Authentication on UNIX Platforms
Most native authentication services on UNIX platforms offer multiple options for configuration. The simplest form of native authentication on UNIX platforms is the local password file (usually /etc/passwd) which contains passwords encrypted with a one-way encryption function. Although the passwords cannot be decrypted, the file is readable by all users of the system and therefore susceptible to dictionary-based password cracking attempts.
The simplest alternative to the local password file is password shadowing. On systems that use NIS/yp or password shadowing, replace each encrypted password in the /etc/passwd file with a special token and store the passwords in a separate file not readable by normal system users.
Previous releases of EMSRV for UNIX platforms supported local password files and shadow passwords by using two separate EMSRV executables: emsrv and emsrv.shadow. This was necessary because each authentication system uses a different programming interface.
Recent releases of most UNIX platforms now offer a single authentication programming interface that can support both of the aforementioned authentication systems as well as many others. The most well-known of these authentication frameworks is PAM (password Authentication Modules). PAM was developed by Sun Microsystems and is now supported by and ships as part of Linux.
A single authentication programming interface makes it possible for one EMSRV executable to use a variety of authentication systems. For this reason, there is no longer an emsrv.shadow available on UNIX platforms. In such cases, the emsrv executable can be used to authenticate using shadow passwords and, potentially, other forms of authentication as well.
Where EMSRV uses an authentication framework such as PAM, the authentication system used by EMSRV and its exact configuration, are determined by the environment. For example, EMSRV for Linux uses PAM and, therefore, requires the file /etc/pam.d/emsrv to be present and to specify the PAM (module) used by EMSRV.
PAM
On Linux platforms, authentication is implemented using PAM (password Authentication Modules). Although this would theoretically allow the use of any PAM (modules) with EMSRV by changing the relevant PAM configuration file, in practice this is not possible.
EMSRV does not converse with clients in a manner that is entirely compatible with the PAM architecture, As a result, EMSRV authentication will only work where the module prompts initially for a text password (supplied initially by the client). The tested and certified authentication methods meet these requirements as will most PAM (modules). Sophisticated modules that require extended conversation or authentication data that EMSRV does not support, will not work correctly with EMSRV. Fingerprint scanners and retina scanners are such examples.
Authentication on Linux platforms
EMSRV for Linux now supports authentication using PAM. This allows both shadowed and non-shadowed passwords to be supported with one EMSRV executable.
In addition, Red Hat Linux supports MD5 passwords and EMSRV also supports these via PAM.
PAM must be correctly configured on a machine running EMSRV otherwise it will not even be possible to shutdown EMSRV using EMADMIN. The PAM configuration file must be copied to /etc/pam.d/emsrv. A sample PAM configuration file is included with this release (see /usr/local/VASTPlatform/12.0.0-64bit/samples/PAM).
Usage of Root Access for Authentication
Root access on UNIX platforms is required to authenticate users. EMSRV does NOT need to be started by the root user to accomplish this. Doing so would compromise security as EMSRV would then have complete access to all filesystems.
Instead, you should change the owner of the EMSRV executable to 'root' and set the SUID bit of the executable. This can be accomplished as follows:
chown root emsrv
chmod u+s emsrv
When EMSRV attempts to authenticate a user, it will temporarily change the authority of the running EMSRV process to be the authority of the owner of the executable. Once authentication is complete, the authority of the running EMSRV process will be changed back to that of the user that started EMSRV. This happens on a per-process (per-client) basis so while a client is being authenticated, only the process serving that client has temporary root access.
Root access for authentication is required regardless of how EMSRV actually implements authentication. Interfaces such as PAM only provide a common API to permit applications to support multiple authentication methods, configuration specific to each method of authentication must still be correct.
Last modified date: 12/30/2022