Chapter 33. User Account Management

Objectives

  • Explain the purpose of individual user accounts and list their main attributes
  • Create new user accounts and modify existing account properties as well as remove or lock accounts
  • Understand how user passwords are set, encrypted and stored, and how to require changes in passwords over time for security purposes
  • Explain how restricted shells and restricted accounts work
  • Understand the role of the root account and when to use it

User Accounts

Linux supports multiple users by

  • Making user space available
    • A location in the filesystem in which the user can have
      • files
      • scripts
      • programs
      • custom configurations
  • Allowing the creation of users for several purposes
  • Providing a privilege mechanism

Attributes of a User Account

Each user on the system has an entry within 

/etc/passwd
....
beav:x:1000:1000:Theodore Cleaver:/home/beav:/bin/bash
warden:x:1001:1001:Ward Cleaver:/home/warden:/bin/bash
dobie:x:1002:1002:Dobie Gillis:/home/dobie:/bin/bash
....

The seven elements here are

  1. User name
  2. User password
  3. User identification number (UID)
  4. Group identification number
  5. Comment or GECOS information
  6. Home directory
  7. Login shell

Creating User Accounts with useradd

$ sudo useradd alejandro

This command does the following

  • Assigns the next available UID (specified in /etc/login.defs)
  • Creates a primary group with GID equal to the UID and assigns it to the user
  • Creates a home directory /home/alejandro and makes the user the owner of that directory
  • Sets the user's login shell to the default (/bin/bash)
  • Copies the contents of /etc/skel to /home/alejandro
  • Sets either !! or ! in the user's /etc/shadow entry, so that the administrator must set a password before the account is usable

This command can also be used with different parameters

$ sudo useradd -s /bin/csh -m -k /etc/skel -c "Alejandro Bernal Collazos" bmoose

Modifying and Deleting User Accounts

Delete

The root user can remove user accounts using userdel

$ sudo userdel alejandro

This command will

  • Erase the user entries from /etc/passwd
  • Erase the user entries from /etc/shadow
  • Erase the user entries from /etc/group
  • NOT delete the home directory /home/alejandro
    • This allows the account to be re-established later
    • However, if the -r option is used, the user's home directory will also be deleted

Modify

We can make the following kinds of modifications

  • change group memberships
  • change home directory
  • change login name
  • change password
  • change default shell
  • change user id
  • change user attributes

Usage

$ sudo usermod --help

Adding user "sampleuser" to group "samplegroup"

$ sudo usermod -aG samplegroup sampleuser

List the groups that the user sampleuser belongs to

$ sudo groups sampleuser

Locked Accounts

These accounts can run programs but can never log in to the system, and they have no valid password associated with them.

Sample

bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin

The nologin shell returns the following if a locked user tries to log in to the system

This account is currently not available

Or whatever message is stored in

/etc/nologin.txt

Such locked accounts are created for special purposes, either by system services or applications. We can find these users by scanning for nologin in

/etc/passwd

To lock the account of a particular user, execute

$ sudo usermod -L alejandro

To unlock a user, use the -U option

$ sudo usermod -U alejandro

Another way to lock an account is to set the user's expiration date to a date in the past

$ sudo chage -E 2014-09-12 alejandro

Another approach is to edit the file

/etc/shadow

Replacing the user's hashed password with !! or some other invalid string

User IDs and /etc/passwd

Within the file

/etc/passwd

we can see one record per user.

The password of a user is often hashed and stored within the file

/etc/shadow

If the shadow file is used, an "x" appears in the password field of the user's record in /etc/passwd.

If the shadow file is not used, the password is hashed and stored within /etc/passwd itself.

Convention

Users with a user ID less than 1000 are considered special and belong to the system. That is why normal user IDs start from 1000. The actual starting value is defined as UID_MIN in

/etc/login.defs
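
The two checks described above (scanning /etc/passwd for nologin accounts, and applying the UID_MIN convention) can be scripted. The following is an added example, not part of the original notes; the function names and every sample record are constructed for illustration, and UID_MIN is assumed to be 1000.

```shell
#!/bin/sh
# Added example. All records below are constructed; no real hashes appear.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
svc:x:101:101:Constructed service account:/var/lib/svc:/bin/bash
beav:x:1000:1000:Theodore Cleaver:/home/beav:/bin/bash
legacy:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:1003:1003:Pre-shadow entry:/home/legacy:/bin/bash
EOF
}

# List accounts whose login shell (field 7) is nologin.
nologin_accounts() {
    awk -F: '$7 ~ /\/nologin$/ { print $1 }'
}

# Report findings for passwd-format records read from stdin.
# $1 = UID_MIN, the first regular-user UID (assumed 1000 if not given).
audit_passwd() {
    awk -F: -v uid_min="${1:-1000}" '
        NF != 7 { print "MALFORMED line " NR; next }
        # Field 2 is "x" when the hash lives in /etc/shadow. A value that
        # starts with "$" is a crypt hash kept in this world-readable file.
        $2 ~ /^\$/ { print "HASH_IN_PASSWD " $1 }
        # System account (UID below UID_MIN, root excluded) that still has
        # a real login shell instead of nologin or false.
        $3 > 0 && $3 < uid_min + 0 && $7 !~ /\/(nologin|false)$/ {
            print "SYSTEM_LOGIN_SHELL " $1
        }
    '
}

# Demo on the constructed sample.
# On a real host: audit_passwd 1000 < /etc/passwd
sample_passwd | nologin_accounts
sample_passwd | audit_passwd 1000
```
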

/etc/shadow

This file contains one record per user that determines certain attributes

Sample

daemon:*:16141:0:99999:7:::

The fields mean

  • username
    • Unique user name
  • password
    • Hashed (sha512) value of the password
  • lastchange
    • Days since Jan 1, 1970 that password was last changed
  • mindays
    • Minimum days before password must be changed
  • maxdays
    • Maximum days after which password must be changed
  • warn
    • Days before password expires that the user is warned
  • grace
    • Days after password expires that account is disabled
  • expire
    • Date that account is/will be disabled
  • reserved
    • Reserved field

Why Use /etc/shadow

Regrettably, the file /etc/passwd has 644 permissions, meaning that anyone can read it and extract the users' hashed passwords (utilities such as Crack and John the Ripper can be used to decode the hashed passwords).

That is why the file /etc/shadow exists: it has 400 permissions, meaning that only root can read it.

Password Management

Passwords can be changed with the command

passwd

A normal user can change their own password, while root can change any password.

$ sudo passwd alejandro

Password Aging

The utility that we can use for this purpose is

chage [-m mindays] [-M maxdays] [-d lastday] [-I inactive] [-E expiredate] [-W warndays] <user>

Examples

$ sudo chage -l stephane
$ sudo chage -m 14 -M 30 kevin
$ sudo chage -E 2016-9-1 alejandro
$ sudo chage -d 0 clyde

Only the root user can use chage. The only exception is that every user can use chage to see their aging information.

Example

$ sudo chage -l alejandro
Last password change                              : never
Password expires                                  : never
Password inactive                                 : never
Account expires                                   : never
Minimum number of days between password change    : 0
Maximum number of days between password change    : 99999
Number of days of warning before password expires : 7

To force a user to change their password at their next login

$ sudo chage -d 0 <user>
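
As an added example (not from the original notes), the script below reads /etc/shadow-format records and reports what the password, lastchange, maxdays, warn and expire fields imply, including the states produced by chage -d 0 and chage -E. The records, the placeholder hashes and the function names are constructed; the current date is passed in as days since Jan 1, 1970.

```shell
#!/bin/sh
# Added example. Constructed records: the "hashes" are placeholders, not real.
# 16325 is 2014-09-12, the date passed to chage -E earlier in the text.
sample_shadow() {
cat <<'EOF'
daemon:*:16141:0:99999:7:::
alejandro:!!:16300:0:99999:7:::
beav:$6$SALT$PLACEHOLDER:16440:0:99999:7:::
kevin:$6$SALT$PLACEHOLDER:16400:14:30:7:::
warden:$6$SALT$PLACEHOLDER:16425:14:30:7:::
clyde:$6$SALT$PLACEHOLDER:0:0:99999:7:::
dobie:$6$SALT$PLACEHOLDER:16420:0:99999:7::16325:
EOF
}

# shadow_status TODAY
# TODAY is the current date in days since Jan 1, 1970,
# for example: $(( $(date +%s) / 86400 ))
shadow_status() {
    awk -F: -v today="$1" '
    NF != 9 { print $1, "MALFORMED"; next }
    {
        pw = $2; last = $3; max = $5; warn = $6; expire = $8
        if (expire != "" && expire + 0 <= today + 0)
            state = "ACCOUNT_EXPIRED"        # result of chage -E with a past date
        else if (pw == "*" || pw ~ /^!/)
            state = "NO_VALID_PASSWORD"      # *, !, !! or a hash prefixed with !
        else if (last != "" && last + 0 == 0)
            state = "MUST_CHANGE_AT_LOGIN"   # result of chage -d 0
        else if (max != "" && last + max < today + 0)
            state = "PASSWORD_EXPIRED"       # lastchange + maxdays has passed
        else if (max != "" && warn != "" && last + max - today <= warn + 0)
            state = "PASSWORD_EXPIRES_SOON"  # inside the warning window
        else
            state = "OK"
        print $1, state
    }'
}

# Demo with a fixed, constructed "today" so the result is reproducible.
sample_shadow | shadow_status 16450
```
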

Restricted Shell

Under Linux it is possible to use a restricted shell, which can be invoked as

$ /bin/bash -r

It is a more tightly controlled environment than a standard shell. In particular it

  • Prevents the user from changing to any directory outside of their home directory tree
  • Prevents the user from redefining the following environment variables: SHELL, ENV and PATH
  • Does not permit the user to specify the absolute path or executable command names starting from /
  • Prevents the user from redirecting input and/or output

Because the restricted shell executes $HOME/.bash_profile without restriction, the user must have neither write nor execute permission on the /home directory.

Restricted Accounts

There are times when granting access to a user is necessary but should be limited in scope. Setting up a restricted user account can be useful in this context. A restricted account

  • Uses the restricted shell
  • Limits available system programs and user applications
  • Limits system resources
  • Limits access times
  • Limits access locations

From the command line, or from a script, a restricted shell may be invoked with

/bin/bash -r

However, flags may not be specified in the /etc/passwd file. A simple way to get around this restriction is to do one of the following

  • $ cd /bin ; sudo ln -s bash rbash
  • $ cd /bin ; sudo ln bash rbash
  • $ cd /bin ; sudo cp bash rbash

And then use /bin/rbash as the shell in

/etc/passwd

The root Account

By default, root logins through the network are generally prohibited for security reasons. One can permit secure shell logins using ssh, which is configured with

/etc/ssh/sshd_config

And PAM (Pluggable Authentication Modules), through the pam_securetty.so module and the associated

/etc/securetty

Root login is permitted only from the devices listed in 

/etc/securetty
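
To check how root login over ssh is configured, the keyword to look for in /etc/ssh/sshd_config is PermitRootLogin. The following added example (not from the original notes) reports its global value and any value set inside a Match block; the sample configuration and the function names are constructed.

```shell
#!/bin/sh
# Added example. The configuration text below is constructed for the demo.
sample_sshd_config() {
cat <<'EOF'
# constructed sample
Port 22
#PermitRootLogin yes
permitrootlogin no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin prohibit-password
EOF
}

# Print "global=<value> match=<values|none>" for sshd_config text on stdin.
root_login_setting() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)           # keyword, then its argument
            key = tolower(f[1])                 # keywords are case-insensitive
            if (key == "match") { in_match = 1; next }
            if (key != "permitrootlogin") next
            val = tolower(f[2])
            if (in_match)                       # conditional override
                matched = (matched == "" ? val : matched "," val)
            else if (global == "")
                global = val                    # the first value obtained is used
        }
        END {
            # "unset" means sshd falls back to its built-in default.
            printf "global=%s match=%s\n", (global == "" ? "unset" : global), (matched == "" ? "none" : matched)
        }'
}

# Demo on the constructed sample.
# On a real host: root_login_setting < /etc/ssh/sshd_config
sample_sshd_config | root_login_setting
```

On a live system, running sshd -T as root prints the effective configuration and is the authoritative answer.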

PAM can also be used to restrict which users are allowed to su to root. It might also be worth it to configure auditd to log all commands executed as root.

SSH

Secure Shell

$ whoami
alejandro
$ ssh alejandrobernalcollazos.com
alejandro@alejandrobernalcollazos.com's password: (type password)

To log in as a different user

$ ssh <user>@alejandrobernalcollazos.com
root@alejandrobernalcollazos.com's password: (type password)

or

$ ssh -l root alejandrobernalcollazos.com
root@alejandrobernalcollazos.com's password: (type password)

To copy files from one system to another

$ scp file.txt alejandrobernalcollazos.com:/tmp
$ scp file.txt student@alejandrobernalcollazos.com:/home/student
$ scp -r some_dir alejandrobernalcollazos.com:/tmp/some_dir

To run a command on multiple machines simultaneously

$ for machines in node1 node2 node3
do (ssh "$machines" some_command &)
done

SSH configuration files

There is a directory called

.ssh

within every user's home directory, which contains

  • id_rsa
    • User's private encryption key
  • id_rsa.pub
    • User's public encryption key
  • authorized_keys
    • A list of public keys that are permitted to login
  • known_hosts
    • A list of hosts from which logins have been allowed in the past
  • config
    • A configuration file for specifying various options

First we need to generate our private and public encryption keys with ssh-keygen

$ ssh-keygen

This will also generate the public key

id_rsa.pub

The private key must never ever be shared with anyone.

The public key can be given to any machine with which you want to permit password-less access. It should be added to your authorized_keys file.

The known_hosts file is gradually built up as ssh accesses occur. If the system detects changes in the users who are trying to log in through ssh, it will warn you of them and afford the opportunity to deny access. Note that the authorized_keys file contains information about users and machines.

$ cat authorized_keys

While the known_hosts file only contains information about computer nodes

$ cat known_hosts

Laboratory