
Users & groups, usermod, passwd and shadow file






Users and groups



Adding User Accounts


To add a new user account, run either of the following two commands as root:
# adduser [new_account]
# useradd [new_account]
 
When a new user account is added to the system, the following operations are performed.
1. His/her home directory is created (/home/username by default).
2. The following hidden files are copied into the user’s home directory, and will be used to provide environment variables for his/her user session.
.bash_logout
.bash_profile
.bashrc
 
3. A mail spool is created for the user at /var/spool/mail/username.
4. A group is created and given the same name as the new user account.
Understanding /etc/passwd

The full account information is stored in the /etc/passwd file. This file contains a record per system user account and has the following format (fields are delimited by a colon).
[username]:[x]:[UID]:[GID]:[Comment]:[Home directory]:[Default shell]


# cat /etc/passwd

Stores information about local users. The format has seven colon-separated fields:
username:password:UID:GID:GECOS:/home/dir:shell

1. username is a mapping of a UID to a name for the benefit of human users.
# id
The id command shows information about the currently logged-in user: its uid, gid and groups.

# ps au
To view process information use the ps command (a = all users, u = user-oriented format).
The output shows the user name and PID of each process.
2. password is where passwords were historically kept in an encrypted format. They are now stored in a separate file, /etc/shadow, and this field holds an x.
3. UID is the user ID, a number that identifies the user at the most fundamental level.
A user can also belong to secondary (supplementary) groups.

Commands:

# groupadd sysadmins (creates a group named sysadmins)
# useradd harry -G sysadmins (creates user harry with sysadmins as a secondary group)

# usermod (modifies existing users)
# usermod --help (displays the basic options)
# usermod -G groupname username
This adds the user to the given secondary group and removes them from all other secondary groups.
# usermod -aG groupname username
This adds the user to the secondary group while keeping existing memberships (-a is append, -G is supplementary/secondary group).
               
4. GID is the user's primary group ID number.

Commands:
# usermod -g groupname username
This makes groupname the user's primary group, replacing the previous primary group.

To remove a user from a group, or to rename a group:

# groupmod (modifies existing groups)
# groupmod -n newname oldname (renames a group)
# groupmems -g grpname -d username (removes a user from the group)

5. GECOS field is arbitrary text or comments, which usually includes the user's real name.
# usermod -c "localuser" username (sets the comment field)

6. /home/dir is the location of the user's personal data and configuration files.

# usermod -d /home/user2 user1 (changes the home directory of user1; add -m to also move the existing contents)

To add a user with UID 4032 whose home directory lives under /India/Redhat:
# mkdir -p /India/Redhat
# useradd -u 4032 -b /India/Redhat username
(-b sets the base directory, so the home directory becomes /India/Redhat/username)

7. shell is the program that runs when the user logs in. For a regular user, this is normally the program that provides the user's command-line prompt.
# echo $SHELL (shows the shell of the current login session)

To view all available shells:
# chsh -l
# less /etc/shells (lists the available shells)

Alternative ways to change shells:
# /bin/bash (starts a new shell for the current session only; the change is temporary)
# chsh -s /bin/bash username (changes the login shell permanently)
# usermod -s /bin/bash username (-s or --shell; changes the login shell)
# usermod -s /sbin/nologin username (sets the shell to nologin, which refuses interactive logins)
# vim /etc/passwd (edit the 7th and last field by hand; vipw is safer because it locks the file while editing)



DIFFERENCE BETWEEN SHELLS:

OPTIONS TO USERMOD:

# usermod -L username
(locks the user account by placing a ! in front of the password hash in /etc/shadow)

# usermod -U username
(unlocks the user account by removing the ! in front of the password hash in /etc/shadow)

# userdel username (deletes the user but keeps the home directory and files)

# userdel -r username (deletes the user together with the home directory and mail spool)





Understanding /etc/shadow:



Managing User Passwords

Shadow passwords and password policy
In the distant past, encrypted passwords were stored in the world-readable /etc/passwd file. This was thought to be reasonably secure until dictionary attacks on encrypted passwords became common. At that point, the encrypted passwords, or "password hashes," were moved to the more secure /etc/shadow file. This new file also allowed password aging and expiration features to be implemented.
# ls -l /etc/shadow
-r-------- (read permission for the root user only)

There are three pieces of information stored in a modern password hash:
$1$gCjLa2/Z$6PueEKOAszjxijhoLOB/
1. 1: The hashing algorithm. The number 1 indicates an MD5 hash. The number 6 appears when a SHA-512 hash is used.

2. gCjLa2/Z: The salt used when hashing the password. It is originally chosen at random. The salt and the plaintext password are combined and hashed to create the stored password hash. The use of a salt prevents two users with the same password from having identical entries in the /etc/shadow file.

3. 6PueEKOAszjxijhoLOB/: The password hash itself.
When a user tries to log in, the system looks up the entry for the user in /etc/shadow, combines the stored salt with the plaintext password that was typed in, and hashes them using the algorithm specified; if the result matches the stored hash, the password is correct.

Red Hat Enterprise Linux 7 defaults to SHA-512 password hashing.
/etc/shadow format
The format of /etc/shadow follows (nine colon-separated fields):
name:password:lastchange:minage:maxage:warning:inactive:expire:blank

1. The login name. This must be a valid account name on the system.

2. The encrypted password. A password field which starts with an exclamation mark means that the password is locked.

3. The date of the last password change, represented as the number of days since 1970-01-01.

4. The minimum number of days before a password may be changed, where 0 means "no minimum age requirement".
5. The maximum number of days before a password must be changed.
6. The warning period that a password is about to expire. Represented in days, where 0 means "no warning given."
7. The number of days an account remains active after a password has expired. A user may still log into the system and change the password during this period. After the specified number of days, the account is locked, becoming inactive.
8. The account expiration date, represented as the number of days since 1970-01-01.
9. This blank field is reserved for future use.
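As an added example (not from the original notes), the following POSIX shell script parses shadow-style records using the nine fields listed above and the $id$salt$hash layout from the previous section, and reports the lock state, the hashing algorithm, and passwords or accounts that have expired. Every account name, salt, hash and the fixed "today" value are constructed sample data; point audit_line at real /etc/shadow lines to audit a host.

```shell
#!/bin/sh
# Added example, not part of the original notes: audits /etc/shadow-style records
# using the nine-field layout and the $id$salt$hash structure described above.
# Every account name, salt, hash and date below is constructed sample data.
SAMPLE_SHADOW='root:$6$c0nStruct$FakeHashValue:16000:0:99999:7:::
harry:$1$gCjLa2/Z$6PueEKOAszjxijhoLOB/:15900:0:90:7:14::
alice:!$6$l0ckedSalt$FakeLockedHash:16050:0:90:7:::
backup:*:16000:0:99999:7::16500:
bob:$6$abc$FakeHash:16000:0:90:7::16090:'
TODAY_DAYS=16100   # constructed "today" in days since 1970-01-01 (unit of fields 3 and 8)

# hash_algo PASSWORD_FIELD -> algorithm named by the $id$ prefix of field 2
hash_algo() {
    field=${1#!}                               # drop the ! lock marker, if present
    IFS='$' read -r _unused id _rest <<EOF
$field
EOF
    case "$id" in
        1) echo MD5 ;;  5) echo SHA-256 ;;  6) echo SHA-512 ;;
        *) echo none ;;                        # '*', '!!' or another non-hash value
    esac
}
# audit_line SHADOW_RECORD -> "name: lockstate algorithm findings"
audit_line() {
    IFS=: read -r name pw last min max warn inact expire blank <<EOF
$1
EOF
    state=unlocked; findings=""
    case "$pw" in '!'*|'*') state=locked ;; '') state=NO-PASSWORD ;; esac
    algo=$(hash_algo "$pw")
    [ "$algo" = MD5 ] && findings="$findings weak-hash"
    # field 3 + field 5 is the last day the password is valid; field 7 adds a grace period
    if [ -n "$max" ] && [ "$max" -lt 99999 ] && [ $((last + max)) -lt "$TODAY_DAYS" ]; then
        if [ -n "$inact" ] && [ $((last + max + inact)) -lt "$TODAY_DAYS" ]; then
            findings="$findings password-expired,inactive"
        else
            findings="$findings password-expired"
        fi
    fi
    # field 8 is an absolute day (what chage -E sets); past it the whole account is expired
    [ -n "$expire" ] && [ "$expire" -lt "$TODAY_DAYS" ] && findings="$findings account-expired"
    echo "$name: $state $algo${findings:- ok}"
}
# audit_all -> one report line per record in SAMPLE_SHADOW
audit_all() {
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r line; do audit_line "$line"; done
}
audit_all
```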


[root@serverx ~]# chage -m 0 -M 90 -w 7 -I 14 username
-m (mindays), -M (maxdays), -w (warndays), -I (inactive days)
[root@serverx ~]# chage -d 0 username
will force a password update on next login.

[root@serverx ~]# chage -l username
will list a username's current settings.

[root@serverx ~]# chage -E YYYY-MM-DD username
will expire an account on a specific day.

The date command can be used to calculate a date in the future.
[student@serverx ~]$ date -d "+45 days"
Sat Mar 22 11:47:06 EDT 2014
 

