User Accounts

Types of User Accounts

The root account
Regular user accounts
Non-regular user accounts

The root Account

Superuser account that has supervisory privileges throughout the Linux system
Used by the system administrator to administer the machine
The su (substitute user) utility

Changes any user account's permissions to the permissions assigned to another user account

[root@pattyo kickstart]# su - pattyo
[pattyo@pattyo ~]$

* The '-' means make the shell a login shell.

You will inherit the user's environment (.bashrc, .cshrc, ...).

Note the two different prompts provided by the shell.

The root account by default will use the pound sign (#) as its prompt.

Regular User Accounts

Intended for people who need to log in and use the system
Commonly associated with individuals
No more than eight characters for user name

Non-Regular User Accounts

Employed only by Linux programs
Programs can better control file permissions and therefore ensure the security of the system
Cannot be used to log in
Don't have a shell

This command will print accounts that do not have a login shell

any number of characters followed by the string 'sh'

$ grep -v '/bin/[a-z]*sh' /etc/passwd

bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:100:101:X Font Server:/etc/X11/fs:/bin/false

There are other ways to do this. How about:

$ grep -v 'sh$' /etc/passwd

Non-Regular User Accounts

bin:x:1:1:bin:/bin:	Can be used by any program
daemon:x:2:2:daemon:/sbin:	Used by daemons
adm:x:3:4:adm:/var/adm:	Used for administrative purposes
lp:x:4:7:lp:/var/spool/lpd:	Used by the printer control daemon
sync:x:5:0:sync:/sbin:/bin/sync	Used to synchronize disk updates
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown	Used during system shutdown
halt:x:7:0:halt:/sbin:/sbin/halt	Used when the system is being halted
mail:x:8:12:mail:/var/spool/mail:	Used by the email server
news:x:9:13:news:/var/spool/news:	Used by the newsgroup server
uucp:x:10:14:uucp:/var/spool/uucp:	Used by programs related to the UUCP protocol
operator:x:11:0:operator:/root:	Can be used for system administration work, ie, backups
games:x:12:100:games:/usr/games:	Used by game programs to control system access
ftp:x:14:50:FTP User:/home/ftp:	Used for anonymous FTP access
nobody:x:99:99:Nobody:/:	Used as a restricted access account, ie, http account

Unix Groups

Group

A collection of user accounts that can be granted access to the system collectively

User Private Group

Security system used by many Linux systems
Creates a new group containing one user when that user is first created
This is the default for our systems

User and Group Files

User account information

Stored in the /etc/passwd file
encrypted password hash stored in /etc/shadow

Groups

Defined in the /etc/group file

Fields in the /etc/passwd File

User account name

Password (encrypted, or x if shadow file used)

User ID number (UID)

Group ID number (GID)

User's real name

Home directory

Default shell

root:x:0:0:root:/root:/bin/bash
testuser:x:2045:100:Test User:/home/testuser:/bin/bash

Fields in the /etc/group File

Name of the group

Group password (rarely used)

Group ID (GID)

Members of the group

$ cat /etc/group

root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
...
users:x:100:

Shadow Password System

Security system used to restrict access to encrypted password text
The /etc/shadow file that can only be read by the root user

Permissions on the two files:

$ ls -l /etc/passwd
-rw-r--r-- 1 root root 893 Mar 12 15:54 /etc/passwd
$ ls -l /etc/shadow
-r-------- 1 root root 781 Mar 12 15:54 /etc/shadow

Excerpt from /etc/shadow file using DES encryption:

   testuser:N1n9MgqO7TvHk:11179:0:99999:7:::

56-bit key produces 13-character string
password can only be eight characters
first two characters in encrypted password is the salt
Developed in part by US government, not exportable

Excerpt from /etc/shadow file using md5 encryption:

testuser:$1$adm/jjY7$F/QCYbF0.gOTMhKIY4xnT.:11901:0:99999:7:::

hash algorithm
infinite length password
much larger key, 128-bit, which produces 34 character hash
not developed by US government so its exportable

One-way encryption ("secure Hashing"): How does it work?

Hash function takes an input string of variable length and converts it into an output of fixed length
Not possible to reverse the process, except by trying every possible input.

