Objectives
- Explain the purpose of individual user accounts and list their main attributes
- Create new user accounts and modify existing account properties as well as remove or lock accounts
- Understand how user passwords are set, encrypted and stored, and how to require changes in passwords over time for security purposes
- Explain how restricted shells and restricted accounts work
- Understand the role of the root account and when to use it
User Accounts
Linux allows multi user support by
- Make available user space
- A location in the filesystem in which the user can have
- files
- scripts
- programs
- custom configurations
- A location in the filesystem in which the user can have
- Allow the creation of user for several purposes
- Have a mechanism of priviledges
Attributes of a User Account
Each user on the system has an entry within
/etc/passwd .... beav:x:1000:1000:Theodore Cleaver:/home/beav:/bin/bash warden:x:1001:1001:Ward Cleaver:/home/warden:/bin/bash dobie:x:1002:1002:Dobie Gillis:/home/dobie:/bin/bash ....
The seven elements here are
- User name
- User password
- User identification number (UID)
- Group identification number
- Comment or GECOS information
- Home directory
- Login shell
Creating User Accounts with useradd
$ sudo useradd alejandro
This command does
- Assing the next available UID (specified in /etc/login.defs)
- Create a primary group with GID equals to UID and assign it to the user
- Create a home directory /home/alejandro and make the user owner of such directory
- Set the default login (/bin/bash) shell to the user
- Copy the content of /etc/skel to /home/alejandro
- Set either !! or ! into /etc/shadow file for the user entry in order to make the administrator set a default password for the user to be usable
This command can also be used with different parameters
$ sudo useradd -s /bin/csh -m -k /etc/skel -c "Alejandro Bernal Collazos" bmoose
Modifying and Deleting User Accounts
Delete
The root user can remove user accounts using userdel
$ sudo userdel alejandro
This command will
- Erase the user entries from /etc/passwd
- Erase the user entries from /etc/shadow
- Erase the user entries from /etc/group
- Does NOT delete the home directory /home/alejandro
- In case the account can be restablished later
- However if the -r option is used the user's home directory will also be deleted
Modify
We can perform this sort of modifications
- change group memberships
- change home directory
- change login name
- change password
- change default shell
- change user id
- change user attributes
Usage
$ sudo usermod --help
Adding user "sampleuser" to group "samplegroup"
$ sudo usermod -aG samplegroup sampleuser
List the groups that a user sampleuser belongs to
$ sudo groups sampleuser
Locked Accounts
These accounts can run programs but never can login to the system and have no valid password associated with them.
Sample
bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin
The nologin shell returns the following if a locked user tries to login to the system
This account is currently not available
Or whatever message is stored in
/etc/nologin.txt
Such locked accounts are created for special purposes, either by systems services or applications. We can check which are those users scanning for the nologin at
/etc/passwd
In order to lock an account of a particular user execute
$ sudo usermod -L alejandro
To unlock a user the -U option
$ sudo usermod -U alejandro
Other way to lock an account is to use an expiration date of the user in the past
$ sudo chage -E 2014-09-12 alejandro
Another approach is to edit the file
/etc/shadow
Replacing the user's hashed password with !! or some other invalid string
User IDs and /etc/passwd
Within the file
/etc/passwd
we can see the registry per user.
The password of a user is often hashed and stored within the file
/etc/shadow
if the shadow file is used we can see the use of a "x" within the registry of the user at the /etc/passwd file.
if the shadow file is not user then the password is hashed and stored within the /etc/passwd.
Convention
Users with userid less than 1000 are considered special and belongs to the system. That's why normal user ID's start from 1000. The actual value can be defined as UID_MIN and is defined in
/etc/login.defs
/etc/shadow
This file contains a registry per user that determines certain attributes
Sample
daemon:*:16141:0:99999:7:::
The fields means
- username
- Unique user name
- password
- Hashed (sha512) value of the password
- lastchange
- Days since Jan 1, 1970 that password was last changed
- mindays
- Minimun days before password must be changed
- maxdays
- Maximin days after which password must be changed
- warn
- Days before password expires that the user is warned
- grace
- Days after password expires that account is disabled
- expire
- Data that account is/will be disabled
- reserved
- Reserved field
Why Use /etc/shadow
Regrettably the file /etc/passwd has 644 permission, meaning that anyone can read and extrat the user's hashed password (Utilities Crack and John the Ripper can be used to decode the hashed password).
