Authentication System Migration

Configuring the system for testing

Before we switch to the user management offered by RSBAC, we should make sure that it is working. The safest way to do this is to run the two systems in parallel: the Unix files stay authoritative, and RSBAC is consulted alongside them.

Open the System Databases and Name Service Switch configuration file

lisa nano -w /etc/nsswitch.conf

and change the passwd, shadow and group lines to the following:

/etc/nsswitch.conf
passwd:      compat rsbac [NOTFOUND=continue SUCCESS=continue]
shadow:      compat rsbac
group:       compat rsbac [NOTFOUND=continue SUCCESS=continue]

You will also need to edit the Pluggable Authentication Modules System Authentication configuration file

lisa nano -w /etc/pam.d/system-auth

and add the following lines above the existing entries.

/etc/pam.d/system-auth
auth       sufficient   pam_rsbac.so
account    sufficient   pam_rsbac.so
password   sufficient   pam_rsbac.so
session    sufficient   pam_rsbac.so

Because each entry is marked sufficient, a successful result from pam_rsbac.so ends that stack immediately, while a failure simply falls through to the existing Unix entries below it. The RSBAC module therefore handles every authentication-related task it can, and the standard Unix implementation remains as the fallback.
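
The two edits above, scripted so they can be rehearsed against copies of the files before touching /etc (an added example, not part of the original guide). The function names, the idempotency guard in pam_parallel and the nss_has_fallback check are this example's own; on the host the paths would be /etc/nsswitch.conf and /etc/pam.d/system-auth.

```shell
#!/bin/sh
# Added example: put nsswitch.conf and system-auth into the parallel
# (compat + rsbac) configuration and verify the Unix fallback is intact.
# Each function takes the path of the file to edit; work on copies first.

# Replace the passwd/shadow/group databases with compat+rsbac lines and
# keep every other database (hosts, networks, ...) untouched.
nss_parallel() {
    f="$1"
    grep -v -E '^(passwd|shadow|group):' "$f" > "$f.tmp" || true
    {
        echo 'passwd:      compat rsbac [NOTFOUND=continue SUCCESS=continue]'
        echo 'shadow:      compat rsbac'
        echo 'group:       compat rsbac [NOTFOUND=continue SUCCESS=continue]'
        cat "$f.tmp"
    } > "$f"
    rm -f "$f.tmp"
}

# Prepend the four 'sufficient' pam_rsbac.so lines above the existing
# entries; a second run is a no-op so the stack is never duplicated.
pam_parallel() {
    f="$1"
    if grep -q 'pam_rsbac.so' "$f"; then
        return 0
    fi
    {
        for t in auth account password session; do
            printf '%-10s sufficient   pam_rsbac.so\n' "$t"
        done
        cat "$f"
    } > "$f.tmp" && mv "$f.tmp" "$f"
}

# Safety check for this stage: exit 0 only if passwd, shadow and group all
# still list 'compat', i.e. the Unix files remain a fallback.
nss_has_fallback() {
    f="$1"
    for db in passwd shadow group; do
        grep -E "^$db:" "$f" \
            | grep -E -q '(^|[[:space:]])compat([[:space:]]|$)' || return 1
    done
    return 0
}
```

Run nss_has_fallback before rebooting: if it fails, the machine would already be relying on RSBAC alone, which is exactly what this stage is meant to avoid.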

Testing the new authentication system

Now that we have the two systems running in parallel, we can restart the machine to ensure that we are working from a clean slate.

lisa shutdown -r now
Information:
You can probably just log out and log in again but I have heard of people experiencing issues with this method. A reboot seems to work more reliably.
 

Assuming that all has gone well you should be asked for your RSBAC password instead of your Unix password next time you log in using a console or ssh. See the example below.

max@max ssh root@lisa
root's RSBAC password: 

If you are asked for your non-RSBAC password as normal you will need to go back and verify all the steps thus far.

If you see a prompt like the following after entering your password you probably forgot to reset the passwords after migrating the users in the previous chapter. You should still be able to log in using the standard authentication method.

max@max ssh root@lisa
root's RSBAC password: 
pam_rsbac.so: User not authenticated 
Password: 

Completing the migration

Assuming all has gone well so far and you can log in to the system using RSBAC authentication, you are ready to remove all references to the old authentication system.

Open the System Databases and Name Service Switch configuration file

lisa nano -w /etc/nsswitch.conf

and change the passwd, shadow and group lines to the following:

/etc/nsswitch.conf
passwd:      rsbac [NOTFOUND=continue SUCCESS=continue]
shadow:      rsbac
group:       rsbac [NOTFOUND=continue SUCCESS=continue]

Then edit the Pluggable Authentication Modules System Authentication configuration file

lisa nano -w /etc/pam.d/system-auth

and modify it so that the following lines are the only lines present.

/etc/pam.d/system-auth
auth       required   pam_rsbac.so
account    required   pam_rsbac.so
password   required   pam_rsbac.so
session    required   pam_rsbac.so

Do not log out of your root session yet: with pam_rsbac.so now required and no Unix fallback, a mistake here locks everyone out, and the open session is the only way to revert. Open a second ssh connection to make certain that you can log in with the new settings.

max@max ssh root@lisa
root's RSBAC password: 
lisa 
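
Before the Unix files are moved away it is worth checking that every account and group they contain is also known to RSBAC, with the same numeric id; a user missing from the RSBAC database will silently vanish once /etc/passwd is gone. The check below is an added example, not part of the original guide. It assumes getent is available (it is part of glibc) and that nsswitch.conf already lists rsbac only, so that getent output reflects the RSBAC database alone; the function name is this example's own.

```shell
#!/bin/sh
# Added example: compare the Unix account files against what NSS resolves
# now that nsswitch.conf points at rsbac only.
#
# On the host (paths and getent usage are assumptions of this example):
#   getent passwd > /tmp/nss.passwd; getent group > /tmp/nss.group
#   missing_entries /etc/passwd /tmp/nss.passwd
#   missing_entries /etc/group  /tmp/nss.group
#
# Prints 'name:id' for every entry of OLD whose name is absent from NEW or
# resolves to a different numeric id there. Exit status 0 when nothing is
# missing, 1 otherwise. Works for both passwd and group format because in
# both the first field is the name and the third the numeric id.
missing_entries() {
    old="$1"; new="$2"
    rc=0
    while IFS=: read -r name pw id rest; do
        [ -z "$name" ] && continue
        case "$name" in \#*) continue ;; esac
        got=$(awk -F: -v n="$name" '$1 == n { print $3; exit }' "$new")
        if [ "$got" != "$id" ]; then
            echo "$name:$id"
            rc=1
        fi
    done < "$old"
    return $rc
}
```

Any line printed is an account to fix in the RSBAC database before continuing; an id mismatch matters as much as a missing name, since file ownership is stored by number.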

Now that we are certain everything is working as expected we can move the old authentication files out of the way. Keep them around for a while in case you decide to revert your changes, and because /etc/shadow still holds every account's password hash, make sure the directory you move them to stays readable by root only.

lisa mkdir ~/old-unix-auth/
lisa mv /etc/passwd /etc/shadow /etc/group ~/old-unix-auth/

At this point it is probably worth verifying that you can still log in and that the names of users and groups are being correctly picked up from the RSBAC database.

max@max ssh root@lisa
root's RSBAC password: 
lisa ls -la /home
total 1 
drwxr-xr-x  5 root root  128 Jun 26 02:27 . 
drwxr-xr-x 23 root root  552 Jul  4 00:25 .. 
drwxr-xr-x  2 max  users 168 Jul  5 19:33 max 
... 

Another kernel rebuild

If you were paying particularly close attention, you may remember that we didn't enable one of the User Management options of RSBAC when we initially configured our kernel, namely Exclusive user management. With the Unix files gone, we can enable it now.

lisa cd /usr/src/linux
lisa make menuconfig

Find the User Management subsection of the RSBAC configuration and enable Exclusive user management.

User Management
  [*]    User Management
  [*]      Use Crypto API Digest SHA1
  (2000)   Minimum auto user ID
  (2000)   Minimum auto group ID
  [*]      Exclusive user management
  (6)      Minimum password length
  [*]      Require non-alphabetic character in password

Save your new kernel configuration and make it available to boot from.

lisa linux make
lisa linux mount /boot
lisa linux cp arch/i386/boot/bzImage /boot/kernel-2.6.14-rsbac-hardened-r1-eum-max1
lisa linux cp System.map /boot/System.map-2.6.14-rsbac-hardened-r1-eum-max1
lisa linux cp .config /boot/config-2.6.14-rsbac-hardened-r1-eum-max1
lisa linux nano -w /boot/grub/grub.conf
Information:
This entry should be added to your GRUB configuration as before so that the old kernel is still available should the new kernel fail to work as expected.
 
/boot/grub/grub.conf
title=Gentoo Linux 2.6.14-rsbac-hardened-r1 EUM Max-1
root (hd0,0)
kernel /kernel-2.6.14-rsbac-hardened-r1-eum-max1 root=/dev/ida/c0d0p5 rsbac_softmode
savedefault fallback
Information:
The rsbac_softmode boot flag is still required at this stage.
 

Now reboot to the new kernel

lisa linux umount /boot
lisa linux shutdown -r now

and see if you can still log in.

max@max ssh root@lisa
root's RSBAC password: 
lisa 

Congratulations! You have completed the migration to RSBAC user management.