### /etc/passwd
# root:x:0:0:root:/root:/bin/bash
# Account name : password (x = stored in /etc/shadow) : UID : GID : user information (description) : home directory : shell
### /etc/shadow
# root:$1$...:15123:0:99999:7:::
# Account name : encrypted password : date of last password change : days before the password may be changed again : days after which the password must be changed : days of warning before the password expires (1) : grace days after password expiry (2) : account expiration date (3) : reserved
# 1): compared with field 5. When the password validity period (field 5) is about to run out, the system uses this field to warn the account: "your password will expire in n days, please set a new one as soon as possible".
# 2): compared with field 5. The password validity period is [last change date] + [days until a change is required]. If the user still has not updated the password after that period, the password expires. An expired password does not yet stop the account from being used for other work, including logging in to obtain a bash shell, but on login the system forces a password reset before you can continue. If the password is still not changed within the number of grace days given here after expiry, the account becomes invalid and can no longer be used.
# 3): account expiration date. Like field 3, it is counted in days since 1 January 1970. After the date in this field the account can no longer be used.
### /etc/group
# root:x:0:root
# Group name : group password : GID : accounts that are members of this group
### Effective group and initial group
# groups -> shows the groups the current account belongs to; the effective group is printed first
# Switching the effective group: newgrp
# The group switched to with newgrp must be one the account is a member of
### /etc/gshadow (group administrators)
# root:::root
# Group name : password : group administrator accounts : group member accounts
### useradd
# useradd [-u UID] [-g initial group] [-G secondary group] [-mM] [-c description] [-d absolute path of home directory] [-s shell] account name
# * -M: force: do not create the user's home directory (default for system accounts)
# * -m: force: create the user's home directory (default for general accounts)
# * -r: create a system account; the UID is restricted to the system range
# * -e: followed by a date in the format YYYY-MM-DD; written to shadow field 8, the account expiration date
# * -f: followed by the number of days for shadow field 7, how long after expiry the password becomes invalid; 0 means invalid immediately
# * -D: display the defaults used by useradd (stored in /etc/default/useradd)
The content is as follows:
GROUP=100              <= default group
HOME=/home             <= parent directory of the home directories
INACTIVE=-1            <= password inactivity days, shadow field 7
EXPIRE=                <= account expiration date, shadow field 8
SHELL=/bin/bash        <= default shell
SKEL=/etc/skel         <= directory whose contents are copied into the user's new home directory
CREATE_MAIL_SPOOL=yes  <= whether to create a mailbox for the user
Note: INACTIVE: 0 means the password becomes invalid immediately on expiry; -1 means it never becomes invalid; a number such as 30 means it becomes invalid 30 days after expiry.
# * /etc/login.defs
### passwd
# passwd [-l] [-u] [--stdin] [-S] [-n days] [-x days] [-w days] [-i days] account
# * --stdin: read the password from the preceding pipeline; useful in shell scripts
# * -l: Lock: prefixes the second field of /etc/shadow with "!" so the password becomes invalid
# * -u: Unlock, the opposite of -l
# * -S: list the password-related parameters, i.e. most of the user's information from the shadow file
# * -n: followed by a number of days, shadow field 4: the password cannot be changed again within this time
# * -x: followed by a number of days, shadow field 5: the password must be changed within this time
# * -w: followed by a number of days, shadow field 6: days of warning before the password expires
# * -i: followed by a number of days, shadow field 7: the password becomes invalid this many days after it expires
# * echo "abc543CC" | passwd --stdin vbird2
This updates the user's password directly without interactive input. The advantage is convenience; the disadvantage is that the password stays in the command line, so if the system is compromised later the password can be found in /root/.bash_history. This is therefore usually only used to create large numbers of accounts in shell scripts.
##### More detailed password parameters: chage [-ldEImMW] account name
# -l: list the detailed password parameters of this account
# -d: followed by a date, modify shadow field 3 (date of last password change), format YYYY-MM-DD
# -E: followed by a date, modify shadow field 8 (account expiration date), format YYYY-MM-DD
# -I: followed by a number of days, modify shadow field 7 (days after expiry before the password becomes invalid)
# -m: followed by a number of days, modify shadow field 4 (minimum days before the password may be changed)
# -M: followed by a number of days, modify shadow field 5 (days after which the password must be changed)
# -W: followed by a number of days, modify shadow field 6 (days of warning before password expiry)
#### usermod [-cdegGlsuLU] username
# -c: followed by the account description, i.e. the fifth column of /etc/passwd; lets you add a description of the account
# -d: followed by the account's home directory, i.e. modifies the sixth column of /etc/passwd
# -e: followed by a date in the format YYYY-MM-DD, i.e. the data in shadow field 8
# -f: followed by a number of days, i.e. shadow field 7
# -g: followed by the initial group
# -G: followed by a secondary group; modifies the groups this user is a member of, i.e. /etc/group
# -a: used together with -G; [adds] secondary group membership instead of [replacing] it
# -l: followed by a new account name; renames the account
# -s: followed by the shell to use, e.g. /bin/bash or /bin/csh
# -u: followed by a UID number, i.e. the third column of /etc/passwd
# -L: temporarily freeze the user's password so that the user cannot log in
# -U: unfreeze the user's password
* ** chown -R changes the user/group ownership of all files under a directory at once.
#### userdel
# User data includes: account/password parameters: /etc/passwd, /etc/shadow
# Group parameters: /etc/group, /etc/gshadow
# The user's own data: /home/username, /var/spool/mail/username
# userdel [-r] username
# -r: also delete the user's home directory
############## Account commands used by ordinary users
### finger shows much user-related information, mostly from /etc/passwd
# finger [-s] username
# * -s: list only the user's account, full name, terminal, and login time
# * -m: list only accounts that match the following name exactly, rather than partial matches
### chfn is a bit like "change finger"
# chfn [-foph] [account name]
# * -f: followed by the full name
# * -o: office room number
# * -p: office phone number
# * -h: home phone number
### chsh, short for "change shell"
# chsh [-ls]
# * -l: list the shells currently available on the system, which is actually the content of /etc/shells
# * -s: set/modify your own shell
####### Groups
### groupadd
# groupadd [-g gid] [-r] group name
# * -g: followed by a specific GID, to assign a GID directly
# * -r: create a system group, using the GID range related to GID_MIN in /etc/login.defs
# * Modifies /etc/group and /etc/gshadow
### groupmod
# groupmod [-g gid] [-n group_name] group name
### groupdel group name
### gpasswd: group administrator functions
# If the system administrator is too busy, accounts that want to join a project may not get help. In that case a [group administrator] can be created: a group is given an administrator who can manage which accounts are added to or removed from the group.
# gpasswd groupname: give groupname a password (stored in /etc/gshadow)
# gpasswd [-A user,...] [-M user3,...] groupname
# * -A: hand the main control of groupname over to the following users to manage
# * -M: add the following accounts to this group
# gpasswd [-rR] groupname
# * -r: remove the password of groupname
# * -R: make the password of groupname invalid, so newgrp can no longer be used to join it
# Group administrators can use the following:
# gpasswd [-ad] user groupname
# * -a: add a user to the groupname group
# * -d: remove a user from the groupname group
########## User identity switching
### su [-lm] [-c command] [username]
# * -: with "-", the switch uses a login shell, i.e. the target user's environment files are read; with no username, switch to root
# * -l: similar to "-", but the account to switch to must be given after it; also a login-shell switch
# * -m: -m is the same as -p, meaning [use the current environment settings instead of reading the new user's configuration files]
# * -c: execute only one command, so the command can be given after -c
### sudo [-b] [-u new user account]
# * -b: run the following command in the background, without affecting the current shell
# * -u: followed by the user to switch to; if omitted, the command runs as root
########## sudo and /etc/sudoers
# root ALL=(ALL) ALL
# user account | hosts the user may log in from = (identities that may be switched to) commands that may be run
# %wheel ALL=(ALL) ALL
# A leading % indicates that the following name is a [group]
# %wheel ALL=(ALL) NOPASSWD: ALL
# NOPASSWD: no password is required when using sudo
#### /sbin/nologin
### Edit /etc/nologin.txt to set the message shown when a user whose shell is /sbin/nologin tries to log in
########### PAM modules
### /etc/pam.d/passwd
# auth     include  system-auth
# account  include  system-auth
# password include  system-auth
# Verification type | control flag | PAM module and its parameters
### include means that the following file is used for the verification of this type. So each line above calls /etc/pam.d/system-auth to do the verification.
### Verification types:
# auth is short for authentication. This type is mainly used to verify the user's identity; since that usually requires a password, the following modules check the user's password.
# account mostly performs authorization. This type mainly checks whether the user has the correct permission to use the service.
# session refers to the duration of the session. It manages the environment PAM sets up during the login period, and is usually used to record user login and logout information.
# password: this type is mainly used to provide verification changes, for example modifying/changing the password.
#### Control flags
# required: if verification succeeds, a success flag is recorded; if it fails, a failure flag is recorded, but the subsequent verification steps continue regardless. Because the later steps still run, this effectively provides a data-logging function, which is also the most common reason PAM uses required.
# requisite: if verification fails, a failure is returned to the calling program immediately and the subsequent verification steps are terminated. If it succeeds, a success flag is recorded and the subsequent steps continue. The biggest difference from required is that on failure no further verification is done. Because requisite terminates on failure, the PAM information produced by the failure cannot be recorded by subsequent modules.
# sufficient: if verification succeeds, success is returned to the calling program immediately and the subsequent verification steps are terminated; if it fails, a failure flag is recorded and the subsequent steps continue. This is the opposite of requisite.
# optional: this kind of module is mostly used for displaying messages, not for verification.
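An added example (not from the original notes) that walks a PAM stack and applies the four control flags as described above, returning which modules actually ran so the short-circuit behaviour of requisite and sufficient is visible. The stack text and the per-module results are constructed; real PAM also evaluates module arguments and "include" lines, which this model leaves out.

```python
from typing import Dict, List, Tuple

def parse_pam_stack(text: str, pam_type: str) -> List[Tuple[str, str]]:
    """Return [(control_flag, module)] for one verification type (auth/account/session/password).
    Module arguments are ignored and "include" lines are not modelled."""
    stack: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        vtype, flag, module = line.split()[:3]
        if vtype == pam_type:
            stack.append((flag, module))
    return stack

def evaluate_stack(stack: List[Tuple[str, str]], results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk the stack top to bottom. `results` says what each module would return
    (True = success); a module missing from it is treated as failing, like pam_deny.
    Returns (overall result, modules that actually ran) so the short-circuits are visible."""
    ran: List[str] = []
    required_failed = False
    for flag, module in stack:
        ok = results.get(module, False)
        ran.append(module)
        if flag == "required":
            required_failed = required_failed or not ok  # remember the failure, keep going
        elif flag == "requisite":
            if not ok:
                return False, ran                        # fail fast; later modules never run
        elif flag == "sufficient":
            if ok and not required_failed:
                return True, ran                         # succeed now; skip the rest
        elif flag == "optional":
            if len(stack) == 1:
                return ok, ran                           # decisive only as the sole module
        else:
            raise ValueError(f"unknown control flag: {flag}")
    return not required_failed, ran

# Constructed stack modelled on a typical system-auth "auth" section, not copied from any system.
SYSTEM_AUTH = """\
auth     required    pam_env.so
auth     sufficient  pam_unix.so nullok try_first_pass
auth     requisite   pam_succeed_if.so uid >= 500 quiet
auth     required    pam_deny.so
"""
AUTH_STACK = parse_pam_stack(SYSTEM_AUTH, "auth")

def login_outcome(password_ok: bool, uid_ok: bool) -> Tuple[bool, List[str]]:
    """Simulate the auth stack for a login whose password check and uid check give these results."""
    return evaluate_stack(AUTH_STACK, {"pam_env.so": True, "pam_unix.so": password_ok,
                                       "pam_succeed_if.so": uid_ok})
```

With a correct password the sufficient pam_unix line ends the stack early; with a wrong password and a uid below 500 the requisite line stops it before pam_deny, which is exactly the case where a failure cannot be recorded by later modules.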
##### Querying users
# w, who
# last
# lastlog: view the latest login time of each account, from /var/log/lastlog
##### Talking to users
# write user_account [user's terminal]
# mesg n: refuse to accept messages (messages from root cannot be refused)
# mesg y: accept messages
# wall "string": send a text message to all users on the system
##### Account check tools
# pwck: checks the information in the /etc/passwd account file, e.g. whether each account's home directory actually exists, and whether /etc/passwd and /etc/shadow are consistent with each other
# grpck: checks the corresponding group files
This article is from the lopnxrp blog