30 - User Accounts Flashcards

Question

# Deleting User Accounts When deleting a user as in: **$ sudo userdel morgan** What gets erased by default and what doesn't?

Answer 1

Removes the user's record in these files by default: * **/etc/passwd** * **/etc/shadow** * **/etc/group** Not Erased: * the users home directory **/home/morgan** * unless **-r** option is used,

Answer 2

**usermod**

Answer 3

**sudo usermod -L dexter**

Answer 4

A Locked account can run programs, but can never login to the system and have no valid password associated with them. For example, **/etc/passwd** has entries like: * *bin:x:1:1:bin:/bin:/sbin/nologin daemon: x:2:2:daemon:/sbin:/sbin/nologin** The nologin shell returns the following if a locked user tries to login to the system: **This account is currently not available.** or whatever message may be stored in **/etc/nologin.txt**.

Answer 5

* bin * daemon or sys

Answer 6

* $ sudo usermod -L dexter * $ sudo usermod -U dexter

Answer 7

$ sudo chage -E 2014-09-11 morgan Another way to lock an account is to use **chage** to change the expiration date of an account to a date in the past

Answer 8

* **username** - the user's unique name * **password** - either the hashed password (if **/etc/shadow** is not used) or a placeholder ("x" when **/etc/shadow** is used) * **UID** - user identification number * **GID** - primary group identification number for the user * **comment** - comment area, usually the user's real name * **home** - directory pathname for the user's home directory * **shell** - absolutely qualified name of the shell to invoke at login.

Answer 9

* 1000 * 1000 * UID\_MIN * /etc/login.defs Historically, Red Hat-derived distributions used UID\_MIN=500, not 1000, but beginning with RHEL 7 the more common value of 1000 was adopted.

Answer 10

* UID\_MIN

Answer 11

Use of **/etc/shadow** enables password aging on a per user basis. At the same time, it also allows for maintaining greater security of hashed passwords.

Answer 12

The default permissions of **/etc/passwd** are **644 (-rw-r--r--)**; anyone can read the file. This is unfortunately necessary because system programs and user applications need to read the information contained in the file. These system programs do not run as the user root and, in any event, only root may change the file. Of particular concern are the hashed passwords themselves. If they appear in /etc/passwd, anyone may make a copy of the hashed passwords and then make use of utilities such as Crack and John the Ripper to guess the original cleartext passwords given the hashed password. This is a security risk! **/etc/shadow** has permission settings of **400 (-r--------)**, which means that only root can access this file. This makes it more difficult for someone to collect the hashed passwords. Unless there is a compelling good reason not to, you should use the /etc/shadow file.

Answer 13

The colon-separated fields are: 1. **username**: unique user name 2. **password**: the hashed (sha512) value of the password 3. **lastchange**: days since Jan 1,1970 that password was last changed 4. **mindays**: minimum days before password can be changed 5. **maxdays**: maximum days after which password must be changed 6. **warn**: days before password expires that the user is warned 7. **grace**: days after password expires that account is disabled 8. **expire**: date that account is/will be disabled 9. **reserved**: reserved field. The **username** in each record must match exactly that found in **/etc/passwd**, and also must appear in the **identical order**. All dates are stored as the number of days since Jan. 1, 1970 (the epoch date). The password hash is the string **"$6$"** followed by an eight character salt value, which is then followed by a **$** and an **88** character (sha512) password hash.

Answer 14

**passwd** By default, the password choice is examined by **pam\_cracklib.so**, which furthers making good password choices.

Answer 15

A regular user can only change their password. While the root user can change anyones passwords.

Answer 16

**pam\_cracklib.so**

Answer 17

**chage** ## Footnote chage [-m mindays] [-M maxdays] [-d lastday] [-I inactive] [-E expiredate] [-W warndays] user Examples: **$ sudo chage -l dexter $ sudo chage -m 14 -M 30 kevlin $ sudo chage -E 2012-4-1 morgan $ sudo chage -d 0 clyde** Only the root user can use **chage**. The one exception to this is that any user can run chage **-l** to see their aging, as in the screenshot on this page. To force a user to change their password at their next login, do: **$ sudo chage -d 0 USERNAME**

