===== User Management Configuration =====

Before you improve system security by activating RSBAC User Management, it is strongly recommended to read the overview under [[documentation:rsbac_handbook:user_management|User Management]].

User management (UM) must be enabled in the RSBAC kernel configuration. To get passwords encrypted with SHA1, this algorithm must first be enabled in the kernel Crypto menu: only with SHA1 enabled will the User Management menu show the option for encryption. After configuration, compile and install the kernel as usual.

The RSBAC admin tools contain the necessary user and group management tools with the usual Linux names ({user|group}{add|mod|del}, passwd, gpasswd, login), but prefixed with rsbac_. Additionally, there are tools to retrieve and back up info, namely rsbac_usershow and rsbac_groupshow. The rsbac_login command does not support PAM; it only understands RSBAC UM. These tools can be used as direct replacements, e.g. by making symlinks in /usr/local/bin, if this dir is first in PATH.

All commands show a help screen with -h. Additionally, rsbac_usershow and rsbac_groupshow give details about users and groups. They also allow you to make backups, if you have the necessary access rights to each individual user and group.

To enable normal Linux user programs to see and use RSBAC UM, you need to compile and install the NSS and PAM modules from the admin tools contrib dir.

It is strongly recommended to enable UM debugging before starting the first tests. Either use the rsbac_debug_aef_um kernel parameter or, at runtime, call as root or security officer:

<code bash>
echo "debug_aef_um 1" >/proc/rsbac-info/debug
</code>

===== Import existing users =====

Both rsbac_useradd and rsbac_groupadd have options to convert existing users and groups:

<code bash>
rsbac_useradd -v -O
rsbac_groupadd -v -O
</code>

To get dependencies between users and groups right, you might have to repeat the import.
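The repeat-until-complete import described above, together with the nsswitch.conf and /etc/pam.d edits for the soft-migration and switch-over steps of the next two sections, as one added helper script. It is not part of the RSBAC handbook or the admin tools: the rsbac_* commands and their -v -O options are the handbook's, while the subcommand names, the PASSWD_FILE/GROUP_FILE/MAX_PASSES variables and the assumption that rsbac_usershow and rsbac_groupshow exit non-zero for an unknown name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the RSBAC handbook or admin tools: a helper for the
# migration steps on this page. "import" repeats "rsbac_groupadd -v -O" and
# "rsbac_useradd -v -O" until every account in the Linux files is known to UM;
# the other subcommands filter nsswitch.conf or a pam.d file from stdin to
# stdout for the soft-migration stage (compat rsbac; pam_rsbac.so before
# pam_unix.so) and for the final switch-over (rsbac only; pam_rsbac.so only).
# Assumptions (not from the handbook): PASSWD_FILE, GROUP_FILE and MAX_PASSES
# can be overridden, and rsbac_usershow/rsbac_groupshow exit non-zero when
# asked about a name they do not know.

PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
GROUP_FILE=${GROUP_FILE:-/etc/group}
MAX_PASSES=${MAX_PASSES:-5}

# Column 1 (the name) of every non-comment line of a passwd/group style file.
list_names() { sed -e '/^[[:space:]]*#/d' -e 's/:.*//' "$1"; }

# Names in file $1 that the lookup tool $2 (rsbac_usershow or rsbac_groupshow)
# does not know; empty output means the import is complete.
missing_entries() {
    for name in $(list_names "$1"); do
        "$2" "$name" >/dev/null 2>&1 || echo "$name"
    done
}

# Import groups before users (users reference their groups) and repeat until a
# pass leaves nothing missing; give up with the leftovers after MAX_PASSES.
import_until_complete() {
    pass=1
    while [ "$pass" -le "$MAX_PASSES" ]; do
        rsbac_groupadd -v -O || true   # dependency errors are expected early on
        rsbac_useradd -v -O || true
        missing=$( missing_entries "$GROUP_FILE" rsbac_groupshow
                   missing_entries "$PASSWD_FILE" rsbac_usershow )
        if [ -z "$missing" ]; then return 0; fi
        pass=$((pass + 1))
    done
    printf 'still unknown to UM after %s passes:\n%s\n' "$MAX_PASSES" "$missing" >&2
    return 1
}

# nsswitch.conf, soft migration: "compat" -> "compat rsbac" on the passwd, group
# and shadow lines; a line that already mentions rsbac is left alone.
nsswitch_soft() {
    sed -E '/^[[:space:]]*(passwd|group|shadow)[[:space:]]*:/{/rsbac/!s/(^|[[:space:]])compat([[:space:]]|$)/\1compat rsbac\2/;}'
}

# nsswitch.conf, switch-over: "compat" or "compat rsbac" -> "rsbac" on those lines.
nsswitch_final() {
    sed -E '/^[[:space:]]*(passwd|group|shadow)[[:space:]]*:/s/(^|[[:space:]])compat( rsbac)?([[:space:]]|$)/\1rsbac\3/'
}

# pam.d file, soft migration: insert "<type> sufficient pam_rsbac.so" in front of
# every pam_unix.so line, unless the line above is already a pam_rsbac.so line.
pam_soft() {
    awk '!/^[ \t]*#/ && /pam_unix\.so/ && prev !~ /pam_rsbac\.so/ {
             print $1 " sufficient pam_rsbac.so" }
         { print; prev = $0 }'
}

# pam.d file, switch-over: pam_unix.so -> pam_rsbac.so. A soft-migration
# "sufficient pam_rsbac.so" line directly above such a line is dropped so the
# module is not listed twice. pam_unix options are kept verbatim; review them.
pam_final() {
    awk 'held != "" { if ($0 !~ /pam_unix\.so/) print held; held = "" }
         /^[ \t]*#/ { print; next }
         $2 == "sufficient" && $3 == "pam_rsbac.so" { held = $0; next }
         { sub(/pam_unix\.so/, "pam_rsbac.so"); print }
         END { if (held != "") print held }'
}

case ${1:-} in
    import)         import_until_complete ;;
    nsswitch-soft)  nsswitch_soft ;;
    nsswitch-final) nsswitch_final ;;
    pam-soft)       pam_soft ;;
    pam-final)      pam_final ;;
    "")             ;;  # no subcommand: only define the functions (e.g. when sourced)
    *)  echo "usage: $0 import|nsswitch-soft|nsswitch-final|pam-soft|pam-final" >&2; exit 2 ;;
esac
```

Run the import as root or security officer with UM debugging enabled (sh rsbac_um_migrate.sh import); the config filters only read stdin and write stdout, so inspect the result (for instance sh rsbac_um_migrate.sh pam-soft </etc/pam.d/login) before copying it over the original file.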
Always check the results with rsbac_usershow and rsbac_groupshow:

<code bash>
rsbac_groupshow groupname
rsbac_usershow username
</code>

As standard Linux passwords are encrypted with another algorithm and salt size, they cannot be converted. Thus, passwords for converted users and groups must be reset, e.g. with the rsbac_usermod or the rsbac_passwd command. Set the user password with one of these commands:

<code bash>
rsbac_usermod -p "password" username
rsbac_passwd -n username
</code>

For soft migration and first tries, you can run passwd/shadow and RSBAC UM in parallel for a while before you turn the former off: in nsswitch.conf change "compat" to "compat rsbac", and in /etc/pam.d/* add " sufficient pam_rsbac.so" before the pam_unix.so line.

===== Switch over =====

To disable the old scheme and switch over to RSBAC users and groups only, change /etc/nsswitch.conf (replace compat in passwd, group and shadow by rsbac) and /etc/pam.d/* (replace pam_unix with pam_rsbac). Then it simply works - if you granted the necessary access rights and imported the existing users and groups, that is. It is generally a good idea to try in softmode first. :)

After complete migration, you can enable UM exclusive mode in the kernel settings to disallow all users and groups unknown to UM. The auth_may_setuid settings should be changed from full to last_auth_and_gid to deny unauthenticated setuids, and AUTH caps should be properly reduced. Some decision modules, e.g. RC, have a special access right CHANGE_AUTHED_OWNER, which allows a setuid to a user target if the process has successfully authenticated that user (this only works for the last one).

===== Virtual User Sets =====

To use virtual groups and users, you need to enable them in the kernel config. Then you can e.g. create group "users" in virtual set 1 with:

<code bash>
rsbac_groupadd 1/users
</code>

To copy group "users" (without members) from another set, e.g. the default set 0:

<code bash>
rsbac_groupadd -C 0/users 1/users
</code>

To copy a user, e.g.
root, without password:

<code bash>
rsbac_useradd -C 0/root 1/root
</code>

And to copy an existing user with password:

<code bash>
rsbac_useradd -K 0/joe 1/joe
</code>

Check the results:

<code bash>
rsbac_groupshow 1/users
rsbac_usershow 1/root
rsbac_usershow 1/joe
rsbac_usershow -S 1 -l
rsbac_user_menu 1/joe
</code>

To log in as 1/joe, just enter 1/joe as your login user name. You can use 1/joe with all RSBAC tools, e.g. to set a role, raise resource limits or add an ACL entry. It is as simple as that. A user name without / is always taken from the current virtual set of the calling process.

//Note: Newer versions of OpenSSH can have SELinux support enabled; in that case / (slash) becomes a special character in SSH user names and sshd does NOT pass the user name completely. You can rebuild your OpenSSH without the SELinux extension to get full use of RSBAC virtual users through ssh.//

//Note 2: Some versions of OpenSSH have a bug that does not really disable the meaning of /, even if you compile without SELinux support. Always check what name sshd sees with -v.//

Whenever a process authenticates a virtual user, it automatically changes the current virtual set of the authenticating process and thus binds the user session to that set. Alternatively, you can force a virtual set for a program with a general attribute or through the rsbac_jail command.

With the default kernel configuration, any process whose current virtual user set is not the main set 0 does not see users or groups in other sets! This means that the same process cannot authenticate users in other sets afterwards; please be careful with separate authentication service processes.

===== One-Time Passwords =====

As usual, one-time passwords must be enabled in the kernel config. There you can also specify a limit on the number of one-time passwords per user. When enabled, rsbac_passwd allows you to add them or remove them all.
To add a password for joe as admin:

<code bash>
rsbac_passwd -o -n joe
</code>

To add one for yourself:

<code bash>
rsbac_passwd -o
</code>

To delete all one-time passwords for joe:

<code bash>
rsbac_passwd -O joe
</code>

To show the number of unused one-time passwords:

<code bash>
rsbac_passwd -C joe
</code>

You can also script password setting, e.g. to create 10 random passwords for joe:

<code bash>
pwgen -1 -N 10 | while read pw
do
  echo "One-Time-PW: $pw"
  # the new password is supplied twice, as when typed at the prompt
  printf '%s\n%s\n' "$pw" "$pw" | rsbac_passwd -o -n joe
done
</code>

----
**Table of Contents:** [[documentation:rsbac_handbook|RSBAC Handbook]]\\
**Previous:** [[Service Encapsulation]]\\
**Next:** [[Logging]]