05 - Basic User Management Flashcards

1
Q

Listing logged-in users

A

The who and w (what) commands show who is logged in to the system.

The who command references the /run/utmp file and displays the information.

The w (what) command displays information in a format similar to the who command, but it also reports how long the user has been idle (IDLE), the CPU time used by all processes, including any existing background jobs attached to this terminal (JCPU), the CPU time used by the current process (PCPU), and the current activity (WHAT).

2
Q

What is pts and tty?

A

pts stands for pseudo terminal session, and tty identifies a terminal window on the console.

3
Q

History of successful login attempts and system reboot

A

The last command reports the history of successful user login attempts and system reboots by consulting the wtmp file located in the /var/log directory. This file keeps a record of all login and logout activities, including the login time, the duration a user stayed logged in, and the tty.

last reboot
last [username]

4
Q

History of unsuccessful login attempts

A

The lastb command reports the history of unsuccessful user login attempts by reading the btmp file located in the /var/tmp directory. This file keeps a record of all unsuccessful login attempts, including the login name, time, and tty.

5
Q

Reporting recent user login attempts

A

The lastlog command reports the most recent login evidence information for every user account that exists on the system. This information is captured in the lastlog file located in the /var/log directory. This file keeps a record of the most recent user login attempts, including the login name, time, and port (or tty).

6
Q

Examining User and Group information

A

The id (identifier) command displays the calling user’s UID (User Identifier), username, GID (Group Identifier), group name, all secondary groups the user is a member of, and the SELinux security context.

Each user and group has a corresponding number for identification purposes.
1. id [username]

The groups command, in contrast, lists all groups the calling user is a member of.

The first group listed is the primary group for the user who executed this command; all other groups are secondary (or supplementary). The groups command can also be used to view group membership information for a different user.

7
Q

Local user authentication files

A

RHEL supports three fundamental user account types:
1. root
2. normal, and
3. service

The root user, aka superuser or administrator, has full access to all services and administrative functions on the system. This user is created by default during installation.

Normal users have user-level privileges; they cannot perform any administrative functions but can run applications and programs that have been authorized.

Service accounts take care of their respective services, which include apache, ftp, mail, and chrony.

8
Q

Account information for local users

A

User account information for local users is stored in four files that are located in the /etc directory.

These files are passwd, shadow, group, and gshadow.

These files are updated when a user or group account is created, modified, or deleted. The same files are referenced to check and validate the credentials for a user at the time of their login attempt, and hence the files are referred to as user authentication files.

The backups of these files are passwd-, shadow-, group-, and gshadow-.

Even root has no access permissions on the shadow- and gshadow- files.

9
Q

The passwd file

A

The passwd file is a simple plaintext file but it contains vital user login data. There are seven colon-separated fields per line entry.
Field 1 - Login Name
Field 2 - Password placeholder - x - account disabled or hashed password
Field 3 - UID - Comprises a numeric UID between 0 and ~4.2 billion
Field 4 - GID - Group ID - comes from /etc/group
Field 5 - Comments - Called GECOS (General Electric Comprehensive Operating System), optionally stores general comments
Field 6 - Home directory
Field 7 - Shell’s absolute path - default is /bin/bash

10
Q

Hashed password

A

A hashed password is a combination of random letters, numbers, and special characters: an irreversible, unique, and scrambled string of characters that safeguards a clear text password. It is generated by converting a password with one of the available hashing algorithms. By default, RHEL uses the SHA-512 algorithm for this purpose.

11
Q

The shadow file

A

RHEL has a secure password control mechanism in place that provides an advanced level of password security for local users. This control is referred to as the shadow password. With this control mechanism in place, user passwords are hashed and stored in a more secure file /etc/shadow, but there are certain limits. These limits or other settings are defined in the /etc/login.defs file, which the shadow password mechanism enforces on user accounts. This is called password aging.

With the shadow password mechanism active, a user is initially checked in the passwd file for existence and then in the shadow file for authenticity.

