LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/HOWTO/Shadow-Password-HOWTO-7.html

487 lines
17 KiB
HTML
Raw Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Linux Shadow Password HOWTO: Putting the Shadow Suite to use.</TITLE>
<LINK HREF="Shadow-Password-HOWTO-8.html" REL=next>
<LINK HREF="Shadow-Password-HOWTO-6.html" REL=previous>
<LINK HREF="Shadow-Password-HOWTO.html#toc7" REL=contents>
</HEAD>
<BODY>
<A HREF="Shadow-Password-HOWTO-8.html">Next</A>
<A HREF="Shadow-Password-HOWTO-6.html">Previous</A>
<A HREF="Shadow-Password-HOWTO.html#toc7">Contents</A>
<HR>
<H2><A NAME="sec-work"></A> <A NAME="s7">7. Putting the Shadow Suite to use.</A></H2>
<P>This section discusses some of the things that you will want to know now
that you have the <EM>Shadow Suite</EM> installed on your system. More
information is contained in the manual pages for each command.
<P>
<H2><A NAME="ss7.1">7.1 Adding, Modifying, and deleting users</A>
</H2>
<P>The <EM>Shadow Suite</EM> added the following command line oriented commands
for adding, modifying, and deleting users. You may also have installed the
<CODE>adduser</CODE> program.
<P>
<H3>useradd</H3>
<P>The <CODE>useradd</CODE> command can be used to add users to the system. You
also invoke this command to change the default settings.
<P>The first thing that you should do is to examine the default settings and
make changes specific to your system:
<BLOCKQUOTE><CODE>
<PRE>
useradd -D
</PRE>
</CODE></BLOCKQUOTE>
<HR>
<PRE>
GROUP=1
HOME=/home
INACTIVE=0
EXPIRE=0
SHELL=
SKEL=/etc/skel
</PRE>
<HR>
<P>The defaults are probably not what you want, so if you started adding users
now you would have to specify all the information for each user. However, we
can and should change the default values.
<P>On my system:
<UL>
<LI>I want the default group to be 100</LI>
<LI>I want passwords to expire every 60 days</LI>
<LI>I don't want to lock an account because the password is expired</LI>
<LI>I want to default shell to be <CODE>/bin/bash</CODE></LI>
</UL>
To make these changes I would use:
<BLOCKQUOTE><CODE>
<PRE>
useradd -D -g100 -e60 -f0 -s/bin/bash
</PRE>
</CODE></BLOCKQUOTE>
<P>Now running <CODE>useradd -D</CODE> will give:
<HR>
<PRE>
GROUP=100
HOME=/home
INACTIVE=0
EXPIRE=60
SHELL=/bin/bash
SKEL=/etc/skel
</PRE>
<HR>
<P>Just in case you wanted to know, these defaults are stored in the file
<CODE>/etc/default/useradd</CODE>.
<P>Now you can use <CODE>useradd</CODE> to add users to the system. For example,
to add the user <CODE>fred</CODE>, using the defaults, you would use the
following:
<BLOCKQUOTE><CODE>
<PRE>
useradd -m -c "Fred Flintstone" fred
</PRE>
</CODE></BLOCKQUOTE>
This will create the following entry in the <CODE>/etc/passwd</CODE> file:
<BLOCKQUOTE><CODE>
<PRE>
fred:*:505:100:Fred Flintstone:/home/fred:/bin/bash
</PRE>
</CODE></BLOCKQUOTE>
And the following entry in the <CODE>/etc/shadow</CODE> file:
<BLOCKQUOTE><CODE>
<PRE>
fred:!:0:0:60:0:0:0:0
</PRE>
</CODE></BLOCKQUOTE>
<CODE>fred</CODE>'s home directory will be created and the contents of
<CODE>/etc/skel</CODE> will be copied there because of the <CODE>-m</CODE> switch.
<P>Also, since we did not specify a UID, the next available one was used.
