<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <HTML> <HEAD> <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9"> <TITLE>Linux Shadow Password HOWTO: Putting the Shadow Suite to use.</TITLE> <LINK HREF="Shadow-Password-HOWTO-8.html" REL=next> <LINK HREF="Shadow-Password-HOWTO-6.html" REL=previous> <LINK HREF="Shadow-Password-HOWTO.html#toc7" REL=contents> </HEAD> <BODY> <A HREF="Shadow-Password-HOWTO-8.html">Next</A> <A HREF="Shadow-Password-HOWTO-6.html">Previous</A> <A HREF="Shadow-Password-HOWTO.html#toc7">Contents</A> <HR> <H2><A NAME="sec-work"></A> <A NAME="s7">7. Putting the Shadow Suite to use.</A></H2> <P>This section discusses some of the things that you will want to know now that you have the <EM>Shadow Suite</EM> installed on your system. More information is contained in the manual pages for each command. <P> <H2><A NAME="ss7.1">7.1 Adding, Modifying, and deleting users</A> </H2> <P>The <EM>Shadow Suite</EM> added the following command line oriented commands for adding, modifying, and deleting users. You may also have installed the <CODE>adduser</CODE> program. <P> <H3>useradd</H3> <P>The <CODE>useradd</CODE> command can be used to add users to the system. You also invoke this command to change the default settings. <P>The first thing that you should do is to examine the default settings and make changes specific to your system: <BLOCKQUOTE><CODE> <PRE> useradd -D </PRE> </CODE></BLOCKQUOTE> <HR> <PRE> GROUP=1 HOME=/home INACTIVE=0 EXPIRE=0 SHELL= SKEL=/etc/skel </PRE> <HR> <P>The defaults are probably not what you want, so if you started adding users now you would have to specify all the information for each user. However, we can and should change the default values. <P>On my system: <UL> <LI>I want the default group to be 100</LI> <LI>I want passwords to expire every 60 days</LI> <LI>I don't want to lock an account because the password is expired</LI> <LI>I want to default shell to be <CODE>/bin/bash</CODE></LI> </UL> To make these changes I would use: <BLOCKQUOTE><CODE> <PRE> useradd -D -g100 -e60 -f0 -s/bin/bash </PRE> </CODE></BLOCKQUOTE> <P>Now running <CODE>useradd -D</CODE> will give: <HR> <PRE> GROUP=100 HOME=/home INACTIVE=0 EXPIRE=60 SHELL=/bin/bash SKEL=/etc/skel </PRE> <HR> <P>Just in case you wanted to know, these defaults are stored in the file <CODE>/etc/default/useradd</CODE>. <P>Now you can use <CODE>useradd</CODE> to add users to the system. For example, to add the user <CODE>fred</CODE>, using the defaults, you would use the following: <BLOCKQUOTE><CODE> <PRE> useradd -m -c "Fred Flintstone" fred </PRE> </CODE></BLOCKQUOTE> This will create the following entry in the <CODE>/etc/passwd</CODE> file: <BLOCKQUOTE><CODE> <PRE> fred:*:505:100:Fred Flintstone:/home/fred:/bin/bash </PRE> </CODE></BLOCKQUOTE> And the following entry in the <CODE>/etc/shadow</CODE> file: <BLOCKQUOTE><CODE> <PRE> fred:!:0:0:60:0:0:0:0 </PRE> </CODE></BLOCKQUOTE> <CODE>fred</CODE>'s home directory will be created and the contents of <CODE>/etc/skel</CODE> will be copied there because of the <CODE>-m</CODE> switch. <P>Also, since we did not specify a UID, the next available one was used. <P><CODE>fred</CODE>'s account is created, but <CODE>fred</CODE> still won't be able to login until we unlock the account. We do this by changing the password. <BLOCKQUOTE><CODE> <PRE> passwd fred </PRE> </CODE></BLOCKQUOTE> <HR> <PRE> Changing password for fred Enter the new password (minimum of 5 characters) Please use a combination of upper and lower case letters and numbers. New Password: ******* Re-enter new password: ******* </PRE> <HR> Now the <CODE>/etc/shadow</CODE> will contain: <BLOCKQUOTE><CODE> <PRE> fred:J0C.WDR1amIt6:9559:0:60:0:0:0:0 </PRE> </CODE></BLOCKQUOTE> And <CODE>fred</CODE> will now be able to login and use the system. The nice thing about <CODE>useradd</CODE> and the other programs that come with the <EM>Shadow Suite</EM> is that they make changes to the <CODE>/etc/passwd</CODE> and <CODE>/etc/shadow</CODE> files atomically. So if you are adding a user, and another user is changing their password at the same time, both operations will be performed correctly. <P>You should use the supplied commands rather than directly editing <CODE>/etc/passwd</CODE> and <CODE>/etc/shadow</CODE>. If you were editing the <CODE>/etc/shadow</CODE> file, and a user were to change his password while you are editing, and then you were to save the file you were editing, the user's password change would be lost. <P>Here is a small interactive script that adds users using <CODE>useradd</CODE> and <CODE>passwd</CODE>: <HR> <PRE> #!