
Authentication Providers

oh yes we all need government-issued digital IDs that compromise all forms of privacy and are prone to leaks

Authentication providers are the software architecture and code that underpin (whatever that means) the mechanism by which a user is authenticated before a shell or session is started.

In Linux this is called a login, Windows calls it a sign-on, and both use knowledge-based authentication (something the user knows, such as a password or PIN).

Knowledge-based authentication relies on cryptographic hashing, which maps any input string to a fixed-length digest from which the original string cannot practically be recovered, and for which two different inputs are not expected to produce the same digest. This lets a system store only the hash of each password rather than the plaintext: at login, the submitted password is hashed and the result is compared with the stored hash.
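The hash-comparison login described above, written out as an added example (my code, not part of the lesson). It adds two details the paragraph leaves out: a random per-user salt, so two users with the same password get different stored hashes, and a slow key-derivation function (PBKDF2 from the standard library) instead of a plain hash, so guessing is expensive. The record format `pbkdf2_sha256$iterations$salt$digest` and the iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for this example; real deployments tune it to their
# hardware and store it in the record so it can be raised later.
ITERATIONS = 200_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations, then compare.

    hmac.compare_digest runs in time independent of where the digests differ,
    so the comparison itself does not leak information about the stored hash.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never authenticate
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_different_records(password: str) -> bool:
    """True when salting makes two enrolments of one password look unrelated."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed demo: enrol a user, then check a right and a wrong password.
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("login ok:", verify_password("wrong password", stored))
```

Only the record is stored; the plaintext never is. Because the salt and iteration count travel with the record, verification needs nothing else, and the stored value on its own is not useful for logging in.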

Windows Authentication (Raw Lesson Content)

Windows authentication involves a complex architecture of components, but the following three scenarios are typical:

  • Windows local sign-in—The Local Security Authority (LSA) compares the submitted credential to a hash stored in the Security Accounts Manager (SAM) database, which is part of the registry. This is also referred to as interactive logon.
  • Windows network sign-in—The LSA can pass the credentials for authentication to a network service. The preferred system for network authentication is based on Kerberos, but legacy network applications might use NT LAN Manager (NTLM) authentication.
  • Remote sign-in—If the user's device is not connected to the local network, authentication can take place over some type of virtual private network (VPN) or web portal.

Linux Authentication (Raw Lesson Content)

In Linux, local user account names are stored in /etc/passwd. When a user logs in to a local interactive shell, the password is checked against a hash stored in /etc/shadow. Interactive login over a network is typically accomplished using Secure Shell (SSH). With SSH, the user can be authenticated using cryptographic keys instead of a password.

Pluggable Authentication Modules (PAM) is a framework, shipped as a package, for enabling different authentication providers, such as smart card login. PAM can also be used to implement authentication against network servers.