<P><CODE>fred</CODE>'s account is created, but <CODE>fred</CODE> still won't be able to
login until we unlock the account. We do this by changing the password.
<BLOCKQUOTE><CODE>
<PRE>
passwd fred
</PRE>
</CODE></BLOCKQUOTE>
<HR>
<PRE>
Changing password for fred
Enter the new password (minimum of 5 characters)
Please use a combination of upper and lower case letters and numbers.
New Password: *******
Re-enter new password: *******
</PRE>
<HR>
Now the <CODE>/etc/shadow</CODE> will contain:
<BLOCKQUOTE><CODE>
<PRE>
fred:J0C.WDR1amIt6:9559:0:60:0:0:0:0
</PRE>
</CODE></BLOCKQUOTE>
And <CODE>fred</CODE> will now be able to login and use the system. The nice
thing about <CODE>useradd</CODE> and the other programs that come with the
<EM>Shadow Suite</EM> is that they make changes to the <CODE>/etc/passwd</CODE>
and <CODE>/etc/shadow</CODE> files atomically. So if you are adding a user, and
another user is changing their password at the same time, both operations
will be performed correctly.
<P>You should use the supplied commands rather than directly editing
<CODE>/etc/passwd</CODE> and <CODE>/etc/shadow</CODE>. If you were editing the
<CODE>/etc/shadow</CODE> file, and a user were to change his password while you
are editing, and then you were to save the file you were editing, the user's
password change would be lost.
<P>Here is a small interactive script that adds users using <CODE>useradd</CODE>
and <CODE>passwd</CODE>:
<HR>
<PRE>
#!/bin/bash
#
# /sbin/newuser - A script to add users to the system using the Shadow
# Suite's useradd and passwd commands.
#
# Written my Mike Jackson &lt;mhjack@tscnet.com> as an example for the Linux
# Shadow Password Howto. Permission to use and modify is expressly granted.
#
# This could be modified to show the defaults and allow modification similar
# to the Slackware Adduser program. It could also be modified to disallow
# stupid entries. (i.e. better error checking).
#
##
# Defaults for the useradd command
##
GROUP=100 # Default Group
HOME=/home # Home directory location (/home/username)
SKEL=/etc/skel # Skeleton Directory
INACTIVE=0 # Days after password expires to disable account (0=never)
EXPIRE=60 # Days that a passwords lasts
SHELL=/bin/bash # Default Shell (full path)
##
# Defaults for the passwd command
##
PASSMIN=0 # Days between password changes
PASSWARN=14 # Days before password expires that a warning is given
##
# Ensure that root is running the script.
##
WHOAMI=`/usr/bin/whoami`
if [ $WHOAMI != "root" ]; then
echo "You must be root to add news users!"
exit 1
fi
##
# Ask for username and fullname.
##
echo ""
echo -n "Username: "
read USERNAME
echo -n "Full name: "
read FULLNAME
#
echo "Adding user: $USERNAME."
#
# Note that the "" around $FULLNAME is required because this field is
# almost always going to contain at least on space, and without the "'s
# the useradd command would think that you we moving on to the next
# parameter when it reached the SPACE character.
#
/usr/sbin/useradd -c"$FULLNAME" -d$HOME/$USERNAME -e$EXPIRE \
-f$INACTIVE -g$GROUP -m -k$SKEL -s$SHELL $USERNAME
##
# Set password defaults
##
/bin/passwd -n $PASSMIN -w $PASSWARN $USERNAME >/dev/null 2>&amp;1
##
# Let the passwd command actually ask for password (twice)
##
/bin/passwd $USERNAME
##
# Show what was done.
##
echo ""
echo "Entry from /etc/passwd:"
echo -n " "
grep "$USERNAME:" /etc/passwd
echo "Entry from /etc/shadow:"
echo -n " "
grep "$USERNAME:" /etc/shadow
echo "Summary output of the passwd command:"
echo -n " "
passwd -S $USERNAME
echo ""
</PRE>
<HR>
<P>Using a script to add new users is really much more preferable than editing
the <CODE>/etc/passwd</CODE> or <CODE>/etc/shadow</CODE> files directly or using a
program like the Slackware <CODE>adduser</CODE> program. Feel free to use and
modify this script for your particular system.
