# Account & Group Mgmt

- `useradd -D` to show defaults
  - to change defaults, e.g. `sudo useradd -D -s /bin/bash` to change the default shell
- `useradd -r user_name` creates a system user, which typically entails no expiration, no home directory, and a UID below 1000
- `useradd -m user_name` adds user_name and creates a home directory
  - does not create a password for the new user
  - see `/etc/default/useradd` for the associated defaults
- `sudo passwd user_name` to create a password
- `passwd -aS` displays all users with status info
  ![[images/Pasted image 20250805195843.png]]
- `id user_name` to show the user's groups
  ![[images/Pasted image 20250807181401.png]]
- `sudo userdel -rf user_name` to delete user_name, its home directory, and its mail spool
- `sudo groupadd group_name` to create a group
- `sudo groupdel group_name` to delete a group
- `sudo usermod -aG group_name user_name` appends a supplemental group for the user
- `sudo usermod -p hashed_password user_name` sets the user's password from an already-hashed value (prefer `passwd`, which does the hashing and keeps the value out of shell history)
- `sudo usermod -c "comment" user_name` to change the comment field for the user
  - `-R` indicates a `chroot` directory in which to apply the change
  - `-d` to change the home directory, with `-m` to move the contents of the old home directory to the new location
- `sudo passwd user_name` to change the password for a user
- `sudo groupmod` to edit groups
- `w` shows users logged in and what they are doing
- `who` shows users logged in and how they are logged in

# Password & Other Account Mgmt Config Files

- `/etc/passwd` stores user info
  - `user_name` : `x` : `user_id (UID)` : `group_id (GID)` : `comment such as full name` : `home_dir` : `login_shell`
    ![[images/Pasted image 20250805193457.png]]
  - `x` is a placeholder indicating that the password hash is stored in `/etc/shadow`
  - `*` instead of `x` indicates the account is disabled for login
  - can be edited directly instead of using `usermod`, but this is not recommended
  - `stat /etc/passwd` to see details about the file such as last modification/access
    ![[images/Pasted image 20250801183207.png]]
  - `sudo vipw` is used to safely edit `/etc/passwd` with locking and syntax checking
- `/etc/shadow` stores user
  login password hashes
  - `user_name` : `salted and hashed password` : `last password change` : `min password age` : `max password age` : `warning period` : `inactivity period` : `expiry date` : `unused`
    ![[images/Pasted image 20250805193642.png]]
  - `sudo vipw -s` is used to safely edit `/etc/shadow` with syntax checking
- `/etc/group` and `/etc/gshadow` store group info
  - `/etc/group` is a multi-field db delimited by colons
  - `group_name` : `password` : `group_id (GID)` : `user_names_in_group`
    ![[images/Pasted image 20250805194038.png]]
  - can be edited directly instead of using `groupmod` or `groupadd`, but this is not recommended
  - groups can have passwords associated with them, which is not commonly used
  - password = `x` if the group password hash is located in `/etc/gshadow`
  - `sudo vigr` to safely edit `/etc/group`
  - `sudo vigr -s` to safely edit `/etc/gshadow`
- `/etc/skel` is used when new users are added
  - provides a baseline skeleton for all new users, such as home directory folders, starter files, shortcuts, etc.
    ![[images/Pasted image 20250805194209.png]]

# Shell Distinctions & Parameters

- shell types
  - login or non-login
  - interactive or non-interactive
  - scripts sometimes run in a separate non-interactive shell
  - a login shell is the one started when a user authenticates with user_name + password (it reads the profile files), whereas an interactive shell accepts commands from a user who is already logged in
- `/etc/profile` - system-wide profile that is loaded into the login shell
  - the `--norc` option causes bash to execute without reading the `/etc/bash.bashrc` (Debian) or `/etc/bashrc` (Red Hat) file or the local `~/.bashrc` file
    ![[images/Pasted image 20250805194140.png]]
- `~/.bash_profile` - user-specific profile loaded into the login shell
  - user-based configuration files are searched in the order `~/.bash_profile`, `~/.bash_login`, and `~/.profile`
  - only the first file found is executed; the others are ignored
  - includes `$PATH` and other ENV variables
  - exit and re-login to load changed ENV variables for use in the interactive shell
    ![[images/Pasted image 20250805194336.png]]
- `~/.bashrc` - user-specific info loaded into the interactive shell
  - the interactive shell inherits login shell info from `/etc/profile` and `.bash_profile`
  - includes aliases and other goodies
  ![[images/Pasted image 20250801182955.png]]

# Password Mgmt

- `passwd` changes or sets the password for yourself, or for other users when root
- `sudo vi /etc/login.defs` to edit system-wide password related parameters
- `chage` shows and changes password aging parameters for specific users
  - `chage -l user_name` to show password age parameters
    ![[images/Pasted image 20250802210001.png]]
  - `-E` for the expire date, `-m` for min days, `-M` for max days, `-I` for inactive days, `-W` for warn days
    ![[images/Pasted image 20250630190501.png]]
- PAM password related tools
  - add modules to `/etc/pam.d/password-auth`
  - `pam_unix.so` performs identification using account and password data stored in `/etc/passwd` and `/etc/shadow`
  - `pam_pwhistory.so` checks a new password against a historical database of salted and hashed passwords
  - `pam_pwquality.so` enforces password quality parameters/directives
    - edit parameters/directives in `/etc/security/pwquality.conf`
    - `minlen = N` enforces the min number of chars for a new password; the credit directives affect N
    - `dcredit = N` positive number adds up to N credits (one per included digit) to `minlen`; negative number requires N included digits
    - `ucredit = N` positive number adds up to N credits to `minlen` for included upper case chars; negative number requires N included upper case chars
    - `lcredit = N` positive number adds up to N credits to `minlen` for included lower case chars; negative number requires N included lower case chars
    - `ocredit = N` positive number adds up to N credits to `minlen` for included other chars; negative number requires N included other chars
    - `difok = N` enforces the number of chars that must
      be different in the new password
- tools related to failed login attempts
  - see `/etc/pam.d` for PAM modules
  - `pam_tally2` - old PAM module that locks an account after X failed attempts
  - `faillock`
    - edit `/etc/pam.d/common-account` and `/etc/pam.d/common-auth` to enable faillock
    - insert `account required pam_faillock.so` into `/etc/pam.d/common-account`
    - insert two lines into `/etc/pam.d/common-auth`
    - `faillock --user user_name` to show failed login attempts for the user
    - `sudo faillock --user user_name --reset` to reset the login attempt counter for the user
    - `sudo faillock --reset` resets the login attempt counter for all users
  - `fail2ban` - newer tool that also works for services in addition to system login
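As an added example (not part of these notes), a small Python audit that parses constructed `/etc/passwd` and `/etc/shadow` records using the field layouts listed above and flags settings that would warrant a `chage` or `usermod` follow-up; the sample records, the placeholder hashes and the 90-day max-age policy are assumptions.

```python
# Constructed sample records (not from any real system); hashes are placeholders.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc:x:999:999:service account:/var/lib/svc:/bin/bash
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/bin/bash
carol:x:1002:1002:Carol Example:/home/carol:/bin/bash
"""
SHADOW = """root:$6$saltsalt$HASHPLACEHOLDER:19900:0:99999:7:::
daemon:*:19900:0:99999:7:::
svc:$6$saltsalt$HASHPLACEHOLDER:19900:0:99999:7:::
alice:$6$saltsalt$HASHPLACEHOLDER:19900:1:90:7:14::
bob::19900:0:99999:7:::
carol:!$6$saltsalt$HASHPLACEHOLDER:19900:0:99999:7:::
"""
# Field order as listed in the notes above.
PASSWD_FIELDS = ("name", "password", "uid", "gid", "comment", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "last_change", "min_age", "max_age",
                 "warn", "inactive", "expire", "unused")
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
MAX_AGE_POLICY = 90  # assumed site policy, i.e. what `chage -M 90` would set


def parse_colon_db(text: str, fields: tuple) -> dict[str, dict[str, str]]:
    """Split a colon-delimited account db into {name: {field: value}}."""
    records = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            values = line.split(":")
            records[values[0]] = dict(zip(fields, values))
    return records


def audit(passwd_text: str, shadow_text: str,
          max_age_policy: int = MAX_AGE_POLICY) -> list[tuple[str, str]]:
    """Return (user, finding) pairs for weak or unexpected account settings."""
    findings = []
    shadow = parse_colon_db(shadow_text, SHADOW_FIELDS)
    for name, u in parse_colon_db(passwd_text, PASSWD_FIELDS).items():
        s = shadow[name]
        locked = s["hash"].startswith(("!", "*"))  # `usermod -L` lock or no password login
        if s["hash"] == "":
            findings.append((name, "empty password field"))
        # System accounts (UID < 1000) normally get a nologin shell; root is the expected exception.
        if int(u["uid"]) < 1000 and name != "root" and not locked \
                and u["shell"] not in NOLOGIN_SHELLS:
            findings.append((name, "system account with interactive shell"))
        max_age = int(s["max_age"]) if s["max_age"] else 99999  # empty field = no aging
        if not locked and max_age > max_age_policy:
            findings.append((name, f"max password age {max_age} exceeds policy {max_age_policy}"))
    return findings
```

Running `audit(PASSWD, SHADOW)` on the sample data reports root's and bob's never-expiring passwords, bob's empty password field, and the unlocked system account `svc` with a bash shell, while the locked `daemon` and `carol` entries and the policy-compliant `alice` produce nothing.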