CT320: Network and System Administration

Fall 2019

Accounts


CT320 Accounts

Accounts and Namespaces

Thanks to:

for the contents of these slides.

Topics

  1. UNIX User Accounts
  2. Passwords
  3. User Management
  4. Namespaces

UNIX Accounts

/etc/passwd, /etc/shadow

Central file(s) describing UNIX user accounts.

/etc/passwd        /etc/shadow
---------------    ---------------------------
Username           Username
x                  Encrypted password
UID                Date of last pw change
Default GID        Days until change allowed
GCOS               Days until change required
Home directory     Expiration warning time
Login shell        Expiration date

/etc/passwd entries

$ getent passwd root
root:x:0:0:root:/root:/bin/bash

$ getent passwd cs155
cs155:$6$nEUJCmhPFNLGLV9A$aWOD7Ha.d14/9Wj9K0zErIpwcQvg8mnidNTD6bBG/RWZLJ4yWaksyTKXn9cXP5omDmGtssYrvMzxoq4ISR91K.:2543:1549:CS155 Instructor:/s/bach/a/class/cs155:/sbin/nologin

$ getent passwd cs155 | tr : '\n'
cs155
$6$nEUJCmhPFNLGLV9A$aWOD7Ha.d14/9Wj9K0zErIpwcQvg8mnidNTD6bBG/RWZLJ4yWaksyTKXn9cXP5omDmGtssYrvMzxoq4ISR91K.
2543
1549
CS155 Instructor
/s/bach/a/class/cs155
/sbin/nologin

Username

$ getent passwd cs155 | cut -d: -f1
cs155

UIDs

$ getent passwd cs155 | cut -d: -f3
2543

Password

$ getent passwd cs155 | cut -d: -f2
$6$nEUJCmhPFNLGLV9A$aWOD7Ha.d14/9Wj9K0zErIpwcQvg8mnidNTD6bBG/RWZLJ4yWaksyTKXn9cXP5omDmGtssYrvMzxoq4ISR91K.

Password Field

Contents          Description                        Sanity
----------------  ---------------------------------  ------
x                 password is in /etc/shadow         sane
*                 login forbidden                    sane
nothing           no password needed                 nuts
13-char string    original DES hashing algorithm     nuts
$1$salt$hash      MD5                                nuts
$2a$salt$hash     Blowfish                           nuts
$2y$salt$hash     Blowfish with 8-bit support        nuts
$3$salt$hash      NT LAN Manager hash algorithm      nuts
$4$salt$hash      SHA-1                              nuts
$5$salt$hash      SHA-256                            nuts
$6$salt$hash      SHA-512                            sane
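An added example (not from the slides or the course) that puts the two tables above to work: it splits a passwd(5) line into the seven fields the cut -d: -fN commands extract one at a time, and classifies the password field with the verdicts from the Password Field table. The sample input reuses the root and cs155 entries shown on the slides plus two constructed entries (guest, old); the "unrecognized" verdict for anything outside the table is an assumption of this example.

```python
import re

# The seven passwd(5) fields, in the order the slide's table lists them.
PASSWD_FIELDS = ("username", "password", "uid", "gid", "gecos", "home", "shell")

# Hash prefixes from the slide's "Password Field" table: prefix -> (description, sanity).
HASH_PREFIXES = {
    "$1$": ("MD5", "nuts"),
    "$2a$": ("Blowfish", "nuts"),
    "$2y$": ("Blowfish with 8-bit support", "nuts"),
    "$3$": ("NT LAN Manager hash algorithm", "nuts"),
    "$4$": ("SHA-1", "nuts"),
    "$5$": ("SHA-256", "nuts"),
    "$6$": ("SHA-512", "sane"),
}


def parse_passwd_line(line):
    """Split one passwd(5) line into a dict of its seven fields (uid/gid as ints)."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(PASSWD_FIELDS):
        raise ValueError(f"expected 7 colon-separated fields, got {len(parts)}: {line!r}")
    entry = dict(zip(PASSWD_FIELDS, parts))
    entry["uid"] = int(entry["uid"])
    entry["gid"] = int(entry["gid"])
    return entry


def classify_password_field(pw):
    """Return (description, sanity) for a password field, following the slide's table."""
    if pw == "x":
        return ("password is in /etc/shadow", "sane")
    if pw == "*":
        return ("login forbidden", "sane")
    if pw == "":
        return ("no password needed", "nuts")
    for prefix, verdict in HASH_PREFIXES.items():
        if pw.startswith(prefix):
            return verdict
    # Traditional DES crypt(3): exactly 13 characters from the ./0-9A-Za-z alphabet.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", pw):
        return ("original DES hashing algorithm", "nuts")
    return ("unrecognized", "nuts")  # not in the table (assumption): worth a look either way


def audit_passwd(lines):
    """Return (username, description) for every entry whose password field is 'nuts'."""
    findings = []
    for line in lines:
        entry = parse_passwd_line(line)
        description, sanity = classify_password_field(entry["password"])
        if sanity == "nuts":
            findings.append((entry["username"], description))
    return findings


# Sample input: the two entries shown on the slides plus two constructed bad ones.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "cs155:$6$nEUJCmhPFNLGLV9A$aWOD7Ha.d14/9Wj9K0zErIpwcQvg8mnidNTD6bBG/RWZLJ4yWaksyTKXn9cXP5omDmGtssYrvMzxoq4ISR91K.:2543:1549:CS155 Instructor:/s/bach/a/class/cs155:/sbin/nologin",
    "guest::1001:1001:Guest (constructed):/home/guest:/bin/sh",
    "old:ab7XyZ12cD3Ef:1002:1002:DES hash (constructed):/home/old:/bin/sh",
]

if __name__ == "__main__":
    for username, why in audit_passwd(SAMPLE_PASSWD):
        print(f"{username}: {why}")
```

Run against `getent passwd` output instead of SAMPLE_PASSWD to audit a real system; on a machine where getent is backed by NIS or LDAP, the $6$ hash arrives in the passwd entry itself, exactly as the cs155 line shows.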

Hashing

Good hash algorithms, such as SHA-512, are considered non-reversible, and return radically different results for small input changes:

Word      SHA-512 hash (each 128-character hash is wrapped onto two lines)
escape    d412b342e7c8eab0034d26408568938965f8b6bff475381aa7c1e6afce026f29
          3e35bdbf40e0c7567a8e006611debe94b3c849bd900e62123b12a40fcb3e620e
escaped   bf42edb1581ed28a5b48b4678ab014252b03e729d31b3c5ac1acec1c5727d22a
          0265ffee61c02fb7ea7c49fc75d1b97e885973e416ffb8b1de7944927b53d9bd
escapee   d056ce4dce966ce111f5304b0bb98568e0a446fd2308119030f8f4d649d632b6
          e644322729507b540fc3ad4a7ba80fc6f26e4b81115fd35f4927b2ca5b15a850
escaper   341706ac2911fbdfbe0ed9c09a36f2b70f9d9d9585af499568f59124fa4efa96
          7460ea99edb81ed0d72373b977f321512c44440c7ea750f02bc04047627c5642
escapes   020b71a59aa43d82ec0cd10c49b1a833fd41f088f7845a03ed36d5af29d6d78e
          6393d154ca1e892ff560d6fae2b4eb36e7c04853b4dd97297ef6e62f9b0a8521

Common passwords

According to Wikipedia, the most common passwords of 2016 are:

123456  qwerty  login  121212  master  
password  1234567890 welcome flower  hottie  
12345  1234567  solo  passw0rd loveme  
12345678  princess  abc123  dragon  zaq1zaq1  
football  1234  admin  sunshine password1 

Rainbow Tables

Partial MD5 rainbow table:

    e0ebc3c409070d07f1df0f2f4132509e escape
    bafbb2fabbff5876f8bf7834f802936b escaped
    712f32fc42f27433a6db7cba03a980b3 escapee
    1ba8fbf22b249654d5cde753bae85def escaper
    f801cba4d35a3da1501ab3162cbb4dee escapes

Salt
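An added example (not part of the slides) tying together the Hashing, Rainbow Tables and Salt slides: it measures how many bits change between the SHA-512 hashes of "escape" and "escaped", builds a digest-to-word lookup table for the five words (what the "partial rainbow table" slide shows is this simplest form; true rainbow tables compress such a table with hash chains), and then shows that mixing a per-user salt into the hash makes the table useless. The salted_md5_hex function is only an illustration of the salting idea; real $6$ entries use sha512-crypt with many rounds, not this construction.

```python
import hashlib
import secrets

WORDS = ["escape", "escaped", "escapee", "escaper", "escapes"]  # the words from the slides


def sha512_hex(text):
    """Hex SHA-512 digest of a string (128 hex characters)."""
    return hashlib.sha512(text.encode()).hexdigest()


def md5_hex(text):
    """Hex MD5 digest of a string (32 hex characters)."""
    return hashlib.md5(text.encode()).hexdigest()


def differing_bits(hex_a, hex_b):
    """Number of bit positions in which two same-length hex digests differ (avalanche)."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must have the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def build_lookup_table(words, hash_fn=md5_hex):
    """Precompute digest -> plaintext for a word list: the idea behind the slide's table."""
    return {hash_fn(word): word for word in words}


def lookup(table, digest):
    """Recover a plaintext from its unsalted digest, or None if it is not in the table."""
    return table.get(digest)


def new_salt(nbytes=12):
    """Fresh random salt for each password (the salt part of a $6$salt$hash entry)."""
    return secrets.token_hex(nbytes)


def salted_md5_hex(salt, text):
    """Illustration only: the salt is mixed in before hashing, so a table built for
    unsalted digests no longer matches, and equal passwords get different hashes."""
    return hashlib.md5((salt + text).encode()).hexdigest()


if __name__ == "__main__":
    a, b = sha512_hex("escape"), sha512_hex("escaped")
    print(f"escape/escaped differ in {differing_bits(a, b)} of 512 bits")
    table = build_lookup_table(WORDS)
    print("unsalted md5 of 'escaper' ->", lookup(table, md5_hex("escaper")))
    print("salted md5 of 'escaper'   ->", lookup(table, salted_md5_hex(new_salt(), "escaper")))
```

The point of the last two lines: a precomputed table defeats unsalted hashes of common words in one dictionary lookup, while a per-user salt forces the work to be redone for every user, which is why the /etc/shadow format stores the salt next to the hash.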

mkpasswd

mkpasswd can be handy for generating an initial password:

$ mkpasswd
gbiIY38l-
$ mkpasswd
sp~4phJV6
$ mkpasswd -l 20
hVa@a7ehiv2rZudlerkd
$ mkpasswd -c 2 -C 2 -s 2 -d 2
%]w6gUXy1
$ mkpasswd -c 10 -C 10 -s 10 -d 10 -l 60
KY\zaf7leZ*iquh#:|a7djwV6cvmEah4k=Xt5NE}4g?Eipm6Zf4nq2pat1)?
$ mkpasswd -c 0 -C 0 -d 0 -s 50 -l 50
~<!:[+"\\[}.:'^;/?,||\(;,@{\-&_-\,-{$?.;}$$;+){$'/

Or, should you let the user choose one?
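An added example (not from the slides, and not mkpasswd's own code) that reproduces the behaviour of the mkpasswd options shown above: -l is the length and -c, -C, -d, -s are minimum counts of lowercase, uppercase, digit and special characters. It draws from the operating system's CSPRNG via the secrets module, and the default minimums are an assumption chosen to resemble the nine-character output on the slide.

```python
import secrets
import string

# Character classes for mkpasswd's -c (lowercase), -C (uppercase), -d (digits), -s (special).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def generate_password(length=9, lower=2, upper=2, digit=2, special=1):
    """Random password of `length` characters with at least `lower` lowercase, `upper`
    uppercase, `digit` digit and `special` punctuation characters (defaults: assumption)."""
    minimums = {"lower": lower, "upper": upper, "digit": digit, "special": special}
    if any(n < 0 for n in minimums.values()):
        raise ValueError("minimum counts must be non-negative")
    if sum(minimums.values()) > length:
        raise ValueError("class minimums exceed the requested length")
    rng = secrets.SystemRandom()  # OS-backed CSPRNG, never random.random()
    chars = []
    for cls, n in minimums.items():
        chars.extend(rng.choice(CLASSES[cls]) for _ in range(n))
    # Fill the rest from the classes that were asked for (all classes if none were),
    # which matches the all-punctuation output on the slide for -c 0 -C 0 -d 0 -s 50.
    pool = "".join(CLASSES[c] for c, n in minimums.items() if n > 0) or "".join(CLASSES.values())
    chars.extend(rng.choice(pool) for _ in range(length - len(chars)))
    rng.shuffle(chars)  # so the required characters do not sit at predictable positions
    return "".join(chars)


def count_classes(password):
    """Count how many characters of each class a password contains."""
    return {cls: sum(ch in alphabet for ch in password) for cls, alphabet in CLASSES.items()}


if __name__ == "__main__":
    print(generate_password())                          # like plain mkpasswd
    print(generate_password(20))                        # like mkpasswd -l 20
    print(generate_password(50, 0, 0, 0, 50))           # like mkpasswd -c 0 -C 0 -d 0 -s 50 -l 50
```

The shuffle matters: without it the first characters would always be lowercase, then uppercase, and so on, which leaks structure to anyone who knows the generator.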

Password Aging

/etc/login.defs determines password longevity:

$ grep PASS /etc/login.defs
#	PASS_MAX_DAYS	Maximum number of days a password may be used.
#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
#	PASS_MIN_LEN	Minimum acceptable password length.
#	PASS_WARN_AGE	Number of days warning given before a password expires.
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
PASS_MIN_LEN	5
PASS_WARN_AGE	7
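An added example (not part of the slides) that applies the /etc/shadow aging fields from the Accounts table together with these login.defs settings: it parses the login.defs excerpt shown above, splits shadow(5) lines (the real file has nine fields, two more than the slide's conceptual list: inactive days and a reserved flag), and reports for a given date whether each password is fine, inside the warning window, expired, forced to change at next login, or not aged at all. The shadow lines are constructed with placeholder hashes; treating an empty max/warn field as "use the login.defs default" is this example's assumption (useradd copies those defaults into new entries).

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadow(5) stores dates as days since this day

SHADOW_FIELDS = ("username", "password", "lastchange", "min_days", "max_days",
                 "warn_days", "inactive_days", "expire", "reserved")
NUMERIC = ("lastchange", "min_days", "max_days", "warn_days", "inactive_days", "expire")


def parse_login_defs(text):
    """Collect the PASS_* settings from login.defs text, skipping comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith("PASS_"):
            settings[parts[0]] = int(parts[1])
    return settings


def parse_shadow_line(line):
    """Split one shadow(5) line; empty numeric fields become None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(SHADOW_FIELDS):
        raise ValueError(f"expected 9 fields, got {len(parts)}: {line!r}")
    entry = dict(zip(SHADOW_FIELDS, parts))
    for key in NUMERIC:
        entry[key] = int(entry[key]) if entry[key] != "" else None
    return entry


def password_status(entry, today, defaults):
    """'no-aging', 'must-change', 'expired', 'warn' or 'ok' for one entry on `today`."""
    max_days = entry["max_days"] if entry["max_days"] is not None else defaults.get("PASS_MAX_DAYS", 99999)
    warn_days = entry["warn_days"] if entry["warn_days"] is not None else defaults.get("PASS_WARN_AGE", 0)
    if entry["lastchange"] == 0:
        return "must-change"  # shadow(5): a zero forces a change at the next login
    if entry["lastchange"] is None or max_days >= 99999:
        return "no-aging"  # 99999 is the effective "never expires" value, as on the slide
    changed = EPOCH + timedelta(days=entry["lastchange"])
    must_change_by = changed + timedelta(days=max_days)
    if today > must_change_by:
        return "expired"
    if today >= must_change_by - timedelta(days=warn_days):
        return "warn"
    return "ok"


def audit_shadow(lines, today, login_defs_text):
    """Map username -> status for every shadow line; `today` may be a date or ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    defaults = parse_login_defs(login_defs_text)
    return {e["username"]: password_status(e, today, defaults) for e in map(parse_shadow_line, lines)}


# login.defs excerpt as shown on the slide.
LOGIN_DEFS = """\
#\tPASS_MAX_DAYS\tMaximum number of days a password may be used.
#\tPASS_MIN_DAYS\tMinimum number of days allowed between password changes.
#\tPASS_MIN_LEN\tMinimum acceptable password length.
#\tPASS_WARN_AGE\tNumber of days warning given before a password expires.
PASS_MAX_DAYS\t99999
PASS_MIN_DAYS\t0
PASS_MIN_LEN\t5
PASS_WARN_AGE\t7
"""

# Constructed shadow lines; hashes are placeholders, lastchange 18262 is 2020-01-01.
SAMPLE_SHADOW = [
    "alice:$6$salt$placeholder:18262:0:90:7:::",   # 90-day maximum, 7-day warning
    "bob:$6$salt$placeholder:18262:0:99999:7:::",  # never expires
    "carol:$6$salt$placeholder:18262::::::",       # aging fields empty: login.defs defaults
    "dave:$6$salt$placeholder:0:0:90:7:::",        # must change at next login
]

if __name__ == "__main__":
    for user, status in audit_shadow(SAMPLE_SHADOW, date.today(), LOGIN_DEFS).items():
        print(f"{user}: {status}")
```

With PASS_MAX_DAYS at 99999, as on the slide, a password that was never explicitly aged with chage simply never expires; the audit makes that visible per account rather than leaving it implicit in the defaults.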

Feedback

    $ ssh xyzzy@denver.cs.colostate.edu
    xyzzy@denver.cs.colostate.edu's password:
    Permission denied, please try again.
    xyzzy@denver.cs.colostate.edu's password:
    Permission denied, please try again.
    xyzzy@denver.cs.colostate.edu's password:
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

GID

$ getent passwd cs155 | cut -d: -f4
1549

wheel:x:10:root,waldenj,bergs

GECOS

$ getent passwd cs155 | cut -d: -f5
CS155 Instructor

Home Directory

$ getent passwd cs155 | cut -d: -f6
/s/bach/a/class/cs155

Login Shell

$ getent passwd cs155 | cut -d: -f7
/sbin/nologin

Popular Login Shells

$ ssh acushla getent passwd | cut -d: -f7 | sort | uniq -c | sort -rn
Host key verification failed.

Changing your Shell

$ cat /etc/shells
/bin/sh
/bin/bash
/usr/bin/sh
/usr/bin/bash
/usr/bin/tmux
/bin/tmux
/usr/bin/zsh
/bin/zsh
/bin/ksh
/bin/rksh
/usr/bin/ksh
/usr/bin/rksh
/bin/csh
/bin/tcsh
/usr/bin/csh
/usr/bin/tcsh
/bin/false
/bin/true
/sbin/nologin
/usr/local/etc/no_access

Adding a User

  1. Create account with useradd.
  2. Lock account until user arrives.
  3. User signs account agreement.
  4. Set password with the passwd command.
    • Yes, both /etc/passwd and /bin/passwd exist.
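An added example (not from the slides) that scripts the four steps above around the human step in the middle: useradd creates the account, usermod -L locks it until the user arrives, and once the agreement is signed passwd sets the password. It is a dry run by default and only prints the shell-quoted commands; with dry_run=False it executes them and therefore has to run as root. The account name and full name are constructed, and the claim in activation_steps that passwd's fresh hash replaces the locked one is this example's reading of how usermod -L (a '!' prefix on the hash) and passwd interact.

```python
import os
import shlex
import subprocess


def provisioning_steps(username, full_name, shell="/bin/bash"):
    """Steps 1 and 2 from the slide: create the account, then lock it until the user arrives."""
    return [
        # useradd: -m creates the home directory, -c sets the GECOS field, -s the login shell
        ["useradd", "-m", "-c", full_name, "-s", shell, username],
        # usermod -L locks the account by prefixing the shadow hash with '!'
        # (most distributions already leave a fresh account locked; the explicit step is cheap)
        ["usermod", "-L", username],
    ]


def activation_steps(username):
    """Step 4, once the agreement (step 3) is signed: passwd writes a fresh hash,
    which replaces the '!'-prefixed one, so no separate unlock is needed."""
    return [["passwd", username]]  # interactive: prompts twice for the new password


def render(steps):
    """Shell-quoted one-liners, for review before anything is run."""
    return [" ".join(shlex.quote(arg) for arg in step) for step in steps]


def run_steps(steps, dry_run=True):
    """Dry run by default: return the rendered commands. With dry_run=False, run them as root."""
    rendered = render(steps)
    if dry_run:
        return rendered
    if os.geteuid() != 0:
        raise PermissionError("account management commands must run as root")
    for argv in steps:
        subprocess.run(argv, check=True)  # check=True stops at the first failing step
    return rendered


if __name__ == "__main__":
    for cmd in run_steps(provisioning_steps("alice", "Alice Example")):
        print(cmd)
    print("# after the account agreement is signed:")
    for cmd in run_steps(activation_steps("alice")):
        print(cmd)
```

Passing argv lists to subprocess, rather than a joined string through a shell, is what keeps a full name such as "O'Brien" from breaking the command or being interpreted by the shell; render() exists only so the operator can read what is about to happen.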

Adding a User

Disabling an Account

Removing a User

Namespaces

The letters “HP” have many meanings, including:

How does this not cause confusion?

Because they’re in different topics, areas of interest, businesses, or … namespaces!

Namespaces

Systems include many namespaces:

Types of Namespaces

Namespace Problems

Name Selection

Name Lifetime

Namespace Scope

Key Points