User Management in Linux

Linux is a multi-user operating system, which means that multiple users can access the system and its resources simultaneously. User management is the process of creating, modifying, and deleting user accounts, as well as assigning them permissions and roles. In this post, we will cover some of the basic concepts and commands related to user management in Linux.

/etc/passwd and /etc/shadow files

The /etc/passwd and /etc/shadow files are two of the most important files for user management in Linux. /etc/passwd stores the account information (names, UIDs, home directories, shells) and is world-readable, because many programs need to map UIDs to names. /etc/shadow stores the password hashes and password-ageing data and is readable only by root, so that no ordinary local user can copy the hashes and crack them offline.

/etc/passwd file

The /etc/passwd file contains one line for each user account, with the following format:

username:x:uid:gid:comment:home:shell

The fields are separated by colons, and they represent:

  • username: The name of the user, which is used for logging in and identifying the user.
  • x: A placeholder. The password hash itself is stored in the /etc/shadow file; on very old systems this field held the hash directly, which is why it still exists.
  • uid: The user ID, which is a unique number assigned to each user. It is used by the system to identify the user and grant them access to resources.
  • gid: The group ID, which is a number that represents the primary group of the user. A group is a collection of users that share some common attributes and permissions.
  • comment: A field that can store any additional information about the user, such as their full name, phone number, etc.
  • home: The home directory of the user, which is the default location where the user can store their files and settings.
  • shell: The default shell of the user, which is the program that interprets the commands entered by the user.

For example, a line in the /etc/passwd file may look like this:

alice:x:1001:1001:Alice Smith:/home/alice:/bin/bash

This means that the user alice has a password stored in the /etc/shadow file, a user ID of 1001, a group ID of 1001, a comment of “Alice Smith”, a home directory of /home/alice, and a default shell of /bin/bash.

/etc/shadow file

The /etc/shadow file contains the hashed passwords of the users (often loosely called "encrypted", although a hash cannot be reversed), along with the password-ageing information used to enforce expiry. It has the following format:

username:password:last_change:min_change:max_change:warn:inactive:expire:reserved

The fields are separated by colons, and they represent:

  • username: The name of the user, which matches the one in the /etc/passwd file.
  • password: The hashed password, in the crypt(3) form $id$salt$hash (for example $6$ for SHA-512, $y$ for yescrypt). An empty field means the user has no password and can log in without one, which is almost never intended. A field beginning with ! or * is not a valid hash, so password login is impossible: ! (!! on Red Hat systems) marks an account locked with passwd -l or usermod -L, and * is used for system accounts that should never log in with a password. Neither prevents other authentication methods such as SSH keys or sudo rules.
  • last_change: The number of days since January 1, 1970 that the password was last changed.
  • min_change: The minimum number of days before the password can be changed. A zero value means that the password can be changed at any time.
  • max_change: The maximum number of days after which the password must be changed. A 99999 value means that the user can keep the password unchanged for a long time.
  • warn: The number of days before the password expires that the user will receive a warning message.
  • inactive: The number of days after the password expires that the user account will be disabled.
  • expire: The number of days since January 1, 1970 that the user account will expire. A blank value means that the account will never expire.
  • reserved: A field for possible future use.

For example, a line in the /etc/shadow file may look like this:

alice:$6$zWzXZQ8m$gZkaY5Rjy8bZzRfCj1jcjH.:18648:0:90:7:::

This means that alice's password is hashed with SHA-512 crypt (the $6$ prefix; the hash is shortened here, a real one is exactly 86 characters after the salt), and that the password was last changed 18648 days after January 1, 1970. The minimum age is 0, so it can be changed at any time; it must be changed every 90 days; alice is warned 7 days before it expires; and the inactive, expire and reserved fields are empty, so the account itself never expires.
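The two formats above are easy to audit with awk once the fields are known. The script below is an added example, not part of the original post: it parses constructed /etc/passwd and /etc/shadow samples (the hash strings are placeholders in the $id$salt$hash layout, not real digests) and reports the things an administrator actually looks for: extra UID 0 accounts, empty password fields, locked accounts, the hash scheme in use, and password-ageing state computed from the last_change and max_change fields.

```bash
#!/usr/bin/env bash
# Audit helpers for the /etc/passwd and /etc/shadow formats described above.
# Both samples are constructed for this example; the hash strings are placeholders.
set -eu

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Smith:/home/alice:/bin/bash
backup:x:0:0:nightly backup:/var/backups:/bin/sh
svc:x:1002:1002:service account:/var/lib/svc:/usr/sbin/nologin
legacy:x:1003:1003:old account:/home/legacy:/bin/bash'

SAMPLE_SHADOW='root:$6$zWzXZQ8m$gZkaY5Rjy8bZzRfCj1jcjH.:18648:0:99999:7:::
alice:$y$j9T$saltsalt$hashhash:19700:0:90:7:::
backup::19000:0:99999:7:::
svc:!:19000:0:99999:7:::
legacy:$1$abcdefgh$hashhash:17000:0:99999:7:::'

# Accounts other than root whose UID is 0: each one is fully privileged.
uid0_accounts() { printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" {print $1}'; }

# Empty password field: login succeeds with no password at all.
passwordless_accounts() { printf '%s\n' "$1" | awk -F: '$2 == "" {print $1}'; }

# Field starting with "!" or "*": password login is locked (keys or sudo may still work).
locked_accounts() { printf '%s\n' "$1" | awk -F: '$2 ~ /^[!*]/ {print $1}'; }

# Name the crypt(3) scheme from the $id$ prefix of one user's hash field.
hash_algo() {  # $1 = shadow text, $2 = username
  printf '%s\n' "$1" | awk -F: -v u="$2" '
    $1 == u {
      p = $2
      if (p == "")      { print "none (empty field)"; exit }
      if (p ~ /^[!*]/)  { print "locked"; exit }
      n = split(p, a, "[$]")              # a[2] is the id between the first two "$"
      id = (n >= 2) ? a[2] : ""
      if      (id == "1")  print "MD5 (legacy, weak)"
      else if (id == "5")  print "SHA-256"
      else if (id == "6")  print "SHA-512"
      else if (id == "y")  print "yescrypt"
      else if (id == "2a" || id == "2b") print "bcrypt"
      else                 print "unknown (" p ")"
      exit
    }'
}

# Password ageing for one user, evaluated against a caller-supplied "today"
# in days since 1970-01-01 (pass $(( $(date +%s) / 86400 )) for the real date).
password_state() {  # $1 = shadow text, $2 = username, $3 = today in days
  printf '%s\n' "$1" | awk -F: -v u="$2" -v today="$3" '
    $1 == u {
      last = $3; max = $5; warn = $6
      if (max == "" || max + 0 >= 99999) { print "no-expiry"; exit }
      left = last + max - today
      if (left < 0)          print "expired " (-left) " days ago"
      else if (left <= warn) print "expiring in " left " days"
      else                   print "ok (" left " days left)"
      exit
    }'
}

# Stand-alone report on the samples, with "today" pinned to day 19785 for stable output.
echo "extra UID 0:  $(uid0_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
echo "passwordless: $(passwordless_accounts "$SAMPLE_SHADOW" | tr '\n' ' ')"
echo "locked:       $(locked_accounts "$SAMPLE_SHADOW" | tr '\n' ' ')"
for u in root alice backup svc legacy; do
  echo "$u: $(hash_algo "$SAMPLE_SHADOW" "$u"); $(password_state "$SAMPLE_SHADOW" "$u" 19785)"
done
```

To run the same checks on a live system, feed the functions the real files, for example `uid0_accounts "$(cat /etc/passwd)"` and `passwordless_accounts "$(sudo cat /etc/shadow)"`; the shadow file needs root to read.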


Delving into the Shadows: Understanding /etc/shadow for Enhanced Password Security

In the realm of Linux security, the /etc/shadow file reigns as a gatekeeper for password protection. Unveiling its secrets is crucial for system administrators seeking to fortify their systems against unauthorized access.

Unlocking the /etc/shadow File:

  • Purpose: This file stores the hashed user passwords and their ageing data, keeping them out of the world-readable /etc/passwd.
  • Location: Resides within the /etc directory, readable only by root (on Debian-derived systems also by members of the shadow group, via mode 0640 and group shadow).
  • Structure: Comprises nine colon-separated fields:
    1. Username: The user's login name.
    2. Hashed Password: A salted one-way hash of the password, not reversible encryption.
    3. Last Password Change: The date of the last password modification (in days since January 1, 1970).
    4. Minimum Password Age: The minimum number of days between password changes.
    5. Maximum Password Age: The maximum number of days a password remains valid.
    6. Password Warning Period: The number of days before password expiration when warnings commence.
    7. Inactive Period: The number of days after password expiration before the account is disabled.
    8. Account Expiration Date: The day (since January 1, 1970) after which the account is disabled regardless of password state; empty means never.
    9. Reserved for Future Use: Placeholder for potential future enhancements.

Encryption's Enigmatic Role:

  • Hashing: Passwords aren't stored in plain text. Instead, they undergo one-way hashing transformations, generating unique, fixed-length strings.
  • Common Hashing Algorithms (identified by the $id$ prefix of the hash field):
    • MD5 ($1$): legacy and fast to brute-force; should not be used for new passwords.
    • SHA-256 ($5$)
    • SHA-512 ($6$): the long-standing default on most distributions.
    • yescrypt ($y$) and bcrypt ($2b$): deliberately slow, memory-hard schemes; yescrypt is the default on current Debian, Ubuntu and Fedora releases.
  • Salting the Hash: Random data (the "salt") is generated per password and stored alongside the hash, so identical passwords produce different hashes and precomputed (rainbow-table) attacks are defeated. Salting does not slow down a targeted attack on a single hash; that is the job of the iteration count (rounds=) and of memory-hard schemes.
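The effect of the salt is easy to see with openssl(1), which can produce the same SHA-512 crypt ($6$) strings that /etc/shadow holds. The script below is an added example, not part of the original post; the password and salts are made up. It hashes one password under two salts, then verifies a candidate password the way a login program or a password-audit tool does: extract the salt from the stored hash, rehash, compare.

```bash
#!/usr/bin/env bash
# Salted SHA-512 crypt with openssl(1): one password, two salts, two hashes,
# and verification that recomputes with the salt embedded in the stored hash.
# Requires openssl 1.1.1 or newer for the -6 option.
set -eu

# Hash a password with SHA-512 crypt ($6$) and an explicit salt (up to 16 chars
# from [A-Za-z0-9./]). The password is fed on stdin so it never appears in argv
# or the process list.
make_hash() {  # $1 = password, $2 = salt
  printf '%s\n' "$1" | openssl passwd -6 -salt "$2" -stdin
}

# Hash with a fresh random salt, as passwd(1) does when a user changes a password.
make_hash_random_salt() {  # $1 = password
  printf '%s\n' "$1" | openssl passwd -6 -stdin
}

# Check a candidate password against a stored $6$ field from /etc/shadow.
# Prints "match", "no-match", or "unsupported" for non-SHA-512 schemes.
verify_password() {  # $1 = candidate password, $2 = stored hash field
  local stored=$2 rest salt
  case $stored in
    '$6$'*) ;;
    *) echo unsupported; return 0 ;;
  esac
  rest=${stored#\$6\$}        # strip the "$6$" id
  salt=${rest%%\$*}           # everything up to the next "$" is the salt
  if [ "$(make_hash "$1" "$salt")" = "$stored" ]; then echo match; else echo no-match; fi
}

# Stand-alone demo.
h1=$(make_hash 'correct horse' zWzXZQ8m)
h2=$(make_hash 'correct horse' AnotherS)
echo "salt zWzXZQ8m: $h1"
echo "salt AnotherS: $h2"
echo "random salt:   $(make_hash_random_salt 'correct horse')"
echo "verify right password: $(verify_password 'correct horse' "$h1")"
echo "verify wrong password: $(verify_password 'correct battery' "$h1")"
```

Because the salt is stored in clear inside the hash, it adds no secrecy; its value is that an attacker must attack each hash separately instead of looking every hash up in one precomputed table.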

Illustrative Example:

An entry in /etc/shadow might resemble this (the hash string below is an illustrative placeholder, not a valid SHA-512 crypt digest, which would be exactly 86 characters after the salt):

root:$6$S54aC5/5$y5i54a754C54a754a754a754a/54a754a754a754a754a754a754a754a754a754a754a754a754a754a754a754a754a754a754a754a754a754a754a754a754a:18546:0:99999:7:::

Key Takeaways:

  • The /etc/shadow file is a cornerstone of Linux password security.
  • Understanding its structure and encryption mechanisms is paramount for system administrators.
  • Employ robust hashing algorithms and salting techniques to safeguard passwords effectively.
  • Regularly review and update password policies to maintain a secure environment.

By delving into the shadows of /etc/shadow, you'll gain mastery over password protection and fortify your Linux systems against unauthorized access.


A. getent

  • The getent command is used to retrieve entries from databases supported by the Name Service Switch libraries, which are configured in /etc/nsswitch.conf. Because it goes through NSS, it shows accounts from every configured source (local files, LDAP, SSSD, NIS), not just /etc/passwd.
  • The databases include passwd, group, hosts, services, protocols, and others.
  • The syntax of the getent command is: getent [option]... database [key]...
  • The option can be used to specify the service to use for the lookup, such as files, dns, ldap, etc.
  • The database is the name of the database to query, such as passwd, group, hosts, etc.
  • The key is the value to search for in the database, such as a username, a group name, a hostname, etc.
  • If no key is provided, the command will display all the entries in the database.
  • For example, to get the information of the user linuxize from the passwd database, you can use: getent passwd linuxize
  • To get the IP address of the hostname www.google.com from the hosts database, you can use: getent hosts www.google.com
  • To get the port number and protocol name of the service ssh from the services database, you can use: getent services ssh

B. usermod

  • The usermod command is used to modify the properties of an existing user account, such as the username, the password, the home directory, the login shell, the primary and secondary groups, and others. It edits only the local files (/etc/passwd, /etc/shadow, /etc/group); accounts that come from LDAP or another NSS source must be changed in that source.
  • The syntax of the usermod command is: usermod [option]... username
  • The option can be used to specify the attribute to change, such as -c for comment, -d for home directory, -g for primary group, -G for secondary groups, -l for login name, -p for password, -s for shell, -u for user ID, and others. Avoid -p: it expects an already hashed value, not a plaintext password, and whatever you pass ends up in the process list and the shell history. Use passwd or chpasswd to set passwords instead.
  • The username is the name of the user account to modify.
  • Only root or users with sudo access can use the usermod command.
  • For example, to change the login name of the user test_user to test_account, you can use: usermod -l test_account test_user. This renames only the login name; the home directory and the primary group keep their old names (use -d with -m, and groupmod, for those), and the user must not be logged in while the change is made.
  • To change the home directory of the user www-data to /var/www and move the content of the old home directory to the new one, you can use: usermod -d /var/www -m www-data
  • To change the default shell of the user linuxize to /bin/zsh, you can use: usermod -s /bin/zsh linuxize
  • To add the user linuxize to the games group as a secondary group, you can use: usermod -a -G games linuxize. The -a (append) flag is essential: usermod -G games linuxize without it replaces the user's entire supplementary group list with games alone. Group changes take effect at the user's next login.
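The getent and usermod sections above come together in routine account maintenance. The script below is an added example, not part of the original post; the user alice and the group names are made up. It uses getent to tell local accounts from ones provided by another NSS source (which usermod cannot modify), and wraps the usermod invocations an administrator actually needs, with the flag pitfalls handled: -a with -G, locking plus expiry for disabling, and chpasswd instead of -p. With DRY_RUN=1 (the default) the privileged commands are printed rather than executed, so the logic can be checked without root.

```bash
#!/usr/bin/env bash
# Account maintenance helpers around getent(1) and usermod(8).
# DRY_RUN=1 (default) prints the privileged commands; DRY_RUN=0 as root applies them.
set -eu
: "${DRY_RUN:=1}"

# Run a privileged command, or print it (empty arguments shown as '') in dry-run mode.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    out=""
    for a in "$@"; do
      [ -n "$a" ] || a="''"
      out="$out${out:+ }$a"
    done
    printf '%s\n' "$out"
  else
    "$@"
  fi
}

# Which NSS source provides the account? "files" = present in /etc/passwd,
# "nss-only" = getent resolves it from another source (LDAP, SSSD, NIS, ...),
# "absent" = unknown everywhere. usermod can change "files" accounts and nothing else.
nss_source() {  # $1 = username
  if getent passwd "$1" >/dev/null 2>&1; then
    if grep -q "^$1:" /etc/passwd; then echo files; else echo nss-only; fi
  else
    echo absent
  fi
}

# Add supplementary groups. -a is essential: "usermod -G docker alice" without -a
# replaces alice's whole supplementary group list with just "docker".
add_to_groups() { run usermod -a -G "$2" "$1"; }  # $1 = user, $2 = comma-separated groups

# Disable rather than delete, so files owned by the UID stay attributable:
# -L prepends "!" to the hash (blocks password login only), -e with a past date
# expires the account (blocks SSH-key and other logins too, as usermod(8) advises),
# -s removes the interactive shell.
disable_account() { run usermod -L -e 1970-01-02 -s /usr/sbin/nologin "$1"; }

# Reverse it: -U strips the "!", an empty -e argument clears the expiry date.
enable_account() { run usermod -U -e '' -s /bin/bash "$1"; }

# Set a password without usermod -p: chpasswd reads "user:password" on stdin and
# hashes it with the system default scheme, so the secret never appears in argv.
set_password() {  # $1 = user, $2 = new password
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "chpasswd <- $1:<redacted>"
  else
    printf '%s:%s\n' "$1" "$2" | chpasswd
  fi
}

# Stand-alone dry run.
echo "root is provided by: $(nss_source root)"
add_to_groups alice docker,adm
disable_account alice
enable_account alice
set_password alice 'example-only'
```

Before calling any of the usermod wrappers on a real system, check `nss_source "$user"` first: for an "nss-only" account usermod will fail or, worse, create a shadowing local entry with the same name.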
