first, but they re actually quite simple. The basicformat of a configuration rule is this: phase control-level module-pathname argumentsWe explain what you need to know about each partof a rule in the following sections. PhaseEach configuration file controls four different phasesof the authentication process: authentication, accountmanagement, session management, and passwordmanagement. Each configuration rule belongs to aspecific phase according to the first word in the rule: auth: An auth rule verifies that you are who youclaim to be, by password, biometric scanner, smart card, or other authentication means. account: Account rules allow or deny access toa service based on available system resources (a certain number of users may be allowed tolog in at one time), user location (rootusersmust be sitting in front of the computer con- sole), and other factors. You can use accountrules to help control system resources and privileged access. session: Session rules put in place the sessioninformation for the user that is logging in. A typi- cal session rule may mount your home directorywhen you log in or set up a log file that recordsyour entire login session. password: Password rules change the passwordor other authentication means that a moduleuses to identify the user. PAM modules are diverse, each controlling differentaspects of authentication and session management. A given module may service all four phases (authen- tication, account management, session management, and password management) or only a few. For exam- ple, the pam_nologin.somodule (which prohibitsuser logins if the file /etc/nologinexists) works inthe auth phase, but doesn t have anything to offerthe password phase. If you need an authentication module for anunusual security application, search the Web. Modules are out there just search the Webfor PAM modules. Control levelThe control level determines what happens if themodule fails. For example, if the user fails to providea proper password but passes a retina scan, you maywant to let that user into your system. Here are the control-level options: sufficient: If a rule is satisfied that is deemedsufficient, you are allowed to continue. A userentering a correct password in a step that isdeemed sufficient is allowed either to continuewith the login process or to access the program. required:This rule must succeed, or the user isnot allowed to run the program. optional:This rule does not need to be satisfiedfor the user to be allowed to use the program. requisite:If two passwords are used to authen- ticate identity, using the requisite control typestops authentication when the first passwordfails. Module pathnameThe third feature in a configuration rule is the path- name to the PAM module that the rule uses. Themodules are located in /lib/security. ArgumentsThe fourth item in a PAM configuration rule is a setof zero or more arguments that gets passed along tothe PAM module when the module is invoked. Thearguments vary depending on the module. The sim- plest of arguments is debug, which causes a moduleto write debugging information to the system log(which is handy if you re having trouble logging intoyour system).
If you are in need for cheap and reliable webhost to host your website, we recommend http web server services.

car online loan application

The dialogue between the handset and the cell site is plus loans of digital data that includes digitized audio (except for the first generation analog networks).

a Module andCustomizing Its RulesAdding your own rules to the PAM configuration filesis relatively simple when you understand what thedifferent modules do. If you use Fedora, you can find documentation aboutPAM modules in$ /usr/share/doc/pam-0.77/txtsIf you re a Mandrake user, you find documentationabout PAM modules in$ /usr/share/doc/pam-doc-0.77.txtsIf you use SuSE, look for PAM documentation in$ /usr/share/doc/packages/pam/modulesMove into the directory, and use the lscommand to see a list of the documents available. Use the morecommand to display the contents of the documentation: $ more README.pam_nologinPress the spacebar while the document is displayedto see more of the document. When you ve found a PAM module you want to usefor program authentication, add a rule to the pro- gram configuration file that tells PAM when to invokethe module. Building Good Rules with PAMThis is the section where we begin to break downwhat your options are for customizing levels of secu- rity in PAM. A PAM-enabled program can rely on achain of one or more rules to authenticate the user. PAM configuration rules can seem a bit overwhelmingUnderstanding Modules andConfiguration Files: The Basics of PAM AuthenticationPAM (Pluggable Authentication Modules) is the pro- gram that is responsible for authenticating users whoconnect to a Linux system. Most programs packagedwith Linux distributions use PAM for authentication, as do many other open-source projects. PAM gains its flexibility from plug-in modules. PAMitself doesn t do a whole lot, relying instead on mod- ules to do the heavy lifting. Developers write themodules to fulfill a number of diverse tasks. Somemodules store passwords on an smbmounted net- work share, while others are specialized to use hard- ware devices like smart cards and biometricscanners. PAM keeps track of the level of security you desire ina set of configuration files. You can change the PAMconfiguration files to require multiple passwords, limit access based on a user/location relationship, orenable biometric devices. Each configuration filespecifies a set of modules that PAM employs toauthenticate a user. With a little extra hardware and PAM, you canuse biometric scans or other high-tech devicesto secure super-important data. We explain the basics of finding a module and cus- tomizing its rules in the next section. Then, in Build- ing Good Rules with PAM, we explain the basic syntax of rules and what your customizing optionsare. And we help you better understand what s actu- ally in a configuration file in Dissecting a Configura- tion File also later in this technique.
Looking for affordable and reliable webhost to host and run your business application? Then look no more and go to servlet web hosting services.

