Managing Users
Shared by Nguyễn Việt Vương | 29/04/2019
Objectives
Define the requirements for user accounts
Explain group and group accounts
Construct configuration files (group, passwd, shadow)
Demonstrate adding users
Describe modifying user details
Explain user passwords
Demonstrate deleting users
New User Requirements
When adding a new user, you need to be familiar with the files passwd, shadow, group and gshadow under the /etc directory
/etc/passwd contains information about all users: login name, user ID, group ID, descriptive name, home directory, login shell
/etc/shadow stores parameters that control account access: the user’s password hash and password aging information
/etc/group contains information about users’ groups
/etc/gshadow stores the groups’ password hashes, … (rarely used)
Preparing Groups
Carefully constructed groups are very useful for users who all work in the same department or project
Groups not only allow a second level of access control but also let group members share files in a secured environment
Each line in the /etc/group file corresponds to a group
Commands to modify groups: groupadd, groupmod, groupdel
The /etc/passwd
Each line in this file corresponds to a user and has the following form:
name:password:UID:GID:comment:home directory:shell
# more /etc/passwd
root:x:0:0:Super User:/root:/bin/bash
henry:x:101:101:Thiery Henry:/home/henry:/bin/ksh
...
Allocating User IDs
All Linux systems come with several pre-configured administrative users, intended to perform certain administrative work. They are typically assigned UIDs less than 100: root, bin, daemon, sys, adm, lp, …
Systems with administration tools allocate UIDs automatically, in general greater than 100
Adding Users
The useradd utility is recommended for administering users. It creates the required records in /etc/passwd and /etc/shadow
A list of options can be used with useradd to override defaults:
Changing User Attributes
If you edit the files manually, you risk corrupting them, which can leave users unable to log in at all. Use the usermod utility instead
# usermod -g users -c "Henry Blake" henry
# usermod -u 321 -s /bin/ksh majorh
# usermod -f 10 henry
# usermod -e 2004-12-20 majorh
Changing Group Membership
Each user belongs to a primary group, which can be changed with usermod -g
A user can also belong to secondary groups, controlled by usermod -G
# grep blofeldt /etc/passwd
blofeldt:x:416:400::/home/blofeldt:/bin/bash
# groups blofeldt
blofeldt : mash
# groupadd -g 600 fleming
# usermod -G fleming blofeldt
# grep blofeldt /etc/group
fleming:x:600:blofeldt
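The lookup behind the session above, as an added example that is not part of the original slides: a user's primary group is recorded only in the GID field of /etc/passwd, so grepping /etc/group alone misses those members. The function names and the sample files are assumptions; the blofeldt and fleming lines follow the slide.

```shell
#!/bin/sh
# Added example: resolve group membership from passwd- and group-format files.

# group_members GROUP PASSWD_FILE GROUP_FILE
# Members listed in field 4 of the group file, plus every user whose passwd
# GID field names that group as primary (those never appear in the group file).
group_members() {
    awk -F: -v want="$1" '
        src == "group" && $1 == want {
            gid = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }
        src == "passwd" && gid != "" && $4 == gid { print $1 }
    ' src=group "$3" src=passwd "$2" | sort -u
}

# user_groups USER PASSWD_FILE GROUP_FILE
# What `groups USER` reports: the primary group and the supplementary groups.
user_groups() {
    awk -F: -v user="$1" '
        src == "passwd" && $1 == user { pgid = $4 }
        src == "group" {
            hit = (pgid != "" && $3 == pgid)
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == user) hit = 1
            if (hit) print $1
        }
    ' src=passwd "$2" src=group "$3"
}

# Constructed sample data; the users and mash group lines are made up.
write_group_samples() {
    printf '%s\n' 'henry:x:101:101:Thiery Henry:/home/henry:/bin/ksh' \
        'blofeldt:x:416:400::/home/blofeldt:/bin/bash' > "$1/passwd"
    printf '%s\n' 'users:x:101:' 'mash:x:400:henry' \
        'fleming:x:600:blofeldt' > "$1/group"
}

demo_dir=$(mktemp -d)
write_group_samples "$demo_dir"
echo "members of mash: $(group_members mash "$demo_dir/passwd" "$demo_dir/group" | tr '\n' ' ')"
echo "groups of blofeldt: $(user_groups blofeldt "$demo_dir/passwd" "$demo_dir/group" | tr '\n' ' ')"
rm -rf "$demo_dir"
```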
Removing Users
When a user leaves, there are two main concerns:
Protect the system from unauthorized access via his/her account
Protect and manage his/her files and directories left on the system
The userdel command takes care of removing a user account. userdel can remove the user’s home directory but does not remove the user’s mail, crontab table, atd queues, …
Removing Users - userdel
Command format:
userdel [option] username
-r This option removes the home directory
To safely remove a user from a system:
Lock the account password until you are ready to remove it altogether (use the chage command)
# chage -E 1999-01-01 henry
Save all files owned by the user somewhere outside the home directory
# find / -user henry -print | cpio -ov | gzip > /hold/henry
# find / -user henry -type f -exec rm -f {} \;
# find / -depth -user henry -type d -exec rmdir {} \;
To safely remove a user from a system (continued):
Change access permissions on the saved files to root only
# chown root /hold/henry ; chmod 700 /hold/henry
Consider crontab and at jobs set up by the user
Set up mail forwarding to send the user’s mail to a manager
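The archive step of the removal procedure above, as an added example that is not part of the original slides: it uses tar in place of the slide's cpio pipeline, creates the archive under umask 077 so it is never readable by other users, and checks the entry count before anything is deleted. The function name, its arguments and the demo paths are assumptions.

```shell
#!/bin/sh
# Added example: archive a departing user's files and verify before deleting.
# archive_user_files USER TREE ARCHIVE -> prints the number of files archived.
# USER may be a login name or a numeric UID (find -user accepts both).
# Assumes file names without newlines.
archive_user_files() {
    user=$1 tree=$2 archive=$3
    list=$(mktemp) || return 1
    # -xdev keeps find on one filesystem (skips /proc, network mounts, ...).
    find "$tree" -xdev -user "$user" -type f -print > "$list"
    if [ ! -s "$list" ]; then           # nothing owned by this user
        rm -f "$list"; echo 0; return 0
    fi
    # umask 077 in a subshell: the archive is owner-only from the moment it
    # is created, instead of being tightened with chmod afterwards.
    ( umask 077; rm -f "$archive"; tar -czf "$archive" -T "$list" 2>/dev/null ) || {
        rm -f "$list"; return 1
    }
    want=$(wc -l < "$list")
    got=$(tar -tzf "$archive" | wc -l)
    rm -f "$list"
    # Refuse to report success unless every listed file is in the archive.
    [ "$want" -eq "$got" ] || return 1
    echo $((got))
}

# Demo on a constructed tree owned by the current user.
demo=$(mktemp -d)
mkdir -p "$demo/home/henry/docs"
echo a > "$demo/home/henry/notes.txt"
echo b > "$demo/home/henry/docs/plan.txt"
echo "archived $(archive_user_files "$(id -u)" "$demo/home" "$demo/henry.tar.gz") files"
rm -rf "$demo"
```

Run the rm and rmdir steps only after the function has printed the expected count and returned success.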
Security
Use the passwd command to change a password:
# passwd henry
current password:
new password:
retype new password:
Choosing a password:
Do not use proper words or names
Use letters and digits
Include symbols: !, @, #, $, %, …
Do not allow the guest account to log in to your system
The /etc/shadow File
If shadow passwords are used, the encrypted (hashed) passwords are stored in this file:
name:password:lastchange:min:max:warn:inactive:expire:flag
Account Security
Actions you can take to improve security:
Use a preset expiration date for temporary employees
# usermod -e 2003-12-20 henry
Use inactivity counts to lock unused accounts
# usermod -f 5 henry
Change passwords known by someone who leaves. If they know the root password, change ALL passwords
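An audit that applies the field layouts of /etc/passwd and /etc/shadow shown earlier to the actions listed above, as an added example that is not part of the original slides. The function names, the finding messages and the sample accounts (toor, guest, the placeholder hash strings) are assumptions constructed for the demo; the value 99999 is treated as "no maximum age" because that is the common default.

```shell
#!/bin/sh
# Added example: audit passwd- and shadow-format files against the slide's advice.
# audit_accounts PASSWD_FILE SHADOW_FILE TODAY   (TODAY = days since 1970-01-01)
audit_accounts() {
    awk -F: -v today="$3" '
        # passwd format: name:password:UID:GID:comment:home directory:shell
        src == "passwd" {
            if ($3 ~ /^0+$/ && $1 != "root") print $1 ": UID 0 but not root"
            if ($2 == "") print $1 ": empty password field in passwd"
        }
        # shadow format: name:password:lastchange:min:max:warn:inactive:expire:flag
        src == "shadow" {
            usable = ($2 != "" && $2 !~ /^[!*]/)   # "!" or "*" prefix = no password login
            if ($2 == "") print $1 ": no password hash set"
            if (usable && ($5 == "" || $5 + 0 >= 99999))
                print $1 ": password never expires"
            if (usable && $7 == "")
                print $1 ": no inactivity limit"
            if ($8 != "" && $8 + 0 < today + 0)
                print $1 ": account expired, candidate for removal"
        }
    ' src=passwd "$1" src=shadow "$2"
}

# Constructed sample data (hash strings are placeholders, not real hashes).
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:Super User:/root:/bin/bash
henry:x:101:101:Thiery Henry:/home/henry:/bin/ksh
toor:x:0:0:constructed second UID 0:/root:/bin/bash
guest::500:500::/home/guest:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$salt$PLACEHOLDER:17000:0:90:7:5::
henry:$6$salt$PLACEHOLDER:17000:0:99999:7::10000:
guest::17000:0:90:7:5::
blofeldt:!$6$salt$PLACEHOLDER:17000:0:99999:7:::
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
audit_accounts "$demo/passwd" "$demo/shadow" "$(( $(date +%s) / 86400 ))"
rm -rf "$demo"
```

On a live system, point the function at /etc/passwd and /etc/shadow as root; findings for henry map directly to the usermod -e and usermod -f settings above.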
Account Security
Password aging with the chage command:
chage [options] username
Options:
Summary
Define the requirements for user accounts
Explain group and group accounts
Construct configuration files (group, passwd, shadow)
Demonstrate adding users
Describe modifying user details
Explain user passwords
Demonstrate deleting users