####### User Management – Shell based tools #######
useradd – adds users to /etc/passwd and /etc/shadow
-bash-3.00# ls -ltr passwd shadow
-r-------- 1 root sys 422 Aug 11 04:54 shadow
-rw-r--r-- 1 root sys 834 Aug 11 05:43 passwd
The shadow file is readable only by the root user for security purposes (it holds the password hashes).
The passwd file is flagged world readable.
Example /etc/passwd entries:
root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
gdm:x:50:50:GDM Reserved UID:/:
webservd:x:80:80:WebServer Reserved UID:/:
postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
svctag:x:95:12:Service Tag UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
Field layout: username : x : uid : gid : description : home dir : default shell
username: the login name
x: indicates that the password is located in /etc/shadow
uid: user id
gid: group id
description: comment or person's full name
home dir: user home directory
default shell
Note: root’s uid/gid values are always 0
Note: values 0 – 99 for uid/gid are reserved for system IDs
Note: Max uid/gid = 2 billion, however, try not to exceed 60,000
Shadow File /etc/shadow
root:abbaabbaabba:6445::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
smmsp:NP:6445::::::
listen:*LK*:::::::
gdm:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
Field layout: username : encrypted_password : number of days since the epoch on which the password was last changed : min hold period : max hold period : number of days prior to expiration to issue a warning : inactivity limit : expiration date in days since the Unix epoch : failed_login_count
Note: the Unix epoch is Jan. 1, 1970
##### useradd #####
useradd paco
/etc/passwd
paco:x:100:1::/home/paco:/bin/sh
/etc/shadow
paco:*LK*:::::::
grep 1 group
other::1:root
staff::10:
daemon::12:root
sysadmin::14:
nobody::60001:
mysql::100:
sasl::101:
Note: *LK* = no password has been set yet, so the account is locked
The default password hashing algorithm is weak.
Password algorithms are defined in /etc/security/policy.conf
#### Change default crypt algorithm from __unix__ to md5 #####
CRYPT_ALGORITHMS_DEPRECATE=__unix__
# The Solaris default is the traditional UNIX algorithm. This is not
# listed in crypt.conf(4) since it is internal to libc. The reserved
# name __unix__ is used to refer to it.
#
#CRYPT_DEFAULT=__unix__
CRYPT_DEFAULT=md5
Other Algorithms
# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords. This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
Note: 2a (the Blowfish algorithm) is stronger than md5
Identifier   Description
1            The MD5 algorithm that is compatible with MD5 algorithms on BSD and Linux systems.
2a           The Blowfish algorithm that is compatible with the Blowfish algorithm on BSD systems.
md5          The Sun MD5 algorithm, which is considered stronger than the BSD and Linux version of MD5.
__unix__     The traditional UNIX encryption algorithm. This algorithm is the default module in the policy.conf file.
####### usermod – change a user's attributes ##########
usermod -d /export/home/paco paco
-bash-3.00# usermod
UX: usermod: ERROR: Invalid syntax.
usage: usermod -u uid [-o] | -g group | -G group[[,group]...] |
-d dir [-m] | -s shell | -c comment |
-l new_logname | -f inactive | -e expire |
-A authorization [, authorization ...] | -K key=value ... |
-P profile [, profile ...] | -R role [, role ...] login
-bash-3.00# usermod -d /export/home/paco paco
######## Change a user's shell ##########
-bash-3.00# usermod -s /usr/bin/bash paco
-bash-3.00# echo $SHELL
-bash-3.00# set | grep -i shell
SHELL=/usr/bin/bash
####### To change a user's password, use the passwd command ########
######## Controlling the default password length policy ##########
cat /etc/default/passwd
#ident "@(#)passwd.dfl 1.7 04/04/22 SMI"
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
Next: Group Management Shell…