Which identity federation component authenticates users?
A. Identity provider
B. Resource provider
C. OAuth
D. SAML - CORRECT ANSWER.A. Identity providers (IdPs) contain user accounts and
perform authentication, and in federated identity environments they also
generate a security token that may contain assertions (claims) about the user such as
date of birth, department, and so on. The security token is then digitally signed by the
IdP with its private key. Applications that trust the IdP signature (using the IdP public
key) accept tokens and allow user access.
After successful authentication, which SAML component contains claim information?
A. Resource provider
B. Security token service
C. PKI certificate
D. Token - CORRECT ANSWER.D. The SAML standard is used to transmit authentication
and authorization messages between users, IdPs, and resource providers. IdPs digitally
sign security tokens, which can contain claims, or assertions, about a user or device,
such as a date of birth, cost center, subnet address range, and so on. Claims are often
derived from user or device attributes stored with the user or device account.
A, B, and C are incorrect. Resource providers accept security tokens from trusted IdPs
and allow access, such as to a web application. IdPs in a federated identity
configuration run as a security token service (STS), which digitally signs tokens upon
successful user or device authentication; the token is then used to grant resource
access. A Public Key Infrastructure (PKI) certificate is a security certificate that can be
stored in a file, a network directory service, or a smartcard. It uniquely identifies a
subject such as a device or user.
You are configuring file system security such that Microsoft Active Directory user
accounts with a specific manager configured in their user account properties are
granted file system access. What type of access control configuration is this?
A. Role-based
B. Discretionary
C. Attribute-based
D. Time-based - CORRECT ANSWER.C. User accounts contain many attributes
(properties) such as manager name, group membership, last login time, city, and so
on. These attributes can be compared to conditional access policies to allow or block
file system access.
Which of the following constitutes multifactor authentication?
A. Username, password
B. Username, PIN
C. Smartcard, PIN
D. Smartcard, key fob - CORRECT ANSWER.C. A smartcard (something you have) is the
size of a credit card and is commonly used for authenticating to IT systems. Smartcards
can be used for other applications such as building access or as a credit card. Modern
credit cards contain an embedded microprocessor that can perform cryptographic
operations. Using a smartcard normally requires entering a PIN (something you know).
You are configuring SSH public key authentication for a Linux host. Which statements
about this configuration are correct? (Choose two.)
A. The public key is stored with the user.
B. The private key is stored with the user.
C. The public key is stored with the Linux host.
D. The private key is stored with the Linux host. - CORRECT ANSWER.B and C. SSH
public key authentication uses a public and private key pair for each user that will
authenticate to the Linux host. The public key is stored in the user's home directory in a
hidden directory named .ssh (the leading dot in Linux means the file or directory is
hidden). The private key is stored on the user's management device and should be
protected with a passphrase. When users authenticate to the Linux host, they must
know the username and the passphrase for the private key.
A and D are incorrect. The public key is not stored with the user; it is stored on the Linux
host. The private key is stored on the device the user will use to remotely manage the
Linux host via SSH.
After configuring SSH public key authentication for a Linux host, users complain that
they are prompted for a passphrase when using SSH to connect to the host. Why is this
happening?
A. SSH is configured incorrectly on the Linux host.
B. SSH is configured incorrectly on the client device.
C. A passphrase has been configured to protect the private key.