30 - User Accounts Flashcards

1
Q

User Account Management

By the end of this chapter, you should be able to:

A

1) Explain the purpose of individual user accounts and list their main attributes.
2) Create new user accounts and modify existing account properties, as well as remove or lock accounts.
3) Understand how user passwords are set, encrypted and stored, and how to require changes in passwords over time for security purposes.
4) Explain how restricted shells and restricted accounts work.
5) Understand the role of the root account and when to use it.
6) Use Secure Shell (ssh) for remote logins and commands.

2
Q

User Accounts:

Linux systems provide a multi-user environment which permits?

A

People & processes to have separate simultaneous working environments

3
Q

User Accounts:

What do the purposes of having individual user accounts include?

A

1) Providing each user with their own individualized private space
2) Creating particular user accounts for specific dedicated purposes
3) Distinguishing privileges among users.

4
Q

User Accounts:

What special user account allows the user to do anything on the system?

A

root account

5
Q

User Accounts:

To avoid making costly mistakes, and for security reasons, the root account should only be used when?

A

absolutely necessary

6
Q

User Accounts:

Normal user accounts are for?

A

regular people who will work on the system

7
Q

User Accounts:

Some user accounts (like the daemon account) exist for?

A

the purpose of allowing processes to run as a user other than root.

8
Q

User Accounts:

What is group management for? (discussed more in future chapter)

A

where subsets of the users on the system can share files, privileges, etc., according to common interests.

9
Q

Attributes of a User Account:

Each user on the system has a corresponding line in the ____ file that describes their basic account attributes. (We will talk about passwords, as well as this file, later). For example:

A

/etc/passwd

….

beav:x:1000:1000:Theodore Cleaver:/home/beav:/bin/bash
warden:x:1001:1001:Ward Cleaver:/home/warden:/bin/bash
dobie:x:1002:1002:Dobie Gillis:/home/dobie:/bin/bash

….

10
Q

Attributes of a User Account:

What are the 7 attributes of a User Account?

A
  1. User name
  2. User password
  3. User Identification Number (UID)
  4. Group Identification Number (GID)
  5. Comment or GECOS Information
  6. Home Directory
  7. Login Shell
11
Q

Attributes of a User Account:

What is the User name attribute?

A

The unique name assigned to each user.

12
Q

Attributes of a User Account:

What is the User Identification Number (UID) attribute?

A

A unique number assigned to the user account. The UID is used by the system for a variety of purposes, including a determination of user privileges and activity tracking.

13
Q

Attributes of a User Account:

What is the User password attribute?

A

The password assigned to each user.

14
Q

Attributes of a User Account:

What is the Group Identification Number (GID) attribute?

A

Indicates the primary, principal, or default group of the user.

15
Q

Attributes of a User Account:

What is the Comment or GECOS Information attribute?

A

A defined method to use the comment field for contact information (full name, email, office, contact number). (Don’t worry about what GECOS means, it is a very old term.)

16
Q

Attributes of a User Account:

What is the Login Shell attribute?

A

Normally, this is a shell program such as /bin/bash or /bin/csh. Sometimes, however, an alternative program is referenced here for special cases. In general, this field will accept any executable.

17
Q

Attributes of a User Account:

What is the Home Directory attribute?

A

For most users, this is a unique directory that offers a working area for the user. Normally, this directory is owned by the user, and except for root will be found on the system somewhere under /home.

18
Q

Creating User Accounts

What command is used to create user accounts?

A

useradd

19
Q

Creating User Accounts

What is the location of the file that is used to configure useradd default settings?

A

/etc/default/useradd

20
Q

Creating User Accounts

Where is the defaults file that is used by a lot of the user management commands?

A

/etc/login.defs

The /etc/login.defs file provides default configuration information for several user account parameters. The useradd, usermod, userdel, and groupadd commands, and other user and group utilities take default values from this file. Each line consists of a directive name and associated value.

21
Q

Creating User Accounts

The default algorithm for creating a user account will automatically assign the new user's ___, ___, ___, and ___.

A
  • UID
  • GID
  • home directory
  • shell choice
22
Q

Creating User Accounts

What steps occur when creating this new user account?

$ sudo useradd dexter

A
  1. The next available UID greater than UID_MIN (specified in /etc/login.defs) by default is assigned as dexter’s UID.
  2. A group called dexter with a GID=UID is also created and assigned as dexter’s primary group.
  3. A home directory /home/dexter is created and owned by dexter.
  4. dexter’s login shell will be /bin/bash.
  5. The contents of /etc/skel are copied to /home/dexter. By default, /etc/skel includes startup files for bash and for the X Window system.
  6. An entry of either !! or ! is placed in the password field of the /etc/shadow file for dexter’s entry, thus requiring the administrator to assign a password for the account to be usable.
23
Q

Deleting User Accounts

What is the command used to delete a user?

