7. Putting the Shadow Suite to use.

This section discusses some of the things that you will want to know now that you have the Shadow Suite installed on your system. More information is contained in the manual pages for each command.

7.1 Adding, Modifying, and deleting users

The Shadow Suite added the following command line oriented commands for adding, modifying, and deleting users. You may also have installed the adduser program.

useradd

The useradd command can be used to add users to the system. You also invoke this command to change the default settings.

The first thing that you should do is to examine the default settings and make changes specific to your system:

useradd -D

GROUP=1
HOME=/home
INACTIVE=0
EXPIRE=0
SHELL=
SKEL=/etc/skel

The defaults are probably not what you want, so if you started adding users now you would have to specify all the information for each user. However, we can and should change the default values.

On my system:

• I want the default group to be 100
• I want passwords to expire every 60 days
• I don't want to lock an account because the password is expired
• I want to default shell to be /bin/bash

useradd -D -g100 -e60 -f0 -s/bin/bash

Now running useradd -D will give:

GROUP=100
HOME=/home
INACTIVE=0
EXPIRE=60
SHELL=/bin/bash
SKEL=/etc/skel

Just in case you wanted to know, these defaults are stored in the file /etc/default/useradd.

Now you can use useradd to add users to the system. For example, to add the user fred, using the defaults, you would use the following:

useradd -m -c "Fred Flintstone" fred

fred:*:505:100:Fred Flintstone:/home/fred:/bin/bash

fred:!:0:0:60:0:0:0:0

Also, since we did not specify a UID, the next available one was used.

fred's account is created, but fred still won't be able to login until we unlock the account. We do this by changing the password.

passwd fred

Changing password for fred
Enter the new password (minimum of 5 characters)
Please use a combination of upper and lower case letters and numbers.
New Password: *******
Re-enter new password: *******

fred:J0C.WDR1amIt6:9559:0:60:0:0:0:0

You should use the supplied commands rather than directly editing /etc/passwd and /etc/shadow. If you were editing the /etc/shadow file, and a user were to change his password while you are editing, and then you were to save the file you were editing, the user's password change would be lost.

Here is a small interactive script that adds users using useradd and passwd:

#!/bin/bash
#
# /sbin/newuser - A script to add users to the system using the Shadow
#                 Suite's useradd and passwd commands.
#
# Written my Mike Jackson <mhjack@tscnet.com> as an example for the Linux
# Shadow Password Howto.  Permission to use and modify is expressly granted.
#
# This could be modified to show the defaults and allow modification similar
# to the Slackware Adduser program.  It could also be modified to disallow
# stupid entries.  (i.e. better error checking).
#
##
#  Defaults for the useradd command
##
GROUP=100        # Default Group
HOME=/home       # Home directory location (/home/username)
SKEL=/etc/skel   # Skeleton Directory
INACTIVE=0       # Days after password expires to disable account (0=never)
EXPIRE=60        # Days that a passwords lasts
SHELL=/bin/bash  # Default Shell (full path)
##
#  Defaults for the passwd command
##
PASSMIN=0        # Days between password changes
PASSWARN=14      # Days before password expires that a warning is given
##
#  Ensure that root is running the script.
##
WHOAMI=`/usr/bin/whoami`
if [ $WHOAMI != "root" ]; then
        echo "You must be root to add news users!"
        exit 1
fi
##
#  Ask for username and fullname.
##
echo ""
echo -n "Username: "
read USERNAME
echo -n "Full name: "
read FULLNAME
#
echo "Adding user: $USERNAME."
#
# Note that the "" around $FULLNAME is required because this field is
# almost always going to contain at least on space, and without the "'s
# the useradd command would think that you we moving on to the next
# parameter when it reached the SPACE character.
#
/usr/sbin/useradd -c"$FULLNAME" -d$HOME/$USERNAME -e$EXPIRE \
        -f$INACTIVE -g$GROUP -m -k$SKEL -s$SHELL $USERNAME
##
#  Set password defaults
##
/bin/passwd -n $PASSMIN -w $PASSWARN $USERNAME >/dev/null 2>&1
##
#  Let the passwd command actually ask for password (twice)
##
/bin/passwd $USERNAME
##
#  Show what was done.
##
echo ""
echo "Entry from /etc/passwd:"
echo -n "   "
grep "$USERNAME:" /etc/passwd
echo "Entry from /etc/shadow:"
echo -n "   "
grep "$USERNAME:" /etc/shadow
echo "Summary output of the passwd command:"
echo -n "   "
passwd -S $USERNAME
echo ""

Using a script to add new users is really much more preferable than editing the /etc/passwd or /etc/shadow files directly or using a program like the Slackware adduser program. Feel free to use and modify this script for your particular system.

For more information on the useradd see the online manual page.

usermod

The usermod program is used to modify the information on a user. The switches are similar to the useradd program.

Let's say that you want to change fred's shell, you would do the following:

usermod -s /bin/tcsh fred

fred:*:505:100:Fred Flintstone:/home/fred:/bin/tcsh

usermod -e 09/15/97 fred

fred:J0C.WDR1amIt6:9559:0:60:0:0:10119:0

For more information on the usermod command see the online manual page.

userdel

userdel does just what you would expect, it deletes the user's account. You simply use:

userdel -r username

If you want to simply lock the account rather than delete it, use the passwd command instead.

