Linux Account Management

Managing user accounts and groups is an essential part of system administration within an organization. But to do this effectively, a good system administrator must first understand what user accounts and groups are and how they work.

Managing user accounts

  • The primary reason for user accounts is to verify the identity of each individual using a computer system.

  • A secondary (but still important) reason for user accounts is to permit the per-individual tailoring of resources and access privileges.

  • Resources can include files, directories, and devices.

  • Controlling access to these resources is a large part of a system administrator’s daily routine; often access to a resource is controlled through groups.

  • Groups are logical constructs that can be used to cluster user accounts together for a common purpose.

  • For example, if an organization has multiple system administrators, they can all be placed in one system administrator group. The group can then be given permission to access key system resources.

What are the advantages of user management?

  1. It provides fully integrated security in the form of user logons and authentication.

  2. It simplifies administration through group policies and permissions.

  3. It makes resources easy to identify.

  4. It provides scalability, flexibility and extensibility.

  5. It is tightly integrated with DNS services for all its operations, which gives better identification and migration.

  6. Its services provide automatic replication of information between the domain controllers.

  7. It supports integration with other directory services as well.

  8. It supports multiple authentication protocols.

Who Is the Superuser?

The superuser, the user with unrestricted access to all system resources and files, is the user named root. You will need to log in as root to add new users to your Linux box. Superuser is also the name of the app that manages which apps on a rooted device have access to su. Apps that are granted su have elevated permissions and can modify just about any part of the system.

There are three types of accounts on a UNIX system:

Root account

This is also called the superuser and has complete and unfettered control of the system. A superuser can run any command without restriction. This user is assumed to be the system administrator.

System accounts

System accounts are those needed for the operation of system-specific components, for example the mail and sshd accounts. These accounts are usually needed for some specific function on your system, and any modification to them could adversely affect the system.

User accounts

User accounts provide interactive access to the system for users and groups of users. General users are typically assigned to these accounts and usually have limited access to critical system files and directories.

UNIX supports the concept of a group account, which logically groups a number of accounts. Every account is a member of some group account. UNIX groups play an important role in handling file permissions and process management.

Passwords

A password provides a means of proving the authenticity of a person’s claim to be the user indicated by the username. The effectiveness of a password-based authentication scheme relies heavily on several aspects of the password:

  • The secrecy of the password

  • The resistance of the password to guessing

  • The resistance of the password to a brute-force attack

Weak Passwords

A weak password fails one of these three tests:

  • It is secret

  • It is resistant to being guessed

  • It is resistant to a brute-force attack

Password Aging

Password aging is a feature (available in many operating systems) that sets limits on the time for which a given password is considered valid. At the end of a password’s lifetime, the user is prompted to enter a new password, which can then be used until it, too, expires.

The key question regarding password aging that many system administrators face is that of the password lifetime. What should it be?

There are two diametrically-opposed issues at work with respect to password lifetime:

  • User convenience

  • Security

At one extreme, a password lifetime of 99 years would present very little (if any) user inconvenience. However, it would also provide very little (if any) security enhancement.

Files controlling user accounts and groups

There are three main user administration files:

/etc/passwd

  • This file holds the information on every user in the system: user name, user ID, group ID, etc.

  • Every line in the file is an entry for one user; the following figure gives a breakdown of what each field in a line means.

  • If the password field does not contain an “x”, the user does not have a password set; the presence of an x indicates that there is a password and that it is stored in encrypted form in the /etc/shadow file.

  • The user information field can hold extra information about the user, such as contact address and phone number, which can be read with commands like finger.

  • Only users who have a shell in their last field can log in.

/etc/group

This file holds information on the various groups in the system; each line gives the information about one group.

Understanding the fields in the /etc/group file

  • Group name: the name of the group. If you run the ls -l command, you will see this name printed in the group field.

  • Password: generally a group password is not used, so this field is empty/blank. It can store an encrypted password, which is useful for implementing privileged groups.

  • Group ID (GID): each user must be assigned a group ID. You can see this number in your /etc/passwd file.

  • Group list: the list of user names of the users who are members of the group. The user names must be separated by commas.
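To make the /etc/passwd and /etc/group layouts above concrete, here is an added example (not code from the original page) that parses a few constructed entries and answers the questions the text raises: which accounts can actually log in (a real shell in the last field), which accounts carry UID 0, and how a user's primary GID from /etc/passwd combines with the member lists in /etc/group. The sample lines, the second UID-0 account and the set of no-login shells are all assumptions made for the example.

```python
"""Parse constructed /etc/passwd and /etc/group entries: who can log in,
who holds UID 0, and which groups each user belongs to."""
# Constructed /etc/passwd lines (name:password:UID:GID:GECOS:home:shell).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example,Room 12,555-0100:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/bin/zsh
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0::/root:/bin/sh
"""
# Constructed /etc/group lines (group_name:password:GID:member_list).
GROUP = """\
root:x:0:
sudo:x:27:alice
admins:x:1002:alice,bob
alice:x:1000:
bob:x:1001:
"""
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", ""}


def parse_passwd(text):
    """Return {username: fields}; 'x' in the password field means the hash is in /etc/shadow."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
            users[name] = {"shadowed": pw == "x", "uid": int(uid), "gid": int(gid),
                           "gecos": gecos, "home": home, "shell": shell}
    return users


def parse_group(text):
    """Return {group_name: (gid, set of member names)}."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def interactive_users(users):
    """Only accounts whose last field is a real shell can log in interactively."""
    return sorted(n for n, u in users.items() if u["shell"] not in NOLOGIN_SHELLS)


def uid_zero_accounts(users):
    """Any UID-0 account is a superuser regardless of its name; only root is expected."""
    return sorted(n for n, u in users.items() if u["uid"] == 0)


def groups_of(username, users, groups):
    """Primary group (passwd GID) plus every /etc/group line that lists the user."""
    gid = users[username]["gid"]
    return sorted(g for g, (g_id, members) in groups.items() if g_id == gid or username in members)
```

Running uid_zero_accounts over the constructed data flags toor alongside root, which is the kind of entry an administrator reviewing /etc/passwd wants to notice.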

/etc/shadow

This file stores the passwords of all users in encrypted form, along with other information related to the password. The /etc/shadow file has the following fields:

  1. User name: your login name

  2. Password: the encrypted password. The password should be a minimum of 6-8 characters long, including special characters/digits

  3. Last password change (lastchanged): days since Jan 1, 1970 on which the password was last changed

  4. Minimum: the minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his/her password

  5. Maximum: the maximum number of days the password is valid (after that the user is forced to change his/her password)

  6. Warning: the number of days before the password expires on which the user is warned that his/her password must be changed

  7. Inactive: the number of days after the password expires after which the account is disabled

  8. Expire: days since Jan 1, 1970 on which the account is disabled, i.e. an absolute date specifying when the login may no longer be used
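The aging fields above interact in a specific order, and the password-aging discussion earlier in the page asks what a lifetime should be; this added example (not from the original page) parses constructed /etc/shadow lines and classifies each account the way a login check would, using the Minimum, Maximum, Warning, Inactive and Expire fields. The sample entries, the hash placeholders and the fixed "current day" are assumptions made for the example.

```python
"""Classify constructed /etc/shadow entries by their aging fields the way a
login check would (day counts are days since 1970-01-01, as in the real file)."""
# Constructed lines: name:password:lastchanged:min:max:warn:inactive:expire:reserved
SHADOW = """\
alice:$6$salt$HASHPLACEHOLDER:19700:0:90:7::19900:
bob:$6$salt$HASHPLACEHOLDER:19600:0:90:7:14::
carol:$6$salt$HASHPLACEHOLDER:19655:0:90:7:14::
dave:!:19000:0:99999:7:::
eve:$6$salt$HASHPLACEHOLDER:19000:0:90:7::19500:
frank:$6$salt$HASHPLACEHOLDER:19665:1:90:7:14::
"""
TODAY = 19750  # constructed "current day" used by the checks below


def parse_shadow(text):
    """Return {username: fields}; empty numeric fields become None."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            f = line.split(":")
            last, mn, mx, warn, inactive, expire = [int(x) if x else None for x in f[2:8]]
            entries[f[0]] = {"password": f[1], "last": last, "min": mn, "max": mx,
                             "warn": warn, "inactive": inactive, "expire": expire}
    return entries


def can_change_password(e, today=TODAY):
    """The Minimum field blocks a change until min days have passed since the last one."""
    return e["last"] is None or e["min"] is None or today >= e["last"] + e["min"]


def password_status(e, today=TODAY):
    """One of: locked, account-expired, inactive-disabled, password-expired, warning, ok."""
    if e["password"].startswith(("!", "*")):
        return "locked"                 # no hash can match; account is disabled
    if e["expire"] is not None and today >= e["expire"]:
        return "account-expired"        # absolute cutoff, independent of the password
    if e["max"] is None or e["last"] is None:
        return "ok"                     # no aging configured
    expiry_day = e["last"] + e["max"]
    if today >= expiry_day:
        if e["inactive"] is not None and today >= expiry_day + e["inactive"]:
            return "inactive-disabled"  # grace period used up, login refused
        return "password-expired"       # login allowed only to set a new password
    if e["warn"] is not None and today >= expiry_day - e["warn"]:
        return "warning"                # inside the warning window, login still allowed
    return "ok"


def report(text=SHADOW, today=TODAY):
    """Map every user in the file to its aging status."""
    return {n: password_status(e, today) for n, e in parse_shadow(text).items()}
```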

/etc/gshadow

This file contains secure group account information.

/etc/gshadow contains the shadowed information for group accounts. It contains lines with the following colon-separated fields:

  1. Group name

  2. Encrypted password

  3. Comma-separated list of group administrators

  4. Comma-separated list of group members

Create a Group

You need to create groups before creating any account; otherwise you have to use the groups already existing on your system. All groups are listed in the /etc/group file. The default groups are specific to system accounts, and it is not recommended to use them for ordinary accounts.