A

userdel

24
Q

Deleting User Accounts

Only the ___ user can delete users

A

root

25
Q

Deleting User Accounts

When deleting a user as in:

$ sudo userdel morgan

What gets erased by default and what doesn’t?

A

Removes the user’s record in these files by default:

  • /etc/passwd
  • /etc/shadow
  • /etc/group

Not Erased:

  • the user's home directory /home/morgan, unless the -r option is used.
26
Q

Modifying User Accounts

What command is used to change characteristics of a user account, such as group memberships, home directory, login name, password, default shell, user id, etc. It modifies the respective /etc files.

A

usermod

27
Q

Modifying User Accounts

What command is used to lock a user named “dexter” out of his account? (Making it so “dexter” cannot log in anymore)

A

sudo usermod -L dexter

28
Q

Locked Accounts

What does a “locked” account mean?

A

A locked account can run programs, but can never log in to the system, and has no valid password associated with it.

For example, /etc/passwd has entries like:

  • bin:x:1:1:bin:/bin:/sbin/nologin
  • daemon:x:2:2:daemon:/sbin:/sbin/nologin

The nologin shell returns the following if a locked user tries to log in to the system:

This account is currently not available.

or whatever message may be stored in /etc/nologin.txt.

29
Q

Locked Accounts

What are some of the locked user accounts that Linux ships with?

A
  • bin
  • daemon or sys
30
Q

Locked Accounts

What are the commands to lock and unlock an account?

A
  • $ sudo usermod -L dexter
  • $ sudo usermod -U dexter
31
Q

Locked Accounts

What is another way to lock an account other than using the usermod -L command?

A

$ sudo chage -E 2014-09-11 morgan

Another way to lock an account is to use chage to change the expiration date of the account to a date in the past.

32
Q

User IDs and /etc/passwd

Describe the record information for this user in the /etc/passwd file:

beav:x:1000:1000:Theodore Cleaver:/home/beav:/bin/bash

A
  • username - the user’s unique name
  • password - either the hashed password (if /etc/shadow is not used) or a placeholder (“x” when /etc/shadow is used)
  • UID - user identification number
  • GID - primary group identification number for the user
  • comment - comment area, usually the user’s real name
  • home - directory pathname for the user’s home directory
  • shell - fully qualified path of the shell to invoke at login.
33
Q

User IDs and /etc/passwd

The convention most Linux distributions have used is that any account with a user ID less than ___ is considered special and belongs to the system; normal user accounts start at ___. The actual value is defined as ___ and is defined in ___.

A
  • 1000
  • 1000
  • UID_MIN
  • /etc/login.defs

Historically, Red Hat-derived distributions used UID_MIN=500, not 1000, but beginning with RHEL 7 the more common value of 1000 was adopted.

34
Q

User IDs and /etc/passwd

If a User ID is not specified when using useradd, the system will incrementally assign UIDs starting at the ___ environment variable.

A
  • UID_MIN
35
Q

User IDs and /etc/passwd

It is bad practice to edit /etc/passwd, /etc/group or /etc/shadow directly; use appropriate utilities such as ___.

A
  • usermod
36
Q

Why Use /etc/shadow?

Why use /etc/shadow for storing user passwords rather than storing them in /etc/passwd?

A

Use of /etc/shadow enables password aging on a per user basis. At the same time, it also allows for maintaining greater security of hashed passwords.

37
Q

Why Use /etc/shadow?

Why is /etc/passwd a bad place to store users' hashed passwords, compared with /etc/shadow?

A

The default permissions of /etc/passwd are 644 (-rw-r--r--); anyone can read the file. This is unfortunately necessary because system programs and user applications need to read the information contained in the file. These system programs do not run as the user root and, in any event, only root may change the file.

Of particular concern are the hashed passwords themselves. If they appear in /etc/passwd, anyone may make a copy of the hashed passwords and then make use of utilities such as Crack and John the Ripper to guess the original cleartext passwords given the hashed password. This is a security risk!

/etc/shadow has permission settings of 400 (-r--------), which means that only root can access this file. This makes it more difficult for someone to collect the hashed passwords.

Unless there is a compelling good reason not to, you should use the /etc/shadow file.