/bin/bash # # /sbin/newuser - A script to add users to the system using the Shadow # Suite's useradd and passwd commands. # # Written my Mike Jackson <mhjack@tscnet.com> as an example for the Linux # Shadow Password Howto. Permission to use and modify is expressly granted. # # This could be modified to show the defaults and allow modification similar # to the Slackware Adduser program. It could also be modified to disallow # stupid entries. (i.e. better error checking). # ## # Defaults for the useradd command ## GROUP=100 # Default Group HOME=/home # Home directory location (/home/username) SKEL=/etc/skel # Skeleton Directory INACTIVE=0 # Days after password expires to disable account (0=never) EXPIRE=60 # Days that a passwords lasts SHELL=/bin/bash # Default Shell (full path) ## # Defaults for the passwd command ## PASSMIN=0 # Days between password changes PASSWARN=14 # Days before password expires that a warning is given ## # Ensure that root is running the script. ## WHOAMI=`/usr/bin/whoami` if [ $WHOAMI != "root" ]; then echo "You must be root to add news users!" exit 1 fi ## # Ask for username and fullname. ## echo "" echo -n "Username: " read USERNAME echo -n "Full name: " read FULLNAME # echo "Adding user: $USERNAME." # # Note that the "" around $FULLNAME is required because this field is # almost always going to contain at least on space, and without the "'s # the useradd command would think that you we moving on to the next # parameter when it reached the SPACE character. # /usr/sbin/useradd -c"$FULLNAME" -d$HOME/$USERNAME -e$EXPIRE \ -f$INACTIVE -g$GROUP -m -k$SKEL -s$SHELL $USERNAME ## # Set password defaults ## /bin/passwd -n $PASSMIN -w $PASSWARN $USERNAME >/dev/null 2>&1 ## # Let the passwd command actually ask for password (twice) ## /bin/passwd $USERNAME ## # Show what was done. ## echo "" echo "Entry from /etc/passwd:" echo -n " " grep "$USERNAME:" /etc/passwd echo "Entry from /etc/shadow:" echo -n " " grep "$USERNAME:" /etc/shadow echo "Summary output of the passwd command:" echo -n " " passwd -S $USERNAME echo "" </PRE> <HR> <P>Using a script to add new users is really much more preferable than editing the <CODE>/etc/passwd</CODE> or <CODE>/etc/shadow</CODE> files directly or using a program like the Slackware <CODE>adduser</CODE> program. Feel free to use and modify this script for your particular system. <P>For more information on the <CODE>useradd</CODE> see the online manual page. <P> <H3>usermod</H3> <P>The <CODE>usermod</CODE> program is used to modify the information on a user. The switches are similar to the <CODE>useradd</CODE> program. <P>Let's say that you want to change <CODE>fred</CODE>'s shell, you would do the following: <BLOCKQUOTE><CODE> <PRE> usermod -s /bin/tcsh fred </PRE> </CODE></BLOCKQUOTE> Now <CODE>fred</CODE>'s <CODE>/etc/passwd</CODE> file entry would be change to this: <BLOCKQUOTE><CODE> <PRE> fred:*:505:100:Fred Flintstone:/home/fred:/bin/tcsh </PRE> </CODE></BLOCKQUOTE> Let's make <CODE>fred</CODE>'s account expire on 09/15/97: <BLOCKQUOTE><CODE> <PRE> usermod -e 09/15/97 fred </PRE> </CODE></BLOCKQUOTE> Now <CODE>fred</CODE>'s entry in <CODE>/etc/shadow</CODE> becomes: <BLOCKQUOTE><CODE> <PRE> fred:J0C.WDR1amIt6:9559:0:60:0:0:10119:0 </PRE> </CODE></BLOCKQUOTE> <P>For more information on the <CODE>usermod</CODE> command see the online manual page. <P> <H3>userdel</H3> <P><CODE>userdel</CODE> does just what you would expect, it deletes the user's account. You simply use: <BLOCKQUOTE><CODE> <PRE> userdel -r username </PRE> </CODE></BLOCKQUOTE> The <CODE>-r</CODE> causes all files in the user's home directory to be removed along with the home directory itself. Files located in other file system will have to be searched for and deleted manually. <P>If you want to simply lock the account rather than delete it, use the <CODE>passwd</CODE> command instead. <P> <H2><A NAME="ss7.2">7.2 The passwd command and passwd aging.