7. Putting the Shadow Suite to use.
This section discusses some of the things that you will want to know now that you have the Shadow Suite installed on your system. More information is contained in the manual pages for each command.
7.1 Adding, Modifying, and deleting users
The Shadow Suite added the following command line oriented commands
for adding, modifying, and deleting users. You may also have installed the
adduser
program.
useradd
The useradd
command can be used to add users to the system. You
also invoke this command to change the default settings.
The first thing that you should do is to examine the default settings and make changes specific to your system:
useradd -D
GROUP=1 HOME=/home INACTIVE=0 EXPIRE=0 SHELL= SKEL=/etc/skel
The defaults are probably not what you want, so if you started adding users now you would have to specify all the information for each user. However, we can and should change the default values.
On my system:
- I want the default group to be 100
- I want passwords to expire every 60 days
- I don't want to lock an account because the password is expired
- I want to default shell to be
/bin/bash
useradd -D -g100 -e60 -f0 -s/bin/bash
Now running useradd -D
will give:
GROUP=100 HOME=/home INACTIVE=0 EXPIRE=60 SHELL=/bin/bash SKEL=/etc/skel
Just in case you wanted to know, these defaults are stored in the file
/etc/default/useradd
.
Now you can use useradd
to add users to the system. For example,
to add the user fred
, using the defaults, you would use the
following:
useradd -m -c "Fred Flintstone" fred
This will create the following entry in the /etc/passwd
file:
fred:*:505:100:Fred Flintstone:/home/fred:/bin/bash
And the following entry in the /etc/shadow
file:
fred:!:0:0:60:0:0:0:0
fred
's home directory will be created and the contents of
/etc/skel
will be copied there because of the -m
switch.
Also, since we did not specify a UID, the next available one was used.
fred
's account is created, but fred
still won't be able to
login until we unlock the account. We do this by changing the password.
passwd fred
Changing password for fred Enter the new password (minimum of 5 characters) Please use a combination of upper and lower case letters and numbers. New Password: ******* Re-enter new password: *******
Now the
/etc/shadow
will contain:
fred:J0C.WDR1amIt6:9559:0:60:0:0:0:0
And fred
will now be able to login and use the system. The nice
thing about useradd
and the other programs that come with the
Shadow Suite is that they make changes to the /etc/passwd
and /etc/shadow
files atomically. So if you are adding a user, and
another user is changing their password at the same time, both operations
will be performed correctly.
You should use the supplied commands rather than directly editing
/etc/passwd
and /etc/shadow
. If you were editing the
/etc/shadow
file, and a user were to change his password while you
are editing, and then you were to save the file you were editing, the user's
password change would be lost.
Here is a small interactive script that adds users using useradd
and passwd
:
#!/bin/bash # # /sbin/newuser - A script to add users to the system using the Shadow # Suite's useradd and passwd commands. # # Written my Mike Jackson <mhjack@tscnet.com> as an example for the Linux # Shadow Password Howto. Permission to use and modify is expressly granted. # # This could be modified to show the defaults and allow modification similar # to the Slackware Adduser program. It could also be modified to disallow # stupid entries. (i.e. better error checking). # ## # Defaults for the useradd command ## GROUP=100 # Default Group HOME=/home # Home directory location (/home/username) SKEL=/etc/skel # Skeleton Directory INACTIVE=0 # Days after password expires to disable account (0=never) EXPIRE=60 # Days that a passwords lasts SHELL=/bin/bash # Default Shell (full path) ## # Defaults for the passwd command ## PASSMIN=0 # Days between password changes PASSWARN=14 # Days before password expires that a warning is given ## # Ensure that root is running the script. ## WHOAMI=`/usr/bin/whoami` if [ $WHOAMI != "root" ]; then echo "You must be root to add news users!" exit 1 fi ## # Ask for username and fullname. ## echo "" echo -n "Username: " read USERNAME echo -n "Full name: " read FULLNAME # echo "Adding user: $USERNAME." # # Note that the "" around $FULLNAME is required because this field is # almost always going to contain at least on space, and without the "'s # the useradd command would think that you we moving on to the next # parameter when it reached the SPACE character. # /usr/sbin/useradd -c"$FULLNAME" -d$HOME/$USERNAME -e$EXPIRE \ -f$INACTIVE -g$GROUP -m -k$SKEL -s$SHELL $USERNAME ## # Set password defaults ## /bin/passwd -n $PASSMIN -w $PASSWARN $USERNAME >/dev/null 2>&1 ## # Let the passwd command actually ask for password (twice) ## /bin/passwd $USERNAME ## # Show what was done. ## echo "" echo "Entry from /etc/passwd:" echo -n " " grep "$USERNAME:" /etc/passwd echo "Entry from /etc/shadow:" echo -n " " grep "$USERNAME:" /etc/shadow echo "Summary output of the passwd command:" echo -n " " passwd -S $USERNAME echo ""
Using a script to add new users is really much more preferable than editing
the /etc/passwd
or /etc/shadow
files directly or using a
program like the Slackware adduser
program. Feel free to use and
modify this script for your particular system.
For more information on the useradd
see the online manual page.
usermod
The usermod
program is used to modify the information on a user.
The switches are similar to the useradd
program.
Let's say that you want to change fred
's shell, you would do the
following:
usermod -s /bin/tcsh fred
Now fred
's /etc/passwd
file entry would be change to this:
fred:*:505:100:Fred Flintstone:/home/fred:/bin/tcsh
Let's make fred
's account expire on 09/15/97:
usermod -e 09/15/97 fred
Now fred
's entry in /etc/shadow
becomes:
fred:J0C.WDR1amIt6:9559:0:60:0:0:10119:0
For more information on the usermod
command see the online manual
page.
userdel
userdel
does just what you would expect, it deletes the user's
account. You simply use:
userdel -r username
The -r
causes all files in the user's home directory to be removed
along with the home directory itself. Files located in other file system
will have to be searched for and deleted manually.
