Linux is a first citizen in Microsoft Azure — and in other cloud providers, for that matter — and getting around in this platform is vital for any heterogeneous environment, which is the norm in medium-to-large enterprises. And for that, certification is important. We will focus on one of the areas of the Linux Certified System Administrator exam, specifically user and group management, which is about 10 percent of the test. Here are some of the topics you will need to know for this part of the Linux Certified System Administrator exam:
My initial thought was to describe the commands required to manage several aspects of the user and group management, but after writing that I noticed that I didn’t explain the inner workings and files used to make it happen. So in this article, we will take a step back and look at the files that are needed for user and groups management, and in the next section, we will cover the management process and security involved on it.
The first one that we need to understand is the /etc/passwd, and this file contains all users in the current system and some vital information. Here is a view of the /etc/passwd file in a brand-new installation of CentOs (we created a user for me, called Anderson, to illustrate the properties for a regular user).
Any entry in the /etc/passwd file will have the structure listed below, and they are going to be divided by colon, a brief explanation of every field is shown in the image below.
By default, the /etc/passwd file is clear text and anyone logged on the system can read it, so a more secure approach is to move the password to a different file. This process is accomplished using /etc/shadow file. The shadow file is part of the shadow-utils package, and it is installed and enabled by default on Red Hat-based operating system.
Besides making a more secure environment, the shadow file also introduces the ability to control aging passwords and the capability to enforce security policies.
The file is shown in the image below, and we added one user to show how a regular entry looks like for a regular user.
The structure of the /etc/shadow file follows the same pattern of the previous file, where a colon divides the fields. However, it has more areas available to control password features.
Note: All number of days are based on Jan. 1, 1970. That is the reason that we see a considerable amount of days for password last change even when we changed it a few days ago.
An important takeaway of the /etc/shadow file is the field encrypted password is comprised of three areas. These areas start with a $ symbol. The first one is the $id, which defines the encryption in use. The second is the $salt, which is a random string to make dictionary attacks more difficult, and the third one is the encrypted password/hash.
If you want to understand in detail the encryption, the following table has all possible values being used in the $id field, as follows.
The last file of our little journey is the /etc/groups, where all local groups are kept in any given Linux server.
There is a fourth file that is not used very often, but it is important to mention —the /etc/gshadow, which stores all group password (in case they are used). The content of such a file is depicted in the image below.
That’s the short story about the files behind user and group management, which are a part of the Linux Certified System Administrator exam. In the next article, we will cover several tasks required for a Linux administrator to maintain users and groups, and we will play with these files that we covered in this article. Some of the commands will only work when we have /etc/shadow in place, and some nuances in finding if a user is disabled or locked can be checked by just checking the files that we explored today.
Featured image: Shutterstock / Wikimedia
Embedding privacy-by-design principles in the building and design of a business, website, application, product, or tool is a good thing…
Office 365 Exchange Online admins must ensure all mailboxes created in Office 365 have auditing enabled. Here’s how to check…
If you plan to liquidate your IT assets, it is critical you have a chain of custody for every device…
As open source becomes the norm, open source intelligence tools are in demand. Here are a few that are already…
As businesses head to the cloud, will CapEx IT be a thing of the past? Or will there always be…
Don’t be this IT admin: Disaster hits and all you can say is, “I should have set up a database…