Beefy Boxes and Bandwidth Generously Provided by pair Networks
The stupid question is the question not asked
 
PerlMonks  

Re: Authentication with /etc/shadow

by ELISHEVA (Prior)
on Feb 26, 2011 at 20:03 UTC ( #890336=note: print w/ replies, xml ) Need Help??


in reply to Authentication with /etc/shadow

Rather than try to work directly with /etc/shadow have you considered using Perl to interface with PAM (pluggable authentication module for Linux)? There are several modules available on CPAN: PAM.

By going to etc/shadow directly you are bypassing whatever additional checks and validations or security alternatives have been configured for your system's users via PAM.


Comment on Re: Authentication with /etc/shadow
Re^2: Authentication with /etc/shadow
by fluffyvoidwarrior (Monk) on Feb 26, 2011 at 23:28 UTC
    Yes, I considered using PAM and the associated perl modules

    I discarded this approach because it seemed to be likely to introduce quite a bit of system overhead and I'm really going to be hammering it - potentially a max of 50 checks per second.

    I thought a quick crypt comparison on etc/shadow would be faster and less intensive - ie load the whole file into an array and parse it with regex, etc.

    I don't want to labour my cpu with password checks

      Please don't.

      In my programming life, I've seen at least 2 orders of magnitude more problems caused by people manually mucking about with things that have nice defined API's for fanciful reasons, than problems caused by something being too slow for doing so.

      If it's a problem, find out that it's a problem first, then fix it. And in this case, you'll eat the crypto overhead either way, so what do you think you'll save?

        Well, maybe the monks could think of a better route to take if I told more of the story. This could then be a long post and there will be discrepancies in what I tell you because I can't tell you everything.

        Normally I would agree entirely with the point you just made.

        My problem is:-

        I have a program that loops once a second and provides command and control for a real world system - like a perl emulation of a plc. The real world system I am controlling has massive security significance for my client. It isn't exposed to wan access but it will never have very good physical security.

        The main security risk I can see is the possibility of an attacker copying my program (stealing a hard drive or system unit wouldn't work) and running it on his computer to gain access via a hole in the wall. My program is a perlapp so trivial code inspection is unlikely. The situation is changing constantly and I only need to delay an attacker a few hours and his attack becomes pointless. Though he can steal the program and run on it on his computer I am hoping he is unlikely to clone my users. I want to authenticate my system users with every pass of my program loop and shred my perlapps if any of various conditions (user validation being one indicator that my program is running under an alien environment) are not met, thus causing the needed delay. Only one of my checks needs to fail and my program will commit suicide.
        (security of some user passwords is not a consideration - I don't mind hard coding some of them in my perlapp)

        The need for speed and low system overhead is due to the fact that my program may have to handle up to 50 requests with each pass and all the validity checks have to be done on every pass (if an attacker successfully runs a single pass then all could be lost). There will only ever be a handful of system users. All this is far from perfect and it isn't security but it's better than nothing.

        I can probably thwart the unskilled with this sort of stuff and maybe delay the skilled long enough if I'm lucky. Anyway, physical security isn't really my responsibility - I'm just trying to help them out a bit.

      I can't help feeling there is something fundamentally inconsistent in your reply here and your response to fullermd. I'll grant that you know your client and your situation and you may be limited in your ability to explain your true requirements but... just food for thought.

      You write, in reply to fullermd

      The main security risk I can see is the possibility of an attacker copying my program (stealing a hard drive or system unit wouldn't work) and running it on his computer to gain access via a hole in the wall...I only need to delay an attacker a few hours and his attack becomes pointless. Though he can steal the program and run on it on his computer I am hoping he is unlikely to clone my users. I want to authenticate my system users with every pass of my program loop and shred my perlapps if any of various conditions

      If security is so very important to your client, about the last thing you should be considering is an end-run around PAM. The more places security is defined, the more places changes to security protocols need to be updated, and the more long term problems. Also the more places you need to secure and protect from access. By adding a second authentication mechanism outside of PAM you are in fact increasing the number of potential attack vectors.

