<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Linux Shadow Password HOWTO: Putting the Shadow Suite to use.</TITLE>
<LINK HREF="Shadow-Password-HOWTO-8.html" REL=next>
<LINK HREF="Shadow-Password-HOWTO-6.html" REL=previous>
<LINK HREF="Shadow-Password-HOWTO.html#toc7" REL=contents>
</HEAD>
<BODY>
<A HREF="Shadow-Password-HOWTO-8.html">Next</A>
<A HREF="Shadow-Password-HOWTO-6.html">Previous</A>
<A HREF="Shadow-Password-HOWTO.html#toc7">Contents</A>
<HR>
<H2><A NAME="sec-work"></A> <A NAME="s7">7. Putting the Shadow Suite to use.</A></H2>

<P>This section discusses some of the things that you will want to know now
that you have the <EM>Shadow Suite</EM> installed on your system. More
information is contained in the manual pages for each command.
<P>
<H2><A NAME="ss7.1">7.1 Adding, Modifying, and deleting users</A>
</H2>

<P>The <EM>Shadow Suite</EM> added the following command line oriented commands
for adding, modifying, and deleting users. You may also have installed the
<CODE>adduser</CODE> program.
<P>
<H3>useradd</H3>

<P>The <CODE>useradd</CODE> command can be used to add users to the system. You
also use this command to change the default settings.
<P>The first thing that you should do is to examine the default settings and
make changes specific to your system:
<BLOCKQUOTE><CODE>
<PRE>
useradd -D
</PRE>
</CODE></BLOCKQUOTE>
<HR>
<PRE>
GROUP=1
HOME=/home
INACTIVE=0
EXPIRE=0
SHELL=
SKEL=/etc/skel
</PRE>
<HR>
<P>The defaults are probably not what you want, so if you started adding users
now you would have to specify all the information for each user. However, we
can and should change the default values.
<P>On my system:
<UL>
<LI>I want the default group to be 100</LI>
<LI>I want passwords to expire every 60 days</LI>
<LI>I don't want to lock an account because the password is expired</LI>
<LI>I want the default shell to be <CODE>/bin/bash</CODE></LI>
</UL>

To make these changes I would use:
<BLOCKQUOTE><CODE>
<PRE>
useradd -D -g100 -e60 -f0 -s/bin/bash
</PRE>
</CODE></BLOCKQUOTE>

<P>Now running <CODE>useradd -D</CODE> will give:
<HR>
<PRE>
GROUP=100
HOME=/home
INACTIVE=0
EXPIRE=60
SHELL=/bin/bash
SKEL=/etc/skel
</PRE>
<HR>
<P>Just in case you wanted to know, these defaults are stored in the file
<CODE>/etc/default/useradd</CODE>.
<P>Now you can use <CODE>useradd</CODE> to add users to the system. For example,
to add the user <CODE>fred</CODE>, using the defaults, you would use the
following:
<BLOCKQUOTE><CODE>
<PRE>
useradd -m -c "Fred Flintstone" fred
</PRE>
</CODE></BLOCKQUOTE>

This will create the following entry in the <CODE>/etc/passwd</CODE> file:
<BLOCKQUOTE><CODE>
<PRE>
fred:*:505:100:Fred Flintstone:/home/fred:/bin/bash
</PRE>
</CODE></BLOCKQUOTE>

And the following entry in the <CODE>/etc/shadow</CODE> file:
<BLOCKQUOTE><CODE>
<PRE>
fred:!:0:0:60:0:0:0:0
</PRE>
</CODE></BLOCKQUOTE>

The fields are the user name, the encoded password (here <CODE>!</CODE>,
meaning the account is locked), the day the password was last changed, the
minimum and maximum days between changes, the warning period, the inactive
period, the account expiry day and a reserved field.
<P><CODE>fred</CODE>'s home directory will be created and the contents of
<CODE>/etc/skel</CODE> will be copied there because of the <CODE>-m</CODE> switch.
<P>Also, since we did not specify a UID, the next available one was used.
<P><CODE>fred</CODE>'s account is created, but <CODE>fred</CODE> still won't be able to
log in until we unlock the account. We do this by changing the password.
<BLOCKQUOTE><CODE>
<PRE>
passwd fred
</PRE>
</CODE></BLOCKQUOTE>

<HR>
<PRE>
Changing password for fred
Enter the new password (minimum of 5 characters)
Please use a combination of upper and lower case letters and numbers.
New Password: *******
Re-enter new password: *******
</PRE>
<HR>

Now <CODE>/etc/shadow</CODE> will contain:
<BLOCKQUOTE><CODE>
<PRE>
fred:J0C.WDR1amIt6:9559:0:60:0:0:0:0
</PRE>
</CODE></BLOCKQUOTE>

And <CODE>fred</CODE> will now be able to log in and use the system. The nice
thing about <CODE>useradd</CODE> and the other programs that come with the
<EM>Shadow Suite</EM> is that they make changes to the <CODE>/etc/passwd</CODE>
and <CODE>/etc/shadow</CODE> files atomically. So if you are adding a user, and
another user is changing their password at the same time, both operations
will be performed correctly.
<P>You should use the supplied commands rather than directly editing
<CODE>/etc/passwd</CODE> and <CODE>/etc/shadow</CODE>. If you were editing the
<CODE>/etc/shadow</CODE> file, and a user were to change his password while you
were editing, and then you were to save the file you were editing, the user's
password change would be lost.
<P>Here is a small interactive script that adds users using <CODE>useradd</CODE>
and <CODE>passwd</CODE>:
<HR>
<PRE>
#!/bin/bash
#
# /sbin/newuser - A script to add users to the system using the Shadow
#                 Suite's useradd and passwd commands.
#
# Written by Mike Jackson &lt;mhjack@tscnet.com&gt; as an example for the Linux
# Shadow Password Howto.  Permission to use and modify is expressly granted.
#
# This could be modified to show the defaults and allow modification similar
# to the Slackware Adduser program.  It could also be modified to disallow
# stupid entries. (i.e. better error checking).
#
##
# Defaults for the useradd command
##
GROUP=100        # Default Group
HOME=/home       # Home directory location (/home/username)
SKEL=/etc/skel   # Skeleton Directory
INACTIVE=0       # Days after password expires to disable account (0=never)
EXPIRE=60        # Days that a password lasts
SHELL=/bin/bash  # Default Shell (full path)
##
# Defaults for the passwd command
##
PASSMIN=0        # Days between password changes
PASSWARN=14      # Days before password expires that a warning is given
##
# Ensure that root is running the script.
##
WHOAMI=`/usr/bin/whoami`
if [ "$WHOAMI" != "root" ]; then
    echo "You must be root to add new users!"
    exit 1
fi
##
# Ask for username and fullname.
##
echo ""
echo -n "Username: "
read USERNAME
echo -n "Full name: "
read FULLNAME
#
echo "Adding user: $USERNAME."
#
# Note that the "" around $FULLNAME is required because this field is
# almost always going to contain at least one space, and without the "'s
# the useradd command would think that you were moving on to the next
# parameter when it reached the SPACE character.  The other variables are
# quoted for the same reason.  If useradd fails, stop before passwd runs.
#
/usr/sbin/useradd -c "$FULLNAME" -d "$HOME/$USERNAME" -e "$EXPIRE" \
    -f "$INACTIVE" -g "$GROUP" -m -k "$SKEL" -s "$SHELL" "$USERNAME" || exit 1
##
# Set password defaults
##
/bin/passwd -n "$PASSMIN" -w "$PASSWARN" "$USERNAME" &gt;/dev/null 2&gt;&amp;1
##
# Let the passwd command actually ask for password (twice)
##
/bin/passwd "$USERNAME"
##
# Show what was done.  The leading ^ anchors the match so that "fred:" does
# not also match "alfred:".
##
echo ""
echo "Entry from /etc/passwd:"
echo -n "   "
grep "^$USERNAME:" /etc/passwd
echo "Entry from /etc/shadow:"
echo -n "   "
grep "^$USERNAME:" /etc/shadow
echo "Summary output of the passwd command:"
echo -n "   "
passwd -S "$USERNAME"
echo ""
</PRE>
<HR>

<P>Using a script to add new users is much preferable to editing
the <CODE>/etc/passwd</CODE> or <CODE>/etc/shadow</CODE> files directly or using a
program like the Slackware <CODE>adduser</CODE> program. Feel free to use and
modify this script for your particular system.
<P>For more information on <CODE>useradd</CODE>, see the online manual page.
<P>
<H3>usermod</H3>

<P>The <CODE>usermod</CODE> program is used to modify the information on a user.
The switches are similar to the <CODE>useradd</CODE> program.
<P>Let's say that you want to change <CODE>fred</CODE>'s shell; you would do the
following:
<BLOCKQUOTE><CODE>
<PRE>
usermod -s /bin/tcsh fred
</PRE>
</CODE></BLOCKQUOTE>

Now <CODE>fred</CODE>'s <CODE>/etc/passwd</CODE> file entry would be changed to this:
<BLOCKQUOTE><CODE>
<PRE>
fred:*:505:100:Fred Flintstone:/home/fred:/bin/tcsh
</PRE>
</CODE></BLOCKQUOTE>

Let's make <CODE>fred</CODE>'s account expire on 09/15/97:
<BLOCKQUOTE><CODE>
<PRE>
usermod -e 09/15/97 fred
</PRE>
</CODE></BLOCKQUOTE>

Now <CODE>fred</CODE>'s entry in <CODE>/etc/shadow</CODE> becomes:
<BLOCKQUOTE><CODE>
<PRE>
fred:J0C.WDR1amIt6:9559:0:60:0:0:10119:0
</PRE>
</CODE></BLOCKQUOTE>

The expiry date is stored in the eighth field as a count of days since
1 January 1970, the same way the last-change day in the third field is stored.
<P>For more information on the <CODE>usermod</CODE> command see the online manual
page.
<P>
<H3>userdel</H3>

<P><CODE>userdel</CODE> does just what you would expect: it deletes the user's
account. You simply use:
<BLOCKQUOTE><CODE>
<PRE>
userdel -r username
</PRE>
</CODE></BLOCKQUOTE>

The <CODE>-r</CODE> causes all files in the user's home directory to be removed
along with the home directory itself. Files located in other file systems
will have to be searched for and deleted manually.
<P>If you want to simply lock the account rather than delete it, use the
<CODE>passwd</CODE> command instead.
<P>
<H2><A NAME="ss7.2">7.2 The passwd command and passwd aging.</A>
</H2>

<P>The <CODE>passwd</CODE> command has the obvious use of changing passwords.
Additionally, it is used by the <EM>root</EM> user to:
<UL>
<LI>Lock and unlock accounts (<CODE>-l</CODE> and <CODE>-u</CODE>)</LI>
<LI>Set the maximum number of days that a password remains valid
(<CODE>-x</CODE>)</LI>
<LI>Set the minimum days between password changes (<CODE>-n</CODE>)</LI>
<LI>Set the number of days of warning that a password is about to expire
(<CODE>-w</CODE>)</LI>
<LI>Set the number of days after the password expires before the account
is locked (<CODE>-i</CODE>)</LI>
<LI>Allow viewing of account information in a clearer format (<CODE>-S</CODE>)</LI>
</UL>
<P>For example, let's look again at <CODE>fred</CODE>:
<BLOCKQUOTE><CODE>
<PRE>
passwd -S fred
fred P 03/04/96 0 60 0 0
</PRE>
</CODE></BLOCKQUOTE>

This means that <CODE>fred</CODE>'s password is valid, it was last changed on
03/04/96, it can be changed at any time, it expires after 60 days, fred will
not be warned, and the account won't be disabled when the password
expires.
<P>This simply means that if <CODE>fred</CODE> logs in after the password expires,
he will be prompted for a new password at login.
<P>If we decide that we want to warn <CODE>fred</CODE> 14 days before his password
expires and make his account inactive 14 days after he lets it expire, we
would need to do the following:
<BLOCKQUOTE><CODE>
<PRE>
passwd -w14 -i14 fred
</PRE>
</CODE></BLOCKQUOTE>

Now <CODE>fred</CODE> is changed to:
<BLOCKQUOTE><CODE>
<PRE>
fred P 03/04/96 0 60 14 14
</PRE>
</CODE></BLOCKQUOTE>

For more information on the <CODE>passwd</CODE> command see the online manual
page.
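<P>As an added example (not code from the HOWTO), the following Python parses
the <CODE>/etc/shadow</CODE> lines shown for <CODE>fred</CODE> in sections 7.1 and
7.2, renders each one the way <CODE>passwd -S</CODE> does, and evaluates the aging
fields against a constructed "today" day number. It assumes the HOWTO's
convention that a 0 in the inactive and expire fields means "not set"; the
sample lines and dates are the ones from the text, and
<CODE>ShadowEntry</CODE>, <CODE>day_to_date</CODE> and <CODE>date_to_day</CODE> are
names of my own.

```python
"""Parse /etc/shadow entries and evaluate password aging.

Added example, not code from the HOWTO. The sample lines are the ones the
text shows for fred; the "today" day numbers are constructed. Following the
HOWTO (useradd -D reports INACTIVE=0 / EXPIRE=0 for "never"), an empty or
zero max/inactive/expire field is treated as "not set".
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

EPOCH = date(1970, 1, 1)  # shadow stores dates as days since this date


def day_to_date(days: int) -> date:
    return EPOCH + timedelta(days=days)


def date_to_day(d: date) -> int:
    return (d - EPOCH).days


def _optional(field: str) -> Optional[int]:
    """Empty or 0 means the aging value is not set (HOWTO convention)."""
    return int(field) if field not in ("", "0") else None


@dataclass
class ShadowEntry:
    name: str
    password: str            # encoded password; "!" = locked, "" = none
    lastchg: int             # day of last change; 0 forces a change at next login
    min_days: int
    max_days: Optional[int]  # password lifetime in days
    warn_days: int
    inactive: Optional[int]  # days after password expiry until the account is locked
    expire: Optional[int]    # absolute account expiry day

    @classmethod
    def parse(cls, line: str) -> "ShadowEntry":
        f = line.rstrip("\n").split(":")
        if len(f) != 9:
            raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
        return cls(f[0], f[1], int(f[2] or 0), int(f[3] or 0), _optional(f[4]),
                   int(f[5] or 0), _optional(f[6]), _optional(f[7]))

    def password_state(self) -> str:
        """The letters passwd -S prints: P usable, L locked, NP no password."""
        if self.password == "":
            return "NP"
        if self.password[0] in "!*":
            return "L"
        return "P"

    def status_line(self) -> str:
        """Render the entry the way `passwd -S fred` does in the HOWTO."""
        last = day_to_date(self.lastchg).strftime("%m/%d/%y")
        return (f"{self.name} {self.password_state()} {last} {self.min_days} "
                f"{self.max_days or 0} {self.warn_days} {self.inactive or 0}")

    def password_expires_on(self) -> Optional[int]:
        if self.max_days is None:
            return None
        return self.lastchg + self.max_days

    def evaluate(self, today: int) -> str:
        """Classify the account as of `today`, a day number like lastchg."""
        if self.expire is not None and today >= self.expire:
            return "account expired"
        state = self.password_state()
        if state != "P":
            return "locked" if state == "L" else "no password"
        if self.lastchg == 0:
            return "must change password"
        exp = self.password_expires_on()
        if exp is None or today <= exp:
            return "ok"
        if self.inactive is not None and today > exp + self.inactive:
            return "inactive"
        return "password expired"


# Constructed sample: the three /etc/shadow lines the text shows for fred.
SAMPLE_SHADOW = """\
fred:!:0:0:60:0:0:0:0
fred:J0C.WDR1amIt6:9559:0:60:0:0:0:0
fred:J0C.WDR1amIt6:9559:0:60:0:0:10119:0
"""


def evaluate_all(text: str, today: int) -> List[Tuple[str, str]]:
    """(passwd -S style line, verdict) for every entry in `text`."""
    return [(e.status_line(), e.evaluate(today))
            for e in map(ShadowEntry.parse, text.splitlines())]


if __name__ == "__main__":
    today = date_to_day(date(1996, 5, 10))  # constructed "today"
    for status, verdict in evaluate_all(SAMPLE_SHADOW, today):
        print(f"{status:32} -> {verdict}")
```

Run as a script it prints one verdict per sample line: the entry written by
<CODE>useradd</CODE> is reported as locked, matching the text's point that
<CODE>fred</CODE> cannot log in until <CODE>passwd</CODE> has been run, and the
entry with 10119 in the expire field converts back to 09/15/97.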

<P>
<H2><A NAME="ss7.3">7.3 The login.defs file.</A>
</H2>

<P>The file <CODE>/etc/login.defs</CODE> is the configuration file for the
<CODE>login</CODE> program and also for the <EM>Shadow Suite</EM> as a whole.
<P><CODE>/etc/login.defs</CODE> contains settings from what the prompts will look like
to what the default expiration will be when a user changes his password.
<P>The <CODE>/etc/login.defs</CODE> file is quite well documented just by the
comments that are contained within it. However, there are a few things to
note:
<UL>
<LI>It contains flags that can be turned on or off that determine the
amount of logging that takes place.</LI>
<LI>It contains pointers to other configuration files.</LI>
<LI>It contains default assignments for things like password aging.</LI>
</UL>
<P>From the above list you can see that this is a rather important file, and
you should make sure that it is present, and that the settings are what you
desire for your system.
<P>
<H2><A NAME="ss7.4">7.4 Group passwords.</A>
</H2>

<P>The <CODE>/etc/group</CODE> file may contain passwords that permit a user to
become a member of a particular group. This function is enabled if you
define the constant <CODE>SHADOWGRP</CODE> in the
<CODE>/usr/src/shadow-YYMMDD/config.h</CODE> file.
<P>If you define this constant and then compile, you must create an
<CODE>/etc/gshadow</CODE> file to hold the group passwords and the group
administrator information.
<P>When you created <CODE>/etc/shadow</CODE>, you used a program called
<CODE>pwconv</CODE>. There is no equivalent program to create the
<CODE>/etc/gshadow</CODE> file, but it really doesn't matter; it takes care of
itself.
<P>To create the initial <CODE>/etc/gshadow</CODE> file do the following:
<BLOCKQUOTE><CODE>
<PRE>
touch /etc/gshadow
chown root.root /etc/gshadow
chmod 700 /etc/gshadow
</PRE>
</CODE></BLOCKQUOTE>
<P>Once you create new groups, they will be added to the <CODE>/etc/group</CODE>
and the <CODE>/etc/gshadow</CODE> files. If you modify a group by adding or
removing users or changing the group password, the <CODE>/etc/gshadow</CODE>
file will be changed.
<P>The programs <CODE>groups</CODE>, <CODE>groupadd</CODE>, <CODE>groupmod</CODE>, and
<CODE>groupdel</CODE> are provided as part of the <EM>Shadow Suite</EM> to
modify groups.
<P>The format of the <CODE>/etc/group</CODE> file is as follows:
<BLOCKQUOTE><CODE>
<PRE>
groupname:!:GID:member,member,...
</PRE>
</CODE></BLOCKQUOTE>

Where:
<DL>
<DT><B><CODE>groupname</CODE></B><DD><P>The name of the group
<DT><B><CODE>!</CODE></B><DD><P>The field that normally holds the password, but that
is now relocated to the <CODE>/etc/gshadow</CODE> file.
<DT><B><CODE>GID</CODE></B><DD><P>The numerical group ID number
<DT><B><CODE>member</CODE></B><DD><P>List of group members
</DL>
<P>The format of the <CODE>/etc/gshadow</CODE> file is as follows:
<BLOCKQUOTE><CODE>
<PRE>
groupname:password:admin,admin,...:member,member,...
</PRE>
</CODE></BLOCKQUOTE>

Where:
<DL>
<DT><B><CODE>groupname</CODE></B><DD><P>The name of the group
<DT><B><CODE>password</CODE></B><DD><P>The encoded group password.
<DT><B><CODE>admin</CODE></B><DD><P>List of group administrators
<DT><B><CODE>member</CODE></B><DD><P>List of group members
</DL>
<P>The command <CODE>gpasswd</CODE> is used only for adding or removing
administrators and members to or from a group. <CODE>root</CODE> or someone in
the list of administrators may add or remove group members.
<P>The group password can be changed using the <CODE>passwd</CODE> command by
<EM>root</EM> or anyone listed as an administrator for the group.
<P>Despite the fact that there is not currently a manual page for
<CODE>gpasswd</CODE>, typing <CODE>gpasswd</CODE> without any parameters gives a
listing of options. It's fairly easy to grasp how it all works once you
understand the file formats and the concepts.
<P>
<H2><A NAME="ss7.5">7.5 Consistency checking programs</A>
</H2>

<H3>pwck</H3>

<P>The program <CODE>pwck</CODE> is provided to perform a consistency check on the
<CODE>/etc/passwd</CODE> and <CODE>/etc/shadow</CODE> files. It will check each
username and verify that it has the following:
<UL>
<LI>the correct number of fields</LI>
<LI>unique user name</LI>
<LI>valid user and group identifier</LI>
<LI>valid primary group</LI>
<LI>valid home directory</LI>
<LI>valid login shell</LI>
</UL>
<P>It will also warn of any account that has no password.
<P>It's a good idea to run <CODE>pwck</CODE> after installing the <EM>Shadow
Suite</EM>. It's also a good idea to run it periodically, perhaps weekly or
monthly. If you use the <CODE>-r</CODE> option, you can use <CODE>cron</CODE> to run
it on a regular basis and have the report mailed to you.
<P>
<H3>grpck</H3>

<P><CODE>grpck</CODE> is the consistency checking program for the
<CODE>/etc/group</CODE> and <CODE>/etc/gshadow</CODE> files. It performs the
following checks:
<UL>
<LI>the correct number of fields</LI>
<LI>unique group name</LI>
<LI>valid list of members and administrators</LI>
</UL>
<P>It also has the <CODE>-r</CODE> option for automated reports.
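<P>The checks listed above for <CODE>pwck</CODE> and <CODE>grpck</CODE>, applied to
the <CODE>/etc/group</CODE> and <CODE>/etc/gshadow</CODE> formats from section 7.4,
as an added Python example that is not the Shadow Suite's code. It runs over
constructed copies of the four files embedded as strings: only
<CODE>fred</CODE>'s lines come from the text, the other names are made up,
<CODE>VALID_SHELLS</CODE> stands in for <CODE>/etc/shells</CODE> and
<CODE>EXISTING_DIRS</CODE> for a real directory check, so it can be run offline
to see what a consistency checker reports and why.

```python
"""pwck/grpck-style consistency checks over constructed account files.

Added example, not the HOWTO's or the Shadow Suite's code. Only fred's lines
come from the text; VALID_SHELLS stands in for /etc/shells and EXISTING_DIRS
for a real directory check, so everything runs offline against these strings.
"""
from typing import Iterable, List, Set

VALID_SHELLS = {"/bin/bash", "/bin/sh", "/bin/tcsh"}
EXISTING_DIRS = {"/root", "/home/fred", "/home/barney", "/home/dino"}

# Constructed /etc/passwd: duplicate name with a missing home directory,
# unknown shell, bad UID plus nonexistent primary group, too few fields.
PASSWD = """\
root:*:0:0:root:/root:/bin/bash
fred:*:505:100:Fred Flintstone:/home/fred:/bin/bash
barney:*:506:100:Barney Rubble:/home/barney:/bin/zsh
fred:*:507:100:Duplicate Fred:/home/fred2:/bin/bash
dino:*:abc:999:Dino:/home/dino:/bin/bash
broken:*:509:100:Too few fields
"""
# Constructed /etc/shadow: barney has an empty password, dino has no entry.
SHADOW = """\
root:J0C.WDR1amIt6:9559:0:60:0:0:0:0
fred:J0C.WDR1amIt6:9559:0:60:0:0:0:0
barney::9559:0:60:0:0:0:0
"""
# Constructed /etc/group and /etc/gshadow: duplicate group, unknown member.
GROUP = """\
root:!:0:
users:!:100:fred,barney,pebbles
users:!:101:
"""
GSHADOW = """\
users:!:fred:fred,barney,pebbles
"""


def _records(text: str) -> List[List[str]]:
    return [line.split(":") for line in text.splitlines() if line]


def check_passwd(passwd: str, shadow: str, group: str,
                 valid_shells: Iterable[str], existing_dirs: Iterable[str]) -> List[str]:
    """The pwck checks listed in the text, plus the passwd/shadow cross-check."""
    problems: List[str] = []
    gids = {f[2] for f in _records(group) if len(f) == 4}
    seen: Set[str] = set()
    for f in _records(passwd):
        if len(f) != 7:
            problems.append(f"passwd: wrong number of fields: {':'.join(f)}")
            continue
        name, _, uid, gid, _, home, shell = f
        if name in seen:
            problems.append(f"passwd: duplicate user name {name}")
        seen.add(name)
        if not uid.isdigit():
            problems.append(f"passwd: {name}: invalid user id {uid!r}")
        if not gid.isdigit() or gid not in gids:
            problems.append(f"passwd: {name}: invalid primary group {gid!r}")
        if home not in existing_dirs:
            problems.append(f"passwd: {name}: home directory {home} does not exist")
        if shell not in valid_shells:
            problems.append(f"passwd: {name}: invalid login shell {shell}")
    shadowed: Set[str] = set()
    for f in _records(shadow):
        if len(f) != 9:
            problems.append(f"shadow: wrong number of fields: {':'.join(f)}")
            continue
        shadowed.add(f[0])
        if f[0] not in seen:
            problems.append(f"shadow: {f[0]}: no matching passwd entry")
        if f[1] == "":  # pwck also warns about accounts with no password
            problems.append(f"shadow: {f[0]}: account has no password")
    for name in sorted(seen - shadowed):
        problems.append(f"passwd: {name}: no matching shadow entry")
    return problems


def check_group(group: str, gshadow: str, users: Iterable[str]) -> List[str]:
    """The grpck checks listed in the text for /etc/group and /etc/gshadow."""
    problems: List[str] = []
    for fname, text in (("group", group), ("gshadow", gshadow)):
        seen: Set[str] = set()
        for f in _records(text):
            if len(f) != 4:
                problems.append(f"{fname}: wrong number of fields: {':'.join(f)}")
                continue
            if f[0] in seen:
                problems.append(f"{fname}: duplicate group name {f[0]}")
            seen.add(f[0])
            # group: members in field 4; gshadow: admins in field 3, members in 4
            roles = [("member", f[3])]
            if fname == "gshadow":
                roles.insert(0, ("administrator", f[2]))
            for role, csv in roles:
                for who in filter(None, csv.split(",")):
                    if who not in users:
                        problems.append(f"{fname}: {f[0]}: {role} {who} is not a known user")
    return problems


def run_all() -> List[str]:
    """Both checkers over the constructed files, as pwck then grpck would."""
    users = {f[0] for f in _records(PASSWD) if len(f) == 7}
    return (check_passwd(PASSWD, SHADOW, GROUP, VALID_SHELLS, EXISTING_DIRS)
            + check_group(GROUP, GSHADOW, users))
```

<CODE>run_all()</CODE> returns one line per finding, in the order the files were
read; pointing <CODE>check_passwd</CODE> and <CODE>check_group</CODE> at the real
files would only need the strings replaced by the file contents, the shell set
by <CODE>/etc/shells</CODE> and the directory set by an <CODE>os.path.isdir</CODE>
check.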

<P>
<H2><A NAME="ss7.6">7.6 Dial-up passwords.</A>
</H2>

<P>Dial-up passwords are another optional line of defense for systems that allow
dial-in access. If you have a system that allows many people to connect
locally or via a network, but you want to limit who can dial in and connect,
then dial-up passwords are for you. To enable dial-up passwords, you must
edit the file <CODE>/etc/login.defs</CODE> and ensure that
<CODE>DIALUPS_CHECK_ENAB</CODE> is set to <CODE>yes</CODE>.
<P>Two files contain the dial-up information. The first, <CODE>/etc/dialups</CODE>,
contains the ttys (one per line, with the leading "/dev/" removed). If a
tty is listed then dial-up checks are performed.
<P>The second file is the <CODE>/etc/d_passwd</CODE> file. This file contains the
fully qualified path name of a shell, followed by an optional password.
<P>If a user logs into a line that is listed in <CODE>/etc/dialups</CODE>, and his
shell is listed in the file <CODE>/etc/d_passwd</CODE>, he will be allowed access
only by supplying the correct password.
<P>Another useful purpose for using dial-up passwords might be to set up a line
that only allows a certain type of connection (perhaps a PPP or UUCP connection).
If a user tries to get another type of connection (i.e. a list of shells),
he must know a password to use the line.
<P>Before you can use the dial-up feature, you must create the files.
<P>The command <CODE>dpasswd</CODE> is provided to assign passwords to the shells
in the <CODE>/etc/d_passwd</CODE> file. See the manual page for more
information.
<P>
<HR>
<A HREF="Shadow-Password-HOWTO-8.html">Next</A>
<A HREF="Shadow-Password-HOWTO-6.html">Previous</A>
<A HREF="Shadow-Password-HOWTO.html#toc7">Contents</A>
</BODY>
</HTML>