Sunday, August 5, 2018

Shell Accounts


Main Config files
-----------------

/etc/passwd
format:
username:password:UID:GID:comment:home_directory:login_shell

for the second (password) field:
x - the encrypted password is stored in /etc/shadow (shadow password format); the user has an encrypted password
!! - no password has been set
blank - only the user name is required to log on
/etc/shadow
format:   username:encrypted password:last:may:must:warn:expire:disable:reserved

1. User name: your login name
2. Password: your encrypted password. The password should be at least 6-8 characters long, including special characters/digits
3. Last password change (lastchanged): days since Jan 1, 1970 that the password was last changed
4. Minimum: the minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his/her password
5. Maximum: the maximum number of days the password is valid (after that the user is forced to change his/her password)
6. Warn: the number of days before the password expires that the user is warned that it must be changed
7. Inactive: the number of days after the password expires that the account is disabled
8. Expire: days since Jan 1, 1970 that the account is disabled, i.e. an absolute date specifying when the login may no longer be used
/etc/gshadow
format:

group_name:password:admin:member
/etc/default/useradd
default settings for account creation
/etc/skel
location of default files that will be copied to the user's home directory
/etc/group
location of available groups in the system
format:

group_name:group_password:GID:list_of_members

Password Policy
---------------

Config files:

/etc/pam.d/system-auth
/etc/login.defs
/etc/default/useradd

/etc/pam.d/system-auth
- uses PAM mechanism (Pluggable Authentication Module)
- used in enforcing stronger passwords
- you can see more info by hitting "man pam_unix"
- NOTE: changing this file may break your logins (e.g. SSH connections no longer work, your connection is being closed, etc.), so be sure to have a backup of this file before making any changes
format:
module_interface control_flag module_name module_arguments
** module interfaces **
auth -> requests and verifies the validity of a password
account -> checks if a user account has expired or if a user is allowed to log in at a particular time of day
password -> used for changing user passwords
session -> manages user sessions (e.g like mounting a user's home directory and making the user's mailbox available)

** control flags **
required -> result must be successful for authentication to continue (user not notified)
requisite -> result must be successful for authentication to continue (user notified)
sufficient -> result is ignored if it fails
optional -> result is ignored
include -> can be removed from config

** module names **
- example of module names are: pam_unix.so, pam_deny.so, pam_cracklib.so
pam_unix.so -> used in RHEL 5/6
pam_cracklib.so -> checks the password against the dictionary and other constraints

** module arguments **
retry=3 -> denotes 3 chances
SHA512 -> password hashing algorithm used
minlen=8 -> minimum password length (supersedes PASS_MIN_LEN in /etc/login.defs)
ucredit=-1 -> at least 1 uppercase character
lcredit=-1 -> at least 1 lowercase character
ocredit=-1 -> at least 1 special character
dcredit=-1 -> at least 1 digit

examples:

line that shows password history:
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=10

line that shows max retries:
account required /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset

line that shows a strong password policy:
password  requisite  /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
/etc/login.defs
- config file for login programs
- config file for "Shadow Suite"
- doesn't use PAM
- this file is required to be present
- see more info by hitting "man login.defs"

#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   7
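As an added example (not from these notes), the shell script below applies the /etc/passwd and /etc/shadow field layout described above together with the PASS_MAX_DAYS value from /etc/login.defs to audit account records for the weaknesses the notes mention (empty or unset passwords, passwords that never expire, unshadowed hashes, extra UID 0 accounts). The records, the placeholder hashes and the finding names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit /etc/passwd and
# /etc/shadow records against a login.defs-style policy.  The inputs are
# constructed inline so it runs offline; on a host, feed the functions
# "$(cat /etc/login.defs)", "$(cat /etc/passwd)" and "$(cat /etc/shadow)".

# Constructed /etc/login.defs excerpt (same values as in the notes above).
LOGIN_DEFS='PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   7'

# Constructed /etc/passwd records: name:password:UID:GID:comment:home:shell
PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
bob:x:500:500:Bob:/home/bob:/bin/bash
legacy:$1$PLACEHOLDER:501:501:Legacy:/home/legacy:/bin/bash'

# Constructed /etc/shadow records: name:hash:last:min:max:warn:inactive:expire:reserved
# The hash values are placeholders, not real password hashes.
SHADOW='root:$6$PLACEHOLDERHASH:17000:0:99999:7:::
bob:$6$PLACEHOLDERHASH:17000:0:90:7:::
guest::17000:0:90:7:::
svc:!!:17000:0:90:7:::
apache:*:17000:0:90:7:::'

# policy_value KEY DEFS_TEXT -> value of KEY from login.defs-style text
policy_value() {
    printf '%s\n' "$2" | awk -v key="$1" '$1 == key { print $2; exit }'
}

# audit_passwd PASSWD_TEXT -> "user:finding" per line
#   UID0_NOT_ROOT   a second UID 0 account (full root privileges)
#   HASH_IN_PASSWD  field 2 is not "x": the password is not shadowed
audit_passwd() {
    printf '%s\n' "$1" | awk -F: '
        NF < 7 { next }                       # skip malformed records
        $3 == 0 && $1 != "root" { print $1 ":UID0_NOT_ROOT" }
        $2 != "x"               { print $1 ":HASH_IN_PASSWD" }
    '
}

# audit_shadow MAX_DAYS SHADOW_TEXT -> "user:finding" per line
#   EMPTY_PASSWORD   field 2 empty: only a user name is needed to log in
#   NO_PASSWORD_SET  field 2 is "!!": account created, never given a password
#   NO_AGING         max field empty or 99999: the password never expires
#   MAX_EXCEEDS      max field larger than PASS_MAX_DAYS
audit_shadow() {
    printf '%s\n' "$2" | awk -F: -v maxdays="$1" '
        NF < 5 { next }                       # skip malformed records
        $2 == ""     { print $1 ":EMPTY_PASSWORD"; next }
        $2 == "!!"   { print $1 ":NO_PASSWORD_SET"; next }
        $2 ~ /^[*!]/ { next }                 # locked/no-login: aging is irrelevant
        $5 == "" || $5 == 99999 { print $1 ":NO_AGING"; next }
        $5 + 0 > maxdays + 0    { print $1 ":MAX_EXCEEDS" }
    '
}

# run_audit -> all findings, passwd findings first, then shadow findings
run_audit() {
    audit_passwd "$PASSWD"
    audit_shadow "$(policy_value PASS_MAX_DAYS "$LOGIN_DEFS")" "$SHADOW"
}

run_audit
```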
/etc/default/useradd
- config file used by "useradd" to get the default settings for the newly created user
- you can also use "useradd -D" to display the config
- see more info by hitting "man useradd"

GROUP=100                      # user's initial login group (group must exist)
HOME=/home                     # location of user's home directory
INACTIVE=-1                    # number of days after a password expires until the account is permanently disabled
                               # (0 disables account as soon as password expires, -1 disables the feature)
EXPIRE=                        # # of days on which the account will be disabled (empty string is no expiry date)
SHELL=/bin/bash                # user's shell to use
SKEL=/etc/skel                 # skel directory
CREATE_MAIL_SPOOL=yes          # self explanatory

Managing Shell Accounts
-----------------------

Listing
## checks for empty passwords
awk -F: '($2 == "") {print}' /etc/shadow
Adding
## adds a user account to the system
useradd [option/s]
-c <"comment">  -->enables you to insert a comment
-d <home_dir>   -->specifies home directory
-u <UID>        -->specifies user id (UID)
-g <group>      -->specifies the primary group by either group id or group name
-G <group1,group2,...>  -->specifies the supplementary groups
-k <skel_dir>   -->specifies a skeleton directory other than /etc/skel
-m              -->creates user home directory if it doesn't exist
-s <shell>      -->specifies login shell
-p <encrypted_password>  -->specifies user password
-D              -->lists default options for account creation
-Db <home_dir>  -->changes default home directory
-Dg <group>     -->changes default startup group
-Ds <shell>     -->changes default startup shell for account creation
-DE <date>      -->adds an account expiration date
-Df <days>      -->disables an account for a specified number of days after a password expires
-n              -->avoids creating user with their own group (bob:bob)
## prevents creating usernames with their own groups
useradd -n bob

Deleting
## deletes a user account
userdel [options]
-r  -->deletes a user account and user home directory
Updating
## updates and creates users in batch
newusers


## directly edits password file
vipw


UIDs
----

UID/GID          RID        Purpose                          Examples
System Users     0-499      System user accounts             root, apache, mysql
System Groups    0-499      System group accounts            lp
Normal Users     500-999    User accounts outside of LDAP    devel

Managing Passwords
------------------

General Commands
passwd [options]   ##sets user password

  * if shadowing is enabled, there might be a need to manually add the user in
    /etc/shadow and put !! in the password field before issuing the passwd command

  -S -->checks status of user account (locked/unlocked)
  -l -->locks a user account
  -u -->unlocks a user account
  -uf -->force unlocks a user account
  -d -->removes a password (changes to passwordless account)
  -x number_of_days --> sets maximum number of days for which password remains valid
  -n number_of_days --> sets minimum number of days for which password remains valid
  -w number_of_days --> sets the number of days prior to password expiry that the user begins to receive warnings
  -f  --> similar to chage -d 0

usermod [options]   ##modifies user accounts
-l new_user_name user_name        changes username
-c "comment" user_name        changes comment
-d new_home_dir user_name        changes home directory
-s new_shell user_name        changes login shell
-u new_UID user_name        changes UID *only files UID inside the home directory will be changed
-G current_group,group_to_add1,..,group_to_addN user_name  ##add groups to an account
-g new_group_name user_name          ##changes group
-L user_name  ##locks a user
-U user_name  ##unlocks a user

chage [option]   ##sets password expiration date
-d mm/dd/yyyy -->indicates the last date that the password was changed (same with "chage -d YYYY-MM-DD ")
-M max_of_days -->specifies the number of days for which the password is valid
-m min_of_days -->specifies the minimum number of days before the user can change the password
-E mm/dd/yyyy -->specifies the date on which the account will expire
-I number_of_days -->specifies the number of days of inactivity after a password expires before the account is locked
-W number_of_warning_days -->specifies the number of days before a password expires and warns for expiration
-l -->lists the number of days before an account expires
-d 0 -->adds a prompt at login asking user to change password
example chage outputs:
RHEL 3.X/4.X:
[root@server~]# chage -l bob
Minimum:        0
Maximum:        99999
Warning:        7
Inactive:       -1
Last Change:            Jan 27, 2014
Password Expires:       Never
Password Inactive:      Never
Account Expires:        Never
[root@server~]#

RHEL 5.X/6.X:
[root@server~]# chage -l bob
Last password change                                    : Mar 14, 2015
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
[root@server~]#

min # of days between password change -> if this is set to 5, you are only allowed to change your password once every 5 days
max # of days between password change -> this is the number of days your current password is valid
warning -> prior number of days system will warn you that your password will expire soon
inactive -> after a password has expired, the system tracks how many days your account stays inactive until you change your password. When you reach that "inactive" number of days and you haven't changed your password, your account will be locked.

Listing
to check if a user exists:
id user_name
grep -i user_name /etc/passwd
 
lastb  ##lists unsuccessful login attempts
faillog  ##reports on failed login attempts
lastlog  ##list all recent user login
groups   ##lists groups where the user belongs
 
pwck  ##verifies integrity of password files
grpck  ##verifies integrity of group files
##checks and reset locked account
pam_tally --user bob
pam_tally --reset --user bob
pam_tally2 --> for RHEL 6.4
Changing
##alternative methods of changing user password
echo 'password' | passwd --stdin user_name
echo "user_name:password" | chpasswd
Modifying
faillog -r -u user_name   ##clears failed logins
 
## forces password change upon login
chage -d 0 bob
Removing/Disabling
## disables all password aging
chage -I -1 -m 0 -M 99999 -E -1 user_name

Managing Groups
---------------

General Commands
groupadd [options]   ##adds a new group to the system
-g GID -->specifies a numerical id
-r -->creates a system group         

groupmod [options]   ##modifies group information
-g new_GID -->changes current GID
-n new_group_name -->changes current group name
-o -->forces operation

newgrp   ##changes/logins to a new group

gpasswd [option] group_name   ##adds users to groups
-a user_name -->adds a named user to the specified group
-A user_name -->makes the named user the admin of the specified group
-d user_name -->removes the named user from the specified group
-M user1,user2,... -->enables you to add several members to the specified group (separated with commas)
-r -->removes the password from the specified group
-R -->prevents users from issuing the newgrp command to join the specified group
Modifying
gpasswd   ##changes group password
Deleting
groupdel   ##deletes a group
grpunconv        ##disables group shadowing
Adding
grpconv          ##enables group shadowing

Logins
------

Listing
# checks last login time for a particular user
lastlog -u user_name
Adding
pwconv  ##enables shadowing
Removing
pwunconv  ##disables shadowing

Switching Accounts
------------------

## switch to another user
su

## switch to another user and makes the shell a login shell
su - user_name

## switch to root
su -
su - root

## passes a command but not switches to the user
su -c "your_command"

Log Files
---------

/var/log/secure
/var/log/authlog
/var/log/sulog

NIS (Network Information Service)
---------------------------------

/etc/yp.conf
main NIS configuration file
commands
make -C /var/yp  ##updates NIS maps for any changes made to user information (or cd to /var/yp and issue make command)
authconfig-tui  ##configuring system authentication resources (used to bind NIS client to NIS domain)
/usr/lib/yp/ypinit -m  ##builds NIS database on server side

configuring NIS server daemon:
/etc/init.d/ypserv [start|stop|status|restart|condrestart|try-restart|reload|force-reload]
service ypserv [start|stop|status|restart|condrestart|try-restart|reload|force-reload]

configuring NIS passwd daemon (lets users change their passwords on the nis server from nis clients):
/etc/init.d/yppasswdd [start|stop|status|restart|condrestart|try-restart|reload|force-reload]
service yppasswdd [start|stop|status|restart|condrestart|try-restart|reload|force-reload]

configuring NIS map transfer daemon (used to speed up the transfer of very large nis maps):
/etc/init.d/ypxfrd [start|stop|status|restart|condrestart|try-restart|reload|force-reload]
service ypxfrd [start|stop|status|restart|condrestart|try-restart|reload|force-reload]

configuring NIS client daemon:
/etc/init.d/ypbind [start|stop|status|restart|condrestart|try-restart|reload|force-reload]
service ypbind [start|stop|status|restart|condrestart|try-restart|reload|force-reload]

to verify if a user authentication has been updated:
ypmatch user_name passwd
getent passwd user_name
ypcat passwd

ypwhich -m  ##queries NIS database

yppasswd  ##changes user password using a normal account
yppasswd -p ##changes user password using a root account (no need to update the database afterwards)

ypdomainname ##prints NIS domain (or domainname)

useradd -p encrypted_password user_name   ##to prevent encountering NIS password errors

rpcinfo -u yppasswd  ##another way of checking yppasswdd status

Sudo
----

/etc/sudoers
- main config file
- to edit this file, use "visudo" command (IMPORTANT: don't edit manually)
Format:

  user        host=(run_as)        command
  |                                |
  |__ This can be a user alias     |
                                   |
     This can be a command alias __|

Examples:
bob          ALL=(ALL)    /bin/su                # specifies a single command for a single user
UNIX_ADMINS  ALL=(ALL)    /bin/su                # specifies a single command for a list of users
bob          ALL=(ALL)    NOPASSWD: /bin/su      # bypass password during sudo
UNIX_ADMINS  ALL=(ALL)    NOPASSWD: ALL          # indicates user can run ALL commands
UNIX_ADMINS  ALL=(ALL)    NOPASSWD: UNIX_CMDS    # uses a command alias (list of commands)
Declaring User Aliases:
# User_Alias ALIAS_NAME = user1, user2, ..., userN
User_Alias  UNIX_ADMINS = bob, john, mary

Declaring Command Aliases:
# Cmnd_Alias ALIAS_NAME = /path/to/cmd1, /path/to/cmd2, ..., /path/to/cmdN
Cmnd_Alias  UNIX_CMDS = /sbin/reboot, /sbin/fdisk, /sbin/shutdown
Cmnd_Alias  FILE_CMDS = /bin/chown, /bin/cp
Cmnd_Alias  MISC_CMDS = /bin/chown -R testuser:testuser /home/testuser/B/, /bin/cp /home/testuser/*.dmp /root/dmp_files/

You may add sudo rules under /etc/sudoers.d/. Example:

[vagrant@node1 ~]$ sudo cat /etc/sudoers.d/vagrant
%vagrant ALL=(ALL) NOPASSWD: ALL
[vagrant@node1 ~]$
Displaying
# checks what sudo commands you have
sudo -l
Modifying
# edits sudoers file
visudo

Troubleshooting
---------------

Unable to change NIS password
when the error below is encountered, be sure to always add NIS users with the "-p" option: useradd -p encrypted_password user_name

[root@rhn1 ~]# yppasswd -p user3
Changing NIS account information for user3 on rhn1.
Please enter root password:
Changing NIS password for user3 on rhn1.
Please enter new password:
Please retype new password:
Error while changing the NIS password.
The NIS password has not been changed on rhn1.
Cannot issue yp commands even though ypbind is running
error messages:
No such map passwd.byname. Reason: Can't bind to server which serves this domain
scenario:
[root@rhn2 ~]# ypcat passwd
No such map passwd.byname. Reason: Can't bind to server which serves this domain
[root@rhn2 ~]#

solution/s:
- try turning off NetworkManager: service NetworkManager stop
- check if domain is correct: ypdomainname
- check connectivity to NIS server
- check entry in yp.conf: domain <nisdomain> server <nis_server>
Couldn't chdir to home directory
- try to disable SELinux in /etc/sysconfig/selinux: SELINUX=disabled
Internal NIS error
issue "make -C /var/yp" on NIS server
NIS hang
- restart autofs
Wrong time inside chrooted environment
Scenario:
"ls" shows timestamps which are 5 hours off from the correct time

Resolution:
cp -p /usr/share/zoneinfo/America/New_York /home/jail/etc/localtime
  # where /home/jail/etc/ is the chroot's location of config files
Unable to save sudoers file
"What now?"

--> respond with .. x - exit without saving the changes
Needs TTY?
sudo: sorry, you must have a tty to run sudo

--> comment out "Defaults  requiretty" in visudo
--> note that this method is very insecure
--> or for a particular user: "Defaults:bob!requiretty"
Unable to change group ownership
colon not permitted

--> you can encounter this on commands which use a colon
--> example is: /bin/chown root:root /dir/
--> use this instead: /bin/chown root.root /dir/
--> then save the changes
This account is currently not available.
--> you get this when doing ssh or su'ing to a specific user (user locked down)
--> this is because it has a shell of /bin/nologin or /bin/false (check in /etc/passwd)
--> change the shell to /bin/bash: chsh -s /bin/bash bob

Tutorials/Tips and Tricks
-------------------------

creating multiple users using a script
1. create a text file containing the list of users (one user name per line)

2. use the text file for the script below (user_list.txt is a placeholder for your file):
for i in $(cat user_list.txt)
do
  # -g $i assumes a group with the same name as the user already exists
  useradd -m -d /root/home/$i -s /bin/bash -g $i
done

1. create text file
touch batch-user-add.txt

2. create user list and append the following:
user1:password:1001:513:Student Account:/home/user1:/bin/bash
user2:password:1002:513:Sales user:/home/user2:/bin/bash
user100:password:1100:513:Sales user:/home/user100:/bin/bash
tom:password:1110:501:Guest Account:/home/guest:/bin/menu
jerry:password:1120:501:Guest Account:/home/guest:/bin/menu

3. create users in batch
newusers batch-user-add.txt
format of text file:
loginname:password:uid:gid:comment:home_dir:shell

4. verify that the files below are updated.
less /etc/passwd
less /etc/group
less /etc/shadow
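As an added example (not part of these notes), a shell check that validates a newusers batch file in the loginname:password:uid:gid:comment:home_dir:shell format above before it is loaded, catching malformed lines, non-numeric or system-range UIDs, duplicate login names and a home directory shared by two accounts. The batch records and finding messages are constructed for the example, and check_batch and add_users are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not part of the original notes: sanity-check a newusers(8)
# batch file before running "newusers batch-user-add.txt".  The input is
# constructed inline (the records above plus two broken lines); on a host,
# call check_batch "$(cat batch-user-add.txt)" or add_users batch-user-add.txt.

# Constructed batch file, format: loginname:password:uid:gid:comment:home_dir:shell
BATCH='user1:password:1001:513:Student Account:/home/user1:/bin/bash
user2:password:1002:513:Sales user:/home/user2:/bin/bash
baduser:password:abc:513:Broken UID:/home/baduser:/bin/bash
tom:password:1110:501:Guest Account:/home/guest:/bin/menu
jerry:password:1120:501:Guest Account:/home/guest:/bin/menu
user1:password:1003:513:Duplicate login:/home/user1b:/bin/bash
short:password:1004:513'

# check_batch BATCH_TEXT -> one "line N: ..." finding per problem, nothing when clean.
# Checks: exactly 7 fields, numeric UID, UID outside the system range (0-499)
# from the UID table above, no login name defined twice, and no home directory
# shared by two accounts (two users writing into one home defeats per-user
# file permissions).
check_batch() {
    printf '%s\n' "$1" | awk -F: '
        NF != 7 { printf "line %d: expected 7 fields, got %d\n", NR, NF; next }
        $3 !~ /^[0-9]+$/ { printf "line %d: UID \"%s\" is not numeric\n", NR, $3 }
        $3 ~ /^[0-9]+$/ && $3 < 500 { printf "line %d: UID %s is in the system range (0-499)\n", NR, $3 }
        $1 in login_line { printf "line %d: login \"%s\" already defined on line %d\n", NR, $1, login_line[$1] }
        !($1 in login_line) { login_line[$1] = NR }
        $6 in home_owner { printf "line %d: home %s already used by %s\n", NR, $6, home_owner[$6] }
        !($6 in home_owner) { home_owner[$6] = $1 }
    '
}

# add_users BATCH_FILE -> runs newusers only when the batch passes every check
add_users() {
    findings=$(check_batch "$(cat "$1")")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" >&2
        return 1
    fi
    newusers "$1"
}

check_batch "$BATCH"
```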
Adding supplementary groups to an account
1. id
# id icmadmin
uid=513(icmadmin) gid=513(icmadmin) groups=513(icmadmin),510(dssdicmp),521(ibmcmgrp)

2. usermod -G current_group,group_to_add user_name   *include the existing subgroups
usermod -G dssdicmp,ibmcmgrp,db2admin icmadmin

3. id
# id icmadmin
uid=513(icmadmin) gid=513(icmadmin) groups=513(icmadmin),510(dssdicmp),521(ibmcmgrp),520(db2admin)
Enabling nis services/daemons at boot time
[root@rhn1 nfs]# chkconfig | grep ^yp
ypbind          0:off   1:off   2:off   3:off   4:off   5:off   6:off
yppasswdd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
ypserv          0:off   1:off   2:off   3:off   4:off   5:off   6:off
ypxfrd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
[root@rhn1 nfs]#
[root@rhn1 nfs]# chkconfig ypbind on
[root@rhn1 nfs]# chkconfig yppasswdd on
[root@rhn1 nfs]# chkconfig ypserv on
[root@rhn1 nfs]# chkconfig ypxfrd on
[root@rhn1 nfs]# chkconfig | grep ^yp
ypbind          0:off   1:off   2:on    3:on    4:on    5:on    6:off
yppasswdd       0:off   1:off   2:on    3:on    4:on    5:on    6:off
ypserv          0:off   1:off   2:on    3:on    4:on    5:on    6:off
ypxfrd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@rhn1 nfs]#
Setting up chroot
- chrooting is a good way of containing an isolated environment

Different ways of using chroot command:
chroot /path/to/new/root
chroot /path/to/new/root /path/to/server
chroot [options] /path/to/new/root /path/to/server

Requirements:
1. you need to set your jail directory (e.g /home/jail or /chroot)
2. you need to copy required binaries, libraries, config files etc into your chrooted environment (e.g required libs for /bin/bash must be copied over)
3. you need to copy passwd, group, and shadow files on your chrooted environment
4. you must set a chroot shell for your chrooted users (e.g /bin/chroot-shell)
#!/bin/sh
/usr/bin/sudo /usr/sbin/chroot /home/jail /bin/su - "$USER" "$@"
Find files owned/not owned by a specific user
find / -user bob
find / ! -user bob
Configuring NIS
[NIS server]

1. install yp utilities and set NIS domain afterwards:
yum install yp*
ypdomainname nisdomain
###to make nisdomain permanent, add this line in /etc/sysconfig/network
NISDOMAIN=nisdomain
2. start yp server daemon: service ypserv start
3. start yp passwd daemon: service yppasswdd start
4. start yp forward daemon: service ypxfrd start
5. initialize NIS domain: /usr/lib/yp/ypinit -m
6. edit config file:
vi /etc/yp.conf
###add this line below
ypserver rhn1
7. restart nis daemons and services:
service ypserv restart
service yppasswdd restart
service ypxfrd restart
8. start NIS bind: service ypbind start
9. enable services at boot time:
chkconfig ypserv on
chkconfig yppasswdd on
chkconfig ypxfrd on
chkconfig ypbind on
10. test NIS: ypcat passwd

[NIS client]

1. install yp tools: yum install yp-tools
2. bind NIS client to NIS server: authconfig-tui
*check Use NIS
*uncheck Local authorization is sufficient
3. test NIS: ypcat passwd
AutoFS configuration for home directories
[NIS/NFS client]

1. install autofs: yum install autofs

2. edit auto master:
vi /etc/auto.master
##add the following line below
/home        /etc/auto.home                --timeout=600

3. create map file:
vi /etc/auto.home
##add the following line below
*        -fstype=nfs                rhn1:/home/&

4. start autofs:
service autofs start
chkconfig autofs on

5. test auto fs: su user1
Moving user to a new home directory
This is a simple hack if you want to move an existing user's home directory to a new location. This is helpful if
you have a new partition created for users' home dirs (e.g. /home2)

1. Execute this 1 command
usermod -md /home2/bob bob
  # /home2 must exist
  # /home2/bob will be created automatically by the command
  # bob's files on the old home dir will be moved to the new
  # the old home dir (together with its contents) will be deleted

2. Test as root
su - bob
  # this shouldn't return an error

3. You can also see that the /etc/passwd entry has been updated as well

grep bob /etc/passwd

