Wednesday, August 27, 2014

Difference Between Authentication and Authorization ?

What is the difference between authentication and authorization? Why is it important to understand the difference between the two? Authentication vs. Authorization: what are they and how do they differ?

Authentication


Authentication verifies who you are. For example, you can log in to your Unix server using the ssh client, or access your email server using a POP3 or SMTP client. Usually, PAM (Pluggable Authentication Modules) is used to integrate low-level authentication schemes into a high-level application programming interface (API), which allows programs that rely on authentication to be written independently of the underlying authentication scheme.

Authorization

Authorization verifies what you are allowed to do. For example, you are allowed to log in to your Unix server via the ssh client, but you are not authorized to browse /data2 or any other file system. Authorization occurs after successful authentication. Authorization can be controlled at the file system level or using various application-level configuration options such as chroot(2).

Usually, a connection attempt must be both authenticated and authorized by the system. Keeping the two factors apart makes it easy to work out why a given connection attempt was accepted or denied.

Example: Authentication And Authorization

A user called Sahil Rai is allowed to log in to the http://www.hackrhino.com/ server securely using the OpenSSH ssh client/server module. In this example, authentication is the mechanism whereby the system running at http://www.hackrhino.com/ can securely identify the user Sahil Rai. The authentication system provides answers to the questions:

Who is the user sahil?
Is the user Sahil Rai really who he represents himself to be?
The server running at http://www.hackrhino.com/ depends on some unique bit of information known only to the user Sahil Rai. It may be as simple as a password or public key authentication, or as complicated as a Kerberos-based system. In all cases, user Sahil Rai needs some sort of secret to log in to the http://www.hackrhino.com/ server via the ssh client. In order to verify the identity of the user called Sahil Rai, the authenticating system running at http://www.hackrhino.com/ challenges sahil to provide his unique information (his password, fingerprint, etc.); if the authenticating system can verify that the shared secret was presented correctly, the user sahil is considered authenticated.
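As an added illustration (not part of the original post or its cyberciti source), the following Python sketch shows the challenge-and-verify step described above for the simplest kind of secret, a password. The user database, the username "sahil" and the sample password are constructed for the example; the verifier is stored as a salted PBKDF2 hash rather than the password itself, comparison is constant-time, and an unknown username is processed with a dummy record so that "no such user" and "wrong password" take the same time and return the same answer.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Constructed value for the example;
# real deployments tune this to their hardware.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password verifier; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(db: dict, username: str, password: str) -> None:
    """Store (salt, verifier) for a user. A fresh random salt per user means
    two users with the same password still get different verifiers."""
    salt = os.urandom(16)
    db[username] = (salt, hash_password(password, salt))


# Dummy record used when the username does not exist. Running the same
# PBKDF2 work for unknown users keeps the response time uniform, so the
# login prompt does not reveal which usernames are valid.
_DUMMY_SALT = os.urandom(16)
_DUMMY_VERIFIER = hash_password("dummy-password", _DUMMY_SALT)


def authenticate(db: dict, username: str, password: str) -> bool:
    """Answer 'is this really the user they claim to be?'.

    Returns True only if the presented secret reproduces the stored verifier.
    This function establishes identity and nothing else: it says nothing about
    what the user may do afterwards (that is authorization).
    """
    salt, stored = db.get(username, (_DUMMY_SALT, _DUMMY_VERIFIER))
    candidate = hash_password(password, salt)
    # hmac.compare_digest does not short-circuit on the first differing byte.
    matches = hmac.compare_digest(candidate, stored)
    # Even if the dummy verifier somehow matched, an unknown user is never
    # authenticated.
    return matches and username in db


# Constructed sample database with one user (the example's "sahil").
USERS: dict = {}
register(USERS, "sahil", "correct horse battery staple")

if __name__ == "__main__":
    print(authenticate(USERS, "sahil", "correct horse battery staple"))  # True
    print(authenticate(USERS, "sahil", "wrong password"))                # False
    print(authenticate(USERS, "nobody", "anything"))                     # False
```

The same shape applies to the other secrets the text mentions: with public key authentication the "verifier" is the public key and the challenge is a signature over a server-chosen nonce, and with Kerberos the ticket-granting service plays the role of the database. In every case the outcome is only a yes/no answer to "who are you?".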

Sahil Rai is Authenticated? What Next?

Authorization.

The Unix server running at http://www.hackrhino.com/ determines what level of access a particular authenticated user, Sahil Rai, should have. For example, Sahil Rai can compile programs using the GNU gcc compiler but is not allowed to upload or download files. So the authorization system answers questions such as:

Is user Sahil Rai authorized to access resource called ABC?
Is user Sahil Rai authorized to perform operation XYZ?
Is user Sahil Rai authorized to perform operation P on resource R?
Is user Sahil Rai authorized to download or upload files?
Is user Sahil Rai authorized to apply patches to the Unix systems?
Is user Sahil Rai authorized to make backups?
In this example the Unix server uses the combination of authentication and authorization to secure the system. The system ensures that the user claiming to be Sahil Rai really is the user Sahil Rai, and thus prevents unauthorized users from gaining access to secured resources on the Unix server at http://www.hackrhino.com/.
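To show the second half of the combination, here is an added Python example (again not from the original post or cyberciti) of the question "is user U authorized to perform operation P on resource R?". The permission table, the users "sahil" and "admin", the operations and the paths are constructed to mirror the text: sahil may run gcc and work in his home directory but may not upload or download from /data2. Two details matter to a defender: authorization refuses to decide for a principal that never passed authentication, and anything not explicitly granted is denied. The resource match is a path-prefix rule, written so that a grant on /home/sahil does not accidentally cover /home/sahil2.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Identity as established by a prior authentication step.

    `authenticated` is False for an unverified claim (for example a username
    typed at a prompt whose password has not yet been checked).
    """
    username: str
    authenticated: bool


# Constructed permission table: username -> set of (operation, resource).
# A resource entry that is a directory grants the operation on everything
# below it. Anything not listed is denied (default deny).
PERMISSIONS = {
    "sahil": {
        ("execute", "/usr/bin/gcc"),
        ("read", "/home/sahil"),
        ("write", "/home/sahil"),
    },
    "admin": {
        ("execute", "/usr/bin/gcc"),
        ("upload", "/data2"),
        ("download", "/data2"),
        ("patch", "system"),
        ("backup", "system"),
    },
}

# Every decision, allowed or denied, is recorded so that an operator can
# later answer "why was this request accepted or denied?".
AUDIT_LOG: list = []


def resource_matches(granted: str, requested: str) -> bool:
    """True if `requested` is `granted` itself or lies beneath it.

    The trailing "/" in the prefix test is what stops a grant on
    "/home/sahil" from also matching "/home/sahil2".
    """
    if requested == granted:
        return True
    return requested.startswith(granted.rstrip("/") + "/")


def authorize(principal: Principal, operation: str, resource: str) -> bool:
    """Answer 'is user U authorized to perform operation P on resource R?'."""
    if not principal.authenticated:
        decision, reason = False, "principal not authenticated"
    else:
        allowed = PERMISSIONS.get(principal.username, set())
        decision = any(
            op == operation and resource_matches(res, resource)
            for op, res in allowed
        )
        reason = "matching grant" if decision else "no matching grant"
    AUDIT_LOG.append((principal.username, operation, resource, decision, reason))
    return decision


if __name__ == "__main__":
    sahil = Principal("sahil", authenticated=True)
    print(authorize(sahil, "execute", "/usr/bin/gcc"))        # True
    print(authorize(sahil, "write", "/home/sahil/hello.c"))   # True
    print(authorize(sahil, "download", "/data2"))             # False
    print(authorize(sahil, "read", "/home/sahil2/notes"))     # False
    # The same username before its password was checked: never authorized.
    print(authorize(Principal("sahil", False), "execute", "/usr/bin/gcc"))  # False
    for entry in AUDIT_LOG:
        print(entry)
```

The two functions answer different questions and must stay separate: the authentication step never consults the permission table, and the authorization step never looks at a password. On a real Unix host the table above is spread across file permissions, sudoers, sshd_config options and chroot(2) jails, but the decision logic is the same.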


Thanks to the source: http://www.cyberciti.biz/faq/authentication-vs-authorization