Managing Users - PowerPoint PPT Presentation

Provided by: clint6
Transcript and Presenter's Notes

1
Managing Users
  • By Clint Pate

2
Linux IDs
  • Every file and program must be owned by a user in
    order to be utilized by the Operating System.
  • User ID (UID)
  • Unique to the user
  • Group ID (GID)
  • Unique to the group

3
UID/GID
  • Linux's User ID and Group ID are much like the
    Windows NT/2000 Security Identifier (SID).
  • Unlike Windows, Unix/Linux does not use ACLs.
  • The root account is also known as the superuser,
    and has access to all files and programs.

4
SUID
  • Suid root refers to "set user id root". This allows
    a program to perform functions that users are not
    normally allowed to perform themselves. Low-level
    networking routines, controlling graphical display
    functions, changing passwords, and logging in are
    all examples of programs that rely on executing
    their functions as a user that is not restricted
    by standard file permissions. While many programs
    need this functionality, each such program must be
    bug-free so that it allows the user to do only the
    function the program was designed for.

5
Home Directories
  • Users that log in to the system have
    configuration files which are placed in a
    directory called home.
  • The home directory is usually located off the
    root (/home).
  • An example: /home/yourusername
  • The home folder for ROOT is /, and is common in
    most variants of Linux.
  • Some break up the home directory by department or
    some other method, for example /home/cns and
    /home/cst.

6
Passwords
  • Every account should either have a password or be
    tagged as impossible to log in to.
  • Users' passwords are encrypted/encoded using
    crypt(3) when entered at the login prompt.
  • The encoded value is then matched against the
    stored encoded password.
  • The Linux password file can be read by any user
    on the system.

7
Shadow Passwords
  • On a Linux system without the Shadow Suite
    installed, user information including passwords
    is stored in the /etc/passwd file. The password
    is stored in an encrypted format.
  • If you ask a cryptography expert, however, he or
    she will tell you that the password is actually
    in an encoded rather than encrypted format
    because when using crypt(3), the text is set to
    null and the password is the key.
  • The algorithm used to encode the password field
    is technically referred to as a one way hash
    function.

8
To Shadow Or Not???
  • Why you might NOT want to shadow your passwd
    file.
  • There are a few circumstances and configurations
    in which installing the Shadow Suite would NOT be
    a good idea:
  • The machine does not contain user accounts.
  • Your machine is running on a LAN and is using NIS
    (Network Information Services) to get or supply
    user names and passwords to other machines on the
    network. (This can actually be done, but is
    beyond the scope of this document, and really
    won't increase security much anyway)
  • Your machine is being used by terminal servers to
    verify users via NFS (Network File System), NIS,
    or some other method.
  • Your machine runs other software that validates
    users, and there is no shadow version available,
    and you don't have the source code.

9
Root Access Only!
  • The Shadow Suite solves the problem by relocating
    the passwords to another file (usually
    /etc/shadow).
  • The /etc/shadow file is set so that it cannot be
    read by just anyone.
  • Only root will be able to read and write to the
    /etc/shadow file.
  • Some programs (like xlock) don't need to change
    passwords; they only need to verify them. These
    programs can either be run suid root, or you can
    set up a group "shadow" that is allowed read-only
    access to the /etc/shadow file. Then the program
    can be run sgid shadow.

10
Shadowing Features
  • A configuration file to set login defaults
    (/etc/login.defs)
  • Utilities for adding, modifying, and deleting
    user accounts and groups
  • Password aging and expiration
  • Account expiration and locking
  • Shadowed group passwords (optional)
  • Double length passwords (16 character passwords)
    NOT RECOMMENDED
  • Better control over user's password selection
  • Dial-up passwords
  • Secondary authentication programs NOT
    RECOMMENDED

11
Startup Scripts
  • Remember the old days of DOS?
  • Autoexec.bat
  • Linux's equivalent of autoexec.bat, which sets the
    environment variables. The leading dot means that
    the file is hidden.
  • .bashrc

12
User Database
  • Locally, Linux is not like Windows when it comes
    to managing a user database!
  • Linux uses text files protected by the appropriate
    file permissions.
  • LinuxConf uses the user/group text files as its
    database, which is flat (not relational).

13
Password File
  • Format of the /etc/passwd file
  • A non-shadowed /etc/passwd file has the following
    format:
  • username:passwd:UID:GID:full_name:directory:shell
    Where
  • username
  • The user (login) name
  • passwd
  • The encoded password
  • UID
  • Numerical user ID
  • GID
  • Numerical default group ID
  • full_name
  • The user's full name - Actually this field is
    called the GECOS (General Electric Comprehensive
    Operating System) field and can store information
    other than just the full name. The Shadow
    commands and manual pages refer to this field as
    the comment field.
  • directory
  • User's home directory (Full pathname)
  • shell
  • User's login shell (Full Pathname)
  • For example:
    username:Npge08pfz4wuk:503:100:Full Name:/home/username:/bin/sh

14
Shadow File
  • Format of the shadow file
  • The /etc/shadow file contains the following
    information:
  • username:passwd:last:may:must:warn:expire:disable:reserved
    Where
  • username
  • The User Name
  • passwd
  • The Encoded password
  • last
  • Days since Jan 1, 1970 that password was last
    changed
  • may
  • Days before password may be changed
  • must
  • Days after which password must be changed
  • warn
  • Days before password is to expire that user is
    warned
  • expire
  • Days after password expires that account is
    disabled
  • disable
  • Days since Jan 1, 1970 that account is disabled

15
User Management Programs
  • chfn - Change a user's finger information
  • chsh - Change a user's shell
  • gpasswd - Used to administer the /etc/group file
    and /etc/gshadow file.
  • -A - Define group administrator.
  • gpasswd -a user group - Adds a user to a group.
  • gpasswd -d user group - Deletes a user from a
    group.
  • -M - Define group members.
  • gpasswd -R group - Restricts the group, disabling
    access to it via the newgrp command.
  • gpasswd -r group - Remove a group password.
  • groupadd - Create a new group.
  • groupdel - Delete a group
  • groupmod - Modify a group ID or name.
  • id - Print group or user ID numbers for the
    specified user
  • newgrp - Allows a user to log in to a new group.
  • newusers - Used to update many user accounts at a
    single time by reading a file with user names and
    clear text passwords.
  • passwd - Allows a user to change their own
    password, or root to change any user's password.
  • su - Allows a user to run in a shell with a
    different user and group ID. A user may become
    root with this command if they know the root
    password.
  • useradd - Used to create a new user or update
    information.
  • userdel - Used to delete a user. The user's home
    directory can be deleted using the -r option.

16
Shadow Password Utility Programs
  • The following programs are available as tools to
    manipulate shadow passwords and user password
    entry information/requirements.
  • chage - Used to change information on the
    required number of days between user password
    changes and the date of the last change. Non-root
    users can only use chage with the -l option to
    see when their password will expire. Options are:
  • -l - List the password aging information (the
    only option available to non-root users).
  • -m - Set the minimum days between password changes.
  • -M - Set the maximum days a password will be valid
    for.
  • -W - Set the number of days the user is warned
    before their password expires.
  • -d - Change the date of the last password change.
  • -E - Set a date after which the user's account will
    not be accessible.
  • -I - The days of inactivity after a password has
    expired until the account is locked.
  • pwconv - Used to create the file /etc/shadow from
    the file /etc/passwd. In short, it converts to a
    shadow password system. It uses the file
    /etc/login.defs to get PASS_MIN_DAYS,
    PASS_MAX_DAYS, and PASS_WARN_AGE values to help
    generate the /etc/shadow file.
  • pwunconv - Uses the files /etc/passwd and
    /etc/shadow to create /etc/passwd, then deletes
    /etc/shadow. In short, it removes the shadow
    password system.
  • grpconv - Creates /etc/gshadow from the file
    /etc/group.
  • grpunconv - Uses the files /etc/passwd and
    /etc/shadow to create /etc/passwd, then deletes
    /etc/shadow.
  • pwck - Checks the /etc/passwd and /etc/shadow
    files for errors.
  • grpck - Checks the /etc/group and /etc/sgroup
    files for errors.
  • usermod - Modify a user's account. Options are:
  • -d - Change the user's home directory.
  • -e - Change the user's account expiration date, in
    the format YYYY-MM-DD.
  • -f - Change the number of days after the password
    expires before the account is disabled.
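As an added example (not code from the slides or from the Shadow Suite), the following Python audit parses the two colon-separated formats from the /etc/passwd and /etc/shadow slides and classifies each account the way chage -l and pwck would. Field names follow the slides (so "expire" is the inactivity period and "disable" the account-disable day), the sample lines are constructed, and `today` is supplied by the caller as days since 1 Jan 1970, the same unit as the `last` field.

```python
PASSWD_FIELDS = "username passwd uid gid gecos directory shell".split()
SHADOW_FIELDS = "username passwd last may must warn expire disable reserved".split()

def parse_file(text, fields):
    """Colon-separated lines -> {username: {field: value}}; bad lines raise."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != len(fields):            # what pwck reports as an error
            raise ValueError(f"malformed line: {line!r}")
        entries[parts[0]] = dict(zip(fields, parts))
    return entries

def password_state(sh, today):
    """Classify one shadow entry; `today` is days since 1970-01-01, like `last`."""
    pw, num = sh["passwd"], lambda k: int(sh[k]) if sh[k] else None
    if not pw or pw[0] in "!*":                  # empty field: no password; ! or *: no hash matches
        return "NO PASSWORD" if not pw else "locked"
    if num("disable") is not None and today >= num("disable"):
        return "account disabled"
    expires = (num("last") or 0) + (num("must") or 99999)   # day the password dies
    if num("expire") is not None and today > expires + num("expire"):
        return "locked (inactive after expiry)"
    if today > expires:
        return "password expired"
    return "expiring soon" if today >= expires - (num("warn") or 0) else "ok"

def audit(passwd_text, shadow_text, today):
    """pwck-style cross-check of both files -> {username: state}."""
    shadow = parse_file(shadow_text, SHADOW_FIELDS)
    result = {}
    for name, pw in parse_file(passwd_text, PASSWD_FIELDS).items():
        if pw["uid"] == "0" and name != "root":
            result[name] = "UID 0 but not root"  # a second superuser account
        elif pw["passwd"] != "x":                # not shadowed at all
            result[name] = ("NO PASSWORD" if pw["passwd"] == ""
                            else "hash in world-readable /etc/passwd")
        elif name not in shadow:
            result[name] = "no /etc/shadow entry"  # pwck reports this too
        else:
            result[name] = password_state(shadow[name], today)
    return result

# Constructed sample lines in the slide formats; pass "today" as a day number, e.g. 19100.
SAMPLE_PASSWD = """alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/bin/bash
svc:x:1002:1002:Service Account:/var/svc:/sbin/nologin"""
SAMPLE_SHADOW = """alice:$6$constructedhash:18990:0:90:14:30::
bob::19000:0:99999:7:::
svc:!:19000:0:99999:7::19050:"""
```

Calling `audit(SAMPLE_PASSWD, SAMPLE_SHADOW, 19100)` reports alice's password as expired (last change day 18990 plus 90 days), bob with no password at all, and svc locked.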

17
LinuxConf
  • Linuxconf is a sophisticated administration
    system for the Linux operating system. In many
    ways, Linuxconf is different from other
    administration schemes found on Unix operating
    systems and most other systems.

18
LinuxConf 4 Interfaces
  • There are four user interfaces for Linuxconf
    planned. Three are already done.
  • Text-based Interface
  • Web Interface
  • Graphical Interface
  • Command-line Interface (still in development)
  • Linuxconf allows you to configure the workstation
    even before it is fully booted. This is a winner,
    as it saves you from a false-start boot (often
    with an invalid network configuration).

19
LinuxConf Does It For You!
  • Linuxconf is both a configurator and an
    activator. It is the one that decides whether ...
  • A daemon must be started.
  • A configuration command must be executed.
  • A daemon must be killed/restarted.
  • A daemon must be signaled (kill -HUP ...).
  • A network interface must be (re)configured.
  • A network route must be set/removed.
  • A volume must be (re)mounted.
  • Firewalling rules must be updated.
  • Linuxconf acts based on configuration files. It
    knows about most Linux configuration files and
    can compare their status with what is running
    currently. Based on this query, Linuxconf can
    bring your system "current". Whether you use
    Linuxconf's user interface or edit the
    configuration files by hand is unimportant. The
    following command
  • linuxconf --status
  • Will give you a report of what has to be done to
    bring the system "current".
  • linuxconf --update
  • Will do it for you!

20
LinuxConf Modules
  • What modules come with the Redhat version of
    Linuxconf? In addition to the capabilities that
    are built in to linuxconf, the following modules
    are present in the Redhat 6.1 distribution
    version
  • apache
  • dhcpd
  • dialout
  • dnsconf
  • firewall
  • inittab
  • mailconf
  • modemconf
  • motd
  • mrtg
  • netadm
  • pppdialin
  • rarp
  • redhatppp
  • samba
  • squid
  • status
  • treemenu

21
LinuxConf Modules
  • Available Modules
  • Linuxconf SSL - Using apache SSL/proxy to protect
    the HTML interface.
  • ldapconf - Manage LDAP for linux.
  • htmlplus - Enhanced HTML interface.
  • isdnadmin - Manage isdn4net/isdn4linux devices.
  • tpconf - Control the ThinkPad BIOS (via tpctl).
  • tobot - Simple backup module using tob.
  • Misc
  • pam_vdomain - experimental PAM module for
    linuxconf vdomains.
  • Linuxconf portal - experimental project central
    using SourceForge technology.

22
PAM
  • PAM (Pluggable Authentication Modules). Basically,
    it is a flexible mechanism for authenticating
    users.
  • PAM allows integration of various authentication
    technologies such as UNIX, Kerberos, RSA, smart
    cards and DCE into system entry services such as
    login, passwd, rlogin, telnet, ftp, and su
    without changing any of these services.

23
PAM Development
  • Since the beginnings of UNIX, authenticating a
    user has been accomplished via the user entering
    a password and the system checking if the entered
    password corresponds to the encrypted official
    password that is stored in /etc/passwd .
  • The idea being that the user is really that user
    if and only if they can correctly enter their
    secret password. That was in the beginning. Since
    then, a number of new ways of authenticating users
    have become popular, including more complicated
    replacements for the /etc/passwd file and hardware
    devices such as smart cards.
  • The problem is that each time a new
    authentication scheme is developed, it requires
    all the necessary programs (login, ftpd etc...)
    to be rewritten to support it.
  • PAM provides a way to develop programs that are
    independent of authentication scheme.
  • These programs need "authentication modules" to
    be attached to them at run-time in order to work.
    Which authentication module is to be attached is
    dependent upon the local system setup and is at
    the discretion of the local system administrator.

24
PAMs for MS Connectivity
  • pam_ldap
  • The pam_ldap module provides the means for
    Solaris and Linux workstations to authenticate
    against LDAP directories, and to change their
    passwords in the directory.
  • Active Directory and the NIS/LDAP Gateway
  • The NIS/LDAP Gateway is able to act as a NIS
    front-end to an Active Directory server
    configured with the Microsoft Services for UNIX
    schema.

25
WEBMIN UG Management