Linux is a first-class citizen in Microsoft Azure (and in other cloud providers, for that matter), and knowing your way around the platform is vital in any heterogeneous environment, which is the norm in medium-to-large enterprises. And for that, certification is important. We will focus on one of the areas of the Linux Certified System Administrator exam, specifically user and group management, which is about 10 percent of the test. Here are some of the topics you will need to know for this part of the Linux Certified System Administrator exam:
My initial thought was to describe the commands required to manage several aspects of user and group management, but after writing that I noticed that I hadn't explained the inner workings and the files that make it happen. So in this article, we will take a step back and look at the files needed for user and group management, and in the next section, we will cover the management process and the security involved in it.
The first file we need to understand is /etc/passwd, which contains all users in the current system and some vital information about each. Here is a view of the /etc/passwd file in a brand-new installation of CentOS (we created a user for me, called Anderson, to illustrate the properties of a regular user).
Every entry in the /etc/passwd file has the structure listed below, with fields separated by colons. A brief explanation of every field is shown in the image below.
By default, the /etc/passwd file is clear text and anyone logged on to the system can read it, so a more secure approach is to move the password to a different file. This is accomplished using the /etc/shadow file. The shadow file is part of the shadow-utils package, and it is installed and enabled by default on Red Hat-based operating systems.
Besides making a more secure environment, the shadow file also introduces the ability to control aging passwords and the capability to enforce security policies.
The file is shown in the image below, and we added one user to show what an entry looks like for a regular user.
The structure of the /etc/shadow file follows the same pattern as the previous file, where a colon divides the fields. However, it has more fields available to control password features.
Note: All day counts are measured from Jan. 1, 1970. That is why we see a large number of days for the last password change even when we changed it a few days ago.
An important takeaway about the /etc/shadow file is that the encrypted password field is made up of three parts, each starting with a $ symbol. The first is the $id, which identifies the hashing scheme in use. The second is the $salt, which is a random string that makes dictionary attacks more difficult, and the third is the encrypted password/hash.
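The following parser is an added example, not part of the original article. It splits a shadow entry into the parts described above, converts the day count to a calendar date, and reports whether the password is locked. The sample entries are constructed, the function names are illustrative, and it assumes the `$id$salt$hash` layout used by the MD5 and SHA crypt schemes, whose identifiers come from the crypt(5) man page.

```python
from datetime import date, timedelta

# crypt(3) ids that use the $id$salt$hash layout (per crypt(5), not this article)
CRYPT_IDS = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}
EPOCH = date(1970, 1, 1)

def parse_password_field(field):
    """Split the second /etc/shadow field into state, scheme, salt and hash."""
    if field == "":
        return {"state": "empty"}                # no password is required
    locked = field.startswith("!")               # a leading "!" marks a locked password
    body = field.lstrip("!")
    if not body.startswith("$"):
        # "*", "!!" and similar can never match a hash: password login is disabled
        return {"state": "locked" if locked else "no-login"}
    parts = body.split("$")                      # ['', id, (rounds=N,) salt, hash]
    scheme_id, rest = parts[1], parts[2:]
    rounds = None
    if rest and rest[0].startswith("rounds="):   # optional cost parameter
        rounds = int(rest[0].split("=", 1)[1])
        rest = rest[1:]
    return {"state": "locked" if locked else "active",
            "id": scheme_id,
            "scheme": CRYPT_IDS.get(scheme_id, "unknown"),
            "rounds": rounds,
            "salt": rest[0] if len(rest) > 1 else "",
            "hash": rest[-1] if rest else ""}

def parse_shadow_line(line):
    """Parse one colon-separated /etc/shadow entry (nine fields)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 fields, got %d" % len(fields))
    last_change = fields[2]
    return {"user": fields[0],
            "password": parse_password_field(fields[1]),
            # day counts are days since Jan. 1, 1970; an empty field means "not set"
            "last_change": EPOCH + timedelta(days=int(last_change)) if last_change else None,
            "max_days": int(fields[4]) if fields[4] else None}

# Constructed sample entries; the salts and hashes are fake, not real digests
SAMPLE = [
    "anderson:$6$Zx8kQ1pL$FAKEHASHFAKEHASHFAKEHASH:18250:0:99999:7:::",
    "backup:!$6$rounds=5000$abcd1234$FAKEHASHFAKEHASH:18200:0:90:7:::",
    "daemon:*:17834:0:99999:7:::",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(parse_shadow_line(entry))
```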
If you want to understand the encryption in detail, the following table lists all possible values of the $id field.
The last file of our little journey is /etc/group, where all local groups are kept on any given Linux server.
There is a fourth file that is not used very often but is important to mention: /etc/gshadow, which stores all group passwords (in case they are used). The content of this file is depicted in the image below.
That's the short story about the files behind user and group management, which are a part of the Linux Certified System Administrator exam. In the next article, we will cover several tasks required for a Linux administrator to maintain users and groups, and we will play with the files that we covered in this article. Some of the commands will only work when we have /etc/shadow in place, and some details, such as whether a user is disabled or locked, can be found just by checking the files that we explored today.