Users & Groups Management in Linux
Add new user
# useradd --create-home -d /home/mike -s /bin/bash mike
Verify
# cat /etc/passwd |grep mike
mike:x:501:501::/home/mike:/bin/bash
#
Add new group
# groupadd SAP
Add user to a group
# usermod -aG SAP mike
Find user group membership
# groups mike
mike : mike SAP
#
User Status
# passwd -S mike
mike LK 2012-10-08 0 99999 7 -1 (Password locked.)
#
Set User password
# passwd mike
User Status
# passwd -S mike
mike PS 2012-10-09 0 99999 7 -1 (Password set, MD5 crypt.)
#
| NP | Indicates the user has no password (NP). |
| PS | User has an existing or locked password (PS). The second part gives the date of the last password change. |
| LK | Indicates the user account is locked. |
| 2012-10-09 | Indicates the last time the user logged in. |
| 0 | Indicates the user can change his password at any time. |
| 10 | Indicates the password will expire in 10 days, meaning the user has to change the password within 10 days. 99999 means the password never expires. |
| 7 | Indicates the user will keep receiving an alert at every login reminding him to change the password. |
| -1 | Indicates inactivity. |
Delete User Password
# passwd -d mike
Removing password for user mike.
passwd: Success
#
Verify
# passwd -S mike
mike NP 2012-10-09 0 99999 7 -1 (Empty password.)
#
Lock a user account
# passwd -l mike
Locking password for user mike.
passwd: Success
#
Verify
# passwd -S mike
mike LK 2012-10-09 0 99999 7 -1 (Password locked.)
#
Unlock an account
# passwd -u mike
Unlocking password for user mike.
passwd: Success.
#
Verify
# passwd -S mike
mike PS 2012-10-09 0 99999 7 -1 (Password set, MD5 crypt.)
#
Lock/Unlock user account with Usermod
# usermod -L mike
# usermod -U mike
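The NP, LK and PS states shown above can be checked across many accounts at once. The following is an added example, not part of the original page, that audits lines in the passwd -S format; the sample lines are constructed and every user except mike is hypothetical.

```shell
#!/bin/sh
# Added example: audit status lines in the `passwd -S` format shown above.
# SAMPLE is constructed; sapadm, alice and bob are hypothetical users.
SAMPLE='mike NP 2012-10-09 0 99999 7 -1 (Empty password.)
sapadm LK 2012-10-09 0 99999 7 -1 (Password locked.)
alice PS 2012-10-09 0 10 7 -1 (Password set, MD5 crypt.)
bob PS 2012-10-09 0 99999 7 -1 (Password set, MD5 crypt.)'

# audit_status: read `passwd -S` lines on stdin, print one finding per line.
# Fields: 1 user, 2 status, 3 date of last password change,
#         4 min days, 5 max days, 6 warning days, 7 inactive days.
audit_status() {
    awk '
    NF == 0    { next }
    NF < 7     { printf "SKIP malformed line: %s\n", $0; next }
    $2 == "NP" { printf "CRITICAL %s: empty password\n", $1; next }
    $2 == "LK" { printf "INFO %s: password locked\n", $1; next }
    $2 == "PS" && $5 >= 99999 {
                 printf "WARN %s: password never expires\n", $1; next }
    $2 == "PS" { printf "OK %s: password set, max age %s days\n", $1, $5; next }
               { printf "SKIP %s: unknown status %s\n", $1, $2 }
    '
}

# count_critical: number of accounts on stdin that have an empty password.
count_critical() {
    audit_status | awk '/^CRITICAL/ { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE" | audit_status
```

LK is reported separately because a locked password does not by itself disable the account: per passwd(1), login with another authentication token such as an SSH key may still succeed.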
User Gecos
# chfn mike
Changing finger information for mike.
Name []: Mike Shaw
Office []:
Office Phone []:
Home Phone []:
Finger information changed.
#
Verify
# finger mike
Login: mike Name: Mike Shaw
Directory: /home/mike Shell: /bin/bash
Last login Fri Oct 9 17:37 (PDT) on pts/2 from 192.168.2.20
No mail.
No Plan.
#
Password Related Commands
# chage -l mike
Last password change                                    : Oct 10, 2012
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
#
# chage -M 10 mike
# chage -l mike
Last password change                                    : Oct 10, 2012
Password expires                                        : Oct 20, 2012
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 10
Number of days of warning before password expires       : 7
#
# chage -m 3 mike
# chage -l mike
Last password change                                    : Oct 10, 2012
Password expires                                        : Oct 20, 2012
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 3
Maximum number of days between password change          : 10
Number of days of warning before password expires       : 7
#
Set Account Expiry Date for a User
# chage -E "2012-12-31" mike
# chage -l mike
Last password change                                    : Oct 10, 2012
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : Dec 31, 2012
Minimum number of days between password change          : 3
Maximum number of days between password change          : 10
Number of days of warning before password expires       : 7
#
Increase Password Expire date without resetting the password
# chage -E "2013-02-28" mike
# chage -l mike
Last password change                                    : Oct 10, 2012
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : Feb 28, 2013
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
#
Forcing the users to change the password on next logon
# chage -d 0 mike
# chage -l mike
Last password change                                    : password must be changed
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : Dec 31, 2012
Minimum number of days between password change          : 3
Maximum number of days between password change          : 20
Number of days of warning before password expires       : 7
#
Disable password aging for a user account or for a service account
To turn off the password expiration for a user account, set the following:
-m 0 will set the minimum number of days between password change to 0
-M 99999 will set the maximum number of days between password changes to 99999
-I -1 (number minus one) will set the “Password inactive” to never
-E -1 (number minus one) will set “Account expires” to never.
# chage -m 0 -M 99999 -I -1 -E -1 mike
# chage -l mike
Last password change                                    : Oct 10, 2012
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
#
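The values chage -l prints are derived from the aging fields of /etc/shadow. As an added example (not from the original page), this sketch computes "Password expires" and "Account expires" from a constructed shadow line; it assumes GNU date and treats a maximum of 99999 as "never", which is a simplification of chage's own logic.

```shell
#!/bin/sh
# Added example: relate /etc/shadow aging fields to `chage -l` output.
# SHADOW_LINE is constructed; its hash field is a placeholder, not a real hash.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# (lastchg and expire are counted in days since 1970-01-01).
SHADOW_LINE='mike:$1$PLACEHOLDER:15623:3:10:7::15705:'

# day_to_date DAYS: days since the epoch -> "Mon DD, YYYY" (assumes GNU date).
day_to_date() {
    LC_ALL=C date -u -d "@$(( $1 * 86400 ))" '+%b %d, %Y'
}

# shadow_field LINE N: print field N of a shadow line.
shadow_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# password_expires LINE: what the aging fields imply for the password.
password_expires() {
    lastchg=$(shadow_field "$1" 3)
    max=$(shadow_field "$1" 5)
    if [ "$lastchg" = 0 ]; then
        echo "password must be changed"   # state left by `chage -d 0`
    elif [ -z "$lastchg" ] || [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo "never"                      # aging disabled, as with -M 99999
    else
        day_to_date $(( lastchg + max ))  # last change + maximum age
    fi
}

# account_expires LINE: an empty field 8 (as after `chage -E -1`) means never.
account_expires() {
    expire=$(shadow_field "$1" 8)
    if [ -z "$expire" ]; then echo "never"; else day_to_date "$expire"; fi
}

echo "Password expires : $(password_expires "$SHADOW_LINE")"
echo "Account expires  : $(account_expires "$SHADOW_LINE")"
```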
Setup Failed Login Attempts
Edit the following PAM configuration file and append the lines below to record failed login attempts. (pam_tally has since been removed from Linux-PAM in favour of pam_faillock, so this applies to older releases.)
# vi /etc/pam.d/system-auth
auth required pam_tally.so no_magic_root
account required pam_tally.so deny=5 no_magic_root lock_time=180
Now make some unsuccessful attempts for user mike
# faillog -u mike
Login       Failures Maximum Latest                   On
mike            6       10   10/09/13 18:56:53 -0700  192.168.2.2
#
Reset login count & verify
# faillog -r -u mike
# faillog -u mike
Login       Failures Maximum Latest                   On
mike            0       10   10/09/13 18:56:53 -0700  192.168.2.2
#