See this page as a slide show
CT320: Network and System Administration
Accounts and Namespaces
Thanks to Dr. James Walden, NKU, Russ Wakefield, CSU,
and Dr. Indrajit Ray, CSU, for contents of these slides
Topics
- UNIX User Accounts
- Passwords
- User Management
- Namespaces
UNIX Accounts
- Account Components
- Username
- UID
- Password
- Home directory
- Account Files
/etc/passwd
/etc/shadow
/etc/group
- Account Management
- Adding users
- Removing and disabling users
- Account/password policies
/etc/passwd, /etc/shadow
Central file(s) describing UNIX user accounts.
/etc/passwd | /etc/shadow |
Username | Username |
x | Encrypted password |
UID | Date of last pw change |
Default GID | Days until change allowed |
GCOS | Days until change required |
Home directory | Expiration warning time |
Login shell | Expiration date |
/etc/passwd entries
$ getent passwd root
root:x:0:0:root:/root:/bin/bash
$ getent passwd mstrout
$ getent passwd mstrout | tr : '\n'
Username
- Syntax
- Each username must be unique.
- 8 or fewer chars (32 on some systems)
- Any character except : or newline, theoretically.
- Issues
- Naming standards
applin
, j_applin
, or neutron
?
- How to ensure that usernames are unique?
- System uses UIDs internally
UIDs
- UIDs are 32-bit non-negative integers.
- Standards
- The super-user,
root
, is UID 0.
- System accounts have low UIDs (≤1000)
- Uniqueness
- Multiple usernames can have same UID!
- Re-using UIDs may give away files to new user.
- Distributed systems may require unique UIDs across
organizational boundaries.
Password
- Syntax
- Length: unlimited (MD5, SHA), 8 chars (crypt)
- Chars: anything except newline, though certain control
chars (e.g., backspace) may be interpreted by the system.
Spaces are useful for passphrases.
- Stored in “encrypted” (really, hashed) format
Password Field
x | password is in /etc/shadow |
* | login forbidden |
nothing | no password needed |
13-char string | original DES hashing algorithm |
$1$ salt$ hash | MD5 |
$2a$ salt$ hash | Blowfish |
$2y$ salt$ hash | Blowfish with correct 8-bit char handling |
$3$ salt$ hash | NT LAN Manager hash algorithm |
$4$ salt$ hash | SHA-1 |
$5$ salt$ hash | SHA-256 |
$6$ salt$ hash | SHA-512 |
Hashing
Good hash algorithms, such as SHA-512, are considered non-reversible,
and return radically different results for small input changes:
Word
| SHA-512 hash
|
---|
escape
|
d412b342e7c8eab0034d26408568938965f8b6bff475381aa7c1e6afce026f29
3e35bdbf40e0c7567a8e006611debe94b3c849bd900e62123b12a40fcb3e620e
|
escaped
|
bf42edb1581ed28a5b48b4678ab014252b03e729d31b3c5ac1acec1c5727d22a
0265ffee61c02fb7ea7c49fc75d1b97e885973e416ffb8b1de7944927b53d9bd
|
escapee
|
d056ce4dce966ce111f5304b0bb98568e0a446fd2308119030f8f4d649d632b6
e644322729507b540fc3ad4a7ba80fc6f26e4b81115fd35f4927b2ca5b15a850
|
escaper
|
341706ac2911fbdfbe0ed9c09a36f2b70f9d9d9585af499568f59124fa4efa96
7460ea99edb81ed0d72373b977f321512c44440c7ea750f02bc04047627c5642
|
escapes
|
020b71a59aa43d82ec0cd10c49b1a833fd41f088f7845a03ed36d5af29d6d78e
6393d154ca1e892ff560d6fae2b4eb36e7c04853b4dd97297ef6e62f9b0a8521
|
Common passwords
According to Wikipedia,
the most common passwords of 2016 are:
123456 | qwerty | login | 121212 | master |
password | 1234567890 | welcome | flower | hottie |
12345 | 1234567 | solo | passw0rd | loveme |
12345678 | princess | abc123 | dragon | zaq1zaq1 |
football | 1234 | admin | sunshine | password1 |
Rainbow Tables
- A simple attack is to use a list of common passwords and try
them for every user. Or, just try every word in the dictionary.
- Unfortunately, this means that you have to hash every word
in the dictionary. Hashing is slow!
- Speed it up by computing, once, hashes for all dictionary words.
We call the precomputed hashes a Rainbow table.
Partial MD5 rainbow table:
e0ebc3c409070d07f1df0f2f4132509e escape
bafbb2fabbff5876f8bf7834f802936b escaped
712f32fc42f27433a6db7cba03a980b3 escapee
1ba8fbf22b249654d5cde753bae85def escaper
f801cba4d35a3da1501ab3162cbb4dee escapes
Salt
- Salt is the cure for this.
- Each line in the password file has some random salt bits.
$1$BTZEc3ZC$OgrtMuWtLyZ.9AbsXGTey0
- 48-bit salt, as used with MD5 & SHA, means 248
(~281 trillion) different hashes for each password.