<P>For more information on the <CODE>useradd</CODE> see the online manual page.
<P>
<H3>usermod</H3>
<P>The <CODE>usermod</CODE> program is used to modify the information on a user.
The switches are similar to the <CODE>useradd</CODE> program.
<P>Let's say that you want to change <CODE>fred</CODE>'s shell, you would do the
following:
<BLOCKQUOTE><CODE>
<PRE>
usermod -s /bin/tcsh fred
</PRE>
</CODE></BLOCKQUOTE>
Now <CODE>fred</CODE>'s <CODE>/etc/passwd</CODE> file entry would be change to this:
<BLOCKQUOTE><CODE>
<PRE>
fred:*:505:100:Fred Flintstone:/home/fred:/bin/tcsh
</PRE>
</CODE></BLOCKQUOTE>
Let's make <CODE>fred</CODE>'s account expire on 09/15/97:
<BLOCKQUOTE><CODE>
<PRE>
usermod -e 09/15/97 fred
</PRE>
</CODE></BLOCKQUOTE>
Now <CODE>fred</CODE>'s entry in <CODE>/etc/shadow</CODE> becomes:
<BLOCKQUOTE><CODE>
<PRE>
fred:J0C.WDR1amIt6:9559:0:60:0:0:10119:0
</PRE>
</CODE></BLOCKQUOTE>
<P>For more information on the <CODE>usermod</CODE> command see the online manual
page.
<P>
<H3>userdel</H3>
<P><CODE>userdel</CODE> does just what you would expect, it deletes the user's
account. You simply use:
<BLOCKQUOTE><CODE>
<PRE>
userdel -r username
</PRE>
</CODE></BLOCKQUOTE>
The <CODE>-r</CODE> causes all files in the user's home directory to be removed
along with the home directory itself. Files located in other file system
will have to be searched for and deleted manually.
<P>If you want to simply lock the account rather than delete it, use the
<CODE>passwd</CODE> command instead.
<P>
<H2><A NAME="ss7.2">7.2 The passwd command and passwd aging.</A>
</H2>
<P>The <CODE>passwd</CODE> command has the obvious use of changing passwords.
Additionally, it is used by the <EM>root</EM> user to:
<UL>
<LI>Lock and unlock accounts (<CODE>-l</CODE> and <CODE>-u</CODE>)</LI>
<LI>Set the maximum number of days that a password remains valid
(<CODE>-x</CODE>)</LI>
<LI>Set the minimum days between password changes (<CODE>-n</CODE>)</LI>
<LI>Sets the number of days of warning that a password is about to expire
(<CODE>-w</CODE>)</LI>
<LI>Sets the number of days after the password expires before the account
is locked (<CODE>-i</CODE>)</LI>
<LI>Allow viewing of account information in a clearer format (<CODE>-S</CODE>)</LI>
</UL>
<P>For example, let look again at <CODE>fred</CODE>
<BLOCKQUOTE><CODE>
<PRE>
passwd -S fred
fred P 03/04/96 0 60 0 0
</PRE>
</CODE></BLOCKQUOTE>
This means that <CODE>fred</CODE>'s password is valid, it was last changed on
03/04/96, it can be changed at any time, it expires after 60 days, fred will
not be warned, and and the account won't be disabled when the password
expires.
<P>This simply means that if <CODE>fred</CODE> logs in after the password expires,
he will be prompted for a new password at login.
