Chapter 16 Flashcards

Looking at Access and Authentication Methods

1
Q

Summarize various PAM modules and features. 

A

PAM is a one-stop shop for various applications to implement authentication services. For an application to use PAM, it must be compiled with the libpam.so module and have an associated PAM configuration file. The configuration files are located in the /etc/pam.d/ directory. Applications can enforce strong passwords employing any of the three PAM modules—pam_unix.so, pam_pwhistory.so, and pam_pwquality.so (the latter of which was formerly called pam_cracklib.so). PAM can also provide account lockouts to protect against brute-force attacks. This is accomplished via the pam_tally.so or pam_faillock.so module, depending on the system’s distribution. If your environment incorporates LDAP, it also can be integrated with PAM. The PAM module to do so is the pam_ldap.so module.

2
Q

Describe PKI and its components. 

A

PKI protects cipher key integrity. This framework includes the CA structure, which validates a person’s or device’s identity and provides a signed digital certificate. The certificate includes a public key and can be sent to others so they can verify that the public key is valid and does truly come from the certificate holder. Self-signed certificates are available but should only be used for testing purposes. Symmetric key encryption uses only a private key for both encrypting and decrypting data. Asymmetric key encryption uses a public/private key pair, where commonly the public key is used for encryption and the private key is used for decryption. Hashing data prior to encryption and then encrypting the produced message digest allows you to add a digital signature to your transmitted encrypted data. It provides a means of data integrity.

3
Q

Explain the various SSH features and utilities. 

A

The OpenSSH application provides SSH services via the ssh command and sshd daemon. To configure SSH client connections, you can either use ssh command-line options or employ the ~/.ssh/config or /etc/ssh/ssh_config file. For the server side, the configuration file is /etc/ssh/sshd_config. When you initially establish an SSH connection from a client to a remote SSH server, the server’s key information is stored in the ~/.ssh/known_hosts file. If keys need to be regenerated or you are setting up a password-less login, you can employ the ssh-keygen utility to create the needed keys. When you are setting up a password-less login, two files should be created, which are located in the ~/.ssh/ directory and named id_rsa and id_rsa.pub. The public key is copied to the SSH server system and placed in the ~/.ssh/authorized_keys file via the ssh-copy-id command. An alternative is to use the ssh-agent and add the needed key via the ssh-add command.

4
Q

Compare the various VPN client security implementations. 

A

Typically used when a connection must traverse a public network, VPN software establishes a secure encrypted connection between two systems. The protocols involved may be SSL/TLS, DTLS, and IPSec. The SSL/TLS protocol is stream-oriented and protects against on-path attacks. DTLS only uses UDP packets, which makes it faster than TCP packet-only protocols. IPSec operates at the Network layer. It provides two modes—tunnel mode and transport mode. OpenVPN is the most popular VPN software; it uses its own proprietary protocol but employs SSL/TLS for the key exchange.

5
Q

For an application to use PAM, it needs to be compiled with which PAM library?

A. ldd
B. pam_nologin.so
C. pam_unix.so
D. libpam
E. pam_cracklib
A

D. For an application to use PAM, it must be compiled with the libpam (also called libpam.so) library. Thus, option D is the correct answer. Option A lists the ldd command, which allows you to view modules compiled with various applications. Therefore, option A is a wrong answer. Options B, C, and E are all PAM modules, but none are the PAM library module needed to make an application PAM-aware. Therefore, options B, C, and E are incorrect choices.

6
Q

Which of the following will display failed login attempts? (Choose all that apply.)

A. tally2
B. pam_tally2
C. pam_tally2.so
D. pam_faillock
E. faillock
A

B, E. The pam_tally2 and faillock commands display failed login attempts, and therefore options B and E are correct answers. The tally2 command does not exist, and thus option A is a wrong answer. The pam_tally2.so module is involved with locking out accounts due to failed login attempts, but it does not display failed logins. Therefore, option C is a wrong choice. The pam_faillock is made up, and thus, option D is also an incorrect choice.

6
Q

Which of the following are PAM control flags? (Choose all that apply.)

A. requisite
B. required
C. allowed
D. sufficient
E. optional
A

A, B, D, E. requisite, required, sufficient, and optional are all PAM control flags you may find in a PAM /etc/pam.d/ configuration file. Therefore, options A, B, D, and E are correct. Option C, allowed, is made up and thus an incorrect choice.

7
Q

Leigh encrypts a message with Luke’s public key and then sends the message to Luke. After receiving the message, Luke decrypts the message with his private key. What does this describe? (Choose all that apply.)