Field 1 - Login Name
Field 2 - Encrypted password
Field 3 - Last Change
Field 4 - Minimum days for password change
Field 5 - Max no. of days for password validity
Field 6 - Warning in days for password change
Field 7 - Password expiry - No. of days to log in after password expiry
Field 8 - account expiry - days to expire and no longer available
Field 9 - reserved

12
Q

The group file

A

The group file is a simple plaintext file and contains critical group information.

Every user on the system must be a member of at least one group, which is referred to as the User Private Group (UPG). By default, a group name matches the username it is associated with.

Field 1 - Group Name
Field 2 - Encrypted password - x - points to the /etc/gshadow file for the actual password
Field 3 - GID
Field 4 - Group Members

13
Q

The gshadow file

A

The shadow password implementation also provides an added layer of protection at the group level. With this mechanism in place, the group passwords are hashed and stored in a more secure file /etc/gshadow.
Field 1 - Group name
Field 2 - Encrypted password
Field 3 - Group administrator
Field 4 - members

14
Q

gpasswd

A

The gpasswd command is used to add group administrators, add or delete group members, assign or revoke a group-level password, and disable the ability of the newgrp command to access a group. This command picks up the default values from the /etc/login.defs file.

15
Q

useradd file

A

The useradd command picks up the default values from the /etc/default/useradd and /etc/login.defs files for any options that are not specified at the command line when executing it. Moreover, the login.defs file is also consulted by the usermod, userdel, chage, and passwd commands as needed.

useradd -D

16
Q

login.defs file

A

The login.defs file comprises additional directives that set several defaults. User and group management commands consult this file to obtain information that is not supplied at the command line.

17
Q

User account management

A

Managing user accounts involves creating, assigning passwords to, modifying, and deleting them.

The tools are useradd to add a new user to the system, usermod to modify the attributes of an existing user, and userdel to remove a user from the system. In addition, the passwd command is available to set or modify a user’s password.

18
Q

useradd

A

The useradd command adds entries to the four user authentication files for each account added to the system.

It creates a home directory for the user and copies the default user startup files from the skeleton directory /etc/skel into the user’s home directory.

It can also be used to update the default settings that are used at the time of creation for unspecified settings.
Options:
-b (--base-dir)
-c (--comment)
-d (--home-dir)
-e (--expiredate)
-f (--inactive)
-g (--gid)
-G (--groups)
-k (--skel)
-m (--create-home)
-o (--non-unique)
-r (--system)
-s (--shell)
-u (--uid)
login

19
Q

usermod

A

The usermod command is used to modify the attributes of a user account.
Options:
-a (--append)
-l (--login)
-m (--move-home)

20
Q

userdel

A

The userdel command is used to remove entries for a specified user from the authentication files, and it deletes the user’s home directory if the -r flag is also specified.

The -f flag option may be used to force the removal even if the user is still logged in.

21
Q

No-login (non-interactive) user account

A

The nologin shell is a special-purpose program that can be employed for user accounts that do not require login access to the system. It is located in the /usr/bin (or /sbin) directory. With this shell assigned, the user is refused with the message “This account is currently not available.” displayed on the screen.

If a custom message is required, you can create a file called nologin.txt in the /etc directory and add the desired text to it.

Typical examples of user accounts that do not require login access are the service accounts such as ftp, apache, and sshd.

22
Q

Where is user account information stored?

A

User account information for local users is stored in four files that are located in the /etc directory.
1. passwd
2. shadow
3. group
4. gshadow

These files are updated when a user or group account is created, modified, or deleted.

The same files are referenced to check and validate the credentials for a user at the time of their login attempt, and hence the files are referred to as user authentication files. These files are so critical to the operation of the system that the system creates their automatic backups by default as passwd-, shadow-, group-, and gshadow- in the /etc directory.

Two of the files - gshadow and shadow - along with their backups have no access permissions for any user, not even root.
