Unix authentication

Saved by PBworks on November 15, 2006 at 11:41:07 pm

Authentication of users in UNIX

 


 

The UNIX operating system has been chosen because it is the most widely used as far as user authentication is concerned. As for its implementation, this operating system only needs to be taken into account on the machine acting as the server; it is not required on the user's peripheral machine, which will at most play the role of transmitting encrypted keys.

 

There follows a brief introduction to the access and security systems of this operating system, followed by a description of each of the authentication systems used under it.

 

These access systems can be used as support for those explained previously, so that security is increased exponentially.

 

Classic authentication

 

In a typical UNIX system each user has a name for entering the system, or login, and a key, or password; both are generally stored in the file /etc/passwd. This file contains one line per user (although there are entries that do not correspond to real users, as we will see below) giving the information needed for users to connect to the system and work in it, with the different fields separated by colons.

 

First come the user's login and encoded password; next come two numbers, the user identifier (UID) and the group identifier (GID) respectively. The fifth field, called GECOS, is simply administrative information about the real identity of the user, such as name, telephone or office number. Finally, the last fields hold the user's home directory (the initial value of $HOME) and the shell assigned to the user.

 

 

Contrary to what many people think, UNIX does not distinguish its users by their login name. What really distinguishes one person from another (or at least one user from another) for the operating system is the UID of the user in question; the login is used mainly for people's convenience (it is obviously easier to remember a login such as toni than a UID such as 2643, especially if one has accounts on several machines, each with a different UID). Therefore, if two entries in /etc/passwd have the same UID, for UNIX they are the same user, even though their login and password differ: thus, if two users are assigned UID 0, both will have superuser privileges, regardless of which login they use. This is especially exploited by attackers who have obtained administrator privileges on a machine: they can add a line, mixed in among all the others, with a normal-looking user name but UID 0; in this way they guarantee themselves entry to the system as administrators in case they are discovered, for example to erase their tracks.

 

In the password file there will be entries that do not correspond to real users, but are used by certain programs or are accounts kept for compatibility with other systems; typical examples of such entries are lp, uucp or postmaster.

These accounts must be locked in most cases, so that nobody can use them to gain access to our system: they should only be reachable by root by means of the su command. Although most of them meet this condition, on some systems these accounts have default passwords or, worse, no password at all, which turns them into a door completely open to intruders; it is advisable that, once the operating system is installed and before putting the machine into service, we verify that they are locked or, failing that, that they have non-trivial passwords. Some examples of accounts that call for special attention are root, guest, lp, demos, 4DGifts, tour, uucp, nuucp, games or postmaster; it is highly recommended to consult the manuals of each specific system, and to check periodically for accounts without a password or accounts that should be locked but are not.
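The periodic check recommended above, as an added example that is not part of the original page: it parses constructed /etc/passwd lines and reports logins that share a UID, accounts with an empty password field, and watched system accounts that are not locked. The sample entries and their 13-character password values are made up.

```python
# Added example, not from the original page: audit a classic /etc/passwd for
# the problems the text describes: logins sharing one UID (above all extra
# UID 0 entries) and system accounts that are not locked. The lines below are
# constructed; the 13-character password values are made up, not real hashes.
SAMPLE_PASSWD = """\
root:aB3xQ9KmZ1pLs:0:0:Superuser:/:/bin/sh
toni:xyK2Dq8mLp0Nw:2643:100:Toni,Room 12:/home/toni:/bin/sh
lp:*:4:7:Line printer:/var/spool/lp:/bin/sh
uucp:*:5:5:UUCP admin:/var/spool/uucp:/bin/sh
demos::20:20:Demo account:/tmp:/bin/sh
backup:aB3xQ9KmZ1pLs:0:0:Nightly backup:/:/bin/sh
games:!:12:100:Games:/usr/games:/bin/sh
"""
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Accounts the text singles out for attention; root is expected to keep a password.
WATCHED = {"guest", "lp", "demos", "4DGifts", "tour", "uucp", "nuucp", "games", "postmaster"}

def parse_passwd(text):
    """Split each line into the seven colon-separated fields of /etc/passwd."""
    entries = []
    for line in filter(None, text.splitlines()):
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        login, pw, uid, gid, gecos, home, shell = fields
        entries.append({"login": login, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries

def password_state(pw):
    """'empty' (no password asked), 'set' (13-char crypt(3) value) or 'locked'."""
    if pw == "":
        return "empty"
    if len(pw) == 13 and all(c in CRYPT_ALPHABET for c in pw):
        return "set"
    return "locked"          # e.g. '*' or '!': no password can hash to this

def audit(text):
    """Findings a periodic check of the password file should raise."""
    entries = parse_passwd(text)
    by_uid = {}
    for e in entries:
        by_uid.setdefault(e["uid"], []).append(e["login"])
    return {
        # UNIX identifies users by UID, so every extra login on UID 0 is root.
        "shared_uids": {u: logins for u, logins in by_uid.items() if len(logins) > 1},
        "empty_passwords": [e["login"] for e in entries if password_state(e["pw"]) == "empty"],
        "unlocked_watched": [e["login"] for e in entries
                             if e["login"] in WATCHED and password_state(e["pw"]) != "locked"],
    }
```

On the sample data the audit flags backup as a second UID 0 login and demos as an account with no password at all, while lp, uucp and games are correctly locked.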

To encode its users' access keys, the UNIX operating system uses an irreversible cryptosystem based on the standard C function crypt(3), which in turn is based on the DES algorithm. This function takes as its key the first eight characters of the password chosen by the user (if the password is shorter, it is padded with zeros) and uses it to encrypt a 64-bit cleartext block set to zero; so that two equal passwords do not produce the same ciphertext, a permutation is applied during the encryption process, chosen automatically and at random for each user and determined by a 12-bit field (which gives 4096 different permutations) called the salt. The resulting ciphertext is encrypted again using the user's password as key and permuting with the same salt, and the process is repeated 25 times. The final 64-bit encrypted block is concatenated with two zero bits, giving 66 bits that are represented as 11 characters of 6 bits each and that, together with the salt, make up the password field of the password file, usually /etc/passwd. Thus, the first two characters of this field consist of the salt and the remaining 11 of the encrypted password:
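The layout of that 13-character field, as an added example that is not part of the original page: the 12-bit salt becomes two 6-bit characters, and the 64-bit DES output plus two zero bits becomes eleven 6-bit characters. DES itself is not implemented here (the 64-bit block is taken as input), and the bit order used inside the salt and the packing is a convention chosen for this example, not a claim about any particular crypt(3) implementation.

```python
# Added example, not from the original page: the layout of a classic crypt(3)
# field as the text describes it: a 12-bit salt (4096 values) as two 6-bit
# characters, then the final 64-bit DES block plus two zero bits (66 bits) as
# eleven 6-bit characters. DES itself is not implemented; the 64-bit block is
# an input, and the bit order used for salt and packing is a convention of
# this example, not a claim about a particular implementation.
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def encode_salt(salt12):
    """Two characters carrying 12 salt bits (low 6 bits first, by convention)."""
    if not 0 <= salt12 < 4096:
        raise ValueError("salt must be a 12-bit value")
    return ALPHABET[salt12 & 0x3F] + ALPHABET[salt12 >> 6]

def decode_salt(two_chars):
    """Inverse of encode_salt."""
    lo, hi = (ALPHABET.index(c) for c in two_chars)
    return lo | (hi << 6)

def pack_block(block64):
    """Append two zero bits to a 64-bit block and emit 11 six-bit characters."""
    if not 0 <= block64 < 1 << 64:
        raise ValueError("block must be a 64-bit value")
    bits66 = block64 << 2                      # 64 bits followed by two zero bits
    return "".join(ALPHABET[(bits66 >> (6 * i)) & 0x3F] for i in range(10, -1, -1))

def make_field(salt12, block64):
    """Salt (2 chars) followed by the packed block (11 chars): 13 in total."""
    return encode_salt(salt12) + pack_block(block64)

def split_field(field):
    """Split a 13-character field back into (salt12, block64); reject other shapes."""
    if len(field) != 13 or any(c not in ALPHABET for c in field):
        raise ValueError("not a classic 13-character crypt(3) field")
    bits66 = 0
    for c in field[2:]:
        bits66 = (bits66 << 6) | ALPHABET.index(c)
    if bits66 & 0b11:
        raise ValueError("the two padding bits must be zero")
    return decode_salt(field[:2]), bits66 >> 2
```

Because only 13-character values drawn from this 64-symbol alphabet can be the output of classic crypt(3), a field of any other shape (for instance "*" or "!") can never match a typed password, which is what locking an account relies on.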

 