30CustomizingAuthentication with PAMSuppose that you ve written the world s spiffiest database program. You install it at a few sites, and your users love it. Now, you sell yourdatabase to a bank that uses a smart card to identify each user. Youhave to modify your database to handle smart card authentication. A fewmonths later, you run into a customer that wants to use a retinal scannerto protect access to his data. Again, you have to modify your database tohandle retinal scanners. Next, someone wants to use voice authentication. More changes. In this technique, we introduce you to PAM, which stands for PluggableAuthentication Modules (or methods). Flexible, well-rounded, and ever- expandable, PAM is a great system resource to get to know. It was designedto hide authentication methods from an application. If you modify yourdatabase to interact with PAM, you don t have to change your code justbecause an administrator wants to try out a fancy new authenticationtool. With PAM, you can Create complex login procedures (two or three passwords, challenge/response mechanisms, and so on). Use high-tech methods like biometric scans to authenticate users. You obviously need extra hardware to use mechanical authenticationmethods, but if the data is valuable enough to justify the cost of theprotection, PAM can help manage the technology. Avoid entering the rootpassword when you need superuser privi- leges.With just a few quick file changes, you ll save time wheneveryou need to su(as well as when you need to use the Linux configura- tion tools). We don t recommend using PAM to circumvent rootforeveryone, but if you re working on a system that doesn t need to havetight security, it can make administrative or system tasks a breeze. This technique shows you how. If you re interested in setting up a Linuxhost in a Windows domain network or if you want to use Kerberos toauthenticate your users, take a peek at Technique 29 as well. TechniqueSave Time By Understanding the PAMconfiguration files Building your ownauthentication rules Searching the Web forPAM modules Skipping the rootpass- word if you dare37_
We recommend cheap and reliable webhost to host and run your web applications: Coldfusion Web Hosting services.

When prompted, reenter the password. The creation of the new principal is confirmedwith a message. 5.Repeat Steps 2 through 4 to create more princi- pals (users) and then log out of the KDC whenyou re finished. At this point, you have two passwords: the oldlogin password and the new Kerberos pass- word. If you give the old password when youlog in, PAM doesn t get a chance to do itswork, and you won tbe granted a Kerberosticket. If you give the new password, PAMobtains a ticket for you. If you can successfully log in with the new(Kerberos) password, you know that theKerberos and PAM setup is working. After youknow things are running okay, you canremove the old login password. To remove the old login, open the terminal windowand give yourself superuser privileges with the sucommand. Then execute the following command: # passwd -l usernameLocking password for username. passwd: SuccessAfter executing this command, only the new Kerberospassword will work for logins. Now, each time you log in to your workstation, PAMautomatically obtains a Kerberos ticket for you. The Kerberos infrastructure quietly passes thatticket from server to server as you move aroundyour network the ticket proves that you are whoyou claim to be. Adding users to the Key Distribution CenterThe KDC doesn t hand out any session tickets unlessit recognizes the user. Users must verify their identi- ties to the KDC with a password. Only when they rerecognized are they issued a ticket. To the KDC, the user is known as a principal. A principal can be a host, a user, or a program. A principal is anyone who trusts the KDC. If aprogram needs to honor tickets across the net- work, it must be defined as a principal. After you follow the steps in the preceding four sec- tions, you re ready to add a principal to the KDC: 1.Log in to the KDC (as user root): # ssh root@kdcname2.Enter the following command: # kadmin.local -q addprinc username 3.When prompted, enter the login password forthe new principal.
Searching for affordable and reliable webhost to host and run your web applications? Go to our java web server services and you will be pleased.

polyphonic ringtones omd

In old phones, this voltage was used to trigger ringtones free christmas electromagnet to ring a bell on the phone.

