User and Group Management
Why should I have user and group management?
For security and task assignment (identity authentication).
Form:
AAA (developed and established by Cisco):
1. Authentication: verify that the user is allowed to gain access.
2. Authorization: which services the authenticated user may use.
3. Accounting: record the user's use of network resources.
Linux is a multi-tasking, multi-user operating system.
The subject that uses resources and completes tasks is the application process.
Security context:
A process runs as the user who started it; the owner of a process is understood to be its initiator, and the owner's identity is recorded on every process.
When a process attempts to access a resource, the security context is checked by comparing the owner of the process with the owner of the resource:
First, check whether the owner of the process is the same user as the owner of the resource; if so, access the resource with the owner's permissions;
If not, check whether the owner of the process is a member of the group that owns the resource; if so, access the resource with the owning group's permissions;
If not, access the resource with the permissions granted to "other" (all remaining users).
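The three-step owner, group, other decision above as a POSIX sh function. This is an added example, not code from the original notes; the argument names and the sample uid/gid values are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes: the owner -> group -> other
# decision described above as a POSIX sh function. Arguments:
#   proc_uid proc_gids file_uid file_gid mode want
# proc_gids is a comma-separated list (the primary group plus any additional
# groups), mode is the octal permission string (640 or 0640), want is r, w or x.
# Prints "<class> allow" or "<class> deny". The class is fixed by the first match,
# so an owner denied by the owner bits is not re-checked as group or other.
can_access() {
    proc_uid=$1 proc_gids=$2 file_uid=$3 file_gid=$4 want=$6
    mode=${5#"${5%???}"}                 # keep only the last three octal digits
    if [ "$proc_uid" -eq "$file_uid" ]; then
        class=owner; digit=${mode%??}
    else
        case ",$proc_gids," in
            *",$file_gid,"*) class=group; tmp=${mode#?}; digit=${tmp%?} ;;
            *)               class=other; digit=${mode#??} ;;
        esac
    fi
    case $want in
        r) bit=4 ;; w) bit=2 ;; x) bit=1 ;;
        *) echo "unknown permission: $want" >&2; return 2 ;;
    esac
    if [ $(( digit & bit )) -ne 0 ]; then
        echo "$class allow"; return 0
    fi
    echo "$class deny"; return 1
}

# Constructed scenario: a file owned by uid 1000 / gid 10 with mode 640.
can_access 1001 1001,10 1000 10 640 w    # group deny  (group bits are r--)
can_access 1002 1002    1000 10 640 r    # other deny  (other bits are ---)
can_access 1000 1000    1000 10 044 r    # owner deny  (owner class wins even though other is r--)
can_access 1001 1001,10 1000 10 640 r    # group allow (via additional group 10)
```

Root is not special-cased here: on a real system the kernel lets uid 0 bypass these permission bits, which is one reason the notes keep services off the root account.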
User accounts: the basis for interactive operation between the operator and the computer.
Super user (administrator): root
Normal users:
System users (non-login users): to keep the system secure, some processes or services must run as a non-administrator user; such users are not allowed to log on to the system.
Login users: users who can authenticate by logging on, gain access to resources and manipulate them.
How user accounts are identified:
User login name:
Provides the operator with a simple, easy-to-remember string identifier.
User ID (UID):
The standard numeric identifier used by the operating system, in the range 0 to 2^32-1.
Super user:
User name: root
UID: 0
Normal users:
System users:
CentOS 6 and earlier: 1~499
CentOS 7 and later: 1~999
Login users:
CentOS 6 and earlier:
CentOS 7 and later: 1000+
* Note: UIDs above 60000 are usually left for user-defined identifiers.
Name resolution:
Conversion between user name and UID.
User name resolution library: /etc/passwd
The authentication component of the operating system uses this resolution library to check whether the user logging in exists.
User authentication library: /etc/shadow
After the resolution library has established that the user exists, the authentication library is used to prove that the person is indeed the user they claim to be.
Default authentication mechanism: password authentication
Password complexity requirements:
a) Avoid using dictionary words or strings derived from them as passwords;
b) The password should be long enough, generally not less than 6 characters;
c) The password should be complex enough: it should include at least uppercase letters, lowercase letters, digits and symbols;
d) Change it irregularly.
In Linux, the password stored in the authentication library is processed by a one-way (hash) algorithm;
Password hashing algorithms:
MD:
MD5 (Message Digest algorithm version 5)
128-bit fixed-length output
SHA (Secure Hash Algorithm):
sha1: 160-bit output
sha224:
sha256:
sha384:
sha512: the default algorithm
Salt: a random value produced by a random-number generator.
Devices that generate random numbers:
/dev/random
Returns random numbers only from the entropy pool; if the entropy pool is exhausted, the process blocks;
/dev/urandom
First tries to return random numbers from the entropy pool; if the entropy pool is exhausted, a pseudo-random number generator is used to produce pseudo-random numbers.
The final form of the password in the authentication library: algorithm + salt + hashed string, i.e. $algorithm$salt$hash
Algorithm: $1 through $6
Salt: $ followed by a random string
Hashed string: $ followed by the result of the one-way function
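An added example (not part of the original notes) that splits a shadow password field into the algorithm id, salt and hash described above after stripping any lock prefix. It assumes the crypt(3) conventions that $1 is MD5, $5 is SHA-256 and $6 is SHA-512 with hash lengths of 22, 43 and 86 characters; the sample fields are constructed placeholders, not real hashes.

```shell
#!/bin/sh
# Added example, not part of the original notes: split the password field of an
# /etc/shadow entry into the three parts described above, $id$salt$hash, after
# stripping any lock prefix. The id-to-algorithm mapping ($1 MD5, $5 SHA-256,
# $6 SHA-512) and the expected hash lengths (22, 43 and 86 characters) are the
# crypt(3) conventions, assumed here; the sample fields below are constructed.
shadow_pw_info() {
    field=$1 locked=no
    while [ "${field#!}" != "$field" ]; do   # leading '!' (usermod -L / passwd -l)
        field=${field#!}; locked=yes
    done
    case $field in
        '')  echo "locked=$locked alg=empty"; return 0 ;;    # no password stored
        '*') echo "locked=$locked alg=none";  return 0 ;;    # cannot match any password
        \$*\$*\$*) ;;                                        # looks like $id$salt$hash
        *)   echo "locked=$locked alg=unknown"; return 1 ;;
    esac
    rest=${field#\$}; id=${rest%%\$*}
    rest=${rest#*\$}; salt=${rest%%\$*}; hash=${rest#*\$}
    case $salt in                            # sha-crypt may carry an optional rounds=N
        rounds=*) salt=${hash%%\$*}; hash=${hash#*\$} ;;
    esac
    case $id in
        1) alg=md5    expect=22 ;;
        5) alg=sha256 expect=43 ;;
        6) alg=sha512 expect=86 ;;
        *) alg="id$id" expect=0 ;;
    esac
    form=ok
    [ "$expect" -eq 0 ] || [ "${#hash}" -eq "$expect" ] || form=malformed
    echo "locked=$locked alg=$alg saltlen=${#salt} hashlen=${#hash} form=$form"
}

# Constructed fields: the "hash" is a run of zeros of the right length, not a real digest.
shadow_pw_info "\$6\$Zs8tTbX3\$$(printf '%086d' 0)"     # sha512, well formed
shadow_pw_info "!\$6\$Zs8tTbX3\$$(printf '%086d' 0)"    # same field, locked
shadow_pw_info '!!'                                     # locked, no password set yet
shadow_pw_info "\$1\$ab\$$(printf '%010d' 0)"           # md5 id with a too-short hash
```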
Group accounts: a collection that ties together users with the same or similar attributes, to make centralized authorization easier.
Categories of groups:
Super user group
Normal user groups:
System user groups
Login user groups
How group accounts are identified:
Group account name
Group account ID (GID):
Super user group: 0
Normal user groups:
System user groups:
CentOS 6 and earlier: 1~499
CentOS 7 and later: 1~999
Login user groups:
CentOS 6 and earlier:
CentOS 7 and later: 1000+
Group name resolution:
Resolution library: /etc/group
Authentication library: /etc/gshadow
Groups also need password protection, and the group password is stored hashed.
Relationship between user accounts and group accounts:
In Linux, each user must belong to at least one group.
The group identified by the GID in the user's account entry is called the user's primary group (basic group). Each user must have exactly one primary group.
Beyond the primary group, a user may have a logical relationship with other group accounts; these are called the user's additional (supplementary) groups. A user may have none, one or several of them.
Administrative commands for users and groups:
Commands for group account management:
groupadd, groupdel, groupmod (modify group information)
Commands for user account management:
useradd, userdel, usermod
Authentication-related commands:
passwd (set a user's password, ...), gpasswd (set a group's password, ...)
Other related commands:
chage (change password aging), chsh (change a user's login shell), finger (look up user status information), su (switch user identity), id (show a user's UID and GID information)
Commands related to users and groups
1. groupadd - create a group
Format: groupadd [options] GROUP
Common options:
-g GID: specify the GID of the group to create
-r: create a system group, taking the GID from the system range
2. groupdel - delete a group
Format: groupdel [options] GROUP
* Note: if a group is the primary group of a user on the system, that group cannot be deleted;
3. groupmod - modify a group definition on the system
Format: groupmod [options] GROUP
Common options:
-g GID: change the GID of the specified group
-n NEW_GROUP: change the name of the specified group
4. useradd - create a new user or update the default new-user information
Format: useradd [options] LOGIN
        useradd -D [options]
Common options:
-c, --comment COMMENT: add comment information for the user
-d, --home-dir HOME_DIR: specify the path of the user's home directory
-e, --expiredate EXPIRE_DATE: the absolute date on which the user account expires
-f, --inactive INACTIVE: the grace period (in days) after the password has reached its maximum age
-g, --gid GROUP: specify the user's primary group; if this option is omitted, the system creates a group with the same name as the user and sets it as the primary group
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]: add the user to additional groups
-m, --create-home: create the user's home directory
-M, --no-create-home: do not create a home directory; often used when creating system users
-s, --shell SHELL: specify the user's login shell
-u, --uid UID: assign the UID
-r, --system: create a system account
5. userdel - delete a user account and related files
Format: userdel [options] LOGIN
Common options:
-r, --remove: delete the user's home directory and mail spool along with the account
6. usermod - modify a user account
Format: usermod [options] LOGIN
Common options:
-c, --comment COMMENT: change the user's comment information
-d, --home HOME_DIR: change the user's home directory
-e, --expiredate EXPIRE_DATE: change the absolute date on which the user account expires
-f, --inactive INACTIVE: change the grace period after the user's password expires
-g, --gid GROUP: change the user's primary group (GID)
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]: replace the user's additional groups with those in this list; with -a as well, keep the existing additional groups and append the groups in this list
-l, --login NEW_LOGIN: change the user's login name
-s, --shell SHELL: change the user's login shell
-u, --uid UID: change the user's UID
-L, --lock: lock the user's password
-U, --unlock: unlock the user's password; a lock set with usermod -L takes priority over one set with passwd
7. passwd - update a user's authentication tokens
Format: passwd [-k] [-l] [-u [-f]] [-d] [-e] [-n mindays] [-x maxdays] [-w warndays] [-i inactivedays] [-S] [--stdin] [username]
Common options:
-l, --lock: lock the user
-u, --unlock: unlock the user
--stdin: read the password from standard input; can be used in a pipeline
-d, --delete: delete the user's password (this also unlocks the user)
-e, --expire: expire the user's password immediately
-n, --minimum DAYS: minimum number of days a password may be used (default 0)
-x, --maximum DAYS: maximum number of days a password may be used (default 99999)
-w, --warning DAYS: number of days before expiry on which warning messages start
-i, --inactive DAYS: number of days allowed after the password expires before the account is disabled
-S, --status: show the password status of the account
8. chage - change user password expiry information
Format: chage [options] LOGIN
Common options:
-d, --lastday LAST_DAY: set the date of the last password change
-E, --expiredate EXPIRE_DATE: set the account expiration date
-I, --inactive INACTIVE: set the grace period
-l, --list: show account aging information
-m, --mindays MIN_DAYS: set the minimum number of days between password changes
-M, --maxdays MAX_DAYS: set the maximum number of days a password is valid
-W, --warndays WARN_DAYS: set the number of days of warning before expiry
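An added example (not code from the original notes) that evaluates the aging fields set by the passwd and chage options above: it reads the last-change, min, max, warn, inactive and expire fields of a constructed /etc/shadow line (all stored as days since 1970-01-01) and reports what login would do on a given day. The day number 20000 and the sample entries are constructed; the hash fields are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original notes: evaluate the aging fields of an
# /etc/shadow line (fields 3..8: last change, min, max, warn, inactive, expire, all
# in days since 1970-01-01) against a given "today" day number, the way the
# passwd/chage settings above are enforced at login. Samples are constructed.
shadow_age_status() {
    today=$2
    IFS=: read -r name pw last min max warn inact expire flag <<EOF
$1
EOF
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        echo "$name: account expired (-E/--expiredate reached)"; return 3
    fi
    if [ -z "$last" ] || [ -z "$max" ]; then
        echo "$name: password never expires"; return 0
    fi
    if [ "$last" -eq 0 ]; then                       # passwd -e / chage -d 0
        echo "$name: password change forced at next login"; return 1
    fi
    due=$(( last + max ))                            # last day the password is valid
    if [ "$today" -gt "$due" ]; then
        if [ -n "$inact" ] && [ "$today" -ge $(( due + inact )) ]; then
            echo "$name: password expired and grace period over, login refused"; return 2
        fi
        echo "$name: password expired, must be changed at next login"; return 1
    fi
    left=$(( due - today ))
    if [ -n "$warn" ] && [ "$left" -le "$warn" ]; then
        echo "$name: password expires in $left day(s), warning period"; return 0
    fi
    echo "$name: ok, $left day(s) left"
}

# Constructed sample entries; "today" is day 20000 and the hashes are placeholders.
TODAY=20000
shadow_age_status 'carol:$6$salt$hash:19800:0:90:7:30::' $TODAY   # 30-day grace already over
shadow_age_status 'bob:$6$salt$hash:19960:0:45:7:::'     $TODAY   # inside the 7-day warning window
shadow_age_status 'alice:$6$salt$hash:19950:0:90:7:::'   $TODAY   # 40 days left
```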
9. chsh - change the login shell
Format: chsh [-s shell] [-l] [-u] [-v] [username]
10. finger - user information lookup
Format: finger [-lmsp] [user ...] [user@host ...]
11. id - show real and effective UID and GID
Format: id [OPTION]... [USERNAME]
Common options:
-u, --user: show only the user ID
-g, --group: show only the group ID
-n, --name: with -u, -g or -G, show the name instead of the number
12. su - run a shell with a substitute user and group identity
Format: su [OPTION]... [-] [USER [ARG]...]
Common options:
-, -l, --login: make the shell a login shell
-c, --command=COMMAND: run the command as the specified user, without switching to an interactive login session
This article is from the "Little Children" blog; please keep this source: http://yigechenlin.blog.51cto.com/13306169/1978535
Linux user and group management: learning notes