If you want to simply lock the account rather than delete it, use the
passwd
command instead.
7.2 The passwd command and passwd aging.
The passwd
command has the obvious use of changing passwords.
Additionally, it is used by the root user to:
- Lock and unlock accounts (
-l
and-u
) - Set the maximum number of days that a password remains valid
(
-x
) - Set the minimum days between password changes (
-n
) - Sets the number of days of warning that a password is about to expire
(
-w
) - Sets the number of days after the password expires before the account
is locked (
-i
) - Allow viewing of account information in a clearer format (
-S
)
For example, let look again at fred
passwd -S fred
fred P 03/04/96 0 60 0 0
This means that fred
's password is valid, it was last changed on
03/04/96, it can be changed at any time, it expires after 60 days, fred will
not be warned, and and the account won't be disabled when the password
expires.
This simply means that if fred
logs in after the password expires,
he will be prompted for a new password at login.
If we decide that we want to warn fred
14 days before his password
expires and make his account inactive 14 days after he lets it expire, we
would need to do the following:
passwd -w14 -i14 fred
Now fred
is changed to:
fred P 03/04/96 0 60 14 14
For more information on the passwd
command see the online manual
page.
7.3 The login.defs file.
The file /etc/login
is the configuration file for the
login
program and also for the Shadow Suite as a whole.
/etc/login
contains settings from what the prompts will look like
to what the default expiration will be when a user changes his password.
The /etc/login.defs
file is quite well documented just by the
comments that are contained within it. However, there are a few things to
note:
- It contains flags that can be turned on or off that determine the amount of logging that takes place.
- It contains pointers to other configuration files.
- It contains defaults assignments for things like password aging.
From the above list you can see that this is a rather important file, and you should make sure that it is present, and that the settings are what you desire for your system.
7.4 Group passwords.
The /etc/groups
file may contain passwords that permit a user to
become a member of a particular group. This function is enabled if you
define the constant SHADOWGRP
in the
/usr/src/shadow-YYMMDD/config.h
file.
If you define this constant and then compile, you must create an
/etc/gshadow
file to hold the group passwords and the group
administrator information.
When you created the /etc/shadow
, you used a program called
pwconv
, there no equivalent program to create the
/etc/gshadow
file, but it really doesn't matter, it takes care of
itself.
To create the initial /etc/gshadow
file do the following:
touch /etc/gshadow
chown root.root /etc/gshadow
chmod 700 /etc/gshadow
Once you create new groups, they will be added to the /etc/group
and the /etc/gshadow
files. If you modify a group by adding or
removing users or changing the group password, the /etc/gshadow
file will be changed.
The programs groups
, groupadd
, groupmod
, and
groupdel
are provided as part of the Shadow Suite to
modify groups.
The format of the /etc/group
file is as follows:
groupname:!:GID:member,member,...
Where:
groupname
The name of the group
!
The field that normally holds the password, but that is now relocated to the
/etc/gshadow
file.GID
The numerical group ID number
member
List of group members
The format of the /etc/gshadow
file is as follows:
groupname:password:admin,admin,...:member,member,...
Where:
groupname
The name of the group
password
The encoded group password.
admin
List of group administrators
member
List of group members
The command gpasswd
is used only for adding or removing
administrators and members to or from a group. root
or someone in
the list of administrators may add or remove group members.
The groups password can be changed using the passwd
command by
root or anyone listed as an administrator for the group.
Despite the fact that there is not currently a manual page for
gpasswd
, typing gpasswd
without any parameters gives a
listing of options. It's fairly easy to grasp how it all works once you
understand the file formats and the concepts.
7.5 Consistency checking programs
pwck
The program pwck
is provided to provide a consistency check on the
/etc/passwd
and /etc/shadow
files. It will check each
username and verify that it has the following:
- the correct number of fields
- unique user name
- valid user and group identifier
- valid primary group
- valid home directory
- valid login shell
It will also warn of any account that has no password.
It's a good idea to run pwck
after installing the Shadow
Suite. It's also a good idea to run it periodically, perhaps weekly or
monthly. If you use the -r
option, you can use cron
to run
it on a regular basis and have the report mailed to you.
grpck
grpck
is the consistency checking program for the
/etc/group
and /etc/gshadow
files. It performs the
following checks:
- the correct number of fields
- unique group name
- valid list of members and administrators
It also has the -r
option for automated reports.
7.6 Dial-up passwords.
Dial-up passwords are another optional line of defense for systems that allow
dial-in access. If you have a system that allows many people to connect
locally or via a network, but you want to limit who can dial in and connect,
then dial-up passwords are for you. To enable dial-up passwords, you must
edit the file /etc/login.defs
and ensure that
DIALUPS_CHECK_ENAB
is set to yes
.
Two files contain the dial-up information, /etc/dialups
which
contains the ttys (one per line, with the leading "/dev/" removed). If a
tty is listed then dial-up checks are performed.
The second file is the /etc/d_passwd
file. This file contains the
fully qualified path name of a shell, followed by an optional password.
If a user logs into a line that is listed in /etc/dialups
, and his
shell is listed in the file /etc/d_passwd
he will be allowed access
only by suppling the correct password.
Another useful purpose for using dial-up passwords might be to setup a line that only allows a certain type of connect (perhaps a PPP or UUCP connection). If a user tries to get another type of connection (i.e. a list of shells), he must know a password to use the line.
Before you can use the dial-up feature, you must create the files.
The command dpasswd
is provided to assign passwords to the shells
in the /etc/d_passwd
file. See the manual page for more
information.
Next Previous Contents