What Is The Difference Between Authentication And Authorization?

What is the difference between authentication and authorization? Why is it important to understand the difference between the two? Authentication vs. Authorization — what are they, and how do they differ?

Authentication

Authentication verifies who you are. For example, you can log in to your Unix server using the ssh client, or access your email server using a POP3 and SMTP client. Usually, PAM (Pluggable Authentication Modules) is used to integrate low-level authentication schemes into a high-level application programming interface (API), which allows programs that rely on authentication to be written independently of the underlying authentication scheme.

Authorization

Authorization verifies what you are allowed to do. For example, you are allowed to log in to your Unix server via the ssh client, but you are not authorized to browse /data2 or any other file system. Authorization occurs after successful authentication. Authorization can be controlled at the file system level or using various application-level configuration options such as chroot(2).

Usually, a connection attempt must be both authenticated and authorized by the system. Looking at these two factors separately makes it easy to find out why a connection attempt was accepted or denied.

Example: Authentication And Authorization

A user called vivek is allowed to log in to the www.cyberciti.biz server securely using the OpenSSH ssh client/server software. In this example, authentication is the mechanism whereby the system running at www.cyberciti.biz securely identifies user vivek. The authentication system provides answers to the questions:

  • Who is the user vivek?
  • Is the user vivek really who he represents himself to be?

The server running at www.cyberciti.biz depends on some unique bit of information known only to the user vivek. It may be as simple as a password or public key authentication, or as complicated as a Kerberos-based system. In all cases user vivek needs some sort of secret to log in to the www.cyberciti.biz server via the ssh client. In order to verify the identity of the user called vivek, the authenticating system running at www.cyberciti.biz challenges vivek to provide his unique information (his password, or fingerprint, etc.) — if the authenticating system can verify that the shared secret was presented correctly, the user vivek is considered authenticated.

vivek is Authenticated? What Next?

Authorization.

The Unix server running at www.cyberciti.biz determines what level of access a particular authenticated user called vivek should have. For example, vivek can compile programs using the GNU gcc compiler but is not allowed to upload or download files. So the authorization questions are:

  1. Is user vivek authorized to access resource called ABC?
  2. Is user vivek authorized to perform operation XYZ?
  3. Is user vivek authorized to perform operation P on resource R?
  4. Is user vivek authorized to download or upload files?
  5. Is user vivek authorized to apply patches to the Unix systems?
  6. Is user vivek authorized to make backups?

In this example the Unix server used the combination of authentication and authorization to secure the system. The system ensures that the user claiming to be vivek is really the user vivek, and thus prevents unauthorized users from gaining access to secured resources on the Unix server at www.cyberciti.biz.
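The two steps from the vivek example in code, as an added illustration that is not part of the original article: authenticate() answers "is this really vivek?" by verifying a shared secret, and authorize() separately answers "may vivek perform operation P on resource R?". The password, salt, user table and policy are constructed for the demo; the stored hash stands in for what PAM would consult on a real system.

```python
import hashlib
import hmac

# Constructed credential store (stand-in for what PAM/shadow would hold):
# username -> (salt, PBKDF2-SHA256 hash of the password).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

_SALT = b"constructed-demo-salt"          # fixed so results are deterministic
USERS = {"vivek": (_SALT, _hash("correct horse battery staple", _SALT))}  # constructed

# Constructed authorization policy: username -> set of (operation, resource).
# vivek may log in and run gcc; nothing grants him /data2 or file transfers.
POLICY = {
    "vivek": {("login", "ssh"), ("execute", "/usr/bin/gcc"), ("read", "/home/vivek")},
}

def authenticate(user: str, password: str) -> bool:
    """Authentication: does the caller hold the secret known only to `user`?"""
    record = USERS.get(user)
    if record is None:
        _hash(password, _SALT)   # do the same work for unknown users (no timing leak)
        return False
    salt, stored = record
    # constant-time comparison of the derived hash against the stored one
    return hmac.compare_digest(_hash(password, salt), stored)

def authorize(user: str, operation: str, resource: str) -> bool:
    """Authorization: is (operation, resource) granted to an already-authenticated user?"""
    return (operation, resource) in POLICY.get(user, set())

def access(user: str, password: str, operation: str, resource: str) -> str:
    """Full check in the order the article describes: authenticate, then authorize."""
    if not authenticate(user, password):
        return "denied: authentication failed"   # we do not know who this is
    if not authorize(user, operation, resource):
        return "denied: not authorized"          # we know it is vivek, but no grant
    return "allowed"

if __name__ == "__main__":
    pw = "correct horse battery staple"
    print(access("vivek", pw, "execute", "/usr/bin/gcc"))   # allowed
    print(access("vivek", pw, "upload", "/data2"))          # denied: not authorized
    print(access("vivek", "guess", "execute", "/usr/bin/gcc"))  # denied: authentication failed
```

Note that the two denial reasons are distinct: a wrong password fails before any policy is consulted, while a correct password with no matching grant fails only at the authorization step.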

Dealing With Large Linux / Unix Setups

Large Linux / UNIX installations are equipped with central LDAP directory servers to authenticate users. A user must provide a username and password for all services, such as the Squid proxy, Wi-Fi, the SMTP and POP3 email servers, etc. An LDAP directory allows you to obtain required information such as employee number, email address, department code, and much more. The directory provides additional data lookup and search capabilities. OpenLDAP and the Fedora Directory Server (FDS) are LDAP (Lightweight Directory Access Protocol) servers for Linux and Unix-like operating systems. Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology.

Red Hat Directory Server is an LDAP-compliant server that centralizes user identity and application information. It provides an operating system-independent, network-based registry for storing application settings, user profiles, group data, policies, and access control information.

  • Paul Jun 18, 2014 @ 11:24

    Good site. A colleague of mine always confuses those two vocabularies. I sent him the link. :)

  • kasi Jun 20, 2014 @ 11:56

    good explanation

  • ashish singh Jun 26, 2014 @ 7:23

    kudos man …. examples are the best way to explain things

    pretty good explanation indeed

  • Karishma Sep 10, 2014 @ 9:44

    With the help of your information I should clear my exam very easily.. thanks. Keep sharing knowledge..

  • Naila Feb 13, 2015 @ 20:55

    okay right.. I have an exam and I can't understand the difference accurately between authorization and authentication even now..
    I'll put the question here, and please help me if you can ..

    Joe uses Windows 8 on his office computer. He wants to control the access rights to his computer. Therefore, he specifies a user name and password to log on to the computer.

    Which of the following processes does the operating system perform to confirm his log on information?

    1- authorization
    2- initialization
    3- authentication
    4- computation

    The answer is "3" but how is it :( I can't understand ..
    Please help me :*
    Thank you

  • r Jun 7, 2015 @ 15:42

    Thanks mate

  • Brandon Miller Jun 18, 2015 @ 16:06

    Thanks for the clarification!
    I get the following picture when I think of this (pictures help me remember stuff long-term):
    We need to get into a secure building. First, we meet a guard and present him with our credentials. We claim that we are X. The officer eyeballs us and our credentials. After he’s satisfied that we are who we claim to be, he hands us our badge.
    After we get in, regardless of what we want to do–as long as it requires SOME credentials, we have to flash the badge. If I want to go into a secret room, I scan my badge and it determines if I have permission. If I walk up to the water fountain, I don’t need to scan my badge because the powers that be decided that as long as you are in the building you have access to it.
    So, access to anything secured required me to first go into the building through security, who determined if I am who I said I was and handed me my badge (that contains all of my access permissions).

    Does that sound accurate?
    Thank you for responding and may Jesus bless you today with eternal life and life more abundantly!

  • ElsaHuang Aug 5, 2015 @ 3:30

    Nice explanation! Very useful! Thanks!

  • james Aug 27, 2015 @ 12:01

    Short and clear explanation, thanks!

  • Ittiphol Dec 15, 2015 @ 9:45

    So obvious, Thank you

  • Prem Ananth C Mar 27, 2016 @ 2:21

    Thanks for the clear explanation.

  • Isaac Dec 30, 2016 @ 7:37

    Short and clear explanation, thanks!

  • Shatil Jan 5, 2017 @ 11:12

    Nice explanation thanks…