That is why the file /etc/shadow does exist since it has 400 as permission, meaning that only root can read this file.
Password Management
Password can be changed with the command
passwd
A normal user can change its password, while root can change any password.
$ sudo passwd alejandro
Password Aging
The utility that we can use for this purpose is
change [-m mindays] [-M maxdays] [-d lastday] [-I inactive] [-E expiredate] [-W warndays] <user>
Examples
$ sudo chage -l stephane $ sudo chage -m 14 -M 30 kevin $ sudo chage -E 2016-9-1 alejandro $ sudo chage -d 0 clyde
Only the root user can use chage. The only exception is that every user can use chage to see their aging information.
Example
$ sudo chage -l alejandro Last password change : never Password expires : never Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 7
To force a user to change their password at their next login
$ sudo chage -d 0 <user>
Restricted Shell
Under Linux it is possible to use a restricted shell which can be invoked as
$ /bin/bash -r
Is a tightly controlled environment that a standard shell. In particular it
- Prevents the user from changing to any directory outside of their home directory tree
- Prevents the user from redefining the following environment variables: SHELL, ENV and PATH
- Does not permit the user to specify the absolute path or executable command names starting from /
- Prevents the user from redirecting input and/or output
Because the restricted shell executes $HOME/.bash_profile without restriction, the user must have neither write nor execute permission on the /home directory
Restricted Accounts
There are times when granting access to a user is necessary but should be limited in scope. Setting up a restricted user account can be useful in this context. A restricted account
- Uses the restricted shell
- Limits available system programs and user applications
- Limits system resources
- Limits access times
- Limits access locations
From the command line, or from a script, a restricted shell may be invoked with
/bin/bash -r
However flags may not be specified in the /etc/passwd file. A simple way to get around this restriction would be to do one of these
- $ cd /bin ; sudo ln -s bash rbash
- $ cd /bin ; sudo ln bash rbash
- $ cd /bin ; sudo cp bash rbash
And the use /bin/rbash as the shell in
/etc/passwd
The root Account
By default root login through the network are generally prohibited for security reasons. One can permit secure shell logins using ssh, which is configured with
/etc/ssh/sshd_config
And PAM (Pluggable Authentication Modules), through the pam_securetty.so module and the associated
/etc/securetty
Root login is permitted only from the devices listed in
/etc/securetty
PAM can also be used to restrict which users are allowed to su to root. It might also be worth it to configure auditd to log all commands executed as root
SSH
Secure Shell
$ whoami alejandro $ ssh alejandrobernalcollazos.com [email protected]'s password: (type password)
To login with a different user
$ ssh <user>@alejandrobernalcollazos.com [email protected]'s password: (type password)
or
$ ssh -l root alejandrobernalcollazos.com [email protected]'s password: (type password)
To copy files from one system to another
$ scp file.txt alejandrobernalcollazos.com:/tmp $ scp file.txt [email protected]/home/student $ scp -r some_dir alejandrobernalcollazos.com:/tmp/some_dir
To run a command on multiple machines simultaneously
$ for machines in node1 node2 node3 do (ssh $machines some_command &) done
Ssh configuration files
There is a file called
.ssh
Within every user's home directory, which contains
- id_rsa
- User's private encryption key
- id_rsa.pub
- User's public encryption key
- authorized_keys
- A list of public keys that are permitted to login
- known_hosts
- A list of host from which logins have been allowed in the past
- config
- A configuration file for specifying various options
First we need to generate our private and public encryption keys with ssh-keygen
$ ssh-keygen
This will also generate the public key
id_rsa.pub
The private key must never ever be shared with anyone.
The public key can be given to any machine with which you want to permit password-less access. It should be added to your authorized_keys file.
known_hosts file is gradually built up as ssh accesses occur. If the system detects changes in the users who are trying to log in through ssh it will warn you of them and afford the opportunity to deny access. Note that the authorized keys file contains information about users and machines.
$ cat authorized_keys
While the known hosts only contains information about computer nodes
$ cat known_hosts
