The traditional Linux user management, especially the common passwd/shadow scheme with PAM, has several security problems:
Now, what is the difference in the new RSBAC User Management?
Group protection works the same way, only with fewer settings.
Once the migration is complete, you can remove the whole shadow suite together with pam_unix and the files /etc/passwd*, /etc/shadow*, /etc/group* and /etc/gshadow*.
Still, I recommend keeping the PAM helper modules, e.g. pam_cracklib.so. Just replace pam_unix.so with pam_rsbac.so in your PAM config files.
The rsbac_useradd and rsbac_groupadd commands can import existing accounts and groups, except for the passwords: these must be set manually for all accounts, as RSBAC does not include password crackers. ;) Naturally, the import has to happen before you remove pam_unix and the passwd/shadow files, and before you change the PAM and NSS configuration. It is sometimes necessary to rerun the import to get cross dependencies between groups and users right. Check your groups and users afterwards with rsbac_groupshow and rsbac_usershow.
The old {user|group}{add|mod|del} and passwd programs with PAM and NSS support should continue working as before, but you can also replace them with their rsbac_ counterparts. A symlink in /usr/local/bin works fine if this directory comes before /usr/sbin in PATH. Additionally, if you have no PAM, you can replace the old login with rsbac_login, which only understands RSBAC UM.
After testing on real server systems, I can gladly say that almost all Linux programs use the standard library calls and are thus compatible with the new user/group scheme, provided the PAM and NSS helper libraries have been installed and configured.
User management (UM) must be enabled in the RSBAC kernel configuration. To get passwords stored as SHA1 hashes (the option the menu calls encryption), this algorithm must first be enabled in the kernel Crypto menu; only with SHA1 enabled does the User Management menu show that option. After configuration, compile and install the kernel as usual.
The RSBAC admin tools contain the necessary user and group management tools with the usual Linux names ({user|group}{add|mod|del}, passwd, gpasswd, login), prefixed with rsbac_. Additionally, there are tools to retrieve and back up the stored information, namely rsbac_usershow and rsbac_groupshow. The rsbac_login command does not support PAM; it only understands RSBAC UM. These tools can be used as direct replacements, e.g. by symlinking them into /usr/local/bin, provided that directory comes before /usr/sbin in PATH.
Both rsbac_useradd and rsbac_groupadd have options to convert existing users and groups. As standard Linux passwords are hashed with a different algorithm and salt size, they cannot be converted, so the passwords of converted users and groups must be reset, e.g. with the rsbac_usermod command. To get dependencies between users and groups right, run “rsbac_useradd -v -O” before “rsbac_groupadd -v -O” and repeat the import if necessary. Always check the results with rsbac_usershow and rsbac_groupshow.
To let normal Linux user programs see and use RSBAC UM, you need to compile and install the NSS and PAM modules from the contrib directory of the admin tools. In /etc/nsswitch.conf replace compat with rsbac in the passwd, group and shadow lines, and in /etc/pam.d/* replace pam_unix with pam_rsbac. Then it simply works, provided you have granted the necessary access rights and imported the existing users and groups. It is generally a good idea to run in softmode first. :)
For a soft migration and first tries, you can run passwd/shadow and RSBAC UM in parallel for a while before switching the former off: in nsswitch.conf change “compat” to “compat rsbac”, and in /etc/pam.d/* add a “sufficient pam_rsbac.so” line (of the same type as the pam_unix.so line, e.g. auth) before each pam_unix.so line. A user known to RSBAC UM is then authenticated there, and everybody else still falls through to pam_unix.
New in 1.2.5: if you use pam_rsbac.so together with pam_cracklib.so, passwd asks for the new password first, before pam_rsbac.so asks for the old one. This behaviour breaks some programs, e.g. kdepasswd, and does not match most users' expectations. pam_rsbac_oldpw.so therefore simply asks for the old password, stores it in PAM and returns success. The password section of an /etc/pam.d file could then look like this:
password required pam_rsbac_oldpw.so
password required pam_cracklib.so retry=3 minlen=8 difok=3
password required pam_rsbac.so
After complete migration, you can enable UM exclusive mode to disallow all users and groups unknown to UM. The auth_may_setuid settings should be changed from full to last_auth_and_gid to deny unauthenticated setuids, and the AUTH capabilities (AUTH caps) should be reduced accordingly.
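The two-stage switch described above (parallel operation first, then the final cut-over to RSBAC UM only) comes down to a handful of edits in nsswitch.conf and /etc/pam.d that are easy to get subtly wrong by hand, e.g. by leaving an active pam_unix.so line behind. The POSIX shell functions below are an added example, not part of the RSBAC admin tools or of this handbook. They assume nsswitch.conf entries of the form “passwd: compat”, PAM entries of the form “type control module arguments”, and that lines starting with '#' are comments to be left alone; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the RSBAC admin tools or the handbook: functions
# that apply the nsswitch.conf and /etc/pam.d edits for the parallel phase
# ("compat rsbac", "sufficient pam_rsbac.so") and for the final cut-over
# (rsbac only, pam_unix.so replaced by pam_rsbac.so). They only touch the
# files passed as arguments, so run them on copies first and diff the result.
# Assumptions not stated on the page: nsswitch.conf entries look like
# "passwd: compat", PAM entries are "type control module args", and lines
# starting with '#' are comments that must be left alone.

# Phase 1, NSS: "compat" becomes "compat rsbac" for passwd, group and shadow.
nss_parallel() {
    f=$1
    for db in passwd group shadow; do
        sed "s/^\($db:[[:space:]]*\)compat[[:space:]]*$/\1compat rsbac/" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    done
}

# Phase 1, PAM: put a "sufficient pam_rsbac.so" line of the same type directly
# before every active pam_unix.so line. Users known to RSBAC UM are handled
# there; everybody else still falls through to pam_unix as before.
# Idempotent: a file that already references pam_rsbac.so is left alone.
pam_parallel() {
    f=$1
    grep -q 'pam_rsbac\.so' "$f" && return 0
    awk '/^[ \t]*#/ { print; next }
         /pam_unix\.so/ { print $1 "\tsufficient\tpam_rsbac.so" }
         { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Phase 2, NSS: RSBAC UM only. Handles both "compat rsbac" (after phase 1)
# and a plain "compat" that was never switched to parallel operation.
nss_exclusive() {
    f=$1
    for db in passwd group shadow; do
        sed -e "s/^\($db:[[:space:]]*\)compat[[:space:]]*rsbac[[:space:]]*$/\1rsbac/" \
            -e "s/^\($db:[[:space:]]*\)compat[[:space:]]*$/\1rsbac/" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    done
}

# Phase 2, PAM: drop the phase-1 helper lines and replace pam_unix.so by
# pam_rsbac.so in place, keeping each line's type, control flag and arguments.
pam_exclusive() {
    f=$1
    awk '/^[ \t]*#/ { print; next }
         /sufficient[ \t]+pam_rsbac\.so/ { next }
         { sub(/pam_unix\.so/, "pam_rsbac.so"); print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Sanity check before removing pam_unix and the passwd/shadow files: the three
# databases must name rsbac alone, and no active PAM line may still reference
# pam_unix.so. Returns 0 only when the cut-over is complete.
migration_complete() {
    nss=$1
    pamf=$2
    for db in passwd group shadow; do
        grep -q "^$db:[[:space:]]*rsbac[[:space:]]*$" "$nss" || return 1
    done
    ! grep -v '^[[:space:]]*#' "$pamf" | grep -q 'pam_unix\.so'
}
```

Typical use is to source the file, copy /etc/nsswitch.conf and one /etc/pam.d service file to a scratch directory, run nss_parallel and pam_parallel on the copies, diff them against the originals, and only then install them; migration_complete is the gate to pass before the shadow files and pam_unix are removed. The functions deliberately leave commented-out lines and non-matching databases (hosts, networks, ...) untouched.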