38
Q

Password Management

Explain the pieces of this user’s password record in the /etc/shadow file.

daemon:*:16141:0:99999:7:::
…..
beav:$6$iCZyCnBJH9rmq7P.$RYNm10Jg3wrhAtUnahBZ/mTMg.RzQE6iBXyqaXHvxxbKTYqj.d9wpoQFuRp7fPEE3hMK3W2gcIYhiXa9MIA9w1:16316:0:99999:7:::

A

The colon-separated fields are:

  1. username: unique user name
  2. password: the hashed (sha512) value of the password
  3. lastchange: days since Jan 1, 1970 that the password was last changed
  4. mindays: minimum days before password can be changed
  5. maxdays: maximum days after which password must be changed
  6. warn: days before password expires that the user is warned
  7. grace: days after password expires that account is disabled
  8. expire: date that account is/will be disabled
  9. reserved: reserved field.

The username in each record must match exactly that found in /etc/passwd, and also must appear in the identical order.

All dates are stored as the number of days since Jan. 1, 1970 (the epoch date).

The password hash is the string “$6$” followed by an eight character salt value, which is then followed by a $ and an 88 character (sha512) password hash.

39
Q

Password Management

What command is used to change a user’s password?

A

passwd

By default, the password choice is examined by pam_cracklib.so, which encourages making good password choices.

40
Q

Password Management

What is the difference between the powers a regular user has and those the root user has when changing passwords?

A

A regular user can only change their own password, while the root user can change anyone's password.

41
Q

Password Management

When using passwd to change a user’s password, what program is used by default, under the hood, to check that the password meets security requirements?

A

pam_cracklib.so

42
Q

Normal users will not be allowed to set bad passwords, such as ones that are too short, or based on dictionary words. However, ___ is allowed to do so.

A

root user

43
Q

Password Aging

What utility is used to manage password aging?

A

chage

chage [-m mindays] [-M maxdays] [-d lastday] [-I inactive] [-E expiredate] [-W warndays] user

Examples:

$ sudo chage -l dexter
$ sudo chage -m 14 -M 30 kevlin
$ sudo chage -E 2012-4-1 morgan
$ sudo chage -d 0 clyde

Only the root user can use chage. The one exception to this is that any user can run chage -l to see their aging, as in the screenshot on this page.

To force a user to change their password at their next login, do:

$ sudo chage -d 0 USERNAME

44
Q

Restricted Shell

What command is used to start a restricted shell?

A

$ bash -r

A restricted shell functions in a more tightly controlled environment than a standard shell, but otherwise functions normally. In particular, it:

  • Prevents the user from using cd to change directories.
  • Prevents the user from redefining the following environment variables: SHELL, ENV, and PATH.
  • Does not permit the user to specify the absolute path or executable command names starting from /.
  • Prevents the user from redirecting input and/or output.

There are other restrictions; the best way to see them all is to do man bash and search for RESTRICTED SHELL.

Restricted accounts can also be enabled by creating a symlink to /bin/bash, named /bin/rbash, and using it as the login shell in /etc/passwd, as we will discuss next.

rbash is not secure! It is actually very easy to avoid the restrictions, and modern techniques such as the use of SELinux are much more robust. We discuss it only in case you encounter the methods described here.

Restricted Accounts:

There are times when granting access to a user is necessary, but should be limited in scope. Setting up a restricted user account can be useful in this context. A restricted account:

  • Uses the restricted shell
  • Limits available system programs and user applications
  • Limits system resources
  • Limits access times
  • Limits access locations.

From the command line, or from a script, a restricted shell may be invoked with /bin/bash -r. However, flags may not be specified in the /etc/passwd file. A simple way to get around this restriction would be to do one of the following:

$ cd /bin ; sudo ln -s bash rbash
$ cd /bin ; sudo ln bash rbash
$ cd /bin ; sudo cp bash rbash

and then, use /bin/rbash as the shell in /etc/passwd.

When setting up such an account, one should avoid inadvertently adding system directories to the PATH environment variable; this would grant the restricted user the ability to execute other system programs, such as an unrestricted shell.

Restricted accounts are also sometimes referred to as limited accounts.

45
Q

The Root Account

The ___ account should only be used for administrative purposes when absolutely necessary and never used as a regular account. Mistakes can be very costly, both for integrity and stability, and system security.

A

root

46
Q

The Root Account

By default, ___ logins through the network are generally prohibited for security reasons. You can permit Secure Shell logins using ssh, which is configured with the file ___, and PAM (Pluggable Authentication Modules), which we will discuss later, through the pam_securetty.so module and the associated ___ file. Root login is permitted only from the devices listed in ___.