</A> </H2> <P>The <CODE>passwd</CODE> command has the obvious use of changing passwords. Additionally, it is used by the <EM>root</EM> user to: <UL> <LI>Lock and unlock accounts (<CODE>-l</CODE> and <CODE>-u</CODE>)</LI> <LI>Set the maximum number of days that a password remains valid (<CODE>-x</CODE>)</LI> <LI>Set the minimum days between password changes (<CODE>-n</CODE>)</LI> <LI>Sets the number of days of warning that a password is about to expire (<CODE>-w</CODE>)</LI> <LI>Sets the number of days after the password expires before the account is locked (<CODE>-i</CODE>)</LI> <LI>Allow viewing of account information in a clearer format (<CODE>-S</CODE>)</LI> </UL> <P>For example, let look again at <CODE>fred</CODE> <BLOCKQUOTE><CODE> <PRE> passwd -S fred fred P 03/04/96 0 60 0 0 </PRE> </CODE></BLOCKQUOTE> This means that <CODE>fred</CODE>'s password is valid, it was last changed on 03/04/96, it can be changed at any time, it expires after 60 days, fred will not be warned, and and the account won't be disabled when the password expires. <P>This simply means that if <CODE>fred</CODE> logs in after the password expires, he will be prompted for a new password at login. <P>If we decide that we want to warn <CODE>fred</CODE> 14 days before his password expires and make his account inactive 14 days after he lets it expire, we would need to do the following: <BLOCKQUOTE><CODE> <PRE> passwd -w14 -i14 fred </PRE> </CODE></BLOCKQUOTE> Now <CODE>fred</CODE> is changed to: <BLOCKQUOTE><CODE> <PRE> fred P 03/04/96 0 60 14 14 </PRE> </CODE></BLOCKQUOTE> For more information on the <CODE>passwd</CODE> command see the online manual page. <P> <H2><A NAME="ss7.3">7.3 The login.defs file.</A> </H2> <P>The file <CODE>/etc/login</CODE> is the configuration file for the <CODE>login</CODE> program and also for the <EM>Shadow Suite</EM> as a whole. <P><CODE>/etc/login</CODE> contains settings from what the prompts will look like to what the default expiration will be when a user changes his password. <P>The <CODE>/etc/login.defs</CODE> file is quite well documented just by the comments that are contained within it. However, there are a few things to note: <UL> <LI>It contains flags that can be turned on or off that determine the amount of logging that takes place.</LI> <LI>It contains pointers to other configuration files.</LI> <LI>It contains defaults assignments for things like password aging.</LI> </UL> <P>From the above list you can see that this is a rather important file, and you should make sure that it is present, and that the settings are what you desire for your system. <P> <H2><A NAME="ss7.4">7.4 Group passwords.</A> </H2> <P>The <CODE>/etc/groups</CODE> file may contain passwords that permit a user to become a member of a particular group. This function is enabled if you define the constant <CODE>SHADOWGRP</CODE> in the <CODE>/usr/src/shadow-YYMMDD/config.h</CODE> file. <P>If you define this constant and then compile, you must create an <CODE>/etc/gshadow</CODE> file to hold the group passwords and the group administrator information. <P>When you created the <CODE>/etc/shadow</CODE>, you used a program called <CODE>pwconv</CODE>, there no equivalent program to create the <CODE>/etc/gshadow</CODE> file, but it really doesn't matter, it takes care of itself. <P>To create the initial <CODE>/etc/gshadow</CODE> file do the following: <BLOCKQUOTE><CODE> <PRE> touch /etc/gshadow chown root.root /etc/gshadow chmod 700 /etc/gshadow </PRE> </CODE></BLOCKQUOTE> <P>Once you create new groups, they will be added to the <CODE>/etc/group</CODE> and the <CODE>/etc/gshadow</CODE> files. If you modify a group by adding or removing users or changing the group password, the <CODE>/etc/gshadow</CODE> file will be changed. <P>The programs <CODE>groups</CODE>, <CODE>groupadd</CODE>, <CODE>groupmod</CODE>, and <CODE>groupdel</CODE> are provided as part of the <EM>Shadow Suite</EM> to modify groups. <P>The format of the <CODE>/etc/group</CODE> file is as follows: <BLOCKQUOTE><CODE> <PRE> groupname:!:GID:member,member,... </PRE> </CODE></BLOCKQUOTE> Where: <DL> <DT><B><CODE>groupname</CODE></B><DD><P>The name of the group <DT><B><CODE>!