22.2 About Local Oracle Linux Authentication

22.2.1 Configuring Local Access
22.2.2 Configuring Fingerprint Reader Authentication
22.2.3 Configuring Smart Card Authentication

Unless you select a different authentication mechanism during installation or by using the Authentication Configuration GUI or the authconfig command, Oracle Linux verifies a user's identity by using the information that is stored in the /etc/passwd and /etc/shadow files.

The /etc/passwd file stores account information for each user, such as the unique user ID (UID, an integer), user name, home directory, and login shell. A user logs in with the user name, but the operating system identifies the account by its UID. At login, the user is placed in the home directory and the login shell runs.

The /etc/group file stores information about groups of users. Each user belongs to one or more groups, and each group can contain one or more users. If you grant access privileges to a group, all members of the group receive those privileges. Each group account has a unique group ID (GID, again an integer) and an associated group name.

By default, Oracle Linux implements the user private group (UPG) scheme where adding a user account also creates a corresponding UPG with the same name as the user, and of which the user is the only member.

Only the root user can add, modify, or delete user and group accounts. By default, both users and groups use shadow passwords, which are cryptographically hashed and stored in /etc/shadow and /etc/gshadow respectively. These shadow password files are readable only by the root user. root can set a group password; a user who is not a member of the group must enter that password to switch to the group with the newgrp command. If a group has no password, only users that root has added as members can switch to it.

The /etc/login.defs file defines parameters for password aging and related security policies.

For more information about the content of these files, see the group(5), gshadow(5), login.defs(5), passwd(5), and shadow(5) manual pages.

22.2.1 Configuring Local Access

You can use the User Manager GUI (system-config-users) to add or delete users and groups and to modify settings such as passwords, home directories, login shells, and group membership. Alternatively, you can use commands such as useradd and groupadd.

To enable local access control, select the Enable local access control check box on the Advanced Options tab of the Authentication Configuration GUI (system-config-authentication). This adds the pam_access module to the PAM configuration, so that the system reads the /etc/security/access.conf file for local user authorization rules that specify the login combinations that the system accepts or refuses.

Figure 22.2 shows the Authentication Configuration GUI with the Advanced Options tab selected.

Figure 22.2 Authentication Configuration Advanced Options

Alternatively, use the following command:

# authconfig --enablepamaccess --update

Each entry in /etc/security/access.conf takes the form:

permission : users : origins

The users and origins fields are each a list whose items are separated by spaces or commas, and each field may contain the EXCEPT operator, as described below.

where:

permission

Set to + or - to grant or deny login respectively.

users

Specifies a space-separated list of user or group names or ALL for any user or group. Enclose group names in parentheses to distinguish them from user names. You can use the EXCEPT operator to exclude a list of users from the rule.

origins

Specifies a space-separated list of host names, fully qualified domain names, network addresses, terminal device names, ALL, or NONE. You can use the EXCEPT operator to exclude a list of origins from the rule.

Rules are tested in order, and the first rule whose users and origins fields both match decides the result; a login that matches no rule is permitted. For example, the following rule denies login access from the network 192.168.2.0/24 to everyone except root. Note that root is not permitted by this rule; it is simply not covered by it and is left to any later rule:

- : ALL EXCEPT root : 192.168.2.0/24

For more information, see the access.conf(5) manual page and Chapter 23, Local Account Configuration.
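Because a mistaken access.conf rule can lock every account out of a host, it is useful to dry-run a ruleset before installing it. The following Python script is added here as an example and is not part of the Oracle documentation: it applies the same first-match logic that pam_access uses (first matching rule decides, + permits, - denies, no match permits) to a set of logins. The sample ruleset and the logins are constructed for the example; group membership is passed in by the caller instead of being read from /etc/group, and host names in the origins field are compared as strings rather than resolved, which is a simplification of the module's behaviour.

```python
"""Dry-run evaluator for /etc/security/access.conf rules (added example).

Mirrors the first-match logic of pam_access: rules are tested in order, the
first rule whose users and origins fields both match decides, '+' permits and
'-' denies, and a login that matches no rule at all is permitted.
"""
import ipaddress

# Constructed sample ruleset. The third rule is the page's own example.
SAMPLE_ACCESS_CONF = """\
# blank lines and comments are ignored
+ : root : LOCAL
+ : (wheel) : 10.0.0.0/8
- : ALL EXCEPT root : 192.168.2.0/24
- : ALL : ALL EXCEPT LOCAL
"""


def parse_rules(text):
    """Return a list of (permission, user_tokens, origin_tokens) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3 or fields[0].strip() not in ("+", "-"):
            raise ValueError(f"access.conf line {lineno}: malformed rule {raw!r}")
        # pam_access separates list items with spaces, tabs or commas.
        users = fields[1].replace(",", " ").split()
        origins = fields[2].replace(",", " ").split()
        rules.append((fields[0].strip(), users, origins))
    return rules


def _split_except(tokens):
    """Split a field into (match list, exception list) at the EXCEPT keyword."""
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            return tokens[:i], tokens[i + 1:]
    return tokens, []


def _user_matches(tok, user, groups):
    if tok.upper() == "ALL":
        return True
    if tok.startswith("(") and tok.endswith(")"):
        return tok[1:-1] in groups              # explicitly a group name
    # Default pam_access behaviour (no nodefgroup option): a bare token is
    # tried as a user name and then as a group name.
    return tok == user or tok in groups


def _origin_matches(tok, origin):
    key = tok.upper()
    if key == "ALL":
        return True
    if key == "NONE":
        return False
    if key == "LOCAL":
        # Origins with no '.' or ':' (a tty, an unqualified host) count as local.
        return "." not in origin and ":" not in origin
    if tok == origin:
        return True                             # exact host or tty name
    if tok.startswith(".") and origin.endswith(tok):
        return True                             # domain suffix, e.g. .example.com
    if tok.endswith(".") and origin.startswith(tok):
        return True                             # dotted network prefix, e.g. 192.168.2.
    if "/" in tok:                              # CIDR or address/netmask
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(tok, strict=False)
        except ValueError:
            return False                        # origin is not an IP address
    return False


def _field_matches(tokens, match_one):
    """A field matches when a token before EXCEPT matches and none after it does."""
    wanted, excepted = _split_except(tokens)
    return any(match_one(t) for t in wanted) and not any(match_one(t) for t in excepted)


def check_access(rules, user, groups, origin):
    """Return (permitted, deciding_rule); deciding_rule is None when nothing matched."""
    for rule in rules:
        permission, users, origins = rule
        if (_field_matches(users, lambda t: _user_matches(t, user, groups))
                and _field_matches(origins, lambda t: _origin_matches(t, origin))):
            return permission == "+", rule
    return True, None                           # no rule matched: pam_access permits


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_ACCESS_CONF)
    logins = [  # (user, groups, origin): constructed test logins
        ("root", ["root"], "tty1"),
        ("alice", ["alice", "wheel"], "10.1.2.3"),
        ("alice", ["alice"], "192.168.2.10"),
        ("root", ["root"], "192.168.2.10"),   # EXCEPT root only skips rule 3
        ("bob", ["bob"], "tty2"),             # matches no rule: permitted by default
    ]
    for user, groups, origin in logins:
        permitted, rule = check_access(rules, user, groups, origin)
        print(f"{user} from {origin}: {'permit' if permitted else 'deny'} via {rule}")
```

Two points the dry run makes visible: root from 192.168.2.10 is denied by the catch-all last rule, because EXCEPT root in the page's rule only leaves root to later rules rather than permitting it; and bob on a local tty matches nothing and is permitted, because pam_access permits by default. End a ruleset with an explicit - : ALL : ... rule if you want deny-by-default, and keep a root console session open while installing it.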

22.2.2 Configuring Fingerprint Reader Authentication

If appropriate hardware is installed and supported, the system can use fingerprint scans to authenticate users.

To enable fingerprint reader support, select the Enable fingerprint reader support check box on the Advanced Options tab of the Authentication Configuration GUI (system-config-authentication).

Alternatively, use the following command:

# authconfig --enablefingerprint --update

22.2.3 Configuring Smart Card Authentication

If appropriate hardware is installed and supported, the system can use smart cards to authenticate users. The pam_pkcs11 package provides a PAM login module that enables X.509 certificate-based user authentication. The module uses the Network Security Services (NSS) libraries to manage and validate PKCS #11 smart cards: the certificate on the card is validated against locally stored root CA certificates, and its revocation status is checked by using online or locally accessible certificate revocation lists (CRLs) or the Online Certificate Status Protocol (OCSP).

To enable smart card authentication:

  1. Install the pam_pkcs11 package:

    # yum install pam_pkcs11
  2. Use the following command to install the root CA certificates in the NSS database:

    # certutil -A -d /etc/pki/nssdb -t "TC,C,C" -n "Root CA certificates" -i CACert.pem

    where CACert.pem is the PEM (base64-encoded) root CA certificate file, -n sets the nickname under which the certificate is stored, and the -t "TC,C,C" trust flags mark it as a trusted CA. To confirm that the certificate was imported with those flags, list the database with certutil -L -d /etc/pki/nssdb.

  3. Run the Authentication Configuration GUI:

    # system-config-authentication
  4. On the Advanced Options tab, select the Enable smart card support check box.

  5. If you want to disable all other login authentication methods, select the Require smart card for login check box.

    Caution

    Do not select this option until you have tested that you can use a smart card to authenticate with the system.

  6. From the Card removal action menu, select the system's response if a user removes a smart card while logged in to a session:

    Ignore

    The system ignores card removal for the current session.

    Lock

    The system locks the user's session.

You can also use the following command to configure smart card authentication:

# authconfig --enablesmartcard --update

To specify the system's response if a user removes a smart card while logged in to a session:

# authconfig --smartcardaction=0|1 --update

Specify a value of 0 to --smartcardaction to lock the system if a card is removed. To ignore card removal, use a value of 1.

Once you have tested that you can use a smart card to authenticate with the system, you can disable all other login authentication methods.

# authconfig --enablerequiresmartcard --update
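Before requiring a smart card for login, it is worth checking mechanically that the two things this procedure depends on are in place, since --enablerequiresmartcard disables every other login method. The following Python script is added here as an example and is not Oracle's code: it parses the listing printed by certutil -L -d /etc/pki/nssdb to confirm that the CA imported in step 2 is present with the C and T trust flags that -t "TC,C,C" sets, and checks that an uncommented auth line in a PAM stack loads pam_pkcs11.so. The listing and PAM lines embedded in the script are constructed samples; the nickname Root CA certificates is the one used in step 2, and the path /etc/pam.d/system-auth that the script reads when run directly is an assumption about where authconfig writes the stack.

```python
"""Pre-flight check before smart card login is made mandatory (added example).

The pure functions take the certutil listing and PAM text as strings so they
can be tested offline; the __main__ block gathers the real ones from the host.
"""
import subprocess

NSSDB = "/etc/pki/nssdb"                    # database used in the certutil -A step
CA_NICKNAME = "Root CA certificates"        # nickname given with certutil -n
PAM_STACK = "/etc/pam.d/system-auth"        # assumed location of the auth stack

# Constructed sample of `certutil -L -d /etc/pki/nssdb` output: a nickname
# column, then the trust attributes in the order SSL,S/MIME,JAR/XPI.
SAMPLE_CERTUTIL_LIST = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Root CA certificates                                         CT,C,C
Untrusted test CA                                            ,,
"""

# Constructed sample PAM auth stacks, with and without the pkcs11 module.
SAMPLE_PAM_WITH_PKCS11 = """\
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
auth        sufficient    pam_unix.so nullok try_first_pass
"""
SAMPLE_PAM_WITHOUT_PKCS11 = """\
auth        required      pam_env.so
#auth       sufficient    pam_pkcs11.so
auth        sufficient    pam_unix.so nullok try_first_pass
"""


def parse_certutil_list(text):
    """Map each certificate nickname to its (ssl, smime, jar) trust strings."""
    certs = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("Certificate Nickname", "SSL,S/MIME")):
            continue                            # blank or header line
        nickname, _, trust = line.rstrip().rpartition(" ")
        flags = trust.split(",")
        if len(flags) == 3:                     # anything else is not a cert row
            certs[nickname.rstrip()] = tuple(flags)
    return certs


def ca_trusted_for_ssl(certs, nickname):
    """True when the CA exists and its SSL trust column carries both C and T."""
    flags = certs.get(nickname)
    return flags is not None and "C" in flags[0] and "T" in flags[0]


def pam_stack_uses(pam_text, module="pam_pkcs11.so"):
    """True if an uncommented auth line in the stack loads the module."""
    for line in pam_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "auth" and module in fields:
            return True
    return False


def ready_to_require_smartcard(certutil_out, pam_text, nickname=CA_NICKNAME):
    """Return the list of problems found; an empty list means it is safe to run
    `authconfig --enablerequiresmartcard --update`."""
    problems = []
    if not ca_trusted_for_ssl(parse_certutil_list(certutil_out), nickname):
        problems.append(f"{nickname!r} is absent from {NSSDB} or lacks the C and T SSL trust flags")
    if not pam_stack_uses(pam_text):
        problems.append("pam_pkcs11.so is not in the auth stack; run "
                        "'authconfig --enablesmartcard --update' first")
    return problems


if __name__ == "__main__":
    listing = subprocess.run(["certutil", "-L", "-d", NSSDB],
                             capture_output=True, text=True, check=True).stdout
    with open(PAM_STACK) as f:
        stack = f.read()
    problems = ready_to_require_smartcard(listing, stack)
    for problem in problems:
        print("NOT READY:", problem)
    if not problems:
        print("prerequisites present; test a card login before requiring it")
```

The script only confirms the prerequisites; it does not replace the test the Caution above calls for. Run it, then log in once with the card while a root session stays open, and only then run authconfig --enablerequiresmartcard --update.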