Account Management under CentOS

In Linux, each file has three sets of permissions: those of the owning account, those of the owning group, and those of everyone else. Accounts and groups have a many-to-many relationship: an account can belong to multiple groups, and a group can contain multiple accounts. For a logged-on account, however, only one group is effective at a time; by default this is the account's initial (primary) group.
The configuration files related to account management are: the account information file /etc/passwd, the account password file /etc/shadow, the group information file /etc/group, and the group password file /etc/gshadow.
1. View the /etc/passwd file

For example, in /etc/passwd each line is an account, and the colon-separated fields mean the following, by field number:
[1] Account name. Rename with: usermod -l
[2] Password placeholder (x). The password hash itself is stored in /etc/shadow.
[3] UID, the unique ID of the account. Commands that affect this field: useradd -u, usermod -u
[4] GID, the ID of the initial group. It corresponds to the 3rd field of /etc/group. This group is the account's default effective group (the effective group can be switched with the newgrp command). Commands that affect this field: useradd -g, usermod -g
[5] Description (comment). Commands that affect this field: useradd -c, usermod -c
[6] Absolute path of the home directory. Commands that affect this field: useradd -d, usermod -d
[7] Shell: the login shell started for the account. If it is /sbin/nologin, the account cannot log on. The shells an account may use can be listed with chsh -l (the result is the content of /etc/shells). Commands that affect this field: useradd -s, usermod -s
2. View the /etc/shadow file

For example, each line in /etc/shadow holds the password information of one account. The colon-separated fields mean the following:
[1] Account name, corresponding to the 1st field of /etc/passwd
[2] Password hash. The hashing algorithm is specified by ENCRYPT_METHOD in /etc/login.defs; here it is SHA512. Commands that affect this field: usermod -L (lock: a !! prefix is put in front of the hash), usermod -U (unlock), passwd -l (lock), passwd -u (unlock)
[3] Date the password was set (last changed), shown as the number of days elapsed since 1 January 1970. Commands that affect this field: chage -d
[4] Minimum number of days after the password is set before it can be changed again; 0 means no restriction. Commands that affect this field: passwd -n, chage -m
[5] Maximum number of days after the password is set before it expires. 99999 days is about 99999/365, roughly 274 years, so in practice the password never expires. Commands that affect this field: passwd -x, chage -M
[6] Number of days before expiry on which the user starts to receive a warning. Commands that affect this field: passwd -w, chage -W
[7] Grace period in days after the password expires: during this period the user can still log on and must change the password; after it the user can no longer log on. Commands that affect this field: useradd -f, usermod -f, passwd -i, chage -I
[8] Account expiry date, as the number of days elapsed since 1 January 1970. After this day the account is disabled: regardless of whether the password has expired, the user can no longer log on. Commands that affect this field: useradd -e, usermod -e, chage -E
[9] Reserved
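As an added example (not part of the original article), the following script applies the /etc/passwd and /etc/shadow field layout described above to a few constructed records: it flags extra UID 0 accounts (field 3), accounts whose shell still allows interactive login (field 7), classifies the shadow password field (empty, never set, locked with a ! or !! prefix, or hashed), and converts the day counts in fields 3, 5 and 8 into calendar dates. The hashes and dates in the samples are placeholders; on a real system the same functions would be fed the actual files by root.

```shell
#!/bin/bash
# Added example (not from the original article): audits constructed /etc/passwd and
# /etc/shadow style records using the field layout described above. All data is
# constructed; the hashes are placeholders, not real password hashes.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mophee:x:500:500:Mophee:/home/mophee:/bin/bash
backup:x:0:501:backup operator:/home/backup:/bin/bash
svc:x:502:502:service account:/var/lib/svc:/sbin/nologin'

SAMPLE_SHADOW='root:$6$saltsalt$placeholderhash:15000:0:99999:7:::
bin:*:15000:0:99999:7:::
mophee:!!$6$saltsalt$placeholderhash:15000:0:90:7:::
backup::15000:0:99999:7:::
svc:$6$saltsalt$placeholderhash:15000:0:99999:7::15100:'

# Field 3 of passwd: any account other than root with UID 0 is a second superuser.
extra_uid0() {
  printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Field 7 of passwd: accounts whose shell still allows interactive login.
interactive_accounts() {
  printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Field 2 of shadow: classify the password field.
#   empty  - no password at all (the account may be usable without one)
#   none   - * or ! alone, no password was ever set
#   locked - hash prefixed with ! or !! (usermod -L / passwd -l)
#   hashed - a normal hash
classify_password() {
  case "$1" in
    '')       echo empty ;;
    '*'|'!')  echo none ;;
    '!'*)     echo locked ;;
    *)        echo hashed ;;
  esac
}

# Fields 3 and 8 of shadow count days since 1970-01-01; convert to YYYY-MM-DD
# with the civil-from-days algorithm (integer arithmetic only, no date(1) needed).
days_to_date() {
  local z=$(( $1 + 719468 ))
  local era=$(( (z >= 0 ? z : z - 146096) / 146097 ))
  local doe=$(( z - era * 146097 ))
  local yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
  local y=$(( yoe + era * 400 ))
  local doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
  local mp=$(( (5 * doy + 2) / 153 ))
  local d=$(( doy - (153 * mp + 2) / 5 + 1 ))
  local m=$(( mp < 10 ? mp + 3 : mp - 9 ))
  [ "$m" -le 2 ] && y=$(( y + 1 ))
  printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# One line per shadow record: password state, last change, password expiry
# (field 3 + field 5) and account expiry (field 8) if set.
shadow_report() {
  printf '%s\n' "$1" | while IFS=: read -r name hash last min max warn inact expire rest; do
    line="$name password=$(classify_password "$hash")"
    [ -n "$last" ] && line="$line last_changed=$(days_to_date "$last")"
    if [ -n "$last" ] && [ -n "$max" ] && [ "$max" -lt 99999 ]; then
      line="$line expires=$(days_to_date $(( last + max )))"
    else
      line="$line expires=never"
    fi
    [ -n "$expire" ] && line="$line account_expires=$(days_to_date "$expire")"
    echo "$line"
  done
}

# Stand-alone run: print the findings for the constructed samples.
echo "Extra UID 0 accounts: $(extra_uid0 "$SAMPLE_PASSWD" | tr '\n' ' ')"
echo "Interactive accounts: $(interactive_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
shadow_report "$SAMPLE_SHADOW"
```

In the sample, backup is both a second UID 0 account and has an empty password field, which is exactly the combination a review of these two files should surface; mophee's password is locked but its password still ages, and svc has an account expiry date (field 8) even though its password never expires (field 5).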
3. View the /etc/group file

For example, each line of /etc/group is a group, and the colon-separated fields mean the following, by field number:
[1] Group name. Rename with: groupmod -n
[2] Password placeholder (x); the group password is stored in /etc/gshadow.
[3] GID, the unique ID of the group. It corresponds to the 4th field of /etc/passwd, where it marks the initial group of the account. Commands that affect this field: groupadd -g, groupmod -g
[4] Comma-separated list of account names that are supplementary members of this group; these accounts can switch to it with newgrp. For example, if the account mophee (initial group mophee) is listed as a member of mysql and mail, it can use the newgrp command to make mysql or mail its effective group. Commands that affect this field: useradd -G, usermod -G, usermod -aG
4. View the /etc/gshadow file

For example, each line of /etc/gshadow holds the password information of one group. The colon-separated fields mean the following:
[1] Group name, corresponding to the group name in /etc/group
[2] Password hash. Set the group password with gpasswd group_name and remove it with gpasswd -r group_name.
[3] Group administrators: set with gpasswd -A user1,... group_name. Note: a group administrator can manage the group password and the group's members.
[4] Group members. This field duplicates the 4th field of /etc/group and the two must be kept in sync. Besides useradd -G and usermod -G, it can be maintained with gpasswd -a, gpasswd -d and gpasswd -M. Commands that affect this field: useradd -G, usermod -G, usermod -aG
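The cross-references described in sections 1 to 4 (passwd field 4 to group field 3, and group field 4 mirrored in gshadow field 4) can be checked mechanically. The script below is an added example, not part of the original article: it works on constructed passwd, group and gshadow records, reproduces what groups(1) prints for an account (initial group first, then supplementary groups), lists accounts whose initial group does not exist, and lists groups whose member lists have drifted apart between /etc/group and /etc/gshadow.

```shell
#!/bin/bash
# Added example (not from the original article): checks the links between
# constructed /etc/passwd, /etc/group and /etc/gshadow records described in
# the field descriptions above. All records are constructed.

PASSWD='root:x:0:0:root:/root:/bin/bash
mophee:x:500:500::/home/mophee:/bin/bash
orphan:x:501:777::/home/orphan:/bin/bash'

GROUP='root:x:0:
mophee:x:500:
mysql:x:27:mophee
mail:x:12:mophee,orphan'

GSHADOW='root:::
mophee:!::
mysql:!::mophee
mail:!:orphan:orphan'

# Groups of an account, initial group first (field 4 of passwd -> field 3 of
# group), then every group listing the account in field 4, like groups(1).
groups_of() {
  printf '%s\n' "$3" | awk -F: -v u="$1" -v passwd="$2" '
    BEGIN { n = split(passwd, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, ":"); if (f[1] == u) gid = f[4] } }
    gid != "" && $3 == gid { initial = $1 }
    { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) extra = extra " " $1 }
    END { print initial extra }'
}

# Accounts whose initial GID (field 4 of passwd) does not exist in group.
missing_initial_group() {
  printf '%s\n' "$1" | awk -F: -v group="$2" '
    BEGIN { n = split(group, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, ":"); known[f[3]] = 1 } }
    !($4 in known) { print $1 }'
}

# Groups whose member list (field 4) differs between group and gshadow,
# compared as sets so that member order does not matter.
member_mismatch() {
  printf '%s\n' "$2" | awk -F: -v group="$1" '
    function sorted(s,  n, a, i, j, t, out) {
      n = split(s, a, ",")
      for (i = 2; i <= n; i++) { t = a[i]; for (j = i - 1; j >= 1 && a[j] > t; j--) a[j + 1] = a[j]; a[j + 1] = t }
      out = ""; for (i = 1; i <= n; i++) out = out a[i] ","
      return out
    }
    BEGIN { n = split(group, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, ":"); members[f[1]] = sorted(f[4]) } }
    $1 in members && sorted($4) != members[$1] { print $1 }'
}

echo "groups mophee -> $(groups_of mophee "$PASSWD" "$GROUP")"
echo "accounts with a missing initial group: $(missing_initial_group "$PASSWD" "$GROUP")"
echo "groups out of sync between group and gshadow: $(member_mismatch "$GROUP" "$GSHADOW")"
```

On a real system the same checks are what grpck and pwck perform; running them after any manual edit of these files is the quickest way to catch the drift between /etc/group and /etc/gshadow that the text warns about.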
-----------------------------------------------
In theory you could manage accounts by editing the four configuration files above directly, but this is not recommended. Linux provides enough commands to manage accounts; although these commands ultimately modify the same four files, you should use the commands instead:
useradd: add an account
useradd mophee # creates group mophee, account mophee and the home directory /home/mophee with mode 700; the account cannot log on until a password is set
useradd -u 519 -g users mophee2 # creates account mophee2 with UID 519 and initial group users
useradd -r mophee3 # creates system account mophee3; UID and GID are taken from the range 100~499 and no home directory is created
usermod: modify an account
userdel: delete an account
userdel mophee # deletes account mophee:
#1. removes it from /etc/passwd and /etc/shadow;
#2. removes it from the last (member) field of /etc/group and /etc/gshadow;
#3. if its initial group has no other member accounts, deletes that group.
userdel -r mophee # in addition to deleting the account, also deletes its home directory and mail spool
passwd: account password management
passwd -S mophee # show the password status of account mophee

chage: change password ageing information (the expiry fields of /etc/shadow)
chage -l mophee # list the password ageing information of account mophee

groupadd: add a group
groupmod: modify a group
groupdel: delete a group
gpasswd: manage the group password, group administrators and members
groups: show group membership
groups mophee # list the groups the account mophee belongs to

newgrp: switch the effective group
----------------------------------------------
Other configuration files related to account management: /etc/login.defs and /etc/default/useradd (defaults used by useradd).
1. The /etc/default/useradd file

GROUP: the default initial group ID.
HOME: the base directory for home directories. Creating a home directory for a new account means creating a directory named after the account under this base directory; affects the 6th field of /etc/passwd.
INACTIVE: number of days after the password expires before the account is disabled; -1 disables this feature. Affects the 7th field of /etc/shadow.
EXPIRE: account expiry date; affects the 8th field of /etc/shadow.
SHELL: the default shell; affects the 7th field of /etc/passwd.
SKEL: the skeleton directory; when a home directory is created, the contents of this directory are copied into it.
CREATE_MAIL_SPOOL: whether to create the mail spool (yes/no). If yes, a mail spool named after the account is created under /var/spool/mail/ to hold the account's mail.
2. View the /etc/login.defs file

MAIL_DIR: the base directory of the mail spools, usually /var/spool/mail
PASS_MAX_DAYS: maximum number of days a password may be used after it is set; affects the 5th field of /etc/shadow.
PASS_MIN_DAYS: minimum number of days after a password is set before it may be changed; affects the 4th field of /etc/shadow.
PASS_MIN_LEN: minimum password length. This setting is obsolete and has been superseded by the PAM modules.
PASS_WARN_AGE: number of days before expiry on which the warning starts; affects the 6th field of /etc/shadow
UID_MIN: UIDs below this value belong to system accounts. The default is 500; an account created with useradd without the -r option gets a UID at or above this value.
UID_MAX: the maximum UID supported by the system
GID_MIN: like UID_MIN, but for GIDs
GID_MAX: like UID_MAX, but for GIDs
CREATE_HOME: whether to create the home directory by default (yes/no)
UMASK: the umask applied when the home directory is created; with 077 the home directory gets mode 700.
USERGROUPS_ENAB: whether userdel also deletes the account's initial group when that group has no other members (yes/no)
ENCRYPT_METHOD: password hashing algorithm, e.g. SHA512
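Because the settings above feed directly into the /etc/shadow fields and the home directory mode, a weak login.defs is inherited by every account created afterwards. The script below is an added example, not part of the original article: it reads a constructed login.defs that mirrors typical CentOS defaults (PASS_MAX_DAYS 99999, UMASK 022, ENCRYPT_METHOD MD5), reports each setting that misses the target values, and shows the corrected file. The target values (90-day maximum age, 1-day minimum age, UMASK 077, SHA512) are assumptions of this example, not something the article specifies.

```shell
#!/bin/bash
# Added example (not from the original article): checks password-policy
# settings in a constructed /etc/login.defs against target values that are
# assumptions of this example (90-day maximum age, 1-day minimum age,
# UMASK 077, ENCRYPT_METHOD SHA512) and shows the corrected lines.

# Constructed sample resembling a default login.defs with weak values.
LOGIN_DEFS='# constructed sample, not a real system file
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN         500
UID_MAX         60000
CREATE_HOME     yes
UMASK           022
USERGROUPS_ENAB yes
ENCRYPT_METHOD  MD5'

# The same settings after correction.
HARDENED_LOGIN_DEFS='PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
UMASK           077
ENCRYPT_METHOD  SHA512'

# Value of a key in login.defs text; comment lines are skipped and, as in the
# real file, the last definition wins. Prints nothing when the key is absent.
login_defs_get() {
  printf '%s\n' "$2" | awk -v k="$1" '$1 == k { v = $2 } END { print v }'
}

# Mode a new home directory gets under a given UMASK (0777 with the mask bits cleared).
home_mode_from_umask() {
  printf '%03o\n' $(( 0777 & ~0$1 ))
}

# Print one line per weak setting: KEY current -> recommended.
audit_login_defs() {
  v=$(login_defs_get PASS_MAX_DAYS "$1")
  [ "${v:-99999}" -le 90 ] || echo "PASS_MAX_DAYS ${v:-unset} -> 90"
  v=$(login_defs_get PASS_MIN_DAYS "$1")
  [ "${v:-0}" -ge 1 ] || echo "PASS_MIN_DAYS ${v:-unset} -> 1"
  v=$(login_defs_get UMASK "$1")
  [ "$v" = 077 ] || echo "UMASK ${v:-unset} -> 077 (home directories get mode $(home_mode_from_umask "${v:-022}") instead of 700)"
  v=$(login_defs_get ENCRYPT_METHOD "$1")
  [ "$v" = SHA512 ] || echo "ENCRYPT_METHOD ${v:-unset} -> SHA512"
}

# Number of findings, so a hardened file can be verified to produce none.
count_findings() {
  audit_login_defs "$1" | awk 'END { print NR }'
}

echo "Weak settings in the sample login.defs:"
audit_login_defs "$LOGIN_DEFS"
echo "Findings after hardening: $(count_findings "$HARDENED_LOGIN_DEFS")"
```

Note that changing ENCRYPT_METHOD only affects passwords set from then on; existing MD5 hashes in /etc/shadow stay as they are until each account's password is changed, which is one reason to combine the login.defs change with a PASS_MAX_DAYS that forces rotation.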
