List local and LDAP users:
[user1@linux1] /home/user1 > getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
...
List all groups, local and LDAP:
[user1@linux1] /home/user1 > getent group
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
...
adgrp01:*:2222222:user1,user2,user3
Dump the users and groups cached by SSSD (raw strings from its cache database):
[user1@linux1] /home/user1 > strings /var/lib/sss/db/*
name=aix-users@test.lu,cn=groups,cn=test.lu,cn=sysdb
lu,cn=sysdb
T@test.lu,cn=users,cn=name=aix-users@test.lu,cn=groups,cn=test.lu,cn=sysdb
lu,cn=sysdb
T@test.lu,cn=users,cn=test.lu,cn=sysdb
&DN=@INDEX:UIDNUMBER:1200423298
@INDEX:UIDNUMBER:1200423298
@IDXVERSION
@IDX
name=user01@test.lu,cn=users,cn=test.lu,cn=sysdb
DN=@INDEX:GIDNUMBER:1200400513
@INDEX:GIDNUMBER:1200400513
@IDXVERSION
@IDX
...
Create a group and a user:
groupadd -g 150 staff (-r)
useradd -u 200 -c 'Test User1' -d /home/user1 -g staff -G staff,apache -s /bin/bash -p password user1
Note that useradd -p expects an already hashed password: the string is written to /etc/shadow exactly as given, so pass a crypt(3) hash rather than a clear-text value, or set the password afterwards with passwd.
To add a system user, add the options -r -m; it will be created in the SYS_UID/SYS_GID id range specified in /etc/login.defs.
Add a secondary (supplementary) group to user1:
usermod -aG group2 user1
List the members of a group:
groupmems -l group2
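The getent and groupmems listings above are the natural input for a quick account audit. The following is an added example, not part of the original page: POSIX shell functions that run over passwd- and group-format text (exactly what getent passwd and getent group print, so local and LDAP accounts are covered alike) and report accounts other than root with UID 0, UIDs shared by several accounts, and the full membership of a group. That last check matters because getent group and groupmems -l only show supplementary members; users whose primary GID is the group are not listed there. All sample data is constructed; on a live system pass in "$(getent passwd)" and "$(getent group)" instead.

```shell
#!/bin/sh
# Audit helpers over passwd- and group-format text (getent output).
# Constructed sample data, not taken from a real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
user1:x:1001:1001:User One:/home/user1:/bin/bash
user2:x:1001:1002:User Two:/home/user2:/bin/bash
user3:x:1003:1003:User Three:/home/user3:/bin/bash
svc01:x:1200423298:1200400513:LDAP service:/home/svc01:/sbin/nologin'

SAMPLE_GROUP='root:x:0:
staff:x:1001:user2
adgrp01:*:2222222:user1,user2,user3'

# Accounts other than root whose UID is 0, i.e. full root privilege.
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# UIDs used by more than one account (numerically sorted). Such accounts are
# indistinguishable to the kernel and to file ownership.
duplicate_uids() {
    printf '%s\n' "$1" \
        | awk -F: '{ n[$3]++ } END { for (u in n) if (n[u] > 1) print u }' \
        | sort -n
}

# All members of a group: supplementary members from the group record plus
# every passwd entry whose primary GID is this group. Output is sorted and
# space separated. Returns 1 if the group does not exist.
# Arguments: group name, passwd text, group text.
all_group_members() {
    agm_gid=$(printf '%s\n' "$3" | awk -F: -v g="$1" '$1 == g { print $3; exit }')
    [ -n "$agm_gid" ] || return 1
    {
        printf '%s\n' "$2" | awk -F: -v gid="$agm_gid" '$4 == gid { print $1 }'
        printf '%s\n' "$3" | awk -F: -v g="$1" \
            '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
    } | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Demo run on the constructed sample.
echo "UID 0 accounts besides root: $(extra_uid0 "$SAMPLE_PASSWD")"
echo "Duplicate UIDs: $(duplicate_uids "$SAMPLE_PASSWD" | tr '\n' ' ')"
echo "Members of staff: $(all_group_members staff "$SAMPLE_PASSWD" "$SAMPLE_GROUP")"
```

In the sample, staff has only user2 in its member field, yet user1 is also a member through the primary GID, so the combined listing is what you want when reviewing who can access group-owned files.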
Lock a user (-U to unlock):
usermod -L [LOGIN]
The chage utility:
Usage: chage [options] [LOGIN]
Options:
  -d, --lastday LAST_DAY        set date of last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximum number of days before password change to MAX_DAYS
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
Lock a user:
passwd -l USER
usermod -L USER
Unlock a user:
passwd -u USER
usermod -U USER
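Both chage and the lock commands above act on fields of /etc/shadow: chage sets the aging fields (last change, min, max, warn, inactive, expire) and passwd -l / usermod -L prefix the hash with an exclamation mark. As an added example, not from the original page, the following shell functions read shadow-format records and report what a reviewer would ask chage -l for across all accounts: which accounts are locked, which have a usable password that never expires, and which are past their maximum age on a given day. The shadow lines are constructed samples with placeholder hashes; on a live system pass in "$(cat /etc/shadow)" as root.

```shell
#!/bin/sh
# Password aging and lock-state report over shadow-format records.
# Field layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# (lastchg is days since 1970-01-01). Constructed sample, placeholder hashes.
SAMPLE_SHADOW='root:$6$salt$hashA:18000:0:99999:7:::
user1:$6$salt$hashB:19000:1:90:7:14::
user2:!$6$salt$hashC:19000:0:90:7:::
svc01:*:18000:0:99999:7:::
user3:$1$salt$hashD:19500:0:99999:7:::'

# Accounts whose hash field starts with "!" or "*": password login is
# disabled, which is what passwd -l / usermod -L produce.
locked_accounts() {
    printf '%s\n' "$1" | awk -F: 'substr($2, 1, 1) ~ /[!*]/ { print $1 }'
}

# Accounts with a usable hash (field starts with "$") and no effective
# maximum age (max empty or 99999): a password change is never forced.
never_expiring() {
    printf '%s\n' "$1" \
        | awk -F: 'substr($2, 1, 1) == "$" && ($5 == "" || $5 >= 99999) { print $1 }'
}

# Days since the last password change for one account on a given day
# (days since epoch, same unit as field 3). Prints nothing if unknown.
# Arguments: account name, shadow text, reference day.
password_age_days() {
    printf '%s\n' "$2" | awk -F: -v u="$1" -v today="$3" \
        '$1 == u && $3 != "" { print today - $3 }'
}

# Accounts whose password is older than their max age on the given day,
# i.e. expired under the policy set with chage -M. Locked accounts are skipped.
# Arguments: shadow text, reference day.
expired_on() {
    printf '%s\n' "$1" | awk -F: -v today="$2" \
        'substr($2, 1, 1) == "$" && $5 != "" && $5 < 99999 && today - $3 > $5 { print $1 }'
}

# Demo run on the constructed sample; day 19100 is the constructed "today".
echo "Locked: $(locked_accounts "$SAMPLE_SHADOW" | tr '\n' ' ')"
echo "Never expiring: $(never_expiring "$SAMPLE_SHADOW" | tr '\n' ' ')"
echo "user1 password age: $(password_age_days user1 "$SAMPLE_SHADOW" 19100) days"
echo "Expired on day 19100: $(expired_on "$SAMPLE_SHADOW" 19100 | tr '\n' ' ')"
```

To use a real date as the reference day, compute it the same way shadow does, for example $(( $(date +%s) / 86400 )).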
Change the PAM configuration to enforce password history (pam-config, SUSE):
pam-config -a --pwhistory --pwhistory-remember=6
Remove the user's entries from /etc/passwd and /etc/shadow; -r also removes the home directory and mail spool:
$ userdel -r username
Remove a group; -f deletes the group even if it is the primary group of a user:
$ groupdel -f groupname
You can check the current password hashing algorithm:
[root@centos7 etc]# authconfig --test | grep hashing
 password hashing algorithm is sha512
[root@centos7 etc]# cat /etc/login.defs | grep ENCRYPT
ENCRYPT_METHOD SHA512
[root@centos7 ~]# cat /etc/sysconfig/authconfig | grep PASSWDALGORITHM
PASSWDALGORITHM=sha512
Change the algorithm:
[root@centos7 etc]# authconfig --passalgo=sha512 --update
getsebool: SELinux is disabled
Content of the login.defs file:
[root@centos7 etc]# cat /etc/login.defs
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#

# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR      Maildir
MAIL_DIR        /var/spool/mail
#MAIL_FILE      .mail

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                  1000
GID_MAX                 60000
# System accounts
SYS_GID_MIN               201
SYS_GID_MAX               999

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD    /usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME     yes

# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK           077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
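The checks above (authconfig --test, grep ENCRYPT in login.defs) tell you what the configured algorithm is, but as the header of login.defs itself points out, passwd goes through PAM, so the configured value and the hashes actually stored in /etc/shadow can drift apart, for example for accounts created before the algorithm was changed. As an added example, not part of the original page, the following shell functions read a login.defs-style text for a key, classify each shadow hash by its crypt(3) prefix ($6$ SHA512, $5$ SHA256, $1$ MD5, $y$ yescrypt), and list accounts whose stored hash does not match ENCRYPT_METHOD. Both inputs are constructed samples with placeholder hashes; on a live system pass in "$(cat /etc/login.defs)" and "$(cat /etc/shadow)" as root.

```shell
#!/bin/sh
# Compare the configured ENCRYPT_METHOD with the hashes actually present in
# shadow-format records. Constructed samples, placeholder hashes.
SAMPLE_LOGIN_DEFS='# comment line
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UMASK           077
ENCRYPT_METHOD SHA512'

SAMPLE_SHADOW='root:$6$salt$hashA:18000:0:99999:7:::
user1:$6$salt$hashB:19000:1:90:7:14::
user3:$1$salt$hashD:19500:0:99999:7:::
svc01:*:18000:0:99999:7:::'

# Value of one login.defs key: first non-comment line whose first word is the
# key, second whitespace-separated word. Arguments: key, login.defs text.
logindefs_get() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# Map a crypt(3) hash string to the login.defs ENCRYPT_METHOD name.
hash_method() {
    case "$1" in
        '$6$'*)    echo SHA512 ;;
        '$5$'*)    echo SHA256 ;;
        '$1$'*)    echo MD5 ;;
        '$y$'*)    echo YESCRYPT ;;
        '!'*|'*'*) echo LOCKED ;;   # disabled: passwd -l / usermod -L / no password set
        '')        echo EMPTY ;;    # empty field: login without a password
        *)         echo OTHER ;;    # traditional DES or an unrecognised scheme
    esac
}

# Accounts whose stored hash was not produced with the configured
# ENCRYPT_METHOD, printed as name:method. Locked entries are skipped; an
# empty hash is reported as EMPTY. Arguments: login.defs text, shadow text.
hash_mismatches() {
    hm_want=$(logindefs_get ENCRYPT_METHOD "$1")
    printf '%s\n' "$2" | while IFS=: read -r hm_name hm_hash hm_rest; do
        hm_method=$(hash_method "$hm_hash")
        case "$hm_method" in LOCKED) continue ;; esac
        [ "$hm_method" = "$hm_want" ] || printf '%s:%s\n' "$hm_name" "$hm_method"
    done
}

# Demo run on the constructed sample.
echo "Configured: $(logindefs_get ENCRYPT_METHOD "$SAMPLE_LOGIN_DEFS")"
echo "Mismatches: $(hash_mismatches "$SAMPLE_LOGIN_DEFS" "$SAMPLE_SHADOW" | tr '\n' ' ')"
```

In the sample, user3 still carries an MD5 hash even though ENCRYPT_METHOD is SHA512; such accounts keep the old hash until their password is next changed, so the mismatch list is the set of accounts to force through chage -d 0 or passwd.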
http://www.slashroot.in/how-are-passwords-stored-linux-understanding-hashing-shadow-utils
http://wiki.centos.org/HowTos/OS_Protection
http://onemoretech.wordpress.com/2014/02/23/sssd-for-ldap-auth-on-linux/