- Makes pre-computed hash dictionaries impractical.
mkpasswd
mkpasswd can be handy for generating an initial password:
$ mkpasswd
au,E6bq7Z
$ mkpasswd
8exTO3wv-
$ mkpasswd -l 20
pPDrsgj4adtmh^kgpn5i
$ mkpasswd -c 2 -C 2 -s 2 -d 2
6;hft1#FM
$ mkpasswd -c 10 -C 10 -s 10 -d 10 -l 60
NVipnS-95}+I5fuzt5l$3%hinVhang{G0agjl83n&rf>Eiesj1XuTaX2xz$=
$ mkpasswd -c 0 -C 0 -d 0 -s 50 -l 50
>_)}>)@%{~{(%!:)-&~+&<+"|+;,<;]'=?%/.@@>}||+!*#&*&
Or, should you let the user choose one?
Password Aging
/etc/login.defs
determines password longevity:
$ grep PASS /etc/login.defs
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
- Is this good, from a security point of view?
- What value is
PASS_MIN_DAYS
?
- You can pre-expire the password, to force the user to change it:
# passwd -e smith
Feedback
$ ssh xyzzy@denver.cs.colostate.edu
xyzzy@denver.cs.colostate.edu's password:
Permission denied, please try again.
xyzzy@denver.cs.colostate.edu's password:
Permission denied, please try again.
xyzzy@denver.cs.colostate.edu's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
- Which was wrong, the account
xyzzy
or the password?
- Why didn’t it tell me which one?
GID
- GIDs are 32-bit non-negative integers.
- Each user has a default GID.
- File group ownership set to default GID
- Temporarily change default GID:
newgrp
- Groups are described in
/etc/group
- Users may belong to multiple groups.
- Format: group name, pw, GID, user list
wheel:x:10:root,waldenj,bergs
GECOS
- Original use
- Data for General Electric Comprehensive Operating System
- Current use
- User information
- Full name, location, phone number, e-mail
Home Directory
- Users CWD at login time
- Typically where user stores all files
Login Shell
- Process started when user logs in
- Typically a shell like bash, tcsh, ksh, or zsh
- System users may be different.
- Disabled accounts have a special “go-away” shell.
$ getent passwd | cut -d: -f7 | sort | uniq -c | sort -n
1 /bin/bash
1 /bin/sync
1 /sbin/halt
1 /sbin/shutdown
6317 /sbin/nologin
Changing your Shell
$ cat /etc/shells
/bin/sh
/bin/bash
/usr/bin/sh
/usr/bin/bash
/usr/bin/tmux
/bin/tmux
/usr/bin/zsh
/bin/zsh
/bin/ksh
/bin/rksh
/usr/bin/ksh
/usr/bin/rksh
/bin/csh
/bin/tcsh
/usr/bin/csh
/usr/bin/tcsh
/bin/false
/bin/true
/sbin/nologin
/usr/local/etc/no_access
- The chsh program change your login shell.
- It may restrict your shell to one from
/etc/shells
.
- Alas,
chsh
fails here, so you have to send email to the sys
admin people. How quaint!
Adding a User
- Create account with useradd.
- Lock account until user arrives.
- User signs account agreement.
- Set password with the passwd command.
- Yes, both
/etc/passwd
and /bin/passwd
exist.
Adding a User
- Edit
/etc/{passwd,shadow}
with vipw.
- Set password with the passwd command.
- Edit
/etc/group
to add groups.
- Create user home directory.
mkdir /home/studenta
chown studenta.student /home/studenta
chmod u=rwx,go=rx /home/studenta
- Copy default files from
/etc/skel
:
.bashrc
, .Xdefaults
, .xsession
, etc.
- Set e-mail aliases, disk quotas, etc.
- Verify that the account works.
Disabling an Account
- Edit account configuration:
- Place
*
in front of encrypted password.
- Replace shell with nologin program.
- Kill active logins and processes.
Removing a User
- Disable account.
- Change shared passwords (root, etc.)
- Why are you using @#!?☠$★ shared passwords‽
- Kill active logins and processes.
- Remove:
- from local databases/files
- from e-mail aliases
- mail spool (backup first)
- crontabs and pending jobs
- temporary files
- home directory (backup first)
- from passwd, shadow, and group
- Or use userdel.
Namespaces
Systems include many namespaces:
- User account names
- Filesystem pathnames
- Hostnames
- Printer names
- Service names
Types of Namespaces
- Flat
- No duplicates may exist.
- Example: usernames in
/etc/passwd
- Hierarchical
- Tree-structured namespace like DNS.
- Duplicates can exist.
- Ex:
www.nku.edu
and www.google.com
Namespace Problems
- How to select names?
- How to avoid name collisions?
- How to ensure consistency?
- How to distribute names?
Name Selection
- Functional Names
- mail hostname,
~ct320
, student account
- Formula-based Names
- cvg0141 hostname, student0148 account
- Themed Names
- constellations (orion, ursa, etc.)
- Use something big. Seven dwarves doesn’t allow for much expansion.
- Steal from another standard (e.g., .us, .fr, .de)
- No Standard
Name Lifetime
- When are names removed?
- Immediately ater PC, user leaves org
- Set time after resource is no longer in use
- When are names re-used?
- Immediately: functional names
- Never
- Ater a set time
Namespace Scope
- Geographical scopes
- Local machine. (e.g.,
/etc/passwd
)
- Local network
- Organization
- Global (e.g., DNS)
- Service scopes
- Single username for UNIX, NT, e-mail
- Transferring scopes
- Difficult without advance planning.
- Some names may have to change.
Key Points
- UNIX accounts use
/etc/passwd
- Password security: shadow, hashing, salts
- User management: add, disable, remove
- Namespaces: flat and hierarchical
- Name selection policies
- Names are valid in specific scopes