Before we switch to the new security system offered by RSBAC we should make sure that it is working. The safest way to do this is to run the two systems in parallel.
Open the System Databases and Name Service Switch configuration file
and change the passwd, shadow and group lines to the following:
passwd: compat rsbac [NOTFOUND=continue SUCCESS=continue]
shadow: compat rsbac
group: compat rsbac [NOTFOUND=continue SUCCESS=continue]
You will also need to edit the Pluggable Authentication Modules System Authentication configuration file
and add the following lines above the existing entries.
auth sufficient pam_rsbac.so
account sufficient pam_rsbac.so
password sufficient pam_rsbac.so
session sufficient pam_rsbac.so
This will allow the RSBAC module to process all authentication-related tasks, falling back to the standard Unix implementation if required.
Now that we have the two security systems running in parallel we can restart the system to ensure that we are working from a clean slate.
Assuming that all has gone well you should be asked for your RSBAC password instead of your Unix password next time you log in using a console or ssh. See the example below.
root's RSBAC password:
If you are asked for your non-RSBAC password as normal you will need to go back and verify all the steps thus far.
If you see a prompt like the following after entering your password you probably forgot to reset the passwords after migrating the users in the previous chapter. You should still be able to log in using the standard authentication method.
root's RSBAC password:
pam_rsbac.so: User not authenticated
Password:
Assuming all has gone well so far and you can log in to the system using RSBAC authentication, you are ready to remove all references to the old authentication system.
Open the System Databases and Name Service Switch configuration file
and change the passwd, shadow and group lines to the following:
passwd: rsbac [NOTFOUND=continue SUCCESS=continue]
shadow: rsbac
group: rsbac [NOTFOUND=continue SUCCESS=continue]
Then edit the Pluggable Authentication Modules System Authentication configuration file
and modify it so that the following lines are the only lines present.
auth required pam_rsbac.so
account required pam_rsbac.so
password required pam_rsbac.so
session required pam_rsbac.so
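Before committing the "rsbac only" configuration above, it is worth confirming that every database and PAM stack the guide touches already carries its rsbac entry, since dropping compat with one of them missing locks you out. The following preflight check is an added example, not part of the original guide; it runs against constructed copies of the two configuration files rather than the live /etc files.

```sh
#!/bin/sh
# Added example, not part of the original guide: preflight checks to run
# before the "rsbac only" step, so compat is not dropped while an NSS
# database or a PAM stack is still missing its rsbac entry. The checkers
# take file paths, so here they run against constructed copies.

# nss_lists FILE DB SERVICE: succeed if the "DB:" line in FILE names SERVICE.
# Action fields such as [NOTFOUND=continue] never equal a service name.
nss_lists() {
    awk -v db="$2:" -v svc="$3" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == svc) found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# pam_rsbac_complete FILE: succeed if auth, account, password and session
# each have a pam_rsbac.so line controlled by sufficient or required.
pam_rsbac_complete() {
    awk '
        $1 ~ /^#/ || NF < 3 { next }
        $3 == "pam_rsbac.so" && ($2 == "sufficient" || $2 == "required") { seen[$1] = 1 }
        END {
            if (seen["auth"] && seen["account"] && seen["password"] && seen["session"]) exit 0
            exit 1
        }' "$1"
}

# ready_for_rsbac_only NSSWITCH PAMFILE: every database lists rsbac and the
# PAM stack is complete, so the compat fallback can be removed.
ready_for_rsbac_only() {
    for db in passwd shadow group; do
        nss_lists "$1" "$db" rsbac || return 1
    done
    pam_rsbac_complete "$2"
}

# Constructed sample files reproducing the guide's parallel stage.
WORK=$(mktemp -d)
PARALLEL_NSS="$WORK/nsswitch.parallel"
printf '%s\n' 'passwd: compat rsbac [NOTFOUND=continue SUCCESS=continue]' \
    'shadow: compat rsbac' 'group: compat rsbac [NOTFOUND=continue SUCCESS=continue]' \
    'hosts: files dns' > "$PARALLEL_NSS"
PARTIAL_PAM="$WORK/system-auth.partial"   # constructed: session line forgotten
printf '%s\n' 'auth sufficient pam_rsbac.so' 'account sufficient pam_rsbac.so' \
    'password sufficient pam_rsbac.so' 'auth required pam_unix.so' > "$PARTIAL_PAM"
FULL_PAM="$WORK/system-auth.full"
printf '%s\n' 'auth required pam_rsbac.so' 'account required pam_rsbac.so' \
    'password required pam_rsbac.so' 'session required pam_rsbac.so' > "$FULL_PAM"
ready_for_rsbac_only "$PARALLEL_NSS" "$FULL_PAM" && echo "ready to drop compat"
ready_for_rsbac_only "$PARALLEL_NSS" "$PARTIAL_PAM" || echo "PAM stack incomplete: keep compat"
```

Point the two functions at /etc/nsswitch.conf and the system-auth file to check a real host; a non-zero exit from ready_for_rsbac_only means compat should stay until the missing entry is added.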
Before you log out as root it is probably a good idea to ensure that you can log in with the new settings. Open another ssh connection to make certain.
root's RSBAC password:
lisa ~ #
Now that we are certain everything is working as expected we can move the old authentication files out of the way. It is probably best to keep them around for a while in case you decide to revert your changes.
At this point it is probably worth verifying that you can still log in and that the names of users and groups are being correctly picked up from the RSBAC database.
root's RSBAC password:
lisa ~ # ls -la /home
total 1
drwxr-xr-x 5 root root 128 Jun 26 02:27 .
drwxr-xr-x 23 root root 552 Jul 4 00:25 ..
drwxr-xr-x 2 max users 168 Jul 5 19:33 max
...
If you were paying particularly close attention, you may remember that we didn't enable one of the User Management options of RSBAC when we initially configured our kernel, namely Exclusive user management. Now we can.
Find the User Management subsection of the RSBAC configuration and enable Exclusive user management.
Save your new kernel configuration and make it available to boot from.
title=Gentoo Linux 2.6.14-rsbac-hardened-r1 EUM Max-1
root (hd0,0)
kernel /kernel-2.6.14-rsbac-hardened-r1-eum-max1 root=/dev/ida/c0d0p5 rsbac_softmode
savedefault fallback
Now reboot to the new kernel and see if you can still log in.
root's RSBAC password:
lisa ~ #
Congratulations! You have completed the migration to RSBAC user management.