$ echo "some string of characters" | md5sum
$ echo "short" | md5sum

Unix password database contains hashes

When user types their password, the hash function is applied and compared to the stored hashed password

In theory, the password can't be recovered from the hash

In practice, users pick bad passwords which are easily guessed

PAM (Pluggable Authentication Modules)

Highly configurable authentication scheme:

allows you to configure your environment for the level of security you feel you need.

Loadable modules that handle the authentication tasks for all applications and services on the system.

login, samba, pop, sshd ...

Better than having each each service or application implement its own security policy

/lib/security

PAM modules are dynamically loadable libraries
Provides centralized security
Configuration takes place at load time

/etc/pam.d

PAM configuration files for each service PAM supports (PAM clients)
Allows each service to use its own authentication scheme

# cat /etc/pam.d/passwd

#%PAM-1.0
auth      required  /lib/security/pam_pwdb.so shadow nullok
account   required  /lib/security/pam_pwdb.so
password  required  /lib/security/pam_cracklib.so retry=3
password  required  /lib/security/pam_pwdb.so use_authtok nullok md5 shadow

module-type

control-flag

module-path

arguments

Each module has a requirement of the user and may require user input.
They are performed in the order they appear in the config file.
The two entries for the password module-type are referred to as stacked entries.
PAM can be used to control password choices and password aging.
pam_pwdb functions differently depending on the type specified.

The configuration files contain 4 fields:

module-type

control-flag

module-path

arguments

Field 1:

module-type (Management Task)	Description
auth	Prompts user for identification such as a password. options: nullok, nodelay
account	checks account info, ensures user account and password are active
session	Sets up logging for application
password	Allows users to update password. options: nullok, md5, shadow, remember=n

Field 2:

Control Flag Description

required Success of the module is required, failure is not reported until all modules have executed. So user doesn't know where they failed in the process.

requisite Success of the module is required, failure causes PAM to return immediate failure to the calling application. Faster but hosile users know where they failed in the auth stack

optional Success or failure have no affect on the calling application

sufficient If this module succeeds all the remaining modules are ignored, returns immediately to calling program. You might allow less stringent checks on your laptop then on your workstation...

When pam_pwdb is used with auth, it prompts the user for a password
When pam_pwdb is used with module type account, it checks the user's account information

checks to see if the user has an account
what password aging parameter are in place (it may not be permitted to change it now)
whether the user needs to be warned about pending password expiration
whether the user needs advice on choosing a new password

The pam_cracklib module only works with the password module type.

It will check a password for strength and length.

These are configurable with arguments

The pam_pwdb module with module type password

updates the users password in the database (whichever database the system is using)

* In the above example, all four entries use the control flag required. This means all four modules must return successfully for the password change to work.

Arguments:

nullok: not recommended, allows a null password
shadow: use shadow password database
md5: choose md5 password hashing algorithm (instead of conventional UNIX password hashing)
retry: the number of retries the module will allow when changing a password
use_authtok: the module sets the new password to the one received from the previous module in the stack

Locking users out via PAM

# less /etc/pam.d/login
auth     required   /lib/security/pam_securetty.so
auth     required   /lib/security/pam_stack.so service=system-auth
auth     required   /lib/security/pam_nologin.so
account required   /lib/security/pam_stack.so service=system-auth
password required   /lib/security/pam_stack.so service=system-auth
session required   /lib/security/pam_stack.so service=system-auth
session optional   /lib/security/pam_console.so

pam_nologin.so will prevent users from logging into the system if the file /etc/nologin exists.

The contents of /etc/nologin is displayed during login attempt

1. Create the file /etc/nologin
# echo "Sorry, no joy today" > /etc/nologin
2. Type <Cntr><Alt><F2> to access a virtual console
3. Try logging in as userxx on your workstations
4. What happened?
5. Delete the /etc/nologin file and try logging in again

Running Crack to check user password on your system

Freely available program for guessing UNIX passwords
Download

http://www.users.dircon.co.uk/~crypto/index.html

Install and setup for MD5

$ tar xzf crack5.0.tar.gz

$ cd c50a

$ mv src/libdes src/libdes.orig

$ cd src/util

$ cp -f elcid.c,bsd elcid.c

$ cd ../..