<P>If we decide that we want to warn <CODE>fred</CODE> 14 days before his password
expires and make his account inactive 14 days after he lets it expire, we
would need to do the following:
<BLOCKQUOTE><CODE>
<PRE>
passwd -w14 -i14 fred
</PRE>
</CODE></BLOCKQUOTE>
Now <CODE>fred</CODE> is changed to:
<BLOCKQUOTE><CODE>
<PRE>
fred P 03/04/96 0 60 14 14
</PRE>
</CODE></BLOCKQUOTE>
For more information on the <CODE>passwd</CODE> command see the online manual
page.
<P>
<H2><A NAME="ss7.3">7.3 The login.defs file.</A>
</H2>
<P>The file <CODE>/etc/login</CODE> is the configuration file for the
<CODE>login</CODE> program and also for the <EM>Shadow Suite</EM> as a whole.
<P><CODE>/etc/login</CODE> contains settings from what the prompts will look like
to what the default expiration will be when a user changes his password.
<P>The <CODE>/etc/login.defs</CODE> file is quite well documented just by the
comments that are contained within it. However, there are a few things to
note:
<UL>
<LI>It contains flags that can be turned on or off that determine the
amount of logging that takes place.</LI>
<LI>It contains pointers to other configuration files.</LI>
<LI>It contains defaults assignments for things like password aging.</LI>
</UL>
<P>From the above list you can see that this is a rather important file, and
you should make sure that it is present, and that the settings are what you
desire for your system.
<P>
<H2><A NAME="ss7.4">7.4 Group passwords.</A>
</H2>
<P>The <CODE>/etc/groups</CODE> file may contain passwords that permit a user to
become a member of a particular group. This function is enabled if you
define the constant <CODE>SHADOWGRP</CODE> in the
<CODE>/usr/src/shadow-YYMMDD/config.h</CODE> file.
<P>If you define this constant and then compile, you must create an
<CODE>/etc/gshadow</CODE> file to hold the group passwords and the group
administrator information.
<P>When you created the <CODE>/etc/shadow</CODE>, you used a program called
<CODE>pwconv</CODE>, there no equivalent program to create the
<CODE>/etc/gshadow</CODE> file, but it really doesn't matter, it takes care of
itself.
<P>To create the initial <CODE>/etc/gshadow</CODE> file do the following:
<BLOCKQUOTE><CODE>
<PRE>
touch /etc/gshadow
chown root.root /etc/gshadow
chmod 700 /etc/gshadow
</PRE>
</CODE></BLOCKQUOTE>
<P>Once you create new groups, they will be added to the <CODE>/etc/group</CODE>
and the <CODE>/etc/gshadow</CODE> files. If you modify a group by adding or
removing users or changing the group password, the <CODE>/etc/gshadow</CODE>
file will be changed.
<P>The programs <CODE>groups</CODE>, <CODE>groupadd</CODE>, <CODE>groupmod</CODE>, and
<CODE>groupdel</CODE> are provided as part of the <EM>Shadow Suite</EM> to
modify groups.
<P>The format of the <CODE>/etc/group</CODE> file is as follows:
<BLOCKQUOTE><CODE>
<PRE>
groupname:!:GID:member,member,...
</PRE>
</CODE></BLOCKQUOTE>
Where:
<DL>
<DT><B><CODE>groupname</CODE></B><DD><P>The name of the group
<DT><B><CODE>!</CODE></B><DD><P>The field that normally holds the password, but that
is now relocated to the <CODE>/etc/gshadow</CODE> file.
<DT><B><CODE>GID</CODE></B><DD><P>The numerical group ID number
<DT><B><CODE>member</CODE></B><DD><P>List of group members
</DL>
<P>The format of the <CODE>/etc/gshadow</CODE> file is as follows:
<BLOCKQUOTE><CODE>
<PRE>
groupname:password:admin,admin,...:member,member,...
</PRE>
</CODE></BLOCKQUOTE>
Where:
<DL>
<DT><B><CODE>groupname</CODE></B><DD><P>The name of the group
<DT><B><CODE>password</CODE></B><DD><P>The encoded group password.