A. Symmetric key encryption
B. Asymmetric key encryption
C. Public/private key encryption
D. Secret key encryption
E. Private key encryption
A

B, C. Asymmetric, or public/private, key encryption involves a message sender encrypting a message with the receiver’s public key. When the receiver obtains the encrypted message, it is then decrypted using the receiver’s private key. Therefore, options B and C are correct answers. Symmetric key encryption is also called secret or private key encryption. It involves the sender and receiver using the same secret key to encrypt and decrypt a message. Therefore, options A, D, and E are incorrect choices.

8
Q

Which of the following best describes a digital signature?

A. Plaintext that has been turned into ciphertext
B. Ciphertext that has been turned into plaintext
C. A framework that proves authenticity and validation of keys as well as the people or devices that use them
D. A digital certificate that is not signed by a CA but by an end user
E. An original plaintext hash, which is encrypted with a private key and sent along with the ciphertext
A

E. Option E best describes a digital signature and is therefore the correct answer. Option A describes encryption and is thus a wrong answer. Option B describes decryption and is also an incorrect choice. PKI is described in option C, and thus option C is a wrong answer. Option D describes a self-signed digital certificate, and therefore it is an incorrect choice as well.

9
Q

The OpenSSH application keeps track of any previously connected hosts and their public keys in what file?

A. ~/.ssh/known_hosts
B. ~/.ssh/authorized_keys
C. /etc/ssh/known_hosts
D. /etc/ssh/authorized_keys
E. /etc/ssh/ssh_host_rsa_key.pub
A

A. The OpenSSH application keeps track of any previously connected hosts and their public keys in each user’s ~/.ssh/known_hosts file. Therefore, option A is the correct answer. The ~/.ssh/authorized_keys file is used on an SSH server to keep track of authorized public keys used for password-less authentication. Therefore, option B is a wrong answer. Options C and D are made up and therefore incorrect choices. Option E is an RSA public key that could be created by the ssh-keygen utility, so it is a wrong choice as well.

10
Q

Which of the following are OpenSSH configuration files? (Choose all that apply.)

A. ~/.ssh/config
B. /etc/ssh/ssh_config
C. /etc/ssh/sshd_config
D. /etc/sshd/ssh_config
E. /etc/sshd/sshd_config
A

A, B, C. The ~/.ssh/config, /etc/ssh/ssh_config, and /etc/ssh/sshd_config files are all OpenSSH configuration files. Therefore, options A, B, and C are correct choices. The files listed in options D and E are made up and therefore incorrect answers.

11
Q

Which of the following files may be involved in authenticating with SSH keys?

A. /etc/ssh/ssh_host_rsa_key
B. /etc/ssh/ssh_host_rsa_key.pub
C. ~/.ssh/id_rsa_key
D. ~/.ssh/id_rsa_key.pub
E. ~/.ssh/id_rsa
A

E. The only correct answer is option E. These identity keys are created with the filenames of id_type for the private key and id_type.pub for the public key. The key in option E is a private key using the RSA algorithm. Option A’s key is an RSA private key used in establishing a password authenticated SSH connection, so it is a wrong answer. The key listed in option B is a public version of option A’s key, so it too is a wrong choice. The keys listed in options C and D are made up, and thus they are wrong choices as well.

12
Q

Which of the following is true concerning TCP wrappers? (Choose all that apply.)

A. The /etc/hosts.allow file is consulted first.
B. The /etc/hosts.allow file should contain ALL: ALL to provide the best security.
C. If an application is compiled with the libwrap library, it can employ TCP Wrappers.
D. IP addresses of remote systems can be listed individually or as entire subnets.
E. TCP Wrappers are considered to be deprecated by many distributions, and firewalls should be used instead.
A

A, C, D, E. Options A, C, D, and E are all true statements concerning TCP wrappers and therefore are correct choices. You would never want to place ALL: ALL in the /etc/hosts.allow file because it would block everyone from accessing the service. Instead, you would want to place this record in the /etc/hosts.deny file to provide the best security because it is checked last. Therefore, option B is a wrong choice.

13
Q

Which of the following protocols or frameworks might be involved in using VPN software as a client? (Choose all that apply.)

A. Tunnel
B. SSL/TLS
C. Transport
D. IPSec
E. DTLS
A

B, D, E. Options B and E are protocols that may be involved in using VPN software as a client, and therefore they are correct choices. IPSec is a framework, which may be involved at the Network layer when using VPN software as a client, and thus option D is also a correct answer. Tunnel and transport are modes of IPSec, but not frameworks or protocols, so options A and C are incorrect choices.