      Second, modern versions of PAM support some pretty sophisticated user identification mechanisms, including bio-identification. Presumably, if those scripts are run on a personal computer, they have to log in at some point into the sensitive computer. I'm going to assume you are sophisticated enough to never ever put login information in the clear in your scripts, especially in a high security situation.

      Why aren't you making your scripts owned by a user who can only be activated with a bio marker? Then it wouldn't matter what computer your would-be attacker ran the program on: when he tried to access the sensitive computer and reached the bio-security check, he'd be stopped dead in his tracks.

      Third, if this is really so very important to your client and you really have no option but to run security checks before each and every operation, your client should be willing to provide a box with sufficient memory and CPU to handle the hit rate and security checks.

      Forth, if stealing a disk won't work, how is it that these scripts are being stolen or copied in the first place? How is it that merely running the scripts on a personal computer would give someone access? That doesn't sound right at all. Have you considered front-ending the computer with these valuable scripts with a gateway computer that validates the users? Putting these scripts on a secure computer accessible only via the IP of that gateway computer or by an on-site login with bio-id? Limiting the actions those users can take?

      Fifth, if your scripts can be stolen or copied, why wouldn't your user base be stolen or cloned? Seems to me that would be a much more direct way of cracking your system. Why wouldn't a serious attacker read your source code? I certainly wouldn't write off a script as not worth reading even if it contained only one line in it. Would you? I hope not. I'm not following your logic when it comes to likely cracker behavior.

      Sixth, if security is essential to your client, should you even be using scripts for such sensitive operations? Might it not be wiser for both performance and security reasons to go with a compiled executable? With any scripting solution there is always a risk that an enterprising hacker can intentionally create and take advantage of time gaps between the launching of the Perl interpreter and the loading of your script to change the effective user id or wreck other havoc. If you must use scripts you might want to take a good hard look at the implementation and security checks done by Apache's mod_suexec.

      Seventh, I question your logic that a pure Perl script hacking /etc/shadow would in fact be faster. If PAM is doing nothing more than a password check, my first guess is that it would be faster because you are using pre-parsed code compiled into machine code ops. With a script you have to parse and compile it with each run. Even if you are pre-loading modules and using signals or function calls for each user check, you'd still be running Perl OP codes which have to be translated into machine ops rather than machine ops. If PAM is doing more than a simple password check, then you aren't really doing a complete authentication if you by-pass PAM and as soon as your would be hacker figures that out, they'll find a backdoor through the things you aren't checking.

      I don't know your situation, but based on what you've shared so far, it seems to me that you are trying to solve a problem with scripting that needs to be solved in a much more systemic way. I think you need to have a very serious talk with your client.

        Thanks. That's a lot to think about.

        One immediate answer to part of your post is that physically stealing something - hard drive or system unit - would be immediately noticed. Copying software would be much harder to prevent in this environment.

        Yes, chunks of it need rewriting as compiled binaries but the client moved the goalposts and wants it running next week - no time

        I have absolutely no objection to using PAM for this but it looked like a lot of overhead so I thought of a quick password hash comparison.

        Protecting user login security is almost irrelevant since unauthorised login is not possible without physical attack and is almost meaningless in this context anyway since many varied people will use this system on the premises with no personal login at all. I am not trying to safeguard that type of security. I am not trying to authenticate user logins, I am trying to detect if my system is running off the premises and prevent or delay it's use.

        One interesting point you made touches exactly on one of my major concerns - "a risk that an enterprising hacker can intentionally create and take advantage of time gaps between the launching of the Perl interpreter and the loading of your script to change the effective user id or wreck other havoc." In an attempt to counter such an approach my program checks it's effective user id on each pass. My assumption was that to crack a perlapp, this would be a likely route. My hope was that for an attacker to take this route the perlapp would have to be run and so would have a chance to fork and render itself useless.

        I am looking for roadblocks and delays in an unusual security context.

        And, sorry, I am aware that there are inconsistencies in what I am telling you. A bit like visiting the doctor and lying about your symptoms. However, your critical input is helpful nevertheless.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://890336]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others about the Monastery: (18)
As of 2014-07-31 18:31 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My favorite superfluous repetitious redundant duplicative phrase is:









    Results (250 votes), past polls