BSD Authentication
Encyclopedia
BSD Authentication, otherwise known as BSD Auth, is an authentication framework and software API employed by some Unix-like operating systems, specifically OpenBSD and BSD/OS, and by accompanying system and application software such as OpenSSH and Apache. It originated with BSD/OS; although BSDi donated the specification and implementation to the FreeBSD project, it was ultimately OpenBSD that adopted the framework, in release 2.9. Pluggable Authentication Modules (PAM) serves a similar purpose on other operating systems such as Linux, FreeBSD and NetBSD.
BSD Auth performs authentication by executing scripts or programs as processes separate from the one requiring the authentication. Because the authenticator runs in its own address space, a bug or compromise in it cannot corrupt the calling program; the child can affect the parent only through a narrowly defined inter-process communication API. This technique, inspired by the principle of least privilege, is known as privilege separation. It has significant security benefits, notably improved fail-safeness (the caller grants access only on an explicit positive answer from the authenticator) and robustness against both malicious and accidental software bugs. PAM uses an alternative design in which the modules providing authentication are dynamically linked into the requesting process, so a flaw in a module executes with the full privileges of the caller. This method is considered more flexible than BSD Auth, but it does not provide privilege separation without additional configuration.
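As an added illustration of that process model (example code written for this article, not OpenBSD's libc, its auth_call() implementation, or any of its login scripts): the caller creates a socketpair, forks, hands the child its end as file descriptor 3, executes a stand-in authenticator script, and then grants access only if it reads an explicit `authorize` message back. The fd 3 back channel and the `authorize`, `reject` and `setenv` verbs follow the protocol OpenBSD's login.conf(5) describes; the newline-framed way the credentials are sent, the script contents, the user name and the password are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Descriptor number on which the authenticator expects its back channel.
 * OpenBSD's login scripts receive theirs as fd 3; we do the same here. */
#define BACK_CHANNEL_FD 3

/* Constructed stand-in for a login_<style> script (not OpenBSD's own code).
 * It reads "user\npassword\n" from the back channel, checks them against a
 * credential table that only this child process ever sees, and answers with
 * the same verbs a real script uses: authorize, reject, setenv. */
const char *demo_login_script =
    "read -r user <&3 || exit 1\n"
    "read -r pass <&3 || exit 1\n"
    "if [ \"$user\" = alice ] && [ \"$pass\" = s3cret ]; then\n"
    "  echo 'setenv AUTH_STYLE demo' >&3\n"
    "  echo authorize >&3\n"
    "else\n"
    "  echo reject >&3\n"
    "fi\n";

/* Two misbehaving authenticators, used to show that the caller fails closed. */
const char *demo_silent_script  = "exit 0\n";                  /* answers nothing */
const char *demo_garbage_script = "echo 'ok go ahead' >&3\n";  /* unknown verb   */

static int send_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n <= 0) return -1;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Run `script` as a separate process and return 1 only if it explicitly
 * authorizes. Every other outcome (reject, silence, an off-protocol message,
 * a crash, malformed input) is a denial: the default is deny. */
int bsdauth_check(const char *script, const char *user, const char *pass)
{
    int sv[2];
    pid_t pid;

    /* The channel is line framed, so a credential containing a newline could
     * smuggle an extra protocol line to the script; refuse it before forking. */
    if (strchr(user, '\n') || strchr(pass, '\n')) return 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return 0;

    pid = fork();
    if (pid == -1) { close(sv[0]); close(sv[1]); return 0; }
    if (pid == 0) {
        /* Child: keep only the back channel, on the descriptor the script expects. */
        close(sv[0]);
        if (dup2(sv[1], BACK_CHANNEL_FD) == -1) _exit(127);
        if (sv[1] != BACK_CHANNEL_FD) close(sv[1]);
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);
    }

    /* Parent: hand over the credentials, then only listen. It never sees the
     * credential store and never executes anything the child sends. */
    close(sv[1]);
    int authorized = 0;
    if (send_all(sv[0], user, strlen(user)) == 0 && send_all(sv[0], "\n", 1) == 0 &&
        send_all(sv[0], pass, strlen(pass)) == 0 && send_all(sv[0], "\n", 1) == 0) {
        shutdown(sv[0], SHUT_WR);
        FILE *bc = fdopen(sv[0], "r");
        char line[256];
        int protocol_ok = 1;
        while (bc && fgets(line, sizeof line, bc)) {
            line[strcspn(line, "\n")] = '\0';
            if (strcmp(line, "authorize") == 0) {
                authorized = 1;
            } else if (strcmp(line, "reject") == 0) {
                authorized = 0;
                break;
            } else if (strncmp(line, "setenv ", 7) == 0) {
                /* A real caller would record this for the session; accepted here. */
            } else {
                protocol_ok = 0;   /* anything off-protocol is treated as hostile */
                break;
            }
        }
        if (!protocol_ok) authorized = 0;
        if (bc) fclose(bc); else close(sv[0]);
    } else {
        close(sv[0]);
    }

    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        authorized = 0;   /* a crashed or failing authenticator never grants access */
    return authorized;
}

int main(void)
{
    printf("alice/s3cret   -> %d\n", bsdauth_check(demo_login_script, "alice", "s3cret"));   /* 1 */
    printf("alice/wrong    -> %d\n", bsdauth_check(demo_login_script, "alice", "wrong"));    /* 0 */
    printf("silent script  -> %d\n", bsdauth_check(demo_silent_script, "alice", "s3cret"));  /* 0 */
    printf("garbage script -> %d\n", bsdauth_check(demo_garbage_script, "alice", "s3cret")); /* 0 */
    return 0;
}
```

The point of the parsing loop is the narrowness of the interface: the caller accepts a handful of fixed verbs and nothing else, so a compromised authenticator can at worst say `reject`, and silence, a crash, or an unexpected message all leave the caller at its default of denying access. The same design reasoning is what keeps a faulty PAM module, which instead runs inside the caller's address space, from being contained without extra configuration.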