Linux administration, user management

Users and groups management

Users are stored in the /etc/passwd file in the following format:

user:x:1000:1000:denis,,,:/home/user:/bin/bash
  1. Username
  2. Password placeholder: "x" means the password is stored in /etc/shadow
  3. uid = user id
  4. gid = group id
  5. Friendly username (GECOS/comment field), might include email or phone
  6. Default home directory
  7. Default login shell, or a nologin program for accounts that must not log in

Hashed passwords are stored in the /etc/shadow file.
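
The seven-field format above can be checked mechanically. The following is an added example, not part of the original notes: a small audit function that flags entries an administrator would want to review. The finding names, the sample entries (constructed) and the UID 1-999 range for system accounts are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for risky entries.

# Constructed sample data (not from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
user:x:1000:1000:denis,,,:/home/user:/bin/bash
toor:x:0:0::/root:/bin/bash
backup::34:34:backup:/var/backups:/usr/sbin/nologin
legacy:$6$CONSTRUCTED$notarealhash:1001:1001::/home/legacy:/bin/sh
svc:x:998:998::/var/lib/svc:/bin/bash
broken:x:1002:1002:/home/broken
EOF
}

# audit_passwd [FILE]: one finding per line; reads stdin when FILE is omitted.
audit_passwd() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }          # skip blank lines and comments
        NF != 7 {                            # an entry has exactly 7 fields
            print "MALFORMED line " NR ": expected 7 fields, got " NF
            next
        }
        $3 !~ /^[0-9]+$/ { print "BAD_UID " $1; next }
        {
            # Field 2: "x" means the hash lives in /etc/shadow.
            if ($2 == "")
                print "EMPTY_PASSWORD " $1
            else if ($2 != "x" && $2 !~ /^[!*]/)
                print "HASH_IN_PASSWD " $1
            # Field 3: UID 0 is root-equivalent whatever the name is.
            if ($3 + 0 == 0 && $1 != "root")
                print "UID0_NOT_ROOT " $1
            # Field 7: system account (UID 1-999, assumed) with a login shell.
            if ($3 + 0 > 0 && $3 + 0 < 1000 && $7 ~ /\/(sh|bash|dash|zsh|ksh)$/)
                print "SYSTEM_LOGIN_SHELL " $1
        }
    ' "${1:--}"
}

sample_passwd | audit_passwd
```

On a real machine, run it as "audit_passwd /etc/passwd"; no output means none of these checks matched.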

Groups are listed in /etc/group.

Create user accounts

Defaults for creating user accounts are located in /etc/adduser.conf.

There it is possible to configure the default home directory, the prefix for home directories and the skeleton used for new home directories.

Modifying and deleting user accounts

  • Log in as a user "su username"
  • Change a password "passwd", or "sudo passwd username" if the user does not know the password
  • Change the shell "chsh"
  • Change user info "chfn username"
  • Change user name "usermod -l newusername oldusername"
  • Change default directory "usermod -d /home/user -m username"

Create and modify groups

  • Create a group "sudo addgroup name"
  • Add user to group "sudo adduser username groupname"
  • Add user to group "sudo usermod -a -G groupname username"
  • Modify or delete group "groupmod/delgroup"

Home folder templating and global environment configuration

The skeleton for new home directories can be set in /etc/skel.

Configure and monitor user resources

To check the resources used by a user: "top -u username".

The same with "ps -u username".

Limits for users are set in "/etc/security/limits.conf".

Configure permissions to allow group collaboration

  • Change the folder's group "chgrp groupname folder"
  • Allow write access for the group "chmod g+w folder"
  • Check a user's groups in "/etc/group"
  • Force new files in the folder to belong to the folder's group instead of the user's group (setgid bit) "chmod g+s folder"

Granting users and groups sudo access

Check whether a user has sudo access in "/etc/sudoers".

It is also possible to add the user to the "sudo" group.

Authentication tools

The PAM (Pluggable Authentication Modules) configuration is located in the /etc/pam.d folder.

LDAP (Lightweight Directory Access Protocol): you need a server and a client.

Packages needed: ldap-utils (client), slapd (server).

Reconfigure LDAP server:

dpkg-reconfigure ldap-auth-config

To configure LDAP on the machine we need to add changes to "/etc/nsswitch.conf":

  • passwd: compat ldap
  • group: compat ldap
  • shadow: compat ldap

Kerberos needs a Key Distribution Center (KDC) to work.

We need krb5-kdc and krb5-admin-server to work with Kerberos.
