CIT 500: IT Fundamentals

Users

Topics

1. Identity
2. User Accounts
3. /etc/{passwd,shadow}
4. User Commands
5. Passwords
6. Groups


What is Identity?

Computer’s representation of an entity.

Authentication binds a principal to an identity.

Example:
– username expresses your identity.
– password binds the person typing to that particular identity (username).

Purpose of Identity

Access Control
– Most systems base access rights on identity of principal executing the process.

Accountability
– Logging and auditing functions.
– Need to track identity across account/role changes (e.g., su, sudo).

What is Authentication?

Binding of an identity to a subject.

Based on one of the following factors:
1. What the entity knows (e.g., passwords)
2. What the entity has (e.g., access card)
3. What the entity is (e.g., fingerprints)
4. Where the entity is (e.g., local terminal)

Or a combination of two or more factors.

Groups and Roles

An “entity” may be a set of entities referred to by a single identifier.

Users often need to share access to files, and so are organized into groups.

A role is a group that ties membership to function.

User Types

Regular users
– Humans with accounts on system.
– May log in via network or on console.

Special users
– Non-human users for specific programs, e.g., http.
– Used for file permission purposes.

Superuser
– Admin user with UID 0 has special permissions.
– Username is typically root.


User Accounts

UNIX accounts described by the following fields
– User ID (UID)
– Group ID (GID)
– Password
– Comment (a/k/a GCOS field)
– Home directory
– Login shell

User account data stored in /etc/passwd
– Except password itself, which is in /etc/shadow


/etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
waldenj:x:100:100:James Walden, faculty:/home/waldenj:/bin/bash
smith:x:101:101:John Smith, student:/home/smithj:/bin/bash


/etc/shadow

Root-only readable file for password storage
– Prevents users from reading encrypted passwords
– Additional fields support password aging features.

One line per account, including fields for
– Username
– Encrypted password
– Days since 1/1/1970 password was last changed
– Days before password may be changed
– Days after which password must be changed
– Days before password is to expire that user is warned
– Days after password expires that account is disabled
– Days since 1/1/1970 that account is disabled

/etc/shadow

root:$1$A4h5.ZbC$DekjN2J7W5jymRS8gAbcT2:14565:0:99999:7:::
daemon:*:14537:0:99999:7:::
bin:*:14537:0:99999:7:::
sys:*:14537:0:99999:7:::
games:*:14537:0:99999:7:::
man:*:14537:0:99999:7:::
lp:*:14537:0:99999:7:::
mail:*:14537:0:99999:7:::
news:*:14537:0:99999:7:::
uucp:*:14537:0:99999:7:::
waldenj:$1$0nAbDEFg$HiJk9l1mNopQRlhTUVW5x.:14537:0:99999:7:::
smith:$1$j02bHyTU$.vwXYz1ABcDEcfGH83IjK/:14565:0:99999:7:::

Note that not all fields are currently used: see blank fields at end of each line.

Accessing Account Information

Direct access to account information
  grep username /etc/{passwd,shadow}
  grep username /etc/group

What if account information is elsewhere?
  getent passwd username
  getent group username

Where else might account info be stored?
– NIS
– LDAP

User Identification Commands

The whoami command provides the username of the current user.

> whoami
waldenj

The id command provides complete user and group information: user and group names together with their UIDs and GIDs.

> id
uid=100(waldenj) gid=100(waldenj) groups=100(waldenj),1001(faculty)
> id smithj
uid=101(smithj) gid=101(smithj) groups=101(smithj),1001(faculty)


Changing your Identity

The su command changes your UID.
– Without an argument, changes to root.
– Requires a password unless you are already root.
– Use exit command to change back.

The sudo command runs a command as root.
– Use your own password to authenticate.
– sudo cat /etc/shadow
– sudo useradd

Superuser Powers

Superuser can
• Read any file.
• Modify any file.
• Add / remove users.
• Become any user.
• Kill any process.
• Reprioritize processes.
• Configure network.
• Set date/time.
• Shutdown / reboot.

Superuser can’t
• Change read-only filesystem.
• Decrypt hashed passwords.
• Modify NFS-mounted filesystems.
• Read or modify SELinux protected files.

Creating an Account

useradd -c "John Smith" username
– Creates account with specified username.
– Sets comment to “John Smith” to store name.
– Uses defaults from /etc/login.defs for other fields, such as home directory, shell, password aging, &c.

To set password, become root and run
– passwd username

Modifying an Account

usermod [options] username
  -c comment
  -d homedir
  -e password-expire-date
  -G group1,group2 [adds groups]
  -l newusername [changes username]
  -L [locks account, prevents logins]
  -s shell

Removing an Account

The userdel command removes an account.
– Must supply -r option to remove homedir.

Passwords

Passwords
– Most common type of authentication.
– Authentication binds a person to an identity.
– Use passwd command to change.

Attacks against passwords
– Reading passwords from disk storage.
– Intercepting passwords via wiretapping.
– Guessing passwords.


Protecting Passwords

Against disk storage attacks
– Store password in secure file, /etc/shadow.
– Store one-way hash of password, not password itself.
– Compare hash of password entered by user with hash of password stored on disk to login.

Against wiretapping
– Do not send passwords over email.
– Use encrypted protocols like ssh to login.

Against guessing
– Do not use dictionary words, birthdates, names.
– Choose a long password.


People Don’t Choose Random Passwords

Commonly Used Bad Passwords

• 123456, letmein, password, 12345678, dragon, qwerty, michael, 654321, harley, ranger, iwantu, xxxxxxx, turtle, united
• porsche, guitar, black, diamond, nascar, jun0389, 06031989, amanda, phoenix, mickey, tigers, purple, xmen94, aaaaaa
• prince, beach, amateur, ncc1701, tennis, startrek, swimming, kitty, rainbox, 112233, 232323, giants, enter, 0, cupcake
• 8675309, marlboro, newyork, diablo, sexsex, access14, abgrtyu, 123123, dragon123, applepie, 31415926, 99skip, just4fun, xcvb, typewriter

How to Select Good Passwords

1. Long passwords, consisting of multiple words. Use nth letter of each word if phrase too long.

2. Themes:
   1. Word combinations: 3 blind katz
   2. E-mail or URL: yoda@strong-this-password-is.net
   3. Phone number: (888) 888-eight eight
   4. Bracketing: Starfleet -> *!-Starfleet-!*
   5. Add a word: shopping -> Goin’ shopping
   6. Repetition: Pirate--PirateShip
   7. Letter swapping: Sour Grape -> Gour Srape

Password Aging

Requirement that password be changed after a period of time or after an event has occurred. If expected time to guess is 180 days, should change password more frequently than 180 days.

1. If change time too short, users have difficulty recalling passwords.
2. Cannot allow users to change password to current one.
3. Also prevent users from changing passwords too soon.
4. Give notice of impending password change requirement.
5. Expire account to prevent logins if password not changed within time specified by policy.
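Added example, not from the slides: a Python parser for lines in the /etc/shadow format described earlier that applies the aging rules from this slide (warning before expiry, forced change, disabling after the inactivity period, refusing changes made too soon). The sample lines are constructed in the slide's format and the hash fields are placeholders.

```python
from typing import Dict, NamedTuple, Optional
class ShadowEntry(NamedTuple):
    name: str
    hash: str
    last_change: Optional[int]  # days since 1/1/1970 password was last changed
    min_days: Optional[int]     # days before password may be changed
    max_days: Optional[int]     # days after which password must be changed
    warn_days: Optional[int]    # days before expiry that user is warned
    inactive: Optional[int]     # days after expiry that account is disabled
    expire: Optional[int]       # days since 1/1/1970 that account is disabled

def parse_shadow(text: str) -> Dict[str, ShadowEntry]:
    entries = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 9:  # 8 documented fields plus one reserved (usually blank)
            raise ValueError(f"malformed shadow line: {line!r}")
        # An empty aging field means the feature is not used for this account.
        entries[f[0]] = ShadowEntry(f[0], f[1], *(int(x) if x else None for x in f[2:8]))
    return entries

def password_state(e: ShadowEntry, today: int) -> str:
    # Classify the account as login would on day `today` (days since 1/1/1970).
    if e.expire is not None and today >= e.expire:
        return "account-expired"
    if e.hash.startswith(("*", "!")):  # no usable hash: password login impossible
        return "locked"
    if e.last_change == 0:
        return "must-change"  # forced change at next login
    if e.last_change is None or e.max_days is None or e.max_days >= 99999:
        return "ok"  # aging not enforced (the 99999 seen on the slide)
    deadline = e.last_change + e.max_days
    if e.inactive is not None and today >= deadline + e.inactive:
        return "disabled"
    if today >= deadline:
        return "expired"
    if e.warn_days is not None and today >= deadline - e.warn_days:
        return "warn"
    return "ok"

def can_change_password(e: ShadowEntry, today: int) -> bool:
    # Minimum-age rule from the aging slide: refuse a change made too soon.
    if e.last_change is None or e.min_days is None:
        return True
    return today >= e.last_change + e.min_days
# Constructed sample in the slide's format; the hash fields are placeholders.
SAMPLE_SHADOW = """\
root:$1$salt$placeholder:14565:0:99999:7:::
daemon:*:14537:0:99999:7:::
smith:$1$salt$placeholder:14565:1:90:7:14:14800:"""
```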

Groups

Users belong to one or more groups.
– User always has a primary group.
– Files are created with GID of primary group.
– User can access files accessible to any of the groups to which the user belongs.

Groups contain zero or more users.
– Created by the system administrator.
– Some groups exist for programs like special users.
– Other groups exist for human users.


/etc/group

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
waldenj:x:100:
smithj:x:101:
faculty:x:1001:smithj,waldenj
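Added example, not from the slides: Python that parses /etc/passwd and /etc/group lines like the ones shown and reproduces the `id` output from the User Identification Commands slide (primary GID from passwd, supplementary GIDs from group membership), with a check that lists every UID 0 account. The sample entries are constructed from the slides; a smithj passwd line is added so the two files agree.

```python
from typing import Dict, List, NamedTuple
class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int     # primary group; files the user creates get this GID
    gecos: str   # comment field (may itself contain commas)
    home: str
    shell: str
class GroupEntry(NamedTuple):
    name: str
    gid: int
    members: List[str]  # supplementary members; primary membership is not listed here

def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    users = {}
    for line in text.splitlines():
        name, _pw, uid, gid, gecos, home, shell = line.split(":")  # exactly 7 fields
        users[name] = PasswdEntry(name, int(uid), int(gid), gecos, home, shell)
    return users

def parse_group(text: str) -> Dict[str, GroupEntry]:
    groups = {}
    for line in text.splitlines():
        name, _pw, gid, members = line.split(":")
        groups[name] = GroupEntry(name, int(gid), [m for m in members.split(",") if m])
    return groups
def id_line(user: str, users: Dict[str, PasswdEntry], groups: Dict[str, GroupEntry]) -> str:
    """Reproduce `id user`: primary GID from passwd, then groups that list the user."""
    u = users[user]
    names = {g.gid: g.name for g in groups.values()}
    supp = sorted(g.gid for g in groups.values() if user in g.members and g.gid != u.gid)
    def show(gid: int) -> str:  # id prints a bare number when the GID has no name
        return f"{gid}({names[gid]})" if gid in names else str(gid)
    all_groups = ",".join(show(g) for g in [u.gid] + supp)
    return f"uid={u.uid}({u.name}) gid={show(u.gid)} groups={all_groups}"

def uid0_accounts(users: Dict[str, PasswdEntry]) -> List[str]:
    return sorted(u.name for u in users.values() if u.uid == 0)  # every UID 0 is a superuser
# Constructed samples modelled on the slides (smithj passwd line added so the files agree).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
games:x:5:60:games:/usr/games:/bin/sh
waldenj:x:100:100:James Walden, faculty:/home/waldenj:/bin/bash
smithj:x:101:101:John Smith, student:/home/smithj:/bin/bash"""
SAMPLE_GROUP = """\
root:x:0:
waldenj:x:100:
smithj:x:101:
faculty:x:1001:smithj,waldenj"""
```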


Group Commands

groupadd [-g GID] groupname
  Creates a new group.

groupmod groupname
  -n newgroupname
  -g newgroupID

usermod -G
  Modifies group membership.

groupdel
  Removes a group.
