User management

  • Add a user with an explicit UID, primary group, comment, home directory and shell: useradd -u <uid> -g <gid/group> -c "Comment" -m -d </home/homedir> -s <shell> <username>
  • Add a user without a user-private group, so it gets the default group from /etc/default/useradd (GID 100, users, on RHEL): useradd -n <username> (newer shadow-utils spell this option -N)
  • Display the current default values: useradd -D
  • Change the default shell (or edit /etc/default/useradd): useradd -D -s /bin/sh
  • Display the status of the password for a given account: passwd -S <username>
  • Print the list of shells listed in /etc/shells: chsh -l
  • Change a user's finger (GECOS) information: chfn <username>
  • Change a user's login shell: chsh -s /bin/sh <username>
  • Lock a user's password (prefixes the hash in /etc/shadow with '!'): usermod -L <username> or passwd -l <username>. This blocks password authentication only: SSH keys, cron jobs and su from root still work, so to disable the account also expire it (chage -E 0 <username>) or set a nologin shell.
  • Unlock a user's password (removes the '!'): usermod -U <username> or passwd -u <username>
  • Set an already-hashed password: usermod -p '<crypt-hash>' <username>. The hash lands in the shell history and is visible in ps while the command runs; echo '<username>:<crypt-hash>' | chpasswd -e avoids the second problem.
  • Set the nologin shell for an account: usermod -s /sbin/nologin <username>
  • Print group memberships: groups <username> or id <username>
  • Update passwords in batch mode (clear-text password on the command line, and therefore in the shell history): echo "daniel:password" | chpasswd. With chpasswd -e the second field is a crypt hash instead.
  • Set a password from standard input (RHEL-specific option, clear-text password): echo "password" | passwd --stdin <username>
  • List all users with a usable password hash (skips locked '!' and '*' entries and empty password fields): awk -F: '$2 != "" && $2 !~ /^[*!]/ {print $1}' /etc/shadow
  • List all users >= UID_MIN (RHEL 5-6, UID_MIN is 500; 65534 is nfsnobody): awk -F: '($3>=500) && ($3!=65534) {print $1}' /etc/passwd
  • List all users >= UID_MIN (RHEL 7, UID_MIN is 1000; nfsnobody is still 65534, so exclude it here too): awk -F: '($3>=1000) && ($3!=65534) {print $1}' /etc/passwd
  • List aging information for all users >= UID_MIN (RHEL 5-6): awk -F: '$3 >= 500 {print $1}' /etc/passwd | xargs -I {} chage -l {}
  • Manually edit /etc/passwd (takes the lock so useradd/passwd cannot change the file underneath you): vipw; vipw -s edits /etc/shadow
  • Manually edit /etc/group: vigr; vigr -s edits /etc/gshadow
  • Delete the password for an account (leaves an empty field, which allows login without a password wherever pam_unix has nullok): passwd -d <username>
  • Verify the integrity of /etc/passwd and /etc/shadow: pwck -r (read-only check); pwck -s sorts the entries by UID; grpck -r does the same check for /etc/group and /etc/gshadow
  • Add the user to a supplementary group: usermod -a -G <group> <username> or gpasswd -a <username> <group> (without -a, usermod -G replaces the whole supplementary group list with what you pass)
  • Remove the user from a group: gpasswd -d <username> <group>
  • Remove all supplementary groups for a user: usermod -G "" <username>
  • Set a password for a group (lets non-members newgrp into it; rarely a good idea): gpasswd <group>
  • Start a new shell with a different current group ID: newgrp <group>
  • Start a new shell with the login group as current group ID again (newgrp always spawns a shell; exit drops back to the previous one): newgrp
  • Create a system account (UID/GID taken from below UID_MIN, no password, no home directory created):
groupadd -r <group>
useradd -r -g <group> -c <comment> -s /sbin/nologin -d / <username>
  • Generate a random password (62-symbol alphabet, so 8 characters is only about 48 bits; 16 characters gives about 95 bits and is a better default for anything that is not rotated immediately):
tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16; echo
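The listing one-liners above, as an added example that is not part of the original page: the same checks written as shell functions that take the files as arguments, so they can be run against copies of /etc/passwd, /etc/shadow and /etc/login.defs collected from another host, and UID_MIN is read from login.defs instead of being hard-coded per RHEL release. The sample files are constructed for the demonstration.

```bash
#!/bin/bash
# Added example (not from the original page): account-audit helpers that
# take passwd/shadow/login.defs paths as arguments. Sample data is constructed.

# Accounts that have a usable password hash.
# Skips fields starting with '*' or '!' (locked / no login) and empty fields.
users_with_password() {   # $1 = shadow file
    awk -F: '$2 != "" && $2 !~ /^[*!]/ { print $1 }' "$1"
}

# Accounts with an empty password field: they can log in without a
# password wherever pam_unix is configured with nullok, so alert on them.
users_without_password() {   # $1 = shadow file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# UID_MIN from login.defs (500 on RHEL 5/6, 1000 on RHEL 7); 1000 if absent.
uid_min() {   # $1 = login.defs
    awk '$1 == "UID_MIN" { v = $2 } END { print (v == "" ? 1000 : v) }' "$1"
}

# Human (non-system) accounts: UID >= UID_MIN, excluding nfsnobody (65534),
# which sits above UID_MIN on both RHEL 6 and RHEL 7.
human_users() {   # $1 = passwd file, $2 = login.defs
    awk -F: -v min="$(uid_min "$2")" '$3 >= min && $3 != 65534 { print $1 }' "$1"
}

# Random password from a 62-symbol alphabet; 16 characters is about 95 bits.
random_password() {   # $1 = length (default 16)
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-16}"
    echo
}

# --- constructed sample files (not real system files) ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daniel:x:500:500:Daniel:/home/daniel:/bin/bash
nicoleta:x:501:501:Nicoleta:/home/nicoleta:/bin/bash
svc_backup:x:498:498:backup:/var/lib/backup:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
EOF
cat > "$TMP/shadow" <<'EOF'
root:$6$saltsalt$hashhashhash:17000:0:99999:7:::
bin:*:15980:0:99999:7:::
daniel:$6$saltsalt$hashhashhash:17000:0:90:7:::
nicoleta:!!:17000:0:99999:7:::
svc_backup::17000:0:99999:7:::
nfsnobody:!!:15980:0:99999:7:::
EOF
printf 'PASS_MAX_DAYS 99999\nUID_MIN 500\nUID_MAX 60000\n' > "$TMP/login.defs"

echo "password set:   $(users_with_password "$TMP/shadow" | tr '\n' ' ')"
echo "no password:    $(users_without_password "$TMP/shadow" | tr '\n' ' ')"
echo "human accounts: $(human_users "$TMP/passwd" "$TMP/login.defs" | tr '\n' ' ')"
echo "random:         $(random_password 16)"
```

On the sample data the script reports root and daniel as the only accounts with a usable hash, svc_backup as passwordless, and daniel and nicoleta as the human accounts; nfsnobody is skipped even though its UID is above UID_MIN.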

chage

  • Operates interactively, prompting for every field: chage <username>
  • Show account aging information: chage -l <username>
  • Force the user to change the password at the next login (sets the last-change date to 0): chage -d 0 <username> or passwd -e <username>
  • Set the account expiry date (login is refused from that date on, whatever the password state): chage -E 2017-05-24 <username>
  • Lock the account X days after the password has expired (the inactivity window counts from password expiry, not from the last login): chage -I 30 <username>
  • Push the "Account expires" date 90 days out from today:
chage -E "$(date -d '+90 days' +%Y-%m-%d)" <username>
  • Push the "Password expires" date out: chage -l computes it as the last password change (-d) plus the maximum age (-M), so either restart the clock from today
chage -d "$(date +%Y-%m-%d)" <username>
    or raise the maximum age (chage -M 90 <username>), rather than setting -d to a date in the future, which records a password change that never happened
  • Disable password aging: chage -m 0 -M 99999 -I -1 -E -1 <username>
  • Set the maximum password age in days, counted from the last change ("Password expires" in chage -l is recalculated accordingly): chage -M 30 <username>
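Because "Password expires" is nothing more than the last-change day plus the maximum age, the whole aging picture can be reconstructed from /etc/shadow without running chage -l per user. The script below is an added example, not part of the original page: it prints the password and account expiry dates for every entry in a shadow file and flags accounts that are already expired or must change at next login. It assumes GNU date (for -d @seconds) and uses a constructed sample shadow file.

```bash
#!/bin/bash
# Added example (not from the original page): rebuild the dates chage -l
# prints from the raw /etc/shadow fields, for a whole file in one pass.
# Fields (colon-separated): 1 name, 2 hash, 3 last change (days since
# 1970-01-01), 4 min age, 5 max age, 6 warn, 7 inactive, 8 account expiry
# (days since epoch), 9 reserved. "Password expires" = field 3 + field 5.
# Needs GNU date. The sample shadow file below is constructed.

days_to_date() {   # $1 = days since epoch -> YYYY-MM-DD
    date -u -d "@$(( $1 * 86400 ))" +%F
}

today_days() {
    echo $(( $(date -u +%s) / 86400 ))
}

# Day number on which the password expires, or "never" when aging is off
# (empty, negative or 99999 max age, as chage -M -1 / -M 99999 produce).
password_expiry_day() {   # $1 = last change day, $2 = max age
    if [ -z "$2" ] || [ "$2" -lt 0 ] || [ "$2" -ge 99999 ]; then
        echo never
    else
        echo $(( $1 + $2 ))
    fi
}

# Print "user password_expires account_expires status" per shadow entry.
aging_report() {   # $1 = shadow file
    local now user hash lastchg min max warn inact expire rest pw acct status
    now=$(today_days)
    while IFS=: read -r user hash lastchg min max warn inact expire rest; do
        status=ok
        case $hash in
            ''|'!'*|'*'*) pw=locked ;;          # locked or no hash: aging is moot
            *)
                if [ -z "$lastchg" ]; then     # empty field: aging disabled
                    pw=never
                elif [ "$lastchg" -eq 0 ]; then  # chage -d 0: change at next login
                    pw=now; status=must-change
                else
                    pw=$(password_expiry_day "$lastchg" "$max")
                    if [ "$pw" != never ]; then
                        if [ "$pw" -lt "$now" ]; then status=expired; fi
                        pw=$(days_to_date "$pw")
                    fi
                fi ;;
        esac
        if [ -z "$expire" ] || [ "$expire" -lt 0 ]; then
            acct=never
        else
            if [ "$expire" -lt "$now" ]; then status=expired; fi
            acct=$(days_to_date "$expire")
        fi
        echo "$user $pw $acct $status"
    done < "$1"
}

# --- constructed sample (not a real /etc/shadow) ---
SHADOW=$(mktemp)
trap 'rm -f "$SHADOW"' EXIT
cat > "$SHADOW" <<'EOF'
root:$6$salt$hash:17000:0:99999:7:::
daniel:$6$salt$hash:17000:0:90:7::17200:
nicoleta:!!:17000:0:99999:7:::
svc_backup:$6$salt$hash:0:0:90:7:::
EOF

aging_report "$SHADOW"
```

Day 17000 is 2016-07-18, so daniel's 90-day maximum puts "Password expires" at 2016-10-16 and the explicit field 8 value 17200 gives "Account expires" 2017-02-03; both are in the past, so the account is reported as expired. root has aging disabled, nicoleta's hash is locked, and svc_backup has last change 0 and must change at next login.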

/etc/login.defs

  • PASS_MAX_DAYS: the maximum number of days a password can be used
  • PASS_MIN_DAYS: the minimum number of days allowed between password changes
  • PASS_MIN_LEN: the minimum acceptable password length
  • PASS_WARN_AGE: the number of days' warning given before a password expires

These values are copied into /etc/shadow only for accounts created after the change; existing accounts keep their current aging fields and need chage. PASS_MIN_LEN is ignored when password quality is enforced through PAM (pam_cracklib, or pam_pwquality on RHEL 7), which is the case on a default RHEL system.

/bin/false vs /sbin/nologin

  • Both /bin/false and /sbin/nologin exit non-zero without starting a shell, so interactive login, ssh and su to the account fail either way. Neither stops the account's cron jobs, nor root running su -s /bin/bash <username>; lock the password or expire the account as well if the account must be fully disabled.

  • /sbin/nologin politely refuses the login with a message (edit /etc/nologin.txt for a custom one); it is the recommended shell for no-login accounts. On RHEL it is listed in /etc/shells, so services that require a valid shell (FTP daemons checking /etc/shells, for example vsftpd through pam_shells) still accept the account, whereas /bin/false is not listed and is refused. The default message:

This account is currently not available.

Creating bulk users

newusers reads lines in /etc/passwd format, except that the second field is the clear-text password, which it hashes; missing groups and home directories are created, but the files from /etc/skel are not copied.

vi list_users

daniel:password:502:502:Daniel:/home/daniel:/bin/bash
nicoleta:password:503:503:Nicoleta:/home/nicoleta:/bin/bash

newusers list_users

The input file holds clear-text passwords: create it with permissions 600, delete it as soon as newusers has run, and force a change at first login with chage -d 0 for each account.

Configuring password complexity (RHEL 6)

vi /etc/pam.d/system-auth (and password-auth, which sshd and other network services use)

password    requisite     pam_cracklib.so try_first_pass minlen=8 retry=3 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
  • minlen=8: minimum password length (with all credits negative this is the plain character count)
  • lcredit=-1: at least 1 lowercase letter (a positive value would instead grant length credit for the class, not require it)
  • ucredit=-1: at least 1 uppercase letter
  • dcredit=-1: at least 1 digit
  • ocredit=-1: at least 1 special character
  • retry=3: prompt up to 3 times before failing
  • remember=5: keep the last 5 password hashes in /etc/security/opasswd and reject their reuse. This is an option of pam_unix, not of pam_cracklib, so it belongs on the pam_unix line; pam_cracklib ignores it.

Both files are rewritten by authconfig (note the auto-generated header in the sample below), so re-apply the change after running it. Root is not subject to the cracklib checks by default (only warned); use enforce_for_root where the installed pam_cracklib supports it.

More details: man pam_cracklib, man pam_unix

Configuring login failures (RHEL 6)

On RHEL 6 the pam_tally2 entries need to be present in both system-auth (console login, su, sudo) and password-auth (sshd and other network services); with only system-auth, ssh brute force is not counted.

The account line resets the counter to 0 on a successful login, provided deny=n has not already been exceeded; once it has, the account stays locked until pam_tally2 -r clears it or unlock_time elapses.

vi /etc/pam.d/system-auth and vi /etc/pam.d/password-auth

The auth line must come before pam_unix.so (and before any other sufficient module), otherwise failures are never counted; in the sample below it sits directly after pam_env.so.

auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=1800
account     required      pam_tally2.so

onerr=fail denies access when the tally file (/var/log/tallylog) cannot be read or written, which is the safe failure mode. unlock_time=1800 allows attempts again after 30 minutes; without it the lock stays until a manual reset. root is exempt unless even_deny_root is added, in which case set root_unlock_time too so you cannot lock yourself out of the console.

Sample

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=1800
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_deny.so

account     required      pam_unix.so
account     required      pam_tally2.so
  • Show the current failure count for a user: pam_tally2 -u <username> (pam_tally2 with no arguments lists every user with a non-zero count)
  • Reset the failed-login counter: pam_tally2 -r -u <username>
  • More details: less /usr/share/doc/pam-{Version}/txts/README.pam_tally2
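pam_tally2 -u shows one account at a time and nothing about where the failures came from. The script below is an added example, not from the original page: it rebuilds the per-user failure tally from /var/log/secure lines, so you can see which accounts are about to hit deny=3 and from which hosts, and whether a burst of failures is a forgotten password (one source, one user) or a brute-force attempt (many users from one source). It counts only the pam_unix "authentication failure" lines, which is what pam_tally2 sees in the auth stack; sshd's separate "Failed password" lines describe the same attempts and would double count. The log line format assumed is the one RHEL 6 pam_unix writes; the log itself is constructed for the example.

```bash
#!/bin/bash
# Added example (not from the original page): per-user / per-source failure
# tally reconstructed from /var/log/secure. Only pam_unix "authentication
# failure" lines are counted (one per attempt, as pam_tally2 counts them).
# The log file below is constructed sample data.

# Print "count service user rhost" for every failing combination, most first.
failed_logins() {   # $1 = log file
    awk '
        /pam_unix\([^:)]+:auth\): authentication failure/ {
            match($0, /pam_unix\([^:)]+:auth\)/)
            svc  = substr($0, RSTART + 9, RLENGTH - 15)   # text between "(" and ":auth)"
            user = ""; host = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^user=/)  user = substr($i, 6)
                if ($i ~ /^rhost=/) host = substr($i, 7)
            }
            if (user == "") user = "unknown"   # unknown account: no user= token logged
            if (host == "") host = "local"     # console tty or su: rhost is empty
            n[svc " " user " " host]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -rn
}

# Users whose total failures (all services, all sources) reached deny, i.e.
# the accounts pam_tally2 would be refusing now if the log covers the window
# since their last reset. Unknown account names are not tallied by pam_tally2.
users_at_deny() {   # $1 = log file, $2 = deny value
    failed_logins "$1" |
    awk -v deny="$2" '$3 != "unknown" { t[$3] += $1 }
                      END { for (u in t) if (t[u] >= deny) print u }' | sort
}

# --- constructed sample log (not real traffic) ---
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Mar  3 09:15:01 web01 sshd[2231]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=daniel
Mar  3 09:15:04 web01 sshd[2231]: Failed password for daniel from 10.0.0.5 port 51022 ssh2
Mar  3 09:15:09 web01 sshd[2231]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=daniel
Mar  3 09:15:12 web01 sshd[2231]: Failed password for daniel from 10.0.0.5 port 51022 ssh2
Mar  3 09:15:20 web01 sshd[2231]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=daniel
Mar  3 09:15:22 web01 sshd[2231]: Failed password for daniel from 10.0.0.5 port 51022 ssh2
Mar  3 09:16:40 web01 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=nicoleta
Mar  3 09:17:02 web01 sshd[2290]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.9
Mar  3 09:17:05 web01 sshd[2290]: pam_unix(sshd:auth): check pass; user unknown
Mar  3 09:17:05 web01 sshd[2290]: Failed password for invalid user admin from 10.0.0.9 port 40112 ssh2
Mar  3 09:18:30 web01 su: pam_unix(su-l:auth): authentication failure; logname=daniel uid=500 euid=0 tty=pts/0 ruser=daniel rhost=  user=root
EOF

echo "== failures by service / user / source"
failed_logins "$LOG"
echo "== accounts at deny=3"
users_at_deny "$LOG" 3
```

On the sample log daniel has three sshd failures from 10.0.0.5 and is the only account at deny=3; the login attempt for nicoleta on tty1 and daniel's failed su to root show up with source "local", and the probe for a non-existent account from 10.0.0.9 is listed as "unknown" but never counted against a real user.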

Changing UID/GID for an account

Do this while the user is logged out and has no running processes (check with who and ps -u), after making sure the new IDs are not already in use. usermod -u re-owns only the files under the user's home directory; files elsewhere (/tmp, spool and project directories, cron jobs) still carry the old numeric IDs, so the find steps search by the old numbers, which GNU find accepts as a UID/GID once no name maps to them any more. The first two find commands only list; the last two fix (-h so that symlinks themselves are changed rather than their targets).

usermod -u 506 daniel
groupmod -g 506 daniel
find / -user 505 -exec ls -l {} \;
find / -group 505 -exec ls -l {} \;
find / -user 505 -exec chown -h daniel {} \;
find / -group 505 -exec chgrp -h daniel {} \;
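The two checks that go wrong most often in this procedure are a new UID/GID that is already taken and a typo in the account name, both of which usermod only reports after it has started. The script below is an added example, not from the original page: it validates the change against copies of /etc/passwd and /etc/group (or the live files, read-only) and prints the command sequence to run as root instead of executing it. The account and IDs are the ones on the page (daniel, 505 to 506); the sample files are constructed.

```bash
#!/bin/bash
# Added example (not from the original page): pre-flight for a UID/GID change.
# Reads passwd/group files, checks for collisions and a valid account, and
# emits the usermod/groupmod/find sequence. Nothing is executed here.
# The sample passwd/group files are constructed.

# Print the name owning a numeric ID in a passwd or group file (field 3 in
# both); exit status 1 if the ID is unused.
id_in_use() {   # $1 = passwd or group file, $2 = numeric id
    awk -F: -v id="$2" '$3 == id { found = 1; print $1 } END { exit !found }' "$1"
}

# Numeric ID for a name (empty output if the name does not exist).
name_to_id() {   # $1 = name, $2 = passwd or group file
    awk -F: -v n="$1" '$1 == n { print $3 }' "$2"
}

# Validate, then print the commands for root. Returns 1 on any failed check.
plan_id_change() {   # $1 user, $2 new uid, $3 new gid, $4 passwd file, $5 group file
    local user=$1 uid=$2 gid=$3 passwd=$4 group=$5 old_uid old_gid owner
    old_uid=$(name_to_id "$user" "$passwd")
    old_gid=$(name_to_id "$user" "$group")
    if [ -z "$old_uid" ] || [ -z "$old_gid" ]; then
        echo "no such user/group: $user" >&2; return 1
    fi
    if owner=$(id_in_use "$passwd" "$uid"); then
        echo "UID $uid already used by $owner" >&2; return 1
    fi
    if owner=$(id_in_use "$group" "$gid"); then
        echo "GID $gid already used by $owner" >&2; return 1
    fi
    cat <<EOF
# $user: UID $old_uid -> $uid, GID $old_gid -> $gid. Run as root with $user logged out:
#   who | grep '^$user ' ; ps -u $user
usermod -u $uid $user
groupmod -g $gid $user
# usermod re-owned the home directory only; list what else still has the old IDs
find / -path /proc -prune -o \( -user $old_uid -o -group $old_gid \) -ls
find / -path /proc -prune -o -user $old_uid -exec chown -h $user {} +
find / -path /proc -prune -o -group $old_gid -exec chgrp -h $user {} +
EOF
}

# --- constructed sample files (not real system files) ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
PASSWD=$TMP/passwd; GROUP=$TMP/group
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
daniel:x:505:505:Daniel:/home/daniel:/bin/bash
EOF
cat > "$GROUP" <<'EOF'
root:x:0:
users:x:100:
alice:x:500:
daniel:x:505:
EOF

plan_id_change daniel 506 506 "$PASSWD" "$GROUP"
plan_id_change daniel 500 506 "$PASSWD" "$GROUP" || echo "(rejected, as expected)"
```

The /proc prune keeps find out of the process filesystem; add the same for NFS mounts you do not own, and run the listing step first so you can see what the chown/chgrp step is about to touch.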