Basic Authentication Walk-through

Seth Ellsworth
1. The user opens a secure connection with the application.
2. The application sends a prompt for the username.
3. The user’s sends a username to the application.
4. The application queries NSS (using getpwnam) about the user.
5. NSS reads /etc/nsswitch.conf and processes the passwd: files vas3 entry.
6. NSS queries nss_files which reads /etc/passwd and returns ENOENT because no matching user entry is found.
7. NSS queries nss_vas3.
8. nss_vas3 sends an interprocess communication (IPC) to vasd to update the user.
9. vasd uses credentials from the keytab to request a ticket to talk to the LDAP/ service in Active Directory (AD).
10. AD key-distribution center (KDC) returns the requested service ticket.
11. vasd queries AD LDAP for the user information.
12. The user’s information is returned.
13. vasd writes the user information into its local cache (persistence database).
14. vasd responds to nss_vas3 that it has updated the user.
15. nss_vas3 queries the local cache and formats the data into a passwd-style response.
16. nss_vas3 returns the passwd info to NSS. Note: There is no password hash since vasd does not have access to that unless using a legacy authentication setup.
17. NSS returns the information to the application.
18. The application calls PAM through pam_start then pam_authenticate.
19. PAM reads /etc/pam.conf and processes the pam_vas3 entry.
20. PAM queries pam_vas3.
21. pam_vas3 sends a forced update request for the user to vasd.
22. Since the request is made within 10 seconds of the previous request for the same user, vasd does not update it again. Returns that the user is updated.
23. pam_vas3 queries the local cache for the user information. The user is a VAS user so pam_vas3 will continue to attempt to authenticate the user instead of ignoring and letting the PAM stack fall past pam_vas3.
24. pam_vas3 returns a request for credentials (password) using PAM conversations including the prompt to use.)
25. PAM returns the request to the requesting application.
26. The application presents the user with the prompt for a password. (If the application is PAM conversation-aware, it uses the prompt pam_vas3 set).
27. The user enters a password.
28. The application passes the password to PAM.
29. The password is passed back to pam_vas3 through the conversation mechanism.
30. pam_vas3 requests a Kerberos ticket-granting ticket (TGT) for the user via a user key derived from the user’s samaccountname@realm and the supplied password. Kerberos does not use passwords: it uses keys derived from them for security. Thus, no passwords, even encrypted ones, are ever transmitted over the wire.
31. AD KDC returns the TGT (AS-REP).
32. pam_vas3 decrypts the response using the user key, obtaining a TGT and session key. The TGT and session key are used to request a service ticket (TGS-REQ) from the AD KDC for the user to authenticate against the “host/” (local machine) service.
33. The AD KDC returns the service ticket (TGS-REP), which is decrypted using both the session key (user portion) and the “host/” key (service portion) that is stored in the host.keytab file.
34. pam_vas3 processes the payload of the service portion of the service ticket, which is the privileged access certificate (PAC), a list of SIDs of groups of which the user is a member, and sends these through a secure IPC to vasd.
35. vasd modifies the local cache to set the current group memberships.
36. vasd returns success to pam_vas3.
37. pam_vas3 creates the user’s home directory if needed.
38. pam_vas3 calls VGP to apply any user policies.
39. pam_vas3 stores the user’s TGT and “host/” service ticket in the local cache for the user to use again if desired.
40. pam_vas3 sets the environment variable VAS_LOGONSERVER to the server used for auth (this is not guaranteed to be in effect in the user’s final shell), and fills the ~/.vas_logon_server file with the server name.
41. pam_vas3 reads the user account information from the local cache. It verifies the user is within any configured login hours and has a valid shell (not /bin/false in AD).
42. pam_vas3 queries the local cache for the user’s group membership information and confirms that the user has access based on any configured access control.
43. pam_vas3 sets a PAM stack variable to note that it has already processed the above. (This is a per-authentication local variable).
44. pam_vas3 performs UID and GID conflict checking.
45. pam_vas3 writes a syslog entry that the authentication succeeded.
46. pam_vas3 pam_authenticate returns PAM_SUCCESS.
47. Because the pam_vas3 entry is configured with sufficient, PAM_SUCCESS is returned to the querying application, ignoring the rest of the PAM stack.
48. The application calls PAM, through pam_acct_mgmt and pam_open_session.
49. PAM reads /etc/pam.conf and processes the pam_vas3 entry.
50. PAM queries pam_vas3 for pam_acct_mgmt and pam_open_session.
51. pam_vas3 reads the variable set in step 43.
52. pam_vas3 returns PAM_SUCCESS to PAM for each call. These functions are used mainly during non-password authentication (GSSAPI, ssh keys, etc.) and password changes.
53. PAM returns PAM_SUCCESS to the application for both calls.
54. The application starts the user’s shell which then sets up the environment.
55. The OS/shell calls NSS getgroups for the user’s group memberships.
56. NSS reads /etc/nsswitch.conf and processes the group: files vas3 entry.
57. NSS queries nss_files which reads /etc/group and adds no groups if no local groups contain the user.
58. NSS queries nss_vas3.
59. nss_vas3 queries the local cache to compute the user’s group memberships.
60. nss_vas3 returns the memberships to NSS.
61. The shell uses the groups to set the process space group memberships.
62. The OS presents the shell to the application.
63. The application presents the shell to the user who is now logged in.