Managing User Account in Linux

Users

Managing user accounts is one of a system administrator's important daily tasks. In this article I will explain how to administer user accounts, and we will look at the configuration files needed to maintain them. Every user on the system is identified by a username and a user ID (UID) number. Humans recognize a user by the username, but the operating system uses the UID number to identify the users on your system. When you create a user account, a UID is generated with the account by default. Every user has a unique UID number.

Special Users

While the operating system is being installed, some default user accounts are created on your system; these accounts are normally called the default system accounts. These special users have different UID numbers.

Groups

Every user on your system is also a member of one or more groups. Instead of setting up individual permissions for each and every user, adding users to a group and then assigning the permission to the group is the easiest way of setting permissions for different users. Just as users have a UID, groups have a GID (group identification number).

System default configuration files that store the user account information

When you create a user or group, the default information is written to a set of configuration files. Three important configuration files store the user and group information. As you know, configuration files live under the /etc directory, and inside it we have the passwd, shadow and group files.
1./etc/passwd
The /etc/passwd file stores the essential user information that is required during login. There are seven fields in this file, and every entry in the passwd file follows the format below.
a) Username
b) Password
c) User ID (UID)
d) Group ID (GID)
e) Comment
f) Default Home Directory
g) Login Shell
Each field is separated by a colon (:).
Let me explain the fields one by one.
Username: The name used when the user logs in to the server. The username may be between 1 and 32 characters long.
Password: An x character indicates that the encrypted password is stored in the /etc/shadow file.
User ID (UID): The UID number for the root user is “0”. The UIDs 1-499 are reserved for the default system accounts; UIDs above 500 are used for the secondary user accounts that we create manually with the useradd command.
Group ID (GID): The group ID that is stored in the /etc/group file.
Home Directory: The default home directory for non-root user logins. If this directory does not exist, the user's directory becomes / instead; login problems might occur if /home is not available at login.
Login Shell: The default shell to be used when the user logs in to the system.
Let me show you a screenshot of the /etc/passwd file and how the fields are separated,

Check the file permission for /etc/passwd

#ls  -l /etc/passwd
As this file contains sensitive user information, the permission for other users is set to read-only so that users can't modify this file.
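
As an added example (not from the original article), the seven-field format can be checked mechanically. The sample lines are constructed, the finding labels are names chosen for this example, and the 1-499 system range is the one quoted above.

```shell
#!/bin/sh
# Constructed sample in /etc/passwd format (not taken from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/bin/bash
vasanth:x:500:500:Vasanth:/home/vasanth:/bin/bash
toor:x:0:0:second superuser:/root:/bin/bash
hema::501:501::/home/hema:/bin/bash
jeya:x:500:502::/home/jeya:/bin/bash
broken:x:502:502:/home/broken'

# audit_passwd: read passwd-format lines on stdin, print one finding per line.
audit_passwd() {
    awk -F: '
        $0 == "" || /^#/ { next }                    # skip blank and comment lines
        NF != 7          { print "MALFORMED " $1; next }
        # Any account with UID 0 has root privileges, whatever its name.
        $3 ~ /^0+$/ && $1 != "root" { print "UID0 " $1 }
        # Empty field 2: no password is required for this account.
        $2 == ""                    { print "EMPTY_PASSWORD_FIELD " $1 }
        # Anything other than "x" means the hash is not held in /etc/shadow.
        $2 != "" && $2 != "x"       { print "NOT_SHADOWED " $1 }
        # System range from the article (1-499) should not have a login shell.
        $3 >= 1 && $3 <= 499 && $7 !~ /(nologin|false)$/ { print "SYSTEM_LOGIN_SHELL " $1 }
        # The same UID on two names makes them the same user to the kernel.
        seen[$3]++ && $3 !~ /^0+$/  { print "DUPLICATE_UID " $1 }
    '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

On a live system the same function can be fed with `audit_passwd < /etc/passwd`.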

2./etc/shadow

This file holds the users' encrypted password information. Once you have created a password, it is encrypted and stored inside this file along with your login name. Only the root user can read this file; other users cannot. Let us have a look at this file.
#cat  /etc/shadow

1.Username: This is your login name.
2.Password: Your encrypted password information. The $id prefix identifies the algorithm used on GNU/Linux, as follows:
a.$1$ is the MD5 algorithm
b.$2a$ is the Blowfish algorithm
c.$5$ is the SHA-256 algorithm
3.Last password change: Days since the last password was changed.
4.Minimum: The number of days left before the user is allowed to change his password.
5.Maximum: The number of days the password is valid.
6.Warning: The number of days before the password is set to expire that the user is warned to change his password.
Note: The last two fields, also separated by colons, are described below.
7.Inactive: The number of days after the password expires that the account is disabled.
8.Expire: Days since the account is disabled.
Note: A password field that starts with an exclamation mark (!) means that the password is locked; if it starts without !, the account is unlocked.
Let me show you this with one example.
When the account is in the locked state

From the above output, you can see the encrypted password starts with the ! mark, which indicates the account is in the locked state.
After the account is unlocked

From the above output, the encrypted password starts without the ! mark because the account has been unlocked.
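
The password-field rules above (algorithm prefix, ! for locked, !! for no password) can be applied to every entry at once. This is an added example, not part of the original article: the shadow lines are constructed with dummy hash text, the state names are chosen for this example, and the $6$ (SHA-512) prefix is included although the list above does not mention it.

```shell
#!/bin/sh
# Constructed /etc/shadow-format lines; hash bodies are dummy text, not real hashes.
SAMPLE_SHADOW='vasanth:$5$saltsalt$DUMMYHASHDUMMYHASH:17000:0:99999:7:::
nirmal:$1$saltsalt$DUMMYHASH:17000:0:99999:7:::
hema:!!:17000:0:99999:7:::
jeya:!!$5$saltsalt$DUMMYHASHDUMMYHASH:17000:0:99999:7:::
guest::17000:0:99999:7:::
admin:$6$saltsalt$DUMMYHASHDUMMYHASH:17000:0:99999:7:::'

# classify_shadow: shadow-format lines on stdin -> "user state algorithm" lines.
classify_shadow() {
    awk -F: '
        function algo(h) {
            if (h ~ /^\$1\$/)  return "MD5"
            if (h ~ /^\$2a\$/) return "Blowfish"
            if (h ~ /^\$5\$/)  return "SHA-256"
            if (h ~ /^\$6\$/)  return "SHA-512"   # prefix not listed in the article
            return "unknown"
        }
        NF < 2 { next }
        {
            pw = $2; state = "ACTIVE"
            if (pw == "") { print $1, "EMPTY", "-"; next }   # login needs no password
            if (substr(pw, 1, 1) == "!") {                   # leading ! or !! = locked
                state = "LOCKED"
                sub(/^!+/, "", pw)
                if (pw == "") { print $1, "NO_PASSWORD", "-"; next }
            }
            print $1, state, algo(pw)
        }
    '
}

# weak_hash_users: names whose stored hash uses MD5, locked or not.
weak_hash_users() { classify_shadow | awk '$3 == "MD5" { print $1 }'; }

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SHADOW" | classify_shadow
```

Reading the real /etc/shadow requires root, for example `classify_shadow < /etc/shadow`.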

3./etc/group file

It holds the user group information, such as which user belongs to which group. As in the files above, all the fields are separated by a colon (:).

1.Group name: The name of the group.
2.Password: By default a password is not used, so this field is empty. If the group has a password, the encrypted password is stored here. If you need a group with privileged access, create a password for the group.
3.Group ID (GID): All users must be assigned a group ID. When you check the /etc/passwd file you will find the group associated with each account.
4.Group List: The usernames of all the members of the group, separated by commas.

To check the group information

#cat /etc/group

or

#less /etc/group

or

#more /etc/group

To find out which groups a user has been added to

#groups  <user name>
#groups  vasanth

Here the user Vasanth belongs to the system groups ntp and adm.

How to create a user account?

Creating a user on a Linux box is very easy; however, only the root user is allowed to perform this operation. You can add a user to a Linux box in two ways.
1) By editing the /etc/passwd file (i.e., manually adding all the fields like UID, GID, LOGINNAME, COMMENT, SHELL)
2) By using the “useradd” command, which creates the account automatically as long as you give the correct details

Syntax: To create a user account by using the “useradd” command

#useradd    -u <uid>    -g <gid>    -d <home_directory>  -s <login_shell>   -c <comment>    <login_name>

Options:

-s --> To define the user login shell
-c --> To leave a comment for a user account
Now let us add a user account by using this syntax
#useradd -u 1500  -g  10  -d  /home/nirmal  -s  /bin/bash  -c "Site Admin"  nirmal

After the account is added successfully, all the information is automatically updated in the /etc/passwd file.
#cat /etc/passwd

From the above output, all the fields were successfully updated in the /etc/passwd file.

Now if you want to confirm which group the user “hema” was added to, run the following command,

#id  <user name>

#id  hema

The group name for the ID 10 is “wheel”. If you have your own group you can also specify it with the useradd command; in this example I have used the default system group ID 10 (wheel).
Note: Sometimes the useradd command might fail under the following conditions

1.The UID you specify is already taken

2.The GID you mention does not exist

3.The comment contains special characters such as (!) and (/)

4.The shell you specify does not exist.

Method:2

Syntax:
#useradd   <user name>
In this method, the system uses the defaults to create the user account and updates the /etc/passwd file accordingly,
#useradd  jeya

Now check the account details in /etc/passwd file

#cat /etc/passwd  |grep jeya

Note: The root UID and GID are always 0, and the default group for root is always 0.
Note: Check the second field, which shows the “x” character; this is the password field (“x” appears because we are using the process called password shadowing). I will explain password shadowing in upcoming posts.
Note: In /etc/shadow, if you see double exclamation marks (!!) in the password field, it indicates that no password is assigned to the user.

 

Since the user Vasanth has a password, you will see the encrypted password line. Now check the other users Hema and jeya: you can see the !! symbol, which says that neither user has a password.
As I said, useradd <username> takes the defaults to create the user account. If you would like to know what default values are assigned to a user when an account is created with the useradd command, here you go.
In Linux, two configuration files hold the default values assigned to a user by the useradd command.
1./etc/default/useradd file

#cat /etc/default/useradd

or
You can also use the following command to fetch the same details
#useradd -D

2./etc/login.defs

This file contains values such as UID, GID, expiry information, the password encryption method and much more.
#cat /etc/login.defs
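
Because these defaults are applied to every new account, they are worth checking before accounts are created. The following is an added example, not from the original article: the login.defs excerpt is constructed, and the 90-day limit and the set of accepted ENCRYPT_METHOD values are assumptions of the example, not values the article recommends.

```shell
#!/bin/sh
# Constructed login.defs excerpt (values chosen for this example).
SAMPLE_LOGIN_DEFS='# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UID_MIN         500
ENCRYPT_METHOD  MD5'

# audit_login_defs LIMIT: login.defs content on stdin, findings on stdout.
# LIMIT is the longest password lifetime (in days) the caller accepts.
audit_login_defs() {
    awk -v limit="$1" '
        BEGIN { limit += 0 }
        $1 ~ /^#/ || NF < 2 { next }       # skip comments and incomplete lines
        { conf[$1] = $2 }                  # if a key repeats, this example keeps the last
        END {
            if (!("PASS_MAX_DAYS" in conf))
                print "PASS_MAX_DAYS unset"
            else if (conf["PASS_MAX_DAYS"] + 0 > limit)
                print "PASS_MAX_DAYS " conf["PASS_MAX_DAYS"] " exceeds " limit
            if (conf["PASS_WARN_AGE"] + 0 < 1)
                print "PASS_WARN_AGE gives no warning"
            m = ("ENCRYPT_METHOD" in conf) ? conf["ENCRYPT_METHOD"] : "unset"
            if (m != "SHA256" && m != "SHA512")
                print "ENCRYPT_METHOD is " m
        }
    '
}

# Stand-alone run over the constructed sample with a 90-day limit.
printf '%s\n' "$SAMPLE_LOGIN_DEFS" | audit_login_defs 90
```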

You can also change the default values with the useradd command. Let me show you a couple of examples of how to change the default values of the useradd command.

Changing the default values of the useradd command

You can change the default values of the useradd command in two ways
1.Editing the /etc/default/useradd file manually
2.With the useradd command, by using some options

Now I am going to change the default home directory for all new users

#useradd -D

From the above output, all the users will use /home as their default home directory. Now let us change this default home directory,
#useradd -D -b /var/users

Now check whether it is updated in the configuration file
#useradd -D

or

#useradd -D |grep HOME

The above output shows that from now onwards all new users will use /var/users as their default home directory.

Change the default Login Shell

By default all users use /bin/bash as their login shell. Now I am going to change it from bash to the Bourne shell, i.e., sh
#useradd -D -s /bin/sh

#useradd -D

From the output we can see the default shell; from now onwards all new users will use sh as their login shell.
Once you have created a user account, the next step is to set a password for the account. The passwd command is used to set the password for an account.

Ex:1 To set a password for an account

Syntax:
#passwd  <user name>

#cat /etc/shadow  |grep hema

From the above screenshot, you will not see an encrypted line in the password field, as the user does not have a password yet; the (!!) indicates that no password has been set for the account (i.e., no password).
#passwd hema

New password:******

After the password is created, it should be stored in encrypted format in the /etc/shadow file
#cat /etc/shadow |grep hema

As you can see from the output, before you create a password for the account, nothing shows in the password field of the /etc/shadow file except !! (which indicates no password, NP). After assigning the password you can see the encrypted line in the password field.

Note: A locked account shows the same !! mark.

Ex:2 To check the details or status of an account password

With the passwd command, use the -S option to fetch the status of the account password,

Syntax:

#passwd  -S  <username>

-S --> To fetch the status of the user password

#passwd -S  hema

The result gives you seven fields, each one with a different status
1.The first field is the user login name
2.The second field says whether the account is in the locked state (LK) or has no password (NP)
3.The third field shows the date of the last password change
4.The fourth field shows the minimum age for the password
5.The fifth field shows the maximum age for the password
6.The sixth field shows the warning period for the password
7.The seventh field shows the inactivity period for the password.

Ex:3 To Lock a specified account

Syntax:

#passwd   -l   <username>

-l --> To lock the account password

#cat /etc/shadow  |grep hema

Now lock the user account as below
#passwd -l  hema

Now check the shadow file for the changes,
#cat /etc/shadow  |grep hema

Ex:4  To Unlock the account

Syntax:
#passwd  -u  <username>
#passwd  -u hema

#cat /etc/shadow  |grep hema

From the output you can see that once the account is brought back to the unlocked state, the !! mark before the $ sign is removed. As an admin you should know the meaning of !!, NP and PS in the shadow file.
I will show you one small example of how the status is updated before and after the account is locked and unlocked.

PS --> Account has a password and is in the active state
LK --> Account is locked

Ex:5 To set Minimum number of days Before the password change

The user can't change or modify his/her password until the minimum number of days has passed.
If I assign 6 days as the minimum password age for the user Vasanth, then Vasanth has to use the current password for at least 6 days and is not allowed to change the password within these 6 days.
Syntax:
#passwd  -n  <days>  <username>
#passwd  -n   6  vasanth

Now check the password status for the user Vasanth,
#passwd  -S vasanth

From the above output, the minimum number of days required before the password can be changed is now 6 days.

Ex:6  Set the maximum number of days before the password change

This tells the user how many days the current password can be used; within this maximum number of days the user must change his/her password. Once the maximum days are over, the account will automatically lock.
Syntax:
#passwd  -x <days> <username>
#passwd  -S hema

From the above screenshot, the maximum number of days allowed before the password change is 7 days for the user Hema. Let me modify this by using the following command
#passwd  -x 10 hema

Now check the status
#passwd  -S hema

Ex:7 How to Set warning days before the password expires

If you set the warning days for a user then he/she will receive an alert message to change the password 12 days before the account expiry date.
Syntax:
#passwd  -w  <warning days>  <username>
#passwd -w 12  hema

Now check the status to see whether it is updated in the password management file
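
The minimum, maximum, warning and inactive values set in Ex:5 to Ex:7 combine into one state per account. This added example (not from the original article) works that out for a constructed shadow entry; the state names and the boundary rule (expired once today reaches last change + maximum) are assumptions of this example, and field 3 is read as the day number, counted from 1970-01-01, on which the password was last changed.

```shell
#!/bin/sh
# aging_state TODAY SHADOW_LINE -> prints "<state> <change_allowed|change_blocked>"
# TODAY is a day number counted from 1970-01-01, the same unit as shadow field 3.
aging_state() {
    printf '%s\n' "$2" | awk -F: -v today="$1" '
    BEGIN { today += 0 }
    {
        last = $3 + 0; min = $4 + 0; warn = $6 + 0
        # Minimum age: the user may not change the password before last + min.
        change = (today < last + min) ? "change_blocked" : "change_allowed"
        if ($8 != "" && today >= $8 + 0)  state = "ACCOUNT_EXPIRED"   # field 8 reached
        else if ($5 == "")                state = "NO_EXPIRY"         # no maximum set
        else {
            expires = last + $5
            if ($7 != "" && today >= expires + $7) state = "INACTIVE" # grace period over
            else if (today >= expires)             state = "EXPIRED"
            else if (today >= expires - warn)      state = "WARNING"
            else                                   state = "OK"
        }
        print state, change
    }'
}

# today_days: the current day number, for use against a live shadow entry.
today_days() { echo $(( $(date +%s) / 86400 )); }

# Constructed entry: changed on day 17000, min 6, max 30, warn 7, inactive 5.
SAMPLE_ENTRY='hema:$5$saltsalt$DUMMYHASH:17000:6:30:7:5::'

# Stand-alone run: walk the entry through its lifetime.
for d in 17003 17010 17025 17032 17040; do
    echo "day $d: $(aging_state "$d" "$SAMPLE_ENTRY")"
done
```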

Ex:8 How to DELETE the password for a user account?

You can do this in two ways. One is by editing the /etc/shadow file, i.e., removing the encrypted line for the user. The second is quite easy: by using the “passwd” command with the “-d” option you can remove the password.
Syntax:
#passwd -d  <username>
Let me remove the password for the user hema. Remember to check the password status in the /etc/shadow file after removing the password.
#passwd  -S hema

Now delete the password by using the following command
#passwd -d hema

#passwd -S hema

or

#cat  /etc/shadow  |grep hema

From the above screenshot, you will see the password status has been updated in all the password management files.
In our next tutorial, I will explain how to control password management by using the “chage” utility.

About Author:

Hello readers! Let me introduce myself first. My name is Vasanth Nirmal Singh J S, having 9+ years of experience in IT on all flavours of Unix operating systems, storage and many more. I would like to share the technical experience I have come across, which can be of help to other people. So in this blog, I'll post my thoughts related to ITIS. I'll share experiences that I've had while working in different environments. You can expect content related to Unix, Solaris, Linux, EMC Storages, HP-UX and many others. I hope this blog can be useful for you! Your comments will be appreciated!
