List local and LDAP users
[user1@linux1] /home/user1 > getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
...
List parameters for a specific user
[root@linux1] /root > lslogins shs
Username:                           shs
UID:                                1000
Gecos field:                        Sandra H-S
Home directory:                     /home/shs
Shell:                              /bin/bash
No login:                           no
Password is locked:                 no
Password not required:              no
Login by password disabled:         no
Password encryption method:         SHA-512
Primary group:                      shs
GID:                                1000
Supplementary groups:               secteam,sudo
Supplementary group IDs:            11,27
Last login:                         14:44
Last terminal:                      pts/1
Last hostname:                      192.168.0.13
Hushed:                             no
Password expiration warn interval:  7
Password changed:                   2020-Sep30
Maximum change time:                99999
Running processes:                  67
List user accounts (lslogins -u shows user accounts, as opposed to -s for system accounts, with their process count, lock state and last login; an empty LAST-LOGIN means the account has never logged in)
[root@linux1] /root > lslogins -u
 UID USER PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
   0 root  151        0        0            root
1000 shs    68        0        0      12:35 Sandra H-S
Check the password status of a single account (see the passwd -S status codes further down):
[root@linux1] /root > passwd -S glpiagent
glpiagent PS 2024-02-13 0 99999 7 -1 (Password set, SHA512 crypt.)
List all groups, local and LDAP
[user1@linux1] /home/user1 > getent group
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
...
adgrp01:*:2222222:user1,user2,user3
Change a password non-interactively. passwd talks to the terminal through PAM, so piping into it is unreliable (on RHEL-family systems passwd --stdin exists for this); chpasswd is the supported batch tool. Either way the plaintext lands in the shell history and, with echo, in the process list, so prefer chpasswd -e with a pre-computed crypt hash.
# echo -e "MyOldPasswd\nMyNewPasswd\nMyNewPasswd" | passwd
# echo "user01:MyNewPasswd" | chpasswd
List LDAP/AD users cached by SSSD. The domain cache lives in /var/lib/sss/db; running strings on it dumps the raw cache records, which is useful when the directory is unreachable and you need to know which accounts were cached:
[user1@linux1] /home/user1 > strings /var/lib/sss/db/*
name=aix-users@test.lu,cn=groups,cn=test.lu,cn=sysdb
lu,cn=sysdb
T@test.lu,cn=users,cn=name=aix-users@test.lu,cn=groups,cn=test.lu,cn=sysdb
lu,cn=sysdb
T@test.lu,cn=users,cn=test.lu,cn=sysdb
&DN=@INDEX:UIDNUMBER:1234423298
@INDEX:UIDNUMBER:1234423298
@IDXVERSION
@IDX
name=user01@test.lu,cn=users,cn=test.lu,cn=sysdb
DN=@INDEX:GIDNUMBER:1234400513
@INDEX:GIDNUMBER:1234400513
@IDXVERSION
@IDX
...
Look up one user directly in the sss source. A lookup by name works even when SSSD enumeration is disabled (the default), in which case a plain getent passwd without a name lists only local accounts:
[user1@linux1] /home/user1 > getent passwd -s sss user01
user01@test.lu:*:1234423298:1234400513:My test user:/home/user01@test.lu:/usr/bin/bash
List users in an AD group
[user1@linux1] /home/user1 > getent group grpadmin@test.lu
grpadmin@ad.lu:*:1234423233:user01@test.lu,user02@test.lu,user03@test.lu,
Create a group and a user:
groupadd -g 150 staff            (add -r for a system group)
useradd -u 200 -c 'Test User1' -d /home/user1 -g staff -G staff,apache -s /bin/bash -p '<crypt-hash>' user1
Note: -p expects the already-hashed password as returned by crypt(3), not the plaintext. A plaintext value is written verbatim to /etc/shadow and will never match a login. Either pass a real hash or leave -p out and set the password afterwards with passwd or chpasswd.
To add a system user (add the options -r -m), it will be created in the SYS_UID/SYS_GID range specified in /etc/login.defs.
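Both the non-interactive password change above and useradd -p need the crypt(3) hash rather than the plaintext. The script below is an added example (not from the original page) that produces a SHA-512 crypt hash with openssl and builds the chpasswd -e line and the useradd command from it; the login names, password and salt are made up for the demonstration, and openssl 1.1.1 or later is assumed for the -6 option.

```shell
#!/bin/sh
# Added example, not from the original page: generate a crypt(3) SHA-512 hash
# and hand it to useradd -p / chpasswd -e, which both expect the HASH, not
# the plaintext. Login names, salt and password are made up for the demo.
# Requires openssl >= 1.1.1 (for -6).

# sha512_hash PASSWORD SALT -> "$6$SALT$..." in the format /etc/shadow stores.
# The plaintext goes to openssl over stdin so it never shows up in `ps`.
# SALT is fixed here only to make the output reproducible; in real use drop
# -salt and let openssl pick a random salt.
sha512_hash() {
    printf '%s\n' "$1" | openssl passwd -6 -salt "$2" -stdin
}

# chpasswd_line LOGIN PASSWORD SALT -> "LOGIN:$6$..." suitable for `chpasswd -e`
# (-e tells chpasswd that the second field is already encrypted).
chpasswd_line() {
    h=$(sha512_hash "$2" "$3") || return 1
    printf '%s:%s\n' "$1" "$h"
}

# useradd_cmd LOGIN PASSWORD SALT -> the useradd command line (as a string)
# that creates the account with the hash already in place. Printed rather
# than executed so it can be reviewed; run it as root when satisfied.
useradd_cmd() {
    h=$(sha512_hash "$2" "$3") || return 1
    printf "useradd -m -c 'Test User' -s /bin/bash -p '%s' %s\n" "$h" "$1"
}

# Demonstration (user and password exist only in this example):
chpasswd_line user01 'MyNewPasswd' 'Zr7kQp2m'
useradd_cmd user1 'MyNewPasswd' 'Zr7kQp2m'
```

To apply the generated line on a real host pipe it straight into chpasswd as root, e.g. chpasswd_line ... | chpasswd -e, so the hash rather than the plaintext is what travels through the pipeline.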
Add a secondary group for the user1
usermod -aG group2 user1
List the members of a group
groupmems -l group2
Lock a user (-U for unlock)
usermod -L [LOGIN]
The chage utility (password aging; the values live in /etc/shadow):
[root@linux01 ~]# chage -M 90 myadmin
[root@linux01 ~]# chage -l myadmin
Last password change                                    : Jul 22, 2019
Password expires                                        : Oct 20, 2019
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 7
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7
Usage: chage [options] [LOGIN]
Options:
  -d, --lastday LAST_DAY        set date of last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximum number of days before password change to MAX_DAYS
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
Lock a user:
passwd -l USER
usermod -L USER
Unlock a user:
passwd -u USER
usermod -U USER
Both lock commands only prepend "!" to the hash in /etc/shadow, so they block password logins but not other methods such as SSH public keys. As usermod(8) points out, to lock the account itself also set an expiry date with the -e option (or chage -E).
Verify the status of a user with the passwd command. The fields are: login, status, date of last password change, minimum age, maximum age, warning period and inactivity period (-1 = not set):
P or PS: password is set (user is unlocked)
L or LK: user is locked
N or NP: no password is needed by the user
[root@temp-rh8 ~]# passwd -S agent
agent PS 2023-10-16 0 99999 7 -1 (Password set, SHA512 crypt.)
Change the PAM configuration for password history (pam-config is the SUSE tool; on other distributions edit the pam_pwhistory line in the PAM password stack, e.g. /etc/pam.d/system-auth on RHEL-family systems):
pam-config -a --pwhistory --pwhistory-remember=6
Remove a user; the entries are dropped from /etc/passwd and /etc/shadow, and -r also deletes the home directory and mail spool:
$ userdel -r username
Remove a group; -f deletes it even if it is the primary group of a user:
$ groupdel -f groupname
You can check the current password hashing algorithm (authconfig is the CentOS/RHEL 7 tool; RHEL 8 and later replace it with authselect, and ENCRYPT_METHOD in /etc/login.defs plus the pam_unix line in /etc/pam.d/system-auth are where to look there):
[root@centos7 etc]# authconfig --test|grep hashing
 password hashing algorithm is sha512
[root@centos7 etc]# cat /etc/login.defs | grep ENCRYPT
ENCRYPT_METHOD SHA512
[root@centos7 ~]# cat /etc/sysconfig/authconfig | grep PASSWDALGORITHM
PASSWDALGORITHM=sha512
Change the algorithm. This only affects hashes created from now on; existing entries in /etc/shadow keep their old scheme until the password is changed:
[root@centos7 etc]# authconfig --passalgo=sha512 --update
getsebool:  SELinux is disabled
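The passwd -S status codes, the chage aging fields and the hash algorithm check above all read the same fields of /etc/shadow. The script below is an added example, not from the original page, that reproduces those three interpretations over a set of constructed shadow records so a whole file can be audited at once without root; the hashes are placeholders, and the myadmin record reuses the dates from the chage example above (last change Jul 22 2019, maximum 90 days).

```shell
#!/bin/sh
# Added example, not from the original page: interpret /etc/shadow records the
# way `passwd -S` and `chage -l` do, over a constructed sample, so a whole file
# can be audited without root. Real use: sudo cat /etc/shadow | shadow_findings
# Field layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# (lastchg/expire are days since 1970-01-01). The hashes below are placeholders.

SAMPLE_SHADOW='root:$6$salt$fakehash:19000:0:99999:7:::
myadmin:$6$salt$fakehash:18099:7:90:7:::
legacy:$1$salt$fakehash:17000:0:99999:7:::
svc:*:18000:0:99999:7:::
nopass::18000:0:99999:7:::
locked:!$6$salt$fakehash:18000:0:99999:7:::'

# pw_status HASH -> NP (empty field), LK (leading "!" or "*"), PS (usable hash);
# the same codes passwd -S prints.
pw_status() {
    case "$1" in
        '')        echo NP ;;
        '!'*|'*'*) echo LK ;;
        *)         echo PS ;;
    esac
}

# hash_algo HASH -> crypt(3) scheme from the id prefix. A leading "!" is stripped
# first: passwd -l / usermod -L only prepend it and keep the original hash.
hash_algo() {
    h=${1#!}
    case "$h" in
        '$6$'*) echo sha512 ;;
        '$5$'*) echo sha256 ;;
        '$y$'*) echo yescrypt ;;
        '$2'*)  echo bcrypt ;;
        '$1$'*) echo md5 ;;
        ''|'*') echo none ;;
        *)      echo unknown ;;
    esac
}

# day_to_date DAYS -> YYYY-MM-DD (GNU or busybox date)
day_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%Y-%m-%d
}

# expiry LASTCHG MAX -> the date the password expires, "must change" when
# lastchg is 0, or "never" when max is empty, negative or >= 10000 (the
# threshold chage applies before printing "never").
expiry() {
    lastchg=$1
    max=${2:-99999}
    if [ "$lastchg" -eq 0 ]; then
        echo "must change"
    elif [ "$max" -lt 0 ] || [ "$max" -ge 10000 ]; then
        echo never
    else
        day_to_date $(( lastchg + max ))
    fi
}

# shadow_report < shadow-lines -> one "name status algo expires" line per record
shadow_report() {
    while IFS=: read -r name hash lastchg min max warn inactive expire rest; do
        [ -n "$name" ] || continue
        printf '%s %s %s %s\n' "$name" "$(pw_status "$hash")" \
            "$(hash_algo "$hash")" "$(expiry "${lastchg:-0}" "$max")"
    done
}

# shadow_findings < shadow-lines -> records worth a second look: no password,
# weak or unrecognised hash, or a usable password that never expires.
shadow_findings() {
    shadow_report | awk '$2=="NP" || $3=="md5" || $3=="unknown" || ($2=="PS" && $4=="never")'
}

printf '%s\n' "$SAMPLE_SHADOW" | shadow_report
```

The findings filter is deliberately narrow: a locked service account with "*" as its hash is normal and is not reported, whereas an interactive account with a working password and no maximum age, or an md5 hash left over from before the algorithm was switched to SHA-512, is exactly what the algorithm change above does not fix by itself.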
Content of the login.defs file. These values apply to accounts created afterwards by useradd/groupadd; aging for existing accounts has to be changed with chage:
[root@centos7 etc]# cat /etc/login.defs
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#

# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR      Maildir
MAIL_DIR        /var/spool/mail
#MAIL_FILE      .mail

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                  1000
GID_MAX                 60000
# System accounts
SYS_GID_MIN               201
SYS_GID_MAX               999

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD    /usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME     yes

# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK           077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
To check whether a system is configured to allow more or fewer than the usual three failed logins, look at the value of deny in /etc/security/faillock.conf:
# Deny access if the number of consecutive authentication failures
# for this user during the recent interval exceeds n tries.
# The default is 3.
deny = 3
Show the failures recorded for a user (V in the Valid column means the entry still counts towards the lockout):
# faillock --user baeldung
baeldung:
When                Type  Source                                           Valid
2022-06-21 18:32:16 RHOST 192.168.0.22                                     V
2022-06-21 18:32:29 RHOST 192.168.0.22                                     V
2022-06-21 18:32:41 RHOST 192.168.0.22                                     V
Unlock a user:
# faillock --user baeldung --reset
Or
# rm /var/run/faillock/baeldung