm/.google_authenticator
Install Google Authenticator plugin in the Firefox on your desktop by navigating at
https://addons.mozilla.org/en-US/firefox/addon/auth-helper/
Configure the plugin: click on Edit, +, Secret, then use the secret key that you got during the configuration of the google authenticator on the VM.
Try ssh to cryptvm
from the desktop as hostadm and use both the password and the code shown up in the applet.
12.9. References on password security¶
Password hashing with MD5-crypt in relation to MD5
Implementation of SHA512-crypt vs MD5-crypt
How are passwords stored in Linux (Understanding hashing with shadow utils)
How To Set Password Policies In Linux
How To Force Users To Use Strong Passwords In Debian, Ubuntu
Securing SSH with two factor authentication using Google Authenticator