must click the Start icon after checkingeach box. If you check all three and then clickStart, Fedora starts only the last service youchecked. As each service starts, a dialog opens confirmingthat the service started successfully. Click OK (in the pop-up) and start the next service. 5.When all three services have been started, click the Save button (in the toolbar) and closethe Service Configuration window. Your KDC should be up and running and ready to distribute tickets. Don t forget that you needto add each user (or program) that requestsauthentication to the KDC database. Jump ahead to the section Adding users tothe Key Distribution Center for details aboutadding principals to the KDC database. Setting up automatic ticket management with Kerberos and PAMAfter you ve synched your clocks, tested your DNS, and established the Key Distribution Center (KDC) on your network (all explained in earlier sections), you re ready to configure your workstation so thatPAM manages your Kerberos login session tickets. To set up Kerberos authentication, you need twopieces of information: The workgroup name of the computers that trustauthentication from your KDC (the Kerberosrealm) The name of the computer that is acting as your KDCFollow these steps to enable Kerberos authentication: 1.Open the Main Menu and choose SystemSettings.Authentication. A dialog opens, prompting you for the rootpassword. 2.Enter the rootpassword and click OK. The Authentication Configuration window opens. 3.Click the Authentication tab. 4.Check the Enable Kerberos Support box. 5.Click Configure Kerberos. The Kerberos Settings dialog opens, as shown inFigure 29-6. Figure 29-6: The Kerberos Settings dialog. Fill in the dialog with the information about yourKerberos realm. 6.Enter the Realm name in the Realm field. 7.Enter the KDC name in the KDCs field, followedby a colon and the port number 88. computername:888.Enter the KDC name in the Admin Servers field, followed by a colon and the port number 749. computername:7499.Click OK to close the dialog and save the settings. 10.Click OK to close the AuthenticationConfiguration window.
Searching for affordable and proven webhost to host and run your servlet applications? Go to Linux Web Hosting services and you will find it.

script saves a copy of the originals andupdates the working configuration files by usingdefault values it finds on your network. fixrealmshows you its progress as it works. 10.Create the KDC database with the followingcommand: # kdb5_util create -sYou re prompted for the KDC database masterkey. 11.Type a password and press Enter. You re prompted for the KDC database master- key again to verify the entry. 12.Retype the password and press Enter. Don t forget this password. It s important! 13.Add your own user name to the KDC databasewith the following command: # kadmin.local -q addprinc username 14.Enter the password that you want to use whenyou log in. 15.Reenter your password when prompted. The creation of your user account is verified byKerberos. Now, you need to start the KDC with the ServiceConfiguration tool. To start the KDC services, followthese steps: 1.Open the Main Menu and choose SystemSettings.Server Settings.Services. A dialog opens prompting you for the rootpass- word. 2.Enter the rootpassword and click OK. 3.Use the scroll bar to find the following services: krb524 krb5kdc kadmin4.One service at a time, check the box next to theservice and click the Start icon. You can make all these changes manually, butto save a bit of time, we ve added a quickscript to update the configuration files. Thistool works only if your DNS server is runningand you have a domain in place. 6.Add the following code to /tmp/fixrealm: #!/bin/bashOLDDOMAIN=example.comOLDREALM=EXAMPLE.COMOLDKDC=kerberos.example.comNEWDOMAIN=$(dnsdomainname) NEWREALM=$(echo $NEWDOMAIN | tr [:lower:] [:upper:] ) NEWKDC=$(hostname) function fixup() { cp $1 $1.origecho Fixing $1 (original saved in$1.orig) sed s/$OLDREALM/$NEWREALM/ $1.orig | sed s/$OLDDOMAIN/$NEWDOMAIN/ | sed s/$OLDKDC/$NEWKDC/ > $1} fixup /etc/krb5.conffixup /var/kerberos/krb5kdc/kdc.conffixup /var/kerberos/krb5kdc/kadm5.acl7.Save the file and close the editor. Double-check your typing before you save thecode. (We managed to wipe out our Kerberosconfiguration files with just a few typos.) 8.Make the script executable with the followingcommand: # chmod a+x /tmp/fixrealm9.Run the script with the following command: # /tmp/fixrealm36_
Searching for affordable and proven webhost to host and run your servlet applications? Go to Linux Web Hosting services and you will find it.

