Management of local users and groups - SME networks

General index of the series: Computer Networks for SMEs: Introduction

Hello friends!

This article is a continuation of Squid + PAM Authentication in CentOS 7- SMB Networks.

UNIX / Linux operating systems offer a REAL multi-user environment, in which many users can work simultaneously on the same system and share resources such as processors, hard drives, memory, network interfaces, devices plugged into the system, and so on.

For this reason, System Administrators must continuously manage the users and groups of the system, and formulate and implement a good administration strategy.

Next we will see very concisely the general aspects of this important activity in Linux Systems Administration.

Sometimes it is better to offer the Utility first and then the Need.

This is a typical example of that order. First we showed how to implement an Internet proxy service with Squid and local users. Now we must ask ourselves:

  • How can I implement network services on a UNIX / Linux LAN for local users, and with acceptable security?

It does not matter that, in addition, Windows clients are connected to this network. What matters is which services the SME network needs and what the simplest and cheapest way to implement them is.

A good question, for which everyone should seek their own answer. I invite you to search for the term «authentication» on Wikipedia in English, which is by far the most complete and coherent as far as original content -in English- is concerned.

Historically, and roughly speaking, first came local authentication and local content, then NIS (Network Information System), developed by Sun Microsystems and also known as Yellow Pages or yp, and then LDAP (Lightweight Directory Access Protocol).

The phrase «acceptable security» comes up because we often worry about the security of our local network while we access Facebook, Gmail, Yahoo, etc. -to mention just a few- and hand over our privacy to them. And look at the large number of articles and documentaries that exist about the lack of privacy on the Internet.

Note on CentOS and Debian

CentOS / Red Hat and Debian each have their own philosophy on how to implement security, although they are not fundamentally different. In any case, we affirm that both are very stable, secure and reliable. For example, in CentOS the SELinux context is enabled by default. In Debian we must install the package selinux-basics, which shows that we can also use SELinux there.

In CentOS, FreeBSD, and other operating systems, the system group wheel is created to allow access as root only to users belonging to that group. Read /usr/share/doc/pam-1.1.8/html/Linux-PAM_SAG.html. Debian does not create a wheel group.

Main files and commands

Files

The main files related to managing local users in a Linux operating system are:

CentOS and Debian

  • /etc/passwd: user account information.
  • /etc/shadow: security information for user accounts.
  • /etc/group: group account information.
  • /etc/gshadow: security information for group accounts.
  • /etc/default/useradd: default values for account creation.
  • /etc/skel/: directory containing the default files that will be copied into the HOME directory of each new user.
  • /etc/login.defs: set of password and login security settings.

Debian

  • /etc/adduser.conf: default values for account creation.

Commands on CentOS and Debian

[root@linuxbox ~]# chpasswd -h    # Update passwords in batch mode
Usage: chpasswd [options]

Options:
  -c, --crypt-method METHOD     the crypt method (one of NONE DES MD5 SHA256 SHA512)
  -e, --encrypted               the supplied passwords are already encrypted
  -h, --help                    display this help message and exit
  -m, --md5                     encrypt the clear text password using the MD5 algorithm
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --sha-rounds              number of SHA rounds for the SHA* crypt algorithms

# batch: executes commands when the system load allows, that is, when the load
# average drops below 0.8 or below the value given when atd was invoked.
# More information: man batch.

[root@linuxbox ~]# gpasswd -h    # Declare group administrators in /etc/group and /etc/gshadow
Usage: gpasswd [options] GROUP

Options:
  -a, --add USER                add USER to GROUP
  -d, --delete USER             remove USER from GROUP
  -h, --help                    display this help message and exit
  -Q, --root CHROOT_DIR         directory to chroot into
  -r, --delete-password         remove the GROUP's password
  -R, --restrict                restrict access to GROUP to its members
  -M, --members USER,...        set the list of members of GROUP
  -A, --administrators ADMIN,...
                                set the list of administrators for GROUP
Except for the -A and -M options, the options cannot be combined.

[root@linuxbox ~]# groupadd -h    # Create a new group
Usage: groupadd [options] GROUP

Options:
  -f, --force                   exit if the group already exists, and cancel -g
                                if the GID is already in use
  -g, --gid GID                 use GID for the new group
  -h, --help                    display this help message and exit
  -K, --key KEY=VALUE           override the defaults of /etc/login.defs
  -o, --non-unique              allow creating groups with duplicate (non-unique) GIDs
  -p, --password PASSWORD       use this encrypted password for the new group
  -r, --system                  create a system account
  -R, --root CHROOT_DIR         directory to chroot into

[root@linuxbox ~]# groupdel -h    # Delete an existing group
Usage: groupdel [options] GROUP

Options:
  -h, --help                    display this help message and exit
  -R, --root CHROOT_DIR         directory to chroot into

[root@linuxbox ~]# groupmems -h    # Administer the members of a user's primary group
Usage: groupmems [options] [action]

Options:
  -g, --group GROUP             change GROUP instead of the user's own group (root only)
  -R, --root CHROOT_DIR         directory to chroot into

Actions:
  -a, --add USER                add USER to the members of the group
  -d, --delete USER             remove USER from the members of the group
  -h, --help                    display this help message and exit
  -p, --purge                   purge all members from the group
  -l, --list                    list the members of the group

[root@linuxbox ~]# groupmod -h    # Modify the definition of a group
Usage: groupmod [options] GROUP

Options:
  -g, --gid GID                 change the group ID to GID
  -h, --help                    display this help message and exit
  -n, --new-name NEW_GROUP      change the name to NEW_GROUP
  -o, --non-unique              allow using a duplicate (non-unique) GID
  -p, --password PASSWORD       change the password to this (encrypted) PASSWORD
  -R, --root CHROOT_DIR         directory to chroot into

[root@linuxbox ~]# grpck -h    # Check the integrity of the group files
Usage: grpck [options] [group [gshadow]]

Options:
  -h, --help                    display this help message and exit
  -r, --read-only               display errors and warnings but do not change files
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --sort                    sort entries by UID

[root@linuxbox ~]# grpconv
# Related commands: pwconv, pwunconv, grpconv, grpunconv
# Used to convert to and from shadow passwords and groups.
# The four commands operate on the files /etc/passwd, /etc/group, /etc/shadow
# and /etc/gshadow. For more information: man grpconv.

[root@linuxbox ~]# sg -h    # Execute a command with a different group ID (GID)
Usage: sg group [[-c] command]

[root@linuxbox ~]# newgrp -h    # Change the current GID during a login session
Usage: newgrp [-] [group]

[root@linuxbox ~]# newusers -h    # Update and create new users in batch mode
Usage: newusers [options]

Options:
  -c, --crypt-method METHOD     the crypt method (one of NONE DES MD5 SHA256 SHA512)
  -h, --help                    display this help message and exit
  -r, --system                  create system accounts
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --sha-rounds              number of SHA rounds for the SHA* crypt algorithms

[root@linuxbox ~]# pwck -h    # Check the integrity of the password files
Usage: pwck [options] [passwd [shadow]]

Options:
  -h, --help                    display this help message and exit
  -q, --quiet                   report errors only
  -r, --read-only               display errors and warnings but do not change files
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --sort                    sort entries by UID

[root@linuxbox ~]# useradd -h    # Create a new user or update the default new-user information
Usage: useradd [options] LOGIN
       useradd -D
       useradd -D [options]

Options:
  -b, --base-dir BASE_DIR       base directory for the home directory of the new account
  -c, --comment COMMENT         GECOS field of the new account
  -d, --home-dir HOME_DIR       home directory of the new account
  -D, --defaults                print or change the default useradd configuration
  -e, --expiredate EXPIRE_DATE  expiration date of the new account
  -f, --inactive INACTIVE       password inactivity period of the new account
  -g, --gid GROUP               name or ID of the primary group of the new account
  -G, --groups GROUPS           list of supplementary groups of the new account
  -h, --help                    display this help message and exit
  -k, --skel SKEL_DIR           use this alternative "skeleton" directory
  -K, --key KEY=VALUE           override the defaults of /etc/login.defs
  -l, --no-log-init             do not add the user to the lastlog and faillog databases
  -m, --create-home             create the user's home directory
  -M, --no-create-home          do not create the user's home directory
  -N, --no-user-group           do not create a group with the same name as the user
  -o, --non-unique              allow creating users with duplicate (non-unique) UIDs
  -p, --password PASSWORD       encrypted password of the new account
  -r, --system                  create a system account
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             login shell of the new account
  -u, --uid UID                 user ID of the new account
  -U, --user-group              create a group with the same name as the user
  -Z, --selinux-user SEUSER     use the specified SEUSER for the SELinux user mapping

[root@linuxbox ~]# userdel -h    # Delete a user account and related files
Usage: userdel [options] LOGIN

Options:
  -f, --force                   force some actions that would fail otherwise, e.g.
                                removal of a user still logged in, or of files
                                even if not owned by the user
  -h, --help                    display this help message and exit
  -r, --remove                  remove the home directory and mail spool
  -R, --root CHROOT_DIR         directory to chroot into
  -Z, --selinux-user            remove any SELinux user mapping for the user

[root@linuxbox ~]# usermod -h    # Modify a user account
Usage: usermod [options] LOGIN

Options:
  -c, --comment COMMENT         new value of the GECOS field
  -d, --home HOME_DIR           new home directory for the user account
  -e, --expiredate EXPIRE_DATE  set the account expiration date to EXPIRE_DATE
  -f, --inactive INACTIVE       set the password inactivity period after expiration to INACTIVE
  -g, --gid GROUP               force use of GROUP as the new primary group
  -G, --groups GROUPS           new list of supplementary GROUPS
  -a, --append                  append the user to the supplementary GROUPS given
                                with -G without removing the user from other groups
  -h, --help                    display this help message and exit
  -l, --login NEW_LOGIN         new login name for the user
  -L, --lock                    lock the user account
  -m, --move-home               move the contents of the home directory to the new
                                location (use only together with -d)
  -o, --non-unique              allow using a duplicate (non-unique) UID
  -p, --password PASSWORD       use this encrypted password for the account
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             new login shell for the user account
  -u, --uid UID                 new UID for the user account
  -U, --unlock                  unlock the user account
  -Z, --selinux-user SEUSER     new SELinux user mapping for the user account

Commands in Debian

Debian differentiates between useradd and adduser, and recommends that System Administrators use adduser.

root@sysadmin:/home/xeon# adduser -h     # Add a user to the system
root@sysadmin:/home/xeon# addgroup -h    # Add a group to the system
adduser [--home DIR] [--shell SHELL] [--no-create-home] [--uid ID]
[--firstuid ID] [--lastuid ID] [--gecos GECOS] [--ingroup GROUP | --gid ID]
[--disabled-password] [--disabled-login] USER
   Add a normal user

adduser --system [--home DIR] [--shell SHELL] [--no-create-home] [--uid ID]
[--gecos GECOS] [--group | --ingroup GROUP | --gid ID] [--disabled-password]
[--disabled-login] USER
   Add a system user

adduser --group [--gid ID] GROUP
addgroup [--gid ID] GROUP
   Add a user group

addgroup --system [--gid ID] GROUP
   Add a system group

adduser USER GROUP
   Add an existing user to an existing group

general options:
  --quiet | -q      do not display process information on standard output
  --force-badname   allow user names that do not match the NAME_REGEX
                    configuration variable
  --help | -h       usage message
  --version | -v    version number and copyright
  --conf | -c FILE  use FILE as configuration file

root@sysadmin:/home/xeon# deluser -h     # Remove a normal user from the system
root@sysadmin:/home/xeon# delgroup -h    # Remove a normal group from the system
deluser USER
  removes a normal user from the system
  example: deluser miguel

  --remove-home           removes the user's home directory and mail spool
  --remove-all-files      removes all files owned by the user
  --backup                backs up files before deleting them
  --backup-to DIR         destination directory for the backups
                          (the current directory is used by default)
  --system                only remove if the user is a system user

delgroup GROUP
deluser --group GROUP
  removes a group from the system
  example: deluser --group students

  --system                only remove if the group is a system group
  --only-if-empty         only remove if the group has no more members

deluser USER GROUP
  removes the user from the group
  example: deluser miguel students

general options:
  --quiet | -q      do not display process information on standard output
  --help | -h       usage message
  --version | -v    version number and copyright
  --conf | -c FILE  use FILE as configuration file

Policies

There are two types of policies that we must consider when creating user accounts:

  • User Account Policies
  • Password aging policies

User Account Policies

In practice, the fundamental components that identify a user account are:

  • User account name: the LOGIN, not the first name and surnames.
  • User identifier: UID.
  • Primary group to which the user belongs: GID.
  • Password.
  • Access permissions.

The main factors to consider when creating a user account are:

  • How long the user will have access to the file system and its resources.
  • How often the user must change their password -periodically- for security reasons.
  • How long the login will remain active.

Furthermore, when assigning a user their UID and password, we must take into account that:

  • The integer value of the UID must be unique and non-negative.
  • The password must be of adequate length and complexity, so that it is hard to guess.

Password aging policies

On a Linux system, a user's password is not assigned an expiration time by default. If we use password aging policies, we change that default behaviour, and the defined policies will be applied when creating users.

In practice, there are two factors to consider when setting the age of a password:

  • Security.
  • User convenience.

A password is more secure the shorter its expiration period: there is less risk of it being leaked to other users.

To set the password aging policies we use the command chage:

[root@linuxbox ~]# chage
Usage: chage [options] LOGIN

Options:
  -d, --lastday LAST_DAY        set the date of the last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set the account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       disable the account INACTIVE days after the password expires
  -l, --list                    show the account aging information
  -m, --mindays MIN_DAYS        set the minimum number of days before a password change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set the maximum number of days before a password change to MAX_DAYS
  -R, --root CHROOT_DIR         directory to chroot into
  -W, --warndays WARN_DAYS      set the number of days of warning before expiration to WARN_DAYS

In the previous article we created several users as an example. If we want to know the aging values of the account with LOGIN galadriel:

[root@linuxbox ~]# chage --list galadriel
Last password change                                    : Apr 21, 2017
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

Those were the default values that the system had when we created the user account with the graphical administration utility «Users and groups»:

To change the password aging defaults, we recommend editing the file /etc/login.defs and modifying only the minimum number of values we need. In that file we will change only the following values:

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999      # More than 273 years!
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

to the values that we chose according to our criteria and needs:

# 42 continuous days during which the password can be used
PASS_MAX_DAYS   42
# The password can be changed at any time
PASS_MIN_DAYS   0
# Minimum password length
PASS_MIN_LEN    8
# Number of days the system warns you to change the password before it expires
PASS_WARN_AGE   7

We leave the rest of the file as it was and we recommend not changing other parameters until we know well what we are doing.
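As an added example (not part of the article), the following POSIX shell script audits the aging keys of a login.defs file against the values chosen above (PASS_MAX_DAYS 42, PASS_MIN_LEN 8, PASS_WARN_AGE 7) and exits non-zero when any key is weaker, so it can run from cron or a configuration check. The two input files are constructed samples written to a temporary directory; pass /etc/login.defs as the first argument to audit a real system. Two caveats the script reflects: the shadow tools read the rest of the line after the key as the value, so keep comments on their own lines rather than after a number; and on PAM-based systems the length and dictionary checks that passwd performs come from pam_pwquality or pam_cracklib, so PASS_MIN_LEN in login.defs is only consulted by the non-PAM code paths.

```shell
#!/bin/sh
# Added example, not from the article: audit the password-aging keys of a
# login.defs file against the policy PASS_MAX_DAYS 42 / PASS_MIN_LEN 8 /
# PASS_WARN_AGE 7.  Usage:  sh audit_login_defs.sh [/etc/login.defs]

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample 1: the CentOS defaults quoted in the article.
cat > "$WORK/login.defs.default" <<'EOF'
# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF

# Constructed sample 2: the same keys with the article's chosen values.
cat > "$WORK/login.defs.hardened" <<'EOF'
PASS_MAX_DAYS   42
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   7
EOF

# login_defs_get FILE KEY: print the effective value of KEY.
# Blank and '#' lines are ignored and the last definition wins, as the shadow
# tools do; nothing is printed when the key is unset.
login_defs_get() {
    awk -v key="$2" '/^[ \t]*#/ { next }  $1 == key { v = $2 }
                     END { if (v != "") print v }' "$1"
}

# audit_login_defs FILE: print one finding per key weaker than the policy.
# Returns 0 when every key complies, 1 otherwise.
audit_login_defs() {
    file=$1
    rc=0
    max=$(login_defs_get "$file" PASS_MAX_DAYS)
    min_len=$(login_defs_get "$file" PASS_MIN_LEN)
    warn=$(login_defs_get "$file" PASS_WARN_AGE)
    if [ -z "$max" ] || [ "$max" -gt 42 ]; then
        echo "PASS_MAX_DAYS=${max:-unset}: passwords should expire within 42 days"
        rc=1
    fi
    if [ -z "$min_len" ] || [ "$min_len" -lt 8 ]; then
        echo "PASS_MIN_LEN=${min_len:-unset}: minimum length should be at least 8"
        rc=1
    fi
    if [ -z "$warn" ] || [ "$warn" -lt 7 ]; then
        echo "PASS_WARN_AGE=${warn:-unset}: users should be warned at least 7 days ahead"
        rc=1
    fi
    return $rc
}

# Audit the file given on the command line, or both samples when none is given.
if [ -n "$1" ]; then
    audit_login_defs "$1"
else
    for f in "$WORK/login.defs.default" "$WORK/login.defs.hardened"; do
        echo "== $f"
        audit_login_defs "$f" && echo "compliant"
    done
fi
```

Run without arguments it reports two findings for the default sample (PASS_MAX_DAYS and PASS_MIN_LEN) and "compliant" for the hardened one.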

The new values will be applied when we create new users. If we change the password of an already created user, the minimum password length will be enforced. If we use the command passwd instead of the graphical utility and type the password «legolas17», the system complains, just like the graphical tool «Users and groups», and replies that «the password contains the user name in some form», although in the end it accepts that weak password.

[root@linuxbox ~]# passwd legolas
Changing password for user legolas.
New password: goalkeeper               # less than 7 characters
INCORRECT PASSWORD: The password is less than 8 characters
Retype new password: legolas17
Passwords do not match.                # Logical, right?
New password: legolas17
INCORRECT PASSWORD: The password contains the user name in some form
Retype new password: legolas17
passwd: all authentication tokens updated successfully.

We incur "the weakness" of declaring a password that includes the user's LOGIN. That is not a recommended practice. The correct way would be:

[root@linuxbox ~]# passwd legolas
Changing password for user legolas.
New password: highmountains01
Retype new password: highmountains01
passwd: all authentication tokens updated successfully.

To change the expiration values of galadriel's password we use the chage command; we only have to change the maximum number of days (PASS_MAX_DAYS) from 99999 to 42:

[root@linuxbox ~]# chage -M 42 galadriel
[root@linuxbox ~]# chage -l galadriel
Last password change                                    : Apr 21, 2017
Password expires                                        : Jun 02, 2017
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 42
Number of days of warning before password expires       : 7
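As an added example (not from the article), the following POSIX shell script reproduces the «Password expires» line that chage -l derives from /etc/shadow: the expiry day is the last-change day plus the maximum age, both counted in days since 1970-01-01, and chage prints «never» when the maximum is empty, -1, or 10000 days or more. It also lists the accounts whose password never expires, which is the check to run after tightening the policy, since a change to login.defs only affects users created afterwards. The shadow lines below are constructed (placeholder hashes, day numbers matching the Apr 21 / Jun 02, 2017 dates above); pass /etc/shadow as the first argument, as root, to run it against a real system.

```shell
#!/bin/sh
# Added example, not from the article: compute the password expiry date that
# `chage -l` shows, from shadow-format lines, and list never-expiring accounts.
# /etc/shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# (lastchg and expire are days since 1970-01-01).  Usage: sh aging.sh [/etc/shadow]

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: galadriel after `chage -M 42`, legolas at the 99999-day
# default, anduin with the maximum left empty.  Hashes are placeholders.
cat > "$WORK/shadow.sample" <<'EOF'
galadriel:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:17277:0:42:7:::
legolas:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:17277:0:99999:7:::
anduin:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:17277:0::7:::
EOF

# days_to_date DAYS: convert days since the epoch to YYYY-MM-DD using integer
# arithmetic only (the civil-from-days algorithm), so GNU date is not required.
days_to_date() {
    z=$(( $1 + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    y=$(( yoe + era * 400 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    if [ "$mp" -lt 10 ]; then m=$(( mp + 3 )); else m=$(( mp - 9 )); fi
    if [ "$m" -le 2 ]; then y=$(( y + 1 )); fi
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# password_expires SHADOW_LINE: print the expiry date, or "never" when the
# last-change day is missing or the maximum age is unset, negative, or >= 10000.
password_expires() {
    lastchg=$(printf '%s\n' "$1" | cut -d: -f3)
    maxdays=$(printf '%s\n' "$1" | cut -d: -f5)
    if [ -z "$lastchg" ] || [ "$lastchg" -lt 0 ] || [ -z "$maxdays" ] \
       || [ "$maxdays" -lt 0 ] || [ "$maxdays" -ge 10000 ]; then
        echo never
    else
        days_to_date $(( lastchg + maxdays ))
    fi
}

# accounts_never_expiring FILE: one login per line whose password never expires.
accounts_never_expiring() {
    while IFS= read -r line; do
        if [ "$(password_expires "$line")" = never ]; then
            printf '%s\n' "${line%%:*}"
        fi
    done < "$1"
}

# Report on the file given as first argument, or on the constructed sample.
SHADOW_FILE=${1:-$WORK/shadow.sample}
while IFS= read -r line; do
    printf '%-12s password expires: %s\n' "${line%%:*}" "$(password_expires "$line")"
done < "$SHADOW_FILE"
echo "never expiring: $(accounts_never_expiring "$SHADOW_FILE" | tr '\n' ' ')"
```

For the sample, galadriel expires on 2017-06-02 (17277 + 42 days), while legolas and anduin are reported as never expiring.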

In the same way we can change the passwords of the users already created and their expiration values manually, using the graphical tool «Users and groups», or using a script that automates part of the non-interactive work.

  • In this way, if we created local users in a way that does not follow the most common security practices, we can correct that before continuing to implement more PAM-based services.

If we create the user anduin with LOGIN «anduin» and password «ThePassword», we obtain the following result:

[root@linuxbox ~]# useradd anduin
[root@linuxbox ~]# passwd anduin
Changing password for user anduin.
New password: ThePassword
INCORRECT PASSWORD: The password fails the dictionary check - it is based on a dictionary word
Retype new password: ThePassword
passwd: all authentication tokens updated successfully.

In other words, the system is clever enough to point out the weaknesses of a password.

[root@linuxbox ~]# passwd anduin
Changing password for user anduin.
New password: highmountains02
Retype new password: highmountains02
passwd: all authentication tokens updated successfully.

Policy Summary

  • It is clear that the password complexity policy, as well as the minimum length of 5 characters, is enabled by default in CentOS. On Debian, the complexity check applies to normal users when they change their password with the command passwd. For the user root there are no restrictions by default.
  • It is important to know the different options that we can declare in the file /etc/login.defs; see man login.defs.
  • Also check the contents of the file /etc/default/useradd and, on Debian, /etc/adduser.conf as well.

System Users and Groups

During the installation of the operating system, a whole series of users and groups are created which some literature calls Standard Users and other literature calls System Users. We prefer to call them System Users and Groups.

As a rule, system users have a UID below 1000 and their accounts are used by the various applications of the operating system. For example, the account «squid» is used by the Squid program, while the «lp» account is used by the printing process invoked from word processors or text editors.

If we want to list those users and groups, we can do it using the commands:

[root@linuxbox ~]# cat /etc/passwd
[root@linuxbox ~]# cat /etc/group

It is not recommended at all to modify the users and groups of the system. 😉
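An added example, not part of the article: a POSIX shell script that splits a passwd-format file into system accounts (UID below 1000) and regular accounts, and additionally flags duplicate UIDs and any UID 0 account other than root, two findings that matter when reviewing a server. The passwd lines are constructed, including a deliberate second UID 0 account and a duplicate UID so the checks have something to report; the 1000 threshold is the UID_MIN default of login.defs and can be overridden through the MIN_REGULAR_UID variable (an assumption of this script, not a system setting). Pass /etc/passwd as the first argument to check a real system.

```shell
#!/bin/sh
# Added example, not from the article: classify accounts in a passwd-format
# file and flag duplicate UIDs and extra UID 0 accounts.
# Usage: sh check_passwd.sh [/etc/passwd]

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample.  "toor" and "anduin" are deliberately wrong entries:
# a second UID 0 account and a UID shared with legolas.
cat > "$WORK/passwd.sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
galadriel:x:1000:1000:Galadriel:/home/galadriel:/bin/bash
legolas:x:1001:1001:Legolas:/home/legolas:/bin/bash
toor:x:0:0:constructed second uid 0:/root:/bin/bash
anduin:x:1001:1002:constructed duplicate uid:/home/anduin:/bin/bash
EOF

# First UID of a regular (non-system) account; 1000 is the login.defs default.
MIN_REGULAR_UID=${MIN_REGULAR_UID:-1000}

# system_users FILE: logins with a UID below MIN_REGULAR_UID, in file order.
system_users() {
    awk -F: -v min="$MIN_REGULAR_UID" '$3 < min { print $1 }' "$1"
}

# regular_users FILE: logins with a UID of MIN_REGULAR_UID or above.
regular_users() {
    awk -F: -v min="$MIN_REGULAR_UID" '$3 >= min { print $1 }' "$1"
}

# duplicate_uids FILE: "UID: login login ..." for every UID used more than once.
duplicate_uids() {
    awk -F: '{ n[$3]++; who[$3] = who[$3] " " $1 }
             END { for (u in n) if (n[u] > 1) print u ":" who[u] }' "$1" | sort -n
}

# extra_root_accounts FILE: any login other than root whose UID is 0.
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Report on the file given as first argument, or on the constructed sample.
PASSWD_FILE=${1:-$WORK/passwd.sample}
echo "system users:  $(system_users "$PASSWD_FILE" | tr '\n' ' ')"
echo "regular users: $(regular_users "$PASSWD_FILE" | tr '\n' ' ')"
echo "duplicate UIDs:"
duplicate_uids "$PASSWD_FILE"
echo "UID 0 accounts other than root: $(extra_root_accounts "$PASSWD_FILE" | tr '\n' ' ')"
```

On the sample the report lists root, lp, squid and toor as system accounts, flags UID 0 (root, toor) and UID 1001 (legolas, anduin) as duplicates, and names toor as the extra UID 0 account.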

Because of its importance, we repeat that in CentOS, FreeBSD, and other operating systems, the system group wheel is created to allow access as root only to users belonging to that group. Read /usr/share/doc/pam-1.1.8/html/Linux-PAM_SAG.html. Debian does not create a wheel group.

Managing user and group accounts

The best way to learn how to manage user and group accounts is:

  • Practising the use of the commands listed above, preferably in a virtual machine, before using graphical tools.
  • Consulting the manuals or man pages of each command before searching for any other information on the Internet.

Practice is the best criterion of truth.

Summary

By far, a single article dedicated to Local User and Group Management is not enough. The depth of knowledge that each Administrator acquires will depend on their personal interest in learning more about this and other related topics, as with every aspect we have covered in the series of articles SME Networks. You can also enjoy this version in pdf here.

Next delivery

We will continue implementing services that authenticate against local users. Next we will install an instant messaging service based on the program Prosody.

See you soon!



  1.   HO2GI said

    Hello, great article. I have a question: where I work, printers are shared a lot, and the problem is with cups; sometimes it hangs and they cannot print. How can I give them permission to restart it (because most of the time we are working in other areas) without giving out the root password? The only way I found is to change it so that a specific user can restart it.
    Thank you very much in advance.

    1.    federico said

      Greetings HO2GI! For example, let's say that you want to give the user Legolas permission only to restart the CUPS service, using of course the command sudo, which must be installed:
      [root@linuxbox ~]# visudo

      # Cmnd alias specification
      Cmnd_Alias RESTARTCUPS = /etc/init.d/cups restart

      # User privilege specification
      root    ALL=(ALL:ALL) ALL
      legolas ALL=RESTARTCUPS

      Save the changes made to the sudoers file. Log in as the user Legolas:

      legolas@linuxbox:~$ sudo /etc/init.d/squid reload
      [sudo] password for legolas:
      Sorry, user legolas is not allowed to execute '/etc/init.d/postfix reload' as root on linuxbox.desdelinux.fan.
      legolas@linuxbox:~$ sudo /etc/init.d/cups restart
      [sudo] password for legolas:
      [ok] Restarting Common Unix Printing System: cupsd.

      Forgive me if the prompt differs on CentOS, because I was guided by what I just did on Debian Wheezy. ;-) Where I am right now, I don't have any CentOS on hand.

      On the other hand, if you want to add other system users as full CUPS administrators -they can misconfigure it- you make them members of the group lpadmin, which is created when you install CUPS.

      https://www.cups.org/doc/man-lpadmin.html
      http://www.computerhope.com/unix/ulpadmin.htm

      1.    HO2GI said

        Great thanks a thousand Fico I will try it right now.

  2.   federico said

    HO2GI, in CentOS / Red Hat it would be:

    [root@linuxbox ~]# visudo

    # Services
    Cmnd_Alias RESTARTCUPS = /usr/bin/systemctl restart cups, /usr/bin/systemctl status cups

    # Allow root to run any commands anywhere
    root    ALL=(ALL) ALL
    legolas ALL=RESTARTCUPS

    Save changes

    [root@linuxbox ~]# exit

    buzz@sysadmin:~$ ssh legolas@linuxbox
    legolas@linuxbox's password:

    [legolas@linuxbox ~]$ sudo systemctl restart cups

    We trust You have received the usual lecture from the Local System
    Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

    [sudo] password for legolas:
    [legolas@linuxbox ~]$ sudo systemctl status cups
    ● cups.service - CUPS Printing Service
       Loaded: loaded (/usr/lib/systemd/system/cups.service; enabled; vendor preset: enabled)
       Active: active (running) since Mar 2017-04-25 22:23:10 EDT; 6s ago
     Main PID: 1594 (cupsd)
       CGroup: /system.slice/cups.service
               └─1594 /usr/sbin/cupsd -f

    [legolas@linuxbox ~]$ sudo systemctl restart squid.service
    Sorry, user legolas is not allowed to execute '/bin/systemctl restart squid.service' as root on linuxbox.
    [legolas@linuxbox ~]$ exit