<DT><B><CODE>admin</CODE></B><DD><P>List of group administrators
<DT><B><CODE>member</CODE></B><DD><P>List of group members
</DL>
<P>The command <CODE>gpasswd</CODE> is used only for adding or removing
administrators and members to or from a group. <CODE>root</CODE> or someone in
the list of administrators may add or remove group members.
<P>The groups password can be changed using the <CODE>passwd</CODE> command by
<EM>root</EM> or anyone listed as an administrator for the group.
<P>Despite the fact that there is not currently a manual page for
<CODE>gpasswd</CODE>, typing <CODE>gpasswd</CODE> without any parameters gives a
listing of options. It's fairly easy to grasp how it all works once you
understand the file formats and the concepts.
<P>
<P>
<H2><A NAME="ss7.5">7.5 Consistency checking programs</A>
</H2>
<P>
<P>
<H3>pwck</H3>
<P>The program <CODE>pwck</CODE> is provided to provide a consistency check on the
<CODE>/etc/passwd</CODE> and <CODE>/etc/shadow</CODE> files. It will check each
username and verify that it has the following:
<UL>
<LI>the correct number of fields</LI>
<LI>unique user name</LI>
<LI>valid user and group identifier</LI>
<LI>valid primary group</LI>
<LI>valid home directory</LI>
<LI>valid login shell</LI>
</UL>
<P>It will also warn of any account that has no password.
<P>It's a good idea to run <CODE>pwck</CODE> after installing the <EM>Shadow
Suite</EM>. It's also a good idea to run it periodically, perhaps weekly or
monthly. If you use the <CODE>-r</CODE> option, you can use <CODE>cron</CODE> to run
it on a regular basis and have the report mailed to you.
<P>
<H3>grpck</H3>
<P><CODE>grpck</CODE> is the consistency checking program for the
<CODE>/etc/group</CODE> and <CODE>/etc/gshadow</CODE> files. It performs the
following checks:
<UL>
<LI>the correct number of fields</LI>
<LI>unique group name</LI>
<LI>valid list of members and administrators</LI>
</UL>
<P>It also has the <CODE>-r</CODE> option for automated reports.
<P>
<H2><A NAME="ss7.6">7.6 Dial-up passwords.</A>
</H2>
<P>Dial-up passwords are another optional line of defense for systems that allow
dial-in access. If you have a system that allows many people to connect
locally or via a network, but you want to limit who can dial in and connect,
then dial-up passwords are for you. To enable dial-up passwords, you must
edit the file <CODE>/etc/login.defs</CODE> and ensure that
<CODE>DIALUPS_CHECK_ENAB</CODE> is set to <CODE>yes</CODE>.
<P>Two files contain the dial-up information, <CODE>/etc/dialups</CODE> which
contains the ttys (one per line, with the leading "/dev/" removed). If a
tty is listed then dial-up checks are performed.
<P>The second file is the <CODE>/etc/d_passwd</CODE> file. This file contains the
fully qualified path name of a shell, followed by an optional password.
<P>If a user logs into a line that is listed in <CODE>/etc/dialups</CODE>, and his
shell is listed in the file <CODE>/etc/d_passwd</CODE> he will be allowed access
only by suppling the correct password.
<P>Another useful purpose for using dial-up passwords might be to setup a line
that only allows a certain type of connect (perhaps a PPP or UUCP connection).
If a user tries to get another type of connection (i.e. a list of shells),
he must know a password to use the line.
<P>Before you can use the dial-up feature, you must create the files.
<P>The command <CODE>dpasswd</CODE> is provided to assign passwords to the shells
in the <CODE>/etc/d_passwd</CODE> file. See the manual page for more
information.
<P>
<P>
<HR>
<A HREF="Shadow-Password-HOWTO-8.html">Next</A>
<A HREF="Shadow-Password-HOWTO-6.html">Previous</A>
<A HREF="Shadow-Password-HOWTO.html#toc7">Contents</A>
</BODY>
</HTML>
Reference in New Issue View Git Blame Copy Permalink