</CODE></B><DD><P>The field that normally holds the password, but that is now relocated to the <CODE>/etc/gshadow</CODE> file. <DT><B><CODE>GID</CODE></B><DD><P>The numerical group ID number <DT><B><CODE>member</CODE></B><DD><P>List of group members </DL> <P>The format of the <CODE>/etc/gshadow</CODE> file is as follows: <BLOCKQUOTE><CODE> <PRE> groupname:password:admin,admin,...:member,member,... </PRE> </CODE></BLOCKQUOTE> Where: <DL> <DT><B><CODE>groupname</CODE></B><DD><P>The name of the group <DT><B><CODE>password</CODE></B><DD><P>The encoded group password. <DT><B><CODE>admin</CODE></B><DD><P>List of group administrators <DT><B><CODE>member</CODE></B><DD><P>List of group members </DL> <P>The command <CODE>gpasswd</CODE> is used only for adding or removing administrators and members to or from a group. <CODE>root</CODE> or someone in the list of administrators may add or remove group members. <P>The groups password can be changed using the <CODE>passwd</CODE> command by <EM>root</EM> or anyone listed as an administrator for the group. <P>Despite the fact that there is not currently a manual page for <CODE>gpasswd</CODE>, typing <CODE>gpasswd</CODE> without any parameters gives a listing of options. It's fairly easy to grasp how it all works once you understand the file formats and the concepts. <P> <P> <H2><A NAME="ss7.5">7.5 Consistency checking programs</A> </H2> <P> <P> <H3>pwck</H3> <P>The program <CODE>pwck</CODE> is provided to provide a consistency check on the <CODE>/etc/passwd</CODE> and <CODE>/etc/shadow</CODE> files. It will check each username and verify that it has the following: <UL> <LI>the correct number of fields</LI> <LI>unique user name</LI> <LI>valid user and group identifier</LI> <LI>valid primary group</LI> <LI>valid home directory</LI> <LI>valid login shell</LI> </UL> <P>It will also warn of any account that has no password. <P>It's a good idea to run <CODE>pwck</CODE> after installing the <EM>Shadow Suite</EM>. It's also a good idea to run it periodically, perhaps weekly or monthly. If you use the <CODE>-r</CODE> option, you can use <CODE>cron</CODE> to run it on a regular basis and have the report mailed to you. <P> <H3>grpck</H3> <P><CODE>grpck</CODE> is the consistency checking program for the <CODE>/etc/group</CODE> and <CODE>/etc/gshadow</CODE> files. It performs the following checks: <UL> <LI>the correct number of fields</LI> <LI>unique group name</LI> <LI>valid list of members and administrators</LI> </UL> <P>It also has the <CODE>-r</CODE> option for automated reports. <P> <H2><A NAME="ss7.6">7.6 Dial-up passwords.</A> </H2> <P>Dial-up passwords are another optional line of defense for systems that allow dial-in access. If you have a system that allows many people to connect locally or via a network, but you want to limit who can dial in and connect, then dial-up passwords are for you. To enable dial-up passwords, you must edit the file <CODE>/etc/login.defs</CODE> and ensure that <CODE>DIALUPS_CHECK_ENAB</CODE> is set to <CODE>yes</CODE>. <P>Two files contain the dial-up information, <CODE>/etc/dialups</CODE> which contains the ttys (one per line, with the leading "/dev/" removed). If a tty is listed then dial-up checks are performed. <P>The second file is the <CODE>/etc/d_passwd</CODE> file. This file contains the fully qualified path name of a shell, followed by an optional password. <P>If a user logs into a line that is listed in <CODE>/etc/dialups</CODE>, and his shell is listed in the file <CODE>/etc/d_passwd</CODE> he will be allowed access only by suppling the correct password. <P>Another useful purpose for using dial-up passwords might be to setup a line that only allows a certain type of connect (perhaps a PPP or UUCP connection). If a user tries to get another type of connection (i.e. a list of shells), he must know a password to use the line. <P>Before you can use the dial-up feature, you must create the files. <P>The command <CODE>dpasswd</CODE> is provided to assign passwords to the shells in the <CODE>/etc/d_passwd</CODE> file. See the manual page for more information. <P> <P> <HR> <A HREF="Shadow-Password-HOWTO-8.html">Next</A> <A HREF="Shadow-Password-HOWTO-6.html">Previous</A> <A HREF="Shadow-Password-HOWTO.html#toc7">Contents</A> </BODY> </HTML>