See https://www.freeipa.org for more information.
Oracle Internal & Oracle
The slide shows the Advanced Options tab from the Authentication Configuration GUI. On this tab, you can configure local authentication options that define authentication behavior on the local system, have home directories created automatically the first time a user logs in, and enable smart card authentication. Each of these options is discussed below.
Enable Fingerprint Reader Support
Assuming that the appropriate hardware is in place, this allows fingerprint scans to be used to authenticate local users rather than using other credentials. Use the following command to enable fingerprint reader support, from the command line:
# authconfig --enablefingerprint --update
Enable Local Access Control
This checks the /etc/security/access.conf file (read by the pam_access module) for local user authorization rules. Each entry specifies a combination of user and origin for which login is accepted or refused. The syntax of the entries is:
permission : users : origin
A plus sign (+) in the permission field means that the login is granted; a minus sign (-) means that it is denied. The users field can be a username, a group name, or the ALL keyword. The origin field is a host name, network, TTY (terminal), or the ALL or NONE keywords. Entries are evaluated in order and the first one that matches both the user and the origin decides; if no entry matches, the login is granted.
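The following is an added example, not part of the Oracle course material, showing how the rules described above are evaluated: entries are scanned top to bottom and the first one whose users and origin fields both match decides. It models only the fields the text describes (+/-, user or group names, ALL, and an origin given as a host name or TTY, or ALL/NONE); real pam_access also understands EXCEPT, LOCAL, netgroups and network/netmask origins, which are left out here. The access.conf content and the group table are constructed for the demonstration; on a live system the group lookup would be getgrnam().

```python
"""Evaluate /etc/security/access.conf rules the way pam_access does:
first matching rule wins, and no matching rule means access is granted.
Added example; the rules and group table below are constructed."""
from __future__ import annotations

import re
from typing import Optional

# Constructed group membership table (stands in for getgrnam()).
GROUPS = {
    "wheel": {"root", "alice"},
    "operators": {"alice", "carol"},
}

# Constructed sample access.conf content.
SAMPLE_ACCESS_CONF = """\
# root may log in only on the physical console
+ : root : tty1
- : root : ALL
# members of the operators group may come in from the bastion host only
+ : (operators) : bastion.example.com
- : (operators) : ALL
# the guest account is never accepted
- : guest : ALL
"""


def _split_list(field: str) -> list[str]:
    # pam_access accepts blanks and/or commas as separators within a field.
    return [tok for tok in re.split(r"[\s,]+", field.strip()) if tok]


def parse_rules(text: str) -> list[tuple[str, list[str], list[str], str]]:
    """Return (permission, users, origins, rule_text) for each non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed rule: {raw!r}")
        perm, users, origins = (p.strip() for p in parts)
        if perm not in ("+", "-"):
            raise ValueError(f"permission must be + or -: {raw!r}")
        rules.append((perm, _split_list(users), _split_list(origins), line))
    return rules


def _user_matches(item: str, user: str) -> bool:
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):
        # (group) is the unambiguous way to name a group in access.conf.
        return user in GROUPS.get(item[1:-1], set())
    # A bare name is tried as a user name first, then as a group name.
    return item == user or user in GROUPS.get(item, set())


def _origin_matches(item: str, origin: str) -> bool:
    if item == "ALL":
        return True
    if item == "NONE":
        return False
    return item.lower() == origin.lower()


def check_access(user: str, origin: str,
                 conf_text: str = SAMPLE_ACCESS_CONF) -> tuple[bool, Optional[str]]:
    """Return (allowed, matching_rule). The first rule whose users and origin
    fields both match decides; with no match pam_access grants access."""
    for perm, users, origins, line in parse_rules(conf_text):
        if (any(_user_matches(u, user) for u in users)
                and any(_origin_matches(o, origin) for o in origins)):
            return perm == "+", line
    return True, None


if __name__ == "__main__":
    for who, where in [("root", "tty1"), ("root", "ssh.example.com"),
                       ("alice", "bastion.example.com"), ("alice", "laptop.example.com"),
                       ("guest", "tty1"), ("bob", "tty2")]:
        allowed, rule = check_access(who, where)
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{who:6} from {where:20} -> {verdict:5} ({rule or 'no matching rule, default allow'})")
```

Note that the default is permissive: a user who appears in no rule (bob above) is let in, so a policy that is meant to be restrictive normally ends with a catch-all "- : ALL : ALL" line.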
Copyright © 2015, Oracle and/or its affiliates. All rights reserved.
Configuring Advanced Options
Password Hashing Algorithm
This sets the algorithm used to hash locally stored passwords (passwords are stored in /etc/shadow as salted hashes, not encrypted). The options are:
• DESCRYPT
• BIGCRYPT
• MD5
• SHA256
• SHA512
DESCRYPT, BIGCRYPT, and MD5 are legacy algorithms and should not be selected for new deployments; SHA512 is the default on Oracle Linux 7 and the recommended choice. You can also look at the password field in /etc/shadow to determine the algorithm in use for an account. The field starts with a specific set of characters, depending on the hashing algorithm used:
• MD5 starts with $1$
• SHA-256 starts with $5$
• SHA-512 starts with $6$
Traditional DES hashes have no $id$ prefix at all.
To determine the current algorithm from the command line:
# authconfig --test | grep hashing
You can also change the hashing algorithm from the command line. The following example changes it to SHA512. Note that existing hashes are not rewritten: each account keeps its old hash until its password is next changed, so legacy MD5 or DES entries remain in /etc/shadow until users change their passwords.
# authconfig --passalgo=sha512 --update
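The prefix rule above makes it easy to audit which accounts still carry a legacy hash after the algorithm has been changed. The following is an added example, not part of the Oracle course material, that classifies the password field of shadow-format entries by prefix and length, and also flags locked accounts and the dangerous case of an empty password field. The shadow lines are constructed for the demonstration (the digest bodies are filler of the correct length, not real hashes); on a live system you would read /etc/shadow as root instead.

```python
"""Audit the password field of /etc/shadow entries by hash prefix.
Added example; SAMPLE_SHADOW is constructed and contains no real hashes."""
from __future__ import annotations

import re

# Constructed sample: root on SHA-512, alice on SHA-256, an MD5 leftover,
# a DES-crypt leftover, a locked service account, an account with no
# password at all, and a disabled system account.
SAMPLE_SHADOW = "\n".join([
    "root:$6$rounds=5000$saltsaltsalt$" + "A" * 86 + ":16800:0:99999:7:::",
    "alice:$5$abcdefgh$" + "B" * 43 + ":16800:0:99999:7:::",
    "legacy:$1$abcdefgh$" + "C" * 22 + ":15000:0:99999:7:::",
    "ancient:ab" + "D" * 11 + ":14000:0:99999:7:::",
    "svc:!!:16800:0:99999:7:::",
    "nopass::16800:0:99999:7:::",
    "daemon:*:16800:0:99999:7:::",
])

# $id$ prefixes used by crypt(3) and the fixed length of each digest body.
PREFIXES = {
    "$1$": ("md5", 22),
    "$5$": ("sha256", 43),
    "$6$": ("sha512", 86),
}
# Legacy algorithms that authconfig can still select but that should be migrated.
WEAK = {"md5", "descrypt", "bigcrypt"}


def classify_hash(field: str) -> str:
    """Name the algorithm (or account state) encoded in a shadow password field."""
    if field == "":
        return "empty"           # no password required: any login attempt succeeds
    if field[0] in "!*":
        return "locked"          # '!', '!!' or '*' can never match a password
    for prefix, (name, digest_len) in PREFIXES.items():
        if field.startswith(prefix):
            body = field.rsplit("$", 1)[-1]   # after $id$[rounds=N$]salt$
            if not re.fullmatch(r"[./0-9A-Za-z]{%d}" % digest_len, body):
                return f"{name} (malformed)"
            return name
    if field.startswith("$"):
        return "unknown"         # some other $id$ scheme not offered by authconfig
    # No $id$ prefix: traditional DES crypt is exactly 13 characters (2 salt +
    # 11 hash); bigcrypt appends 11 more characters per additional 8-char block.
    return "descrypt" if len(field) == 13 else "bigcrypt"


def audit_shadow(text: str) -> list[tuple[str, str]]:
    """Return (user, classification) for every entry in shadow-format text."""
    result = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed shadow line: {line!r}")
        result.append((fields[0], classify_hash(fields[1])))
    return result


def weak_accounts(text: str) -> list[str]:
    """Accounts that need attention: legacy hash algorithm or no password at all."""
    return [user for user, alg in audit_shadow(text) if alg in WEAK or alg == "empty"]


if __name__ == "__main__":
    for user, alg in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:8} {alg}")
    print("needs attention:", ", ".join(weak_accounts(SAMPLE_SHADOW)))
```

Accounts reported by weak_accounts() keep their old hash until the password is changed, so after switching to SHA512 with authconfig the practical follow-up is to force a password change (chage -d 0 user) for each of them.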
Other Authentication Options
To enable the creation of user home directories at the first login, from the command line:
# authconfig --enablemkhomedir --update
Smart Card Authentication Options
A system can accept smart cards (or tokens) to authenticate users. The appropriate hardware must be available and the following package must be installed:
# yum install pam_pkcs11
Enabling smart card support prompts for additional configuration information:
• Require smart card for login: This disables Kerberos password authentication and all other methods of authentication for logging in to the system.
• Card removal action: Sets the system’s response to a smart card being removed during an active session. Options are Ignore, meaning that the system continues functioning, and Lock, which immediately locks the screen.
To enable smart card use, from the command line:
# authconfig --enablesmartcard --update
To enable smart cards and lock the system when the smart card is removed:
# authconfig --enablesmartcard --smartcardaction=0 --update
Setting --smartcardaction=1 (Ignore) does not lock the system when the smart card is removed.
Oracle Linux 7: Advanced Administration 3 - 31
The slide shows the Password Options tab from the Authentication Configuration GUI. From this tab, you can configure password complexity, which is a combination of length and variation of character classes. You can specify what types of characters can be used in a password and how those characters can be used within the password.
Minimal Password Requirements
Use the “Length” field to specify the minimum length of the password. Use the “Character Classes” field to specify the minimum number of character classes (uppercase letters, lowercase letters, digits, and other characters) that must be used in the password.
Required Character Classes
In this section, you can select character classes that must be present in every password. For example, if the “Digits” check box is selected, every password must contain at least one digit. All character types remain allowed; selecting a class only makes that class required.
Maximal Consecutive Character Repetition
Set the number of times that a character or character class can be repeated consecutively. A zero setting means there is no repeat limit. The “Same Character” field sets how many identical characters may appear in a row (for example, a limit of 2 accepts “aa” but rejects “aaa”). The “Same Class” field sets how many consecutive characters may come from the same character class (for example, a limit of 2 rejects “abc” because it is three lowercase letters in a row).
Configuring Password Options
Password complexity can also be configured from the command line by using the authconfig command with the following options:
• --passminlen: The minimum length of a password
• --passminclass: The minimum number of different character classes that must be used in a password
• --passmaxrepeat: The maximum number of identical characters that may appear consecutively
• --passmaxclassrepeat: The maximum number of consecutive characters that may belong to the same character class
• --enablerequpper: The password requires uppercase letters
• --enablereqlower: The password requires lowercase letters
• --enablereqdigit: The password requires numbers
• --enablereqother: The password requires special characters
The following example sets the minimum length of the password to eight characters, requires three different character classes, allows no more than two identical characters in a row and no more than two consecutive characters from the same class, and requires both digits and special characters.
# authconfig --passminlen=8 --passminclass=3 --passmaxrepeat=2 \
  --passmaxclassrepeat=2 --enablereqdigit --enablereqother --update
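The effect of the settings above is easier to judge against concrete passwords. The following is an added example, not part of the Oracle course material and not libpwquality itself: a checker that models only the settings listed above (minimum length, minimum number of classes, the two consecutive-repeat limits, and the required classes, which authconfig writes to /etc/security/pwquality.conf as dcredit = -1 and ocredit = -1). libpwquality additionally rejects dictionary words, palindromes, passwords too similar to the previous one, and strings derived from the user's name or GECOS field; none of that is modelled here. The candidate passwords are constructed test inputs.

```python
"""Check candidate passwords against the complexity settings authconfig
configures. Added example modelling only minlen, minclass, maxrepeat,
maxclassrepeat and required classes; not libpwquality."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable


def char_class(ch: str) -> str:
    """The four pwquality character classes."""
    if ch.isdigit():
        return "digit"
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    return "other"


def longest_run(items: Iterable) -> int:
    """Length of the longest run of consecutive equal items."""
    best = run = 0
    prev = object()
    for item in items:
        run = run + 1 if item == prev else 1
        best = max(best, run)
        prev = item
    return best


@dataclass
class Policy:
    minlen: int = 8
    minclass: int = 0
    maxrepeat: int = 0          # 0 disables the check, as in pwquality.conf
    maxclassrepeat: int = 0     # 0 disables the check
    required: set[str] = field(default_factory=set)  # classes that must appear


# The policy configured by the authconfig example above:
#   --passminlen=8 --passminclass=3 --passmaxrepeat=2 --passmaxclassrepeat=2
#   --enablereqdigit --enablereqother
EXAMPLE_POLICY = Policy(minlen=8, minclass=3, maxrepeat=2, maxclassrepeat=2,
                        required={"digit", "other"})


def check_password(pw: str, policy: Policy = EXAMPLE_POLICY) -> list[str]:
    """Return the violated rules; an empty list means the password is accepted."""
    failures = []
    classes = [char_class(c) for c in pw]
    present = set(classes)
    if len(pw) < policy.minlen:
        failures.append(f"shorter than {policy.minlen} characters")
    if len(present) < policy.minclass:
        failures.append(f"uses {len(present)} character classes, {policy.minclass} required")
    if policy.maxrepeat and longest_run(pw) > policy.maxrepeat:
        failures.append(f"more than {policy.maxrepeat} identical characters in a row")
    if policy.maxclassrepeat and longest_run(classes) > policy.maxclassrepeat:
        failures.append(f"more than {policy.maxclassrepeat} consecutive characters of one class")
    for cls in sorted(policy.required - present):
        failures.append(f"missing required class: {cls}")
    return failures


if __name__ == "__main__":
    # Constructed candidates; "Passw0rd!" and "Tr0ub4dor&3" fail only on the
    # class-repeat limit, which shows how strict --passmaxclassrepeat=2 is.
    for candidate in ["aB1!cD2@", "Passw0rd!", "Tr0ub4dor&3", "abc12345"]:
        problems = check_password(candidate)
        print(f"{candidate!r:14} {'OK' if not problems else '; '.join(problems)}")
```

Running the block shows that maxclassrepeat=2 rejects any password containing three letters of the same case in a row, which excludes most passphrase-style passwords; a value of 0 (disabled) or 4 is a more common choice when long passphrases are wanted.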
The System Security Services Daemon (SSSD) provides access to remote identity and authentication providers. Providers are configured as back ends with SSSD acting as an intermediary between local clients and any configured back-end provider. The local clients connect to SSSD and then SSSD contacts the providers. Benefits of SSSD include:
• Reduced load: Clients do not have to contact the identification/authentication servers directly; they need to contact only SSSD.
• Offline authentication: SSSD can, optionally, keep a cache of user identities and credentials, allowing users to authenticate offline.
• Single user account: SSSD maintains network credentials, allowing users to connect to network resources by authenticating with their local username on their local machine.
Install the following SSSD packages:
# yum install sssd sssd-client
To cause SSSD to start when the system boots, enter either of the following:
# systemctl enable sssd
# authconfig --enablesssd --update