Authorization and authentication: the difference

mai mai at ssi.ru
Tue Apr 30 07:19:49 UTC 2013


  Authentication is who you are; authorization is what you are allowed
  to do in the system. For example, once you have logged in to the system
  after authentication (login, password), you are not given access to
  certain files: that is authorization, i.e. permission.
  Here is the answer from those from whom we picked up these words.


  With respect to those who want to understand, Alexander Mishin, Samara
  (IT translator).



  What Is The Difference Between Authentication And Authorization?

by NIXCRAFT <http://www.cyberciti.biz/tips/about-us> on MARCH 13, 2009 ·
15 COMMENTS
<http://www.cyberciti.biz/faq/authentication-vs-authorization/#comments> ·
last updated at FEBRUARY 28, 2012


What is the difference between authentication and authorization? Why is 
it important to understand the difference between the two? Authentication 
vs. Authorization -- what are they and how do they differ?


    Authentication


Authentication verifies *who you are*. For example, you can log in to 
your Unix server using the ssh client, or access your email server using 
a POP3 and SMTP client. Usually, PAM (Pluggable Authentication 
Modules) is used to integrate low-level authentication schemes into a 
high-level application programming interface (API), which allows programs 
that rely on authentication to be written independently of the underlying 
authentication scheme.


    Authorization

Authorization verifies *what you are authorized to do*. For example, you 
are allowed to log in to your Unix server via the ssh client, but you are 
not authorized to browse /data2 or any other file system. Authorization 
occurs after successful authentication. Authorization can be controlled 
at the file system level or using various application-level configuration 
options such as chroot(2).

Usually, the connection attempt must be both authenticated and 
authorized by the system. You can easily find out why connection 
attempts are either accepted or denied with the help of these two factors.


    Example: Authentication And Authorization

A user called vivek is allowed to log in to the www.cyberciti.biz server 
securely using the OpenSSH ssh client/server module. In this example, 
authentication is the mechanism whereby the system running at 
www.cyberciti.biz may securely identify user vivek. The authentication 
system provides answers to the questions:

  * Who is the user vivek?
  * Is the user vivek really who he represents himself to be?

The server running at www.cyberciti.biz depends on some unique bit of 
information known only to the vivek user. It may be as simple as a 
password, public key authentication, or as complicated as a Kerberos-based 
system. In all cases user vivek needs some sort of secret to log in to 
the www.cyberciti.biz server via the ssh client. In order to verify the 
identity of a user called vivek, the authenticating system running at 
www.cyberciti.biz will challenge vivek to provide his unique 
information (his password, or fingerprint, etc.) -- if the 
authenticating system can verify that the shared secret was presented 
correctly, the user vivek is considered authenticated.


      vivek is Authenticated? What Next?

Authorization.

The Unix server running at www.cyberciti.biz determines what level of 
access a particular authenticated user called vivek should have. For 
example, vivek can compile programs using the GNU gcc compilers but is not 
allowed to upload or download files. So:

 1. Is user vivek authorized to access resource called ABC?
 2. Is user vivek authorized to perform operation XYZ?
 3. Is user vivek authorized to perform operation P on resource R?
 4. Is user vivek authorized to download or upload files?
 5. Is user vivek authorized to apply patches to the Unix systems?
 6. Is user vivek authorized to make backups?

In this example, the Unix server used the combination of authentication and 
authorization to secure the system. The system ensures that the user 
claiming to be vivek really is user vivek and thus prevents 
unauthorized users from gaining access to secured resources running on 
the Unix server at www.cyberciti.biz.


    Dealing With Large Linux / Unix Setups

Large Linux / UNIX installations are equipped with central LDAP directory 
servers to authenticate users. A user must provide a username and password 
against all services such as Squid proxy, Wi-Fi, SMTP, POP3 email server 
etc. An LDAP directory allows you to obtain required information such as 
employee number, email address, department code, and much more. The 
directory provides additional data lookup and search 
capabilities. OpenLDAP <http://www.openldap.org/> and the Fedora Directory 
Server <http://directory.fedoraproject.org/> (FDS) are LDAP 
(Lightweight Directory Access Protocol) servers for Linux and Unix-like 
operating systems. Kerberos is a network authentication protocol. It is 
designed to provide strong authentication for client/server applications 
by using secret-key cryptography. A free implementation of this protocol 
is available from the Massachusetts Institute of Technology 
<http://web.mit.edu/kerberos/>.

Red Hat Directory Server 
<http://www.cyberciti.biz/faq/authentication-vs-authorization/> is an 
LDAP-compliant server that centralizes user identity and application 
information. It provides an operating system-independent, network-based 
registry for storing application settings, user profiles, group data, 
policies, and access control information.
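
The two checks from the vivek example, as an added illustration that is not part of the original post or the quoted article: authentication verifies a secret, then authorization applies the Unix owner/group/other permission bits. The account data, password, uids/gids and file modes are constructed for this sketch, and the model is simplified (no root override, no ACLs).

```python
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed sample value

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account: vivek, uid 1000, member of groups 1000 and 2000.
ACCOUNTS = {"vivek": {"uid": 1000, "gids": {1000, 2000},
                      "salt": SALT, "pwhash": _hash("correct horse", SALT)}}

# Constructed file metadata: path -> (owner uid, group gid, mode bits).
FILES = {
    "/usr/bin/gcc": (0, 0, 0o755),       # anyone may execute the compiler
    "/data2":       (0, 3000, 0o750),    # only root and group 3000
    "/home/vivek":  (1000, 1000, 0o700),
}

def authenticate(user: str, password: str):
    """Who are you? Return the account if the secret verifies, else None."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        _hash(password, SALT)  # do the same work for unknown users
        return None
    supplied = _hash(password, acct["salt"])
    return acct if hmac.compare_digest(supplied, acct["pwhash"]) else None

def authorize(acct: dict, path: str, want: str) -> bool:
    """What may you do? Pick exactly one permission class, then test the bit."""
    owner, group, mode = FILES[path]
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if acct["uid"] == owner:
        shift = 6            # owner bits
    elif group in acct["gids"]:
        shift = 3            # group bits
    else:
        shift = 0            # other bits
    return bool((mode >> shift) & bit)

def request(user: str, password: str, path: str, want: str) -> str:
    """Authorization is only evaluated after authentication succeeds."""
    acct = authenticate(user, password)
    if acct is None:
        return "denied: authentication failed"
    if not authorize(acct, path, want):
        return "denied: not authorized"
    return "allowed"
```

Keeping the two denial reasons distinct in server-side logs makes it possible to tell failed logins apart from permission problems when reviewing why a connection attempt was rejected.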



More information about the freebsd-doc mailing list