Answer 18

$ bash -r * A restricted shell functions in a more tightly controlled environment than a standard shell, but otherwise functions normally. In particular, it: * Prevents the user from using cd to change directories. * Prevents the user from redefining the following environment variables: SHELL, ENV, and PATH. * Does not permit the user to specify the absolute path or executable command names starting from /. * Prevents the user from redirecting input and/or output. There are other restrictions; the best way to see them all is to do man bash and search for RESTRICTED SHELL. Restricted accounts can also be enabled by creating a symlink to **/bin/bash**, named **/bin/rbash**, and using in **/etc/passwd**, as we will discuss next. **rbash** is not secure! It is actually very easy to avoid the restrictions and modern techniques such as the use of SELinux are much more robust. We discuss only if you encounter the methods described here. Restricted Accounts: There are times when granting access to a user is necessary, but should be limited in scope. Setting up a restricted user account can be useful in this context. A restricted account: * Uses the restricted shell * Limits available system programs and user applications * Limits system resources * Limits access times * Limits access locations. From the command line, or from a script, a restricted shell may be invoked with **/bin/bash -r**. However, flags may not be specified in the **/etc/passwd** file. A simple way to get around this restriction would be to do one of the following: **$ cd /bin ; sudo ln -s bash rbash $ cd /bin ; sudo ln bash rbash $ cd /bin ; sudo cp bash rbash** and then, use **/bin/rbash** as the shell in **/etc/passwd**. When setting up such an account, one should avoid inadvertently adding system directories to the PATH environment variable; this would grant the restricted user the ability to execute other system programs, such as an unrestricted shell. Restricted accounts are also sometimes referred to as limited accounts.

Answer 19

* root * /etc/ssh/sshd\_config * /etc/securetty * /etc/securetty

Answer 20

* root * root

Answer 21

* PAM * auditd

Answer 22

To copy files from one system to another: ## Footnote **$ scp file.txt farflung.com:/tmp $ scp file.tex student@farflung.com/home/student $ scp -r some\_dir farflung.com:/tmp/some\_dir**

Answer 23

To run a command on multiple machines simultaneously: $for machines in node1 node2 node3 do (ssh $machines some\_command &) done

Answer 24

Every user had a **.ssh** config directory with config files in thier home directory. You can configure SSH further to expedite its use, in particular to permit logging in without a password. User-specific configuration files are created under every user's home directory in the hidden .ssh directory:

Answer 25

**id\_rsa**: the user's private encryption key **id\_rsa.pub**: the user's public encryption key **authorized\_keys**: A list of public keys that are permitted to login **known\_hosts**: A list of hosts from which logins have been allowed in the past **config**: A configuration file for specifying various options.

Answer 26

1. First, a user has to generate their **private** and **public** encryption keys with ssh-keygen: 1. $ ssh-keygen 1. .ssh/**id\_rsa** (private key generated) 2. .ssh/**id\_rsa.pub** (public key generated) The public key can be given to any machine with which you want to permit password-less access. It should also be added to your **authorized\_keys** file, together with all the public keys from other users who have accounts on your machine and you want to permit password-less access to their accounts. The **.ssh**/**known\_hosts** file is gradually built up as ssh accesses occur. If the system detects changes in the users who are trying to log in through ssh, it will warn you of them and afford the opportunity to deny access. Note that the **authorized\_keys** file contains information about users and machines: $ cat **authorized\_keys** ssh-rsa AAAAB3NzaC1yc2EAAAADAQ ...0000aSd...hilda@sbc while the **known\_hosts** only contains information about computer nodes: $ cat **known\_hosts** 192.30.252.129 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSw ....BK6Tb...==

Answer 27

The **known\_hosts** file is gradually built up as ssh accesses occur. If the system detects changes in the users who are trying to log in through ssh, it will warn you of them and afford the opportunity to deny access. Note that the **authorized\_keys** file contains information about users and machines: $ cat **authorized\_keys** ssh-rsa AAAAB3NzaC1yc2EAAAADAQ ...0000aSd...hilda@sbc while the **known\_hosts** only contains information about computer nodes: $ cat **known\_hosts** 192.30.252.129 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSw ....BK6Tb...== You can examine the **man ssh\_config** page to see what kinds of options can go into the ssh configuration files.

Answer 28

**man ssh\_config**

Answer 29

**tigervnc**

Answer 30

Virtual Network Computing

Answer 31

* vncserver * vncviewer **which vncserver vncviewer** ``` */usr/bin/vncserver /usr/bin/vncviewer* ``` **$ sudo [dnf|yum|zypper|apt-get] install tigervnc\***

Answer 32

1. Start the with 1. **$ vncserver** 2. Test the vnc server locally 1. **$ vncviewer localhost:2** 2. You may have to play with numbers other than 2, such as 1, 3, 4..., depending on what you are running at the moment, and how your machine is configured. 3. View the vnc server remotely 1. vncviewer -via username@host\_machine localhost:2 If you get a rather strange message about having to authenticate because of 'color profile', and no passwords work, you have to kill the colord daemon on the server machine, as in: **$ sudo systemctl stop colord** This is a bug (not a feature), and it will only appear in some distributions and some systems for unclear reasons.