Modify Crack ascii file
comment out first CC and CFLAGS lines

# CC=cc

# CFLAGS=

#LIBS=

uncomment second CC, CFLAGS, and LIBS lines

CC=gcc

CFLAGS="-g -02 -Wall $C5FLAGS"

LIBS=-lcrypt...

Compile

$ ./Crack -makeonly

Create dictionaries

$ ./Crack -makedict

Setup crack for shadow passwords by generating a local copy of the passwd file from the shadow file

$ sudo scripts/shadmrg.sv > passwd.txt

Run crack on the passwd.txt file you just generated -- this can take a looooonnng time

$ sudo ./Crack passwd.txt

Watch the output

$ tail -f run/DstationXX.PID

Creating New User Accounts

Edit the necessary files

/etc/passwd, /etc/shadow, /etc/group if required

use mkdir command to create a home directory
fix the permissions on the users home directory
copy environment files such as .cshrc, .login, .bashrc, .bash_profile...

use the Graphical User Account Configuration Tools

Many operating systems have a graphical tool for adding new users
KDE's program is kuser

Use the useradd command

Most secure method
Allows you to automate user creation
Update user accounts

Excerpt from man page (man useradd):

SYNOPSIS
       useradd [-c comment] [-d home_dir]
               [-e expire_date] [-f inactive_time]
               [-g initial_group] [-G group[,...]]
               [-m [-k skeleton_dir] | -M] [-p passwd]
               [-s shell] [-u uid [ -o]] [-n] [-r] login

       useradd -D [-g default_group] [-b default_home]
               [-f default_inactive] [-e default_expire_date]
               [-s default_shell]

Information Returned by -D Option (returns default settings)

Group

Home

Inactive

Expire

Shell

Skel

[root@pattyo /]# useradd -D

GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel

If you like the defaults you may not need to remember all the arguments to the useradd command
The useradd defaults are stored in the file /etc/default/useradd.

[root@pattyo /etc]# useradd -g users test2

[root@pattyo /etc]# tail /etc/passwd
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:100:101:X Font Server:/etc/X11/fs:/bin/false
gdm:x:42:42::/home/gdm:/bin/bash
qcroot:x:0:0:qcroot:/home/qcroot:/bin/bash
pattyo:x:21818:111:Pattyo Test Account:/home/pattyo:/bin/tcsh
test:x:41415:100:test me:/home/test:/bin/bash
junk:x:41416:100:junk mail:/home/junk:/bin/tcsh
test3:x:41428:41428:Patty O'Reilly:/home/test3:/bin/tcsh
test2:x:41607:100::/home/test2:/bin/bash
^^^^^

Useradd Command Options

`# useradd -c "Test Acct" -m -k /etc/skel -d /home/test \ -u 5001 -g 100 -s /bin/bash test -c Comment field -d Specifies the home directory -g Specifies the primary group -m Creates the users home directory if it doesn't exist -k Copies the files in /etc/skel to the user's home directory -u Specifies a user id -s Specifies the shell`

Changing User Passwords

Use passwd command (as root) to change or initially set up a password on a user account

Standard procedure

System administrator assigns initial password to a new account and tells it to the new user
New user immediately selects a new password that is unknown to the root user or any other users
Change passwords monthly, or pick a terrific password and change less frequently

# passwd pattyo

Changing password for user pattyo
New UNIX password: 
BAD PASSWORD: it does not contain enough DIFFERENT characters
Retype new UNIX password:

Characteristics of Good Passwords

At least 8 characters long; more characters is more secure.