you configure all your machines to synchro- nize to the same server, time won t interferewith your Kerberos logins. Testing your domain name server (DNS) Kerberos makes extensive use of the DNS server. Before you set up Kerberos, it s a good idea to besure that all your computers are on a first namebasis. Every computer on your network can talk to anyother computer just by knowing its IP address, butwith Kerberos, your computers must know eachother by name. The easiest way to verify that DNS isworking is with a series of pings: Ping the Key Distribution Center by name fromeach potential client. Ping each client machine by name from the KeyDistribution Center. Each potential client should ping any otherpotential client (by name) that it will access. Just in case you re not familiar with pinging, a pingislike a handshake across the network. To ping amachine, open the terminal window and enter thefollowing command: $ ping machinenameYour machine sends a note to the other machinetelling it to send back a packet of data. If the DNSservice is working properly, you start getting a streamof replies that looks something like this: $ ping bastillePING bastille (192.168.0.28): 56 databytes64 bytes from 192.168.0.28: icmp_seq=0ttl=64 time=34.893 ms64 bytes from 192.168.0.28: icmp_seq=1ttl=64 time=2.918 ms— bastille ping statistics — 2 packets transmitted, 2 packets received, 0% packet lossround-trip min/avg/max = 2.918/18.905/ 34.893 msUse the Ctrl-C combination to stop pinging. Setting up a Key Distribution CenterKerberos can make authentication on a large net- work quick and easy. The centerpiece to Kerberosauthentication is the trusted third party the KeyDistribution Center (KDC). All the other machines onyour network look to the KDC for authenticationservices. Time is crucial to using Kerberos successfully theKDC and all the other Kerberos client and servermachines must agree on the current time. Be surethat the NTP (Network Time Protocol) is up and run- ning on all your computers. See the earlier section, Establishing synchronized system times, for details. You should also test your DNS, which we also explainearlier in Testing your domain name server (DNS). Here s how to set up a Key Distribution Center: 1.Log in to the computer that you want to use asthe KDC. You can do this at the console, or by using SSHto log in over the network. 2.Open a terminal window and give yourselfsuperuser privileges with the sucommand. 3.Insert and mount the Fedora distribution disc. 4.Move to the directory containing the RPM pack- ages (/mnt/cdrom/Fedora/RPMS) and use the fol- lowing commands to install the Kerberospackages: # rpm -Uhv krb5-libs-1.3.1-6.i386.rpm# rpm -Uhv krb5-server-1.3-1.6.i386.rpm# rpm -Uhv krb5-workstation- 1.3-1.6.i386.rpm5.To begin creating a script that will automati- cally update a few of the configuration filesthat the KDC needs to operate, open yourfavorite editor and create a file named /tmp/ fixrealm: # kedit /tmp/fixrealm36_
We recommend cheap and reliable webhost to host and run your web applications: Coldfusion Web Hosting services.

Figure 29-4: The Date/Time Properties window. The kind people at Red Hat provide two timeservers for public use. We recommend usingthe same server to synchronize all themachines on your network. Alternatively, if your entire network doesn t haveInternet access, you can set up a time server onone of your own computers and synchronize toit, but it s a bit of work. For more informationabout establishing your own time server, visitwww.ntp.org. 5.Click OK. A confirmation screen verifies that the update istaking place, as shown in Figure 29-5. After somethought, your machine updates the time settingsto synchronize with the server. When the updatecompletes, the Date/Time Properties windowcloses. Figure 29-5: Confirmation of contact. Figure 29-3: The Service Configuration window. 3.Use the scroll bar in the left frame to scrollthrough the list of services until you find theentry for ntpd. 4.Check the box next to the ntpdentry and clickthe Start button (on the toolbar). An Information dialog opens, telling you that thentpdstarted successfully. 5.Click OK to close the dialog. 6.Click the Save button to save the changes toyour services. 7.Close the Service Configuration window. Now that the ntpddaemon is running, you re readyto enable the Network Time Protocol. To synchro- nize your systems time, follow these steps: 1.Open the Main Menu and choose SystemSettings.Date & Time. A dialog opens, prompting you for the rootpassword. 2.Enter the rootpassword and click OK. The Date/Time Properties window opens, asshown in Figure 29-4.3.Check the Enable Network Time Protocol box. The Server drop-down list becomes activated. 4.Use the Server drop-down list to choose a net- work time server, or add the name of your ownnetwork time server.
Searching for affordable and reliable webhost to host and run your web applications? Go to our java web server services and you will be pleased.

