Account Management under CentOS

Source: Internet
Author: User

In Linux, the permissions on each file are divided into 3 classes: the owning account, the owning group, and others. Accounts and groups have a many-to-many relationship: an account can belong to multiple groups, and a group can contain multiple accounts. However, for each logged-in account, only one group can be in effect at a time (the initial group).

The configuration files related to account management are as follows: the account information file is /etc/passwd, the account password file is /etc/shadow, the group information file is /etc/group, and the group password file is /etc/gshadow.

1. How to read the /etc/passwd file

Each line in the /etc/passwd file is one account. Fields are separated by colons and have the following meanings, in order:

[1] Account name. Rename with the command usermod -l

[2] Password. This field is no longer used; the account password is configured in the /etc/shadow file

[3] UID, the unique identifier of the account. The commands that affect the value of this field include: useradd -u, usermod -u

[4] GID, the unique identifier of the initial group, associated with the 3rd field of the /etc/group file. This group is the account's default effective group (the effective group can be switched with the newgrp command). The commands that affect the value of this field include: useradd -g, usermod -g

[5] Description. The commands that affect the value of this field include: useradd -c, usermod -c

[6] Absolute path of the home directory. The commands that affect the value of this field include: useradd -d, usermod -d

[7] Shell, the shell the account uses by default; it is /sbin/nologin when the account cannot log in. The shells an account can use can be listed with the command chsh -l (the output is the content of the /etc/shells file). The commands that affect the value of this field include: useradd -s, usermod -s

2. How to read the /etc/shadow file

Each line of the /etc/shadow file holds the password information for one account. Fields are separated by colons and have the following meanings, in order:

[1] Account name, associated with the 1st field of the /etc/passwd file

[2] Password, stored as encrypted ciphertext. The encryption algorithm is specified by ENCRYPT_METHOD in the /etc/login.defs file; here it is SHA512. The commands that affect the value of this field include: usermod -L (freeze, with !! put in front), usermod -U (thaw), passwd -l (freeze), passwd -u (thaw)

[3] The date the password was created, shown as the number of days that have elapsed since 1970-01-01. The commands that affect the value of this field include: chage -d

[4] The number of days after the password is created before it can be changed again; 0 means no such limit. The commands that affect the value of this field include: passwd -n, chage -m

[5] The number of days after creation until the password expires. 99999 days is about 99999/365 years, which in practice means that the password will not expire. The commands that affect the value of this field include: passwd -x, chage -M

[6] The number of days before the password expires at which the user starts to receive a warning message. The commands that affect the value of this field include: passwd -w, chage -W

[7] The number of days of grace after the password expires. During this period the user can still log in and change the password; once it has passed, the user can no longer log in. The commands that affect the value of this field include: useradd -f, usermod -f, passwd -i, chage -I

[8] Expiration date, a number representing the number of days that have elapsed since 1970-01-01. After this day the account can no longer log in, regardless of whether the password has expired. The commands that affect the value of this field include: useradd -e, usermod -e, chage -E

[9] Reserved
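The field meanings above can be checked mechanically when auditing password aging. The following is an added example, not code from the original article: it decodes one /etc/shadow line and classifies it on a given date. The sample lines are constructed, the names parse_shadow_line and aging_status are hypothetical, and the classification is a simplified reading of fields 3 to 8 rather than the exact login-time logic.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
# crypt(3) hash identifiers; the system described above uses $6$ (SHA512).
ALGORITHMS = {"1": "MD5", "5": "SHA256", "6": "SHA512"}
# Constructed sample lines; the hash strings are placeholders, not real hashes.
SAMPLE = [
    "mophee:$6$saltsalt$PLACEHOLDERHASH:19000:0:90:7:14:19500:",
    "olduser:!$6$saltsalt$PLACEHOLDERHASH:18000:0:99999:7:::",
]

def _days(field):
    # An empty field means the limit is not set.
    return int(field) if field else None

def parse_shadow_line(line):
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("expected 9 colon-separated fields")
    keys = ("last_change", "min_days", "max_days", "warn_days",
            "inactive_days", "expire_day")
    entry = dict(zip(keys, map(_days, f[2:8])))
    pw = f[1]
    entry["name"] = f[0]
    entry["locked"] = pw.startswith("!")      # frozen via usermod -L / passwd -l
    entry["empty_password"] = pw == ""        # login without any password
    parts = pw.lstrip("!").split("$")
    entry["algorithm"] = ALGORITHMS.get(parts[1]) if len(parts) > 2 else None
    return entry

def aging_status(entry, today):
    """Classify an entry on a given date (simplified reading of fields 3-8)."""
    now = (today - EPOCH).days
    if entry["expire_day"] is not None and now >= entry["expire_day"]:
        return "account expired"
    last, max_days = entry["last_change"], entry["max_days"]
    if last is None or max_days is None:
        return "no password aging"
    overdue = now - (last + max_days)         # days past password expiry
    if overdue > 0:
        grace = entry["inactive_days"]
        if grace is not None and overdue > grace:
            return "password expired, login disabled"
        return "password expired, change required"
    warn = entry["warn_days"]
    if warn is not None and -overdue <= warn:
        return "expiry warning"
    return "ok"
```

On a real system the file is readable only by root, so run such a check against a copy you are authorised to read.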

3. How to read the /etc/group file

Each line of the /etc/group file corresponds to one group. Fields are separated by colons and have the following meanings, in order:

[1] Group name. Rename with the command groupmod -n

[2] Password. This field is no longer used; the group password is configured in the /etc/gshadow file

[3] GID, the unique identifier of the group. It is associated with the 4th field of the /etc/passwd file, where it names the initial group of the corresponding account. The commands that affect the value of this field include: groupadd -g, groupmod -g

[4] List of account names, separated by commas. These accounts can switch their effective group to this group; for example, user mophee (initial group mophee) can use the newgrp command to switch its effective group to mysql or mail. The commands that affect the value of this field include: useradd -G, usermod -[a]G

4. How to read the /etc/gshadow file

Each line in the /etc/gshadow file holds the password information for one group. Fields are separated by colons and have the following meanings, in order:

[1] Group name, corresponding to the group name in /etc/group

[2] Password, stored as encrypted ciphertext. The command gpasswd group_name sets the group password; gpasswd -r group_name deletes it

[3] Group administrators. The command gpasswd -A user1,... group_name sets the group's administrators. Note: Group admins can set passwords for group members

[4] Group members. This field is the same as the 4th field of /etc/group and changes in step with it. Besides the useradd -G and usermod -G commands, it can also be maintained with gpasswd -[adM]. The commands that affect the value of this field include: useradd -G, usermod -[a]G
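The link between the 4th field of /etc/passwd and the 3rd and 4th fields of /etc/group can be followed in code. The following is an added example, not code from the original article: it resolves an account's initial and supplementary groups and reports two inconsistencies worth reviewing. The file contents are constructed, and the function names parse, groups_of and audit are hypothetical.

```python
# Constructed sample file contents (not taken from a real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
mophee:x:500:500:Mophee:/home/mophee:/bin/bash
backup:x:0:600:Backup operator:/home/backup:/bin/bash
"""
GROUP = """\
root:x:0:
mail:x:12:mophee
mysql:x:27:mophee
mophee:x:500:
"""

def parse(text, nfields):
    """Split colon-separated records and reject lines with a wrong field count."""
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError("line %d: expected %d fields" % (n, nfields))
        rows.append(fields)
    return rows

def groups_of(account, passwd, group):
    """Initial group first (passwd field 4), then groups listing the account."""
    gid = next((p[3] for p in passwd if p[0] == account), None)
    if gid is None:
        raise KeyError(account)
    by_gid = {g[2]: g[0] for g in group}
    result = [by_gid.get(gid, "gid=" + gid)]
    result += [g[0] for g in group
               if account in g[3].split(",") and g[0] not in result]
    return result

def audit(passwd, group):
    """Report extra UID 0 accounts and initial GIDs with no group entry."""
    gids = {g[2] for g in group}
    findings = []
    for p in passwd:
        name, uid, gid = p[0], p[2], p[3]
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 shared with root"))
        if gid not in gids:
            findings.append((name, "initial GID %s missing from group file" % gid))
    return findings
```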

-----------------------------------------------

In theory, accounts can be managed by editing the 4 configuration files above directly, but this is not recommended. Linux provides enough commands to manage accounts; although these commands essentially modify the contents of these 4 files, it is recommended to use them instead:

useradd: Add an account

# Create system account mophee3; UID and GID range: 100~499, no home directory

usermod: Modify an account

userdel: Delete an account

# Besides deleting the account, also delete its home directory and mail directory

passwd: Account password management

# List the password information for account mophee

chage: Modify the account password; an ordinary user can use this command to modify their own password

# List the password information for account mophee

groupadd: Add a group

groupmod: Modify a group

groupdel: Delete a group

gpasswd: Group password, group administrator, and member management

groups: View the groups an account belongs to

# List the groups that account mophee belongs to

newgrp: Switch the effective group

----------------------------------------------

Other configuration files related to account management: /etc/login.defs and /etc/default/useradd (some default values used by the useradd command).

1. How to read the /etc/default/useradd file

GROUP: Default group ID

HOME: Base directory for home directories. Adding an account with a home directory creates a new directory under this base directory with the same name as the account; affects the 6th field of /etc/passwd

INACTIVE: Sets whether the account is disabled after the password expires; -1 means it will not be; affects the 7th field of /etc/shadow

EXPIRE: Account expiration date; affects the 8th field of /etc/shadow

SHELL: The default shell; affects the 7th field of /etc/passwd

SKEL: Reference directory for the initial contents of a home directory; when a home directory is created, the contents of this directory are copied into it

CREATE_MAIL_SPOOL: Whether to create the corresponding mailbox directory, yes/no. With yes, a directory with the same name as the account is created under /var/spool/mail/ to store the account's mail

2. How to read the /etc/login.defs file

MAIL_DIR: The base directory of the mail directory, generally /var/spool/mail

PASS_MAX_DAYS: Number of days from password creation to expiration; affects the 5th field of /etc/shadow

PASS_MIN_DAYS: Number of days after password creation during which changes are not allowed; affects the 4th field of /etc/shadow

PASS_MIN_LEN: Minimum allowed length of the password; deprecated and replaced by the PAM module

PASS_WARN_AGE: Number of days before the password expires at which warning messages start; affects the 6th field of /etc/shadow

UID_MIN: A UID less than this value belongs to a system account; it is set to 500 by default. An account added with useradd without the -r option gets a UID greater than this value

UID_MAX: Maximum UID value supported by the system

GID_MIN: Same role as UID_MIN, applied to GIDs

GID_MAX: Same role as UID_MAX, applied to GIDs

CREATE_HOME: Whether to create a home directory by default, yes/no

UMASK: Mask for the default permissions of the home directory; when the value is 077, the home directory has permission 700

USERGROUPS_ENAB: Whether the userdel command also deletes the account's initial group when deleting the account, if that group has no other member accounts. yes/no

ENCRYPT_METHOD: Cryptographic algorithm, such as SHA512
