BSD Authentication

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Dcirovic at 16:43, 13 July 2016 (refs).

BSD Authentication, otherwise known as BSD Auth, is an authentication framework and software API employed by some Unix-like operating systems, specifically OpenBSD and BSD/OS, and by system and application software that runs on them, such as OpenSSH and Apache. It originated with BSD/OS; BSDi donated the specification and implementation to the FreeBSD project, but it was OpenBSD that adopted the framework, in release 2.9. Pluggable Authentication Modules (PAM) serves a similar purpose on other operating systems such as Linux, FreeBSD and NetBSD.

BSD Auth performs authentication by executing scripts or programs as processes separate from the one requesting authentication. The child authentication process therefore cannot interfere with the parent except through a narrowly defined inter-process communication API, a technique inspired by the principle of least privilege and known as privilege separation. This has significant security benefits, notably improved fail-safety and robustness against both malicious code and accidental bugs in the authentication code: a crashing or compromised authenticator cannot corrupt the calling program's memory, and can influence it only through the messages the protocol allows.[1] PAM uses an alternative design in which the modules providing authentication are dynamically linked into the requesting process, so a module runs in that process's address space and with its privileges. This method is considered more flexible than BSD Auth[citation needed], but it does not provide privilege separation without additional configuration.
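The privilege-separated call described above, as an added example that is not part of the original page and not OpenBSD's own code: the caller forks an authenticator, hands it one end of a socketpair as file descriptor 3 (the back-channel convention documented in OpenBSD's login.conf(5)), delivers the password, and accepts only the documented keywords the child writes back. The login-style script and its two-user table, the use of the "response" service to pass a NUL-terminated password, the timeout, and the fail-closed rules in `decide()` are assumptions made for this example, not a transcription of OpenBSD's libc (auth_userokay(3) and friends).

```python
"""BSD Auth-style call: caller and authenticator are separate processes that
talk only over a back channel on file descriptor 3. Added illustration, not
OpenBSD's libc (auth_userokay(3) etc.) nor a real login_* program: the fd 3
back channel and the keywords (authorize, reject, setenv, ...) follow OpenBSD's
login.conf(5); the style script, its user table and the password hand-off are
constructed for this example."""
import os
import signal
import socket
import sys

# Constructed stand-in for /usr/libexec/auth/login_<style>, run by a fresh
# interpreter so it lives in its own process: a bug here cannot touch the
# caller's memory, and its only influence on the caller is what it writes to fd 3.
LOGIN_STYLE_SRC = r'''
import os, sys
USERS = {"alice": "hunter2", "bob": "correct horse"}   # constructed data
args = sys.argv[1:]                   # login_style [-s service] user [class]
service = "login"
if args[:1] == ["-s"]:
    service, args = args[1], args[2:]
user = args[0] if args else ""
if service != "response":             # this toy style only handles "response"
    os.write(3, b"reject silent\n")
    sys.exit(1)
buf = b""                             # caller sends the password, NUL-terminated
while not buf.endswith(b"\0") and (chunk := os.read(3, 1)):
    buf += chunk
if USERS.get(user) == buf.rstrip(b"\0").decode("utf-8", "replace"):
    os.write(3, b"authorize\n")
    sys.exit(0)
os.write(3, b"reject\n")
sys.exit(1)
'''
# Constructed faulty style: claims success but exits non-zero.
BUGGY_STYLE_SRC = "import os, sys; os.write(3, b'authorize\\n'); sys.exit(1)"

ACCEPT = {"authorize", "authorize secure"}                 # the only "yes" answers
SIDE_REQUESTS = {"setenv", "unsetenv", "value", "maxtries", "remove"}


def decide(back_channel_data, wait_status):
    """The whole IPC API, as seen by the caller: a clean exit plus an explicit
    authorize keyword. Crashes, silence, unknown output or any reject => no."""
    if not os.WIFEXITED(wait_status) or os.WEXITSTATUS(wait_status) != 0:
        return False
    authorized = False
    for line in back_channel_data.decode("utf-8", "replace").splitlines():
        if line in ACCEPT:
            authorized = True
        elif line.startswith("reject"):
            return False
        elif line.split(" ", 1)[0] in SIDE_REQUESTS:
            continue            # libc would record these for the caller; ignored here
        else:
            return False        # unknown keyword: fail closed
    return authorized


def auth_call(user, password, style_src=LOGIN_STYLE_SRC, timeout=5.0):
    """Fork, give the child a socketpair end as fd 3, exec the style program
    with '-s response user', hand over the password and return its verdict."""
    if "\0" in password:
        return False
    parent_end, child_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:                                        # child
        try:
            parent_end.close()
            if child_end.fileno() != 3:
                os.dup2(child_end.fileno(), 3)          # new fd is inheritable
            os.set_inheritable(3, True)                 # needed if it already was 3
            # Every other Python-created fd is close-on-exec (PEP 446).
            os.execv(sys.executable,
                     [sys.executable, "-c", style_src, "-s", "response", user])
        finally:
            os._exit(127)                               # exec failed
    child_end.close()                                   # parent
    data = b""
    try:
        parent_end.settimeout(timeout)
        parent_end.sendall(password.encode("utf-8") + b"\0")
        while chunk := parent_end.recv(4096):           # until EOF (child exited)
            data += chunk
    except OSError:                                     # EPIPE, timeout, ...
        os.kill(pid, signal.SIGKILL)                    # a hung style must not hang us
        data = b""
    finally:
        parent_end.close()
        _, status = os.waitpid(pid, 0)
    return decide(data, status)
```

Calling `auth_call("alice", "hunter2")` returns True and `auth_call("alice", "wrong")` returns False; the `BUGGY_STYLE_SRC` case returns False even though the child wrote "authorize", because the caller checks keyword and exit status together. The points to notice are that the parent's only trust boundary is `decide()`, that a style program that hangs is killed after `timeout` instead of stalling the caller, and that anything the child emits outside the documented vocabulary is treated as a rejection. In OpenBSD the login_* programs are separate setgid executables; this toy simply runs the child with the caller's own credentials, so it models the process boundary and the narrow protocol, not the privilege reduction.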

References

  1. Niels Provos, Markus Friedl and Peter Honeyman. "Preventing Privilege Escalation". Proceedings of the 12th USENIX Security Symposium, 2003, pp. 231–242.