7.2 The passwd command and passwd aging.

The passwd command has the obvious use of changing passwords. Additionally, it is used by the root user to:

• Lock and unlock accounts (-l and -u)
• Set the maximum number of days that a password remains valid (-x)
• Set the minimum days between password changes (-n)
• Sets the number of days of warning that a password is about to expire (-w)
• Sets the number of days after the password expires before the account is locked (-i)
• Allow viewing of account information in a clearer format (-S)

For example, let look again at fred

passwd -S fred
fred P 03/04/96 0 60 0 0

This simply means that if fred logs in after the password expires, he will be prompted for a new password at login.

If we decide that we want to warn fred 14 days before his password expires and make his account inactive 14 days after he lets it expire, we would need to do the following:

passwd -w14 -i14 fred

fred P 03/04/96 0 60 14 14

7.3 The login.defs file.

The file /etc/login is the configuration file for the login program and also for the Shadow Suite as a whole.

/etc/login contains settings from what the prompts will look like to what the default expiration will be when a user changes his password.

The /etc/login.defs file is quite well documented just by the comments that are contained within it. However, there are a few things to note:

• It contains flags that can be turned on or off that determine the amount of logging that takes place.
• It contains pointers to other configuration files.
• It contains defaults assignments for things like password aging.

From the above list you can see that this is a rather important file, and you should make sure that it is present, and that the settings are what you desire for your system.

7.4 Group passwords.

The /etc/groups file may contain passwords that permit a user to become a member of a particular group. This function is enabled if you define the constant SHADOWGRP in the /usr/src/shadow-YYMMDD/config.h file.

If you define this constant and then compile, you must create an /etc/gshadow file to hold the group passwords and the group administrator information.

When you created the /etc/shadow, you used a program called pwconv, there no equivalent program to create the /etc/gshadow file, but it really doesn't matter, it takes care of itself.

To create the initial /etc/gshadow file do the following:

touch /etc/gshadow
chown root.root /etc/gshadow
chmod 700 /etc/gshadow

Once you create new groups, they will be added to the /etc/group and the /etc/gshadow files. If you modify a group by adding or removing users or changing the group password, the /etc/gshadow file will be changed.

The programs groups, groupadd, groupmod, and groupdel are provided as part of the Shadow Suite to modify groups.

The format of the /etc/group file is as follows:

groupname:!:GID:member,member,...

groupname

The name of the group

!

The field that normally holds the password, but that is now relocated to the /etc/gshadow file.

GID

The numerical group ID number

member

List of group members

The format of the /etc/gshadow file is as follows:

groupname:password:admin,admin,...:member,member,...

groupname

The name of the group

password

The encoded group password.

admin

List of group administrators

member

List of group members

The command gpasswd is used only for adding or removing administrators and members to or from a group. root or someone in the list of administrators may add or remove group members.

The groups password can be changed using the passwd command by root or anyone listed as an administrator for the group.

Despite the fact that there is not currently a manual page for gpasswd, typing gpasswd without any parameters gives a listing of options. It's fairly easy to grasp how it all works once you understand the file formats and the concepts.

7.5 Consistency checking programs

pwck

The program pwck is provided to provide a consistency check on the /etc/passwd and /etc/shadow files. It will check each username and verify that it has the following:

• the correct number of fields
• unique user name
• valid user and group identifier
• valid primary group
• valid home directory
• valid login shell

It will also warn of any account that has no password.

It's a good idea to run pwck after installing the Shadow Suite. It's also a good idea to run it periodically, perhaps weekly or monthly. If you use the -r option, you can use cron to run it on a regular basis and have the report mailed to you.

grpck

grpck is the consistency checking program for the /etc/group and /etc/gshadow files. It performs the following checks:

• the correct number of fields
• unique group name
• valid list of members and administrators

It also has the -r option for automated reports.

7.6 Dial-up passwords.

Dial-up passwords are another optional line of defense for systems that allow dial-in access. If you have a system that allows many people to connect locally or via a network, but you want to limit who can dial in and connect, then dial-up passwords are for you. To enable dial-up passwords, you must edit the file /etc/login.defs and ensure that DIALUPS_CHECK_ENAB is set to yes.

Two files contain the dial-up information, /etc/dialups which contains the ttys (one per line, with the leading "/dev/" removed). If a tty is listed then dial-up checks are performed.

The second file is the /etc/d_passwd file. This file contains the fully qualified path name of a shell, followed by an optional password.

If a user logs into a line that is listed in /etc/dialups, and his shell is listed in the file /etc/d_passwd he will be allowed access only by suppling the correct password.

Another useful purpose for using dial-up passwords might be to setup a line that only allows a certain type of connect (perhaps a PPP or UUCP connection). If a user tries to get another type of connection (i.e. a list of shells), he must know a password to use the line.

Before you can use the dial-up feature, you must create the files.

The command dpasswd is provided to assign passwords to the shells in the /etc/d_passwd file. See the manual page for more information.