CT320: Network and System Administration
Accounts and Namespaces
Thanks to Dr. James Walden, NKU, Russ Wakefield, CSU,
and Dr. Indrajit Ray, CSU, for contents of these slides
Topics
- UNIX User Accounts
- Passwords
- User Management
- Namespaces
UNIX Accounts
- Account Components
- Username
- UID
- Password
- Home directory
- Account Files
- /etc/passwd
- /etc/shadow
- /etc/group
- Account Management
- Adding users
- Removing and disabling users
- Account/password policies
/etc/passwd, /etc/shadow
Central file(s) describing UNIX user accounts. Fields, in order:
/etc/passwd | /etc/shadow |
Username | Username |
x (password lives in /etc/shadow) | Encrypted (hashed) password |
UID | Date of last pw change |
Default GID | Days until change allowed |
GCOS | Days until change required |
Home directory | Expiration warning time |
Login shell | Expiration date |
Example entry for one user, first from /etc/passwd, then from /etc/shadow:
student:x:1000:1000:Example User,,555-1212,:/home/student:/bin/bash
student:$1$w/UuKtLF$otSSvXtSN/xJzUOGFElNz0:13226:0:99999:7:::
Username
- Syntax
- Each username must be unique.
- 8 or fewer chars (32 on some systems)
- Any character except : or newline
- Issues
- Naming standards: applin, j_applin, or neutron?
- How to ensure that usernames are unique?
- System uses UIDs internally
UIDs
- UIDs are 32-bit non-negative integers.
- Standards
- The super-user, root, is UID 0.
- System accounts have low UIDs (≤1000)
- Uniqueness
- Multiple usernames can have same UID!
- Re-using UIDs may give away files to new user.
- Distributed systems may require unique UIDs across organizational boundaries.
Password
- Syntax
- Length: unlimited (MD5, SHA1), 8 chars (crypt)
- Chars: anything except newline, though certain control chars may be interpreted by system.
- Stored in “encrypted” (really, hashed) format
- Hashed: crypt, MD5, SHA1
- Salted: 12-bit salt means 4096 different hashes for each password
- Makes pre-computed hash dictionaries 4096 times as large.
Encrypted Password
Password field | Meaning |
x | no password here, it’s in /etc/shadow |
* | login forbidden |
nothing (empty field) | no password needed |
$1$salt$hash | MD5 |
$2a$salt$hash | Blowfish |
$2y$salt$hash | Blowfish (correct handling of 8-bit chars) |
$3$salt$hash | NT LAN Manager hash algorithm |
$4$salt$hash | SHA-1 |
$5$salt$hash | SHA-256 |
$6$salt$hash | SHA-512 |
13-char string | original DES hashing algorithm |
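Added example (not part of the original slides): a small shell audit that classifies the password field by the prefixes in the table above and flags the weak cases, i.e. an empty field (no password needed), DES (13 characters) and MD5. The sample shadow file is constructed; its hash strings only have the right shape and are not real hashes. The "!" prefix is what passwd -l prepends when it locks an account and is treated like "*".

```shell
#!/bin/sh
# Added example: classify shadow/passwd password fields by prefix and
# flag weak ones. Sample entries are CONSTRUCTED (hash strings are
# placeholders shaped like real hashes). Run "audit_shadow /etc/shadow"
# as root to check a real host.
SHADOW=$(mktemp)
trap 'rm -f "$SHADOW"' EXIT
cat > "$SHADOW" <<'EOF'
root:$6$saltsalt$placeholderSHA512hashplaceholderSHA512hashplaceholderSHA512hashplaceholder:13226:0:99999:7:::
student:$1$w/UuKtLF$otSSvXtSN/xJzUOGFElNz0:13226:0:99999:7:::
legacy:ab/Cd3Ef4Gh5I:13226:0:99999:7:::
guest::13226:0:99999:7:::
daemon:*:13226:0:99999:7:::
svc:!:13226:0:99999:7:::
EOF

# hash_type FIELD: name the algorithm (or special meaning) of one
# password field. "!" is what "passwd -l" prepends when locking.
hash_type() {
    case "$1" in
        '')               echo "none (no password needed)" ;;
        x)                echo "shadowed (real hash is in /etc/shadow)" ;;
        '*'*|'!'*)        echo "locked (login forbidden)" ;;
        '$1$'*)           echo "MD5" ;;
        '$2a$'*|'$2y$'*)  echo "Blowfish" ;;
        '$3$'*)           echo "NT LAN Manager" ;;
        '$4$'*)           echo "SHA-1" ;;
        '$5$'*)           echo "SHA-256" ;;
        '$6$'*)           echo "SHA-512" ;;
        *) if [ "${#1}" -eq 13 ]; then echo "DES"; else echo "unknown"; fi ;;
    esac
}

# audit_shadow FILE: one line per account, "<user>: <type>", with a WEAK
# marker for empty, DES and MD5 fields (all three are cheap to crack offline).
audit_shadow() {
    while IFS=: read -r user hash rest; do
        t=$(hash_type "$hash")
        case "$t" in
            none*|DES|MD5) echo "$user: $t  WEAK, reset so it is rehashed with SHA-512" ;;
            *)             echo "$user: $t" ;;
        esac
    done < "$1"
}

# weak_users FILE: just the usernames flagged by audit_shadow, on one line.
weak_users() {
    audit_shadow "$1" | awk -F: '/WEAK/ { s = s (s == "" ? "" : " ") $1 } END { print s }'
}

audit_shadow "$SHADOW"
echo "weak: $(weak_users "$SHADOW")"
```

The classifier is driven purely by the leading characters, which is all login(1) and crypt(3) use as well; the length test for DES is the fallback because the original algorithm has no prefix at all.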
GID
- GIDs are 32-bit non-negative integers.
- Each user has a default GID.
- File group ownership set to default GID
- Temporarily change default GID with the newgrp command
- Groups are described in /etc/group
- Users may belong to multiple groups.
- Format: group name, pw, GID, user list
wheel:x:10:root,waldenj,bergs
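Added example (not from the slides): shell functions that parse the passwd and group formats shown above and check the two uniqueness rules from the Username and UIDs slides, that a username is free before it is created (a flat namespace) and that no UID, and in particular UID 0, is shared by several accounts. It also resolves a user's full group list (default GID plus supplementary groups). The passwd and group files are constructed copies in a temp directory; the accounts toor and bergs are made up to show the duplicate-UID cases. Point the functions at /etc/passwd and /etc/group to audit a real host.

```shell
#!/bin/sh
# Added example: parse /etc/passwd and /etc/group, audit UID uniqueness
# and list group memberships. Works on CONSTRUCTED copies in a temp dir,
# never on the real files, so it runs without root.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
PASSWD="$SANDBOX/passwd"
GROUP="$SANDBOX/group"

# Constructed sample entries; "toor" and "bergs" deliberately reuse UIDs.
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
student:x:1000:1000:Example User,,555-1212,:/home/student:/bin/bash
waldenj:x:1001:1000:James Walden:/home/waldenj:/bin/bash
toor:x:0:0:second UID 0 account:/root:/bin/sh
bergs:x:1001:1001:shares UID with waldenj:/home/bergs:/bin/zsh
EOF
cat > "$GROUP" <<'EOF'
root:x:0:
student:x:1000:
wheel:x:10:root,waldenj,bergs
staff:x:50:student,waldenj
EOF

# passwd_fields USER FILE: print "user uid gid home shell" for one account.
passwd_fields() {
    awk -F: -v u="$1" '$1 == u { print $1, $3, $4, $6, $7 }' "$2"
}

# name_is_free NAME FILE: "yes" if no account has that username. Usernames
# are a flat namespace, so a collision must be rejected before adding.
name_is_free() {
    if awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$2"; then
        echo no
    else
        echo yes
    fi
}

# duplicate_uids FILE: one line "<uid> user1,user2" per UID that several
# usernames share, sorted numerically. Ideally prints nothing.
duplicate_uids() {
    awk -F: '{ names[$3] = ($3 in n) ? names[$3] "," $1 : $1; n[$3]++ }
             END { for (uid in n) if (n[uid] > 1) print uid, names[uid] }' "$1" |
        sort -n
}

# uid0_accounts FILE: every username with UID 0 on one line; only "root"
# should ever appear.
uid0_accounts() {
    awk -F: '$3 == 0 { s = s (s == "" ? "" : " ") $1 } END { print s }' "$1"
}

# user_groups USER PASSWD GROUP: the user's default group (looked up by
# the GID in passwd) plus every group whose member list names the user.
user_groups() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$2")
    awk -F: -v u="$1" -v g="$gid" '
        $3 == g { print $1; next }
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break } }' "$3" |
        sort -u | tr '\n' ' ' | sed 's/ $//'
}

echo "UID 0 accounts: $(uid0_accounts "$PASSWD")"
echo "Duplicate UIDs:"
duplicate_uids "$PASSWD"
echo "Groups of waldenj: $(user_groups waldenj "$PASSWD" "$GROUP")"
echo "Is 'student' free? $(name_is_free student "$PASSWD")"
```

Note that the default group is found by GID, not by name: bergs has default GID 1001, which no line in the group file defines, so only the supplementary group wheel is reported for that user.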
GECOS
- Original use
- Data for General Electric Comprehensive OS
- Current use
- User information
- Full name, location, phone number, e-mail
Home Directory
- User’s CWD at login time
- Typically where user stores all files
Login Shell
- Process started when user logs in
- Typically a shell like bash, tcsh, ksh, or zsh
- System users may be different.
- Disabled accounts have a noshell program.
Adding a User
- Create account with adduser.
- Lock account until user arrives.
- User signs account agreement.
- Set password with the passwd command.
Adding a User Manually
- Edit /etc/{passwd,shadow} with vipw.
- Set password with the passwd command.
- Edit /etc/group to add groups.
- Create user home directory:
mkdir /home/studenta
chown studenta:student /home/studenta
chmod u=rwx,go=rx /home/studenta
- Copy default files from /etc/skel: .bashrc, .Xdefaults, .xsession, etc.
- Set e-mail aliases, disk quotas, etc.
- Verify that the account works.
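Added example (not from the slides): the home-directory steps above, i.e. mkdir, copy the /etc/skel dotfiles, set u=rwx,go=rx, as one function followed by the "verify" step. To make it runnable without root it works under a temporary sandbox root instead of /, and the skel contents and the account name studenta are constructed; the chown step, which needs root and a real account, is shown as a comment. The function refuses to reuse an existing directory, which is the "re-using gives away files" problem from the UIDs slide applied to home directories.

```shell
#!/bin/sh
# Added example: "create home directory, copy /etc/skel" as one function,
# plus a check that the result matches the slide's chmod. It runs against
# a temporary sandbox root instead of / so it needs no root; the account
# name studenta and the skel contents are constructed.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT

# Constructed stand-in for /etc/skel with two dotfiles.
mkdir -p "$SANDBOX/etc/skel"
printf '%s\n' 'alias ll="ls -l"' > "$SANDBOX/etc/skel/.bashrc"
printf '%s\n' 'xterm*background: black' > "$SANDBOX/etc/skel/.Xdefaults"

# make_home ROOT USER: create ROOT/home/USER with u=rwx,go=rx and copy
# every file from ROOT/etc/skel into it. Refuses to reuse an existing
# directory (a leftover home would hand the old user's files to the new
# one). Prints the new directory path.
make_home() {
    root=$1; user=$2
    home="$root/home/$user"
    if [ -e "$home" ]; then
        echo "refusing to reuse existing $home" >&2
        return 1
    fi
    mkdir -p "$home"
    for f in "$root/etc/skel"/.[!.]* "$root/etc/skel"/*; do
        [ -e "$f" ] || continue      # an unmatched glob stays literal; skip it
        cp -R "$f" "$home/"
    done
    # On the real system (as root) the ownership step from the slide goes here:
    #   chown "$user:student" "$home" "$home"/.[!.]*
    chmod u=rwx,go=rx "$home"
    echo "$home"
}

# verify_home HOME: "ok" if the directory exists, is mode 755 and holds
# the skel dotfiles; otherwise prints what is wrong and fails.
verify_home() {
    home=$1
    [ -d "$home" ]            || { echo "missing $home"; return 1; }
    [ -f "$home/.bashrc" ]    || { echo ".bashrc not copied"; return 1; }
    [ -f "$home/.Xdefaults" ] || { echo ".Xdefaults not copied"; return 1; }
    mode=$(ls -ld "$home" | cut -c1-10)
    [ "$mode" = "drwxr-xr-x" ] || { echo "wrong mode $mode"; return 1; }
    echo ok
}

NEW_HOME=$(make_home "$SANDBOX" studenta)
echo "created $NEW_HOME: $(verify_home "$NEW_HOME")"
```

The glob `.[!.]*` is what picks up the dotfiles; a plain `*` skips them, which is the usual reason a hand-made home ends up without a .bashrc.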
Disabling an Account
- Edit account configuration:
- Place * in front of encrypted password.
- Replace shell with nologin program.
- Kill active logins and processes.
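Added example (not from the slides): the two edits above as a function that prefixes the shadow hash with "*" and swaps the login shell for nologin. It works on constructed copies of passwd and shadow in a temp directory, not on /etc; each file is rewritten to a temp file and renamed so an interrupted run cannot leave a truncated account database. The function is idempotent (a second run does not produce "**hash"). On a real host the same result comes from the standard tools passwd -l (which prepends "!") and usermod -s; the nologin path is assumed to be /usr/sbin/nologin.

```shell
#!/bin/sh
# Added example: disable an account as the slide describes (prefix the
# hash with "*", swap the shell for nologin) on COPIES of passwd/shadow
# with constructed entries. Write-to-temp-then-rename keeps a crash from
# leaving a half-written file.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
PASSWD="$SANDBOX/passwd"
SHADOW="$SANDBOX/shadow"
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
student:x:1000:1000:Example User,,555-1212,:/home/student:/bin/bash
EOF
cat > "$SHADOW" <<'EOF'
root:$6$saltsalt$placeholderhash:13226:0:99999:7:::
student:$1$w/UuKtLF$otSSvXtSN/xJzUOGFElNz0:13226:0:99999:7:::
EOF

NOLOGIN=/usr/sbin/nologin    # assumed; /sbin/nologin on some distributions

# disable_account USER PASSWD_FILE SHADOW_FILE
disable_account() {
    user=$1; pwf=$2; shf=$3
    grep -q "^$user:" "$pwf" || { echo "no such user: $user" >&2; return 1; }
    # Put * in front of the hash unless it is already locked ("*" or "!"),
    # so running this twice does not produce "**hash".
    awk -F: -v OFS=: -v u="$user" \
        '$1 == u && $2 !~ /^[*!]/ { $2 = "*" $2 } { print }' "$shf" > "$shf.tmp" &&
        mv "$shf.tmp" "$shf"
    awk -F: -v OFS=: -v u="$user" -v s="$NOLOGIN" \
        '$1 == u { $7 = s } { print }' "$pwf" > "$pwf.tmp" &&
        mv "$pwf.tmp" "$pwf"
    # On a live host the slide's last step follows: pkill -KILL -u "$user"
    # (not run here, there is no real account in this sandbox).
}

# Inspect the result.
hash_of()     { awk -F: -v u="$1" '$1 == u { print $2 }' "$2"; }
shell_of()    { awk -F: -v u="$1" '$1 == u { print $7 }' "$2"; }
is_disabled() { case "$(hash_of "$1" "$2")" in '*'*|'!'*) echo yes ;; *) echo no ;; esac; }

disable_account student "$PASSWD" "$SHADOW"
echo "student hash:  $(hash_of student "$SHADOW")"
echo "student shell: $(shell_of student "$PASSWD")"
echo "student disabled: $(is_disabled student "$SHADOW"), root disabled: $(is_disabled root "$SHADOW")"
```

Prefixing rather than replacing the hash is deliberate: the original hash survives, so the account can be re-enabled later by removing the "*" without forcing a password reset.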
Removing a User
- Disable account.
- Change shared passwords (root, etc.)
- Why are you using @#!?☠$★ shared passwords‽
- Kill active logins and processes.
- Remove:
- from local databases/files
- from e-mail aliases
- mail spool (backup first)
- crontabs and pending jobs
- temporary files
- home directory (backup first)
- from passwd, shadow, and group
Namespaces
Systems include many namespaces:
- User account names
- Filesystem pathnames
- Hostnames
- Printer names
- Service names
Types of Namespaces
- Flat
- No duplicates may exist.
- Ex: usernames in /etc/passwd
- Hierarchical
- Tree-structured namespace like DNS.
- Duplicates can exist, as long as they sit under different parents.
- Ex: www.nku.edu and www.google.com
Namespace Problems
- How to select names?
- How to avoid name collisions?
- How to ensure consistency?
- How to distribute names?
Name Selection
- Functional Names
- mail hostname, /cit/470, student account
- Formula-based Names
- cvg0141 hostname, student0148 account
- Themed Names
- constellations (orion, ursa, etc.)
- No Standard
Name Lifetime
- When are names removed?
- Immediately after the PC or user leaves the org
- Set time after resource is no longer in use
- When are names re-used?
- Immediately: functional names
- Never
- After a set time
Namespace Scope
- Geographical scopes
- Local machine (e.g., /etc/passwd)
- Local network
- Organization
- Global (e.g., DNS)
- Service scopes
- Single username for UNIX, NT, e-mail, VPN?
- Transferring scopes
- Difficult without advance planning.
- Some names may have to change.
Key Points
- UNIX accounts use /etc/passwd
- Password security: shadow, hashing, salts
- User management: add, disable, remove
- Namespaces: flat and hierarchical
- Name selection policies
- Names are valid in specific scopes