This section discusses some of the things that you will want to know now that you have the Shadow Suite installed on your system. More information is contained in the manual pages for each command.
The Shadow Suite added the following command line oriented commands for adding, modifying, and deleting users. You may also have installed the adduser
program.
The useradd
command can be used to add users to the system. You also invoke this command to change the default settings.
The first thing that you should do is to examine the default settings and make changes specific to your system:
useradd -D
GROUP=1 HOME=/home INACTIVE=0 EXPIRE=0 SHELL= SKEL=/etc/skel
The defaults are probably not what you want, so if you started adding users now you would have to specify all the information for each user. However, we can and should change the default values.
On my system:
/bin/bash
useradd -D -g100 -e60 -f0 -s/bin/bash
Now running useradd -D
will give:
GROUP=100 HOME=/home INACTIVE=0 EXPIRE=60 SHELL=/bin/bash SKEL=/etc/skel
Just in case you wanted to know, these defaults are stored in the file /etc/default/useradd
.
Now you can use useradd
to add users to the system. For example, to add the user fred
, using the defaults, you would use the following:
This will create the following entry in the
useradd -m -c "Fred Flintstone" fred
/etc/passwd
file:
And the following entry in the
fred:*:505:100:Fred Flintstone:/home/fred:/bin/bash
/etc/shadow
file:
fred:!:0:0:60:0:0:0:0
fred
's home directory will be created and the contents of /etc/skel
will be copied there because of the -m
switch.
Also, since we did not specify a UID, the next available one was used.
fred
's account is created, but fred
still won't be able to login until we unlock the account. We do this by changing the password.
passwd fred
Changing password for fred Enter the new password (minimum of 5 characters) Please use a combination of upper and lower case letters and numbers. New Password: ******* Re-enter new password: *******
/etc/shadow
will contain:
And
fred:J0C.WDR1amIt6:9559:0:60:0:0:0:0
fred
will now be able to login and use the system. The nice thing about useradd
and the other programs that come with the Shadow Suite is that they make changes to the /etc/passwd
and /etc/shadow
files atomically. So if you are adding a user, and another user is changing their password at the same time, both operations will be performed correctly.
You should use the supplied commands rather than directly editing /etc/passwd
and /etc/shadow
. If you were editing the /etc/shadow
file, and a user were to change his password while you are editing, and then you were to save the file you were editing, the user's password change would be lost.
Here is a small interactive script that adds users using useradd
and passwd
:
#!/bin/bash # # /sbin/newuser - A script to add users to the system using the Shadow # Suite's useradd and passwd commands. # # Written my Mike Jackson <[email protected]> as an example for the Linux # Shadow Password Howto. Permission to use and modify is expressly granted. # # This could be modified to show the defaults and allow modification similar # to the Slackware Adduser program. It could also be modified to disallow # stupid entries. (i.e. better error checking). # ## # Defaults for the useradd command ## GROUP=100 # Default Group HOME=/home # Home directory location (/home/username) SKEL=/etc/skel # Skeleton Directory INACTIVE=0 # Days after password expires to disable account (0=never) EXPIRE=60 # Days that a passwords lasts SHELL=/bin/bash # Default Shell (full path) ## # Defaults for the passwd command ## PASSMIN=0 # Days between password changes PASSWARN=14 # Days before password expires that a warning is given ## # Ensure that root is running the script. ## WHOAMI=`/usr/bin/whoami` if [ $WHOAMI != "root" ]; then echo "You must be root to add news users!" exit 1 fi ## # Ask for username and fullname. ## echo "" echo -n "Username: " read USERNAME echo -n "Full name: " read FULLNAME # echo "Adding user: $USERNAME." # # Note that the "" around $FULLNAME is required because this field is # almost always going to contain at least on space, and without the "'s # the useradd command would think that you we moving on to the next # parameter when it reached the SPACE character. # /usr/sbin/useradd -c"$FULLNAME" -d$HOME/$USERNAME -e$EXPIRE \ -f$INACTIVE -g$GROUP -m -k$SKEL -s$SHELL $USERNAME ## # Set password defaults ## /bin/passwd -n $PASSMIN -w $PASSWARN $USERNAME >/dev/null 2>&1 ## # Let the passwd command actually ask for password (twice) ## /bin/passwd $USERNAME ## # Show what was done. ## echo "" echo "Entry from /etc/passwd:" echo -n " " grep "$USERNAME:" /etc/passwd echo "Entry from /etc/shadow:" echo -n " " grep "$USERNAME:" /etc/shadow echo "Summary output of the passwd command:" echo -n " " passwd -S $USERNAME echo ""
Using a script to add new users is really much more preferable than editing the /etc/passwd
or /etc/shadow
files directly or using a program like the Slackware adduser
program. Feel free to use and modify this script for your particular system.
For more information on the useradd
see the online manual page.
The usermod
program is used to modify the information on a user. The switches are similar to the useradd
program.