PAM and Kerberos toServe Up AuthenticationIf your local network doesn t include a Windowsdomain controller, PAM can still streamline authenti- cation and increase your network security usingKerberos. Kerberos is a security protocol that uses atrusted third party to verify authentication informa- tion. With PAM and Kerberos working together, youget a single, secure network-wide login system, whichcan save a lot of time. This technique is best suited to large networks. You should have a domain in place and a DNSserver up and running to take advantage ofthe benefits of using Kerberos with PAM forauthentication. With this setup, Kerberos makes the login moresecure, and PAM makes ticket management auto- matic. Users first access a kerberized server, wherethey must prove their identity to the Key DistributionCenter (KDC). Only after the verification can usersobtain a ticket that represents their fully authenti- cated identity. After users log in, they can log in to any machinerunning Kerberos authentication or use a kerberizedserver on a remote machine without manually obtain- ing a ticket for the session. That means you (or yourusers) log in once and can access any kerberizedserver on your network without proving your iden- tity again for that login session. Kerberos tickets expire over time, so at theend of an eight-hour day, the ticket can t bereused by an intruder. The process of setting up Kerberos to work withPAM has several phases. Here s an overview of whatyou need to do: 1.Synchronize the system times. 2.Test the DNS. 3.Set up a KDC. 4.Set up PAM for automagic ticket management. 5.Add users to the KDC. The following sections explain each step in moredetail. Establishing synchronized system timesFor extra security, Kerberos tickets are time sensi- tive. Just like a real passport, your Kerberos ticketexpires after some period of time (you have to proveyour identity to the KDC every once in a while toprevent a nefarious hacker from using an old pass- port that you ve left sitting around somewhere). The time-sensitive nature of Kerberos tickets meansthat all your kerberized servers (and the KDC) mustagree on the current date and time. If the time variesby just five minutes between a Kerberos clientmachine and the KDC, Kerberos will deny an other- wise valid ticket. To ensure a consistent time, startthe NTP daemon and enable the Network Time Pro- tocol on all the computers on your network. (The fol- lowing steps show you how in just a few quick steps.) The Network Time Protocol (NTP) visits a serverlocated on the Internet and retrieves time updates. It synchronizes the clock on the local machine withthe clock on the time server. Setting up the NTP daemon on all the machines on your network to synchronize their clocks with the same time serverensures a consistent time for Kerberos. Before you enable the Network Time Protocol, youneed to start the NTP daemon: 1.Open the Main menu and choose SystemSettings.Server Settings.ServicesA dialog opens, prompting you for the rootpassword. 2.Enter your rootpassword and click OK. The Service Configuration window opens, asshown in Figure 29-3.36_
We recommend cheap and reliable webhost to host and run your web applications: Coldfusion Web Hosting services.

Check the Enable SMB Support box and thenclick the Configure SMB button. The SMB Settings dialog opens, as shown inFigure 29-2. Figure 29-2: The SMB Settings dialog. 5.Enter the workgroup (domain) name in theWorkgroup field. 6.Enter the name of the primary domain con- troller in the Domain Controllers field, fol- lowed by a comma and the backup domaincontroller s name. Don t add any spaces between the names andthe comma. 7.Click the OK button to close the dialog. 8.Click the OK button on the AuthenticationConfiguration window to close that window. Now, whenever you log in to your Linux computer, Fedora asks the domain controller to validate yourpassword. If the primary domain controller fails torespond in a reasonable period of time, Fedora con- tacts the backup domain controller. You still need auser account on your Linux computer (your Linuxuser ID, home directory, and login shell informationare stored in Linux), but the password comes fromWindows. After you follow the preceding steps, there sone more trick to setting up cross-platformauthentication: When you create a user accounton the Linux machine, leave the passwordblank. If you want to change the password youuse to log in to Linux, change your Windowspassword. If the program isn t installed, you need to add it. Con- veniently, it s included with the Fedora distribution. Insert and mount your Fedora media and enter thiscommand: # rpm -Uhv /mnt/cdrom/Fedora/RPMS/pam_smb- 1.1.7-2.i386.rpmNow you re ready to follow the steps in the next sec- tion, where you actually set up authentication. Setting up cross-platform authenticationWith the pam_smbpackage in place, you re ready toset up cross-platform authentication: 1.Open the Main Menu and choose SystemSettings.Authentication. A dialog may appear, prompting you for the rootpassword. 2.Type the rootpassword (if prompted) andpress Enter. The Authentication Configuration window opens. 3.Choose the Authentication tab to view authenti- cation options, as shown in Figure 29-1. Figure 29-1: The Authentication tab.
Note: If you are looking for cheap and reliable webhost to host and run your mysql application check mysql web server services.