===== User Management on Linux CentOS / Redhat v7 =====
==== Base commands ====
=== List all users ===
List local and LDAP users
[user1@linux1] /home/user1 > getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
...
List parameters for a specific user
[root@linux1] /root > lslogins shs
Username: shs
UID: 1000
Gecos field: Sandra H-S
Home directory: /home/shs
Shell: /bin/bash
No login: no
Password is locked: no
Password not required: no
Login by password disabled: no
Password encryption method: SHA-512
Primary group: shs
GID: 1000
Supplementary groups: secteam,sudo
Supplementary group IDs: 11,27
Last login: 14:44
Last terminal: pts/1
Last hostname: 192.168.0.13
Hushed: no
Password expiration warn interval: 7
Password changed: 2020-Sep30
Maximum change time: 99999
Running processes: 67
List logged-in users
[root@linux1] /root > lslogins -u
UID USER PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
0 root 151 0 0 root
1000 shs 68 0 0 12:35 Sandra H-S
[root@linux1] /root > passwd -S glpiagent
glpiagent PS 2024-02-13 0 99999 7 -1 (Password set, SHA512 crypt.)
List all groups, local and LDAP
[user1@linux1] /home/user1 > getent group
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
...
adgrp01:*:2222222:user1,user2,user3
=== Change a user password ===
# echo -e "MyOldPasswd\nMyNewPasswd\nMyNewPasswd" | passwd
# echo "user01:MyNewPasswd" | chpasswd
Piping into plain passwd is unreliable because it reads from the terminal (on CentOS/RHEL, root can use passwd --stdin instead); chpasswd is the portable choice for scripted changes. Both forms leave the clear-text password in the shell history unless it is read from a file or variable.
=== List all LDAP users ===
List the LDAP/AD users and groups cached by SSSD (raw dump of the cache database)
[user1@linux1] /home/user1 > strings /var/lib/sss/db/*
name=aix-users@test.lu,cn=groups,cn=test.lu,cn=sysdb
lu,cn=sysdb
T@test.lu,cn=users,cn=name=aix-users@test.lu,cn=groups,cn=test.lu,cn=sysdb
lu,cn=sysdb
T@test.lu,cn=users,cn=test.lu,cn=sysdb
&DN=@INDEX:UIDNUMBER:1234423298
@INDEX:UIDNUMBER:1234423298
@IDXVERSION
@IDX
name=user01@test.lu,cn=users,cn=test.lu,cn=sysdb
DN=@INDEX:GIDNUMBER:1234400513
@INDEX:GIDNUMBER:1234400513
@IDXVERSION
@IDX
...
[user1@linux1] /home/user1 > getent passwd -s sss user01
user01@test.lu:*:1234423298:1234400513:My test user:/home/user01@test.lu:/usr/bin/bash
List the users in an AD group
[user1@linux1] /home/user1 > getent group grpadmin@test.lu
grpadmin@ad.lu:*:1234423233:user01@test.lu,user02@test.lu,user03@test.lu,
=== Create user and group ===
Create a group and a user (add -r to groupadd for a system group):
groupadd -g 150 staff (-r)
useradd -u 200 -c 'Test User1' -d /home/user1 -g staff -G staff,apache -s /bin/bash -p password user1
Note that -p expects an already-hashed password (the crypt(3) string), not clear text: a clear-text value leaves the account without a valid hash and exposes the password in the process list and shell history, so prefer setting it afterwards with passwd or chpasswd.
To add a system user, add the options -r -m; it will be created in the SYS_UID/SYS_GID id range specified in /etc/login.defs
Add a secondary group for the user1
usermod -aG group2 user1
List the members of a group
groupmems -l group2
Lock a user (-U to unlock)
usermod -L [LOGIN]
The **chage** utility.
[root@linux01 ~]# chage -M 90 myadmin
[root@linux01 ~]# chage -l myadmin
Last password change : May 23, 2025
Password expires : May 23, 2026
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 8
[root@linux01 ~]# lchage -l myadmin
Account is not locked.
Minimum: 0
Maximum: 90
Warning: 8
Inactive: Never
Last Change: 05/23/2025
Password Expires: 05/23/2026
Password Inactive: Never
Account Expires: Never
Usage: chage [options] [LOGIN]
Options:
  -d, --lastday LAST_DAY        set date of last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximum number of days before password change to MAX_DAYS
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
Lock a user:
passwd -l USER
usermod -L USER
Unlock a user:
passwd -u USER
usermod -U USER
Verify the status of a user with the passwd command (second field of the output):
P or PS: password is set (user is unlocked)
L or LK: user is locked
N or NP: no password is needed by the user
[root@temp-rh8 ~]# passwd -S agent
agent PS 2023-10-16 0 99999 7 -1 (Password set, SHA512 crypt.)
Change the PAM configuration for password history (pam_pwhistory). pam-config is SUSE's tool; on CentOS/RHEL 7 the equivalent is adding pam_pwhistory.so with remember=6 to the password stack in /etc/pam.d/system-auth and /etc/pam.d/password-auth.
pam-config -a --pwhistory --pwhistory-remember=6
=== Delete user and group ===
Remove the user's entries from the /etc/passwd and /etc/shadow files (-r also removes the home directory and mail spool):
$ userdel -r username
Remove the group (-f deletes the group even if it is the primary group of a user):
$ groupdel -f groupname
==== Default user parameters ====
=== Password Algorithm ===
You can check the current password algorithm:
[root@centos7 etc]# authconfig --test|grep hashing
password hashing algorithm is sha512
[root@centos7 etc]# cat /etc/login.defs | grep ENCRYPT
ENCRYPT_METHOD SHA512
[root@centos7 ~]# cat /etc/sysconfig/authconfig | grep PASSWDALGORITHM
PASSWDALGORITHM=sha512
Change the algorithm:
[root@centos7 etc]# authconfig --passalgo=sha512 --update
getsebool: SELinux is disabled
Content of the login.defs file:
[root@centos7 etc]# cat /etc/login.defs
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 201
SYS_GID_MAX 999
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
==== Locked users ====
Check whether a user is locked:
[root@Linux ~]# passwd -S user1
user1 LK 2023-01-07 0 99999 7 -1 (Password locked.)
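As an added example (not part of the original page), a small POSIX shell audit that applies the passwd -S categories, the ENCRYPT_METHOD SHA512 expectation and the login.defs PASS_MAX_DAYS default above to /etc/shadow-style entries: it flags locked and password-less accounts, non-SHA-512 hashes and passwords that never expire. The entries are constructed samples; on a real host the input would be /etc/shadow read as root.

```shell
#!/bin/sh
# Constructed sample /etc/shadow entries (hashes are dummies, not real).
# Field layout: login:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$abc$xyz:19500:0:99999:7:::
user1:!$6$abc$xyz:19364:0:99999:7:::
legacy:$1$abc$xyz:18000:0:90:7:::
svc:*:19000:0:99999:7:::
nopass::19000:0:99999:7:::
myadmin:$6$abc$xyz:20231:0:90:8:::'

# shadow_findings ENTRY -> "login: finding[,finding...]" or "login: ok"
shadow_findings() {
  IFS=: read -r login hash lastchg min max warn inactive expire _ <<EOF
$1
EOF
  findings=""
  case "$hash" in
    "")        findings="no-password" ;;   # passwd -S reports NP
    "!"*|"*"*) findings="locked" ;;        # passwd -S reports LK
  esac
  # Drop a leading "!" lock marker so the hash algorithm is still visible.
  algo=${hash#!}
  case "$algo" in
    '$6$'*)      ;;                                    # SHA-512, expected
    '$5$'*)      findings="$findings,weak-hash:sha256" ;;
    '$1$'*)      findings="$findings,weak-hash:md5" ;;
    ""|"*"|"!"*) ;;                                    # no hash at all
    *)           findings="$findings,unknown-hash" ;;
  esac
  # 99999 is the PASS_MAX_DAYS default: the password never ages out.
  [ "${max:-99999}" -ge 99999 ] && findings="$findings,no-expiry"
  findings=${findings#,}
  printf '%s: %s\n' "$login" "${findings:-ok}"
}

# audit_shadow SHADOW_TEXT -> one findings line per entry
audit_shadow() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    shadow_findings "$line"
  done
}

audit_shadow "$SAMPLE_SHADOW"
```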
To check if a system is configured to allow more or less than the usual three failed logins, we can check the value of deny in the **/etc/security/faillock.conf** file:
# Deny access if the number of consecutive authentication failures
# for this user during the recent interval exceeds n tries.
# The default is 3.
deny = 3
# faillock --user baeldung
baeldung:
When Type Source Valid
2022-06-21 18:32:16 RHOST 192.168.0.22 V
2022-06-21 18:32:29 RHOST 192.168.0.22 V
2022-06-21 18:32:41 RHOST 192.168.0.22 V
Unlock a user:
# faillock --user baeldung --reset
Or
# rm /var/run/faillock/baeldung