Wise people learn when they can; fools learn when they must - Arthur Wellesley

Monday, 26 December 2016

LINUX-7 USER MANAGEMENT (RHEL-7)

User Types:     Root / Regular / Service

Root: user with administrative privilege
Regular: user-level rights, can’t perform admin tasks.
Service: a service user is the account that owns and runs an installed service, such as apache, ftp, mail, ntp, postfix, qemu, etc.

User account information for local users is kept in these files:

/etc/passwd     user info
/etc/shadow     user’s password info
/etc/group      group info
/etc/gshadow    group passwords and group administrators


/etc/passwd:

araman:x:1000:1000:Anurag Raman:/home/araman:/bin/bash
   1 :2: 3  :  4 :      5     :     6      :  7

1: user name (login)
2: password placeholder (x means the hash is kept in /etc/shadow)
3: user id
4: primary group id of the user
5: comment (GECOS field)
6: home dir of the user
7: user’s login shell

/etc/shadow

araman:$6$VpD0G1vnc9wzAPXC$:17096:0:99999:7:::
   1  : 2                  :  3  :4:  5  :6:7:8:9

1: user name (login)
2: hashed passwd ($6$ = SHA-512; !! or ! means locked / no password set)
3: date of last passwd change, in days since 1 Jan 1970
4: min days - days that must pass before the passwd may be changed again
5: max days - days after which the passwd must be changed (default 99999)
6: warn days - days before expiry that the user is warned of the forced passwd change (default 7)
7: inactive days - days after passwd expiry before the a/c is disabled
8: account expiry - day (since 1 Jan 1970) on which the a/c is disabled
9: reserved, not used


/etc/group

araman:x:1000:araman
    1 :2:  3 :  4

1: group name
2: group passwd
3: group id
4: group members

/etc/gshadow

araman:!!::araman
   1  : 2:3:  4

1: group name
2: Encrypted passwd
3: group admins
4: group members

Group config file, which also lists the “group administrators” who have the right to add or remove group members using the “gpasswd” cmd.

DEFAULT VALUES FOR PASSWD/SHADOW SUITE.

/etc/login.defs

Some values from the file:

PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN                  1000
UID_MAX                 60000
SYS_UID_MIN               201
SYS_UID_MAX               999
GID_MIN                  1000
GID_MAX                 60000
SYS_GID_MIN               201
SYS_GID_MAX               999
CREATE_HOME     yes

These values can be altered to change the defaults applied to newly created accounts.

INTEGRITY OF PASSWD/SHADOW FILES:

[root@rhel7-server ~]# yum list installed |grep shadow
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
shadow-utils.x86_64                    2:4.1.5.1-13.el7            @anaconda/7.0

[root@rhel7-server ~]# cp /etc/passwd /etc/passwd.org
[root@rhel7-server ~]# cp /etc/shadow /etc/shadow.org

To simulate corruption, araman’s passwd entry was edited by hand: the user name was removed and the uid changed to 500, as the annotated grep shows:

[root@rhel7-server ~]# grep -i anurag /etc/passwd
-->uid removed<--:x:-->500<--:1000:Anurag Raman:/home/araman:/bin/bash

[root@rhel7-server ~]# pwck
user 'avahi-autoipd': directory '/var/lib/avahi-autoipd' does not exist
user 'pulse': directory '/var/run/pulse' does not exist
user 'gnome-initial-setup': directory '/run/gnome-initial-setup/' does not exist
invalid user name ''
no matching password file entry in /etc/shadow
add user '' in /etc/shadow? Y
no matching password file entry in /etc/passwd
delete line
'araman:$6$VpD0G1vnc9wzAPXC$JAzsYymQsOzoXVbZAG70J/EV/wC4.yb9a1cc7TepuR/0RIzQRuD7iAsoFZmSKrq4XXGdb4NTCOpivyBlk1aOM/:17096:0:99999:7:::'? n
pwck: the files have been updated

What happened to the /etc/shadow file?

The following entry was added to /etc/shadow:
:x:17161:0:99999:7:::

What happened?

The shadow file was synced to match the passwd file: pwck created a shadow entry for the (now empty) user name it found in passwd, with x as the password field, and because we answered n the orphaned araman line in shadow was kept.

[root@rhel7-server ~]# useradd raman
[root@rhel7-server ~]# passwd raman
Changing password for user raman.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.

[root@rhel7-server ~]# grep raman /etc/passwd
raman:x:1001:1001::/home/raman:/bin/bash

[root@rhel7-server ~]# grep raman /etc/shadow
raman:$6$rRgMEDVr$cYZXfIZm5fMoRrM6O54/2vmIIjIXm6Wo0ImEAuLUr6/mXCw.Mbk60/I1/KpaTcPj2ONL7SNfDo7NkoaBFe83c0:17161:0:99999:7:::

Next, raman’s entry was removed from /etc/shadow by hand and pwck was run again:

[root@rhel7-server ~]# pwck
user 'avahi-autoipd': directory '/var/lib/avahi-autoipd' does not exist
user 'pulse': directory '/var/run/pulse' does not exist
user 'gnome-initial-setup': directory '/run/gnome-initial-setup/' does not exist
no matching password file entry in /etc/shadow
add user 'raman' in /etc/shadow? Y
pwck: the files have been updated

[root@rhel7-server ~]# grep raman /etc/shadow
raman:x:17161:0:99999:7:::

What happened?

The shadow file was synced to the passwd file: the entry for user raman was recreated with the same aging fields, but the password field is just x instead of the hash, so the account has no usable password. Set the user’s passwd again and all is done.

So if the shadow file is corrupted, it can be rebuilt from the passwd file; only the password hashes are lost and must be reset.
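A read-only consistency check in the spirit of pwck, written for this page as an added example (it is not code from the original post and not part of shadow-utils). It runs over constructed passwd/shadow text, never the live /etc files, and reports the kinds of drift seen above: an empty user name, a passwd user with no shadow line, an orphaned shadow line, and a shadow line whose password field is the placeholder x (what pwck writes when it recreates an entry), which leaves the account without a usable password. The hashes in the sample are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a pwck-style consistency check
# over constructed passwd/shadow content. Nothing here touches /etc.

# Constructed sample: the damaged araman line (empty name, uid 500), raman with
# no shadow entry, and user1 whose shadow entry was recreated by pwck with 'x'.
PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
:x:500:1000:Anurag Raman:/home/araman:/bin/bash
raman:x:1001:1001::/home/raman:/bin/bash
user1:x:1002:1002::/home/user1:/bin/bash'

SHADOW_DATA='root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:17096:0:99999:7:::
araman:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:17096:0:99999:7:::
user1:x:17161:0:99999:7:::'

# First field (login name) of every line, one per line.
names() { printf '%s\n' "$1" | cut -d: -f1; }

# Compare passwd against shadow and print one finding per line.
# $1 = passwd text, $2 = shadow text.
check_passwd_shadow() {
    passwd_names=$(names "$1")
    shadow_names=$(names "$2")

    # passwd -> shadow direction: every login needs a shadow line.
    printf '%s\n' "$passwd_names" | while IFS= read -r u; do
        if [ -z "$u" ]; then
            echo "invalid user name ''"
        elif ! printf '%s\n' "$shadow_names" | grep -qxF -- "$u"; then
            echo "user '$u': no matching entry in shadow"
        fi
    done

    # shadow -> passwd direction, plus a look at the password field itself.
    printf '%s\n' "$2" | while IFS=: read -r u pw _rest; do
        if ! printf '%s\n' "$passwd_names" | grep -qxF -- "$u"; then
            echo "shadow entry '$u': no matching entry in passwd"
        fi
        case $pw in
            x)  echo "shadow entry '$u': password field is 'x', not a hash; no login possible until a passwd is set" ;;
            '') echo "shadow entry '$u': empty password field, login without a password is possible" ;;
        esac
    done
}

# Run against the constructed data (prints four findings).
check_passwd_shadow "$PASSWD_DATA" "$SHADOW_DATA"
```

Run the script as an ordinary user; it only reads the two strings embedded in it. Point the same functions at copies of the real files (for example the /etc/passwd.org and /etc/shadow.org backups taken above) to review a system without pwck’s interactive prompts.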

PREVENTING CORRUPTION IN PASSWD/SHADOW FILE:

[root@rhel7-server ~]# vipw

vipw: /etc/passwd is unchanged

[root@rhel7-server ~]# vipw -s

vipw: /etc/shadow is unchanged

[root@rhel7-server ~]# vigr

vigr: /etc/group is unchanged

[root@rhel7-server ~]# vigr -s

vigr: /etc/gshadow is unchanged

Imagine a rare race: an admin is editing the passwd file directly with a plain editor while a user is changing his/her passwd at the same time. The user’s change is accepted, but is lost as soon as the admin saves the file. vipw/vigr avoid this by taking a lock on the file, so that tools such as passwd and useradd refuse to write until the edit is finished.

While “vipw” is running in another terminal:

[root@rhel7-server ~]# ls -l /etc/passwd*
-rw-r--r--. 1 root root 2014 Dec 26 18:14 /etc/passwd
-rw-r--r--. 1 root root 2014 Dec 26 18:14 /etc/passwd.edit
-rw-------. 1 root root    6 Dec 26 18:24 /etc/passwd.lock

After quitting “vipw”:

[root@rhel7-server ~]# ls -l /etc/passwd*
-rw-r--r--. 1 root root 2014 Dec 26 18:14 /etc/passwd
-rw-r--r--. 1 root root 1973 Dec 26 17:56 /etc/passwd.org
[root@rhel7-server ~]#
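The protection vipw gives is visible in the listing above: while the editor is open, /etc/passwd.edit holds the working copy and /etc/passwd.lock keeps other tools from writing. The following is an added example, not code from the post or from shadow-utils, that re-creates that lock / edit-a-copy / rename-into-place pattern against a constructed passwd-style file in a temporary directory, so it can be run safely by any user. It simplifies the locking: a noclobber file create stands in for the link()-based lckpwdf() lock the real tools use.

```shell
#!/bin/sh
# Added example (not from the original post): the lock -> edit copy -> atomic
# rename pattern behind vipw/vigr, demonstrated on a constructed file in a
# temporary directory. Simplified locking (set -C), not shadow-utils' lckpwdf().

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSWD="$WORK/passwd"            # stands in for /etc/passwd
printf 'root:x:0:0:root:/root:/bin/bash\naraman:x:1000:1000:Anurag Raman:/home/araman:/bin/bash\n' > "$PASSWD"

# Take the lock atomically: with noclobber the redirection fails if the lock
# file already exists, so only one editor can hold it at a time.
take_lock() {
    ( set -C; printf '%s\n' "$$" > "$1.lock" ) 2>/dev/null
}
release_lock() { rm -f "$1.lock"; }

# Edit under lock. $1 is the file; the remaining arguments are a filter that
# reads the old content on stdin and writes the new content on stdout. The
# filter works on a .edit copy which is then renamed into place, so readers
# never see a half-written file (rename(2) is atomic).
safe_edit() {
    file=$1; shift
    take_lock "$file" || { echo "cannot lock $file; try again later" >&2; return 1; }
    if "$@" < "$file" > "$file.edit"; then
        mv "$file.edit" "$file"
    else
        rm -f "$file.edit"; release_lock "$file"; return 1
    fi
    release_lock "$file"
}

# Sample filter: change araman's login shell to /sbin/nologin.
set_nologin() { sed 's#^araman:\(.*\):/bin/bash$#araman:\1:/sbin/nologin#'; }

# Demo: a second editor cannot take the lock while the first holds it.
take_lock "$PASSWD"
take_lock "$PASSWD" || echo "second editor: cannot lock $PASSWD; try again later"
release_lock "$PASSWD"

# Demo: a locked, atomic edit; afterwards neither .edit nor .lock remains.
safe_edit "$PASSWD" set_nologin && cat "$PASSWD"
```

The two conditions the post describes map directly onto the code: a writer that skips take_lock can clobber a concurrent change, and a writer that edits the file in place (instead of renaming a finished copy over it) can leave a truncated passwd file if it is interrupted, which is exactly what vipw and vigr are there to prevent.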

Let’s begin with user management

DEFAULT CONFIG FILES:

[root@rhel7-server ~]# cat /etc/login.defs

We already looked at this file above.

[root@rhel7-server ~]# cat /etc/default/useradd
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

Command tools used for user management (part of the “shadow-utils” pkg):

useradd
usermod
userdel
chage      to set/modify passwd aging attributes for a user
passwd

USERADD………………………….

-c   comment (GECOS field)
-d   home dir
-g   gid or name of the primary group (the group must already exist)
-G   supplementary (secondary) groups; a user can be a member of 20 secondary groups
-m   create the home dir if it does not exist
-o   allow a non-unique (shared) uid
-r   system a/c with uid below 1000 and a never-expiring passwd
-s   login shell
-e   expiry date for the user a/c (YYYY-MM-DD)
-f   num (no. of days after passwd expiration when the a/c is disabled)
-u   uid

USERMOD……………………………….

-a -G <group>   append to the existing group membership
-l <newuser>    change the username to “newuser” without changing the home dir
-L              lock the user’s passwd
-U              unlock the user’s passwd
-m              create a new home dir and move the contents from old to new (used with -d)

CHAGE……………………………………….

[root@rhel7-server ~]# chage -l
Usage: chage [options] LOGIN

Options:
  -d, --lastday LAST_DAY        set date of last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximim number of days before password
                                change to MAX_DAYS
  -R, --root CHROOT_DIR         directory to chroot into
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS

PASSWD………………………………………….

[root@rhel7-server ~]# passwd --help
Usage: passwd [OPTION...] <accountName>
  -k, --keep-tokens       keep non-expired authentication tokens
  -d, --delete            delete the password for the named account (root only)
  -l, --lock              lock the password for the named account (root only)
  -u, --unlock            unlock the password for the named account (root only)
  -e, --expire            expire the password for the named account (root only)
  -f, --force             force operation
  -x, --maximum=DAYS      maximum password lifetime (root only)
  -n, --minimum=DAYS      minimum password lifetime (root only)
  -w, --warning=DAYS      number of days warning users receives before password
                          expiration (root only)
  -i, --inactive=DAYS     number of days after password expiration when an account
                          becomes disabled (root only)
  -S, --status            report password status on the named account (root only)
  --stdin                 read new tokens from stdin (root only)


[root@rhel7-server ~]# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes


[root@rhel7-server ~]# useradd -D user1
Usage: useradd [options] LOGIN
       useradd -D
       useradd -D [options]

Options:
  -b, --base-dir BASE_DIR       base directory for the home directory of the
                                new account
  -c, --comment COMMENT         GECOS field of the new account
  -d, --home-dir HOME_DIR       home directory of the new account
  -D, --defaults                print or change default useradd configuration
  -e, --expiredate EXPIRE_DATE  expiration date of the new account
  -f, --inactive INACTIVE       password inactivity period of the new account
  -g, --gid GROUP               name or ID of the primary group of the new
                                account
  -G, --groups GROUPS           list of supplementary groups of the new
                                account
  -h, --help                    display this help message and exit
  -k, --skel SKEL_DIR           use this alternative skeleton directory
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -l, --no-log-init             do not add the user to the lastlog and
                                faillog databases
  -m, --create-home             create the user's home directory
  -M, --no-create-home          do not create the user's home directory
  -N, --no-user-group           do not create a group with the same name as
                                the user
  -o, --non-unique              allow to create users with duplicate
                                (non-unique) UID
  -p, --password PASSWORD       encrypted password of the new account
  -r, --system                  create a system account
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             login shell of the new account
  -u, --uid UID                 user ID of the new account
  -U, --user-group              create a group with the same name as the user
  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping

[root@rhel7-server ~]#


[root@rhel7-server ~]# useradd user1

[root@rhel7-server ~]# cd /etc
[root@rhel7-server etc]# grep user1 passwd shadow group gshadow
passwd:user1:x:1002:1002::/home/user1:/bin/bash
shadow:user1:!!:17161:0:99999:7:::
group:user1:x:1002:
gshadow:user1:!::

[root@rhel7-server etc]#

[root@rhel7-server /]# useradd -u 1500 -g 1500 -m -d /home/user2 -k /etc/skel -s /bin/bash user2
useradd: group '1500' does not exist
[root@rhel7-server /]# useradd -u 1500  -m -d /home/user2 -k /etc/skel -s /bin/bash user2
[root@rhel7-server /]#
[root@rhel7-server /]# cd /etc
[root@rhel7-server etc]# grep user2 passwd shadow group gshadow
passwd:user2:x:1500:1500::/home/user2:/bin/bash
shadow:user2:!!:17161:0:99999:7:::
group:user2:x:1500:
gshadow:user2:!::
[root@rhel7-server etc]#

[root@rhel7-server etc]# passwd -n 10 -x 35 -w 7 user2
Adjusting aging data for user user2.
passwd: Success
[root@rhel7-server etc]# grep user2 shadow
user2:!!:17161:10:35:7:::

-n   min days
-x   max days
-w   warn days

[root@rhel7-server etc]# chage -l user2
Last password change                                    : Dec 26, 2016
Password expires                                        : Jan 30, 2017
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 10
Maximum number of days between password change          : 35
Number of days of warning before password expires       : 7

[root@rhel7-server etc]# chage -m12 -M38 -W7 -E 2016-12-31 user2

[root@rhel7-server etc]# chage -l user2
Last password change                                    : Dec 26, 2016
Password expires                                        : Feb 02, 2017
Password inactive                                       : never
Account expires                                         : Dec 31, 2016
Minimum number of days between password change          : 12
Maximum number of days between password change          : 38
Number of days of warning before password expires       : 7
[root@rhel7-server etc]#
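The dates chage -l prints are derived from the numeric /etc/shadow fields: last change 17161 (days since 1 Jan 1970) is Dec 26, 2016, and 17161 + 35 max days gives Jan 30, 2017. The following added example (not from the post and not shadow-utils code) recomputes that summary from a shadow line in plain POSIX sh arithmetic, so it also works on a copy of a shadow file taken from another machine. It goes slightly beyond the lines above by handling the special values the tools use: a last-change of 0 prints "password must be changed", an empty or very large max field prints "never", and an empty field 8 means the account never expires. The input lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the "chage -l" summary
# from raw /etc/shadow fields. Pure POSIX sh arithmetic, no GNU date needed.

# Convert days since 1970-01-01 to "Mon DD, YYYY" (civil-from-days algorithm).
days_to_date() {
    z=$(( $1 + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    y=$(( yoe + era * 400 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    if [ "$mp" -lt 10 ]; then m=$(( mp + 3 )); else m=$(( mp - 9 )); fi
    if [ "$m" -le 2 ]; then y=$(( y + 1 )); fi
    set -- Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
    shift $(( m - 1 ))
    printf '%s %02d, %d\n' "$1" "$d" "$y"
}

# Nth colon-separated field of a line.
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# Print the aging summary for one shadow line, following chage's rules:
# lastchg 0 -> "password must be changed"; max empty or > 10000 -> "never";
# empty field 8 -> account never expires.
shadow_aging() {
    line=$1
    lastchg=$(field "$line" 3); min=$(field "$line" 4); max=$(field "$line" 5)
    warn=$(field "$line" 6); inact=$(field "$line" 7); expire=$(field "$line" 8)
    # Empty numeric fields behave like -1 ("not set") in shadow-utils.
    lastchg=${lastchg:--1}; max=${max:--1}; inact=${inact:--1}; expire=${expire:--1}

    if [ "$lastchg" -eq 0 ]; then
        last="password must be changed"; pexp=$last; pinact=$last
    else
        if [ "$lastchg" -lt 0 ]; then last=never; else last=$(days_to_date "$lastchg"); fi
        if [ "$lastchg" -lt 0 ] || [ "$max" -lt 0 ] || [ "$max" -gt 10000 ]; then
            pexp=never; pinact=never
        else
            pexp=$(days_to_date $(( lastchg + max )))
            if [ "$inact" -lt 0 ]; then pinact=never
            else pinact=$(days_to_date $(( lastchg + max + inact ))); fi
        fi
    fi
    if [ "$expire" -lt 0 ]; then aexp=never; else aexp=$(days_to_date "$expire"); fi

    printf 'Last password change : %s\n' "$last"
    printf 'Password expires : %s\n' "$pexp"
    printf 'Password inactive : %s\n' "$pinact"
    printf 'Account expires : %s\n' "$aexp"
    printf 'Minimum number of days between password change : %s\n' "${min:-0}"
    printf 'Maximum number of days between password change : %s\n' "$max"
    printf 'Number of days of warning before password expires : %s\n' "${warn:-0}"
}

# Demo with the post's values after "passwd -n 10 -x 35 -w 7 user2" (constructed line).
shadow_aging 'user2:!!:17161:10:35:7:::'
```

Feeding it the line after chage -m12 -M38 -W7 -E 2016-12-31 (field 5 = 38, field 8 = 17166) yields Feb 02, 2017 and Dec 31, 2016, matching the chage -l output above; the useradd default of 99999 max days is why fresh accounts show "never" for password expiry.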

[root@rhel7-server etc]# usermod -u 5000 -m -d /home/nuser2 -s /sbin/nologin -l nuser2 user2

[root@rhel7-server etc]# chage -l nuser2
Last password change                                    : Dec 26, 2016
Password expires                                        : Feb 02, 2017
Password inactive                                       : never
Account expires                                         : Dec 31, 2016
Minimum number of days between password change          : 12
Maximum number of days between password change          : 38
Number of days of warning before password expires       : 7

[root@rhel7-server etc]# id nuser2
uid=5000(nuser2) gid=1500(user2) groups=1500(user2)

-l   change the login name
-u   change the uid
-d   change the home dir
-m   move the old home dir contents to the new one
-s   change the login shell

[root@rhel7-server etc]# usermod -e 2017-02-28 nuser2
[root@rhel7-server etc]# chage -l nuser2
Last password change                                    : Dec 26, 2016
Password expires                                        : Feb 02, 2017
Password inactive                                       : never
Account expires                                         : Feb 28, 2017
Minimum number of days between password change          : 12
Maximum number of days between password change          : 38
Number of days of warning before password expires       : 7

[root@rhel7-server /]# chage -d0 -m5 -E -1 nuser2

[root@rhel7-server /]# chage -l nuser2
Last password change                                : password must be changed
Password expires                                    : password must be changed
Password inactive                                   : password must be changed
Account expires                                         : never
Minimum number of days between password change          : 5
Maximum number of days between password change          : 38
Number of days of warning before password expires       : 7

-d0        expire the user’s passwd so that they are prompted to change it at next login
-m5        the passwd cannot be changed again within 5 days
-E -1      disable a/c expiry

[root@rhel7-server /]# usermod -L nuser2
[root@rhel7-server /]# usermod -U nuser2

[root@rhel7-server /]# passwd -l nuser2
Locking password for user nuser2.
passwd: Success

[root@rhel7-server /]# passwd -u nuser2
Unlocking password for user nuser2.
passwd: Success

[root@rhel7-server /]# userdel -r nuser2
[root@rhel7-server /]# grep nuser2 /etc/passwd
[root@rhel7-server /]# grep nuser2 /etc/shadow
[root@rhel7-server /]# ls -l /home/nuser2
ls: cannot access /home/nuser2: No such file or directory
