Linux Account and identity management
1. Linux accounts and user groups
User ID: UID and GID
Although we type an account name when logging on to a Linux host, Linux does not work with the name itself; it knows only IDs. An ID is a number recorded in /etc/passwd, and the account name exists only to make it easier for us to remember.
Linux uses two kinds of ID: the UID and the GID. The UID identifies the user and the GID identifies the group. Both are recorded in the user's /etc/passwd entry; the mapping from group names to GIDs lives in /etc/group.
2. User Account
When we log on to the host, a login prompt asks for an account name and a password. What does Linux do after we enter them?
1) It first looks up the account in /etc/passwd. If it does not exist, the login fails. Otherwise it reads the account's UID, GID, home directory, shell and other information.
2) It then looks up the same account name in /etc/shadow and checks whether the entered password, hashed with the salt stored there, matches the stored password hash.
3) If everything matches, it hands over to the login shell.
The process above shows that the two most important account-related files are /etc/passwd and /etc/shadow: one holds the account information, the other holds the password hashes and the password aging data.
/etc/passwd file structure
root:x:0:0:root:/root:/bin/bash
huli:x:500:500:Huli:/home/huli:/bin/bash
Each line represents one account. Some accounts are required for the system itself to operate; we call them system accounts. Each line has seven fields separated by ':'.
1) User name
2) Password. This is normally 'x': for security reasons, current distributions keep all password hashes in /etc/shadow, which only root can read, while /etc/passwd has to stay world-readable.
3) UID
4) GID (the initial group)
5) Account description (the GECOS field)
6) User's home directory
7) User's default shell
Note: a UID of 0 makes the account a system administrator regardless of its name. Setting an account's UID to 0 therefore turns it into an administrator, which is also why an audit of /etc/passwd should check that root is the only UID 0 account; a second UID 0 entry is a common sign of misconfiguration or compromise.
/etc/shadow file structure
root:$1$3furypzx$cxcc2ghsgpjp7mzbwaal:15251:0:99999:7:::
Each line of shadow again represents one account and is separated by ':', but it has nine fields.
1) User name, which corresponds to the name in /etc/passwd
2) Password. This is the real password, stored as a salted hash; the prefix between the first two '$' names the algorithm ($1$ is MD5-crypt, as in this old example; current systems use $6$, SHA-512). If the first character of this field is '*' or '!', the account cannot log on with a password (passwd -l and usermod -L lock an account by prepending '!' to the hash). An empty field means no password is required at all, which should never appear on a real system.
3) Date of the last password change, as the number of days since January 1, 1970.
4) Minimum number of days between password changes: the password can be changed again only after this many days. 0 means it can be changed at any time.
5) Maximum number of days the password stays valid: after this many days it must be changed. 99999 (about 273 years) means in practice that it never has to be changed.
6) Number of days before expiry on which the user is warned.
7) Grace period after expiry: for this many days after the password has expired, the user can still log on and is forced to change it. After that the account can no longer log on.
8) Account expiration date, as the number of days since January 1, 1970. Unlike field 5, this disables the account itself, whether or not the password is still valid.
9) Reserved.
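The checks that follow from the two file layouts above, as an added example (not code from the original article): a small audit over copies of /etc/passwd and /etc/shadow that flags extra UID 0 accounts, password fields left in /etc/passwd, empty or locked shadow passwords and passwords that never expire, and converts the day counts in fields 3 and 8 to calendar dates. It runs on files given as arguments, so no root is needed; the sample data is constructed and the account names (huli, toor, svc, legacy) are made up.

```shell
#!/bin/sh
# Added example: audit passwd/shadow-format files for the conditions the
# text describes. Works on copies passed as arguments; needs no root.

# passwd checks: every line must have 7 fields; UID 0 means administrator
# (there should normally be exactly one, root); the password field should
# be "x", meaning the hash lives in /etc/shadow.
audit_passwd() {
    awk -F: '
        NF != 7               { printf "BAD_FIELDS %s (%d fields)\n", $1, NF; next }
        $3 == 0               { printf "UID0 %s\n", $1 }
        $2 == ""              { printf "EMPTY_PASSWD %s\n", $1 }
        $2 != "x" && $2 != "" { printf "HASH_IN_PASSWD %s\n", $1 }
    ' "$1"
}

# shadow checks: 9 fields; an empty field 2 allows login without any
# password; a leading "!" or "*" means no password login is possible
# (passwd -l puts the "!" there); field 5 empty or 99999 means the
# password never has to be changed.
audit_shadow() {
    awk -F: '
        NF != 9                 { printf "BAD_FIELDS %s (%d fields)\n", $1, NF; next }
        $2 == ""                { printf "EMPTY_SHADOW %s\n", $1 }
        $2 ~ /^[!*]/            { printf "LOCKED %s\n", $1 }
        $5 == "" || $5 == 99999 { printf "NO_EXPIRY %s\n", $1 }
    ' "$1"
}

# Fields 3 and 8 of /etc/shadow are days since 1970-01-01. Convert such a
# value to YYYY-MM-DD with integer arithmetic only (civil-from-days
# algorithm; valid for the non-negative counts shadow uses).
days_to_date() {
    z=$(( $1 + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    y=$(( yoe + era * 400 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    if [ "$mp" -lt 10 ]; then m=$(( mp + 3 )); else m=$(( mp - 9 )); fi
    if [ "$m" -le 2 ]; then y=$(( y + 1 )); fi
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# Constructed sample data (not any real system's files).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
huli:x:500:500:Huli:/home/huli:/bin/bash
toor:x:0:0:second UID 0 account:/root:/bin/bash
legacy::501:501:empty password field:/home/legacy:/bin/sh
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$examplesalt$examplehash:15251:0:99999:7:::
huli:$6$examplesalt$examplehash:15251:0:90:7:::
svc:!:15251:0:99999:7:::
legacy::15251:0:99999:7:::
EOF

echo "== passwd findings =="; audit_passwd "$SAMPLE_DIR/passwd"
echo "== shadow findings =="; audit_shadow "$SAMPLE_DIR/shadow"
echo "root last changed its password on $(days_to_date 15251)"
```

Run against the live system with `audit_passwd /etc/passwd` as any user and `audit_shadow /etc/shadow` as root. Only huli comes out clean in the sample: it has a password in shadow, a 90-day maximum age and is not UID 0.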
Effective user group and initial user group
Initial user group: the group recorded in field 4 of /etc/passwd, assigned when the account is added.
Effective user group: the group that a file belongs to when the user creates it.
You can use the groups command to see the groups the current user belongs to; the first group in its output is the effective group. newgrp (or sg) switches the effective group to another group the user is a member of, which is how a file can be created belonging to a different group.
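The claim above can be checked directly. The following is an added example, not code from the original article: it reads the initial group from the passwd database, the effective group from id, and confirms that a freshly created file receives the effective group. Numeric GIDs are used throughout so it also works where the current UID has no passwd entry.

```shell
#!/bin/sh
# Added example: initial group vs. effective group, and which one a new
# file receives.

# Field 4 of the passwd entry for the current UID: the initial group.
initial_gid() {
    getent passwd "$(id -u)" | cut -d: -f4
}

# The effective group: what "groups" lists first and what newgrp changes.
effective_gid() {
    id -g
}

# Create a file in a fresh directory and report the GID it was given.
# The setgid bit is cleared on the directory first: a setgid directory
# makes new files inherit the directory's group instead of the effective
# group, which is the one case where the rule above does not hold.
new_file_gid() {
    dir=$(mktemp -d)
    chmod g-s "$dir"
    : > "$dir/probe"
    gid=$(ls -ldn "$dir/probe" | awk '{ print $4 }')
    rm -rf "$dir"
    printf '%s\n' "$gid"
}

# Succeeds when no newgrp/sg has moved the effective group away from the initial one.
same_as_initial() {
    [ "$(initial_gid)" = "$(effective_gid)" ]
}

echo "initial group:   $(initial_gid)"
echo "effective group: $(effective_gid)"
echo "new file group:  $(new_file_gid)"
if same_as_initial; then
    echo "effective group is the initial group"
else
    echo "effective group differs from the initial group (newgrp/sg in effect)"
fi
```

Run it once from a normal login and once inside `newgrp somegroup` (any group you belong to): the initial group stays the same, while the effective group and the group of the new file both change.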
Account management: useradd, its configuration files, passwd, usermod, userdel
useradd [options] username
Parameters:
-u: followed by a UID, a number. Creates the account with this specific UID.
-g: followed by a group name; this becomes the initial user group mentioned above.
-G: followed by a comma-separated list of group names; the supplementary groups this account also belongs to.
-M: do not create the user's home directory.
-m: create the user's home directory.
-c: the description that goes in field 5 of /etc/passwd.
-d: specify a directory as the home directory instead of the default.
-r: create a system account. Its UID is taken from the system range defined in /etc/login.defs (SYS_UID_MIN to SYS_UID_MAX), and no home directory is created unless -m is given.
-s: the default shell to use.
This command may change the following files:
/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow
/home/username
The files it reads include:
/etc/default/useradd
/etc/login.defs
/etc/skel/*
passwd (change a password)
passwd [-lunxwS] username
Parameters:
-l: lock the account by prepending '!' to its password field in /etc/shadow.
-u: undo the lock set by -l.
-n: followed by a number of days; sets field 4 of /etc/shadow (minimum days between changes).
-x: followed by a number of days; sets field 5 of /etc/shadow (maximum password age).
-w: followed by a number of days; sets field 6 of /etc/shadow (warning days).
-S: display the password status of the account.
Note: every user can run passwd to change their own password, but only root can use it to change another user's password or to set the aging options above.
usermod (modify account information)
usermod [-cdegGlsuLU] username
Parameters:
-c: account description, field 5 of /etc/passwd
-d: the account's home directory, field 6 of /etc/passwd
-e: followed by a date in YYYY-MM-DD format; the account expiration date, field 8 of /etc/shadow
-g: followed by a group name; the initial group, field 4 of /etc/passwd
-G: modify the supplementary groups of this user; the change is written to /etc/group. Note that -G replaces the whole list, so use -a -G to add a group without dropping the existing ones.
-l: followed by a new account name, field 1 of /etc/passwd
-s: the shell, given as the actual file, e.g. /bin/bash
-u: followed by a UID, field 3 of /etc/passwd
-L: temporarily freeze the user by prepending '!' to the password field in /etc/shadow
-U: remove the '!' from the password field in /etc/shadow, unfreezing the user
userdel (delete an account)
userdel [-r] username
Parameters:
-r: also delete the user's home directory and mail spool
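The four commands above are normally used together as one procedure. The script below is an added example, not from the original article, showing how a practitioner would chain them with the checks they want: validate the login name the way shadow-utils does, refuse to touch an existing account, create the user with useradd, set the password from an already hashed value so the plaintext never reaches a command line, apply the aging options with passwd, verify the result, and later lock the account before removing it. The account name, UID, groups and hash are placeholders supplied on the command line; everything except valid_username needs root, and run as a non-root user the script only prints its usage.

```shell
#!/bin/sh
# Added example: provision and retire an account with useradd, chpasswd,
# passwd, usermod and userdel, with sanity checks around each step.

# The classic shadow-utils rule for login names: start with a lowercase
# letter or underscore, then lowercase letters, digits, underscore or
# hyphen, at most 32 characters.
valid_username() {
    case $1 in
        ''|*[!a-z0-9_-]*|[0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# provision_user NAME UID INITIAL_GROUP SUPPLEMENTARY_GROUPS SHELL HASH
#   HASH is an already hashed password (e.g. output of "openssl passwd -6"),
#   fed to chpasswd -e, so the plaintext appears nowhere in shell history.
provision_user() {
    name=$1 uid=$2 igroup=$3 sgroups=$4 shell=$5 hash=$6
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    valid_username "$name" || { echo "invalid login name: $name" >&2; return 1; }
    if getent passwd "$name" >/dev/null; then
        echo "$name already exists, leaving it alone" >&2
        return 0
    fi
    getent group "$igroup" >/dev/null || { echo "initial group $igroup does not exist" >&2; return 1; }
    # -m creates the home from /etc/skel; -u/-g/-G/-s/-c as described above
    useradd -m -u "$uid" -g "$igroup" -G "$sgroups" -s "$shell" -c "provisioned account" "$name"
    printf '%s:%s\n' "$name" "$hash" | chpasswd -e
    # Aging: 1 day minimum between changes, 90 days maximum age, warn 7 days ahead
    passwd -n 1 -x 90 -w 7 "$name"
    # Verify what landed in the databases
    getent passwd "$name"
    id "$name"
    passwd -S "$name"
}

# retire_user NAME: lock first, so the account cannot be used while its
# files are still being reviewed, then remove it together with its home.
retire_user() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    usermod -L "$1"
    passwd -S "$1"
    userdel -r "$1"
    if getent passwd "$1" >/dev/null; then echo "removal of $1 failed" >&2; return 1; fi
}

case "$1" in
    add)    shift; provision_user "$@" ;;
    remove) shift; retire_user "$@" ;;
    *)      echo "usage: $0 add NAME UID GROUP SUPPGROUPS SHELL HASH | remove NAME" >&2 ;;
esac
```

Example invocation as root (hash produced beforehand with `openssl passwd -6`, group names assumed to exist): `./account.sh add huli 500 huli users,wheel /bin/bash '$6$...'`, later `./account.sh remove huli`.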
Switching user identity (su, sudo)
su can switch to the root identity, but it requires the root password. When su is run without '-', environment variables such as MAIL, PATH and USER remain those of the original login (note that HOME is switched). To take on the environment of the new identity as well, use su - instead.
su [-lmc] [username]
Parameters:
-: when su - is run, the identity changes to root and root's environment files, such as /root/.bash_profile, are read (a login shell).
-l: can be followed by a user name, for example su -l huli. The advantage of -l is that the identity can be changed to a user other than root, again as a login shell.
-m: the same as -p; means "keep the current environment settings and do not read the new user's settings files".
-c: run a single command only; -c is followed by the command.
One drawback of su is that an ordinary user must know the administrator's password. When a system has many users and each of them knows the administrator's password, that is a security risk. In that situation, use sudo.
How does sudo work?
When a user runs sudo, the system first consults /etc/sudoers to determine whether that user is allowed to run the requested command through sudo.
If so, the user is prompted for their own password (not root's) for confirmation.
If the password is correct, the command is executed as the target user, root by default.
/etc/sudoers should be edited with visudo, which checks the syntax before saving; a syntax error in the file can lock everyone out of sudo.
sudo [-u username|#uid] command
Parameters:
-u: followed by a user account name, or a UID prefixed with '#'; the command runs as that user instead of root.
Manually adding users
If you want to add users by hand, you must understand all the relevant settings files.
In general, adding a user manually means modifying the following files:
/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow
/home/username
The system provides some tools to check that manually added accounts are consistent.
pwck
Checks the account entries in /etc/passwd for malformed fields and verifies that each home directory actually exists.
It also compares the entries in /etc/passwd and /etc/shadow. If a field in /etc/passwd contains incorrect data, it reports the entry and offers to fix it.
pwconv
Moves the password hashes in /etc/passwd to /etc/shadow, and adds shadow entries for accounts that lack one.
pwunconv
Writes the password hashes in /etc/shadow back into /etc/passwd and removes /etc/shadow. Avoid this on a production system: it puts the hashes into a world-readable file.
grpconv
Moves the group passwords in /etc/group to /etc/gshadow. grpck does for the group files what pwck does for the account files.
chpasswd
This command reads plaintext passwords, hashes them and writes the hashes into /etc/shadow. It reads from standard input, one account per line, in the format:
"username:password"
Example: echo 'skind:user!@#' | chpasswd
Use single quotes here, because in an interactive bash the '!' inside double quotes triggers history expansion. The example also leaves the plaintext password in the shell history; prefer to hash it first (for example with openssl passwd -6) and feed the hash to chpasswd -e, which accepts already hashed passwords.
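The consistency checks that pwck performs on a hand-edited set of files, written out as an added example (not the original article's code and not pwck's own implementation): every /etc/passwd user must have a /etc/shadow entry and vice versa, every GID in /etc/passwd must exist in /etc/group, and every home directory must exist. It runs over copies passed as arguments, so it needs no root; the sample files are constructed, and the accounts ghost and stale are deliberately inconsistent to show what the output looks like.

```shell
#!/bin/sh
# Added example: pwck-style cross-checks over passwd, shadow and group
# files, plus a home-directory check, on copies given as arguments.

# check_db PASSWD SHADOW GROUP
#   NO_SHADOW      passwd user without a shadow entry
#   ORPHAN_SHADOW  shadow entry without a passwd user
#   NO_GROUP       passwd GID that does not exist in group
check_db() {
    awk -F: '
        FILENAME == ARGV[1] { pw[$1] = 1; gid[$1] = $4; next }
        FILENAME == ARGV[2] { sh[$1] = 1; next }
        FILENAME == ARGV[3] { grp[$3] = 1; next }
        END {
            for (u in pw) {
                if (!(u in sh))       print "NO_SHADOW " u
                if (!(gid[u] in grp)) print "NO_GROUP " u " gid=" gid[u]
            }
            for (u in sh) if (!(u in pw)) print "ORPHAN_SHADOW " u
        }
    ' "$1" "$2" "$3" | LC_ALL=C sort
}

# check_homes PASSWD ROOT: report accounts whose home directory (field 6)
# does not exist under ROOT (pass / for the live system).
check_homes() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -d "$2$home" ] || echo "NO_HOME $user $home"
    done < "$1"
}

# Constructed sample: a fake filesystem root whose databases are out of step
# (ghost was added to passwd only, stale was left behind in shadow).
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/root" "$SAMPLE_ROOT/home/huli"
cat > "$SAMPLE_ROOT/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
huli:x:500:500:Huli:/home/huli:/bin/bash
ghost:x:501:600:added by hand:/home/ghost:/bin/bash
EOF
cat > "$SAMPLE_ROOT/shadow" <<'EOF'
root:$6$examplesalt$examplehash:15251:0:99999:7:::
huli:$6$examplesalt$examplehash:15251:0:99999:7:::
stale:!:15000:0:99999:7:::
EOF
cat > "$SAMPLE_ROOT/group" <<'EOF'
root:x:0:
huli:x:500:
EOF

check_db "$SAMPLE_ROOT/passwd" "$SAMPLE_ROOT/shadow" "$SAMPLE_ROOT/group"
check_homes "$SAMPLE_ROOT/passwd" "$SAMPLE_ROOT"
```

After adding an account by hand, run these checks (or pwck and grpck themselves) before the first login: a passwd entry without a shadow entry, or a GID with no group, is exactly the kind of mistake manual editing produces.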