Managing user accounts is one of the routine tasks of a system administrator. In this article I will explain how to administer user accounts, and we will also look at the configuration files that are needed to maintain them. Every user on the system is identified by a username and a user ID (UID) number. Humans recognize a user by the username, but the operating system uses the UID number to identify users; when you create a user account a UID is generated for it by default, and each user has a unique UID.
While the operating system is being installed, some default user accounts are created; these are normally called the default system accounts. These special users have their own UID numbers.
Every user on your system is also a member of one or more groups. Instead of setting up individual permissions for each and every user, adding users to a group and then assigning permissions to the group is the easiest way to manage permissions for different users. Like UIDs, groups have a GID (group identification number).
System default configuration files that store user account information
When you create a user or group, the default information is written to some configuration files; there are three important configuration files that store all user and group information. As you know, all the configuration files live under the /etc directory; inside it you will find the passwd, shadow and group files.
The /etc/passwd file stores the essential user information that is required at login. There are seven fields in this file. By default the entries in the passwd file look like the format below.
Each field is separated by a colon (:).
Let me explain the fields one by one.
Username: the login name the user types when logging in to the server. It must be between 1 and 32 characters long.
Password: an x character indicates that the encrypted password is stored in the /etc/shadow file.
User ID (UID): the UID of the root user is “0”. UIDs 1-499 are reserved for the default system accounts; UIDs above 500 are used for the ordinary user accounts that we create manually with the useradd command.
Group ID (GID): the ID of the user's group, which is stored in the /etc/group file.
Home Directory: the default home directory for non-root logins. If this directory does not exist the user's directory becomes / instead, and login problems can occur if /home is not available at login time.
Login Shell: the default shell that is started when the user logs in to the system.
Let me show you a screenshot of the /etc/passwd file so you can see how the fields are separated:
Check the file permissions for /etc/passwd:
#ls -l /etc/passwd
Since this file contains sensitive user information, the permissions for other users are set to read-only so that they cannot modify it.
The /etc/shadow file holds the user's encrypted password information. Once you have created a password it is encrypted and stored in this file along with your login name. Only the root user can read this file; other users cannot. Let us have a look at this file:
1.Username: this is your login name.
2.Password: your encrypted password. The $id$ prefix identifies the algorithm used on GNU/Linux, as follows:
a.$1$ is the MD5 algorithm
b.$2a$ is the Blowfish algorithm
c.$5$ is the SHA-256 algorithm
3.Last password change: the day on which the password was last changed, stored as a day count.
4.Minimum: the number of days that must pass before the user is allowed to change the password.
5.Maximum: the number of days the password is valid.
6.Warning: the number of days before the password expires during which the user is warned to change it.
Note: the last two fields, also separated by colons, are described below.
7.Inactive: the number of days after the password expires before the account is disabled.
8.Expire: the day count at which the account is disabled.
Note: a password field that starts with an exclamation mark (!) means the password is locked; if it does not start with ! the account is unlocked.
Let me show you this with one example.
When the account is in the locked state:
From the above output you can see that the encrypted password starts with the !! mark, which indicates the account is in the locked state.
After the account is unlocked:
From the above output the encrypted password no longer starts with the ! mark, because the account has been unlocked.
The /etc/group file holds the group information, that is, which users belong to which group. As in the files above, all the fields are separated by colons (:).
1.Group name: the name of the group.
2.Password: by default no group password is used, so this field is empty; if a password is set for the group the encrypted password is stored here. If you need a group with privileged access you can set a password for it.
3.Group ID (GID): every user must be assigned a group ID; when you check the /etc/passwd file you will find the group associated with each account.
4.Group list: the usernames of the members of the group, separated by commas.
To check the group information:
To find out which groups a user has been added to:
#groups <user name>
Here the user Vasanth belongs to the system groups ntp and adm.
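To make the relationship between the /etc/passwd fields and the /etc/group member list concrete, here is a small script added to this article as an example (it is not from the original post). It parses constructed copies of both files, flags the passwd entries an administrator would want to review (a second UID 0 account, an empty password field, a malformed line), and reproduces what the groups command reports for a user: the primary group from the passwd GID, followed by every group whose member list names the user. The sample lines, including the nirmal entry that mirrors the useradd example later in the article, are made up for this demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: audit /etc/passwd-format data and
# resolve a user's groups the way "groups <user>" does. All input is constructed
# inline so the script runs without root or a real system.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vasanth:x:1000:1000:Vasanth:/home/vasanth:/bin/bash
nirmal:x:1500:10:Site Admin:/home/nirmal:/bin/bash
backup:x:0:0:backup operator:/home/backup:/bin/bash
legacy::1501:1501:old account:/home/legacy:/bin/sh
broken:x:1502:1502:missing home'

SAMPLE_GROUP='root:x:0:
daemon:x:1:
wheel:x:10:nirmal
ntp:x:38:vasanth
adm:x:4:vasanth,nirmal
vasanth:x:1000:
legacy:x:1501:'

# audit_passwd: reads passwd-format lines on stdin and prints "user<TAB>reason"
# for every entry worth a second look. Prints nothing for clean input.
audit_passwd() {
    awk -F: '
        NF != 7                  { print $1 "\tmalformed: " NF " fields instead of 7"; next }
        $3 == 0 && $1 != "root"  { print $1 "\tUID 0 but not root" }
        $2 == ""                 { print $1 "\tempty password field: no password needed to log in" }
        $2 != "x" && $2 != ""    { print $1 "\thash kept in passwd instead of shadow" }
        $7 == ""                 { print $1 "\tempty login shell" }
    '
}

# count_findings -> number of findings for the constructed sample
count_findings() {
    printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd | wc -l | tr -d ' '
}

# user_groups USER -> group names separated by spaces, primary group first,
# which is the order "groups USER" prints them. Returns 1 for an unknown user.
user_groups() {
    gid=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }')
    [ -n "$gid" ] || return 1
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$1" -v gid="$gid" '
        $3 == gid { primary = $1; next }      # primary group comes from the passwd GID
        {
            n = split($4, members, ",")       # field 4 is the comma-separated member list
            for (i = 1; i <= n; i++) if (members[i] == u) extra = extra " " $1
        }
        END { print primary extra }
    '
}

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
user_groups vasanth   # → vasanth ntp adm
user_groups nirmal    # → wheel adm
```

Running the script lists three findings for the sample (the backup account with UID 0, the legacy account with an empty password field, and the truncated broken line) and then prints the group lists. Against a real system you would feed it /etc/passwd and /etc/group instead of the inline samples.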
How to create a user account?
Creating a user on a Linux box is very easy; however, only the root user is allowed to perform this operation. There are two ways to add a user to a Linux box:
1) By editing the /etc/passwd file (i.e., manually adding all the fields: UID, GID, login name, comment, shell)
2) By using the “useradd” command, which creates the account automatically as long as you give it the correct details.
Syntax: to create a user account with the “useradd” command
#useradd -u <uid> -g <gid> -d <home_directory> -s <login_shell> -c <comment> <login_name>
-s —–> defines the user's login shell
-c —–> adds a comment to the user account
Now let us add a user account using this syntax:
#useradd -u 1500 -g 10 -d /home/nirmal -s /bin/bash -c "Site Admin" nirmal
After the account is added successfully, all the information is automatically updated in the /etc/passwd file.
From the above output, all the fields have been updated in the /etc/passwd file.
Now, if you want to confirm which group the user “hema” was added to, run the following command:
#id <user name>
#id hema
The group name for GID 10 is “wheel”. If you have your own group you can also pass it to the useradd command; in this example I have used the default system group ID 10 (wheel).
Note: the useradd command may fail under the following conditions:
1.The UID you specify is already taken
2.The GID you specify does not exist
3.The comment contains special characters such as (!) and (/)
4.The shell you specify does not exist.
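The conditions above can all be checked before useradd is run. The following script is added to this article as an example (it is not from the original post): it performs those pre-flight checks against constructed copies of /etc/passwd, /etc/group and /etc/shells, so it needs no root access. The data and the hypothetical check_useradd function are mine; besides the (!) and (/) the article lists, the comment check also rejects a colon, since that is the field separator of the passwd file itself.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight checks that mirror the
# reasons the article gives for useradd failing. PASSWD_DATA, GROUP_DATA and
# SHELLS_DATA are constructed stand-ins for /etc/passwd, /etc/group and /etc/shells.

PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
nirmal:x:1500:10:Site Admin:/home/nirmal:/bin/bash'
GROUP_DATA='root:x:0:
wheel:x:10:nirmal
ntp:x:38:'
SHELLS_DATA='/bin/sh
/bin/bash'

# Each helper exits 0 when the condition holds, so it can be used directly in "if".
name_taken()  { printf '%s\n' "$PASSWD_DATA" | awk -F: -v n="$1" '$1 == n { found = 1 } END { exit !found }'; }
uid_taken()   { printf '%s\n' "$PASSWD_DATA" | awk -F: -v u="$1" '$3 == u { found = 1 } END { exit !found }'; }
gid_exists()  { printf '%s\n' "$GROUP_DATA"  | awk -F: -v g="$1" '$3 == g { found = 1 } END { exit !found }'; }
shell_known() { printf '%s\n' "$SHELLS_DATA" | grep -qx -- "$1"; }

# check_useradd NAME UID GID SHELL COMMENT
# Prints one line per problem found and returns the number of problems,
# so a return value of 0 means useradd with these arguments should succeed.
check_useradd() {
    name=$1; uid=$2; gid=$3; shell=$4; comment=$5; problems=0
    if name_taken "$name";     then echo "login name $name already exists";       problems=$((problems+1)); fi
    if uid_taken "$uid";       then echo "UID $uid is already taken";             problems=$((problems+1)); fi
    if ! gid_exists "$gid";    then echo "GID $gid does not exist";                problems=$((problems+1)); fi
    if ! shell_known "$shell"; then echo "shell $shell is not a known login shell"; problems=$((problems+1)); fi
    case $comment in
        *:*|*!*|*/*) echo "comment contains a character useradd rejects (: ! /)"; problems=$((problems+1)) ;;
    esac
    return "$problems"
}

# Same arguments as the article's useradd example: nirmal and UID 1500 already exist here.
check_useradd nirmal 1500 10 /bin/bash 'Site Admin' || echo "-> $? problem(s); useradd would fail"
# A fresh name and UID, existing GID 10 (wheel) and a listed shell: nothing to report.
check_useradd hema 1600 10 /bin/bash 'Site Admin' && echo "-> ok, useradd can proceed"
```

The helpers read the inline data; to use this on a live system, replace the three variables with the contents of the real files (for example `PASSWD_DATA=$(cat /etc/passwd)`), which an ordinary user can read since /etc/passwd, /etc/group and /etc/shells are world-readable.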
The second, simpler form of the command is:
#useradd <user name>
In this method the system uses the defaults to create the user account and updates the /etc/passwd file accordingly.
Now check the account details in the /etc/passwd file:
#cat /etc/passwd |grep jeya
Note: the root UID and GID are always 0, and the default group for root is always 0.
Note: the second field shows an “x” character, which marks the password field (“x” appears because we use a mechanism called password shadowing; I will explain password shadowing in an upcoming post).
Note: in /etc/shadow, a double exclamation mark (!!) in the password field indicates that no password has been assigned to the user.
Since the user Vasanth has a password you will see an encrypted password line; now check the other users, hema and jeya, and you can see the !! symbol, which says that both users do not have a password.
As I said, useradd <username> uses the defaults to create the user account. If you would like to know which default values are assigned when an account is created this way, here you go.
In Linux there are two configuration files that hold the default values assigned to a user by the useradd command.
1) /etc/default/useradd file
#cat /etc/default/useradd
You can also use the following command to fetch the same details:
This file contains values such as the UID, GID, expiry information, the password encryption method and many other settings.
You can also change the default values with the useradd command itself. Let me show you a couple of examples of how to change the defaults of the useradd command.
Change the default values of the useradd command?
There are two ways to change the default values of the useradd command:
1.Editing the /etc/default/useradd file manually
2.With the useradd command, using some of its options
Now I am going to change the default home directory for all new users.
From the above output all users use /home as the base of their default home directory. Now let us change this default:
#useradd -D -b /var/users
Now check whether it has been updated in the configuration file:
#useradd -D |grep HOME
The above output shows that from now on all new users will get their home directory under /var/users.
Change the default login shell
By default all users get /bin/bash as their login shell; now I am going to change it from bash to the Bourne shell, i.e., sh.
#useradd -D -s /bin/sh
From the output we can see that from now on all new users will use sh as their login shell.
Once you have created a user account, the next step is to set a password for it. We have a command, “passwd”, with which we can set the password for the account.
Ex:1 To set a password for an account
#passwd <user name>
#cat /etc/shadow |grep hema
In the above screenshot you will not see an encrypted line in the password field, as the user does not have a password yet; the (!!) indicates that no password has been set for the account.
#passwd hema
New password: ******
After creating the password it is stored in encrypted form in the /etc/shadow file.
#cat /etc/shadow |grep hema
As you can see from the output, before you create a password for the account the password field in /etc/shadow shows only !! (which indicates no password, NP); after assigning the password you can see the encrypted line in the password field.
Note: a locked account shows the same !! mark.
Ex:2 To check the details or status of an account's password
With the passwd command, use the -S option to fetch the status of the account's password:
#passwd -S <username>
-S --> fetches the status of the user's password
#passwd -S hema
The result has seven fields, each with a different piece of status information:
1.The first field is the user's login name
2.The second field says whether the account is locked (LK) or has no password (NP)
3.The third field shows the date of the last password change
4.The fourth field shows the minimum age of the password
5.The fifth field shows the maximum age of the password
6.The sixth field shows the warning period for the password
7.The seventh field shows the inactivity period for the password.
Ex:3 To lock a specified account
Syntax: #passwd -l <username>
-l --> locks the account's password
#cat /etc/shadow |grep hema
Now lock the user account as below:
#passwd -l hema
Now check the shadow file for the changes:
#cat /etc/shadow |grep hema
Ex:4 To unlock the account
#passwd -u <username>
#passwd -u hema
#cat /etc/shadow |grep hema
From the output you can see that once the account is brought back to the unlocked state, the !! mark in front of the $ sign is removed. As an admin you should know the meaning of !!, NP and PS in the shadow file.
I will show you one small example of how the status is updated before and after the account is locked and unlocked:
PS --> the account has a password and is in the active state
LK --> the account is locked
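Here is a script added to this article as an example (it is not from the original post) that ties the /etc/shadow password field described earlier to the status codes that passwd -S prints. shadow_status describes the field in words, separating the !! of a freshly created account from the ! that passwd -l puts in front of an existing hash, and reading the hashing algorithm from the $id$ prefix; status_code reproduces the rule passwd -S applies, where an empty field is NP, a field beginning with ! or * is LK and anything else is PS (so a fresh !! account is reported as LK, which is why a locked account and a never-set password look alike in that column). The sample lines and their hashes are placeholders I constructed, not real password hashes; the empty field of the nopw line is what removing a password with passwd -d leaves behind.

```shell
#!/bin/sh
# Added example, not from the original article: interpret the password field of
# /etc/shadow-format lines. SAMPLE_SHADOW is constructed; the hashes are placeholders.

SAMPLE_SHADOW='root:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:19000:0:99999:7:::
vasanth:$5$SALTPLACEHOLDER$HASHPLACEHOLDER:19000:6:99999:7:::
hema:!!:19000:0:99999:7:::
jeya:!$1$SALTPLACEHOLDER$HASHPLACEHOLDER:19000:0:7:12:::
svc:*:19000:0:99999:7:::
nopw::19000:0:99999:7:::'

# shadow_field USER N -> field N of USER's line (2 = password, 3..8 = the aging fields)
shadow_field() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" -v f="$2" '$1 == u { print $f }'
}

# shadow_status USER -> one word describing the password field:
#   no-password   "!!"   no password was ever set (what useradd leaves behind)
#   empty         ""     password removed with passwd -d; login needs no password
#   locked        "!..." a hash with "!" in front, as left by passwd -l
#   disabled      "*"    no valid hash at all, password login impossible
#   password:ALG         a usable hash; ALG is taken from the $id$ prefix
shadow_status() {
    pw=$(shadow_field "$1" 2)
    case $pw in
        '!!') echo no-password ;;
        '')   echo empty ;;
        '!'*) echo locked ;;
        '$'*)
            id=${pw#\$}; id=${id%%\$*}      # the id sits between the first two "$" signs
            case $id in
                1)  alg=MD5 ;;
                2a) alg=Blowfish ;;
                5)  alg=SHA-256 ;;
                6)  alg=SHA-512 ;;          # not listed in the article; the standard id for SHA-512
                *)  alg=unknown ;;
            esac
            echo "password:$alg" ;;
        *)    echo disabled ;;
    esac
}

# status_code USER -> the code "passwd -S" shows in its second field:
#   NP = empty field, LK = field starts with "!" or "*", PS = usable password
status_code() {
    pw=$(shadow_field "$1" 2)
    case $pw in
        '')        echo NP ;;
        '!'*|'*'*) echo LK ;;
        *)         echo PS ;;
    esac
}

for u in root vasanth hema jeya svc nopw; do
    printf '%-8s %-3s %s\n' "$u" "$(status_code "$u")" "$(shadow_status "$u")"
done
```

Only root can read the real /etc/shadow, so on a live system the script has to be run as root with SAMPLE_SHADOW replaced by the file's contents; the interpretation logic itself does not change.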
Ex:5 To set the minimum number of days before a password change
The user cannot change or modify his/her password until the minimum number of days has passed.
If I assign 6 days as the minimum password age for the user Vasanth, then Vasanth must keep the current password for at least 6 days and is not allowed to change it within those 6 days.
#passwd -n <days> <username>
#passwd -n 6 vasanth
Now check the password status for the user Vasanth:
#passwd -S vasanth
From the above output the minimum number of days before the password can be changed is now 6.
Ex:6 Set the maximum number of days before a password change
This tells the user how many days the current password can be used: within this maximum number of days the user must change his/her password, and once the maximum is exceeded the account is automatically locked.
#passwd -x <days> <username>
#passwd -S hema
From the above screenshot the maximum number of days allowed before the password must be changed is 7 days for the user Hema. Let me modify this with the following command:
#passwd -x 10 hema
Now check the status:
#passwd -S hema
Ex:7 How to set the warning days before the password expires
If you set the warning days for a user, he/she will receive an alert message to change the password 12 days before the expiry date.
#passwd -w <warning days> <username>
#passwd -w 12 hema
Now check the status to confirm it has been updated in the password management file:
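The three aging options above (-n, -x and -w) set fields 4, 5 and 6 of /etc/shadow, and together with the last-change day (field 3) and the inactivity period (field 7) they determine where a password stands on any given day. The script below is added to this article as an example (it is not from the original post) and works that out from the raw numbers: the password expires on last change + maximum, the warning starts warning days before that, and when an inactivity period is set the account locks that many days after expiry. Days are counted the way the shadow file counts them, as days since 1 January 1970; the day numbers used here are made up, while the aging values reuse the article's 6, 10 and 12.

```shell
#!/bin/sh
# Added example, not from the original article: evaluate the password aging
# fields the way the shadow utilities do. All day counts are days since 1970-01-01,
# the unit /etc/shadow stores; the scenario values at the bottom are constructed.

# password_state TODAY LASTCHG MIN MAX WARN INACTIVE
# Prints one of: active | warning | expired | inactive-locked
#   expiry       = LASTCHG + MAX       the day the password stops being valid
#   warning from = expiry - WARN       the user is told to change it from here on
#   locked from  = expiry + INACTIVE   only when INACTIVE is set (non-empty)
password_state() {
    today=$1 lastchg=$2 min=$3 max=$4 warn=$5 inactive=$6
    expiry=$((lastchg + max))
    if [ -n "$inactive" ] && [ "$today" -ge $((expiry + inactive)) ]; then
        echo inactive-locked
    elif [ "$today" -ge "$expiry" ]; then
        echo expired
    elif [ "$today" -ge $((expiry - warn)) ]; then
        echo warning
    else
        echo active
    fi
}

# can_change_password TODAY LASTCHG MIN -> "yes" once the minimum age has elapsed
can_change_password() {
    if [ $(($1 - $2)) -ge "$3" ]; then echo yes; else echo no; fi
}

# Constructed scenarios; day 19000 is an arbitrary last-change day.
password_state 19002 19000 6 99999 7 ""   # → active   (vasanth: min 6, default max)
can_change_password 19002 19000 6        # → no       (only 2 of the 6 minimum days have passed)
password_state 19005 19000 0 10 12 ""     # → warning  (hema: warn 12 exceeds max 10, so warned at once)
password_state 19011 19000 0 10 7 ""      # → expired  (one day past last change + 10)
password_state 19025 19000 0 10 7 5       # → inactive-locked (5 inactive days after expiry)
```

The third scenario shows the edge case produced by the article's own numbers: with a 12-day warning on a 10-day maximum, the warning window starts before the password was even changed, so the user is warned at every login.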
Ex:8 How to delete the password of a user account?
There are two ways to do this: one is by editing the /etc/shadow file, i.e., removing the encrypted line for the user; the second, much easier, way is to use the “passwd” command with the “-d” option, which removes the password.
#passwd -d <username>
Let me remove the password for the user hema. Remember, after removing the password, check the password status in the /etc/shadow file:
#passwd -S hema
Now delete the password with the following command:
#passwd -d hema
#passwd -S hema
#cat /etc/shadow |grep hema
From the above screenshot you can see that the password status has been updated in all the password management files.
In our next tutorial I will explain how to control password management using the “chage” utility.
If you found this article useful, please subscribe and share it with your friends. Thank you 🙂🙂