A
  • root
  • /etc/ssh/sshd_config
  • /etc/securetty
  • /etc/securetty
47
Q

The Root Account

It is generally recommended that all ___ access be through su, or sudo (causing an audit trail of all root access through sudo). Note that some distributions (such as Ubuntu), by default actually prohibit logging in directly to the ___ account.

A
  • root
  • root
48
Q

The Root Account

___ can also be used to restrict which users are allowed to su to root. It may also be worthwhile to configure ___ to log all commands executed as root.

A
  • PAM
  • auditd
49
Q

SSH

What command do you use to login to a remote system?

A

ssh

50
Q

SSH

How do you copy files and folders from one system to another via ssh?

A

To copy files from one system to another:

$ scp file.txt farflung.com:/tmp
$ scp file.tex student@farflung.com:/home/student
$ scp -r some_dir farflung.com:/tmp/some_dir

51
Q

SSH

What is the bash script to run ssh on multiple systems?

A

To run a command on multiple machines simultaneously:

$ for machines in node1 node2 node3
do
    (ssh $machines some_command &)
done

52
Q

SSH Configuration Files

Where is the ssh configuration file location?

A

Every user has a .ssh configuration directory with config files in their home directory.

You can configure SSH further to expedite its use, in particular to permit logging in without a password. User-specific configuration files are created under every user’s home directory in the hidden .ssh directory.

53
Q

SSH

What config files are located in the .ssh folder, and what are they for?

A

id_rsa: the user’s private encryption key

id_rsa.pub: the user’s public encryption key

authorized_keys: A list of public keys that are permitted to login

known_hosts: A list of hosts from which logins have been allowed in the past

config: A configuration file for specifying various options.

54
Q

SSH

What are the steps to setup ssh connection to a server?

A
  1. First, a user has to generate their private and public encryption keys with ssh-keygen:
    1. $ ssh-keygen
      1. .ssh/id_rsa (private key generated)
      2. .ssh/id_rsa.pub (public key generated)

The public key can be given to any machine with which you want to permit password-less access. It should also be added to your authorized_keys file, together with all the public keys from other users who have accounts on your machine and you want to permit password-less access to their accounts.

The .ssh/known_hosts file is gradually built up as ssh accesses occur. If the system detects changes in the users who are trying to log in through ssh, it will warn you of them and afford the opportunity to deny access.

Note that the authorized_keys file contains information about users and machines:

$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQ
…0000aSd…hilda@sbc

while the known_hosts only contains information about computer nodes:

$ cat known_hosts
192.30.252.129 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSw
….BK6Tb…==

55
Q

SSH

What does the .ssh/known_hosts config file contain?

A

The known_hosts file is gradually built up as ssh accesses occur. If the system detects changes in the users who are trying to log in through ssh, it will warn you of them and afford the opportunity to deny access. Note that the authorized_keys file contains information about users and machines:

$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQ
…0000aSd…hilda@sbc

while the known_hosts only contains information about computer nodes:

$ cat known_hosts
192.30.252.129 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSw
….BK6Tb…==

You can examine the man ssh_config page to see what kinds of options can go into the ssh configuration files.

56
Q

SSH

What command gives you information about what options can go into the ssh configuration files?

A

man ssh_config

57
Q

Remote Graphical Login

What is a common program you can use to graphically connect to a remote machine?

A

tigervnc

58
Q

Remote Graphical Login

What does VNC stand for?

A

Virtual Network Computing

59
Q

Remote Graphical Login

Which vnc packages do you need installed for vnc to work?

How can you check if these packages are installed?

How can you install these packages if you don’t have them?

A
  • vncserver
  • vncviewer

which vncserver vncviewer

/usr/bin/vncserver
/usr/bin/vncviewer

$ sudo [dnf|yum|zypper|apt-get] install tigervnc*

60
Q

Remote Graphical Login

How do you use tigervnc?

A
  1. Start the server with
    1. $ vncserver
  2. Test the vnc server locally
    1. $ vncviewer localhost:2
    2. You may have to play with numbers other than 2, such as 1, 3, 4…, depending on what you are running at the moment, and how your machine is configured.
  3. View the vnc server remotely
    1. vncviewer -via username@host_machine localhost:2

If you get a rather strange message about having to authenticate because of ‘color profile’, and no passwords work, you have to kill the colord daemon on the server machine, as in:

$ sudo systemctl stop colord

This is a bug (not a feature), and it will only appear in some distributions and some systems for unclear reasons.