Include digits or punctuation marks

Mix upper- and lowercase letters in nonstandard ways

Easy for account user to remember, but hard for anyone else to guess

Not created from simple manipulation of a word found in a dictionary, or the name of a person or place

Creating New Groups

Use the groupadd command
Use GUI (RedHat User Manager)
Or edit /etc/group file by hand

From the man page:

SYNOPSIS
groupadd [-g gid [-o]] [-r] [-f] group

Or edit the group file directly:

# vi /etc/group

Modifying User Accounts

Use usermod command or groupmod command
Use GUI
Or edit /etc/passwd, /etc/shadow, or /etc/group by hand

Excerpt from man page:

SYNOPSIS
       usermod [-c comment] [-d home_dir [ -m]]
               [-e expire_date] [-f inactive_time]
               [-g initial_group] [-G group[,...]]
               [-l login_name] [-p passwd]
               [-s shell] [-u uid [ -o]] [-L|-U] login

Example 1: change the default shell for the user, test, from bash to tcsh

# grep test /etc/passwd
test:x:5001:100:Test Acct:/home/test:/bin/bash
^^^^

# usermod -s /bin/tcsh test

# grep test /etc/passwd
test:x:5001:100:Test Acct:/home/test:/bin/tcsh
^^^^
It is easy to change one's own default shell with the chsh command.

        $ chsh 
        Changing shell for pattyo.
        New shell [/bin/tcsh]: /bin/bash
        Shell changed.

Example 2: Change the primary group from test to users

# usermod -g 100 test

# grep test /etc/passwd

Automating Home Directory Creation

When creating a new user account, include basic configuration files in new user's home directory by using the '-k /etc/skel' option and argument.

Use the /etc/skel directory to automatically copy files to each new user account as you create the account

# ls -la /etc/skel

^^^

Remember you need the '-a' option to ls to see the files beginning with a dot.

total 40
drwxr-xr-x    4 root root    4096 Sep 29 16:18 .
drwxr-xr-x   37 root root    4096 Oct 3 09:44 ..
-rw-r--r--    1 root root      24 Jul 13 1994 .bash_logout
-rw-r--r--    1 root root     230 Aug 22 1998 .bash_profile
-rw-r--r--    1 root root     124 Aug 23 1995 .bashrc
-rwxr-xr-x    1 root root     333 Feb 21 2000 .emacs
drwxr-xr-x    3 root root    4096 Dec 20 1998 .kde
-rw-r--r--    1 root root     435 Sep 23 1999 .kderc
-rw-r--r--    1 root root    3394 Mar 7 2000 .screenrc

`drwxr-xr-x 5 root root 4096 Sep 29 16:15 Desktop`

Creating Aliases to Make Life Easier for your Users

Alias

Command used to create a text substitution in a command-line shell, effectively giving any Linux command a new name

Purposes of an alias

To shorten commonly used commands
To fix typing errors
To make operations safer by including options to confirm file deletions

To find out what aliases are defined for you:

$ alias

alias cp='cp -i'
alias ls='ls --color=tty'
alias mv='mv -i'
alias new='ls -lt|head'
alias rm='rm -i'

To setup a new alias from the command line for bash shell:

$ alias big='ls -l | sort -nr +4 | head -20'

*There are no space around the '='.

To setup a new alias from the command line for tcsh shell:

$ alias big 'ls -l | sort -nr +4 | head -20'

Example:

[root@pattyo /var]# cd /var/log

[root@pattyo log]# big
-rw-r--r--    1 root root 5981912 Oct 2 17:16 lastlog
-rw-------    1 root root 2756092 Sep 24 03:58 secure.2
-rwx------    1 root root 2026574 Sep 24 03:58 syslog.2
-rw-------    1 root root 1825869 Sep 29 17:09 secure.1
-rw-------    1 root root 1468097 Sep 12 03:57 secure.4
-rwx------    1 root root 1355669 Oct 1 03:58 syslog.1
-rw-------    1 root root 818708 Sep 17 03:59 secure.3
-rw-------    1 root root 696420 Oct 1 04:02 messages.1
-rw-rw-r--    1 root utmp 664704 Sep 29 17:04 wtmp.1
-rwx------    1 root root 398008 Sep 17 04:01 syslog.3

*You can add your aliases to the .bashrc file in your home directory.

Control Flag	Description
required	Success of the module is required, failure is not reported until all modules have executed. So user doesn't know where they failed in the process.
requisite	Success of the module is required, failure causes PAM to return immediate failure to the calling application. Faster but hosile users know where they failed in the auth stack
optional	Success or failure have no affect on the calling application
sufficient	If this module succeeds all the remaining modules are ignored, returns immediately to calling program. You might allow less stringent checks on your laptop then on your workstation...