Let's say that you want to change fred
's shell, you would do the following:
Now
usermod -s /bin/tcsh fred
fred
's /etc/passwd
file entry would be change to this:
Let's make
fred:*:505:100:Fred Flintstone:/home/fred:/bin/tcsh
fred
's account expire on 09/15/97:
Now
usermod -e 09/15/97 fred
fred
's entry in /etc/shadow
becomes:
fred:J0C.WDR1amIt6:9559:0:60:0:0:10119:0
For more information on the usermod
command see the online manual page.
userdel
does just what you would expect, it deletes the user's account. You simply use:
The
userdel -r username
-r
causes all files in the user's home directory to be removed along with the home directory itself. Files located in other file system will have to be searched for and deleted manually.
If you want to simply lock the account rather than delete it, use the passwd
command instead.
The passwd
command has the obvious use of changing passwords. Additionally, it is used by the root user to:
-l
and -u
)-x
)-n
)-w
)-i
)-S
)For example, let look again at fred
This means that
passwd -S fred fred P 03/04/96 0 60 0 0
fred
's password is valid, it was last changed on 03/04/96, it can be changed at any time, it expires after 60 days, fred will not be warned, and and the account won't be disabled when the password expires.
This simply means that if fred
logs in after the password expires, he will be prompted for a new password at login.
If we decide that we want to warn fred
14 days before his password expires and make his account inactive 14 days after he lets it expire, we would need to do the following:
Now
passwd -w14 -i14 fred
fred
is changed to:
For more information on the
fred P 03/04/96 0 60 14 14
passwd
command see the online manual page.
The file /etc/login
is the configuration file for the login
program and also for the Shadow Suite as a whole.
/etc/login
contains settings from what the prompts will look like to what the default expiration will be when a user changes his password.
The /etc/login.defs
file is quite well documented just by the comments that are contained within it. However, there are a few things to note:
From the above list you can see that this is a rather important file, and you should make sure that it is present, and that the settings are what you desire for your system.
The /etc/groups
file may contain passwords that permit a user to become a member of a particular group. This function is enabled if you define the constant SHADOWGRP
in the /usr/src/shadow-YYMMDD/config.h
file.
If you define this constant and then compile, you must create an /etc/gshadow
file to hold the group passwords and the group administrator information.
When you created the /etc/shadow
, you used a program called pwconv
, there no equivalent program to create the /etc/gshadow
file, but it really doesn't matter, it takes care of itself.
To create the initial /etc/gshadow
file do the following:
touch /etc/gshadow chown root.root /etc/gshadow chmod 700 /etc/gshadow
Once you create new groups, they will be added to the /etc/group
and the /etc/gshadow
files. If you modify a group by adding or removing users or changing the group password, the /etc/gshadow
file will be changed.
The programs groups
, groupadd
, groupmod
, and groupdel
are provided as part of the Shadow Suite to modify groups.
The format of the /etc/group
file is as follows:
Where:
groupname:!:GID:member,member,...
groupname
The name of the group
!
The field that normally holds the password, but that is now relocated to the /etc/gshadow
file.
GID
The numerical group ID number
member
List of group members
The format of the /etc/gshadow
file is as follows:
Where:
groupname:password:admin,admin,...:member,member,...
groupname
The name of the group
password
The encoded group password.
admin
List of group administrators
member
List of group members
The command gpasswd
is used only for adding or removing administrators and members to or from a group. root
or someone in the list of administrators may add or remove group members.
The groups password can be changed using the passwd
command by root or anyone listed as an administrator for the group.
Despite the fact that there is not currently a manual page for gpasswd
, typing gpasswd
without any parameters gives a listing of options. It's fairly easy to grasp how it all works once you understand the file formats and the concepts.
The program pwck
is provided to provide a consistency check on the /etc/passwd
and /etc/shadow
files. It will check each username and verify that it has the following:
It will also warn of any account that has no password.
It's a good idea to run pwck
after installing the Shadow Suite. It's also a good idea to run it periodically, perhaps weekly or monthly. If you use the -r
option, you can use cron
to run it on a regular basis and have the report mailed to you.
grpck
is the consistency checking program for the /etc/group
and /etc/gshadow
files. It performs the following checks:
It also has the -r
option for automated reports.
Dial-up passwords are another optional line of defense for systems that allow dial-in access. If you have a system that allows many people to connect locally or via a network, but you want to limit who can dial in and connect, then dial-up passwords are for you. To enable dial-up passwords, you must edit the file /etc/login.defs
and ensure that DIALUPS_CHECK_ENAB
is set to yes
.
Two files contain the dial-up information, /etc/dialups
which contains the ttys (one per line, with the leading "/dev/" removed). If a tty is listed then dial-up checks are performed.
The second file is the /etc/d_passwd
file. This file contains the fully qualified path name of a shell, followed by an optional password.
If a user logs into a line that is listed in /etc/dialups
, and his shell is listed in the file /etc/d_passwd
he will be allowed access only by suppling the correct password.
Another useful purpose for using dial-up passwords might be to setup a line that only allows a certain type of connect (perhaps a PPP or UUCP connection). If a user tries to get another type of connection (i.e. a list of shells), he must know a password to use the line.
Before you can use the dial-up feature, you must create the files.
The command dpasswd
is provided to assign passwords to the shells in the /etc/d_passwd
file. See the manual page for more information.